Privacy Policy

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. Personal information collected shall not be used for purposes other than those listed below. If the purpose of use changes, prior consent will be obtained.

• Membership registration and management: Identity verification and authentication, membership maintenance and management, prevention of unauthorized use, various notices and notifications
• Service provision: AI analysis processing of uploaded content, UX diagnostic report generation, visual improvement suggestions and development specs
• Service improvement: Analysis of service usage patterns, development of new services, provision of personalized services
• Complaint handling: Identity verification of complainants, confirmation of complaints, and notification of processing results
• Paid service provision and payment processing: Usage rights purchases, payment method registration and management, payment approval and refund processing, purchase history management

Article 2 (Personal Information Items Processed)

Required items

• Email address, password (stored encrypted)

Optional items

• Name (nickname)

Automatically generated and collected during service use

• Service usage records, access logs, IP addresses
• Uploaded videos, images, and other content files
• Report data generated by AI analysis

Payment-related items

• Sensitive payment information such as card numbers and expiration dates are transmitted directly to the payment processor (PortOne for domestic payments, Paddle for international payments) and are not stored on our servers.
• Card brand, masked card number (e.g., ****1234), card type (credit/debit) — for payment method display purposes
• Payment amount, payment date and time, payment status, purchased product (usage rights plan), receipt URL

Article 3 (Processing and Retention Period)

(1) The Company processes and retains personal information within the retention and usage period prescribed by law or within the retention and usage period agreed upon when collecting personal information from the data subject.

(2) The processing and retention periods for each category of personal information are as follows:

• Membership registration and management: Until membership withdrawal (except where retention is required by applicable law)
• Uploaded content and analysis reports: Until directly deleted by the member or upon membership withdrawal

(3) Retention periods required by applicable Korean law:

• Records on contracts or withdrawal of subscription: 5 years (Act on Consumer Protection in Electronic Commerce)
• Records on payment and supply of goods: 5 years (Act on Consumer Protection in Electronic Commerce)
• Records on consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce)
• Records on access logs: 3 months (Protection of Communications Secrets Act)

Article 4 (Provision of Personal Information to Third Parties)

(1) The Company does not, in principle, provide users' personal information to third parties. However, the following cases are exceptions:

• When the user has given prior consent
• When required by law or when requested by investigative authorities in accordance with the procedures and methods prescribed by law for investigative purposes

Article 5 (Outsourcing of Personal Information Processing)

The Company outsources personal information processing to the following entities for service provision:

Uploaded content is transmitted to the Google Gemini API for AI analysis. Please refer to Google's Privacy Policy for details on their data processing practices.

For domestic (Korea) payments, sensitive payment information such as card numbers and expiration dates is processed in PortOne's PCI DSS-certified secure environment and is not stored on our servers.

For international payments, Paddle acts as the Merchant of Record and directly collects and processes payment information. The Company does not have access to international users' card information, and all payment data is handled securely in accordance with Paddle's security policies.

Article 6 (Destruction of Personal Information)

(1) The Company shall promptly destroy personal information when it is no longer needed, such as when the retention period has expired or the processing purpose has been achieved.

(2) The procedures and methods of destruction are as follows:

• Destruction procedure: When a member requests account deletion or the retention period expires, the relevant personal information is immediately deleted.
• Destruction method: Information in electronic file format is permanently deleted so that records cannot be reproduced.

Article 7 (Measures to Ensure Security of Personal Information)

The Company takes the following measures to ensure the security of personal information:

• Encryption of personal information: Passwords are encrypted for storage and management, and important data is protected with additional security features.
• Access control: Supabase Row Level Security (RLS) policies ensure that users can only access their own data.
• Encryption in transit: All data transmissions are encrypted via HTTPS.
• File storage security: Uploaded files are stored in encrypted cloud storage.
• Payment information security: Sensitive payment information such as card numbers is processed through PCI DSS-certified PortOne or Paddle, and raw card information is not stored on our servers.

Article 8 (Rights and Obligations of Data Subjects)

(1) Users may exercise the following rights regarding personal information protection at any time:

• Request to access personal information
• Request for correction of errors
• Request for deletion
• Request to suspend processing

(2) Users may directly view and modify their personal information or delete individual reports and files through the account settings page. All related data will be permanently deleted upon account deletion.

(3) The rights under paragraph (1) may be exercised by contacting by.min@clovbit.com in writing, by phone, or by email. The Company will take action without delay.

Article 9 (Use of Cookies)

(1) The Company uses only essential cookies necessary for authentication session management for the User's use of the Service.

(2) The Company does not use advertising cookies or third-party tracking cookies for behavioral information collection purposes.

Article 10 (Personal Information Protection Officer)

The Company designates the following Personal Information Protection Officer to oversee all personal information processing activities and to handle complaints and remedies related to personal information processing:

• Personal Information Protection Officer
• Name: Byeoungyun Min
• Company: Stocel
• Address: 2F 215-166, 35 Dongil-ro 129-gil, Jungnang-gu, Seoul, South Korea
• Phone: +82-10-7619-8701
• Email: by.min@clovbit.com

Users may contact the Personal Information Protection Officer regarding all inquiries, complaints, and remedies related to personal information protection arising from the use of the Service. The Company will respond to and process such inquiries without delay.

Article 11 (Remedies for Rights Infringement)

Users may contact the following organizations for remedies, counseling, and other inquiries regarding personal information infringement:

• Personal Information Infringement Report Center (operated by KISA): 118 / privacy.kisa.or.kr
• Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
• Supreme Prosecutors' Office Cyber Crime Investigation Unit: +82-2-3480-3573 / www.spo.go.kr
• National Police Agency Cyber Bureau: 182 / cyberbureau.police.go.kr

Article 12 (Changes to the Privacy Policy)

This Privacy Policy is effective from March 28, 2026. In the event of additions, deletions, or corrections due to changes in laws or policies, the Company will announce the changes through the Service at least 7 days before they take effect. Changes unfavorable to users will be notified separately by email at least 30 days in advance.