Privacy Policy

Upstage Co., Ltd. (hereinafter referred to as ‘the Company’) establishes and discloses the following privacy policy in accordance with Article 30 of the Personal Information Protection Act to protect the personal information of data subjects and to swiftly and smoothly handle any grievances related to it.

The contents of this privacy policy are as follows. It includes both the mandatory items of a privacy policy required by relevant laws and regulations, and contents deemed important by Upstage for the protection of user’s personal information.

1. Purpose of Processing Personal Information

The company processes personal information for the following purposes. The processed personal information will not be used for any purpose other than the following, and if the purpose of use changes, the company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act of South Korea.

1. Membership Registration and Management - Processing for the purpose of confirming the intention to register as a member, providing member-based services, identifying and authenticating the person, maintaining and managing membership qualifications, preventing fraudulent use of services, enhancing user security, improving service quality, developing new features and services, various notifications and announcements, and grievance handling.
2. Provision of Goods or Services - Processing for the purpose of providing services, billing and settlement, and providing customized services.
3. Utilization for Marketing Information - Processing for the purpose of sending newsletters, providing events and promotional information, and using for customized advertising through estimating demographic characteristics and users’ interests and preferences.

2. Personal Information Processing and Retention Period

The company processes and retains personal information within the personal information retention and usage period consented to by the data subject at the time of collecting personal information or within the period specified by laws and regulations. However, the following information will be preserved for the period specified for the reasons listed below:

2.1 Information Retention Based on Company’s Internal Policy

1. Personal information items collected for the fulfillment of contracts and billing for service provision as stipulated in Article 7:
   • Duration of service use.
2. Personal information items collected for member management as stipulated in Article 7:
   • Duration of service use.

2.2 Information Retention as Required by Relevant Laws

1. Records related to display and advertisement, contract content, and performance of transactions in accordance with the Act on Consumer Protection in Electronic Commerce, etc.:
   • Record of display and advertisement: 6 months
   • Records of contract or withdrawal of subscription, payment, supply of goods, etc.: 5 years
   • Records of consumer complaints or dispute resolution: 3 years
2. Retention of communication confirmation data in accordance with the Protection of Communications Secrets Act:
   • Service usage records, access logs, IP information: 3 months

3. Provision of Personal Information to Third Parties

The company processes the personal information of the data subject only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only with the consent of the data subject, special provisions of the law, or in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act.

4. Matters Concerning the Entrustment of Personal Information Processing

The company entrusts personal information processing tasks for the smooth handling of personal information tasks as follows. When entering into an entrustment contract, in accordance with Article 26 of the Personal Information Protection Act, the company specifies in the contract or other documents matters such as the prohibition of processing personal information for purposes other than those of the entrusted tasks, technical and managerial protective measures, restrictions on re-entrustment, management and supervision of the trustee, and responsibility for compensation for damages. The company supervises to ensure that the trustee processes personal information securely.

Entrusted Party (Trustee)	Content of the Entrusted Tasks
Google	Customer Information Verification, Login
Paddle	Payment services
Sentry	Error and application event monitoring

In the event of a change in the content of the entrusted tasks or the trustee, we will promptly disclose such changes through this privacy policy.

5. Matters Concerning the Transfer of Personal Information Overseas

The company entrusts the processing or storage of personal information to entities located outside of the country as described below.

Google

Entrusted Party (Trustee)	Google
Transferred Personal Information Items	Personal Information Items as Stipulated in Article 7
Country to Which [Personal Information] is Transferred	USA
Time and Method of Transfer	Personal information collected may be transferred via network transmission at the time of storage on the cloud servers managed by the company.
Corporate Name and Contact Information of the Receiving Company	Legal name: Alphabet Inc.
Contact	https://support.google.com/
Address	1600 Amphitheatre Parkway Mountain View, CA 94043, USA, 1-650-253-0000
Purpose of Use, Retention and Usage Period of Personal Information by the Recipient	For the Purpose of Storing the Company’s Personal Information
	Consistent with the Retention Period Specified in Article 2

Paddle

Entrusted Party (Trustee)	Paddle
Transferred Personal Information Items	Personal Information Items as Stipulated in Article 7
Country to Which [Personal Information] is Transferred	United Kingdom
Time and Method of Transfer	Personal information collected may be transferred via network transmission at the time of storage on the cloud servers managed by the company.
Corporate Name and Contact Information of the Receiving Company	Legal name: Paddle.com Market Ltd.
Contact	privacy@paddle.com
Address	Judd House 18-29 Mora Street LONDON, EC1V 8BT United Kingdom
Purpose of Use, Retention and Usage Period of Personal Information by the Recipient	For the Purpose of Storing the Company’s Personal Information
	Consistent with the Retention Period Specified in Article 2

Sentry

Entrusted Party (Trustee)	Sentry
Transferred Personal Information Items	Personal Information Items as Stipulated in Article 7
Country to Which [Personal Information] is Transferred	USA
Time and Method of Transfer	Personal information collected may be transferred via network transmission at the time of storage on the cloud servers managed by the company.
Corporate Name and Contact Information of the Receiving Company	Legal name: FUNCTIONAL SOFTWARE, INC
Contact	hello@sentry.io
Address	45 Fremont Street, 8th Floor, San Francisco, CA 94105.
Purpose of Use, Retention and Usage Period of Personal Information by the Recipient	For the Purpose of Storing the Company’s Personal Information
	Consistent with the Retention Period Specified in Article 2

6. Rights and Obligations of the Data Subject and Legal Representative, and Method of Exercising Them

1. Data subjects have the right to request access, correction, deletion, and suspension of processing of their personal information from the company at any time.
2. The exercise of rights under paragraph 1 can be done via email at infosec@upstage.ai, and the company will respond to this without delay.
3. The exercise of rights under paragraph 1 can also be done through a legal representative or an agent authorized by the data subject. In this case, a power of attorney in accordance with the “Notification on the Method of Processing Personal Information (No. 2020-7) Attachment No. 11” must be submitted.
4. Requests for access and suspension of personal information processing may be limited under Article 35, paragraph 4, and Article 37, paragraph 2 of the Personal Information Protection Act.
5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.
6. The company verifies whether the individual making the request for access, correction, deletion, or suspension of processing is the data subject or a legitimate representative.

7. Items of Personal Information Processed

1. The company processes the following personal information items.

Service	Purpose	Items	Retention and Usage Period
Membership Registration and Management	For purposes such as confirming the intention to register, providing membership-based services, personal identification and authentication, maintaining and managing membership status, preventing fraudulent use of services, enhancing user security, improving service quality, developing new features and services, various notifications and announcements, and grievance handling	(Mandatory) Name, Email	Until the time of membership withdrawal.
Provision of Goods or Services	For service provision, fee payment and settlement, and providing customized services	(Mandatory) Card number, card expiration date, CVC number
(Optional) Data entered by the user in the service, data automatically generated during the use of the service.	Until the completion of the supply of goods or services and the completion of payment and settlement.
※ However, if there are legal requirements to preserve the data instead of disposing of it, it will be retained until the end of the required period.
Utilization for Marketing Information	For sending newsletters	(Optional) Name, Email address	Until the individual expresses a refusal to receive them or withdraws their consent from the date of agreement.
Utilization for Marketing Information	Provision of Events and Promotional Information	(Optional) Name, Email address, Phone number, Affiliation (Company and Department/School and Major), Job position.	Until the individual expresses a refusal to receive them or withdraws their consent from the date of agreement.

2. In the course of using internet services, the following personal information items may be collected:
   • Data entered by users: Images, texts, videos, etc., containing personal information, regardless of form.
   • Data automatically generated during service use: IP address, cookies, service usage records, visit records, service output results.
3. Other:
   • The company does not provide services to children under the age of 14 and does not collect personal information related to them.
   • If the purpose and items of member information processed by the company change, consent is requested in advance according to relevant laws.
   • The company collects personal information in the following ways and obtains prior consent before collection:
4. Online, through direct input of personal information by the user.
5. Automatically, through the collection of cookies, access logs, etc., during the service usage process.

8. Procedure and Method of Personal Information Destruction

1. The company immediately destroys personal information when its retention period has expired or its processing purpose has been achieved, and the information is no longer necessary.
2. Despite the expiration of the personal information retention period agreed upon by the data subject or the achievement of the processing purpose, if the personal information must still be retained according to other laws as below, the company will transfer such personal information to a separate database (DB) or store it in a different location:
3. Records related to display and advertisement, contract content, and performance of transactions under the Act on Consumer Protection in Electronic Commerce, etc.:
   • Record of display and advertisement: 6 months
   • Records of contract or withdrawal of subscription, payment, supply of goods, etc.: 5 years
   • Records of consumer complaints or dispute resolution: 3 years
4. Retention of communication confirmation data in accordance with the Protection of Communications Secrets Act:
   • Time and duration of subscriber’s telecommunication, start and end time, number of the other party, frequency of use, location data of the base station of the outgoing call: 1 year
   • Computer communication, internet log record data, access location tracking data: 3 months
5. The procedure and method of personal information destruction are as follows:
   • Destruction Procedure: The company selects personal information for which a reason for destruction has occurred and destroys it with the approval of the company’s personal information protection officer.
   • Destruction Method: Personal information recorded and stored in electronic file format is destroyed in a way that makes it impossible to reproduce the record. Personal information recorded and stored on paper documents is destroyed by shredding or incineration.

9. Measures for Ensuring the Safety of Personal Information

The company takes the following measures to ensure the safety of personal information:

1. Administrative measures: Establishment and implementation of internal management plans, regular staff training, etc.
2. Technical measures: Access right management for personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs.
3. Physical measures: Access control for computer rooms, data storage rooms, etc.

10. Installation, Operation of Automatic Personal Information Collection Devices and Their Refusal

1. The company uses ‘cookies’ to store and retrieve use information from time to time to provide customized services to website users.
2. Cookies are small amounts of information sent by the server (http) operating the website to the user’s computer browser and may be stored on the hard disk of the user’s PC.
3. Purpose of cookie use: Used to identify the user’s visit and usage patterns for each service and website, popular search terms, whether secure access, etc., in order to provide optimized information to the user.
4. Installation, operation, and refusal of cookies: In Internet Explorer, you can refuse to save cookies through the menu option settings in Tools > Internet Options > Privacy > Advanced. In Chrome, you can refuse to save cookies through Settings menu > Privacy and Security > Cookies and Other Site Data.
5. Refusing to save cookies may cause difficulties in using customized services.

11. Matters Regarding the Personal Information Protection Officer

1. The company is responsible for overseeing the overall tasks related to the processing of personal information and has designated a Personal Information Protection Officer as below, to handle grievances and damage relief for data subjects concerning personal information processing.

Personal Information Protection Officer

• Name: Sean Cho
• Position: CISO (Chief Information Security Officer)
• Contact: +82-70-8098-3023, infosec@upstage.ai

Department Responsible for Personal Information Protection

• Department Name: Infra & Security
• Person in Charge: Sean Cho
• Contact: +82-70-8098-3023, infosec@upstage.ai

2. Data subjects can direct all inquiries, complaints, and requests for damage relief related to personal information protection arising from the use of the company’s services (or business) to the Personal Information Protection Officer and the relevant department. The company will respond to and address the inquiries of the data subjects without delay.

12. Department for Receiving and Processing Requests for Access to Personal Information

The “Department Responsible for Personal Information Protection” mentioned in “Article 11: Matters Regarding the Personal Information Protection Officer” is in charge of handling requests for access to personal information.

13. Remedies for Infringement of Rights

Data subjects can apply for dispute resolution or counseling to institutions such as the Personal Information Dispute Mediation Committee and the Personal Information Infringement Report Center of the Korea Internet & Security Agency for remedies due to personal information infringement. For other reports and consultations regarding personal information infringement, please contact the following institutions:

1. Personal Information Dispute Mediation Committee: (No area code) 1833-6972 (www.kopico.go.kr)
2. Personal Information Infringement Report Center: (No area code) 118 (privacy.kisa.or.kr)
3. Supreme Prosecutors’ Office: (No area code) 1301 (www.spo.go.kr)
4. National Police Agency: (No area code) 182 (ecrm.police.go.kr)