Privacy Policy

Article 1. Purpose of Processing Personal Information

Gleezor (the "Company") processes personal information for the following purposes. Personal information collected will not be used for any purpose other than those stated below. If the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act (PIPA).

A. Membership registration & management: Identity verification, membership maintenance, prevention of fraudulent use, and delivery of notices.

B. Service provision: Software license authentication and management, host registration/monitoring/update delivery via the Central Server, remote access relay (ICE/TURN) services, and customer support.

C. Marketing (with separate consent): New service development, customized services, event information and promotional materials.

D. Service improvement: Analysis of access patterns and usage statistics.

Article 2. Categories of Personal Information Collected & Methods

(1) The Company processes the following personal information:

A. At registration (required): Name (display name), email address, password (stored with one-way encryption), company/organization name.

B. Sales inquiries (required): Name, work email, company name, number of employees, inquiry details.

C. Automatically collected during service use: IP address, access date/time, service usage records, browser type and OS information, device identification (host fingerprint).

(2) Collection methods: Website (registration, contact form), host registration via Central Server API, and automatic generation/collection during service use.

Article 3. Retention and Use Period

(1) The Company processes and retains personal information within the retention period agreed upon at collection or as required by applicable laws.

(2) Specific retention periods:

A. Membership information: Until membership withdrawal. However, if an investigation or inquiry is in progress, retention continues until its conclusion; if outstanding debts remain, retention continues until settlement.

B. Retention under applicable laws:

- Records of contracts or withdrawal: 5 years (Act on Consumer Protection in Electronic Commerce)

- Records of payment and supply: 5 years (same Act)

- Records of consumer complaints or disputes: 3 years (same Act)

- Records of display/advertising: 6 months (same Act)

- Service access logs: 3 months (Protection of Communications Secrets Act)

- Tax-related records (invoices, etc.): 5 years (Framework Act on National Taxes)

Article 4. Provision of Personal Information to Third Parties

(1) The Company processes personal information only within the scope stated in Article 1 and provides personal information to third parties only when falling under Articles 17 and 18 of PIPA, including cases of user consent or special legal provisions.

(2) The Company does not currently provide personal information to third parties. If such provision becomes necessary in the future, this policy will be updated and data subjects will be notified.

Article 5. Entrustment of Personal Information Processing

(1) The Company entrusts personal information processing as follows for smooth service delivery:

- Trustee: Cloudflare, Inc. / Scope: Website CDN and security services / Retention: Until termination of entrustment contract.

- Trustee: Resend, Inc. / Scope: Email delivery (verification emails, notifications) / Retention: Until termination of entrustment contract.

(2) When entering entrustment contracts, the Company specifies in writing, in accordance with Article 26 of PIPA: prohibition of processing beyond the entrusted scope, technical and managerial safeguards, restrictions on re-entrustment, supervision of trustees, and liability for damages.

Article 6. Data Processing on On-Premises Host Servers

(1) Gleezor software is installed and operated on the customer's own server (on-premises). All data stored on the on-premises host server (VM workstations, file storage, AI assistant data) exists only on the customer's own infrastructure and is not transmitted to the Company's Central Server.

(2) Information received by the Central Server from host servers is limited to: hostname, IP address, software version, hardware fingerprint (for license authentication), and CPU/memory/disk utilization (for monitoring).

(3) The customer (business operator) who operates the on-premises server is responsible for the protection of employee personal information processed on that server (employee accounts, files, workstation data).

Article 7. Procedures and Methods for Destruction of Personal Information

(1) The Company destroys personal information without delay when it becomes unnecessary due to the expiration of the retention period or achievement of the processing purpose.

(2) If personal information must be retained under other laws despite the expiration of the agreed retention period, it is transferred to a separate database or stored in a different location.

(3) Destruction procedures and methods:

- Procedure: Personal information eligible for destruction is selected and destroyed with the approval of the Chief Privacy Officer.

- Methods: Electronic files are deleted using technical methods that prevent reproduction. Printed information is shredded or incinerated.

Article 8. Rights of Data Subjects and Methods of Exercise

(1) Data subjects may exercise the right to access, correct, delete, or suspend processing of their personal information at any time.

(2) These rights may be exercised via written request, email ([email protected]), or the in-service dashboard settings, in accordance with Article 41(1) of the Enforcement Decree of PIPA. The Company will take action without delay.

(3) Rights may be exercised through a legal representative or authorized agent. In such cases, a power of attorney must be submitted.

(4) The right to access or suspend processing may be restricted under Articles 35(4) and 37(2) of PIPA.

(5) Requests for correction or deletion cannot be made for personal information that is specified as a collection item under other laws.

Article 9. Measures to Ensure the Security of Personal Information

The Company takes the following technical, managerial, and physical measures to ensure the security of personal information in accordance with Article 29 of PIPA:

A. Managerial measures: Establishment and implementation of internal management plans, minimization of personnel handling personal information, and regular training.

B. Technical measures: Access control for personal information processing systems, installation of intrusion prevention systems, encryption of unique identification information. Passwords are stored using one-way encryption (Argon2), making the original unrecoverable by anyone including the Company.

C. Physical measures: The Central Server operates from data centers located in the Republic of Korea, with access control implemented for server rooms and data storage areas.

Article 10. Installation, Operation, and Rejection of Automatic Data Collection Devices

(1) The Company uses "cookies" that store and retrieve usage information to provide personalized services.

(2) Purpose of cookies: Login session maintenance, service usage statistical analysis, and security (CSRF prevention).

(3) Installation and rejection of cookies: You may refuse cookie storage through your web browser settings (Tools > Internet Options > Privacy). However, refusing cookies may limit access to certain services that require login.

(4) The Company does not use third-party advertising or behavioral tracking cookies.

Article 11. Chief Privacy Officer

(1) The Company has designated a Chief Privacy Officer to oversee personal information processing and handle complaints and remedies related to personal information protection.

- Chief Privacy Officer: Gleezor Security Team

- Contact: [email protected]

(2) Data subjects may contact the Chief Privacy Officer regarding any personal information protection inquiries, complaints, or remedies arising from the use of the Company's services. The Company will respond and process inquiries without delay (within 10 days).

Article 12. Remedies for Infringement of Rights

Data subjects may apply for dispute resolution or consultation with the following organizations for remedies regarding personal information infringement:

- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

- Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)

- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)

- National Police Agency Cyber Bureau: 182 (ecrm.cyber.go.kr)

Article 13. Changes to This Privacy Policy

This Privacy Policy is effective as of March 3, 2026. Previous versions can be viewed below.

Any changes will be announced through the website notice board at least 7 days prior to the effective date. For material changes affecting the rights of data subjects, notice will be given at least 30 days in advance.