Privacy Policy

In accordance with related laws, Nota Inc. (hereinafter referred to as the “Company”) has established and discloses the following personal data processing policy to keep data subjects (hereinafter referred to as the “User(s)”) who are using NetsPresso and all services (hereinafter referred to as the “Service (s)”) informed about the procedures and standards for personal data processing and handle related grievances quickly and smoothly.

Article 1. (Purpose of Processing Personal Data)

The company processes personal data for the following purposes.

1. Membership registration and management: confirmation of intention to sign up, identification, age verification, maintenance and management of membership, prevention of fraudulent use of services, confirmation of consent of legal representatives when processing personal data of children under 14 years of age, all sorts of notification

2. Provision of goods or services: provision of basic/customized services, sending contracts and bills, identification, age verification, payment and settlement of charges, credit collection

3. Complaint handling: contact and notification for identification of users, confirmation of complaints, contact/notice for the fact investigation, and notification of the results of handling complaints

4. Service improvement and development: service performance enhancement, AI algorithm improvement, existing service improvement and new service development, customized service development

5. Utilization of pseudonymous data [1]: Use of pseudonym processing and pseudonymous data for purposes in the public interest, scientific or historical research purposes or statistical purposes.

Article 2. (Personal Data to be Processed)

The company collects and processes the following personal data of service users.

1. Basic collection when signing up for membership (mandatory): name, password, email, regional information (Asia/Europe/US), company name

2. Personal data provided by the user in the process of using the service (optional): image files provided by the user, metadata of the image file, model file, pre/process code file generated in the process of packaging

3. The following personal data are automatically collected while using the service: IP address, cookies, service use records (visit and use records, low quality use records, etc.), device information (cell phone model number, OS name and version information), advertisement identifier

4. When handling complaints: collecting and processing items necessary for handling complaints from users among the above information and separate items necessary for handling complaints

Article 3. (Personal Data Processing and Retention Period)

① If the user withdraws from the service or loses his/her qualification, the company deletes and destroys the collected user's data without delay, even if there is no separate request. However, despite the withdrawal of membership or loss of user qualification, the following data is preserved for the following reasons.

1. If an investigation and enquiry is in progress due to a violation of the relevant laws and regulations, by the end of the relevant investigation.

2. If the claim-obligation relationship remains due to the use of services, until the relevant claim-obligation relationship is settled.

② Notwithstanding the preceding paragraph, the company shall preserve it until the end of the relevant period in the following cases:

1. Personal data related to service use (log record): 3 months, which is the retention period under the Protection of communications secrets Act of the Republic of Korea.

2. Records on the withdrawal of contracts or subscriptions, and records on payment and supply of goods: 5 years retention period under the Act on the Consumer Protection in Electronic Commerce, etc. of the Republic of Korea.

3. Records on the handling of complaints or disputes by consumers: 3 years retention period under the Act on the Consumer Protection in Electronic Commerce, etc. of the Republic of Korea.

4. Records on display advertising: 6 months retention period under the Act on the Consumer Protection in Electronic Commerce, etc. of the Republic of Korea.

5. Books and evidentiary documents concerning all transactions prescribed by the Tax Act: 5 years, which is the retention period under the Framework Act on National Taxes of the Republic of Korea.

③ The company separately stores or deletes personal data of users who have not used the service for a year or a period separately determined by the user.

Article 4. (Provision of Personal Data to Third Party)

The company provides personal data to third parties only with the consent of the user or when there is a special provisions in the Personal Information Protection Act of the Republic of Korea or other laws.

Article 5. (Entrustment of Personal Data Processing)

① The Company entrusts the processing of personal data for the smooth processing of personal data as follows:

• Name of Entrustee: Amazon Web Services, Inc. (AWS Asia, US, Europe region)

• Entrusted Work: infrastructure management for data storage, service provision and analysis, and email sending

② The company entrusts the processing of personal information to a third party abroad as follows.

1. Amazon Web Services, Inc.

• Items of personal information transferred: Information about user's usage behavior

• Country of transfer: United States

• Date and time of transfer and method of transfer: frequent transfers through information and communication networks during service delivery

• Name/contact information of the transfer recipient: AWS Korea Privacy/ aws-korea-privacy@amazon.com

• Purpose of use of personal data of transfer recipient: data storage, infrastructure management for service provision and analysis, and sending of e-mail

• Recipient’s retention and use period: consistent with the retention and use period described in Article 3

  2. Google Inc. (GA)

• Items of personal information transferred: information about user's usage behavior (cookies, device/browser related data, IP address, activity information within the site/app)

• Country of transfer: United States

• Date and time of transfer and method of transfer: frequent transfers through information and communication networks during service delivery

• Name/contact information of the transfer recipient: Google LLC Privacy Team, googlekrsupport@google.com

• Purpose of use of personal data of transfer recipient: prehension and analysis of usage methods.

• Recipient’s retention and use period: 26 months

Article 6. (Use and Provision of Personal Data within the Scope Reasonably Related to the Purpose of Collection)

The company may use or provide personal data to third parties without the consent of the user, taking into account the following criteria within reasonable scope for the purpose of the original collection.

1. Whether it is related to the original collection purpose: determining whether the original collection purpose and the purpose of additional use and provision are related to the nature or tendency.

2. Whether additional use or provision of personal data is predictable under circumstances or processing practices collecting personal data: consideration of the relationship between the personal data processor and the user, technology level and speed of technical development, and general reason (practices) established over a considerable period of time.

3. Whether the user's interests are unjustly infringed: determining whether the user's interests are substantially violated in relation to the purpose of additional use and whether the infringement of the relevant interests is unjust, etc.

4. Whether measures necessary for securing safety, such as pseudonymization or encryption, have been taken: determining whether safety measures are taken in consideration of the possibility of infringement, etc.

Article 7. (Rights and Obligations of User, Its Statutory Agent and Method of Exercising Them)

① The user's personal data is notified that it is being transferred to the Republic of Korea, where the company is located, and accordingly, the company is obligated to implement technical and administrative protective measures for legitimate transfer.

② Users can request the company to access, correct, delete, and stop processing personal data at any time, and exercise rights such as the right to data portability, object, and reject automated individual decision-making including profiling [2].

③ When providing information to users, the company should provide information in a concise, transparent, easy-to-understand, and accessible format.

④ When providing information to users, the company may provide information in writing, by electronic means, or verbally.

⑤ The rights under paragraph ② can be exercised in writing, e-mail, etc., and the company must provide information to the user within one month from the date of request, and may extend it to two months if necessary, considering the complexity and number of requests. However, the company is obligated to notify the user of the extension and the reason for delay.

⑥ If the company does not comply with the user's request, the personal data processor under the Korean law and the personal data controller under the GDPR must file a complaint with the supervisory authority and notify the user that they can receive judicial relief within a month.

⑦ The company should provide information to users for free.

⑧ The exercise of rights under paragraph ② may be conducted through a legal representative of the user or a person who has been delegated. In this case, the user must submit a power of attorney to confirm the delegation to the trustee.

⑨ As stipulated by relevant laws and regulations, such as the Personal Information Protection Act of Republic of Korea and GDPR of EU, the exercise of rights such as users' requests to access, correct, delete, and stop processing personal data, and the right to data portability, object, and reject automated individual decision-making including profiling  may be restricted.

⑩ Requests for correction and deletion of personal data cannot be requested if the personal data is specified as a collection target in other laws.

⑪ The company verifies whether the person who requested access, correction, deletion or suspension of processing according to user rights is the person or a legitimate agent.

⑫ Users must be informed that they may withdraw their consent at any time and that they can exercise their rights before providing consent.

⑬ The rights under paragraph ② shall be as easily exercised as the provision of consent, and withdrawal of consent shall not affect the legality of information processing based on consent prior to withdrawal.

⑭ The user has the right to file a complaint with the supervisory authority of the country where he/she is located, especially where he/she resides, works, or is suspected of infringement, if the processing of personal data violates this regulation.

Article 8. (Destruction of Personal Data)

① Where personal data becomes unnecessary because of expiration of the personal data retention period, achievement of the purpose of processing, etc., the company shall immediately destroy the relevant personal data.

② In the event that the company must continue to preserve the personal data in accordance with Article 3, Paragraph ② even when the personal data retention period agreed by the data subject has elapsed or the purpose of processing has been achieved, the company may move the personal data to a separate database or store it in a different storage location.

③ The procedure and method of destroying personal data are as follows.

1. Destruction procedure: the company selects personal data for which the cause for destruction occurs, and destroys personal data with the approval of the company’s Chief Privacy Officer.

2. Destruction method: the company destroys personal data recorded and kept in the form of an electronic file so that records cannot be reproduced, and the personal data recorded and kept in paper documents is shredded by a shredder or incinerated and destroyed.

④ The company converts users who do not use the service for a year or a period of time that the user has separately agreed to, into a dormant account, and stores personal data separately. The company destroys the personal data stored separately without delay after 4 years of storage.

⑤ If the user doesn't want to switch to a dormant account, he/she can log in to the service before switching to a dormant account. In addition, even if it is converted to a dormant account, if the user log in, he/she can use the normal service by restoring the dormant account according to the user's consent.

Article 9. (Personal Data Security Securement Measures)

The company is taking the following measures to ensure the safety of personal data.

1. Managerial measures: establishing an internal management plan, regular employee training, etc.

2. Technical measures: technical measures against hacking, encryption of personal data, access authority management of personal data processing systems, storage of access records and prevention of forgery, etc.

3. Physical measures: Control access to server rooms, archive rooms, etc.

Article 10. (Matters concerning Installation, Operation, and Refusal of Automatic Personal Data Collection Devices)

In order to provide individual customized services to users, the company uses a "cookie" that stores usage information and loads it frequently as follows. Cookies are a small amount of information that the server used to run the website sends to the user's computer browser, and they are also stored on the hard disk of the user's PC.

1. Purpose of using cookies: Analyze user’s access frequency and visit time, identify user service usage pattern, track user's traces, secure connection status, number of users, etc. to improve security management and service development, customized service and advertisement.

2. Installation, operation and refusal of cookies: Service users have the right to select of installing cookies. Therefore, the user can refuse to save the cookie by changing the settings of the option in a web browser as shown below.

• Internet Explorer: Tools → Internet Options → Privacy → Advanced → select the options to block the cookies

• Microsoft Edge: …(click the settings and more icon …) → Settings → Cookies and site permissions → select the options to block the cookies

• Chrome: → Settings → Privacy and Security → Cookies and other site data → select the options to block the cookies

  3. Refusing to save cookies can cause difficulties with some services.

Article 11. (Person in charge of Personal Data Protection)

① The company designates a person in charge of personal data protection for the Korea Personal Information Protection Act to handle complaints and remedy damages from users as follows:

Chief Privacy Officer

• Name: Myungsu Chae

• Position: Chief Executive Officer

• Contact: privacy@nota.ai

② Users can inquire about all personal data protection inquiries, complaints, and damage relief that occurred while using the company's service (or business) to Chief Privacy Officer and the department in charge below.

• Department: Compliance Team

• Contact: +82 2-555-8659 (Representative), privacy@nota.ai

③ In accordance with EU General Data Protection Regulation, the company separately designates the Data Protection Officer.

Data Protection Office

• 123 Factory UG (haftungsbeschränkt)

• Contact: hello@123factory.de

• Address: Mariendorfer Damm 1 (The Driver GmbH), 12099 Berlin, Germany

Article 12. (Change of Personal Data Processing Policy)

The company may revise its personal data processing policy for the purpose of reflecting changes in laws or services. If the personal data processing policy is changed, the company will post the change at least 7 days before the effective date, and it will be notified separately by e-mail. The revised personal data processing policy will take effect on the date of entry. However, if a significant change in user rights occurs, such as changes in the items of personal data to be collected and the purpose of use, the company will notify the user at least 30 days in advance.

This personal data processing policy is effective from August 30th, 2022.

[1] pseudonymous data is the data that cannot identify a specific individual without additional information, such as deleting part of personal information or replacing part or all of it, and corresponds to personal data.

[2] Profiling refers to the processing of all forms of automated personal data using personal information to analyze or predict aspects of work performance, economic conditions, health, personal preferences, interests, reliability, behavior, location, or movement of natural persons.