Privacy Policy of Upstage Co., Ltd. (ver 1.4)

Upstage Co., Ltd. (hereinafter referred to as the 'Company') establishes and discloses the following personal privacy policy in order to protect the personal information of the information subject in accordance with Article 30 of the Personal Information Protection Act and to ensure that grievances related thereto can be dealt with quickly and smoothly. 


- Table of Contents -

Article 1 Purpose of Processing Personal Information 

Article 2 Period of Personal Information Processing and Retention

Article 3 Matters Concerning the Provision of Personal Information to Third Parties

Article 4 Matters Concerning the Consignment of Personal Information Processing 

Article 5 Matters Concerning the Overseas Transfer of Personal Information

Article 6 Rights, Obligations and Methods of Exercise of Information Subjects and Legal Representatives

Article 7 Personal Information Items to be Processed

Article 8 Matters Concerning Procedures and Methods for Destroying Personal Information

Article 9 Matters Concerning Measures to Ensure the Safety of Personal Information

Article 10 Matters Concerning Installation, Operation and Refusal of Automatic Collection of Personal Information. 

Article 11 Matters Concerning the Person in Charge of Personal Information Protection

Article 12 Criteria for Judgment on the Considerations of Each Paragraph of Article 14-2 Paragraph 1 Relating to Additional Use and Provision

Article 13 Department that Receives and Processes Requests for Access to Personal Information

Article 14 Remedies for Infringement of Rights and Interests

Article 15 Matters Concerning Changes to the Privacy Policy



Article 1 Purpose of processing personal information

The Company processes personal information for the following purposes. The personal information being processed will not be used for any purpose other than the purposes specified below, and if the purpose of use is changed, necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act. will be implemented 

[Management of customer inquiries]

Personal information is processed for the purpose of consultation and provision of services, sending contracts and bills, provision of content and customized services, payment, settlement, and debt collection.

 

[Providing Demo experience in Playground]

Personal information inputs from user(s) is processed to provide appropriate contents provided by Demo in Playground.

[Use in Marketing and Advertising]

Personal information collected from user(s) with prior consent to receiving newsletters and marketing information is processed for the purpose of developing new services (products) and providing customized services, providing information for event and advertisement and providing opportunities for participation, providing services and developing advertisements according to demographic characteristics, verifying the validity of services, understanding the frequency of access, or statistics on members' use of the services.

 

Article 2 Period of Personal Information Processing and Retention

The Company processes and retains personal information within the period of retention and use of personal information in accordance with laws and regulations or the period of retention and use of personal information agreed upon at the time of collecting personal information from the information subject. However, the following information is retained for a stated period of time under the reasons below.

A. Information retention under the Company's internal policy

1) Personal information collected for management of customer inauries, as prescribed in Article 7

  • 1 year from the date of processing customer inquiry

2) Personal information collected for providing Demo experience in Playground

  • As soon as the demo function is provided, it is automatically destroyed

B. Information retention under the relevant laws and regulations

1) Records of transactions such as display, advertisement, contract contents and performance in accordance with the "Act on Consumer Protection in Electronic Commerce, etc."

  • Records on display & advertisement: 6 months

  • Records of supply of contracts or subscription withdrawals, payment, goods, etc.: 5 years

  • Records on consumer complaints or disputes: 3 years

2) Storage of communication fact verification data in accordance with the "Protection of Communications Secrets Act"

  • Date and time of subscriber telecommunication, start and end time, subscriber number of the other party, number of uses, location tracking data of the originating base station: 1 year

  • Computer communication, Internet log recording data, access point tracking data: 3 months

 

Article 3 Matters Concerning the Provision of Personal Information to Third Parties

The company shall process the personal information of the information subject only within the scope specified in Article 1 Purpose of processing personal information, and shall provide personal information to third parties only when it falls under Articles 17 and 18 of the Personal Information Protection Act, such that the consent of the information subject is obtained and special provisions of the law dictates it.

 

Article 4 Matters Concerning the Consignment of Personal Information Processing 

The company entrusts the following personal information processing tasks for smooth personal information processing and states in documents like contracts, responsibilities such as prohibition of processing of personal information other than for the purpose of performing entrusted tasks, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of trustees, and compensation for damages in accordance with Article 26 of the 「Personal Information Protection Act」 when consignment contract is concluded. The company also oversees the trustee's safe handling of personal information.

Trustee (Trustee)The content of the entrusted work
Amazon Web Services, Inc.Processing Tasks such as analysis, processing, linkage, editing, correction, recovery, and use of personal information
BREVOSending emails for marketing purposes
salesforceManagement of CUSTOMER DB and Sending EMAILS
ZapierManagement of CUSTOMER DB

In case of amendment in contents of the consignment business or the trustee, it will be disclosed through this Privacy Policy without delay.

 

Article 5 Matters Concerning the Overseas Transfer of Personal Information

The Company entrusts the processing or storage of personal information to parties located outside the country as follows. 

Entrusted partysalesforce
Personal information items to be transferredPersonal information items stipulated in Article 7
Countries to be transferred toJapan
Date and method of transferPersonal information may be transferred by way of transmission over the network at the time of collection and storage on a cloud server managed by the Company.
The corporate name and contact information of the receiving companyCorporate Name: salesforce
Name of the Information Management Officer: Salesforce Data Protection Officer (Salesforce Privacy Team)
contact:
privacy@salesforce.com,
1-844-287-7147
415 Mission St., 3rd Floor
San Francisco, CA 94105, USA
Purpose of use of personal information of the receiving party and the period of retention and use
  • In order to store the Company's personal information
  • - Consistent with the retention period stipulated in Article 2

  • Entrusted partyBREVO
    Personal information items to be transferredPersonal information items stipulated in Article 7
    Countries to be transferred toUnited States, France
    Date and method of transferPersonal information may be transferred by way of transmission over the network at the time of collection and storage on a cloud server managed by the Company.
    The corporate name and contact information of the receiving companyCorporate Name: BREVO
    Information Management Officer Name: Armand Thiberge
    Contact: contact@sendinblue.com
    Purpose of use of personal information of the receiving party and the period of retention and use
  • In order to store the Company's personal information
  • - Consistent with the retention period stipulated in Article 2

  • Entrusted partyZapier, Inc.
    Personal information items to be transferredPersonal information items stipulated in Article 7
    Countries to be transferred toUnited States
    Date and method of transferPersonal information may be transferred by way of transmission over the network at the time of collection and storage on a cloud server managed by the Company.
    The corporate name and contact information of the receiving companyCorporate name: Zaiper, Inc.Name of the Information Management Officer: Wade FosterContact: contact@zapier.com 1-877-381-8743548 Market St. #62411,San Francisco, CA 94104-5401, USA
    Purpose of use of personal information of the receiving party and the period of retention and use
  • In order to store the Company's personal information
  • - Consistent with the retention period stipulated in Article 2

  •  

    Article 6 Rights, Obligations and Methods of Exercise of Information Subjects and Legal Representatives 

    ① The information subject may exercise the right to view, correct, delete, and request suspension of processing of personal information at any time with respect to the Company.

    ② The exercise of rights under paragraph (1) may be made through e-mail infosec @upstage.ai , and the Company will take action on this without delay.

    ③ The exercise of rights pursuant to paragraph (1) may be made through an agent such as the legal representative of the information subject or a person who has been delegated. In this case, a power of attorney in accordance with the form of "Notice on the Method of Processing Personal Information (No. 2020-7)" Form No. 11. must be submitted.

    ④ Requests for viewing and suspension of processing of personal information by information subject may be restricted by Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.

    ⑤ Requests for correction and deletion of personal information cannot be requested if the personal information is specified as the object of collection in other laws and regulations

    ⑥ In the event of a request for access, correction/deletion, or suspension of processing according to the rights of the information subject, the company confirms whether the person making the request for viewing, etc. is the person him/herself or a legitimate agent.

     

    Article 7 Personal Information Items to be Processed 

    ① The Company processes the following personal information items.

    Collection routePurpose of collectionRequired
    Collected during the process of receiving 'contact us' inquiriesProvision of servicesName, email address, telephone number, affiliation (company and department name/school and department name), job function
    Collected in the process of providing demo experiences in PlaygroundProvision of demo experienceData entered by demo user(s)
    Collected through 'contact us' inquiry reception process and various events Use in Marketing and Advertising NewsletterName, Email
    Provision of event and advertising information and opportunities to participateName, email address, telephone number, affiliation (company and department name/school and department name), job function
    Development of new services (products) and provision of customized servicesName, email address, telephone number, affiliation (company and department name/school and department name), job function

    ② The following personal information items may be automatically generated and collected in the course of using the Internet service,

    • IP ADDRESS, COOKIES, MAC ADDRESS, SERVICE USE HISTORY, VISIT HISTORY 

    ③ Others

    • The Company does not provide the Services to children under the age of 14 and does not collect personal information in this regard.

    • If the purpose and items of the member information processed by the Company change, consent of user will be requested in advance in accordance with relevant laws and regulations

    • The Company collects personal information in the following manner and obtains prior consent before collection.

    1. By in which users enter their personal information directly online

    2. By in which personal information is collected offline such as fairs, conferences, and events.

    3. By in which personal information is collected through automatic generation and collection such as cookies, access logs, etc. in the process of using the service

     

    Article 8 Matters Concerning Procedures and Methods for Destroying Personal Information

    ① The Company, when personal information becomes unnecessary, such as when the retention period of personal information has elapsed or the purpose of processing has been achieved, destroys the personal information without delay.

    ② If the personal information retention period agreed by the information subject has passed, or if the processing purpose has been achieved but the personal information must be kept in accordance with the following other laws and regulations, the personal information must be stored, the company preserves the personal information by moving it to a separate database (DB) or by changing the storage location.

    1) Records of transactions such as display, advertising, contract contents and performance in accordance with the "Act on Consumer Protection in Electronic Commerce, etc."

    • Records on display & advertising: 6 months

    • Records of supply of contracts or subscription withdrawals, payment, goods, etc.: 5 years

    • Records on consumer complaints or disputes: 3 years

    2) Storage of communication fact verification data in accordance with the "Protection of Communications Secrets Act"

    • Date and time of subscriber telecommunication, start and end time, subscriber number of the other party, number of uses, location tracking data of the originating base station: 1 year

    • Computer communication, Internet log recording data, access point tracking data: 3 months

    ③ The procedure and method of destroying personal information are as follows.

    1. Destruction Procedure

    The company selects the personal information for which the reason for destruction has occurred, and destroys the personal information with the approval of the person in charge of personal information protection of the company.

    2. Method of destruction

    The company destroys personal information recorded and stored in electronic file format so that the record cannot be reproduced, and personal information recorded and stored in paper documents is crushed or incinerated.

     

    Article 9 Matters Concerning Measures to Ensure the Safety of Personal Information

    The company takes the following measures to ensure the security of personal information. 

    1. Administrative measures: Establishment and implementation of internal management plans, regular staff training, etc. 

    2. Technical measures: Management of access right of personal information processing system, installation of access control system, encryption of unique identification information, installation of security program 

    3. Physical measures: Control of access to computer rooms, data storage rooms, etc.

     

    Article 10 Matters Concerning Installation, Operation and Refusal of Automatic Collection of Personal Information. 

    ① The company uses 'cookies' that store and retrieve usage information from time to time in order to provide customized services to website users

    ② Cookies are small amount of information sent by the server (http) used to operate a website to user’s computer browser, and may be stored on the hard disk of user’s PC.

    A. Purpose of use of cookies: It is used to provide optimized information to users by identifying the types of visits and usage of each service and website visited by users, popular search terms, security of access, etc.

    B. Installation, Operation and Refusal of Cookies: In Internet Explorer, the user can refuse to save cookies through the option settings in the Tools >Internet Options> Privacy menu at the top of the web browser, > in Chrome through the settings menu on the right side of the web browser > the display of advanced settings at the bottom of the screen, the content setting button for personal information, >. 

    C.  If the user refuses to store cookies, the user may experience difficulties in using customized services.

    ③ The company obtains information of user through service sessions. A session is a system file sent from the service server to the user's computer when the user visits the service site, and is a file that stays on the user's computer for a while to maintain the user's connection. These sessions are only used to maintain the current connection and are deleted when the user closes the browser.

    ④ In the case of mobile device, the Company may collect the user's ADID and IDFA. ADID (Android OS) and IDFA (iOS) are the ad identification values of mobile app users. ADID and IDFA are collected and used to provide customized services and benefits optimized for users, such as online personalized advertising.

    1. ADID/IDFA COLLECTION METHOD: Automatically collected when users visit/run the app

    2. ADID/IDFA retention/use period:  1 year from the date of collection

    3. Method of exercise of user control

      A.  Android: > Settings, Google (Google setting) > Ad > Ad Customization deselect

      B. iOS: Setting > Privacy > Ad> Restrict ad tracking

     

    Article 11 Matters Concerning the Person in Charge of Personal Information Protection

    ① The company is generally responsible for the business related to personal information processing, and has designated the person in charge of personal information protection as follows for grievances processing and damage relief of the information subject related to personal information processing.

    ▶ Personal Information Protection Officer

    Name: SeongHwan Cho
    Position: CISO
    Contact: 070-8098-3023, infosec@upstage.ai
     

    ▶ Department in charge of personal information protection

    Department name: Infra&Security
    Person in charge: SeongHwan Cho
    Contact: 070-8098-3023, infosec@upstage.ai
     

    ② The information subject can inquire about all personal information protection inquiries, complaint handling, damage relief, etc. that occur while using the company's services (or business) to the personal information protection officer and the department in charge. The company will respond and handle the inquiries of the information subject without delay.

     

    Article 12 Criteria for Judgment on the Considerations of Each Paragraph of Article 14-2 Paragraph 1 Relating to Additional Use and Provision

    The Company, in accordance with Article 15(3) and Article 17(4) of the 「Personal Information Protection Act」, may additionally use and provide personal information without the consent of the information subject in consideration of the matters in accordance with Article 14-2 of the Enforcement Decree of the Personal Information Protection Act.

    Accordingly, the company considers the following in order for the company to use and provide additional information without the consent of the information subject.

    ▶ Whether or not the purpose for which the additional use and provision of personal information is relevant to the purpose for which it was originally collected

    ▶ Whether or not there is a predictability for further use and provision in light of the circumstances under which the personal information was collected or the processing practices

    ▶ Whether or not the further use and provision of personal information unreasonably infringes on the interests of the data subject

    ▶ Whether or not the company has taken the necessary measures to ensure safety, such as pseudonymization or encryption.

     

    Article 13 Department that Receives and Processes Requests for Access to Personal Information

    The 'Department in Charge of Personal Information Protection' listed in 'Matters Concerning the Person in Charge of Personal Information Protection' in Article 10 is in charge of request of access to personal information.

     

    Article 14 Remedies for Infringement of Rights and Interests

    The information subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency's Personal Information Infringement Report Center in order to obtain relief from personal information infringement. In addition, for other personal information infringement reports and consultations, please contact the following organizations.

     

    1. Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr)

    2. Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)

    3. Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr)

    4. Police Department: (without area code) 182 (cyberbureau.police.go.kr) 

     

    Regarding the request made by the provisions of Article 35 (Viewing of Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension of Processing of Personal Information, etc.) of the Personal Information Protection Act, a person who has been infringed on his / her rights or interests due to a disposition or omission performed by the head of a public institution may request an administrative judgement as provided for by the Administrative Appeals Act. For details on administrative judgments, please refer to the homepage of the Central Administrative Appeals Committee (www.simpan.go.kr).

     

    Article 15 Matters Concerning Changes to the Privacy Policy

    This Privacy Policy is effective as of May 10, 2023.
    The previous privacy policy can be found below.

    • 2023. 02. 03. ~ 2023. 05. 09. Application ( click )

    • Effective for 2022. 11. 03. ~ 2023. 02. 03. ( click )

    • Effective for 2022. 04. 19. ~ 2022. 11. 03. ( click )

    • Effective for 2022. 01. 01. ~ 2022. 04. 18. (click)