Carve Privacy Policy

Last Updated: May 7, 2025

PeekabooLabs Co.,Ltd. (hereinafter referred to as the "Company") takes your privacy very seriously and complies with personal information protection regulations under relevant laws, including the "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc." and the "Personal Information Protection Act." This Privacy Policy informs you about how your personal information is used in connection with your use of the Carve service (hereinafter referred to as the "Service") provided by the Company, and what measures are being taken to protect your personal information.

Information We Collect and How We Collect It

A. Information We Collect
The Company collects the following minimum personal information as mandatory items for membership registration, smooth customer consultation, and provision of various services.

  1. During Membership Registration

    • Mandatory: Email address (collected through Google account linking and used as your login ID).

    • Optional: Name, company name (if you choose to provide them).

    • (Note: The Company does not directly collect or store passwords for service login; authentication is performed through Google account linking (OAuth 2.0).)

  2. When Using Paid Services

    • Payment Information (The Company does not directly store payment information; it is securely processed through the payment processor, Lemon squeezy. e.g., transaction identification information).

  3. Information Automatically Collected During Service Use

    • IP address, cookies, service usage records (login history, AI model upload/optimization/download history, page visit history, etc.), device information (operating system, browser type and version, etc.).

  4. During Customer Support

    • Inquiry details, email address, (if necessary) contact number.

B. How We Collect Information
The Company collects personal information in the following ways:

  1. When you consent to the collection of personal information and directly enter information or consent to Google account linking during membership registration and service use.

  2. Through automated collection tools (automatically generated when using the website and service).

  3. Your personal information may be collected through web pages, email, fax, phone, etc., during consultation via customer support.

Purpose of Collection and Use of Personal Information

The Company uses the collected personal information for the following purposes:

  1. Fulfillment of Contracts for Service Provision and Fee Settlement for Service Provision

    • Providing content, offering specific customized services, billing and payment for use of paid services.

  2. Member Management

    • Identity verification for use of membership services, personal identification, prevention of fraudulent use by delinquent members and unauthorized use, confirmation of intent to join, handling complaints and civil petitions, delivering notices.

  3. Service Improvement, New Service Development, Marketing, and Advertising

    • Developing new services and providing customized services, providing services and displaying advertisements based on statistical characteristics, verifying service validity, identifying access frequency, statistics on members' service use.

    • Providing information on service-related news, updates, events, and promotions (via email, etc.). You may opt-out of receiving such marketing communications at any time by following the instructions in the emails sent or by contacting our customer support team.

  4. Security, Safety, and Dispute Resolution

    • Preventing violations of terms and conditions, preventing account theft and fraudulent transactions, complying with legal obligations, supporting dispute resolution.

Handling of User Content (AI Models)

The Company handles AI models you upload to the Service (hereinafter "User Content") in accordance with strict security policies. The Company will not view, copy, provide to third parties, or use User Content for any purpose other than providing the Service without your explicit consent. User Content is used solely for the purpose of performing the AI model optimization tasks you request and providing you with the results. If User Content contains personal information, you are solely responsible for managing that personal information.

Sharing and Provision of Personal Information (Third-Party Provision)

The Company uses users' personal information within the scope notified in "Purpose of Collection and Use of Personal Information" and, in principle, does not use it beyond this scope or disclose users' personal information externally without their prior consent. However, the following cases are exceptions:

  1. If users have given prior consent to disclosure or third-party provision.

  2. If required by law, or if there is a request from an investigative agency according to procedures and methods prescribed by law for investigative purposes.

  3. If necessary for fee settlement for the provision of paid services (providing minimum information to payment gateways).

  4. If provided in a form that does not identify specific individuals for statistical compilation, academic research, or market research.

The Company does not "sell" your personal information to third parties or "share" it for cross-context behavioral advertising purposes.

Entrustment of Personal Information Processing

For service improvement, the Company entrusts the processing of personal information to external specialized companies as follows:

  1. Amazon Web Services (AWS): Cloud infrastructure operation, including storage and optimization of uploaded AI models.

  2. Google Cloud Platform (GCP): Cloud infrastructure operation, including storage and optimization of uploaded AI models.

  3. Oracle Cloud Infrastructure (OCI): Cloud infrastructure operation, including storage and optimization of uploaded AI models.

  4. Lemon squeezy: Payment processing and related tasks for use of paid services.
    When concluding entrustment contracts, the Company specifies in contracts or other documents matters concerning responsibilities such as prohibition of personal information processing beyond the purpose of the entrusted task, technical and managerial protective measures, restrictions on re-entrustment, management and supervision of the trustee, and compensation for damages, in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the trustee processes personal information safely.
    If the content of the entrusted task or the trustee changes, we will disclose it without delay through this Privacy Policy.

Retention and Use Period of Personal Information, Destruction Procedures and Methods

In principle, users' personal information is destroyed without delay once the purpose of its collection and use has been achieved or upon membership withdrawal. However, the following information is retained for the period specified for the reasons below:

A. Reasons for Information Retention Under Relevant Laws
If it is necessary to retain member information according to the provisions of relevant laws such as the Commercial Act and the Act on Consumer Protection in Electronic Commerce, etc., the Company retains member information for a certain period prescribed by the relevant laws. In this case, the Company uses the retained information only for the purpose of retention, and the retention periods are as follows:

  1. Records on contracts or withdrawal of offers, etc.: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)

  2. Records on payment of charges and supply of goods, etc.: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)

  3. Records on consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)

  4. Website visit records: 3 months (Communication Secrets Protection Act)

B. Personal Information Destruction Procedures and Methods

  1. Destruction Procedure: Information entered by users for membership registration, etc., is transferred to a separate database (or a separate filing cabinet in the case of paper documents) after the purpose is achieved or upon membership withdrawal, and is stored for a certain period according to internal policies and other relevant laws (see Retention and Use Period) before being destroyed. Personal information transferred to a separate database is not used for any other purpose unless required by law.

  2. Destruction Method: Personal information stored in electronic file format is deleted using a technical method that makes it impossible to reproduce the records. Personal information printed on paper is shredded with a shredder or destroyed by incineration.

Rights of Users and Legal Representatives and How to Exercise Them

  1. Users may view or modify their registered personal information at any time and may also request to terminate their membership.

  2. To view or modify personal information, use the 'Edit My Info' function. To terminate membership (withdraw consent), use the 'Withdraw Membership' function. After identity verification, you can directly view, correct, or withdraw.

  3. Alternatively, if you contact the Chief Privacy Officer by email, we will take action without delay.

  4. If a user requests correction of errors in personal information, the relevant personal information will not be used or provided until the correction is completed. If incorrect personal information has already been provided to a third party, the result of the correction will be notified to the third party without delay so that the correction can be made.

  5. Personal information terminated or deleted at the user's request is processed as specified in "Retention and Use Period of Personal Information" and is processed so that it cannot be viewed or used for any other purpose.

  6. The Company does not, in principle, collect personal information from children under the age of 14. If it is confirmed that a child under the age of 14 has registered as a member without the consent of a legal representative, the Company will take necessary measures, such as deleting the account, without delay.

Installation, Operation, and Refusal of Automatic Personal Information Collection Devices (Cookies, etc.)

The Company uses 'cookies' that store and frequently retrieve usage information to provide individual customized services to users.

  1. Purpose of Using Cookies: Analyzing access frequency and visit times of members and non-members, identifying users' preferences and areas of interest and tracking traces, identifying participation levels in various events and visit counts for target marketing and personalized service provision.

  2. Installation, Operation, and Refusal of Cookies: Users have the option to install cookies. Therefore, users can allow all cookies by setting options in their web browser, confirm each time a cookie is saved, or refuse to save all cookies.

    • Example of setting method (for Internet Explorer): Tools at the top of the web browser > Internet Options > Privacy.

    • However, if you refuse to install cookies, there may be difficulties in providing the service.

Technical and Managerial Measures for Personal Information Protection

In processing users' personal information, the Company implements the following technical and managerial measures to ensure safety so that personal information is not lost, stolen, leaked, altered, or damaged.

  1. Use of Secure Authentication Methods: The Company uses Google account linking (OAuth 2.0) for member login and enhances security by not directly collecting or storing members' Google account passwords in this process.

  2. Measures Against Hacking, etc.: The Company does its best to prevent members' personal information from being leaked or damaged by hacking or computer viruses. Data is backed up frequently in preparation for damage to personal information, and the latest antivirus programs are used to prevent users' personal information or data from being leaked or damaged. Personal information is transmitted securely over the network through encrypted communication (SSL, etc.). Unauthorized access from the outside is controlled using an intrusion prevention system, and we strive to equip all possible technical devices to ensure system security.

  3. Minimization and Education of Personal Information Handling Staff: The Company's personal information handling staff is limited to designated personnel, separate access rights are managed for them, and compliance with the Privacy Policy is always emphasized through regular training for the staff.

  4. Establishment and Implementation of Internal Management Plan: An internal management plan is established and implemented for the safe processing of personal information.

Chief Privacy Officer and Contact Information of Responsible Department

You can report all privacy-related complaints arising from your use of the Company's services to the Chief Privacy Officer. The Company will provide prompt and sufficient answers to users' reports.

If you need to report or consult about other personal information infringements, please contact the institutions below:

  • Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)

  • Korea Internet & Security Agency (KISA) Privacy Invasion Report Center (privacy.kisa.or.kr / Dial 118 without area code)

  • Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / Dial 1301 without area code)

  • National Police Agency Cyber Bureau (www.police.go.kr/www/security/cyber.jsp / Dial 182 without area code)

International Transfer of Personal Information

The Company stores and processes collected personal information and User Content on cloud servers (AWS, GCP, OCI, etc.) located in the Seoul region, Republic of Korea. For some service functions (e.g., payment processing), personal information may be provided to entrusted third-party service providers located abroad (e.g., Lemon squeezy), in which case data may be transferred to the country where the servers of such providers are located. The Company takes appropriate protective measures to ensure that users' personal information is managed as securely as in Korea and complies with procedures under relevant laws. By agreeing to this Privacy Policy, you are deemed to consent to the international transfer of your personal information.

Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA):

  1. Right to Know: The right to request information about the categories and specific pieces of personal information the Company has collected, used, disclosed, or sold.

  2. Right to Delete: The right to request the deletion of your personal information collected by the Company, subject to certain exceptions.

  3. Right to Opt-Out of Sale/Sharing: The Company does not "sell" your personal information to third parties or "share" it for cross-context behavioral advertising purposes. Therefore, this right to opt-out does not currently apply to the Company's services.

  4. Right to Correct: The right to request correction of inaccurate personal information.

  5. Right to Limit Use and Disclosure of Sensitive Personal Information.

  6. Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your rights under the CCPA/CPRA.
    To exercise these rights, please contact us at contact@peekaboolabs.ai.

Your Rights if You are in the European Economic Area (EEA), UK, or Switzerland (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you may have the following rights under the General Data Protection Regulation (GDPR) or relevant laws:

  1. Right of access

  2. Right to rectification

  3. Right to erasure (right to be forgotten)

  4. Right to restriction of processing

  5. Right to data portability

  6. Right to object

  7. Right not to be subject to automated individual decision-making, including profiling.
    The Company accepts and processes requests to exercise these rights via contact@peekaboolabs.ai. You also have the right to lodge a complaint with a supervisory authority regarding the processing of your personal information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. For example, we may make changes to this Privacy Policy due to:

  • Changes in law or regulatory requirements.

  • Security or safety reasons.

  • Changes made in the usual course of developing our Service or privacy practices.

  • To adapt to new technologies or processing activities.

We will notify you of any changes to this Privacy Policy that materially adversely affect your rights or our obligations regarding your personal information by providing at least 30 days' advance notice through email or an in-product notification before such changes take effect. For all other changes, we will notify you by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page, unless a different effective date is communicated for material changes. Your continued use of the Service after such changes have been notified or posted will constitute your acceptance of the changes.

Addendum
This Privacy Policy shall become effective on May 7, 2025.