Impactive AI’s Privacy Policy

This Privacy Policy describes how Impactive AI, Inc. (“Impactive AI”) collects, uses, and manages personal information in accordance with applicable laws and regulations, including the Personal Information Protection Act of the Republic of Korea.

‍

1. Purpose of Processing Personal Information

Impactive AI collects and processes only the minimum personal information necessary for the following purposes, and may additionally collect personal information for the purpose of providing marketing information, depending on the user’s choice. Personal information being processed shall not be used for purposes other than those specified below, and if the purpose of use is changed, the Company will obtain separate consent from the user in accordance with Article 18 of the Personal Information Protection Act.

- Membership Registration and Management: To confirm the intention to register, identify and authenticate the customer in connection with the provision of services, maintain and manage membership eligibility, issue various notices, and handle grievances.

- Provision of Goods or Services: To supply goods or services, send contracts or invoices, and process payments and settlements.

- Service Analysis, Improvement, and Development: To analyze service usage, improve services, and develop new services.

- Provision of Marketing Information: To process personal information only when the user has consented to receive advertisements.

‍

2. Retention and Use Period of Personal Information

1) Impactive AI processes and retains personal information within the retention and use period consented to by the data subject at the time of collection, or within the retention and use period prescribed by relevant laws and regulations.

2) The respective processing and retention periods of personal information are as follows:

① Website Membership Registration and Management: Until withdrawal of membership.

However, in the following cases, personal information shall be retained until the relevant reason has been resolved:

- Where an investigation or inquiry due to a violation of relevant laws and regulations is ongoing: until the completion of such investigation or inquiry

- Where claims or debts remain in relation to the use of the website: until such claims or debts have been settled

② Provision of Goods or Services: Until the completion of supply of goods or services and the completion of payment and settlement.

However, in the following cases, personal information shall be retained until the expiration of the relevant period:

- Records concerning contracts or withdrawal of subscription: 5 years (Article 6 (1) 2 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.)

- Records concerning payment and supply of goods, etc.: 5 years (Article 6 (1) 3 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.)

- Records concerning consumer complaints or dispute resolution: 3 years (Article 6 (1) 4 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.)

- Records concerning labeling or advertising: 6 months (Article 6 (1) 1 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, etc.)

‍

3. Items of Personal Information Processed

Impactive AI processes the following items of personal information.

1) At the time of membership registration (Member)

If a user refuses to provide mandatory items, the use of services may be restricted.

2) When Making Customer Inquiries (Non-Members)

If a user refuses to provide mandatory items, customer inquiry and consultation services may be restricted.

3) Impactive AI does not permit membership registration by children under the age of 14, for which the consent of a legal representative would be required.

‍

4. Provision of Personal Information

Impactive AI does not provide users’ personal information to external parties without prior consent. However, personal information may be provided to third parties without the user’s consent in the following cases, in accordance with relevant laws and regulations:

1) Where an investigation agency or other governmental authority lawfully requests information pursuant to due legal procedures
2) Where otherwise required by applicable laws

‍

5. Installation, Operation, and Refusal of Automatic Collection Devices (Cookies)

Impactive AI uses “cookies,” which store and retrieve user information, in order to provide personalized services.

- Definition of Cookies: A cookie is a small piece of information that a server (HTTP/HTTPS) operating a website sends to a user’s web browser, and which may be stored on the hard disk of the user’s personal computer.

- Purpose of Using Cookies: Cookies are used to identify the user’s visit history and patterns of use for each service and website, popular search terms, and whether secure connections are in use, in order to provide optimized information to the user.

- Refusal of Cookie Storage: Users may refuse the storage of cookies by selecting options in the privacy menu under Tools > Internet Options at the top of the web browser. However, if the storage of cookies is refused, difficulties may arise in using customized services.

‍

6. Outsourcing of Personal Information Processing and Cross-Border Transfer

Impactive AI outsources part of its business operations to external specialized service providers and other third parties in order to improve service quality. For this purpose, the Company entrusts third parties with tasks that may involve the collection, storage, processing, use, provision, management, and destruction of users’ personal information and customer information held by the Company. The entrusted processors and the details of outsourced tasks are as follows:

If the user does not use the services related to the tasks outsourced to the entrusted company, the user’s personal information will not be provided to such company. Impactive AI specifies the necessary matters in accordance with the Personal Information Protection Act to ensure that the entrusted company processes personal information safely, and supervises and manages the entrusted company accordingly. In addition, if it becomes necessary to newly outsource personal information processing to other third parties, the Company will amend this Privacy Policy to disclose such outsourcing and take the legally required measures.

Impactive AI does not provide personal information to overseas business operators. However, for the performance of contracts relating to the provision of information and communications services and to improve user convenience, the Company outsources certain personal information processing tasks abroad as follows. Likewise, if the relevant services are not used, users’ personal information will not be provided to the entrusted company.

‍

7. Rights and Obligations of Data Subjects and Their Legal Representatives, and Methods of Exercise

Users, as data subjects, may exercise the following rights regarding their personal information: request for access, correction of errors, deletion, or suspension of processing. These rights may be exercised via email or other means, and Impactive AI will take prompt action upon receiving such requests. However, if the personal information is explicitly designated as subject to collection under other laws, deletion may not be requested.

Such rights may also be exercised through a legal representative of the data subject, or through an agent who has been delegated authority. In such cases, a power of attorney must be submitted in accordance with the prescribed form (Form No. 11) under the “Guidelines on Personal Information Processing Methods (Notice No. 2020-7).”

‍

8. Destruction of Personal Information

In principle, Impactive AI destroys personal information without delay once the purpose of processing has been achieved. Achievement of processing purposes includes, for example, membership withdrawal, expiration of service contracts, or requests for withdrawal. The procedures, deadlines, and methods of destruction are as follows:

- Destruction Procedure: Information entered by users is transferred to a separate database (or stored in separate documents, in the case of paper records) after the purpose has been achieved, and is retained for a certain period in accordance with internal policies and other applicable laws before being destroyed, or is destroyed immediately. Personal information transferred to a separate database shall not be used for any purposes other than those permitted by law.

- Destruction Deadline: Where the retention period of personal information has expired, such information shall be destroyed within 5 days from the end date of the retention period. Where the purpose of processing has been achieved, or the relevant service has been terminated, or the business has been closed, thereby rendering the personal information unnecessary, such information shall be destroyed within 5 days from the date on which it is deemed unnecessary to retain the personal information.

‍

9. Measures to Ensure the Security of Personal Information

In accordance with Article 29 of the Personal Information Protection Act, Impactive AI takes the following technical, managerial, and physical measures necessary to secure the safety of personal information:

1) Minimization and Training of Personnel Handling Personal Information: The Company designates staff who handle personal information, limits them to specific persons in charge, and implements measures to minimize and manage access to personal information.

2) Technical Measures Against Hacking, etc.: To prevent the leakage or damage of personal information caused by hacking, computer viruses, etc., the Company installs security programs, conducts periodic updates and inspections, installs systems in access-controlled areas, and monitors and blocks unauthorized access both technically and physically.

3) Encryption of Personal Information: Users’ personal information, including passwords, is encrypted for storage and management so that only the user can know it. Important data is secured through additional security functions such as encrypting files and transmission data or using file lock functions.

4) Retention and Prevention of Forgery of Access Records: Records of access to the personal information processing system are retained and managed for at least 6 months, and security functions are used to prevent alteration, theft, or loss of such records.

5) Restriction of Access to Personal Information: Necessary measures are taken to control access to personal information by granting, changing, or revoking access rights to database systems that process personal information, and unauthorized access from outside is controlled through intrusion prevention systems.

‍

10. Remedies for Infringement of Data Subjects’ Rights

Impactive AI collects users’ opinions regarding personal information protection and has established procedures and methods for handling complaints. Users may report complaints to Impactive AI’s personal information management officer or staff, and the Company will respond accordingly.

If users are not satisfied with the Company’s own handling of complaints or remedies for damages, or if they require further assistance, they may contact the following government agencies established and operated for this purpose:

▶ Personal Information Infringement Report Center (operated by the Korea Internet & Security Agency)
– Responsibilities: Reporting personal information infringements, filing consultation requests
– Website: privacy.kisa.or.kr
– Phone: 118 (no area code required)
– Address: 3F, Personal Information Infringement Report Center, 9 Jinheung-gil, Naju-si, Jeollanam-do, 58324, Republic of Korea

▶ Personal Information Dispute Mediation Committee
– Responsibilities: Applications for mediation of personal information disputes, collective dispute mediation (civil resolution)
– Website: www.kopico.go.kr
– Phone: 1833-6972 (no area code required)
– Address: 4F, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul 03171, Republic of Korea

▶ Supreme Prosecutors’ Office – Cybercrime Investigation Division
– Phone: +82-2-3480-3573
– Website: www.spo.go.kr

▶ National Police Agency – Cyber Bureau
– Phone: 182
– Website: http://cyberbureau.police.go.kr

‍

11. Personal Information Protection Officer

1) Impactive AI assumes overall responsibility for tasks related to the processing of personal information, and designates the following Personal Information Protection Officer to handle complaints and remedies related to the processing of personal information:

▶ Personal Information Protection Officer

- Name: Doohee Chung
- Title: Representative
- Position: CEO
- Contact: dh@impactive-ai.com

※ This will be connected to the department in charge of personal information protection.

▶ Department in Charge of Personal Information Protection

- Department: Business Planning Team
- Person in Charge: Junghyun Park
- Contact: jh@impactive-ai.com

2) For all inquiries, complaints, or remedies related to personal information protection that arise while using Impactive AI’s services (or business), users may contact the Personal Information Protection Officer or the department in charge. Impactive AI will respond to and process inquiries without delay.

‍

12. Amendments to the Privacy Policy

This Privacy Policy shall take effect from September 22, 2025. In the event of any additions, deletions, or modifications pursuant to laws or internal policies, such changes will be notified via website pop-ups or announcements at least 7 days prior to the effective date.

- Major Amendments: Addition of purpose for collecting personal information (provision of marketing information upon consent to receive advertisements), Addition of details regarding outsourcing and cross-border transfer of personal information (Stibee, Inc. and Google Analytics)

‍