This Privacy Policy applies to the SteadySeller.com website, the mobile applications provided by the Company, and related services (collectively, the 'Service'). SteadySeller.com ('we,' 'our,' or 'us') is committed to protecting users' personal information. In this policy, 'user' includes direct Service users and visitors, as well as users of SteadyBackend customers' client services whose personal information we process as an entrusted processor. This policy outlines how we collect, use, and protect personal information processed in connection with the Service.
Personal Information We Process
We may collect or process the following personal information:
1. Personal Information Processed Universally
- Personal Information: Your name, email address, phone number, and any other information you voluntarily provide.
- Device and Usage Data: Information about the device you use to access our website, app, or related services, including IP address, browser type, operating system, app version, and pages visited.
- Cookie data used to enhance your experience and collect analytics. You can disable cookies in your browser settings if you prefer.
2. Personal Information Processed by Service
Common to Mobile Applications
- Device identifiers generated or checked when using the Service or linking a device (for example, Android ID or iOS Vendor Identifier)
- Device model and operating system version
- App version and build number
- Device language and country settings
- Push notification tokens (for example, FCM or APNs tokens) and notification permission status used to provide notifications and sync device state
- Location search terms, selected coordinates, address or place search results, distance measurement, or directions request information processed when using location-based features
- Saved place names, notes, and coordinates entered in the app. Saved places are not synced to our servers and are stored in the app storage on the user's device. Search terms or coordinates may be processed to the extent necessary when using network features such as location search, detail lookup, or sharing.
- In apps that provide advertising, advertising identifiers and ad events such as impressions, clicks, and errors used for ad delivery, frequency control, invalid traffic prevention, and performance measurement
When You Use Quick Sign-In or External Authentication
- Identifiers, email address, email verification status, name or nickname, and profile image URL provided by an external authentication provider or authentication service
- Status of linking, unlinking, or relinking a quick sign-in account with a SteadySeller.com account, linked timestamp, last login timestamp, and related audit records
- External account identifiers and selected profile information passed through external authentication providers such as Google, GitHub, Kakao, and Apple ID, and through authentication services such as Logto
- IP address, User-Agent, authentication request and response status, error reasons, and access or usage records used for login security, abuse prevention, and account linking verification
- We do not store authentication tokens themselves from external authentication providers, such as access tokens, refresh tokens, or ID tokens, in the SteadySeller.com user session or member information. However, the authentication service provider may separately retain tokens or authentication-related information in accordance with its own policy and service settings.
When You Use Payments or Subscriptions
- Product names, payment method category, transaction or order identifiers, payment amount, currency, payment, cancellation, or refund status, and processing timestamps that may be checked when handling paid services, donations, subscriptions, or refunds
- Product IDs, purchase tokens or receipt information, original transaction IDs, subscription periods, renewal, cancellation, refund, or billing grace period status, and paid feature access grant or revocation records needed to provide paid features, restore purchases, and check subscription status
- For web payments, the payment processor or digital wallet provider may directly process the payment details, and we may review or retain only the minimum information necessary for transaction verification, settlement, refunds, and dispute handling.
- For app marketplace payments, platform operators such as the Apple App Store or Google Play directly process billing details, and we may review only the purchase item information, transaction status, subscription renewal, cancellation, or refund status, and information needed for customer support.
- We do not directly collect or store full payment method details such as card numbers or bank account numbers. Payment method details are processed directly by the payment processor or app marketplace operator.
When You Use SteadyBackend
- SteadyBackend administrator and service contract information: linked admin account, email address, name, permission status, package application, payment, contract information, usage, and settlement records
- Client service registration information: client name, identifier, platform, icon or service URL, version, policy information, client secret key, admin secret key, and API token identifiers
- OAuth/OIDC client and permission information: client app name, identifiers, redirect URIs (where users return after authentication), allowed scopes (permission ranges), API resources and audiences (token usage targets), consent screen display information, and privacy policy or terms URLs
- Client user management information: external service code, external user ID, login ID, email address, phone number, name, nickname, profile image URL, language, time zone, authentication, consent, login status, and related timestamps
- Client user authentication and security information: password hashes, refresh token hashes, password reset token hashes, failed login counts, lock status, and login records
- OAuth/OIDC authentication, consent, and token operation information: OIDC subjects (external authentication account identifiers), client IDs, grant types (authentication flows), requested and approved scopes (permission ranges), consent histories, authorization code or token identifiers, hashes, expiration and revocation records, issuer, audience, callback processing results, IP address, User-Agent, and security logs
- License and assignment information: license key, license name, status, usage period, assignee name, email address, reference value, and assignment history
- Push messaging operation information: FCM or APNs token, platform, device, app, language, and country information, notification permission status, push title, body, image, link, data payload, delivery targets, results, errors, and receipts
- Open API and usage records: called endpoint, request timestamp, processing result, usage and quota calculation records, and billing or settlement usage snapshots
- Metadata and operational records entered by the client administrator or transmitted through the API. The client administrator must manage the data in advance so that sensitive information or unique identification information is not included.
When You Use AI-Assisted Features
- System instructions, prompts, request content, and conversation context entered into AI chat or content generation features
- AI responses, generated outputs, and product, brand, company profile, or business service information saved or applied by the user
- AI API usage and operation metadata such as model name, request identifier, token usage, processing timestamp, and success or error status
- We do not use AI feature inputs or outputs to train our own AI models. Any use by external AI providers for model training or service improvement, and any related opt-out method, is governed by the provider's policy and our contract or service settings with that provider.
- You must not enter sensitive information, unique identification information, non-public personal information, trade secrets, or information that may infringe third-party rights into AI features.
Push Notification Tester
- Platform information (e.g., Android or iOS)
- Push notification type (e.g., FCM or APNs)
- FCM or APNs token (Registration Token, Device Token)
- Push notification title and body
- iOS-specific: Bundle Identifier, Team ID, APNs Key ID
- Custom payload content
- Push notification delivery result, success status, and request time
- Note: Details of the Service Account File and the APNs Key File (e.g., the Private Key) are not collected.
Purposes of Using Personal Information
We use personal information for the following purposes:
- To improve our Service and user experience.
- To process member registration, login, quick sign-in, account linking, unlinking, relinking, account verification, and abuse prevention.
- To provide app notifications, check device compatibility, manage app versions, and improve service stability.
- To provide location-based app features such as location search, map display, saved place management, distance measurement, directions, and location sharing.
- To provide mobile app advertising, control ad frequency, prevent invalid traffic, and measure advertising performance.
- To process payments, subscription renewals or cancellations, refunds, transaction verification, and dispute handling.
- To verify paid product purchases, restore purchases, provide paid features, check subscription status, and manage paid feature access.
- To operate SteadyBackend client services, manage client users, licenses, policies, and push messaging, provide APIs, calculate usage, process billing and settlement, and provide customer support.
- To authenticate SteadyBackend Open API requests, prevent abuse, control access, enforce usage limits, and manage security logs.
- To operate SteadyBackend OAuth/OIDC authentication APIs, manage user consent and scopes (permission ranges), issue, verify, and revoke tokens, and control access for client apps and API resources.
- To support AI chat and content generation, review and apply generated outputs, check AI API usage, and manage costs, errors, and security.
- To respond to your inquiries and provide customer support.
- To send newsletters, updates, and promotional materials (with your consent).
- To comply with legal obligations or resolve disputes.
Criteria for Additional Use or Provision of Personal Information
We use and provide personal information within the processing purposes disclosed in this Privacy Policy. If additional use or provision of personal information is necessary, we comprehensively consider the following factors in accordance with applicable law:
- Whether the additional use or provision is related to the original purpose of collection
- Whether the relevant user could reasonably foresee the additional use or provision in light of the circumstances of collection or processing practices
- Whether the additional use or provision unfairly infringes the interests of the relevant user
- Whether necessary safeguards such as pseudonymization or encryption have been applied
- Additional use or provision under these criteria is reviewed by the Chief Privacy Officer or responsible department, and where necessary we will obtain consent or another lawful basis.
External Service Providers
We may use the following external service providers in connection with cloud infrastructure, authentication, quick sign-in, security, push messaging, payments, map and location-based features, mobile advertising, AI features, and app marketplace operations, and each provider may process personal information under its own privacy policy.
We do not provide personal information to third parties except in the following cases:
- Where the user has given separate prior consent
- Where disclosure is required by applicable law or a lawful request from an investigative or supervisory authority
- Where disclosure is clearly necessary to protect the life, body, or property of the user or a third party
Entrustment of Personal Information Processing
We may entrust certain tasks to external service providers to operate the Service, and we may process personal information as an entrusted processor for SteadyBackend customers' client service operations. Information that an external authentication provider directly collects or processes from the user on its own login screen is governed by that provider's privacy policy, and the scope below is based on the authentication results we receive or store and the account linking tasks we use to provide the Service. The major entrusted tasks, processing scopes, and processing boundaries for external authentication providers include the following:
- Tasks entrusted by SteadyBackend customers (client administrators) to SteadySeller.com: client user management, authentication and consent record management, license management, push message delivery and delivery result management, client version and policy management, API provision, and operational support
- SteadyBackend customers must, as the personal information controller or entrusting party for their own service, provide necessary notices, obtain consents, or establish another lawful basis for their client users. We process personal information only within the entrusted processor role based on the customer's contract, settings, API requests, or other instructions.
- The customer is responsible for disputes or damages arising from the customer's instructions, input data, delivery requests, or client service operation violating applicable law, third-party rights, or the scope of the customer's own notices, consents, or other lawful basis. This does not exclude liability caused by our intent or negligence or liability that cannot be excluded under applicable law.
- SteadyBackend entrusted tasks may involve processing by external processors or sub-processors for cloud infrastructure, push messaging, email, security, spam prevention, and similar operations necessary to provide the Service. The main processors and overseas processing destinations are disclosed in this section and in the overseas transfer section.
- Amazon Web Services: web service hosting, file storage such as images, CDN delivery, email delivery, and log/security operation support
- Apple Inc. / APNs: iOS push message delivery support
- Cloudflare, Inc. / Turnstile: spam and bot prevention and CAPTCHA verification
- Logto / Silverhand Inc.: quick sign-in and SteadyBackend OAuth/OIDC authentication, account linking, token issuance and verification support, and consent and authentication log management
- External authentication providers (including Apple Inc., Google LLC, GitHub, Inc., and Kakao Corp.): external account authentication selected by the user, external account login screens, authentication results, and basic profile information. Information that an external authentication provider directly collects or processes on its own login screen is governed by that provider's privacy policy.
- Google LLC / Firebase: authentication, push messaging, app operation support, and incident response
- Google LLC / Google Analytics: web usage analytics
- Google LLC / Google Maps Platform: support for map display, location search, geocoding, place information, directions, and other location-based features
- Google LLC / Google AdMob and Google Mobile Ads: mobile app ad delivery, advertising performance measurement, invalid traffic prevention, and ad operation support
- OpenAI, L.L.C. / API: AI chat, content generation support, and AI API operation
- PayPal: web payment processing and payment-related verification
- When entering into entrustment agreements, we require the service provider to comply with applicable privacy laws, including prohibitions on processing personal information outside the entrusted purpose, privacy protection, restrictions on re-entrustment, security measures, management and supervision, and liability for damages. If the entrusted task or service provider changes, we will disclose the change through this Privacy Policy.
Overseas Processing and Transfer of Personal Information
We may use overseas providers for cloud, authentication, push, analytics, payment, security, map and location-based features, mobile advertising, and AI services, and personal information may therefore be processed or transferred outside your country. Information that an external authentication provider directly collects or processes from the user on its own login screen is governed by that provider's privacy policy. We disclose the following based on the authentication results we receive and the processing or storage entrusted to authentication service providers. The main cases include:
- Legal basis for overseas transfer: processing entrusted or stored as necessary to enter into or perform the service contract, or processing necessary to provide cloud infrastructure, authentication, payment, push, security, map and location-based features, mobile advertising, and AI features, and, where required, consent or another lawful basis permitted by applicable law.
- Amazon Web Services: United States and other locations / transmitted or stored over the network when you use the Service, upload images, receive emails, or use APIs / account and contact information, uploaded files and metadata, email recipients and body content, access and usage records, SteadyBackend operation information, etc. / web service hosting, storage, CDN, email delivery, security, and incident response
- Apple Inc. (APNs): United States and other locations / transmitted over the network when iOS push messages are sent / push tokens, message title, body, and payload / iOS push message delivery
- Cloudflare, Inc. (Turnstile): United States and other locations / transmitted over the network when CAPTCHA is displayed and verified / CAPTCHA token, IP address, browser, device, and verification-related information / spam and bot prevention and service security
- Logto / Silverhand Inc.: United States, European Union, Australia, or other countries based on the Logto Cloud service region selected by us and countries necessary for authentication service operations / transmitted or stored over the network when quick sign-in, account linking, SteadyBackend OAuth/OIDC authentication, or token requests are processed / external authentication identifiers, email address, name or nickname, profile image URL, authentication and authorization data, scopes (permission ranges), client IDs, token identifiers, expiration and revocation records, IP address, login, consent, and audit logs / quick sign-in authentication, OAuth/OIDC authentication API provision, account linking, security, and abuse prevention
- Apple Inc., Google LLC, GitHub, Inc., and Kakao Corp.: countries where each external authentication provider operates its service / directly transmitted by the user or received as authentication results when the user signs in with or links the relevant external account / external account identifier, email address, name or nickname, profile image, authentication status, and authentication result / external account authentication, external account login screens, and basic profile information
- Google LLC (Firebase, Google Analytics, Google Maps Platform, Google AdMob, and Google Mobile Ads): United States and other locations / transmitted over the network when you use the app or web service, map or location search features, push notifications, analytics, or advertising / device identifiers, access and usage information, app notification linkage information, location search terms, selected coordinates, map or place lookup request information, advertising identifiers, and ad event information / authentication, push notifications, analytics, map and location-based features, mobile app advertising, and incident response
- OpenAI, L.L.C.: United States and other locations / transmitted over the network when you use AI chat or content generation features / prompts, system instructions, conversation context, generated outputs, model names, request identifiers, token usage, etc. / AI response generation, content generation support, and AI API operation
- PayPal: United States and other locations / transmitted over the network when you make a payment / transaction information necessary for payment processing / payment processing and fraud prevention
- Recipient contact and retention/use period: governed by each provider's privacy policy or service terms, and policy links for the main providers are disclosed in the external service providers section. You may contact our Customer Center or email us for further details.
- How to refuse overseas transfer and effect of refusal: users may contact our Customer Center or email us to ask about or refuse overseas transfer. However, if a user refuses cloud, authentication, payment, push, security, map and location-based features, mobile advertising, or AI processing that is necessary to provide the relevant feature or Service, the relevant feature or Service may be restricted.
User Privacy Rights and How to Exercise Them
Under applicable law, users or their legal representatives may exercise the following rights through our Customer Center or by email.
- Request access to, correction of, deletion of, suspension of processing of, or withdrawal of consent for personal information
- Ask about processing history, retention periods, and the status of third-party provision or entrustment
- Ask about quick sign-in account linking status, unlinking, relinking, or related authentication records
- Requests from SteadyBackend client service users to withdraw OAuth/OIDC consent, unlink an app, or revoke tokens are handled primarily by the SteadyBackend customer operating the relevant client service, and we support such requests as necessary based on the customer's reasonable instructions.
- Requests from SteadyBackend client users to access, correct, delete, suspend processing of, withdraw consent for, or opt out of push notifications for their personal information are handled primarily by the SteadyBackend customer operating the relevant client service, and we support such requests as necessary based on the customer's reasonable instructions.
- Request account withdrawal or deletion, or object to service restriction measures
- We will process rights requests without undue delay after verifying the requester's identity in accordance with applicable law, and where necessary we will explain the outcome or the reason a request cannot be fulfilled.
Account Withdrawal and Account Deletion
If you wish to withdraw from membership or delete your account, please submit a request through our Customer Center, by email, or through any account deletion option separately provided within the Service.
- Deleting an app or discontinuing use of the Service alone may not automatically complete account deletion or personal data deletion.
- If the Service provides an account deletion menu, you may also submit the deletion request directly through that menu.
- When account deletion is requested, we will delete the relevant information without undue delay or process it in an irrecoverable manner, except where retention is required by applicable law.
- Information that must be retained for legal compliance, dispute response, fraud prevention, payment settlement, or consumer protection may be stored separately for the applicable statutory period.
- Additional materials may be requested where necessary to verify the requester's identity or confirm the facts relevant to the request.
Retention and Use Period of Personal Information
We retain and use personal information until the relevant processing purpose has been achieved, and delete it without undue delay once the purpose has been achieved or a deletion request is received. The following exceptions may apply:
- We retain ordinary personal information only until the relevant processing purpose has been achieved, and delete it without undue delay once a membership withdrawal or deletion request has been completed.
- Saved place information that a user directly stores in a mobile app is not synced to our servers and is stored in the app storage on that device. It may be deleted by deleting the app or using any in-app deletion feature. Minimum records generated when using network features such as location search, detail lookup, advertising, or analytics may be retained for the period necessary for service stability, usage management, error response, and dispute handling.
- SteadyBackend administrator and service contract information is retained for the period necessary to maintain the service contract, process payment and settlement, provide customer support, and respond to disputes, and is deleted without undue delay after contract termination or a deletion request except where retention is required by applicable law.
- SteadyBackend client user information, license assignment information, push tokens, and delivery histories are retained until the customer's deletion request, API deletion processing, termination of the client service, or achievement of the processing purpose. Minimum records necessary for payment and settlement, security, incident response, and dispute response may be stored separately for a limited period.
- SteadyBackend OAuth/OIDC client apps, consent histories, token identifiers, revocation records, and API access logs are retained until the customer's deletion request, app deactivation, contract termination, or achievement of the processing purpose. Minimum records necessary for security, audit, and dispute response may be stored separately for a limited period.
- Quick sign-in and external authentication linkage information is retained for the period necessary to maintain account linking status, provide login, prevent abuse, and respond to disputes. If a user unlinks an account or requests account deletion, we deactivate or delete the information except for records that must be retained under applicable law.
- AI chat conversations are not stored in the service database. However, if a user saves or applies an AI suggestion, the generated output and AI metadata such as model name and token usage may be retained together with the relevant data. AI API usage logs may be retained for the period necessary to check usage, manage costs, respond to errors or security issues, and handle disputes.
- However, under applicable laws such as the Act on Consumer Protection in Electronic Commerce, etc., records on advertising and display may be retained for six months, records on contracts or subscription withdrawals for five years, records on payment and supply of goods or services for five years, and records on consumer complaints or dispute resolution for three years.
- Where additional retention is required by applicable law, a lawful request from an investigative or supervisory authority, or dispute response needs, the information may be stored separately for the relevant period.
- The minimum access or usage records necessary for service stability, fraud prevention, and security incident response may be retained for a limited period.
Destruction Procedures and Methods
When the retention period expires or the processing purpose has been achieved, we destroy personal information without undue delay.
- Electronic files are deleted using secure methods so that they cannot readily be restored or reproduced.
- Printed materials and paper documents are destroyed by shredding, incineration, or equivalent methods.
- Information that must be retained separately under applicable law is stored apart from ordinary user information and destroyed when the statutory period expires.
Security Measures for Personal Information
We apply necessary technical and organizational safeguards to protect personal information, including access control, encryption in transit, access log retention and review, backup and incident response, vulnerability checks, and internal staff training. However, no online platform is completely secure, and we cannot guarantee absolute data security.
Cookies and Behavioral Data
Our web service may use cookies or similar technologies for user convenience, service improvement, and analytics.
- Cookies may be used to maintain login status, store preferences, and analyze usage statistics.
- You may refuse the storage of cookies or delete cookies that have already been stored through your browser settings.
- On the web service, we currently do not allow third parties to collect browser-based behavioral data for targeted advertising purposes. However, analytics tools such as Google Analytics may use page views, events, and device or browser information for statistical analysis to improve the Service.
- To limit Google Analytics-related collection, you may use your browser's cookie blocking or deletion features, or blocking tools and advertising settings provided by Google.
- Refusing cookies may limit the availability of certain features.
Automated Decisions
We currently do not make fully automated decisions that have a significant effect on a user's rights or obligations.
- SteadyBackend license status checks, API usage limits, and security or abuse detection may be processed for service operation and access control based on customer settings, contract terms, or operational policies, but they are not operated as automated decisions that have a significant effect on a user's rights or obligations.
- If we introduce such automated decisions in the future, we will disclose the criteria and procedures for the decision, how personal information is processed, and how to request refusal or explanation through this Privacy Policy or a separate notice.
Children's Privacy
Our Service is not directed at children under the age of 14, and we do not knowingly collect personal information from children under 14. If collection is unavoidable, we will comply with applicable law, including obtaining consent from a legal representative where required. If we learn that personal information of a child under 14 has been collected without the required legal representative consent, we will delete it without undue delay or take other necessary protective measures. If a SteadyBackend customer entrusts the processing of personal information of children under 14 in its own client service, that customer must establish the required lawful basis, including legal representative consent where applicable, and we process such information only within the entrusted scope based on the customer's lawful instructions.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page, and the footer will indicate the effective date and the last updated date.
Privacy Contact Channel and Request Handling
Questions about this Privacy Policy, requests for access, correction, deletion, or suspension of processing, account withdrawal and account deletion requests, and privacy-related complaints may be submitted through our Customer Center or by using the email address below.
Privacy-related requests submitted through the Customer Center or by email are reviewed by our Chief Privacy Officer and internal handling team, and we may ask for additional information to verify the requester's identity or confirm the facts necessary to process the request.
How to Seek Relief for Privacy Infringement
If our own response to a privacy complaint or request does not resolve the issue, or if you need further assistance, you may contact the following institutions.
- Personal Information Dispute Mediation Committee: +82-1833-6972 / www.kopico.go.kr
- Personal Information Infringement Report Center (KISA): 118 (without area code) / privacy.kisa.or.kr