Privacy Policy

Privacy Policy

bitsensing Inc. (hereinafter referred to as "the Company") establishes and discloses this Privacy Policy in accordance with the Article 30 of the Personal Information Protection Act of the Republic of Korea (“PIPA”, hereafter) and relevant laws to protect the personal information and rights of users and to facilitate the resolution of related complaints.

This Privacy Policy is formulated in compliance with the ISO/IEC 27001:2022 standard and is operated as part of the Company’s Information Security Management System (ISMS).

1. Purpose of Processing Personal Information and Types of Personal Information Processed

The Company processes personal information for the following purposes and does not use it for any other purposes unless otherwise stated. If there is a change in the intended use, necessary measures, such as obtaining additional consent, will be taken in accordance with Article 18 of the Personal Information Protection Act.

  1. Service Enrollment and AI Learning
    • Purpose: Program learning and service enrollment and provision.
    • Personal Information: Name, date of birth, gender, contact details (email address, phone number), service usage records.
  2. Service Usage Statistics and Analysis
    • Purpose: Compiling usage statistics, service improvement, and development.
    • Personal Information: Age, region, gender, service usage records, access logs.
  3. Execution of Contracts and Billing
    • Purpose: Providing services and reports, customized services, payment (including subscription fees), issuing receipts, handling refunds, etc.
    • Personal Information: Name, date of birth, address, phone number, email address, credit card information, bank account details.
  4. User Management
    • Purpose: Verifying identity, preventing misuse, processing complaints, delivering notifications, and dispute resolution.
    • Personal Information: Name, ID, password, email address, service usage records, IP address.
  5. Service Improvement and Statistical Analysis
    • Purpose: Evaluating service performance and quality, identifying access patterns.
    • Personal Information: Name, email address, service usage records, cookies, IP address, access logs.
  6. Marketing and Advertising
    • Purpose: Developing new services, providing customized services, offering event opportunities, verifying service effectiveness, identifying access frequency.
    • Personal Information: Name, email address, service usage records, cookies, access logs.

2. Retention and Processing Period for Personal Information

The Company retains personal information within the legally permitted duration or the agreed-upon retention period specified when collecting personal information.

A. Retention for Internal Policies

  • Records of Misuse
    • Reason: Preventing unauthorized usage and signups.
    • Details Retained: Email address, name, phone number.
    • Retention Period: 1 year from the date of withdrawal.
  • Customer Complaint Records
    • Reason: Resolving complaints and improving services.
    • Details Retained: Email address, name, phone number.
    • Retention Period: 1 year from the date of withdrawal.

B. Retention as Mandated by Relevant Laws

The Company retains personal information as required by applicable laws, including the Commercial Act and the Consumer Protection Act in Electronic Commerce. The information is used only for these purposes.

  • Records on Contracts or Cancellations: Retained for 5 years (Consumer Protection Act).
  • Records on Payments and Supply of Goods: Retained for 5 years (Consumer Protection Act).
  • Consumer Complaints or Dispute Records: Retained for 3 years (Consumer Protection Act).
  • Records on Advertising and Display: Retained for 6 months (Consumer Protection Act).
  • Records on Identity Verification: Retained for 6 months (Information Network Act).
  • Records on Website Visits: Retained for 3 months (Telecommunications Protection Act).
  • Records on Electronic Financial Transactions: Retained for 5 years (Electronic Financial Transaction Act).

3. Third-Party Provision of Personal Information

As pursuant to the Article 17 and 18 of the PIPA, the company may provide or share personal information of users to a third party in any of the circumstances where (i) the consent is obtained from the user, or (ii) the personal information is provided within the scope of purposes for which it is collected. In such cases, the company shall inform an user of (i) the recipient of personal information, (ii) the purpose for which the recipient of personal information uses such information, (iii) particulars of personal information to be provided, (iv) the period during which the recipient retains and uses personal information, and (v) the fact that the user is entitled to deny consent, and disadvantages if any, resulting from the denial of consent. In addition, the Company shall inform a user of the matters provided for above and obtain the consent from the user in order to provide personal information to a third party overseas; and shall not enter into a contract for the cross-border transfer of personal information in violation of the Personal Information Protection Act of the Republic of Korea.

The Company may provide personal information without the consent of a user within the scope reasonably related to the purposes for which the personal information was initially collected, while taking into consideration whether disadvantages are caused to the user, whether necessary measures to secure safety, such as encryption, have been taken, etc.

The Company shall not use personal information beyond the scope provided or provide it to any third party beyond the scope provided. However, (i) where additional consent is obtained from the user, (ii) where special provisions exist in other laws, or (iii) where it is deemed manifestly necessary for the protection of life, (iv) where it is necessary to provide personal information to a foreign government or international organization to perform a treaty or other international convention, (v) where it is necessary for the investigation of a crime, indictment and prosecution, (vi) where it is necessary for a court to proceed with trial-related duties, or (vii) where it is necessary for the enforcement of punishment, probation and custody, bodily or property interests of the user or third party from imminent danger where the user or his or her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses, the Company may use personal information or provide it to a third party for other purposes, unless doing so is likely to unfairly infringe on the interest of an user or third party.

4. Rights and Duties of Users and Their Exercise

As pursuant to the Article 35 of PIPA, an user has the right to request access to their personal information processed by the Company. This request can be made directly to the Company; provided, however, that when the personal information is held by a public institution, the user has the option to request access either directly from the public institution or indirectly through the Protection Commission, as outlined by the Personal Information Protection Act. Upon receiving a request for access, the Company shall provide the user access to their personal information as promptly as possible. If there are justifiable reasons for delaying access, the Company must notify the user of these reasons and grant access as soon as the hindrances are resolved.

In certain circumstances, the Company may limit or deny access to personal information; in such a situation, the controller shall inform the user of the reasons for the denial. The limitations may apply in the cases where (i) access is prohibited or limited by law, (ii) access could cause harm to the life or body of a third party or result in unjustified infringement on another person’s property or other interests, and (iii) access may significantly hinder the performance of critical duties by public institutions, such as (a) tax-related processes, including imposition, collection, or refunds, (b) evaluation and admission processes in educational institutions, (c) testing, qualification examinations, or employment assessments, (d) ongoing evaluations related to compensation or grant assessments, and (e) ongoing audits and examinations required by law.

5. Destruction of Personal Information

As pursuant to the Article 21 of PIPA, the Company shall destroy personal information within five (5) days after the expiration of the retention period or the attainment of the purpose for which the personal information was processed. If the retention of such personal information is mandated by other statutes, however, the Company must comply with those legal requirements. When destroying personal information, the Company must take all necessary measures to ensure that the information cannot be recovered or revived. If retention is required under the statutory exception, the personal information in question must be stored and managed separately from other personal information.

The methods for destroying personal information may vary depending on the format of the data. Personal information in electronic files must be permanently erased in a manner that ensures the data cannot be restored. For physical records, such as printouts, paper documents, and other media, the destruction must be carried out by shredding or incineration.

6. Measures to Ensure Security

As pursuant to the Article 29 of PIPA, the Company is committed to safeguarding personal information from loss, theft, unauthorized disclosure, forgery, alteration, or damage. To achieve this, the Company implements technical, managerial, and physical measures, including the establishment of an internal management plan and the preservation of access records. These measures are designed to ensure the safety and integrity of personal information. The Company shall ensure that the following are prepared and functioning:

(i) Internal Management Plan: the Company formulates and implements an internal management plan to oversee the secure processing of personal information, ensuring compliance with data protection standards and practices.

(ii) Access Control: measures are taken to control access to personal information by restricting access rights based on necessity and implementing robust authentication mechanisms.

(iii) Encryption Technology: the Company adopts advanced encryption technologies to securely store and transmit personal information, thereby protecting it from unauthorized access or breaches.

(iv) Retention of Login Records: login records are preserved to respond effectively to potential data breach incidents. Steps are also taken to prevent the forgery or falsification of these records.

(v) Security Programs: security programs are installed and regularly updated to provide ongoing protection against cyber threats and unauthorized access to personal information.

(vi) Physical Measures: the Company implements physical safeguards, such as secure storage facilities and locking systems, to protect personal information from unauthorized physical access or damage.

7. Use of Cookies

The Company may use "cookies" to store and retrieve user information from time to time to provide personalized and customized services. A cookie is a very small text file that the server operating the company’s services sends to the user’s computer and is stored on the user’s device. When the user revisits the company’s services, the server reads the contents of the cookie stored on the user’s device to maintain user preferences and provide customized services. Cookies do not automatically or actively collect information that identifies individuals, and users can refuse or delete the storage of these cookies at any time.

The purpose of using cookies is to analyze the visit and usage patterns of the services and websites visited by users, as well as the status of secure connections, to provide optimized information to users.

Users have the option to manage cookie installations. By adjusting the settings in their web browser or the applications provided by the company, users can allow all cookies, be notified each time a cookie is stored, or refuse the storage of all cookies. However, refusing to store cookies may result in difficulties in using personalized and customized services.

8. Contact Information

As the Company assumes overall responsibility for the processing of personal information and addressing complaints and remedies for damages related to the processing of personal information, the Company designates the following person(s) to be in charge of the aforementioned tasks:

  • Privacy Officer: Jae Hyun Kim, CISO (privacy@bitsensing.com).
  • Information Protection Team: privacy@bitsensing.com.

Users may direct all inquiries, complaints, and requests for remedies related to personal information protection that arise while using the Company’s services (or business) to the person above and the designated department. The Company shall respond to and handle such inquiries without delay.

9. Remedies for Rights Infringement

For personal information-related complaints, contact the following institutions:

  • Personal Information Dispute Mediation Committee: 1833-6972
  • Personal Information Infringement Report Center: 118

10. Policy Changes

This Privacy Policy may be amended, and changes will be announced at least 7 days prior to implementation.

Effective Date: September 1, 2023.