Rallypi Privacy Policy

1. Categories of Personal Information We Process

In the course of providing the Service, we may process the following personal information.

1. Information provided directly by users
   • Registration and login: email address and account identifiers permitted by the authentication provider
   • Account settings: service preference information such as language settings
   • Customer inquiries: email address, inquiry details, and information included in attachments
2. Information automatically generated or collected during Service use
   • Service usage records, access times, browser type, operating system, device and app environment information, language settings, referrer information, error logs, and diagnostic logs
   • Search history, watchlist or saved-item records, alert settings, page views and click records, vote attempts and participation records, and records related to security and fraud prevention
   • Session identifiers, anonymous user identifiers, and usage pattern information needed for risk assessment
   • For non-members or anonymous users, random session identifiers or anonymous identifiers may be created and stored through cookies for service operation and security purposes.
3. Information collected through external authentication or in the course of providing the Service
   • For registration and login, we currently use Google OAuth and may process the email address and the minimum account identifiers permitted by the authentication provider for authenticated users.
   • Technical processing information required to operate the Service in connection with cloud, security, analytics, email delivery, and AI features

In principle, we do not collect unique identification numbers such as resident registration numbers or sensitive personal information. Where such processing is exceptionally required by law, we will do so in accordance with the procedures prescribed by applicable law.

1-1. Information We Generally Do Not Collect

• Name, phone number, or date of birth
• Payment or billing information before any paid service is introduced
• Passwords or raw OAuth tokens
• Device fingerprinting information beyond ordinary session cookies
• Raw IP addresses stored in our database

2. Purposes of Processing Personal Information

We process personal information for the following purposes.

1. Registration, login, identity verification, and account and authentication management
2. Providing service features such as settings, translation requests, and notifications
3. Responding to customer inquiries, delivering notices, and handling disputes
4. Service security, prevention of abuse, blocking abnormal traffic, and account protection
5. Performance analysis, error correction, quality improvement, and user experience enhancement
6. Providing AI-based summaries, translations, personalized ranking, or recommendation features
7. Legal compliance, protection of rights, and incident investigation and response
8. Improving advertising effectiveness

We process personal information only to the minimum extent necessary within the scope of the stated purposes. If the purpose changes, we will take the measures required by applicable law.

3. Retention and Use Period of Personal Information

We retain and use personal information until the purpose disclosed at the time of collection is achieved. However, if retention is required by applicable law, we will store the information safely and separately for the required period.

General retention periods are as follows.

• Member account information: until membership withdrawal
• Customer inquiry records: 3 years after processing is completed
• Security and operational logs: up to 12 months from the date of collection
• Anonymous user identifiers and session-related records: deleted or de-identified without delay after the operational purpose is achieved

When necessary for abuse prevention, security response, dispute handling, or legal compliance, some information may be retained for an additional period to the extent permitted by applicable law.

4. Provision of Personal Information to Third Parties

In principle, we do not provide users' personal information to external parties. Exceptions apply in the following cases.

1. Where the user has given prior consent
2. Where there is a specific provision in law or a lawful request under due process
3. Where there is an urgent need to protect the life, body, or property of the user
4. Where necessary for providing the Service within the scope permitted by law

If personal information is provided to a third party, we will separately disclose or reflect in this Policy the recipient, purpose of provision, items provided, and retention and use period. Personal information is provided to third parties only where consent or another legal basis exists.

5. Entrustment of Personal Information Processing

To provide the Service smoothly, we may entrust part of the personal information processing work to external specialist providers. Examples include the following.

• Cloud infrastructure operation and data storage
• Email delivery
• Operation of customer support tools
• Security and traffic blocking
• Web and app analytics and error tracking
• Processing AI-based summary and translation features
• Providing external authentication

When entering into outsourcing agreements, we reflect legally required privacy protection matters in the contract and supervise the entrusted parties.

Examples of current or expected major entrusted work are as follows.

• Amazon Web Services: cloud infrastructure, data storage, and log management
• Cloudflare: CDN, security, WAF, and rate limiting
• Google: login authentication, work tools, or email-related functions
• AI feature providers such as OpenAI: summary, translation, and analysis processing
• Email delivery service providers: sending customer inquiry messages

The actual list of entrusted providers may change depending on the service operating structure, and we will update this Policy when there is a material change.

6. Cross-border Transfer of Personal Information

In the course of operating the Service, personal information may be processed or stored outside the Republic of Korea. If we use global cloud, security, authentication, or AI providers, personal information may be processed abroad.

In accordance with applicable law, we disclose or notify the following matters regarding cross-border transfer.

• Recipient of the transfer
• Country of transfer
• Date, time, and method of transfer
• Categories of personal information transferred
• Purpose of transfer
• Retention and use period

Examples of cross-border transfer are as follows.

1. Amazon Web Services
   • Country of transfer: may include regions outside Korea depending on the service operating environment
   • Purpose of transfer: cloud hosting, data storage, and log management
   • Items transferred: account information, usage records, inquiry information, and other information necessary for service operation
   • Retention and use period: during the service period and the retention period required under applicable law
2. Google
   • Country of transfer: the United States and others
   • Purpose of transfer: external authentication and work or email-related service provision
   • Items transferred: email address, account identifiers, and authentication-related information
   • Retention and use period: until the purpose is achieved or for the period set by applicable policies
3. AI feature providers such as OpenAI
   • Country of transfer: the United States and others
   • Purpose of transfer: processing summary, translation, and analysis features
   • Items transferred: input information necessary for the relevant service feature
   • Retention and use period: until the processing purpose is achieved or for the period set by each provider's policy

The actual status of cross-border transfers will be separately disclosed or reflected in this Policy according to the service providers and configuration in operation.

7. Use of Cookies and Similar Technologies

1. We may use cookies or similar technologies to maintain login sessions, store preferences, support security, analyze traffic, and improve the Service.
2. Users may refuse or delete cookies through browser settings. However, some parts of the Service may be restricted as a result.
3. If cookies are used for advertising or analytics purposes, consent procedures will be applied where required by applicable law.
4. We may use session cookies for authentication and anonymous identifier cookies for service continuity and security analysis.

8. Procedure and Method for Destruction of Personal Information

1. If the retention period expires or the processing purpose has been achieved, the relevant personal information is destroyed without delay.
2. Electronic files are deleted using secure technical methods so that they cannot be recovered or restored.
3. If continued retention is required by law, the information is stored safely in a separated manner from other personal information.

9. Rights of Users and Legal Representatives and How to Exercise Them

1. Users may request access to, correction of, deletion of, suspension of processing of, withdrawal of consent for, or membership withdrawal relating to their personal information.
2. Unless there is a legally recognized reason not to do so, we will take the necessary measures without delay.
3. Rights may be exercised through a legal representative or duly authorized agent.

10. Automated Processing and Personalization

To provide more relevant content, we may analyze viewing history, click patterns, language settings, and market interest through automated methods and use the results for the following functions.

• Adjusting content display order
• Suggesting recommendations or related tickers
• Providing summaries and translations
• Prioritizing alerts or key information
• Assessing security risk and limiting advertising exposure

Where required by applicable law, we will provide procedures for explanation, objection, or review requests relating to automated processing.

11. Security Measures for Personal Information

We take the following measures to ensure the security of personal information.

• Minimization of access rights and access control management
• Protection measures for authentication information
• Encryption in transit such as HTTPS
• Operation of security log monitoring and incident response procedures
• Security controls such as WAF and rate limiting
• Security updates and vulnerability checks
• Administrative safeguards for entrusted providers and internal personnel

12. Children's Personal Information

If we must unavoidably process personal information of children under the age of 14, we will take necessary measures such as obtaining consent from a legal representative in accordance with applicable law.

13. External Links

The Service may contain links to third-party websites or services. The privacy practices of those external services are governed by the policies of the relevant operators, and Rallypi is not responsible for them.

14. Privacy Officer and Contact Information

• Privacy officer: rallypi
• Email: support@rallypi.com

If users need consultation or wish to file a report regarding a personal information infringement, they may contact the relevant authorities such as the Personal Information Infringement Report Center.

15. Notice for Overseas Users

1. This is a web service established in the Republic of Korea.
2. For overseas users, the personal information protection laws or consumer protection laws of the place of residence may additionally apply.
3. If we target users in a specific country or region or if separate notices are required under the laws of that jurisdiction, we may provide additional notices.

16. Changes to This Privacy Policy

We may revise this Policy due to changes in law, service content, or personal information processing practices. If there is a material change, we will provide notice at least 7 days in advance through in-service notices, email, or other appropriate means.