Documentation
Guides
Terms & policies
Privacy Policy (2024-08-01)

Upstage service privacy policy

Upstage Co., Ltd. (here in after referred to as the “Company”) is committed to protecting the personal information of its users in accordance with the 「Personal Information Protection Act」 and to ensure that any complaints regarding the same are promptly and smoothly addressed, hereby establishes this Privacy Policy.

The table of contents for this Privacy Policy is as follows. It includes the mandatory items for a privacy policy required by law and other items deemed important by Upstage for the protection of user privacy.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than those listed below, and if the purpose of use changes, separate consent will be obtained in accordance with the 「Personal Information Protection Act」, or necessary measures will be taken.

  1. Membership sign-up and management For the purpose of verifying and authenticating individuals for membership services, maintaining and managing membership status, preventing and responding to fraudulent use of services, enhancing user security, improving the quality of services, developing new features and services, providing various notifications and communications, and handling complaints.
  2. Provision of goods or services For the purpose of providing services, processing payment and settlement, and providing customized services.
  3. Marketing information utilization For the purpose of sending newsletters, providing event and advertising information, and utilizing demographic characteristics and user interests and preferences for targeted advertising.

Article 2 (Period of retention and holding of personal information)

The company will process and hold personal information within the period of retention and use of personal information under the Act or within the period of retention and use of personal information agreed with the information subject when collecting personal information. However, personal information collected for the following information will be retained for the specified period of time for the following reasons.

A. Under the internal policies of the company, the following personal information is retained:

  1. Personal information items collected for the performance of the contract related to the provision of services and fee settlement in accordance with Article 7:
    • Service usage period
  2. Personal information items collected for member management as stipulated in Article 7:
    • Service usage period

B. In accordance with relevant laws, the following information is retained:

  1. Records related to transactions, including display/advertisements, contract content, and performance, as required by the "Act on Consumer Protection in Electronic Commerce, etc."
    1. Records related to display/advertisements: 6 months
    2. Records related to contracts or withdrawal of subscriptions, payment of fees, supply of goods, etc.: 5 years
    3. Records related to consumer complaints or dispute resolution: 3 years
  2. Preservation of communication fact confirmation data in accordance with the "Act on the Protection of Communication Secrets"
    1. Service usage records, connection logs, connection IP information: 3 months

Article 3 (Providing Personal Information to Third Parties)

The Company shall process the personal information of the subject of personal information only within the scope of the purposes of processing personal information specified in Article 1 (Purpose of Processing Personal Information), and shall provide the personal information of the subject of personal information to a third party only in cases corresponding to the following items 1. and 2., where there is consent from the subject of personal information, special provisions of law, etc. under the same Act.

Article 4 (Matters related to the entrustment of personal information processing)

The Company entrusts the handling of personal information to the following parties for smooth handling of personal information matters, and when signing an entrustment agreement, specifies in the agreement the matters prescribed by Article 26 of the 「Personal Information Protection Act」, such as prohibition of processing personal information for purposes other than those for which the entrusted party is entrusted, technical and management measures for protection, limitation on re-entrustment, supervision and control over the entrusted party, and liability for damages. The company supervises the entrusted party to ensure that the personal information is handled safely.

The entrusted party (processor)Details of the entrusted tasks
Amazon Web Services, Inc.Analysis, processing, linkage, integration, editing, correction, restoration, and utilization of personal information for various processing tasks.
BREVOSending emails for marketing purposes.
salesforceCustomer database management and email sending.
Zapier, Inc.Customer database management.
StripeProviding payment services.
ElfsightCustomer Service Data Collection and Management
Atlassian Corp.Customer Service Data Collection and Management
Fireworks.aiProviding inference services.
Together Computer, Inc.Providing inference services.
Friendli aiProviding inference services.

In the event that the contents of the entrusted work or the entrustee are changed, we will disclose them through this Privacy Policy without delay.

Article 5 (Matters Regarding Transfer of Personal Information Outside of Korea)

Our company transfers or stores personal information to the following entities outside Korea.

Entity receiving the entrustmentsalesforce
Personal information items being transferredinformation items specified in Article 7
Transferring CountryJapan
Date and method of transferPersonal data can be transferred by transmission over a network at the time of collection, when it is stored in a cloud server managed by a company.
Corporate name and contact information of the receiving company

Corporate name : Salesforce
privacy@salesforce.com, 1-844-287-7147
415 Mission St., 3rd Floor
San Francisco, CA 94105, USA

Name of the Information Management Officer of the company receiving the transferSalesforce Data Protection Officer (Salesforce Privacy Team)
Purpose of personal information use, and retention/use period of the transferee of personal information
  • To store your personal information.
  • Consistent with the retention period specified in Article 2
Entity receiving the entrustmentElfsight
Personal information items being transferredinformation items specified in Article 7
Transferring CountryArmenia
Date and method of transferPersonal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company
  • Corporate Name: Elfsight
  • Address: 015, Armenia, Yerevan, Paronyana str., 19/3, 201
  • Contact: help.elfsight.com
Purpose of personal information use, and retention/use period of the transferee of personal information
  • To store your personal information.
  • Consistent with the retention period specified in Article 2
Entity receiving the entrustmentBREVO
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States, France
Date and method of transferPersonal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name: BREVO
contact@sendinblue.com

Name of the Information Management OfficerArmand Thiberge
Purpose of personal information use, and retention/use period of the transferee of personal information

• To store your personal information.
• Consistent with the retention period specified in Article 2

Entity receiving the entrustmentZapier, Inc.
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States
Date and method of transferPersonal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate NameZapier, Inc. contact@zapier.com

  • 1-877-381-8743
  • 548 Market St. #62411, San Francisco, CA 94104-5401, USA
Name of the Information Management OfficerWade Foster
Purpose of personal information use, and retention/use period of the transferee of personal information

• To store your personal information.
• Consistent with the retention period specified in Article 2

Entity receiving the entrustmentStripe
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States
Date and method of transferPersonal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name : Stripe, Inc
privacy@stripe.com

Stripe, Inc.

354 Oyster Point Boulevard

South San Francisco, California, 94080, USA

Attention: Stripe Legal

Purpose of personal information use, and retention/use period of the transferee of personal information

• To store your personal information.
• Consistent with the retention period specified in Article 2

Entity receiving the entrustmentAtlassian Corp.
Personal information items being transferredinformation items specified in Article 7
Transferring CountryAustralia
Date and method of transferPersonal information can be transferred through network transmission at the time it is collected and stored on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name : Atlassian Corp.
+61 2 9262 1443Level 6, 341 George Street,
Sydney, NSW 2000, Australia

Purpose of personal information use, and retention/use period of the transferee of personal information

• To store your personal information.
• Consistent with the retention period specified in Article 2

Entity receiving the entrustmentFireworks.ai
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States
Date and method of transferPersonal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name : Fireworks.ai
help@fireworks.ai

Purpose of personal information use, and retention/use period of the transferee of personal information

• To provide inference service.
• Use for inference and does not store.

Entity receiving the entrustmentTogether Computer, Inc.
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States
Date and method of transferPersonal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name : Together Computer, Inc.
privacy@together.ai

584 Castro Street #2050

San Francisco, California, 94114, USA

Purpose of personal information use, and retention/use period of the transferee of personal information

• To provide inference service.
• Use for inference and does not store.

Entity receiving the entrustmentFriendliAI Inc.
Personal information items being transferredinformation items specified in Article 7
Transferring CountryUnited States
Date and method of transferPersonal information can be transferred through network transmission when processed on the company-managed cloud server.
Corporate name and contact information of the receiving company

Corporate Name : FriendliAI Inc.
privacy@friendli.ai
303 Twin Dolphin Drive, Suite 600 Unit 6009,
Redwood City, CA 94065

Purpose of personal information use, and retention/use period of the transferee of personal information

• To provide inference service.
• Use for inference and does not store.

Article 6 (Rights and Duties of the Data Subject and Legal Representative, and Method of Exercise)

  1. The data subject can exercise the right to request access, correction, deletion, and suspension of processing of personal information from the company at any time.
  2. The exercise of rights according to Paragraph 1 can be done through the email infosec@upstage.ai, and the company will take immediate action in response.
  3. The rights exercise mentioned in Paragraph 1 can be carried out by the legal representative of the data subject or a duly authorized person. In this case, a power of attorney in accordance with the "Notice on the Method of Processing Personal Information (No. 2020-7) Annex 11 (opens in a new tab)" must be submitted.
  4. The request for access to and suspension of processing of personal information may be limited under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
  5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.
  6. When a request for access, correction, deletion, or suspension of processing is made, the company will verify whether the requester is the individual themselves or a legitimate representative.

Article 7 (Items of Personal Information Processed)

  1. The company is processing the following personal information items.

    ServicePurpose of collectionItems collectedStorage and usage period
    Membership Registration and ManagementConfirmation of intention to join as a member, identification and authentication of individuals for the purpose of providing a membership service, maintenance and management of membership status, prevention of illegal use of the service, enhancement of user security, improvement of service quality, development of new features and services(Mandatory) Name, EmailUntil membership withdrawal
    Provision of Goods or ServicesService provision, fee payment and settlement, provision of customized services
    • (Mandatory) Card number, card expiration date, CVC number
    • (Optional) Data entered by the user in the service, data automatically generated during service use

    Until the supply of goods or services is completed and fee payment and settlement are finalized

    ※However, if required to be preserved and not destroyed according to relevant laws, then until the end of the specified period

    PlaygroundProvision of LLM and Document OCR servicesDialogue content, uploaded documents, voting details entered by the member.Until membership withdrawal or termination of the outsourcing contract
    Document Parse (Asynchronous)Document OCR servicesInference request data, Inference result data

    Inference request data: Temporarily stored until inference completion, then deleted.
    Inference result data: Retained for 30 days post-inference, then deleted.

    Marketing Information UtilizationSending newsletters(Optional) Name, Email addressUntil the expression of refusal to receive or withdrawal of consent from the date of consent
    Marketing Information UtilizationProvision of event and promotional information(Optional) Name, Email address, Phone number, Affiliation (Company and department/school and department name), Position

    Until the expression of refusal to receive or withdrawal of consent from the date of consent

  2. In the process of using our Internet service, the following personal information may be collected.

    1. Data entered by users: regardless of the form, including images, text, video, etc.
    2. containing personal information Data automatically generated in the process of using our service: IP address, cookies, service usage records, visit logs, service results
  3. Others

    1. Our company does not provide services to children under the age of 14 and does not collect personal information from them. When changes are made to the purposes and items of personal information processed by the company, prior consent will be obtained in accordance with relevant laws and regulations.
    2. The company collects personal information in the following ways and obtains prior consent before collecting it.
      1. The method by which users directly enter personal information online
      2. The method by which cookies, access logs, etc. are automatically generated and collected in the process of using the service

Article 8 (Matters Concerning the Procedure and Method of Personal Information Destruction)

  1. The company will destroy the relevant personal information without delay when personal information becomes unnecessary, such as upon the expiration of the personal information retention period or the achievement of the processing purpose.
  2. Even if the retention period agreed upon by the data subject has expired or the processing purpose has been achieved, if personal information must be continuously preserved according to other laws and regulations, the company will move such personal information to a separate database (DB) or store it in a different location. These include:
  3. Records related to display/advertisement, contract content and fulfillment, etc., in accordance with the "Act on the Consumer Protection in Electronic Commerce, Etc.":
    1. Records on display/advertisement: 6 months
    2. Records on contract or withdrawal of offer, payment, supply of goods, etc.: 5 years
    3. Records on consumer complaints or dispute resolution: 3 years
  4. Preservation of telecommunication fact confirmation data under the "Protection of Communications Secrets Act":
    1. Subscriber's telecommunication date and time, start/end time, counterpart subscriber number, frequency of use, location tracking data of the outgoing base station: 1 year
    2. Computer communication, internet log record data, access location tracking data: 3 months
  5. The procedure and method of personal information destruction are as follows:
  6. Destruction Procedure: The company selects personal information for which a reason for destruction has occurred and destroys the personal information upon the approval of the company's personal information protection officer.
  7. Destruction Method: The company destroys electronic file format records and stored personal information in a way that makes the records non-reproducible, and shreds or incinerates documents with recorded and stored personal information.

Article 9 (Matters to be Handled with Regard to the Measures for Securing Safety)

Our company takes the following measures to ensure the safety of personal information.

  1. Administrative measures: establishment and implementation of internal management plans, regular employee training, etc.
  2. Technical measures: access control management for personal information processing systems, etc., installation of access control systems, encryption of personal identification numbers, etc., installation of security programs
  3. Physical measures: control of access to data centers, storage rooms, etc.

Article 10 (Installation and Operation of Automatic Personal Information Collection Devices and the Refusal Thereof)

  1. The company uses 'cookies' to store and retrieve usage information to provide individual customized services to website users.
  2. A cookie is a small piece of information sent by the server (http) operating the website to the user's computer browser and may be stored on the hard disk of the user's PC.
  3. Purpose of using cookies: Cookies are used to identify the visit and usage patterns of users for each service and website, popular search terms, whether secure connection is used, etc., to provide optimized information to users.
  4. Installation, operation, and refusal of cookies: In Internet Explorer, cookie storage can be refused through the options setting in the Tools > Internet Options > Privacy > Advanced menu. In Chrome, it can be done through the Settings menu on the right side of the web browser > Privacy and security > Cookies and other site data.
  5. Refusing cookie storage may lead to difficulties in using customized services.

Article 11 (Matters Concerning the Personal Information Protection Officer)

  1. The company has appointed a Personal Information Protection Officer as below, who is responsible for overseeing all tasks related to personal information processing, and for handling complaints and damage relief related to personal information processing from data subjects.
Chief Information Security Officer(CISO)/
Data Protection Officer(DPO)
Name : Jo Sung-hwan
Contact : 070-8098-3023, infosec@upstage.ai
Personal Data Protection DepartmentDepartment name : Infra&Security
Contact person : Jo Sung-hwan
Contact number : 070-8098-3023, infosec@upstage.ai
  1. Data subjects can direct all inquiries, complaints, and requests for redress related to personal information protection that arise while using the company's services (or business) to the Personal Information Protection Officer and the relevant department. The company will respond to and address these inquiries without delay.

Article 12 (The department receiving and processing the request of access to personal information)

‘Personal information protection department’ that is written in ‘Article 11 Personal Information Protection Responsible’ is responsible for handling personal information access request.

Article 13 (Method of obtaining remedy)

In order to receive remedy for damages resulting from infringement of his/her personal information, a person may apply for resolution of dispute or consultation etc. to Personal information dispute resolution commission, or personal information infringement reporting center of KISA(Korea Internet & Security Agency). For reporting, consulting on the infringement of personal information, please contact the following organization.

  1. Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr (opens in a new tab))
  2. Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
  3. Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr (opens in a new tab))
  4. National Police Agency: (without area code) 182 (ecrm.police.go.kr)

Article 14 (Matters concerning the change of the personal information processing policy)

  • This personal information processing policy is effective from August 1, 2024.

Disclaimer: Governing Law

Please note that this Privacy Policy has been formulated in accordance with the laws and regulations of the Republic of Korea. While it is applicable to our global operations, the policy is primarily governed by South Korean legal standards and practices. Users outside of South Korea should be aware that the policy might reference legal concepts and frameworks specific to South Korea, which may differ from local laws.

개인정보처리방침 - 한국어

Previous versions can be found below.