Privacy Policy

Effective: 2026-04-26

This page is a courtesy English translation. The legally binding version is the Korean original.

1. Overview

The operator (the “Company”) handles user personal data with care while operating PALs (the “Service”), and complies with the Korean Personal Information Protection Act and the Network Act.

This policy explains what we collect, how we use, store, share, and dispose of it, and which rights you can exercise over your data.

2. Personal data we collect

Account & authentication: email, password (hashed); for OAuth, Google profile (name, email, profile image URL).

Payment: payment-method tokens and processor transaction IDs. The Company does not store raw card data; PCI-DSS scope is handled by Toss Payments / Stripe.

Automatically collected during use: IP, browser, OS, access time, cookies, navigation history, usage statistics, analysis input (channel URLs, keywords, comments), and AI output / user-authored notes.

3. Purposes of collection and use

User identification, authentication, and account management.

Service provision — channel analysis, negotiation cards, analysis-note storage.

Paid-plan billing and receipts.

Customer support and service improvement.

Usage analytics for product improvement.

Legal compliance and dispute response.

4. Sharing and processing entrustment

We do not share personal data externally as a rule. The following sub-processors handle specific operational tasks: Supabase (database & auth infrastructure), Vercel (hosting & CDN), Google (Gemini API for AI analysis, YouTube Data API for public channel/video data), Anthropic (Claude API for AI analysis), Resend (transactional email), Toss Payments / Stripe (payment processing).

Some sub-processors are based outside Korea; cross-border transfer may occur. The Company verifies safeguards (Standard Contractual Clauses or processor security certifications such as SOC 2 / ISO 27001).

5. Retention period

Account data: deleted immediately upon withdrawal.

User-generated content (notes, campaigns): deleted immediately upon withdrawal.

Access logs: retained for 3 months under the Korean Communications Privacy Act.

Payment & tax records: retained for 5 years under the Korean E-commerce Consumer Protection Act.

Electronic financial transaction records: retained for 5 years under the Electronic Financial Transactions Act.

Consumer complaint / dispute records: retained for 3 years under the E-commerce Consumer Protection Act.

6. Disposal procedure and method

Electronic files: permanently erased so they cannot be restored.

Paper documents: shredded or incinerated.

Database backups: automatically deleted after the backup retention period (max 30 days).

7. User rights

Users may request access, correction, deletion, or suspension of processing of their personal data.

Requests can be made via in-service settings or by emailing admin@kfera.co.kr; the Company will respond within 10 days of receipt.

8. Cookie policy

Cookies are used for session continuity and analytics.

Essential cookies: login session, CSRF protection.

Analytics cookies: Google Analytics 4 with IP anonymization.

Users may disable cookies in their browser, with possible loss of functionality.

9. Security measures

In-transit encryption (HTTPS/TLS).

At-rest password hashing (bcrypt or equivalent).

Least-privilege access for operations staff.

Access logging and periodic security review.

Secrets (API keys, tokens) isolated via a vault system.

10. Privacy officer

Officer: Jaeun Do (CEO).

Contact: admin@kfera.co.kr.

Korean privacy-violation hotlines: KISA 118, Personal Information Dispute Mediation 1833-6972, Cyber Investigation 1301, Cyber Bureau 182.

11. Changes to this policy

This policy may be amended in line with law, policy, or security technology changes. We provide in-service or email notice at least 7 days before the effective date (30 days for changes adverse to users).