Privacy Policy

Personal Information We Process

We may collect or process the following personal information:

1. Personal Information Processed Universally

• - Personal Information: Your name, email address, phone number, and any other information you voluntarily provide.
• - Device and Usage Data: Information about the device you use to access our website, app, or related services, including IP address, browser type, operating system, app version, and pages visited.
• - Cookie data used to enhance your experience and collect analytics. You can disable cookies in your browser settings if you prefer.

2. Personal Information Processed by Service

Purposes of Using Personal Information

We use personal information for the following purposes:

• - To improve our Service and user experience.
• - To provide app notifications, check device compatibility, manage app versions, and improve service stability.
• - To process payments, subscription renewals or cancellations, refunds, transaction verification, and dispute handling.
• - To operate SteadyBackend client services, manage client users, licenses, policies, and push messaging, provide APIs, calculate usage, process billing and settlement, and provide customer support.
• - To authenticate SteadyBackend Open API requests, prevent abuse, control access, enforce usage limits, and manage security logs.
• - To support AI chat and content generation, review and apply generated outputs, check AI API usage, and manage costs, errors, and security.
• - To respond to your inquiries and provide customer support.
• - To send newsletters, updates, and promotional materials (with your consent).
• - To comply with legal obligations or resolve disputes.

Criteria for Additional Use or Provision of Personal Information

In principle, we use and provide personal information only within the processing purposes disclosed in this Privacy Policy. If additional use or provision of personal information is necessary, we comprehensively consider the following factors in accordance with applicable law:

• - Whether the additional use or provision is related to the original purpose of collection
• - Whether the relevant user could reasonably foresee the additional use or provision in light of the circumstances of collection or processing practices
• - Whether the additional use or provision unfairly infringes the interests of the relevant user
• - Whether necessary safeguards such as pseudonymization or encryption have been applied
• - Additional use or provision under these criteria is reviewed by the Chief Privacy Officer or responsible department, and where necessary we will obtain consent or another lawful basis.

External Service Providers

We may use the following external service providers in connection with cloud infrastructure, authentication, security, push messaging, payments, AI features, and app marketplace operations, and each provider may process personal information under its own privacy policy.

• • Apple App Store
• • Apple Push Notification service (APNs)
• • Amazon Web Services
• • Cloudflare Turnstile
• • Google Analytics
• • OpenAI
• • Google Play
• • Google Firebase
• • PayPal

Third-Party Provision of Personal Information

We do not provide personal information to third parties in principle, except in the following cases:

• - Where the user has given separate prior consent
• - Where disclosure is required by applicable law or a lawful request from an investigative or supervisory authority
• - Where disclosure is clearly necessary to protect the life, body, or property of the user or a third party

Entrustment of Personal Information Processing

We may entrust certain tasks to external service providers to operate the Service, and we may process personal information as an entrusted processor for SteadyBackend customers' client service operations. The current major entrusted tasks and processing scopes include the following:

• - Tasks entrusted by SteadyBackend customers (client administrators) to SteadySeller.com: client user management, authentication and consent record management, license management, push message delivery and delivery result management, client version and policy management, API provision, and operational support
• - SteadyBackend customers must, as the personal information controller or entrusting party for their own service, provide necessary notices, obtain consents, or establish another lawful basis for their client users. We process personal information only within the entrusted processor role based on the customer's contract, settings, API requests, or other instructions.
• - The customer is responsible for disputes or damages arising from the customer's instructions, input data, delivery requests, or client service operation violating applicable law, third-party rights, or the scope of the customer's own notices, consents, or other lawful basis. This does not exclude liability caused by our intent or negligence or liability that cannot be excluded under applicable law.
• - SteadyBackend entrusted tasks may involve processing by external processors or sub-processors for cloud infrastructure, push messaging, email, security, spam prevention, and similar operations necessary to provide the Service. The main processors and overseas processing destinations are disclosed in this section and in the overseas transfer section.
• - Amazon Web Services: web service hosting, file storage such as images, CDN delivery, email delivery, and log/security operation support
• - Apple Inc. / APNs: iOS push message delivery support
• - Cloudflare, Inc. / Turnstile: spam and bot prevention and CAPTCHA verification
• - Google LLC / Firebase: authentication, push messaging, app operation support, and incident response
• - Google LLC / Google Analytics: web usage analytics
• - OpenAI, L.L.C. / API: AI chat, content generation support, and AI API operation
• - PayPal: web payment processing and payment-related verification
• - When entering into entrustment agreements, we require the service provider to comply with applicable privacy laws, including prohibitions on processing personal information outside the entrusted purpose, privacy protection, restrictions on re-entrustment, security measures, management and supervision, and liability for damages. If the entrusted task or service provider changes, we will disclose the change through this Privacy Policy.

Overseas Processing and Transfer of Personal Information

We may use overseas providers for cloud, authentication, push, analytics, payment, security, and AI services, and personal information may therefore be processed or transferred outside your country. The current main cases include:

• - Legal basis for overseas transfer: processing entrusted or stored as necessary to enter into or perform the service contract, or processing necessary to provide cloud infrastructure, authentication, payment, push, security, and AI features, and, where required, consent or another lawful basis permitted by applicable law.
• - Amazon Web Services: United States and other locations / transmitted or stored over the network when you use the Service, upload images, receive emails, or use APIs / account and contact information, uploaded files and metadata, email recipients and body content, access and usage records, SteadyBackend operation information, etc. / web service hosting, storage, CDN, email delivery, security, and incident response
• - Apple Inc. (APNs): United States and other locations / transmitted over the network when iOS push messages are sent / push tokens, message title, body, and payload / iOS push message delivery
• - Cloudflare, Inc. (Turnstile): United States and other locations / transmitted over the network when CAPTCHA is displayed and verified / CAPTCHA token, IP address, browser, device, and verification-related information / spam and bot prevention and service security
• - Google LLC (Firebase, Google Analytics): United States and other locations / transmitted over the network when you use the Service / device identifiers, access and usage information, and app notification linkage information / authentication, push notifications, analytics, and incident response
• - OpenAI, L.L.C.: United States and other locations / transmitted over the network when you use AI chat or content generation features / prompts, system instructions, conversation context, generated outputs, model names, request identifiers, token usage, etc. / AI response generation, content generation support, and AI API operation
• - PayPal: United States and other locations / transmitted over the network when you make a payment / transaction information necessary for payment processing / payment processing and fraud prevention
• - Recipient contact and retention/use period: governed by each provider's privacy policy or service terms, and policy links for the main providers are disclosed in the external service providers section. You may contact our Customer Center or email us for further details.
• - How to refuse overseas transfer and effect of refusal: users may contact our Customer Center or email us to ask about or refuse overseas transfer. However, if a user refuses cloud, authentication, payment, push, security, or AI processing that is necessary to provide the relevant feature or Service, the relevant feature or Service may be restricted.

User Privacy Rights and How to Exercise Them

Under applicable law, users or their legal representatives may exercise the following rights through our Customer Center or by email.

• - Request access to, correction of, deletion of, suspension of processing of, or withdrawal of consent for personal information
• - Ask about processing history, retention periods, and the status of third-party provision or entrustment
• - Requests from SteadyBackend client users to access, correct, delete, suspend processing of, withdraw consent for, or opt out of push notifications for their personal information are generally received and handled by the SteadyBackend customer operating the relevant client service, and we support such requests as necessary based on the customer's reasonable instructions.
• - Request account withdrawal or deletion, or object to service restriction measures
• - We will process rights requests without undue delay after verifying the requester's identity in accordance with applicable law, and where necessary we will explain the outcome or the reason a request cannot be fulfilled.

Account Withdrawal and Account Deletion

If you wish to withdraw from membership or delete your account, please submit a request through our Customer Center, by email, or through any account deletion option separately provided within the Service.

• - Deleting an app or discontinuing use of the Service alone may not automatically complete account deletion or personal data deletion.
• - If the Service provides an account deletion menu, you may also submit the deletion request directly through that menu.
• - When account deletion is requested, we will delete the relevant information without undue delay or process it in an irrecoverable manner, except where retention is required by applicable law.
• - Information that must be retained for legal compliance, dispute response, fraud prevention, payment settlement, or consumer protection may be stored separately for the applicable statutory period.
• - Additional materials may be requested where necessary to verify the requester's identity or confirm the facts relevant to the request.

Retention and Use Period of Personal Information

We retain and use personal information until the relevant processing purpose has been achieved, and delete it without undue delay once the purpose has been achieved or a deletion request is received. The following exceptions may apply:

• - We retain ordinary personal information only until the relevant processing purpose has been achieved, and delete it without undue delay once a membership withdrawal or deletion request has been completed.
• - SteadyBackend administrator and service contract information is retained for the period necessary to maintain the service contract, process payment and settlement, provide customer support, and respond to disputes, and is deleted without undue delay after contract termination or a deletion request except where retention is required by applicable law.
• - SteadyBackend client user information, license assignment information, push tokens, and delivery histories are retained until the customer's deletion request, API deletion processing, termination of the client service, or achievement of the processing purpose. Minimum records necessary for payment and settlement, security, incident response, and dispute response may be stored separately for a limited period.
• - AI chat conversations are not stored in the service database in principle. However, if a user saves or applies an AI suggestion, the generated output and AI metadata such as model name and token usage may be retained together with the relevant data. AI API usage logs may be retained for the period necessary to check usage, manage costs, respond to errors or security issues, and handle disputes.
• - However, under applicable laws such as the Act on Consumer Protection in Electronic Commerce, etc., records on advertising and display may be retained for six months, records on contracts or subscription withdrawals for five years, records on payment and supply of goods or services for five years, and records on consumer complaints or dispute resolution for three years.
• - Where additional retention is required by applicable law, a lawful request from an investigative or supervisory authority, or dispute response needs, the information may be stored separately for the relevant period.
• - The minimum access or usage records necessary for service stability, fraud prevention, and security incident response may be retained for a limited period.

Destruction Procedures and Methods

When the retention period expires or the processing purpose has been achieved, we destroy personal information without undue delay.

• - Electronic files are deleted using secure methods so that they cannot readily be restored or reproduced.
• - Printed materials and paper documents are destroyed by shredding, incineration, or equivalent methods.
• - Information that must be retained separately under applicable law is stored apart from ordinary user information and destroyed when the statutory period expires.

Security Measures for Personal Information

We apply necessary technical and organizational safeguards to protect personal information, including access control, encryption in transit, access log retention and review, backup and incident response, vulnerability checks, and internal staff training. However, no online platform is completely secure, and we cannot guarantee absolute data security.

Cookies and Behavioral Data

Our web service may use cookies or similar technologies for user convenience, service improvement, and analytics.

• - Cookies may be used to maintain login status, store preferences, and analyze usage statistics.
• - You may refuse the storage of cookies or delete cookies that have already been stored through your browser settings.
• - We currently do not allow third parties to collect behavioral data for targeted advertising purposes. However, analytics tools such as Google Analytics may use page views, events, and device or browser information for statistical analysis to improve the Service.
• - To limit Google Analytics-related collection, you may use your browser's cookie blocking or deletion features, or blocking tools and advertising settings provided by Google.
• - Refusing cookies may limit the availability of certain features.

Automated Decisions

We currently do not make fully automated decisions that have a significant effect on a user's rights or obligations.

• - SteadyBackend license status checks, API usage limits, and security or abuse detection may be processed for service operation and access control based on customer settings, contract terms, or operational policies, but they are not operated as automated decisions that have a significant effect on a user's rights or obligations.
• - If we introduce such automated decisions in the future, we will disclose the criteria and procedures for the decision, how personal information is processed, and how to request refusal or explanation through this Privacy Policy or a separate notice.

Children's Privacy

Our Service is not directed at children under the age of 14, and we do not knowingly collect personal information from children under 14. If collection is unavoidable, we will comply with applicable law, including obtaining consent from a legal representative where required. If we learn that personal information of a child under 14 has been collected without the required legal representative consent, we will delete it without undue delay or take other necessary protective measures. If a SteadyBackend customer entrusts the processing of personal information of children under 14 in its own client service, that customer must establish the required lawful basis, including legal representative consent where applicable, and we process such information only within the entrusted scope based on the customer's lawful instructions.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page, and the footer will indicate the effective date and the last updated date.

Privacy Contact Channel and Request Handling

Questions about this Privacy Policy, requests for access, correction, deletion, or suspension of processing, account withdrawal and account deletion requests, and privacy-related complaints may be submitted through our Customer Center or by using the email address below.

Chief Privacy Officer: Kim Yeongsang

Email: [email protected]

Privacy-related requests submitted through the Customer Center or by email are reviewed by our Chief Privacy Officer and internal handling team, and we may ask for additional information to verify the requester's identity or confirm the facts necessary to process the request.

How to Seek Relief for Privacy Infringement

If our own response to a privacy complaint or request does not resolve the issue, or if you need further assistance, you may contact the following institutions.

• - Personal Information Dispute Mediation Committee: +82-1833-6972 / www.kopico.go.kr
• - Personal Information Infringement Report Center (KISA): 118 (without area code) / privacy.kisa.or.kr
• - Supreme Prosecutors' Office: +82-1301 / www.spo.go.kr
• - National Police Agency: +82-182 / ecrm.police.go.kr