Privacy Policy

Last Updated: March 25, 2026

This Privacy Policy is issued by Pioneer ECOM Global Limited (RM A10, Unit 20, 28th Floor, Asia Trade Centre, No. 79 Lei Muk Road, Kwai Chung, New Territories, Hong Kong)VIVAIA and its affiliates (together, “VIVAIA”, “we”, “us” or “our”). It is directed towards external individuals who interact with us, including customers, website visitors, application users, recipients of our other products or services, corporate clients, and personnel of suppliers (together, “you” or “your”).

This Privacy Policy applies to the following services operated by us:

·      www.vivaia.com

·      www.vivaia.kr

·      www.vivaia.jp

·      www.vivaia.tw

·      Any other websites owned and/or operated by VIVAIA that contain a link to this Privacy Policy (each, a “Website” and collectively, the “Websites”);

·      All mobile applications that contain a link to this Privacy Policy (collectively, the “Apps”); and

·      All services made available by VIVAIA, including through the Websites, Apps, marketing materials, and through services offered electronically and in person where a link to this Privacy Policy is provided.

For purposes of this Privacy Policy, the foregoing services are referred to, collectively, as the “Service”. By using our services, you agree to the practices outlined in this Privacy Policy.

We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes, we will notify you via the email address associated with your account or through a prominent notice on our website/application before the change take effect. All changes will be effective from the date of publication unless otherwise stated. We encourage you to periodically review this page for the latest information on our privacy practices.

If you are a resident of the United States, Australia, Japan, South Korea, etc. please pay special attention to Section 16 (Jurisdiction-Specific Supplemental Terms) of this Privacy Policy, which explains how we comply with local data protection laws and regulations and provides information specific to your personal data.

Table of Contents

1.     Collection of Personal Data

2.     Creation of Personal Data Profiles

3.     Categories of Personal Data We Collect and How We Process It

4.     Purposes of Processing Personal Data

5.     Legal Bases for Processing Personal Data

6.     Disclosure and Sharing of Personal Data

7.     International Transfer of Personal Data

8.     Data Retention

9.     Your Privacy Rights

10.  Direct Marketing

11.  Data Controller Details

12.  Business Information and Third-Party Website Links

13.  Cookies, Analytics, Marketing and Personalized Advertising

14.  How We Protect Your Information

15.  Contact Us

16.  Jurisdiction-Specific Supplemental Terms

17.  Definitions

Appendix – Data Processing Details

1. Collection of Personal Data

1.1 Depending on how you use our websites, applications, products, or services, we may collect or obtain your personal data from the following sources:

·      Data you provide to us: Personal data you voluntarily provide to us when you register an account on our website/application, contact us via email/online customer service/physical stores, complete a transaction, submit comments or feedback, etc.

·      Account creation details: Basic account-related information we collect when you register or create an account on our website or in our physical stores.

·      Service relationship data: Relevant personal data collected in the ordinary course of providing services to you.

·      Website usage data: Behavioral and device-related data automatically collected when you access and use our website and its features and resources.

·      Content and advertisement interaction data: Data collected by third-party service providers when you interact with third-party content or advertisements on our website. We authorize these third-party service providers to collect personal data generated from your interaction with such content or advertisements and may receive some or all of such data from them.

·      Data you make public: Personal data you publicly post on our website's comment sections, referral sections, or other channels, or personal data related to our website that you post on public platforms such as social media.

·      Third-party information: Personal data we obtain from third parties such as single sign-on service providers, payment processors, logistics service providers, advertising partners, and corporate partners, which you have authorized to be shared with us.

·      Data automatically collected: Information automatically collected by us and third-party partners through tracking technologies such as Cookies, web beacons, pixel tags, and embedded scripts when you visit our website, read our emails, or use our in-site services. We typically collect such data through various tracking technologies, including: (i) Cookies (small data files) stored on user devices; and (ii) other related technologies such as web beacons, pixel trackers, embedded scripts, mobile SDKs, location-identifying technologies, and logging technologies (collectively, "Tracking Technologies"). Personal data collected automatically may be integrated with personal data we collect directly from you.

1.2 For more information on the categories of personal data we collect, the scenarios in which we collect it, and how we process it, please refer to Appendix – Data Processing Details of this Privacy Policy.

1.3 Our website and applications only request access to your device permissions in specific functional scenarios, including location permissions (for store recommendations), camera permissions (for scanning, etc.), and photo library permissions (for uploading images). You can control the granting and revocation of permissions through your device's system settings. Please note that revoking permissions may prevent the relevant functions of our website from functioning properly.

2. Creation of Personal Data Profiles

In some scenarios, we may create a personal data profile for you, including records of your interactions with us and historical service details. Additionally, we may associate and integrate your personal data collected from different functions of our website and different devices to provide you with a unified service experience.

3. Categories of Personal Data We Collect and How We Process It

3.1 Basic Account Registration Information

When you first register an account on our website, we will collect your email address. If you choose to complete your profile voluntarily, you may also provide information such as age, gender, and nickname. You may also use single sign-on through your Google Account, Line Account, or Kakao Account. In such cases, we will obtain basic identification information authorized by you, such as your email address, from Google, Line, or Kakao, eliminating the need for duplicate registration. A successfully created account can be used directly for all functions and services on our website.

3.2 Other Categories of Personal Data Collected

As you use our website services, we may also collect and/or process the following categories of personal data in different scenarios:

·      Contact information: Name, mobile phone number, shipping address, email address, etc., that you voluntarily provide.

·      Account information: Your account nickname, age, gender, language preferences, account login credentials, membership status, etc., as well as your browsing, favorites, and purchase history on our website.

·      Transaction information: Your purchase history, order amount, recipient name and contact information, shipping address, shipping tracking information, return and after-sales warranty details, etc.

·      Payment information: Your invoice/payment records, payment amount, payment date, billing address, payment channel information, etc.

Please Note: We use third-party payment service providers such as PayPal, Stripe, Google Pay, and Apple Pay to process payments. We do not receive or retain sensitive payment information such as your bank card number or CVV code. Such information is provided directly by you to the third-party payment service provider, and their processing of personal data is governed by their own privacy policies.

·      Third-party login/authorization information: When you use single sign-on via Google Account, Line Account, or Kakao Account, we only obtain the authentication token and basic information authorized by you (such as email address) from the third party. We do not obtain your third-party account login password. The information we receive depends on the third party's privacy policy and your privacy settings on that third-party platform.

·      Interaction and feedback information: Product reviews, comments, suggestions you submit on our website, as well as inquiry content and ticket information submitted through online customer service.

·      Device and network information: Your device model, brand, operating system version, browser type, IP address, device MAC address, WiFi SSID, device unique identifiers (such as IDFA/GAID), session ID, etc.

·      Website usage behavior information: Your page visit history, dwell time, click behavior, functional operation traces, and your actions such as opening our marketing emails and clicking on links within them.

·      Location information: We obtain approximate geographic location information from your IP address, used solely to provide logistics-related services and to adapt regional page settings (such as currency and language). The corresponding store page on our website may obtain your device location permission to recommend the nearest physical store to you.

·      Marketing and promotional information: Email addresses and mobile phone numbers voluntarily provided by you to receive marketing information, as well as information related to your participation in our discount programs, referral programs, V-plus membership program, and other marketing activities.

3.3 Collection of Sensitive Personal Data

We only collect sensitive personal data, such as bank card numbers and mobile phone numbers, in scenarios necessary to provide services such as transaction payment and identity verification. We implement security measures such as masking and encryption for such information and will not use sensitive personal data for other purposes without your separate consent.

3.4 Device Permission Management

Our website only requests access to your device permissions in specific functional scenarios, including location permissions (for store recommendations). You can control the granting and revocation of permissions through your device's system settings. Please note that revoking permissions may prevent the relevant functions of our website from functioning properly.

4. Purposes of Processing Personal Data

We collect and process your personal data for the following specific, legitimate purposes and in accordance with applicable laws and regulations:

·      Contractual Obligations. To fulfill contractual obligations with you and provide you with the requested products and services, including account management, transaction fulfillment, logistics delivery, and customer service;

·      Website Operations. To maintain the daily operation of our website, including system security, technical maintenance, and troubleshooting;

·      Communication. To communicate with you, including sending order status notifications, shipping updates, and account security alerts via email, SMS, in-site messages, etc.;

·      Market Research. To conduct market research and user behavior analysis, understand user needs, and optimize our website's product design, service experience, and functional layout;

·      Personalized Marketing. To provide you with personalized marketing and promotional services, including recommending relevant products based on your browsing and purchase history, and pushing discount information, new product announcements, etc., via EDM, SMS, online advertising, etc.;

·      Fraud Prevention. To detect, prevent, and investigate fraud, unauthorized transactions, fake orders, and other illegal or improper activities, protecting your account and property security and maintaining the transaction order on our website;

·      Product Monitoring. To test, optimize, update, audit, and monitor our products and services (including communication systems, IT systems, and security systems), or to perform technical fault diagnosis and repair;

·      Dispute Resolution. To resolve disputes, fulfill obligations, protect rights and interests, and safeguard our commercial interests and the rights of third parties;

·      Legal Compliance. To comply with applicable laws, regulations, and regulatory requirements, fulfilling legal obligations;

·      Data Processing. To achieve the specific purposes for which you provided personal data, or to engage in other processing activities based on your consent.

For specific scenarios corresponding to the purposes of processing personal data, please refer to Appendix – Data Processing Details of this Privacy Policy.

5. Legal Bases for Processing Personal Data

We process your personal data based on the following lawful bases, selecting the appropriate basis depending on the processing scenario:

·      Performance of a Contract or Necessary for Entering into a Contract: If you purchase products or register an account on our website, we process your personal data to fulfill contractual obligations and complete service delivery, including account management, transaction payment, and logistics delivery;

·      Legitimate Interests: To maintain the operational security of our website, optimize service experience, and conduct reasonable marketing and promotion, provided that your legitimate rights and interests are not compromised, we process your personal data based on our legitimate interests. Examples include user behavior analysis, fraud risk control, and advertising effectiveness optimization;

·      Your Consent: In scenarios such as conducting marketing promotions, sharing data with third parties, and transferring personal data internationally, we will obtain your explicit consent in advance. You may withdraw this consent at any time. Upon withdrawal, we will cease processing personal data based on that consent (without affecting the lawfulness of processing completed prior to withdrawal);

·      Compliance with Legal Obligations: Processing your personal data in accordance with applicable laws, regulations, regulatory requirements, or mandatory directives from judicial authorities.

For the specific legal bases for processing personal data in different scenarios, please refer to Appendix – Details of Processing in this Privacy Policy.

6. Disclosure and Sharing of Personal Data

We do not disclose your personal data to third parties arbitrarily. We only share, transfer, disclose, grant access to, provide, or make public your personal data in the following statutory or agreed-upon circumstances, and we impose strict confidentiality and security obligations on third parties:

·      Disclosure and Sharing with You and Your Authorized Representatives: Providing your personal data to you or a third party you have authorized in writing, upon your request;

·      Disclosure and Sharing with VIVAIA Affiliates and Internal Organization: Disclosing and sharing personal data with VIVAIA's affiliates and internal organization to provide unified services and conduct internal group compliance and operational management. Such entities will process the information in accordance with the requirements of this Privacy Policy;

·      Disclosure and Sharing Based on Legal Requirements: If we have a reasonable and good faith belief that disclosure and sharing of personal data are necessary to comply with laws and regulations, respond to mandatory directives from judicial/regulatory authorities, establish, exercise, or defend legal rights, or protect our and third parties' legitimate rights and interests (e.g., property, personal safety);

·      Disclosure and Sharing with Third-Party Processors: Disclosing and sharing personal data with third-party service providers bound by reasonable confidentiality terms to complete service delivery, including payment service providers, logistics service providers, customer service system providers, review system providers, marketing service providers, and data analytics service providers. Such third parties may only process personal data according to our instructions and may not use it for any other purpose.

·      Disclosure and Sharing with Advertising Partners: Disclosing anonymized/pseudonymized device information and behavioral data to advertising partners such as Google Ads, Meta, and TikTok to provide personalized advertising services and optimize advertising effectiveness. We do not disclose your identifiable information;

·      Disclosure and Sharing in Business Transactions: If VIVAIA undergoes a merger, acquisition, asset sale, or other business transaction, your personal data may be transferred to the recipient as part of the transaction assets. We will inform you before the transaction is completed and require the recipient to process personal data in accordance with this Privacy Policy and applicable laws;

·      Disclosure and Sharing Based on Your Consent: Disclosing and sharing personal data with third parties designated by you upon your explicit consent.

7. International Transfer of Personal Data

7.1 Due to the international nature of our business, we transfer personal data within the VIVAIA group and with the third-party service providers described in Section 6 of this Privacy Policy. Therefore, your personal data may be transferred to countries or regions outside your country of residence, including China and other jurisdictions where our affiliates, logistics partners, payment processors, cloud service providers, and other service providers are located. The data protection laws in some regions may differ from those in your region.

7.2 We take appropriate measures to ensure that any such international data transfer complies with applicable data protection laws and that your personal data remains protected.

7.3 If you are located in the European Economic Area (EEA), we will ensure that when transferring your personal data to countries or regions outside the EEA, we comply with the requirements set out in Chapter V of the General Data Protection Regulation (GDPR) as follows:

·      We transfer personal data only to countries that the European Commission has determined provide an adequate level of protection;

·      We enter into agreements with recipients outside the EEA that incorporate the European Commission’s Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms, which impose data protection obligations equivalent to those under the GDPR; or

·      When necessary, we will take technical and organizational measures, such as encryption and pseudonymization, to protect the security of personal data during transfer.

7.4 If you wish to learn more about the specific safeguards for the international transfer of personal data, please contact us using the methods provided in Section 15 of this Privacy Policy.

8. Data Retention

8.1 We adhere to the principles of minimal necessity and shortest duration when retaining your personal data. We will retain it only for as long as necessary to fulfill the processing purposes described in this Privacy Policy, and the retention period is determined according to the following criteria:

·      If you maintain an ongoing service relationship with us (e.g. If you are a registered user of our website, you have not unsubscribed from our marketing emails), we will continue to retain your personal data until the service relationship ends;

·      If the service relationship ends, we will retain your personal data in accordance with the statute of limitations periods applicable under relevant laws. After the expiration of the statute of limitations, we will retain it for an additional two (2) months to address potential legal claims;

·      If there are unresolved legal claims or regulatory investigations, we will continue to retain the relevant personal data until the claim/investigation is concluded.

8.2 After the personal data reaches the retention period specified above, we will take the following actions:

·      Permanently delete or destroy the relevant personal data; or

·      Anonymize or de-identify the relevant personal data so that it can no longer be linked to a specific individual, allowing it to be used for non-personalized services such as data analysis.

9. Your Rights

9.1 In accordance with applicable laws and regulations, you have the following rights regarding your personal data processed by us. We will respond to your requests promptly as required by law:

·      Right to Refuse Provision: You may choose not to provide your personal data to us. However, if you do not provide information that is necessary for the operation of certain services, those services may not be available to you;

·      Right of Access: You have the right to request access from us as to whether we are processing your personal data and to obtain a copy of that information and details related to its processing;

·      Right to Rectification: If you find that the personal data we process about you is inaccurate or incomplete, you have the right to request that we rectify or complete it;

·      Right to Restriction of Processing: Under statutory circumstances, you have the right to request that we restrict the processing of your personal data;

·      Right to Portability: You have the right to request that we provide your personal data to you or a third party you designate in a structured, commonly used, and machine-readable format;

·      Right to Erasure: If we have no lawful basis to continue processing your personal data, you have the right to request that we delete it. If immediate deletion from backup systems is technically infeasible, we will isolate the information and cease any further processing;

·      Right to Withdraw Consent: If you have provided personal data based on your consent, you have the right to withdraw that consent at any time. Upon withdrawal, we will cease processing based on that consent, without affecting the lawfulness of processing completed prior to withdrawal;

·      Right to Complain: If you believe that our processing of personal data infringes upon your legitimate rights and interests, you have the right to file a complaint with the local data protection supervisory authority.

9.2 How to Exercise Your Rights

You may submit the above requests to us using the contact methods in Section 15 of this Privacy Policy. Before processing a request, we may ask you to provide identification documents to verify your identity. We will respond to requests that meet statutory requirements within the legally prescribed timeframe. We reserve the right to refuse requests that cannot be verified or do not meet statutory requirements and will provide reasons for such refusal.

10. Direct Marketing

10.1 We may send you marketing communications, such as product information, discount promotions, and new product announcements, via email (EDM), SMS, etc. Such marketing activities are based on your consent, and you may unsubscribe at any time.

10.2 You can unsubscribe from marketing communications in the following ways:

• Click the “unsubscribe” link in our marketing emails to opt out of email marketing;
• Reply to marketing SMS with “STOP” or “UNSUBSCRIBE” to opt out of SMS marketing;
• Contact us using the methods in Section 15 of this Privacy Policy to inform us that you wish to unsubscribe from all marketing communications.

10.3 After unsubscribing, we will no longer send you marketing communications but may still send you necessary service-related information such as order notifications, shipping updates, and account security alerts.

11. Data Controller

Your personal data is processed by VIVAIA. The details of the relevant data controller are as follows:

Entity Name: Pioneer ECOM Global Limited

We may engage other entities within the VIVAIA group to act as data processors to process your personal data. Such engagements will be governed by strict data processing agreements to ensure the protection of personal data complies with this Privacy Policy and applicable laws.

For general inquiries or to exercise any rights set forth in this Privacy Policy, please contact DPO [datacompliance@starlinke.com]. Requests concerning data protection will be coordinated by VIVAIA based on your location.

12. Business Information and Third-Party Website Links

12.1 Business Information: Business information you provide during cooperation with us, such as company name, business scope, and cooperation needs, will be used solely for fulfilling the cooperation contract. We will implement measures and will not disclose it to third parties without your consent;

12.2 Third-Party Website Links: Our website may contain links to third-party websites. The privacy policies of such websites are independently established by the third parties and are unrelated to us. If you access such third-party websites, their processing of personal data is governed by their own privacy policies. We encourage you to carefully read the privacy policies of third parties.

13. Cookies, Analytics, and Personalized Advertising

13.1 Use of Cookies

Like many websites, we use cookies, tags, pixels, beacons and other tracking technologies (collectively referred to as “Cookies”). Cookies are files stored on your computer’s hard drive by your browser to enable the Website to remember you, your actions and preferences (such as login, language, font size and other display preferences) over a period of time. This allows us to optimize the shopping experience, hold selections in a shopping cart when a user leaves the Website without checking out and send you reminder e-mails about your shopping orders and other shopping opportunities. We also use Cookies to gather statistical information about use of the Website in order to improve its design and functionality, understand how the Website is used, and assist us with resolving questions. Cookies do not collect sensitive identifiable information from you, and you can control the use of Cookies through your browser settings.

13.2 Categories of Cookies Used on Our Website and Their Purposes

The Cookies on our website are divided into First-Party Cookies and Third-Party Cookies. Their usage is as follows:

(1) First-Party Cookies

(2) Third-Party Cookies

Set by third-party service providers such as Google, Facebook, Yotpo, and Pinterest for purposes such as user behavior analysis, advertising conversion tracking, and comment interaction statistics. The storage period ranges from 1 month to 2 years, depending on the rules of the respective third-party service provider.

13.3 Managing Cookies

You can manage Cookies in the following ways:

·      Browser Settings: You can choose to allow, block, or delete Cookies in your browser's “Settings – Privacy and Security” section. The specific steps vary slightly across different browsers.

·      Third-Party Tools: You can refuse third-party service providers from collecting your information via Cookies by using tools such as the Google Analytics opt-out browser add-on or the Digital Advertising Alliance (DAA) Opt-Out tool;

·      Website Settings: Our website will introduce a Cookie preference setting feature in future updates, allowing you to choose to enable/disable various categories of Cookies through in-site settings.

Please note that disabling Cookies may prevent some functions of our website (such as personalized recommendations and automatic account login) from working properly.

13.4 Marketing and Personalized Advertising

To enhance the efficiency of our marketing efforts, we collaborate with various social media platforms, search engines, and advertising networks, collectively referred to as “Advertising Partners.”

Our advertising partners include platforms such as Facebook, Instagram, Pinterest, and TikTok for social media advertising, as well as Google for online advertising networks like Google Ads. Additionally, we work with affiliate marketing partners to drive traffic to our websites.

These advertising partners may utilize data provided by us, along with information collected from cookies and other tracking technologies, to predict your preferences and interests. This enables us to run targeted advertising campaigns and assess the effectiveness and reach of our advertising materials. Furthermore, it aids in evaluating the performance and efficiency of our advertising partners’ campaigns.

Advertising partners employ cookies and similar technologies to monitor your interactions with our websites and services by accessing data stored on your device or within applications. Our Advertising Partners help us identify and engage with the appropriate target audience, allowing us to create and distribute personalized marketing content across various platforms and services. To tailor content to your interests, we may use information gathered from you as a member, account holder, newsletter subscriber, or as a customer. We may share this information, along with a customer identifier (e.g., an encrypted email address), with our Advertising partners. This process aims to display relevant advertisements to you on third-party websites by matching your data with the Advertising partner’s database. If a match occurs, you will receive appropriate promotional content in your feed or search results.

For instance, we utilize Google Analytics on our website to collect usage information and analyze how users interact with the site—such as time spent, pages visited, cart details, mouse clicks, keystrokes, purchases, and other interactions. This information helps us to provide advertisements to you on other websites. To learn more about Google’s practices, please visit www.google.com/policies/privacy/partners/. You can opt-out of Google Analytics by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout/.

You can opt out of personalized advertising through the privacy settings pages of these advertising partners or by disabling the relevant Cookies as described in Section 13.3 of this Privacy Policy.

14. How We Protect Your Information

We implement reasonable physical, electronic, and procedural security measures designed to protect your personal data from unauthorized processing, use, or disclosure. Our security measures include physical, technical, and administrative safeguards that meet industry standards to prevent unauthorized access to or disclosure of your information.

The internet is not an absolutely secure environment, and we cannot guarantee the absolute security of your personal data. Therefore, we strongly recommend that you use a unique and complex password to help us keep your account secure. We also strongly recommend that you do not share your password with others and do not reuse passwords used on other websites or applications for our services, as doing so increases your risk of becoming a victim of malicious online actors. If you believe that the security of your account or personal data has been compromised, please contact us immediately.

15. Contact Us

If you have any questions or suggestions regarding this Privacy Policy or our personal data processing practices, or if you wish to exercise the information rights described in Section 9 of this Privacy Policy, please contact us using the following methods:

[Contact-Us]

We will respond to and process your inquiry/request within the legally prescribed timeframe after receipt.

16. Jurisdiction-Specific Supplemental Terms

This section contains supplemental terms for the data protection laws and regulations of different countries/regions. If you are a resident of the following regions, these terms apply. Matters not covered in this section are governed by the other terms of this Privacy Policy.

16.1 United States

16.1.1 If you reside in the United States, your personal information is collected and processed by STARBRANDS GLOBAL HOLDING LLC (8 The Green STE A, Dover, Delaware, 19901).

16.1.2 The categories of personal data we collect from U.S. residents include identifiers, customer records, commercial information, internet/network information, and sensitive personal data (such as bank card numbers, precise location information, etc.). We collect and process sensitive personal data only when necessary and do not sell sensitive personal data or use it for targeted advertising.

16.1.2.1 We have collected the following categories of personal data and have continued to do so over the past 12 months:

·      Identifiers, including name, preferred name, phone number, email address, user ID, and online identifiers.

·      Customer records, including contact details and account information.

·      Protected classification characteristics, such as age, gender, and health information.

·      Commercial information, including purchase history and price data, shipping address and contact details, return details, and consumer history data and consumption tendencies.

·      Biometric information — for example, facial recognition data — where such processing occurs solely on your device and is not accessible by us.

·      Internet/network information, including device type, manufacturer and model, operating system, IP address, browser type, internet service provider, and unique identifiers related to you, your device, or your network.

·      Sensitive personal data, such as account credentials and biometric information (further explained below).

·      Other personal data, including but not limited to: your communication preferences, entertainment preferences, home configurations (for our home-related services), participation in loyalty and rewards programs, and any other personal data provided in customized messages you choose to receive via email address or other contact methods.

·      Inferences drawn, including consumer preferences, propensities, and characteristics.

16.1.2.2 As previously stated, we collect personal data directly from the following sources: when you use our websites, applications, products, or other services (including automatically collected methods), from third parties, and from public third-party platforms such as social media.

16.1.2.3 We collect your personal data for various purposes. For example: using personal data to communicate with you; processing and completing orders you submit or services you request; conducting surveys, sweepstakes, and other promotions; analyzing and optimizing website and application usage; delivering marketing communications and personalized/non-personalized advertising; and improving customer service efficiency.

16.1.2.4 Sensitive Personal Data. The following elements of personal data we collect or process in connection with our websites, applications, products, or services may be categorized as “sensitive data” under specific privacy laws ("Sensitive Personal Data"):

·      Account credentials.

·      Payment card information (collected and processed solely by our third-party payment service providers; VIVAIA does not have access to this data).

·      Biometric information (collected and processed solely on the user's device; VIVAIA does not have access to this data).

·      Precise geolocation data.

We use or disclose Sensitive Personal Data only as reasonably necessary and proportionate to, and in accordance with legal requirements for, the following purposes: performing services requested by you, verifying and maintaining service quality, detecting security incidents, preventing fraud and other illegal activities, ensuring the physical safety of natural persons, performing services on behalf of businesses, and for short-term, transient use. We do not collect or process Sensitive Personal Data with the purpose of inferring characteristics about individuals, nor do we use Sensitive Personal Data for targeted advertising.

16.1.2.5 However, depending on the laws of your state and subject to specific legal limitations and exceptions, you may have the right to limit or withdraw your consent regarding our processing of Sensitive Personal Data.

16.1.3 Additional Privacy Rights. Residents of certain U.S. states (such as California, Virginia, Colorado, etc.) have additional privacy rights, including the right to request disclosure of the sale/sharing of personal data, the right to limit the processing of sensitive personal data, and the right to opt out of targeted advertising. For example, California law permits residents of California to request certain details about how their information is disclosed to third parties for direct marketing purposes. Under the law, a business must either provide this information or permit California residents to opt in to, or opt out of, this type of disclosure. You may exercise these rights as described in Section 9 of this Privacy Policy.

16.1.4 Notice of Financial Incentives. We may offer you financial incentives for the collection, sale, retention, and use of your personal information as permitted by the CCPA that can, without limitation, result in reasonably different prices, rates, or quality levels. The material aspects of any financial incentive will be explained and described in its program terms. Please note that participating in incentive programs is entirely optional, you will have to affirmatively opt-in to the program and you can opt-out of each program i.e., terminate participation and forgo the ongoing incentives) prospectively by following the instructions in the applicable program description and terms., We may add or change incentive programs, or their terms by posting notice on the program descriptions and terms linked to above, so check them regularly. Each financial incentive or price or service difference related to the collection and use of personal information is based upon our reasonable, good-faith determination of the estimated value of such information to our business, taking into consideration the value of the offer itself and the anticipated revenue generation that may be realized by rewarding brand loyalty. We calculate the value of the offer and financial incentive by using the expense related to the offer.

16.1.5 We do not sell the personal data of users under 16 years of age to third parties or use such information for targeted advertising.

16.2 Australia

16.2.1 We strictly comply with Australian laws and regulations, including the Privacy Act 1988 and the Spam Act 2003. We implement physical and technical security measures to protect your personal data. In the event of a data breach, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law.

16.2.2 If you have a complaint regarding our handling of your personal data, you may contact us first. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

16.3 South Korea

16.3.1  If you reside in South Korea, your personal information is collected and processed by VIVAIA KOREA Co., Ltd. (서울특별시 강남구 논현로10길 30, 5층, 505-139호).

16.3.2 We comply with South Korea's Personal Information Protection Act (PIPA). When collecting personal data from South Korean residents, we will clearly inform you of the purpose of collection, scope of use, and retention period. For details, please refer to Section 3 of this Privacy Policy. We will not disclose your personal data to third parties without your consent, except in the following circumstances:

·      When it is economically or technically infeasible to obtain consent for the personal data necessary to provide the service through conventional means.  

·      When necessary for billing purposes in providing the service.

·      When otherwise specifically permitted by law. However, even if permitted by law, personal data will not be provided unconditionally upon request from administrative or investigative authorities. It will only be provided in accordance with legal procedures, such as the production of a search warrant or documents bearing the seal of the head of the relevant agency.

16.3.3 Regarding the personal data of minors under 14 years of age, we will obtain explicit consent from their legal guardian before processing. When obtaining consent from a legal guardian for processing the personal data of a minor under 14, VIVAIA may display the authorization status on the official website and may request only necessary information such as the legal guardian's name and mobile phone number.

16.3.4 You may inquire about and correct your personal data through the account center on our website. You may also request to withdraw your consent for the processing of personal data at any time. Upon withdrawal, we will cease the relevant processing. If the withdrawal results in the inability to use our services, we will not be held liable.

16.4 Japan

16.4.1 If you reside in Japan, your personal information is collected and processed by 株式会社STARLINK (東京都渋谷区神宮前６丁目２８番９号).

16.4.2 We collect and use your personal data for the purposes described in this Privacy Policy (e.g., order processing, customer service, marketing, data analysis) and to the extent permitted under the Act on the Protection of Personal Information (APPI) of Japan. Your personal data will be strictly used for the purposes described in this Privacy Policy. Any use of personal data beyond those stated purposes will require prior consent in accordance with the requirements of the APPI.

16.4.3 Your personal data may be transferred to, stored, or processed outside Japan. By accepting this Privacy Policy, you agree to such transfers. Under the APPI, unless otherwise permitted by applicable law, we will obtain your prior consent before transferring your personal data to a third party located outside Japan.

16.4.4 If you have any questions or complaints about how we handle your personal data, please contact us according to Section 15 of this Privacy Policy. We will respond as required by applicable law. If you are unsatisfied with our response, you may contact us to discuss your concerns or file a complaint with the Personal Information Protection Commission of Japan (https://www.ppc.go.jp/).

16.5 Mainland China

16.5.1 For sensitive personal data, including but not limited to financial information or identification information, we will obtain your separate, explicit consent in addition to any general consent.

16.5.2 We only collect personal data necessary to achieve the explicitly defined purposes. The collection of personal data that is beyond the stated purpose, irrelevant, or not explicitly specified is prohibited.

16.5.3 If you are under 14 years old, we will only process your personal data after obtaining verifiable consent from a parent or guardian.

17. Definitions

17.1 “Adequate Jurisdiction” means a jurisdiction that has been formally designated by the European Commission as providing an adequate level of protection for personal data.

17.2 “Application” means any application operated, maintained, or operated on behalf of us.

17.3 “California Resident” means: (1) any individual who is in the State of California for other than a temporary or transitory purpose; and (2) any individual who is domiciled in the State of California but is outside the State of California for a temporary or transitory purpose.

17.4 “Cookie” means a small file stored on your device when you visit a website, including our website. In this Privacy Policy, the term "Cookie" includes similar technologies such as web beacons and transparent GIF images.

17.5 “Controller” means the entity that determines the means and purposes of processing personal data. In many jurisdictions, the Controller bears primary responsibility for complying with applicable data protection laws.

17.6 “Data Protection Authority” means an independent public authority legally responsible for monitoring the application of relevant data protection laws.

17.7 “EEA” means the European Economic Area (EU member states plus Iceland, Norway, and Liechtenstein).

17.8 “GDPR” means the EU General Data Protection Regulation (EU) 2016/679.

17.9 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

17.10 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

17.11 “Processor” means any person or entity (other than an employee of the Controller) which processes personal data on behalf of the Controller.

17.12 “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

17.13 “Sale” means the transfer of a consumer's personal data by a business to another business or third party for monetary or other valuable consideration, including renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means. Under applicable law, a business does not sell personal data in the following circumstances (for example):

• The consumer uses or directs the business to intentionally disclose personal data, or the business intentionally interacts with a third party at the direction of the consumer, subject to specific conditions;
• The business uses or shares an identifier for a consumer who has opted out of the sale of personal data for the purpose of alerting third parties that the consumer has opted out;
• The business uses or shares consumer personal data with a processor for a business purpose, subject to specific restrictions; or
• The business transfers consumer personal data as an asset to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, subject to specific conditions.

17.14 “Standard Contractual Clauses” means the standard contractual clauses for data transfers adopted by the European Commission or approved by a data protection supervisory authority and the European Commission.

17.15 “Website” means any website operated, maintained, or operated on behalf of us.

Appendix – Data Processing Details

Note: This Appendix is subject to change at any time based on updates to our website's products and services. Notification of changes will be posted on our website.

The right to interpret this Privacy Policy resides with VIVAIA.