Upstage service privacy policy

Upstage Co., Ltd. (here in after referred to as the “Company”) is committed to protecting the personal information of its users in accordance with the ｢Personal Information Protection Act｣ and to ensure that any complaints regarding the same are promptly and smoothly addressed, hereby establishes this Privacy Policy.

The table of contents for this Privacy Policy is as follows. It includes the mandatory items for a privacy policy required by law and other items deemed important by Upstage for the protection of user privacy.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than those listed below, and if the purpose of use changes, separate consent will be obtained in accordance with the ｢Personal Information Protection Act｣, or necessary measures will be taken.

Membership sign-up and management For the purpose of verifying and authenticating individuals for membership services, maintaining and managing membership status, preventing and responding to fraudulent use of services, enhancing user security, improving the quality of services, developing new features and services, providing various notifications and communications, and handling complaints.
Provision of goods or services For the purpose of providing services, processing payment and settlement, and providing customized services.
Marketing information utilization For the purpose of sending newsletters, providing event and advertising information, and utilizing demographic characteristics and user interests and preferences for targeted advertising.

Article 2 (Period of retention and holding of personal information)

The company will process and hold personal information within the period of retention and use of personal information under the Act or within the period of retention and use of personal information agreed with the information subject when collecting personal information. However, personal information collected for the following information will be retained for the specified period of time for the following reasons.

A. Under the internal policies of the company, the following personal information is retained:

Personal information items collected for the performance of the contract related to the provision of services and fee settlement in accordance with Article 7:
- Service usage period
Personal information items collected for member management as stipulated in Article 7:
- Service usage period

B. In accordance with relevant laws, the following information is retained:

Records related to transactions, including display/advertisements, contract content, and performance, as required by the "Act on Consumer Protection in Electronic Commerce, etc."
1. Records related to display/advertisements: 6 months
2. Records related to contracts or withdrawal of subscriptions, payment of fees, supply of goods, etc.: 5 years
3. Records related to consumer complaints or dispute resolution: 3 years
Preservation of communication fact confirmation data in accordance with the "Act on the Protection of Communication Secrets"
1. Service usage records, connection logs, connection IP information: 3 months

Article 3 (Providing Personal Information to Third Parties)

The Company shall process the personal information of the subject of personal information only within the scope of the purposes of processing personal information specified in Article 1 (Purpose of Processing Personal Information), and shall provide the personal information of the subject of personal information to a third party only in cases corresponding to the following items 1. and 2., where there is consent from the subject of personal information, special provisions of law, etc. under the same Act.

Article 4 (Matters related to the entrustment of personal information processing)

The Company entrusts the handling of personal information to the following parties for smooth handling of personal information matters, and when signing an entrustment agreement, specifies in the agreement the matters prescribed by Article 26 of the ｢Personal Information Protection Act｣, such as prohibition of processing personal information for purposes other than those for which the entrusted party is entrusted, technical and management measures for protection, limitation on re-entrustment, supervision and control over the entrusted party, and liability for damages. The company supervises the entrusted party to ensure that the personal information is handled safely.

The entrusted party (processor)	Details of the entrusted tasks
Amazon Web Services, Inc.	Analysis, processing, linkage, integration, editing, correction, restoration, and utilization of personal information for various processing tasks.
BREVO	Sending emails for marketing purposes.
salesforce	Customer database management and email sending.
Zapier, Inc.	Customer database management.
Stripe	Providing payment services.
Elfsight	Customer Service Data Collection and Management
Atlassian Corp.	Customer Service Data Collection and Management
Fireworks.ai	Providing inference services.
Together Computer, Inc.	Providing inference services.
Friendli ai	Providing inference services.

In the event that the contents of the entrusted work or the entrustee are changed, we will disclose them through this Privacy Policy without delay.

Article 5 (Matters Regarding Transfer of Personal Information Outside of Korea)

Our company transfers or stores personal information to the following entities outside Korea.

Entity receiving the entrustment	salesforce
Personal information items being transferred	information items specified in Article 7
Transferring Country	Japan
Date and method of transfer	Personal data can be transferred by transmission over a network at the time of collection, when it is stored in a cloud server managed by a company.
Corporate name and contact information of the receiving company	Corporate name : Salesforce privacy@salesforce.com, 1-844-287-7147 415 Mission St., 3rd Floor San Francisco, CA 94105, USA
Name of the Information Management Officer of the company receiving the transfer	Salesforce Data Protection Officer (Salesforce Privacy Team)
Purpose of personal information use, and retention/use period of the transferee of personal information	To store your personal information. Consistent with the retention period specified in Article 2

Entity receiving the entrustment	Elfsight
Personal information items being transferred	information items specified in Article 7
Transferring Country	Armenia
Date and method of transfer	Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name: Elfsight Address: 015, Armenia, Yerevan, Paronyana str., 19/3, 201 Contact: help.elfsight.com
Purpose of personal information use, and retention/use period of the transferee of personal information	To store your personal information. Consistent with the retention period specified in Article 2

Entity receiving the entrustment	BREVO
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States, France
Date and method of transfer	Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name: BREVO contact@sendinblue.com
Name of the Information Management Officer	Armand Thiberge
Purpose of personal information use, and retention/use period of the transferee of personal information	• To store your personal information. • Consistent with the retention period specified in Article 2

Entity receiving the entrustment	Zapier, Inc.
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States
Date and method of transfer	Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate NameZapier, Inc. contact@zapier.com 1-877-381-8743 548 Market St. #62411, San Francisco, CA 94104-5401, USA
Name of the Information Management Officer	Wade Foster
Purpose of personal information use, and retention/use period of the transferee of personal information	• To store your personal information. • Consistent with the retention period specified in Article 2

Entity receiving the entrustment	Stripe
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States
Date and method of transfer	Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name : Stripe, Inc privacy@stripe.com Stripe, Inc. 354 Oyster Point Boulevard South San Francisco, California, 94080, USA Attention: Stripe Legal
Purpose of personal information use, and retention/use period of the transferee of personal information	• To store your personal information. • Consistent with the retention period specified in Article 2

Entity receiving the entrustment	Atlassian Corp.
Personal information items being transferred	information items specified in Article 7
Transferring Country	Australia
Date and method of transfer	Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name : Atlassian Corp. +61 2 9262 1443Level 6, 341 George Street, Sydney, NSW 2000, Australia
Purpose of personal information use, and retention/use period of the transferee of personal information	• To store your personal information. • Consistent with the retention period specified in Article 2

Entity receiving the entrustment	Fireworks.ai
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States
Date and method of transfer	Personal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name : Fireworks.ai help@fireworks.ai
Purpose of personal information use, and retention/use period of the transferee of personal information	• To provide inference service. • Use for inference and does not store.

Entity receiving the entrustment	Together Computer, Inc.
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States
Date and method of transfer	Personal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name : Together Computer, Inc. privacy@together.ai 584 Castro Street #2050 San Francisco, California, 94114, USA
Purpose of personal information use, and retention/use period of the transferee of personal information	• To provide inference service. • Use for inference and does not store.

Entity receiving the entrustment	FriendliAI Inc.
Personal information items being transferred	information items specified in Article 7
Transferring Country	United States
Date and method of transfer	Personal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company	Corporate Name : FriendliAI Inc. privacy@friendli.ai 303 Twin Dolphin Drive, Suite 600 Unit 6009, Redwood City, CA 94065
Purpose of personal information use, and retention/use period of the transferee of personal information	• To provide inference service. • Use for inference and does not store.

Article 6 (Rights and Duties of the Data Subject and Legal Representative, and Method of Exercise)

The data subject can exercise the right to request access, correction, deletion, and suspension of processing of personal information from the company at any time.
The exercise of rights according to Paragraph 1 can be done through the email infosec@upstage.ai, and the company will take immediate action in response.
The rights exercise mentioned in Paragraph 1 can be carried out by the legal representative of the data subject or a duly authorized person. In this case, a power of attorney in accordance with the "Notice on the Method of Processing Personal Information (No. 2020-7) Annex 11 (opens in a new tab)" must be submitted.
The request for access to and suspension of processing of personal information may be limited under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.
When a request for access, correction, deletion, or suspension of processing is made, the company will verify whether the requester is the individual themselves or a legitimate representative.

Article 7 (Items of Personal Information Processed)

The company is processing the following personal information items.

Service	Purpose of collection	Items collected	Storage and usage period
Membership Registration and Management	Confirmation of intention to join as a member, identification and authentication of individuals for the purpose of providing a membership service, maintenance and management of membership status, prevention of illegal use of the service, enhancement of user security, improvement of service quality, development of new features and services	(Mandatory) Name, Email	Until membership withdrawal
Provision of Goods or Services	Service provision, fee payment and settlement, provision of customized services	(Mandatory) Card number, card expiration date, CVC number (Optional) Data entered by the user in the service, data automatically generated during service use	Until the supply of goods or services is completed and fee payment and settlement are finalized ※However, if required to be preserved and not destroyed according to relevant laws, then until the end of the specified period
Playground	Provision of LLM and Document OCR services	Dialogue content, uploaded documents, voting details entered by the member.	Until membership withdrawal or termination of the outsourcing contract
Layout Analysis (Asynchronous)	Document OCR services	Inference request data, Inference result data	Inference request data: Temporarily stored until inference completion, then deleted. Inference result data: Retained for 30 days post-inference, then deleted.
Marketing Information Utilization	Sending newsletters	(Optional) Name, Email address	Until the expression of refusal to receive or withdrawal of consent from the date of consent
Marketing Information Utilization	Provision of event and promotional information	(Optional) Name, Email address, Phone number, Affiliation (Company and department/school and department name), Position	Until the expression of refusal to receive or withdrawal of consent from the date of consent

In the process of using our Internet service, the following personal information may be collected.
1. Data entered by users: regardless of the form, including images, text, video, etc.
2. containing personal information Data automatically generated in the process of using our service: IP address, cookies, service usage records, visit logs, service results
Others
1. Our company does not provide services to children under the age of 14 and does not collect personal information from them. When changes are made to the purposes and items of personal information processed by the company, prior consent will be obtained in accordance with relevant laws and regulations.
2. The company collects personal information in the following ways and obtains prior consent before collecting it.
  1. The method by which users directly enter personal information online
  2. The method by which cookies, access logs, etc. are automatically generated and collected in the process of using the service

Article 8 (Matters Concerning the Procedure and Method of Personal Information Destruction)

The company will destroy the relevant personal information without delay when personal information becomes unnecessary, such as upon the expiration of the personal information retention period or the achievement of the processing purpose.
Even if the retention period agreed upon by the data subject has expired or the processing purpose has been achieved, if personal information must be continuously preserved according to other laws and regulations, the company will move such personal information to a separate database (DB) or store it in a different location. These include:
Records related to display/advertisement, contract content and fulfillment, etc., in accordance with the "Act on the Consumer Protection in Electronic Commerce, Etc.":
1. Records on display/advertisement: 6 months
2. Records on contract or withdrawal of offer, payment, supply of goods, etc.: 5 years
3. Records on consumer complaints or dispute resolution: 3 years
Preservation of telecommunication fact confirmation data under the "Protection of Communications Secrets Act":
1. Subscriber's telecommunication date and time, start/end time, counterpart subscriber number, frequency of use, location tracking data of the outgoing base station: 1 year
2. Computer communication, internet log record data, access location tracking data: 3 months
The procedure and method of personal information destruction are as follows:
Destruction Procedure: The company selects personal information for which a reason for destruction has occurred and destroys the personal information upon the approval of the company's personal information protection officer.
Destruction Method: The company destroys electronic file format records and stored personal information in a way that makes the records non-reproducible, and shreds or incinerates documents with recorded and stored personal information.

Article 9 (Matters to be Handled with Regard to the Measures for Securing Safety)

Our company takes the following measures to ensure the safety of personal information.

Administrative measures: establishment and implementation of internal management plans, regular employee training, etc.
Technical measures: access control management for personal information processing systems, etc., installation of access control systems, encryption of personal identification numbers, etc., installation of security programs
Physical measures: control of access to data centers, storage rooms, etc.

Article 10 (Installation and Operation of Automatic Personal Information Collection Devices and the Refusal Thereof)

The company uses 'cookies' to store and retrieve usage information to provide individual customized services to website users.
A cookie is a small piece of information sent by the server (http) operating the website to the user's computer browser and may be stored on the hard disk of the user's PC.
Purpose of using cookies: Cookies are used to identify the visit and usage patterns of users for each service and website, popular search terms, whether secure connection is used, etc., to provide optimized information to users.
Installation, operation, and refusal of cookies: In Internet Explorer, cookie storage can be refused through the options setting in the Tools > Internet Options > Privacy > Advanced menu. In Chrome, it can be done through the Settings menu on the right side of the web browser > Privacy and security > Cookies and other site data.
Refusing cookie storage may lead to difficulties in using customized services.

Article 11 (Matters Concerning the Personal Information Protection Officer)

The company has appointed a Personal Information Protection Officer as below, who is responsible for overseeing all tasks related to personal information processing, and for handling complaints and damage relief related to personal information processing from data subjects.


Chief Information Security Officer(CISO)/ Data Protection Officer(DPO)	Name : Jo Sung-hwan Contact : 070-8098-3023, infosec@upstage.ai
Personal Data Protection Department	Department name : Infra&Security Contact person : Jo Sung-hwan Contact number : 070-8098-3023, infosec@upstage.ai

Data subjects can direct all inquiries, complaints, and requests for redress related to personal information protection that arise while using the company's services (or business) to the Personal Information Protection Officer and the relevant department. The company will respond to and address these inquiries without delay.

Article 12 (The department receiving and processing the request of access to personal information)

‘Personal information protection department’ that is written in ‘Article 11 Personal Information Protection Responsible’ is responsible for handling personal information access request.

Article 13 (Method of obtaining remedy)

In order to receive remedy for damages resulting from infringement of his/her personal information, a person may apply for resolution of dispute or consultation etc. to Personal information dispute resolution commission, or personal information infringement reporting center of KISA(Korea Internet & Security Agency). For reporting, consulting on the infringement of personal information, please contact the following organization.

Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr (opens in a new tab))
Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr (opens in a new tab))
National Police Agency: (without area code) 182 (ecrm.police.go.kr)

Article 14 (Matters concerning the change of the personal information processing policy)

This personal information processing policy is effective from August 1, 2024.

Disclaimer: Governing Law

Please note that this Privacy Policy has been formulated in accordance with the laws and regulations of the Republic of Korea. While it is applicable to our global operations, the policy is primarily governed by South Korean legal standards and practices. Users outside of South Korea should be aware that the policy might reference legal concepts and frameworks specific to South Korea, which may differ from local laws.

개인정보처리방침 - 한국어

Previous versions can be found below.

1. 1. 12 ~ 2024. 7. 31 (클릭)
1. 1. 13 ~ 2024. 7. 11 (클릭)
1. 1. 28 ~ 2024. 3. 12 (클릭)
1. 1. 20 ~ 2024. 2. 28 (클릭)