Privacy Policy
Effective date: 20 April 2026
Neural AI ('the Company') values the personal information of data subjects and complies with the Personal Information Protection Act (PIPA) and related laws.
Article 1 – Purposes of processing personal information
The Company processes personal information for the following purposes only. Personal information will not be used for any other purpose. If the purpose changes, the Company will take the necessary steps in accordance with Article 18 of PIPA. ① Receiving and responding to enquiries To receive and handle service-related enquiries. ② Service sign-up and account creation To process subscriptions, create academy accounts, and send invitation emails. ③ Payment processing To process subscription fees, maintain payment records, and comply with statutory record-keeping requirements. ④ Service improvement and statistics To conduct anonymised statistical analysis and improve the Service using information collected via the consultation diagnosis questionnaire. ⑤ Compliance with legal obligations To fulfil record-keeping and other obligations required under applicable laws.
Article 2 – Categories of personal information processed
The personal information the Company processes is as follows. [Service enquiries] - Required: name, phone number, email address - Optional: company/organisation name, industry, message - Automatically collected: IP address, access timestamp [Consultation diagnosis form] - Automatically collected: IP address, browser localStorage identifier (UUID) - Optional: primary inquiry channel, average daily inquiries, missed-call frequency, types of repetitive inquiries, SMS interest, free-text description of desired AI-handled inquiries [Subscription and payment] - Required: name, academy name, phone number, email address - Automatically collected: payment transaction ID (TID), amount, timestamp
Article 3 – Retention and processing period
The Company retains personal information only for the period required by law or agreed at the time of collection, and destroys it without delay once the purpose is achieved or the period expires. [Enquiry data] Retention period: 3 years from date of receipt Legal basis: Article 6 and Enforcement Decree Article 6 of the Act on Consumer Protection in Electronic Commerce [Diagnosis data] Retention period: 1 year from collection date Basis: Service operation and improvement (destroyed after purpose is achieved) [Payment data] Retention period: 5 years from payment date Legal basis: Article 6 and Enforcement Decree Article 6 of the Act on Consumer Protection in Electronic Commerce [Access logs and IP addresses] Retention period: 3 months Legal basis: Article 15-2 of the Protection of Communications Secrets Act
Article 4 – Provision of personal information to third parties
The Company does not, in principle, provide personal information to third parties. Exceptions are as follows. ① Where the data subject has given prior consent ② Where required by specific statutory provisions or necessary to comply with a legal obligation ③ Where a public agency requires the information for its statutory duties and disclosure would not unfairly prejudice the data subject's interests
Article 5 – Entrustment of personal information processing
The Company entrusts the following personal information processing tasks to third parties to provide the Service smoothly.
| Processor | Processing activity | Retention period |
|---|---|---|
| KG Inicis | Credit card payment processing | As required by applicable law after payment is completed |
| Resend Inc. (USA) | Sending subscription invitation emails | Deleted immediately after sending |
| Amazon Web Services, Inc. (USA) | Cloud server infrastructure and data storage | Duration of service operation and as required by law |
| Slack Technologies, Inc. (USA) | Sending internal operational notifications | Subject to Slack's data retention policy after sending |
Resend Inc., Amazon Web Services, Inc., and Slack Technologies, Inc. are located in the United States. Certain personal information may be transferred to the USA for email delivery, server infrastructure, and notification purposes. These transfers are handled in accordance with Article 28-8 of PIPA.
When entering into entrustment agreements, the Company specifies in writing, in accordance with Article 26 of PIPA, prohibitions on processing for purposes other than the entrusted task, technical and administrative safeguards, restrictions on re-entrustment, supervisory obligations, and liability, and monitors processors to ensure compliant handling.
Article 6 – Procedures and methods for destroying personal information
The Company destroys personal information without delay once it is no longer necessary due to expiry of the retention period or achievement of the processing purpose. [Procedure] Personal information is destroyed upon approval by the privacy officer. Information that must be retained by law is moved to a separate database and destroyed once the statutory period expires. [Method] - Electronic files: deleted by technical means that make recovery impossible - Non-electronic records (printouts, etc.): shredded or incinerated
Article 7 – Rights and obligations of data subjects and legal representatives
Data subjects may exercise the following rights against the Company at any time. ① Right to access personal information ② Right to correct inaccurate information ③ Right to request deletion ④ Right to suspend processing Requests may be submitted by email to the privacy officer. The Company will respond without delay in accordance with Article 41 of the PIPA Enforcement Decree. For children under 14, a legal representative may exercise these rights on the child's behalf and must provide their own personal information at the same time.
Article 8 – Measures to ensure the security of personal information
The Company takes the following measures to ensure the security of personal information pursuant to Article 29 of PIPA. ① Minimising access and providing training Staff who handle personal information are designated and kept to a minimum, and regular privacy-protection training is conducted. ② Access controls Access rights to personal-information processing systems are granted, changed, and revoked on a controlled basis; intrusion-prevention systems block unauthorised external access. ③ Retention and integrity of access records Access records for personal-information processing systems are retained and managed for at least one year. ④ Encryption Sensitive personal information is encrypted in storage and transit; payment data is processed by KG Inicis using encryption. ⑤ Security software Security software is installed and updated regularly to prevent hacking and other external attacks.
Article 9 – Use of automatic data-collection devices
The Company does not use cookies. However, the consultation diagnosis feature uses the browser's localStorage to store a visitor identifier. [localStorage usage] - Item: neural_visitor_id - Purpose: preventing duplicate diagnoses from the same visitor and supporting statistical analysis for service improvement - Retention: until the user clears browser data - How to opt out: delete site data or localStorage via browser settings, or use private/incognito mode. Note that doing so may limit the diagnosis feature. The Company does not use behavioural tracking, personalised advertising, or third-party analytics tools (e.g. Google Analytics, Meta Pixel).
Article 10 – Privacy officer
The Company has designated a privacy officer responsible for overseeing personal information processing and handling complaints and remedies.
- Name
- Soyeon Kim
- Title
- Privacy Officer
- [email protected]
- Phone
- 010-3397-2750
Data subjects may direct all personal-information-related enquiries, complaints, and requests for remedies to the privacy officer.
Article 11 – Remedies for infringement of rights
Data subjects may apply to the following bodies for dispute resolution or consultation regarding personal information infringement.
- Personal Information Infringement Report Centre — privacy.go.kr / ☎ 118 (no area code)
- Personal Information Dispute Mediation Committee — www.kopico.go.kr / ☎ 1833-6972
- Supreme Prosecutors' Office — www.spo.go.kr / ☎ 301 (no area code)
- National Police Agency — ecrm.cyber.go.kr / ☎ 182 (no area code)
Article 12 – Changes to this Privacy Policy
This Privacy Policy is effective from 20 April 2026. If any additions, deletions, or amendments are made, the Company will notify data subjects at least 7 days before the changes take effect via the website notice board or by email. For material changes that significantly affect data subjects' rights, at least 30 days' prior notice will be given.