Lemon Inspect
Back to Home
Policy Document

LemonInspect Privacy Policy

Article 1 (Purpose and Scope of Application)

TSBT Company Co.,Ltd. (hereinafter the "Company") values users' personal information and complies with applicable laws and regulations. This Privacy Policy (hereinafter this "Policy") provides information on the items of personal information collected by the Company in connection with the website www.lemoninspect.com (hereinafter the "Site") and the LemonInspect AI-based vehicle diagnosis and history report service (hereinafter the "Service"), the purposes of collection, use, retention and destruction, provision to third parties, and overseas transfers.

This Policy applies to all users worldwide and complies with the mandatory provisions of the following jurisdictions:

  • Republic of Korea — Personal Information Protection Act (PIPA) and related laws and regulations
  • United Arab Emirates (UAE) — Federal Decree-Law No. 45/2021 (UAE PDPL)
  • Saudi Arabia — Personal Data Protection Law (PDPL, Royal Decree M/19) and SDAIA regulations
  • European Economic Area (EEA) — General Data Protection Regulation (GDPR) *(where EEA residents use the Service)*

If the laws of the jurisdiction of residence grant rights greater than the rights specified in this Policy, such local laws shall prevail.

This Policy applies together with the following supplemental policies: Terms of Service, Disclaimer, Refund and Cancellation Policy, Cookie Policy.

Article 2 (Legal Basis for Processing Personal Information)

The Company processes personal information on the following legal bases:

  • Performance of a contract: generation and provision of reports to provide the Service
  • Consent: processing based on the user's explicit consent (submission of images, recorded data, etc.)
  • Legal obligations: performance of obligations under tax laws, commercial laws, e-commerce laws, etc.
  • Legitimate interests: service security, fraud prevention, service improvement

For EEA users, with respect to processing based on "legitimate interests," the Company maintains a documented legitimate interests assessment (LIA), and users may object to such processing at any time pursuant to Article 21 of the GDPR.

Article 3 (Items of Personal Information Collected)

3.1. Account Information (Provided Directly by Users)

ItemPurpose of CollectionRequired/OptionalLegal Basis
Email addressAccount creation, authentication, purchase receipts, service noticesRequiredPerformance of contract / Consent (PIPA Article 15)
Password (hashed)Account securityRequiredPerformance of contract
Name/nicknameAccount identificationRequiredPerformance of contract
Phone numberAccount recovery, customer supportOptionalConsent
Account type (individual/business)Determination of applicable terms, verification of legal statusRequiredLegitimate interests / Performance of contract
Company name and business registration number (business members)Verification of business account, issuance of tax invoiceConditionally requiredPerformance of contract / Legal obligation

3.2. Vehicle Data (Provided by User or Derived)

ItemPurpose of CollectionRequired/OptionalLegal Basis
VINVehicle identification, history inquiry, report generationRequiredPerformance of contract
Vehicle photos/imagesAI exterior condition diagnosis (Vision AI — Core C, when the applicable feature is provided)OptionalPerformance of contract / Consent
Voice recordings such as engine soundsAI acoustic diagnosis (Sound Engine — Core B)OptionalPerformance of contract / Consent
OBD-II diagnostic dataDiagnostic trouble code (DTC) analysis, readiness monitor evaluation (when the applicable feature is provided)OptionalPerformance of contract / Consent
Vehicle specifications (manufacturer, model, model year, trim)Report generation, repair cost estimation, safety rating inquiryRequiredPerformance of contract

⚠️ Notice regarding VIN: A vehicle identification number (VIN) is vehicle identification information and is not direct personal identification information. However, because it may identify a specific individual when combined with registration records, the Company manages VINs in a manner equivalent to personal information.

3.3. Transaction Information

ItemPurpose of CollectionRequired/OptionalLegal Basis
Purchase historyService provision, customer support, analysisRequiredPerformance of contract
Payment method (last 4 digits of card only)Transaction identification, refund processingRequiredPerformance of contract
Report version and access recordsReport provision, 30-day reuse for the same VIN, re-viewing, management of eligibility for corrective access, dispute evidenceRequiredPerformance of contract / Legitimate interests
Credit transaction recordsCredit top-up and deduction, management of unused credit validity period, prevention of duplicate billing, refund or credit restorationRequiredPerformance of contract / Legal obligation
Tax invoice informationBusiness billing, tax complianceConditionally requiredLegal obligation (Framework Act on National Taxes, Value-Added Tax Act)

Note: Full payment card information (card number, CVV, expiration date) is not stored by the Company. All payment processing is performed by third-party payment gateway providers (PG providers) certified under PCI-DSS.

3.4. Automatically Collected Information

ItemPurpose of CollectionRequired/OptionalLegal Basis
IP addressSecurity, fraud prevention, consent logs, regional determinationAutomaticLegitimate interests
Browser type and versionService compatibility, analysisAutomaticLegitimate interests
Device type and operating systemService optimizationAutomaticLegitimate interests
Pages visited and dwell timeService improvement, analysisAutomaticLegitimate interests / Consent (cookies)
Consent interaction logsLegal compliance, dispute evidenceAutomaticLegal obligation / Legitimate interests
Timestamp (UTC)Audit trail, consent recordsAutomaticLegal obligation
Report reference date, viewing time, VIN request logsReport version management, application of 30-day reuse policy, management of corrective access for undetermined items, prevention of unauthorized useAutomaticPerformance of contract / Legitimate interests

Automatic collection devices such as cookies. The Company uses automatic collection devices such as cookies, local storage, and pixels. For details, please refer to the Cookie Policy.

3.5. Information Not Collected

The Company does not collect the following information:

  • Statutory unique identifiers such as resident registration numbers, passport numbers, and driver's license numbers
  • Biometric information (fingerprints, facial recognition)
  • Health or medical information
  • Financial account numbers (bank accounts, full credit card numbers)
  • Precise location information other than approximate IP-based location
  • Information of persons under the age of 18 (provided, however, that for members residing in Korea, minors under the Civil Act (under the age of 19) may sign up only if they have obtained consent from a legal representative, and for persons under the age of 14, explicit consent from a legal representative is mandatory pursuant to Article 22 of the Personal Information Protection Act — see Article 11)

Article 4 (Purposes of Use of Personal Information)

PurposeData Used
Service provision — generation of vehicle inspection assistance and history reports, granting access rights to existing report versions and managing re-viewingAccount, vehicle, transaction information
AI-based inspection assistance processing — execution of LemonInspect inspection assistance engine analysisVehicle information (audio, VIN, and images and OBD-II when the applicable features are provided)
Report version and corrective access management — application of the 30-day reuse policy for the same VIN, recording of report reference date, management of corrective access eligibility for undetermined itemsAccount, vehicle, transaction, technical information
Payment processing — purchase processing, issuance of receipts, refundsAccount, transaction information
Compliance with legal obligations — maintenance of consent records, response to legal requests, tax reportingAll
Dispute resolution — chargeback defense, provision of evidence for arbitration proceedingsAccount, transaction, technical information
Service improvement — analysis of usage patterns, improvement of AI accuracy (de-identified/aggregated processing)Technical, usage information
Communications — purchase confirmations, service updates, notices of policy changesAccount (email)
Security — fraud detection, prevention of unauthorized accessTechnical, account information

The Company does not use personal information for the following purposes:

  • Selling personal information to third parties
  • Advertising profiling or behavior-based targeting
  • Automated decision-making with legal effect (AI-based inspection assistance analysis is for reference information only)

4.1. AI Model Training Data Policy

The Company may use de-identified and aggregated diagnostic data (after removing personal identification information, VIN, and location information) to improve AI model accuracy and develop new diagnostic features. However:

  • Original images, voice recordings, and raw diagnostic data submitted by users are not directly used for AI model training without separate explicit opt-in consent
  • If an opt-in program for contributing training data is introduced in the future, participation will be entirely voluntary and will not affect service provision or fees
  • De-identified statistical patterns (e.g., "timing chain wear signals detected in X% of 2019 Genesis G80 vehicles") may be derived from aggregated data without personal attribution

Article 4-2 (Notification of Personal Information Breach)

In the event of a personal information breach that may pose a risk to users' rights and freedoms, the Company shall:

  • Notify the relevant supervisory authorities (Korea Personal Information Protection Commission, EEA lead supervisory authority, UAE Data Office, etc.) within 72 hours from becoming aware of the breach in accordance with Article 34 of the Personal Information Protection Act, Articles 33-34 of the GDPR, and the UAE PDPL
  • Notify affected users without delay via the account registration email
  • Provide details of the nature of the breach, types of data affected, expected consequences, and measures taken to mitigate harm

Article 5 (Provision of Personal Information to Third Parties)

5.1. External AI and Infrastructure Services (Including Overseas Transfers)

To generate reports and operate the Service, the Company transmits data to the following overseas business operators:

RecipientTransmitted DataPurposeCountry of TransferTime of Transfer
Google LLC (Gemini Pro Vision API)Vehicle images/photosAI visual condition analysis (Core C, when the applicable feature is provided)United States, etc. (Google Cloud)When a report generation request is made for the applicable feature
Google LLC (Gemini API)Vehicle diagnostic summary text promptsMultimodal reasoning, generation of report narrativesUnited States, etc. (Google Cloud)When a report generation request is made
OpenAI, Inc.Vehicle diagnostic data, text promptsLLM-based analysis and narrative generation (GPT series)United States (Microsoft Azure)When a report generation request is made
Anthropic, PBCVehicle diagnostic data, text promptsLLM-based analysis and narrative generation (Claude series)United States (AWS)When a report generation request is made
Amazon Web Services, Inc. (AWS)Account information, VIN, vehicle data, report outputs, consent logs (all items)Cloud database, authentication, storage (service backend)United States (us-east / ap-northeast, etc.)Throughout the entire period of membership registration and Service use
Cloudflare, Inc.Web traffic, IP address, User-Agent, cookies, request metadataCDN, DDoS protection, DNS, WAF (Site hosting gateway)Global anycast network (United States, EU, Asia, etc.)Automatically upon accessing the Site

⚠️ Notice on overseas transfers (Article 28-8 of the Personal Information Protection Act / Article 46 of the GDPR):

The transfers to overseas business operators listed in the table above are essential for the provision of the Service (performance of a contract), and the Company secures appropriate safeguards by entering into standard contractual clauses (SCC) or data processing agreements (DPA) with each recipient. These transfers are based on appropriate safeguards (such as SCC) under Article 28-8(1) of the Personal Information Protection Act of the Republic of Korea, and for EEA users, on appropriate safeguards under Article 46 of the GDPR. The Company clearly notifies users of these overseas transfers on the membership registration screen.

Consequences if transfer is not possible. Because these overseas transfers constitute the technical foundation of the Service (cloud DB, CDN, AI inference), membership registration and report generation are technically impossible without the transfers. The relevant countries may not provide the same level of personal information protection as the Republic of Korea.

5.1A. User Data Segregation

Images, voice recordings, and other diagnostic data submitted by a user are used only to generate that user's report. Where multiple users request reports for the same VIN:

  • Media (photos, audio) submitted by each user is processed separately and is not included in, displayed in, or made accessible through another user's report
  • Public data (VIN history, recall records, safety ratings) originates from public third-party sources rather than user submissions and therefore may be included in multiple reports for the same VIN

5.2. Public Data Source Inquiries

The following public and government data sources are queried for report compilation. In these inquiries, users' personal information is not transmitted, and only VIN and vehicle identification information are used:

  • NHTSA (National Highway Traffic Safety Administration, United States) — recalls, consumer complaints, safety ratings
  • Ministry of Land, Infrastructure and Transport / Korea Automobile Testing & Research Institute (KATRI) — Korea recall records
  • Euro NCAP — European safety ratings
  • IIHS (Insurance Institute for Highway Safety, United States) — crash test ratings
  • KNCAP (Korea New Car Assessment Program) — Korea crash test ratings
  • KIDI (Korea Insurance Development Institute) — insurance loss ratings

5.3. Infrastructure Service Providers

ProviderPurposeAccessed Data
Cloudflare, Inc. (United States, global anycast)Site gateway — CDN / DDoS protection / DNS / WAFWeb traffic, IP address, User-Agent, cookies, request metadata
Amazon Web Services, Inc. (AWS) (United States)Cloud database / authentication / object storage / serverless computingAccount, VIN, vehicle data, report outputs, consent logs (encrypted at rest and in transit)
Supabase, Inc. (United States, AWS hosting)Relational database / authentication / real-time APIAccount information, report metadata, authentication tokens
Vercel, Inc. (United States)Frontend hosting / edge network / CI/CDWeb traffic, IP address, User-Agent, request logs
Google LLC (United States, etc.)AI inference — Gemini API (when Core C visual feature is provided / report narrative generation)Vehicle images (when the applicable feature is provided), diagnostic summary prompts
OpenAI, Inc. (United States)AI inference — GPT series (analysis and narrative generation)Vehicle diagnostic data, text prompts
Anthropic, PBC (United States)AI inference — Claude series (analysis and narrative generation)Vehicle diagnostic data, text prompts
PayPal, Inc. (United States)Payment processing — overseas (PCI-DSS certified)Payment data only (card number and CVV not stored)
PortOne Co., Ltd. (Republic of Korea)Payment processing — domestic PG integration (PCI-DSS certified)Payment data only (card number and CVV not stored)
Google LLC (Google Workspace) (United States)Sending transaction and authentication emails (purchase receipts, refund notices, consent renewals, membership registration authentication)Email address, name (sent from [email protected])

5.4. Legal Disclosure

The Company may disclose personal information in the following cases:

  • Where required by a court order, subpoena, or legal process
  • Arbitration proceedings (International Arbitration Rules of the Korean Commercial Arbitration Board)
  • Requests from government agencies with lawful authority
  • Where necessary to protect the Company's legal rights or the safety of users

Article 6 (Retention and Destruction of Personal Information)

Information TypeRetention PeriodBasis
Account informationAccount maintenance period + 3 years after withdrawalCommercial Act; dispute resolution
Vehicle data (VIN, images, audio)1 year after report generationService improvement; dispute resolution
Transaction records5 yearsTax law compliance (Framework Act on National Taxes, Value-Added Tax Act)
Consent logs (IP, timestamp, terms version)5 years or until the end of the relevant disputeLegal obligation; chargeback defense
Technical/usage information1 year (then de-identified)Legitimate interests
Generated reports (analysis results excluding original media)The period during which members may view reports is, from the date access rights are granted for each plan, 6 months (180 days) for Single Report and 1 year (365 days) for Multi-Check Pack and Dealer Starter Pack; the Company internally retains reports for 3 years from the report generation date for dispute response purposes and then destroys themPerformance of contract; dispute resolution
Report access and version records5 years or until the end of the relevant disputePerformance of contract; dispute resolution; chargeback defense
Confirmation of notice on report reuse/reference date5 years or until the end of the relevant disputeEvidence that the user was notified of the report reference date and 30-day reuse policy
Confirmation of notice on corrective access for undetermined items5 years or until the end of the relevant disputeEvidence of notice that undetermined items may remain undetermined and corrective access is limited

Distinction between viewing period and internal retention. The period during which a member may view a report and download the PDF (from the date access rights are granted for each plan, 6 months (180 days) for Single Report and 1 year (365 days) for Multi-Check Pack and Dealer Starter Pack) is separate from the period during which the Company internally retains the report (3 years from generation date, for dispute response purposes). In other words, even after the member's viewing period expires, the Company internally retains the report (analysis results excluding original media) for dispute and chargeback response.

Relationship with original media. Original media submitted by users (images and audio) is destroyed when 1 year has elapsed after report generation, and thereafter the report is retained as a static output containing only analysis results without the original media. Report access and version records (5 years) are metadata for dispute evidence and do not include original media.

Destruction methods:

  • Electronic files: deleted by technical methods that make restoration impossible
  • Printouts: shredded or incinerated

Article 7 (User Rights)

7.1. Basic Rights (All Users)

RightDetails
Request accessRequest a copy of one's personal information held by the Company
Request correctionRequest correction of inaccurate or incomplete information
Request deletionRequest deletion of personal information (excluding information subject to legal retention obligations)
Request suspension of processingRequest suspension of processing of personal information
Withdraw consentWithdraw consent previously provided (without affecting the lawfulness of processing prior to withdrawal)
ObjectObject to processing based on legitimate interests
Refuse automated decisions and request explanationPursuant to Article 37-2 of the Personal Information Protection Act (amendment effective in 2024), where a decision made by a fully automated system (including artificial intelligence) has a significant impact on a member's rights or obligations, the right to refuse such decision or request an explanation of the criteria and grounds for such decision. Note: The Company's AI diagnosis (including Trust Score) is provided only as reference information and does not constitute an automated decision with legal effect, but members may exercise this right.
File complaintFile a complaint with the personal information supervisory authority in the jurisdiction of residence

7.2. Method of Exercising Rights and Response Period

Contact: [email protected]

The Company will respond or process within the following periods from the date of receipt of the request (depending on applicable law):

Applicable LawResponse Period
Korea Personal Information Protection Act (PIPA)Within 10 days (access, correction, deletion)
European GDPRWithin 30 days (extendable by 1 month)
UAE PDPLWithin 30 days

The Company may conduct an identity verification procedure.

7.3. Additional Rights of Overseas Users

7.3.1. EEA Users (GDPR)

  • Data portability: the right to receive data in a structured, machine-readable format
  • Right to restriction: the right to restrict processing in certain circumstances
  • Right to refuse automated decision-making: the right not to be subject to purely automated decision-making that has legal effect (the Company's AI-based inspection assistance analysis is reference information and has no legal effect)
  • Right to file a complaint with a supervisory authority: complaints may be filed with the data protection supervisory authority (DPA) in the country of residence

7.3.2. UAE Users (UAE PDPL)

  • All rights specified in Federal Decree-Law No. 45/2021
  • Right to consent to overseas transfers (see Article 8)
  • Complaints may be filed with the UAE Data Office

Article 8 (Overseas Transfers)

8.1. Transfer Status

RecipientCountry of TransferData TransferredPurposeSafeguards
Google LLCUnited StatesVehicle images (when the applicable feature is provided), diagnostic promptsAI analysis (Gemini API)Google DPA; SCC
Google LLC (Google Workspace)United StatesEmail address, nameSending transaction and authentication emailsGoogle DPA; SCC
OpenAI, Inc.United StatesVehicle diagnostic data, text promptsAI analysis (GPT series)OpenAI DPA; SCC
Anthropic, PBCUnited StatesVehicle diagnostic data, text promptsAI analysis (Claude series)Anthropic DPA; SCC
Amazon Web Services, Inc. (AWS)United StatesAll items of account, VIN, vehicle data, reports, consent logsCloud DB / authentication / storageAWS DPA; SCC
Supabase, Inc.United States (AWS hosting)Account information, report metadata, authentication tokensDB / authentication / real-time APISupabase DPA; SCC
Vercel, Inc.United StatesWeb traffic, IP, User-Agent, request logsFrontend hosting / edge networkVercel DPA; SCC
Cloudflare, Inc.Global anycast (United States, EU, Asia)Web traffic, IP, User-Agent, cookies, request metadataCDN / DDoS protection / DNS / WAFCloudflare DPA; SCC
PayPal, Inc.United StatesPayment dataOverseas payment processingPayPal DPA; SCC

8.2. Consent

The overseas transfers to the countries listed in the table in 8.1 above are essential for the provision of the Service, and the Company secures appropriate safeguards through standard contractual clauses (SCC) and data processing agreements (DPA) (Article 28-8 of the Personal Information Protection Act / Article 46 of the GDPR). The Company notifies users of these transfers at membership registration, and users are informed that the relevant countries may not provide the same level of personal information protection as their country of residence.

Consent may be withdrawn by contacting [email protected]. However, because these transfers constitute the technical foundation of the Service (DB, CDN, AI), additional use of the Service will be restricted upon withdrawal of consent, and reports already generated will not be affected.

Article 9 (Management of Consent Records)

The Company maintains records of consent interactions to protect the Company and users:

Record ItemPurpose
Account type selection (individual/business)Determination of applicable legal framework
Consent to Terms of Service (version + timestamp)Evidence of contract formation
Confirmation of Disclaimer (version + timestamp)Evidence of limitation of liability
Confirmation of Refund Policy (version + timestamp)Evidence for chargeback defense
Confirmation of notice on report reuse/reference date (if displayed)Evidence that the user was notified of the report reference date and 30-day reuse policy
Confirmation of notice on corrective access for undetermined items (if displayed)Evidence of notice that undetermined items may remain undetermined and corrective access is limited
Consent to overseas transfer (timestamp)GDPR/UAE PDPL compliance
IP address at time of consentRegional confirmation, fraud prevention
User-Agent stringDevice identification, integrity of consent records

Consent records are retained for 5 years or until the end of the relevant dispute.

Article 10 (Measures to Ensure Security)

The Company implements the following technical and administrative measures to protect personal information:

  • Encryption in transit: TLS 1.2 or higher
  • Encryption at rest: AES-256
  • Access control: role-based access control, principle of least privilege
  • Authentication: secure password hashing (bcrypt/Argon2)
  • Monitoring: intrusion detection, access logs, anomaly detection
  • Vendor security: requiring third-party processors to meet equivalent security standards

No system can guarantee 100% security, and although the Company takes commercially reasonable measures, it does not guarantee the absolute security of data.

Article 11 (Personal Information of Minors)

11.1. Global principle. The Service is not directed to individuals under the age of 18. The Company does not knowingly collect personal information of minors without the consent of the data subject or legal representative.

11.2. Korea under age 14 — legal representative consent mandatory. Pursuant to Article 22 of the Personal Information Protection Act, explicit consent from a legal representative is mandatory to process personal information of children under the age of 14 residing in Korea, and information collected without consent will be destroyed immediately.

11.3. Korea age 14 or older and under 19. In the case of minors under the Korean Civil Act (under the age of 19), this membership registration or payment is possible only if consent from a legal representative has been obtained, and a contract concluded without consent may be canceled by the person or the legal representative (see Article 4.1 of the Terms of Service).

11.4. Reporting and deletion requests. If you become aware that a minor has provided personal information to the Company in violation of this Policy, please contact [email protected] and the Company will destroy the relevant information without delay.

Article 12 (Chief Privacy Officer)

Pursuant to Article 31 of the Personal Information Protection Act, the Company designates and discloses its Chief Privacy Officer (CPO) as follows:

  • Name: Choo Kyo-han
  • Position: Chief Executive Officer
  • Affiliation: TSBT Company Co.,Ltd.
  • Email: [email protected]
  • Mailing address: Room B105-E280, 196 World Cup-ro, Mapo-gu, Seoul, Republic of Korea (Seongsan-dong, Daemyung Vicien City Officetel)

Users may contact the Chief Privacy Officer regarding all personal information protection-related inquiries, complaint handling, damage relief, etc. arising while using the Company's services. The Company will respond to and handle users' inquiries without delay.

Article 13 (Changes to This Policy)

The Company may change this Policy from time to time. If there are material changes:

  • The changed Policy will be posted on the Site and the "Last Modified" date will be updated
  • Prior notice will be provided to the registered email at least 7 days in advance
  • Continued use of the Service after the effective date will be deemed consent to the changed Policy

Article 14 (Remedies for Infringement of Rights and Interests)

If you need to report or consult regarding a personal information infringement, you may contact the following organizations:

  • Personal Information Infringement Report Center (Korea Internet & Security Agency): 118 / privacy.kisa.or.kr
  • Personal Information Dispute Mediation Committee: 1833-6972 / kopico.go.kr
  • Cyber Investigation Department, Supreme Prosecutors' Office: 1301 / spo.go.kr
  • Cyber Investigation Bureau, National Police Agency: 182 / ecrm.cyber.go.kr
  • Personal Information Protection Commission (PIPC): pipc.go.kr

Overseas users may file complaints with the data protection supervisory authority in their country of residence (EEA: local DPA, UAE: UAE Data Office, Saudi Arabia: SDAIA).

Article 15 (Language Priority)

This Policy is originally prepared in Korean, and versions translated into English and other languages are provided for members' convenience. In the event of any difference in interpretation between the original and a translation, the Korean original shall prevail. However, this shall not apply to the extent that the laws of the member's jurisdiction of residence require local-language notation as a mandatory provision.

Article 16 (Contact)

Email: [email protected]

*This Privacy Policy takes effect from 2026-05-29.*