Effective date / Last updated: 4 June 2026
This Privacy Policy explains how the business being established as Peptide Cake Co., Ltd. (Korean: 주식회사 펩타이드 케이크) — "Peptide Cake", "we", "us", or "our" — handles personal data in connection with our website at peptidecake.com and its localised versions (the "site"). We are a stock company (주식회사) being incorporated under the laws of the Republic of Korea, with our intended registered office in Seoul, Republic of Korea. We are the controller of the personal data described below. Until incorporation completes, the promoter(s) establishing the business control that data and are responsible for it. After incorporation, Peptide Cake Co., Ltd. may, by corporate action, assume operation of the site and the controller role on a prospective basis; any such assumption takes effect only to the extent valid under applicable law. Full company-registration details (business registration number, registered office address, and representative director) will be published on this page upon incorporation. Formal notices, data-subject requests, and correspondence from supervisory authorities may be sent to privacy@peptidecake.com (or legal@peptidecake.com), which is monitored and actioned on the business's behalf.
The site is a business-to-business marketing and partnership site, not an online shop. It does not sell products, take payment, or process orders. Your use of the site is also subject to our Terms of Use. In this policy, "you" and "your" refer to the individual using the site.
We practise data minimisation: we collect only what we need to respond to partnership enquiries and to operate the site. We collect the personal data you provide only when you submit our single partner-enquiry / contact form.
Information you provide through the enquiry form:
Providing the optional fields (company and message) is voluntary; declining them does not prevent you from submitting an enquiry. The form also includes a hidden anti-spam field; if it is completed (which a genuine user would not do), the submission is silently discarded and not stored.
Information collected and stored when you submit the form:
Each enquiry record also carries a system-generated reference (a sequential identifier and a channel tag indicating that it came from the site), used solely to manage the record.
We do not store your full IP address in our enquiry records. Your IP address is, however, necessarily transmitted to and processed in transit by our infrastructure provider (Cloudflare) to deliver and secure the site and to derive the approximate country, and is sent to Google when your browser requests fonts on the main marketing pages (see Sections 3 and 6); it may be retained briefly in our providers' operational and security logs under their own retention. We simply do not retain it in our own records.
We do not collect special-category / sensitive personal data through the site, and we ask that you not submit any.
The site stores a single value in your browser's localStorage named pc_lang to remember the language you chose. That is all. pc_lang is strictly functional: it only remembers your language preference. You can refuse or delete it at any time through your browser settings or by clearing site data; doing so simply resets your language to the default.
The site uses no tracking cookies, no advertising cookies, and no analytics or behavioural-tracking technologies. The only third-party request the site itself causes is the loading of certain fonts from Google, which happens when you load the main marketing pages of the site and transmits your IP address and request headers to Google on each such visit, as described in Section 6. A font request of this kind is not behavioural tracking, but we disclose it for transparency. The standalone legal pages (this Privacy Policy and the Terms of Use) use only self-hosted fonts and do not make this request.
When you submit an enquiry:
If you contact us by email instead of, or in addition to, the form — including via the email link or fallback we provide — your message reaches our team's mailbox (hosted on Google Workspace) directly; that route does not create a Cloudflare D1 record, and the email is handled under the same purposes and retention as form enquiries. When you email us, your message travels through your own email provider and the public email system before reaching us, and it may include information (such as your full email address, message content, and email headers) beyond the minimal set the form collects; you control what you include. The service providers involved are described in Section 6.
We use your personal data for these purposes:
Under the Republic of Korea's Personal Information Protection Act (PIPA), our processing of your enquiry is based on the consent you give by submitting the form and on the necessity of the processing to handle your enquiry; the automatic processing needed to operate, secure, and display the site is based on the necessity of that processing to provide the site you have requested.
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (including profiling or AI). The rights under PIPA Article 37-2 and GDPR Article 22 concerning solely automated decisions therefore do not arise on this site.
No third-party provision. We do not sell your personal data, do not share it for advertising, and do not provide your personal information to any third party for that third party's own purposes (no 제3자 제공 under PIPA Article 17). Our use of the service providers below is consignment of processing only (위탁 under PIPA Article 26): they process personal data on our behalf and under our instructions. Each consignment is governed by a written agreement (data-processing terms) that restricts the consignee to processing on our instructions, prohibits onward provision, and requires appropriate security measures; we supervise the consignees and keep the consignment details current. The consignees and the consigned tasks are:
Google Fonts (a controller-caused third-party request). Certain fonts (such as Noto Sans KR and Noto Sans Arabic) are loaded from Google's font network because our pages instruct your browser to request them. This request is made by your browser whenever you load one of the main marketing pages of the site — on each such visit and in every language, not only when you submit the form or use Korean or Arabic — so Google's servers (in the United States) receive your IP address and request headers on each such visit, at our instigation. Because this is a direct request from your browser to Google over its public font network, and Google is not restricted to processing only on our instructions under a consignment (위탁) agreement, we do not treat Google Fonts as consignment: it is an independent, controller-caused third-party request for which Google acts as a separate controller of the connection data it receives. The standalone legal pages use only self-hosted fonts and do not make this request, and our primary brand fonts are self-hosted throughout. The PIPA basis for this is the necessity of rendering the site you have requested; where the GDPR applies, the basis is our legitimate interest (Section 5). We may remove this dependency by self-hosting these fonts, which would eliminate the request to Google.
The site also links to our partners' public social media profiles (such as Instagram and YouTube). Those are third-party sites with their own terms and privacy practices; this policy does not cover them. Outbound links to partner profiles include neutral attribution parameters (such as utm_source, utm_medium, and utm_campaign) so that a partner can see that a visit was referred from this site; these parameters do not identify you.
Because our providers operate globally, your personal data is processed and stored outside the Republic of Korea and outside your own country. For all cross-border transfers described here, our primary PIPA basis is our disclosure in this Privacy Policy of the matters required for overseas transfer by PIPA Article 28-8(2) (relied on under Article 28-8(1)(iii)); those required matters are set out immediately below. Where consent is additionally relevant, the consent you give by submitting the form (Article 28-8(1)(i)) serves only as a supporting basis; we do not rely on bundled consent as the sole basis for any overseas transfer. The required transfer details are:
For recipients in the United States, the transfer is, to the extent the recipient is certified, covered by the EU-U.S. Data Privacy Framework (and its UK Extension); where it is not, or for any data not within that adequacy, we (or our providers) rely on the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. Brevo / Sendinblue is established in the EU; to the extent it engages sub-processors outside the EEA, it does so under its own GDPR-compliant transfer safeguards. You may request details of the safeguards we rely on by emailing privacy@peptidecake.com.
We keep enquiry records only as long as needed to evaluate and respond to the enquiry and for a reasonable period afterwards for our business and legal records, and we review them periodically for deletion. As a guide, we aim to delete or anonymise enquiry records within 24 months of the date you submitted the enquiry, unless a longer period is required to establish, exercise, or defend legal claims, in which case we keep them no longer than the applicable statutory limitation period. Email notifications in our mailbox are retained under our internal retention practice and are deleted when no longer needed, which we aim to align with the underlying enquiry record. Our providers may retain technical transmission, backup, or security logs for their own limited operational and legal-compliance periods under their data-processing terms, separate from our enquiry-record retention and outside our direct control. You may ask us to delete your data at any time, subject to limited exceptions where we are required or permitted by law to retain certain records.
When the retention period ends or you successfully request deletion, we destroy the data we hold without undue delay so that it cannot be recovered from our own records: electronic records are permanently deleted, and any printed records are shredded or incinerated.
Depending on where you live, you have rights over your personal data. Under the GDPR and Korea's PIPA, these include the rights to:
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (see Section 5).
Where our processing relies on your consent (for example, under PIPA when you submit the form, or for the transfer of your enquiry data), you may withdraw that consent at any time; withdrawal does not affect processing already carried out or processing we may lawfully continue on another basis (such as handling your enquiry, our legitimate interests, or the necessity of processing to provide the site).
To exercise any of these rights, email privacy@peptidecake.com. We will respond without undue delay and within the period required by applicable law — in Korea, generally within 10 days under PIPA (extendable with notice); under the GDPR, within one month (extendable by up to two further months for complex or numerous requests, with notice).
You also have the right to lodge a complaint or seek a remedy. In the Republic of Korea, you may contact the Personal Information Protection Commission (PIPC); the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center (개인정보침해 신고센터, privacy.kisa.or.kr, hotline 118); and the Personal Information Dispute Mediation Committee (개인정보 분쟁조정위원회), and you may also pursue civil remedies through the courts. In the EEA or UK, you may contact your local data protection authority. If you are resident elsewhere (for example, in Kazakhstan, the wider CIS, or the United Arab Emirates), you may have rights under your local data-protection law and may contact the relevant authority in your country; email privacy@peptidecake.com and we will assist.
California (CCPA/CPRA). If you are a California resident, the categories of personal information we collect are identifiers (your name and email address, and your IP address as processed transiently by Cloudflare and received by Google when your browser requests fonts on the main marketing pages — we do not store full IP addresses in our enquiry records), commercial/professional information (your company), internet or other electronic network activity (your capped user-agent string), and approximate geolocation (an approximate country, where our provider can derive one); the source is you (and, for the automatic items, your browser and our infrastructure provider); and the business purpose is to evaluate and respond to your enquiry and to operate and secure the site. You have the right to know, delete, and correct this information, and the right not to be discriminated against for exercising your rights; contact privacy@peptidecake.com to make a request. Do not sell or share. We do not sell your personal information and do not share it for cross-context behavioural advertising, as those terms are used under the CCPA/CPRA and similar laws.
In accordance with PIPA Articles 30 and 31, we designate the following contact for personal-information protection and the handling of related complaints and grievances:
This contact receives and handles personal-information-related complaints and grievances. Pending incorporation, the promoter(s) responsible for site operation perform this function; upon incorporation, the formally designated officer's name and position, and the department's telephone number, will be published here. Requests and grievances are handled as described in Section 9. Where and to the extent Article 27 of the EU/UK GDPR requires it, an EU/UK representative will be designated and its details published here.
We take measures to protect personal data appropriate to the limited data we hold:
No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
The site is a business-to-business site and is not directed to children, and we do not knowingly collect personal data from children. In the Republic of Korea, a child under 14 may not provide consent without a legal representative — 14 is the age under PIPA at which a legal representative's consent is required, distinct from the general age of majority; in many other jurisdictions the relevant threshold is under 16. If you believe a child has provided us with personal data, contact us at privacy@peptidecake.com and we will delete it.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. We will give notice of material changes — for example, by posting the change and its effective date — before or when they take effect, and will make the prior and revised versions available where practicable. Please review this page periodically.
This Privacy Policy is written in English, which is the sole authoritative and legally binding language. Any translation is provided for convenience only; in the event of any conflict, the English version prevails. Nothing in this section limits any mandatory requirement under Korean or other applicable law to provide a particular privacy disclosure or notice in a local language; where such a requirement applies, we will provide that disclosure or notice as required.
For any privacy question or to exercise your rights, contact us at privacy@peptidecake.com. For legal matters, legal@peptidecake.com. For general matters, hello@peptidecake.com.