Privacy Policy

Effective Date: July 17, 2025
Last Revised: July 17, 2025 (Established: July 17, 2025)

Get-A Inc. (hereinafter "the Company") establishes and publishes this Privacy Policy (hereinafter "this Policy") as follows to comply with the Personal Information Protection Act and related laws, and to safely protect users’ personal information.

Article 1 (Purpose)

The purpose of this Policy is to stipulate the procedures for collection, use, retention, destruction of the minimum personal information actually collected and used by the Company in relation to all services provided (including web and mobile, hereinafter “Services”), and the exercise of users’ rights.

Article 2 (Definitions)

  1. “Personal Information” means information about a living individual that can identify the individual alone or in combination with other information.
  2. “Processing” means any operation performed on personal information such as collection, creation, recording, storage, retention, processing, editing, search, output, correction, restoration, use, provision, disclosure, destruction, etc.
  3. Other terms are defined in relevant laws and the Terms of Service.

Article 3 (Principles of Personal Information Processing)

  1. The Company processes the minimum necessary personal information in a lawful and fair manner.
  2. The Company does not retain or use personal information beyond the period necessary to achieve the processing purposes.
  3. The Company does not provide or entrust personal information to third parties without statutory grounds or user consent, except as permitted by law (e.g., lawful requests by investigative agencies).

Article 4 (Publication and Amendment of this Policy)

  1. This Policy is published at all times on the website's or mobile app's main or linked pages.
  2. In case of amendment, prior notice will be given at least 7 days before enforcement (30 days for amendments significantly affecting user rights) via website notice, pop-up, email, etc.

Article 5 (Collected Personal Information Items, Purposes, Retention Periods)

Category
Purpose of Processing
Collected Items
Retention Period
RegistrationConclusion of service contract and identity verificationEmail address, password, name (optional)Destroyed within 30 days after withdrawal
Service Use & Content StorageService provision, storage of user content, service quality improvement, statisticsService ID, user inputs (variables, prompts, uploaded files), generated results, cookies, access IP, browser/OS informationPseudonymized within 30 days after withdrawal and retained for 3 years, then destroyed
Social Login (Optional)Convenient authenticationPlatform account ID, email address, name, profile picture (Google, Kakao, Naver, Facebook, etc.)Destroyed immediately upon consent withdrawal or account deletion
Fraud PreventionDetection of duplicate accounts and terms violationsService usage records, cookies, access IP, device information, hashed identifiers of withdrawn accounts (email, phone encrypted)1 year after withdrawal
Marketing & Events (Optional)Notification of new services and eventsphone numberDestroyed immediately upon consent withdrawal or account deletion

Collection Methods

Registration screen, customer inquiries, automated devices (cookies, logs, etc.)

Article 6 (Provision to Third Parties)

None. (Provided only upon lawful request by authorities or user consent, with prior notice of items, purposes, and period.)

Article 7 (Entrustment and Overseas Transfer of Personal Information)

Vendor
Country/Server Location
Entrusted Task
Transferred Data
Transfer Timing/Method
Retention Period
Amazon Web Services, Inc.Multiple regions (USA, Singapore, etc.)Cloud infrastructure operations and storageUser database, logsReal-time TLS-encrypted transmission, DR backup30 days after contract termination or user withdrawal (S3 versions/snapshots auto-deleted within 30±3 days and destroyed securely) (aws-korea-privacy@amazon.com)
OpenAI LLCUSAContent generation and model inferenceUser inputs (prompts), session IDs (pseudonymized)TLS-encrypted API callsVariable based on volume, sensitivity, risk of unauthorized use or disclosure, OpenAI's processing purposes, and legal requirements (privacy@openai.com)
Anthropic PBCUSAContent generation and model inferenceUser inputs (prompts), session IDs (pseudonymized)TLS-encrypted API callsAutomatically deleted within 30 days per user request (privacy@anthropic.com)
Leonardo Interactive Pty LtdUSAContent generation and model inferenceUser inputs (prompts), session IDs (pseudonymized)TLS-encrypted API callsDetermined by data volume, sensitivity, risk, processing purposes, and applicable laws/regulations
※ Google Analytics (USA) receives IP, cookie ID, and traffic data; retained for 2 years after initial banner consent. If declined: configure in My Page > Cookie Settings.

Article 8 (Exercise of User Rights)

  1. Submit requests for access, correction, deletion, processing suspension, and consent withdrawal by email (bloomingtales.customer@get-a.io) or by mail to 3F, 10, Seongnam-daero 43beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea (HaNa EZ Tower, Gumi-dong), Attn: Data Protection Officer → Response within 10 business days
  2. Allowed to request viewing, correction, deletion, processing suspension, and consent withdrawal
  3. Requests may be restricted in case of repetitive/abusive requests or concerns of infringing others’ rights

Article 9 (Cookie Management)

  1. Essential cookies (session) / analytical cookies (Analytics): set upon initial banner consent; if declined, analytics functionality is limited
  2. Consent and withdrawal history stored securely for 2 years, then destroyed

Article 10 (Retention and Destruction)

  1. User personal information is destroyed promptly when retention period expires, purpose is achieved, or upon user deletion/withdrawal request.
  2. However, for service improvement/statistics, user inputs and generated results may be pseudonymized (hashed, identifiers removed) and retained for 3 years; such pseudonymized data cannot be used to re-identify individuals and is used solely for AI model training and service quality improvement.
  3. Electronic files are unrecoverably deleted; paper records are shredded or incinerated.

Article 11 (Access Log Retention)

IP and login records: 6 months (3 months if daily active users <10,000). Audit logs: 13 months.

Article 12 (Dormant Account Policy)

Accounts inactive for 1 year are converted to dormant status and stored separately, with 30 days prior email notice; data retained for 4 years then destroyed.

Article 13 (Breach Notification)

Report to KISA within 24 hours; notify affected users within 48 hours.

Article 14 (Security Measures)

Encryption (SHA-256), least privilege principle, WAF, 2FA, annual training and inspection.

Article 15 (Person in Charge)

Role
Name
Contact
Email
CPOSungmook Park010-8920-3726sungmook.park@get-a.io

Article 16 (Business Information)

Business Registration No.
Address
Representative
732-81-028603F, 10, Seongnam-daero 43beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea (HaNa EZ Tower, Gumi-dong)Sungmook Park

Article 17 (Supplementary Provisions)

This Policy has been in effect since July 17, 2025; any functional additions will be revised and notified immediately.