Draph, Inc. Privacy Policy

Draph, Inc. (hereinafter "the Company") establishes and discloses this Privacy Policy in accordance with the Personal Information Protection Act and other applicable laws of the Republic of Korea, in order to protect users' personal information and to handle related complaints promptly and efficiently.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. Personal information being processed shall not be used for any purpose other than those stated below. If the purpose of use is changed, the Company will take necessary measures, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.

Membership registration, user identification, member management, and service statistics: Personal information is processed for the purpose of confirming membership registration intent, identifying and authenticating users for membership-based services, maintaining and managing membership status, and analyzing service usage statistics.
Fraud prevention: Personal information is processed for the purpose of detecting and preventing fraudulent use of the Services and blocking unauthorized access.
Service improvement: User-submitted materials (inputs) and AI-generated outputs are processed for the purpose of improving the quality and technology of our AI-based content creation and processing services. Such inputs and outputs consist of advertising banners and marketing materials and do not contain personal information.
Marketing and promotional communications (optional): With the user's separate consent, personal information is processed for the purpose of sending service launches, new feature updates, event information, promotional offers, and other marketing and advertising information via electronic transmission media (email, SMS/MMS, SNS messages, phone calls, etc.). Currently, only email is used for such communications.

Article 2 (Retention and Use Period of Personal Information)

The Company retains and uses personal information within the retention and use period prescribed by applicable laws or within the retention and use period agreed upon at the time of collection from the data subject.
The retention and use period for each category of personal information is as follows:
Email and encrypted password: Retained for 90 days after account termination, then destroyed (internal policy for fraud prevention and dispute resolution).
Fraud-flagged email addresses and fraud records: Retained for 180 days after account termination, then destroyed (internal policy for fraud prevention).
Inputs and outputs: This data consists of advertising banners and marketing materials that do not contain personal information and is retained permanently for service improvement purposes. Users may request deletion at any time.
Email for marketing purposes: Destroyed upon withdrawal of consent to receive promotional information or upon account termination. Users may change (withdraw) their consent settings at any time via [My Page > Edit Account Information].
However, in the following cases, personal information shall be retained until the end of the applicable period:
Where an investigation or inquiry related to a violation of applicable laws is in progress: Until the conclusion of the investigation or inquiry.
Where outstanding claims or obligations from service use remain: Until settlement of such claims or obligations.
Transaction records under the Act on Consumer Protection in Electronic Commerce:
Records relating to labeling and advertising: 6 months
Records relating to contracts, withdrawal of offers, payment, and supply of goods/services: 5 years
Records relating to consumer complaints or dispute resolution: 3 years
Retention of communications data under the Protection of Communications Secrets Act:
Computer communications, internet log records, and access tracking data: 3 months

Article 3 (Categories of Personal Information Processed)

The Company processes the following categories of personal information:

Membership registration, user identification, member management, and service statistics
Items collected: Email, password (stored with one-way encryption/hashing)
Fraud prevention
Items collected: Fraud-flagged email addresses, fraud activity records
Service improvement
Items collected: Inputs (reference materials provided by the user, etc.), outputs (AI-generated content such as banners) * Does not contain personal information
Consent to receive marketing and promotional information (optional)
Items collected: Email

Article 4 (Entrustment of Personal Information Processing)

The Company entrusts personal information processing to the following parties for efficient handling of personal information operations:

[Entrustment Details]

Entrusted party: Amazon Web Services Korea LLC | Entrusted tasks: Cloud infrastructure provision and database management/storage for service operation | Personal information processed: Member information (email, encrypted password, etc.), service usage records, payment records, and all other personal information necessary for service operation | Data storage location: Seoul Region, Republic of Korea (ap-northeast-2) | Entrustment period: Until termination of the entrustment contract
Entrusted party: Stibee, Inc. | Entrusted tasks: Sending newsletters and marketing content via email, sending service-related notification emails | Personal information processed: Email, name | Entrustment period: Destroyed without delay upon completion of entrusted tasks
When entering into entrustment contracts, the Company specifies in the contract documents the prohibition of processing personal information beyond the purpose of the entrusted tasks, technical and administrative safeguards, restrictions on re-entrustment, supervision of the entrusted party, and liability including damages, in accordance with Article 26 of the Personal Information Protection Act. The Company oversees whether the entrusted parties process personal information safely.
Any changes to the content of entrusted tasks or the entrusted parties will be disclosed without delay through this Privacy Policy.

Article 5 (International Transfer of Personal Information)

The Company entrusts personal information processing to the following overseas entity for cloud infrastructure operation:

Recipient: Amazon Web Services, Inc. (United States)
Country of transfer: United States
Timing and method of transfer: Remote access via network at the time of service use
Personal information items transferred: Member information (email, encrypted password, etc.), service usage records, payment records, and all other personal information necessary for service operation
Purpose of use by the recipient: Cloud infrastructure operation and maintenance, system failure response, security management
Retention and use period by the recipient: Until termination of the entrustment contract or until the purpose of personal information processing is achieved

However, the storage and retention of personal information takes place exclusively within the Seoul Region (ap-northeast-2) in the Republic of Korea. Access by the U.S. headquarters may occur only to the minimum extent necessary for infrastructure operation, maintenance, and security management purposes. The Company takes necessary measures to ensure that users' personal information is safely protected in accordance with Article 28-8 of the Personal Information Protection Act.

Article 6 (Procedures and Methods for Destruction of Personal Information)

The Company destroys personal information without delay when it becomes unnecessary due to expiration of the retention period, achievement of the processing purpose, or other reasons.
Where personal information must continue to be retained pursuant to other laws despite the expiration of the agreed-upon retention period or achievement of the processing purpose, such personal information shall be transferred to a separate database (DB) or stored in a different location for retention.
The procedures and methods for the destruction of personal information are as follows:
Destruction procedure: The Company selects personal information subject to destruction and destroys it with the approval of the Company's Personal Information Protection Officer.
Destruction method: Information in electronic file format is destroyed using technical methods that render the records irreproducible. Personal information printed on paper is destroyed by shredding or incineration.

Article 7 (Rights and Obligations of Data Subjects and Legal Representatives, and Methods of Exercising Such Rights)

Data subjects may exercise their rights to request access to, correction, deletion, or suspension of processing of their personal information from the Company at any time.
Such rights may be exercised in writing, by email, or by fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
The rights under Paragraph 1 may be exercised through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed by Annex No. 11 of the Public Notice on Methods of Processing Personal Information (No. 2020-7) must be submitted.
The exercise of rights under this Article may be restricted pursuant to Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
Requests for correction or deletion of personal information may be restricted where such personal information is specified as a subject of collection under other laws.
The Company verifies whether the person making the request for access, correction/deletion, or suspension of processing is the data subject or a legitimate representative.

Article 8 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures to ensure the security of personal information:

Administrative measures
Regular internal audits: Internal audits are conducted on a regular basis (once per quarter) to ensure the security of personal information handling.
Minimization and training of personal information handlers: The number of employees handling personal information is minimized by designating and limiting access to authorized personnel only.
Establishment and implementation of an internal management plan: An internal management plan has been established and implemented for the safe processing of personal information.
Technical measures
Technical countermeasures against hacking: The Company installs security programs and performs periodic updates and inspections to prevent the leakage and corruption of personal information caused by hacking or computer viruses. Systems are installed in access-controlled areas and are technically and physically monitored and blocked.
Encryption of personal information: Users' passwords are stored and managed using one-way encryption (hashing), so that no one, including the Company's officers and employees, can view or restore the original password. Other sensitive data is protected through encryption of files and transmitted data or through the use of file locking features.
Retention and tamper-prevention of access logs: Access logs to personal information processing systems are retained and managed for at least one year. Where personal information of 50,000 or more data subjects is added, or where unique identifying information or sensitive information is processed, such logs are retained for at least two years. Security features are used to prevent tampering, theft, or loss of access logs.
Physical measures
Access restrictions to personal information: Access controls are implemented through the granting, modification, and revocation of access rights to database systems processing personal information, and intrusion prevention systems are used to block unauthorized external access.
Use of locking devices for document security: Documents and auxiliary storage media containing personal information are kept in secure locations with locking devices.
Access control for unauthorized personnel: Physical storage locations for personal information are maintained separately, and access control procedures are established and operated.

Article 9 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)

The Company uses 'cookies' that store and retrieve usage information to provide individually customized services to users.
Cookies are small pieces of information sent by the server operating the website to the user's computer browser and may be stored on the user's hard drive.
Purpose of cookie use: Cookies are used to analyze visit and usage patterns, popular search terms, security access status, etc. for each service and website visited, in order to provide optimized information to the user.
Installation, operation, and rejection of cookies: You may refuse cookie storage through the following methods:
[Web]
Internet Explorer: Tools at the top of the browser > Internet Options > Privacy menu options
Microsoft Edge: Menu at the top of the browser > Settings > View Advanced Settings > Cookie menu options
Chrome: Menu at the top of the browser > Settings > Advanced > Content Settings > Cookie menu options
Chrome Mobile: Chrome App > More (top right) > History > Clear Browsing Data > Select time range > Check "Cookies and site data" and "Cached images and files" > Clear data
Safari Mobile: Safari App > Clear History and Website Data > Confirm
Naver Mobile: Naver App > Settings > Clear Cache + Browsing History > Clear Cookies
Refusing to store cookies may result in difficulty using customized services.

Article 10 (Collection, Use, Provision, and Rejection of Behavioral Information)

The Company collects and uses behavioral information to provide data subjects with optimized customized services, benefits, and targeted online advertising during the course of service use.
The Company collects behavioral information as follows:
Behavioral information items collected: Service usage history including visits, searches, and purchases within the website/app
Method of collection: Automatically collected during website/app use
Purpose of collection: To provide personalized product recommendation services (including advertising) based on the user's interests and preferences
Retention/use period and subsequent processing: Destroyed upon account termination
The Company permits the following online targeted advertising providers to collect and process behavioral information:
Advertising provider collecting and processing behavioral information: Google LLC (Google Analytics, Google Ads)
Method of collection: Automatically collected and transmitted when the user visits the Company's website or launches the app
Behavioral information items collected/processed: Web/app visit history, search history, purchase history
Retention/use period: Up to 14 months from the date of collection (per Google Analytics default policy)
The Company collects only the minimum behavioral information necessary for online targeted advertising and does not collect sensitive behavioral information that could clearly infringe upon the rights, interests, or privacy of individuals, such as ideology, beliefs, family relationships, educational or medical history, or other social activity records.
The Company collects and uses advertising identifiers for online targeted advertising in mobile apps. Data subjects may block or allow targeted advertising in apps by changing the settings on their mobile devices.
Data subjects may block or allow online targeted advertising collectively by changing their web browser cookie settings. However, changing cookie settings may affect the use of certain services such as automatic website login.

Article 11 (Criteria for Additional Use and Provision)

The Company may additionally use or provide personal information without the data subject's consent in accordance with Article 15, Paragraph 3 and Article 17, Paragraph 4 of the Personal Information Protection Act, considering the matters prescribed in Article 14-2 of the Enforcement Decree of the same Act. The Company has considered the following matters for such additional use or provision without consent:

Whether the purpose of additional use or provision is related to the original purpose of collection
Whether there is predictability of additional use or provision in light of the circumstances of collection or processing practices
Whether additional use or provision unfairly infringes upon the interests of the data subject
Whether necessary measures for ensuring safety, such as pseudonymization or encryption, have been taken

Article 12 (Personal Information Protection Officer)

The Company has designated the following Personal Information Protection Officer to oversee personal information processing operations and to handle complaints and remedies related to personal information processing:

Personal Information Protection Officer

Department: R&D Team
Contact person: Taehoon Kim
Contact: hi@draph.ai
Data subjects may direct all inquiries, complaints, and remedies related to personal information protection arising from the use of the Company's services to the Personal Information Protection Officer and the responsible department. The Company will respond to and process such inquiries without delay.

Article 13 (Department for Receiving and Processing Personal Information Access Requests)

Data subjects may submit requests for access to personal information under Article 35 of the Personal Information Protection Act to the privacy protection department specified in the preceding Article. The Company will endeavor to process data subjects' access requests promptly.

Department: R&D Team
Contact person: Taehoon Kim
Contact: hi@draph.ai

Article 14 (Remedies for Infringement of Data Subject Rights)

Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center, or other organizations to obtain remedies for personal information infringement. For reports or consultations regarding personal information infringement, please contact the following organizations:
Personal Information Dispute Mediation Committee: 1833-6972, www.kopico.go.kr
Personal Information Infringement Report Center: 118, privacy.kisa.or.kr
Supreme Prosecutors' Office: 1301, www.spo.go.kr
National Police Agency: 182, ecrm.cyber.go.kr
The Company is committed to guaranteeing data subjects' right to informational self-determination and to providing consultations and remedies for personal information infringement. For reports or consultations, please contact the privacy protection department specified in Article 12.
Department: R&D Team
Contact person: Taehoon Kim
Contact: hi@draph.ai

Article 15 (Changes to This Privacy Policy)

This Privacy Policy is effective as of March 11, 2026.