Upstage service privacy policy
Upstage Co., Ltd. (here in after referred to as the “Company”) is committed to protecting the personal information of its users in accordance with the 「Personal Information Protection Act」 and to ensure that any complaints regarding the same are promptly and smoothly addressed, hereby establishes this Privacy Policy.
The table of contents for this Privacy Policy is as follows. It includes the mandatory items for a privacy policy required by law and other items deemed important by Upstage for the protection of user privacy.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than those listed below, and if the purpose of use changes, separate consent will be obtained in accordance with the 「Personal Information Protection Act」, or necessary measures will be taken.
- Membership sign-up and management For the purpose of verifying and authenticating individuals for membership services, maintaining and managing membership status, preventing and responding to fraudulent use of services, enhancing user security, improving the quality of services, developing new features and services, providing various notifications and communications, and handling complaints.
- Provision of goods or services For the purpose of providing services, processing payment and settlement, and providing customized services.
- Marketing information utilization For the purpose of sending newsletters, providing event and advertising information, and utilizing demographic characteristics and user interests and preferences for targeted advertising.
Article 2 (Period of retention and holding of personal information)
The company will process and hold personal information within the period of retention and use of personal information under the Act or within the period of retention and use of personal information agreed with the information subject when collecting personal information. However, personal information collected for the following information will be retained for the specified period of time for the following reasons.
A. Under the internal policies of the company, the following personal information is retained:
- Personal information items collected for the performance of the contract related to the provision of services and fee settlement in accordance with Article 7:
- Service usage period
- Personal information items collected for member management as stipulated in Article 7:
- Service usage period
B. In accordance with relevant laws, the following information is retained:
- Records related to transactions, including display/advertisements, contract content, and performance, as required by the "Act on Consumer Protection in Electronic Commerce, etc."
- Records related to display/advertisements: 6 months
- Records related to contracts or withdrawal of subscriptions, payment of fees, supply of goods, etc.: 5 years
- Records related to consumer complaints or dispute resolution: 3 years
- Preservation of communication fact confirmation data in accordance with the "Act on the Protection of Communication Secrets"
- Service usage records, connection logs, connection IP information: 3 months
Article 3 (Providing Personal Information to Third Parties)
The Company shall process the personal information of the subject of personal information only within the scope of the purposes of processing personal information specified in Article 1 (Purpose of Processing Personal Information), and shall provide the personal information of the subject of personal information to a third party only in cases corresponding to the following items 1. and 2., where there is consent from the subject of personal information, special provisions of law, etc. under the same Act.
Article 4 (Matters related to the entrustment of personal information processing)
The Company entrusts the handling of personal information to the following parties for smooth handling of personal information matters, and when signing an entrustment agreement, specifies in the agreement the matters prescribed by Article 26 of the 「Personal Information Protection Act」, such as prohibition of processing personal information for purposes other than those for which the entrusted party is entrusted, technical and management measures for protection, limitation on re-entrustment, supervision and control over the entrusted party, and liability for damages. The company supervises the entrusted party to ensure that the personal information is handled safely.
The entrusted party (processor) | Details of the entrusted tasks |
---|---|
Amazon Web Services, Inc. | Analysis, processing, linkage, integration, editing, correction, restoration, and utilization of personal information for various processing tasks. |
BREVO | Sending emails for marketing purposes. |
salesforce | Customer database management and email sending. |
Zapier, Inc. | Customer database management. |
Stripe | Providing payment services. |
Elfsight | Customer Service Data Collection and Management |
Atlassian Corp. | Customer Service Data Collection and Management |
Fireworks.ai | Providing inference services. |
Together Computer, Inc. | Providing inference services. |
Friendli ai | Providing inference services. |
In the event that the contents of the entrusted work or the entrustee are changed, we will disclose them through this Privacy Policy without delay.
Article 5 (Matters Regarding Transfer of Personal Information Outside of Korea)
Our company transfers or stores personal information to the following entities outside Korea.
Entity receiving the entrustment | salesforce |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | Japan |
Date and method of transfer | Personal data can be transferred by transmission over a network at the time of collection, when it is stored in a cloud server managed by a company. |
Corporate name and contact information of the receiving company | Corporate name : Salesforce |
Name of the Information Management Officer of the company receiving the transfer | Salesforce Data Protection Officer (Salesforce Privacy Team) |
Purpose of personal information use, and retention/use period of the transferee of personal information |
|
Entity receiving the entrustment | Elfsight |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | Armenia |
Date and method of transfer | Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server. |
Corporate name and contact information of the receiving company |
|
Purpose of personal information use, and retention/use period of the transferee of personal information |
|
Entity receiving the entrustment | BREVO |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States, France |
Date and method of transfer | Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name: BREVO |
Name of the Information Management Officer | Armand Thiberge |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To store your personal information. |
Entity receiving the entrustment | Zapier, Inc. |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States |
Date and method of transfer | Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate NameZapier, Inc. contact@zapier.com
|
Name of the Information Management Officer | Wade Foster |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To store your personal information. |
Entity receiving the entrustment | Stripe |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States |
Date and method of transfer | Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name : Stripe, Inc Stripe, Inc. 354 Oyster Point Boulevard South San Francisco, California, 94080, USA Attention: Stripe Legal |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To store your personal information. |
Entity receiving the entrustment | Atlassian Corp. |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | Australia |
Date and method of transfer | Personal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name : Atlassian Corp. |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To store your personal information. |
Entity receiving the entrustment | Fireworks.ai |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States |
Date and method of transfer | Personal information can be transferred through network transmission when processed on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name : Fireworks.ai |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To provide inference service. |
Entity receiving the entrustment | Together Computer, Inc. |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States |
Date and method of transfer | Personal information can be transferred through network transmission when processed on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name : Together Computer, Inc. 584 Castro Street #2050 San Francisco, California, 94114, USA |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To provide inference service. |
Entity receiving the entrustment | FriendliAI Inc. |
---|---|
Personal information items being transferred | information items specified in Article 7 |
Transferring Country | United States |
Date and method of transfer | Personal information can be transferred through network transmission when processed on the company-managed cloud server. |
Corporate name and contact information of the receiving company | Corporate Name : FriendliAI Inc. |
Purpose of personal information use, and retention/use period of the transferee of personal information | • To provide inference service. |
Article 6 (Rights and Duties of the Data Subject and Legal Representative, and Method of Exercise)
- The data subject can exercise the right to request access, correction, deletion, and suspension of processing of personal information from the company at any time.
- The exercise of rights according to Paragraph 1 can be done through the email infosec@upstage.ai, and the company will take immediate action in response.
- The rights exercise mentioned in Paragraph 1 can be carried out by the legal representative of the data subject or a duly authorized person. In this case, a power of attorney in accordance with the "Notice on the Method of Processing Personal Information (No. 2020-7) Annex 11 (opens in a new tab)" must be submitted.
- The request for access to and suspension of processing of personal information may be limited under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
- Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.
- When a request for access, correction, deletion, or suspension of processing is made, the company will verify whether the requester is the individual themselves or a legitimate representative.
Article 7 (Items of Personal Information Processed)
-
The company is processing the following personal information items.
Service Purpose of collection Items collected Storage and usage period Membership Registration and Management Confirmation of intention to join as a member, identification and authentication of individuals for the purpose of providing a membership service, maintenance and management of membership status, prevention of illegal use of the service, enhancement of user security, improvement of service quality, development of new features and services (Mandatory) Name, Email Until membership withdrawal Provision of Goods or Services Service provision, fee payment and settlement, provision of customized services - (Mandatory) Card number, card expiration date, CVC number
- (Optional) Data entered by the user in the service, data automatically generated during service use
Until the supply of goods or services is completed and fee payment and settlement are finalized
※However, if required to be preserved and not destroyed according to relevant laws, then until the end of the specified period
Playground Provision of LLM and Document OCR services Dialogue content, uploaded documents, voting details entered by the member. Until membership withdrawal or termination of the outsourcing contract Document Parse (Asynchronous) Document OCR services Inference request data, Inference result data Inference request data: Temporarily stored until inference completion, then deleted.
Inference result data: Retained for 30 days post-inference, then deleted.Marketing Information Utilization Sending newsletters (Optional) Name, Email address Until the expression of refusal to receive or withdrawal of consent from the date of consent Marketing Information Utilization Provision of event and promotional information (Optional) Name, Email address, Phone number, Affiliation (Company and department/school and department name), Position Until the expression of refusal to receive or withdrawal of consent from the date of consent
-
In the process of using our Internet service, the following personal information may be collected.
- Data entered by users: regardless of the form, including images, text, video, etc.
- containing personal information Data automatically generated in the process of using our service: IP address, cookies, service usage records, visit logs, service results
-
Others
- Our company does not provide services to children under the age of 14 and does not collect personal information from them. When changes are made to the purposes and items of personal information processed by the company, prior consent will be obtained in accordance with relevant laws and regulations.
- The company collects personal information in the following ways and obtains prior consent before collecting it.
- The method by which users directly enter personal information online
- The method by which cookies, access logs, etc. are automatically generated and collected in the process of using the service
Article 8 (Matters Concerning the Procedure and Method of Personal Information Destruction)
- The company will destroy the relevant personal information without delay when personal information becomes unnecessary, such as upon the expiration of the personal information retention period or the achievement of the processing purpose.
- Even if the retention period agreed upon by the data subject has expired or the processing purpose has been achieved, if personal information must be continuously preserved according to other laws and regulations, the company will move such personal information to a separate database (DB) or store it in a different location. These include:
- Records related to display/advertisement, contract content and fulfillment, etc., in accordance with the "Act on the Consumer Protection in Electronic Commerce, Etc.":
- Records on display/advertisement: 6 months
- Records on contract or withdrawal of offer, payment, supply of goods, etc.: 5 years
- Records on consumer complaints or dispute resolution: 3 years
- Preservation of telecommunication fact confirmation data under the "Protection of Communications Secrets Act":
- Subscriber's telecommunication date and time, start/end time, counterpart subscriber number, frequency of use, location tracking data of the outgoing base station: 1 year
- Computer communication, internet log record data, access location tracking data: 3 months
- The procedure and method of personal information destruction are as follows:
- Destruction Procedure: The company selects personal information for which a reason for destruction has occurred and destroys the personal information upon the approval of the company's personal information protection officer.
- Destruction Method: The company destroys electronic file format records and stored personal information in a way that makes the records non-reproducible, and shreds or incinerates documents with recorded and stored personal information.
Article 9 (Matters to be Handled with Regard to the Measures for Securing Safety)
Our company takes the following measures to ensure the safety of personal information.
- Administrative measures: establishment and implementation of internal management plans, regular employee training, etc.
- Technical measures: access control management for personal information processing systems, etc., installation of access control systems, encryption of personal identification numbers, etc., installation of security programs
- Physical measures: control of access to data centers, storage rooms, etc.
Article 10 (Installation and Operation of Automatic Personal Information Collection Devices and the Refusal Thereof)
- The company uses 'cookies' to store and retrieve usage information to provide individual customized services to website users.
- A cookie is a small piece of information sent by the server (http) operating the website to the user's computer browser and may be stored on the hard disk of the user's PC.
- Purpose of using cookies: Cookies are used to identify the visit and usage patterns of users for each service and website, popular search terms, whether secure connection is used, etc., to provide optimized information to users.
- Installation, operation, and refusal of cookies: In Internet Explorer, cookie storage can be refused through the options setting in the Tools > Internet Options > Privacy > Advanced menu. In Chrome, it can be done through the Settings menu on the right side of the web browser > Privacy and security > Cookies and other site data.
- Refusing cookie storage may lead to difficulties in using customized services.
Article 11 (Matters Concerning the Personal Information Protection Officer)
- The company has appointed a Personal Information Protection Officer as below, who is responsible for overseeing all tasks related to personal information processing, and for handling complaints and damage relief related to personal information processing from data subjects.
Chief Information Security Officer(CISO)/ Data Protection Officer(DPO) | Name : Jo Sung-hwan Contact : 070-8098-3023, infosec@upstage.ai |
Personal Data Protection Department | Department name : Infra&Security Contact person : Jo Sung-hwan Contact number : 070-8098-3023, infosec@upstage.ai |
- Data subjects can direct all inquiries, complaints, and requests for redress related to personal information protection that arise while using the company's services (or business) to the Personal Information Protection Officer and the relevant department. The company will respond to and address these inquiries without delay.
Article 12 (The department receiving and processing the request of access to personal information)
‘Personal information protection department’ that is written in ‘Article 11 Personal Information Protection Responsible’ is responsible for handling personal information access request.
Article 13 (Method of obtaining remedy)
In order to receive remedy for damages resulting from infringement of his/her personal information, a person may apply for resolution of dispute or consultation etc. to Personal information dispute resolution commission, or personal information infringement reporting center of KISA(Korea Internet & Security Agency). For reporting, consulting on the infringement of personal information, please contact the following organization.
- Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr (opens in a new tab))
- Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr (opens in a new tab))
- National Police Agency: (without area code) 182 (ecrm.police.go.kr)
Article 14 (Matters concerning the change of the personal information processing policy)
- This personal information processing policy is effective from August 1, 2024.
Disclaimer: Governing Law
Please note that this Privacy Policy has been formulated in accordance with the laws and regulations of the Republic of Korea. While it is applicable to our global operations, the policy is primarily governed by South Korean legal standards and practices. Users outside of South Korea should be aware that the policy might reference legal concepts and frameworks specific to South Korea, which may differ from local laws.
Previous versions can be found below.