Privacy Policy

1.1 Information You Provide

• Account registration (email): Email address, username (minimum 3 characters), password (stored encrypted)
• Account registration (Google OAuth): Email address, name or display name, profile picture URL
• Guest access: An automatically generated username (with "guest_" prefix) — no personal information is required
• Support inquiries: Contact email address (required for guest users, optional for members; may differ from your account email), inquiry type, and message content
• Profile updates: Optional avatar image

1.2 Information Collected Automatically

• Usage data: Pages viewed, features used, and interaction patterns (collected via Google Analytics)
• Device and browser information: Browser type, operating system, screen resolution, and language preferences
• IP address: Collected through Google Analytics and Cloudflare Turnstile for security and analytics purposes
• Cookies and similar technologies: Authentication tokens, locale preferences, and analytics identifiers (see Section 8)

1.3 Payment Information

Payment processing is handled entirely by Toss Payments Co., Ltd. We receive only the order ID, payment confirmation status, payment amount, and your remaining document balance (the number of unused documents in your account). We do not collect, store, or have access to your credit card numbers, bank account details, or other payment method information.

1.4 Information We Do NOT Collect

We do not collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, or sexual orientation. We do not collect precise geolocation data.

Excel/CSV source files uploaded for PDF generation are never stored on our servers. They are processed entirely in memory and discarded immediately upon completion of the generation task.

Sub-processors

• Supabase Inc. (United States): Authentication, database hosting, and file storage (templates and fonts). Data is stored on AWS infrastructure.
• Toss Payments Co., Ltd. (Republic of Korea): Payment processing and payment gateway services.
• Google LLC (United States): Website analytics (Google Analytics), advertising services (Google AdSense), and tag management (Google Tag Manager).
• Cloudflare Inc. (United States / Global CDN): Bot prevention and CAPTCHA service (Cloudflare Turnstile).

Other Disclosures

We may disclose your information if required by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

Safeguards for EU/EEA Users

For transfers of personal data from the EU/EEA, we rely on the following transfer mechanisms as permitted under Chapter V of the GDPR:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable (Note: The EU adequacy decision for Korea covers personal data regulated by Korea's Personal Information Protection Commission (PIPC). Payment transaction data processed by Toss Payments under the supervision of the Financial Services Commission may require additional safeguards.)
• Data Processing Agreements (DPAs) included in each sub-processor's service agreements ensuring adequate levels of data protection

Transfer Destinations

• Republic of Korea: Primary service operation, data processing, Toss Payments Co., Ltd. (payment processing)
• United States: Supabase (authentication, database, storage), Google (analytics, advertising), Cloudflare (security)
• Global: Cloudflare CDN nodes for CAPTCHA verification

Retention Periods

• Account data (profile, email, username): Retained until you delete your account (after deletion, data is retained for 7 days for recovery purposes, then permanently deleted)
• Guest account data: Marked for deletion 24 hours after creation, permanently deleted within 7 days thereafter
• Uploaded templates and fonts: Retained until account deletion or manual deletion by you
• Excel/CSV source files: Not stored. Discarded from memory immediately upon completion of PDF generation
• Pseudonymized records for dispute resolution: A hashed email address, consent version history, account registration and deletion timestamps, and a payment summary are retained for up to 5 years after account deletion (based on the applicable statute of limitations). This processing is based on our legitimate interests (GDPR Art. 6(1)(f)) in defending against legal claims, and is limited strictly to that purpose.
• Payment records: 5 years (required by Korean tax law and e-commerce consumer protection law)
• Support inquiry records: 3 years (required by Korean e-commerce consumer protection law)
• Analytics data: Retained according to Google Analytics data retention settings (14 months, as configured by the Company)

Data Deletion

When you delete your account, your profile data is marked for deletion and permanently removed within 7 days. During this period, your data is inaccessible and cannot be used for any purpose other than enabling account recovery if requested. After permanent deletion, only pseudonymized records (hashed email, consent version history, registration/deletion dates, and payment summary) are retained for dispute resolution purposes for up to 5 years.

Data required to be retained by law (e.g., payment records, tax records) is kept for the mandatory retention period and then securely deleted.

7.1 Rights Under the GDPR (EU/EEA Residents)

If you are located in the EU/EEA, you have the following rights under the GDPR:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to restriction (Art. 18): Request that we limit the processing of your personal data
• Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, and machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
• Right not to be subject to automated decision-making (Art. 22): We do not currently make decisions based solely on automated processing that produce legal effects
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your EU/EEA member state

7.2 Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the CCPA:

• Right to know: Request information about the categories and specific pieces of personal information we have collected about you
• Right to delete: Request deletion of your personal information
• Right to opt-out of sale: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

7.3 How to Exercise Your Rights

You can exercise most of these rights directly through your account settings in the Service. For requests that cannot be handled through account settings, contact us at contact@nostoslab.space or call +82-70-8098-0467.

We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

Types of Cookies We Use

• Essential cookies: Supabase authentication cookies to maintain your login session, and payment verification tokens. These are necessary for the Service to function and cannot be disabled.
• Functional cookies: Locale preference cookies to remember your language setting.
• Analytics cookies: Google Analytics cookies to understand how users interact with the Service. These help us improve the Service.
• Advertising cookies: Google AdSense cookies for personalized advertising. These are used to show you relevant ads.

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a new cookie is set. Please note that disabling essential cookies may prevent you from using certain features of the Service (such as logging in).

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on. You can manage Google ad personalization at https://adssettings.google.com.

If we become aware that we have collected personal information from a child below the applicable age threshold without proper consent, we will immediately suspend the account and take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us immediately.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

Data Protection Contact

• Company: Nostos
• Data Protection Officer: Ji-hyeong Lee (CEO)
• Email: contact@nostoslab.space
• Phone: +82-70-8098-0467
• Address: 605-15, 28-9 Sangrijungsim-sangga-gil, Bongdam-eup, Hyohaeng-gu, Hwaseong-si, Gyeonggi-do, Republic of Korea

Supervisory Authority

If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

If you are a California resident, you may contact the California Attorney General at https://oag.ca.gov/privacy for privacy-related complaints.

For other jurisdictions, please contact your local data protection authority.