Privacy Policy
Effective Date: July 15, 2026
1. Introduction Bangguseok Company (“we,” “our,” or “us”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service Mudangbibi (the “Service”).
We are located in the Republic of Korea. By using the Service, you consent to the processing of your information in Korea.
2. Statement under PIPA Article 30 This Privacy Policy is established and disclosed pursuant to Article 30 of the Personal Information Protection Act (PIPA) of the Republic of Korea, in order to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
3. Information We Collect
A. Required (necessary for us to provide the service)
| Purpose | Items | Retention Period | |
|---|---|---|---|
| Account creation & management | Email, password (or external login identifier), nickname, country, language | Until account deletion | |
| Saju service delivery | Gender, date of birth, time of birth | Until account deletion | |
| Service usage | Device info (OS, model), push notification token (FCM token), access logs, IP address, cookies | Until account deletion or statutory retention period |
B. Optional (collected only when you have provided optional consent)
| Purpose | Items | Retention Period |
|---|---|---|
| Service improvement — demographic analysis | Gender, year of birth (or age bracket), language used, behavioral logs linked to user identifier | Until consent is withdrawn |
| In-house AI model training | Chat history, AI chatbot conversations and input text, 7-day fortune exam inputs and results, generated saju results | Until consent is withdrawn |
| Service quality & analytics (Microsoft Clarity) | Session recordings, clicks/taps, navigation paths, device info | Within 1 year (or per Microsoft Clarity retention policy; see Consent for Behavioral Tracking and Analytics) |
Korean statutory retention periods. Certain records must be retained beyond account deletion under Korean law: * Log records: 3 months (Protection of Communications Secrets Act) * Contract / order-cancellation records: 5 years (Act on Consumer Protection in E-Commerce, etc.)
3.1. Regional Classifications of Sensitive Data Depending on your location, certain data processed for our Service is legally classified as “sensitive personal data.
4. How We Use Your Information We use your Personal Data on the following legal grounds (Contract, Consent, or Legitimate Interest): * To provide and maintain the Service. * To manage your account and send administrative information. * To prevent fraud and ensure security. * To comply with legal obligations. * (With separate consent only) To analyze user demographics for product improvement. * (With separate consent only) To train an in-house Saju AI model. * (With separate consent only) To analyze how users interact with the Service to improve our Service via Microsoft Clarity.
5. Destruction Procedure and Method 1. We destroy personal data without delay once the retention period has elapsed or the processing purpose has been achieved. 2. Method: personal data stored in electronic form is destroyed in a manner that prevents recovery; personal data on paper is shredded or incinerated.
6. International Data Transfers The Service runs on AI and the cross-border transfers below are necessary for service performance — without them the Service cannot operate. Your separate, explicit consent for these transfers is collected at signup through the International Data Transfer Consent document (PIPA Article 28-8). Refusing that consent means you cannot use the Service.
| Recipient | Country | Method | Items Transferred | Retention |
|---|---|---|---|---|
| Google LLC (Firebase, Gemini, Sign-In, Analytics) | United States | Network transmission during use | Authentication identifiers, device/log info, AI input text, usage statistics | Until account deletion or end of service agreement |
| OpenAI L.L.C. | United States | Network transmission upon AI request | AI input text | Up to 30 days for data safety and abuse monitoring, then permanently deleted per OpenAI API terms |
We apply Standard Contractual Clauses (SCC), encryption in transit (TLS), and strict access controls required by PIPA and global data protection authorities in connection with the transfers above.
Our primary servers run on secured cloud infrastructure. To comply with regional laws, the Company localizes or mirrors user data within local jurisdictions where legally mandated, while central processing infrastructure is securely hosted in South Korea.
7. Service Providers (Processors) We do not sell your personal data. We share your information with the following processors who act on our behalf:
| Processor | Delegated Task | Retention |
|---|---|---|
| Oracle Cloud Infrastructure (Chuncheon, Korea) | Hosting, server operation, data storage | Until account deletion or end of service agreement |
| Google Firebase | Authentication (Auth), Realtime Database, Push Notifications (FCM), File Storage | Until account deletion or end of service agreement |
| Google LLC | Generative AI response (Gemini API) | Immediately upon processing (per API call) |
| Google LLC (Google Analytics) | Usage statistics collection and analysis | Within 1 year (or per GA retention policy) |
| OpenAI L.L.C. | Large-language-model inference for response generation | Up to 30 days for data safety and abuse monitoring, then permanently deleted per OpenAI API terms |
We may also disclose your information to public authorities if required by law or in response to valid requests (e.g., a court order or government agency).
8. Third-Party Identity Providers For your convenience, the Service supports the following third-party identity providers. Unlike processors, these providers act as independent controllers, and we receive only the information you authorize them to share at sign-in.
- Apple (Sign in with Apple): Apple ID identifier, name as you provide, email (which may be a private-relay address @privaterelay.appleid.com).
- Google (Sign in with Google): Google account identifier, email, name.
Their handling of your data is governed by their own privacy policies.
9. Your Data Protection Rights Depending on your location (e.g., Korea, EEA, California), you may have the following rights: * Right to Access: Request copies of your personal data. * Right to Rectification: Request correction of inaccurate information. * Right to Erasure (“Right to be Forgotten”): Request deletion of your data. * Right to Restrict Processing: Ask us to restrict the processing of your data. * Right to Object / Suspend Processing: Object to or suspend specific processing activities. * Right to Data Portability: Request transfer of your data to another organization.
We do not sell your personal data to any third party.
To exercise these rights, please contact us at [dev@bangguseok.co.kr].
10. Optional Consents
We operate three independent optional consents. Each is separate from the others; refusing any one does not restrict your access to the core Service.
- AI Training Data Consent — uses your chat history and generated saju results to train an in-house Saju AI model. To safeguard your privacy, all personal data items, identifiers, and chat logs are fully anonymized and stripped of identifiers prior to training ingestion. The resulting trained model weights contain only anonymous, aggregated patterns, and no personal data remains retrievable or identifiable within the trained model weights. See the separate “AI Training Data Consent” document.
- Consent for Behavioral Tracking and Analytics —
- Service Improvement Data Consent — links demographics (gender, year of birth or age bracket, language used) to behavioral logs for user-preference analysis and product improvement. See the separate “Service Improvement Data Consent” document.
You may withdraw either consent at any time through the in-app settings or by emailing [dev@bangguseok.co.kr].
11. Children’s Privacy The Service is not directed to minors (the definition of which varies by jurisdiction). We do not knowingly collect or process personal data from minors without appropriate parental or legal guardian consent where required by local laws. If we discover data has been collected without valid consent, we will delete it immediately.
12. Data Protection Officer (CPO) Pursuant to Article 31 of PIPA, we designate the following Data Protection Officer to oversee personal-information processing and to handle related complaints and remedies:
- Name: Hyunwoo Kim
- Title: Head of Development
- Email: [dev@bangguseok.co.kr]
13. Right to File a Complaint with Korean Authorities You may seek dispute resolution or counsel from the following Korean agencies in case of personal-information infringement:
- Personal Information Infringement Report Center (KISA): dial 118 (no area code) / privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: dial 1833-6972 / www.kopico.go.kr
- Cybercrime Investigation Division, Supreme Prosecutors’ Office: dial 1301 / www.spo.go.kr
- Cyber Bureau, Korean National Police Agency: dial 182 / ecrm.police.go.kr
14. Jurisdiction-Specific Provisions
If you reside in or access the Service from any of the following jurisdictions, the respective local provisions below apply to you and shall override any conflicting terms in the main body of this Privacy Policy.
-----------------------------------------------------------------
UNITED STATES (CALIFORNIA RESIDENTS ONLY)
-----------------------------------------------------------------
This section applies solely to residents of California pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").
(a) Categories of Personal Information Collected & Disclosed: In the preceding 12 months, the Company has collected, and disclosed for business operational purposes, the following categories of personal information as defined by the CCPA/CPRA:
• Identifiers (e.g., account credentials, email, IP addresses).
• Personal Information Categories Listed in the California Customer Records Statute (e.g., gender, date of birth, time of birth).
• Internet or Other Electronic Network Activity Information (e.g., app interaction logs, chatbot chat inputs).
• Inferences Drawn from Other Personal Information (e.g., AI-generated Saju or fortune-telling profiles).
(b) Sources and Commercial Purposes: We collect this data directly from you and automatically via your device. We use this data to deliver AI fortune-telling services, secure our application, and improve our technology.
(c) No Sale or Sharing of Personal Information: The Company does not "sell" your personal information for monetary or valuable consideration, nor do we "share" your personal information with third parties for cross-context behavioral advertising.
(d) Your California Privacy Rights: You have the right to:
1. Know and Access what personal information we collect, use, and disclose.
2. Delete personal information collected from you (subject to legal exceptions).
3. Correct inaccurate personal information that we maintain about you.
4. Opt-Out of Automated Decision-Making Technology or profiling (if utilized for legally binding or similarly significant decisions).
5. Non-Discrimination: We will not discriminate or penalize you for exercising your CCPA/CPRA privacy rights.
To exercise these rights, please submit a verifiable request to our Privacy Team at [dev@bangguseok.co.kr].
-----------------------------------------------------------------
TAIWAN
-----------------------------------------------------------------
Pursuant to the Taiwan Personal Data Protection Act (PDPA), you possess statutory rights to request access to, review, make copies of, supplement, correct, or demand the cessation of collection, processing, use, or deletion of your personal data.
• Local Regulatory Body: If you believe your data privacy rights have been infringed, you have the right to lodge a complaint with Taiwan's Personal Data Protection Commission (PDPC).
-----------------------------------------------------------------
PHILIPPINES
-----------------------------------------------------------------
Users in the Philippines are protected under Republic Act No. 10173 (Data Privacy Act of 2012). You have the explicit right to object to processing, access your data, dispute inaccuracies, and seek damages for unauthorized or negligent data utilization.
• Local Regulatory Body: If you believe your data privacy rights have been infringed, you have the right to lodge a complaint with the National Privacy Commission (NPC).
-----------------------------------------------------------------
THAILAND
-----------------------------------------------------------------
Pursuant to Thailand’s Personal Data Protection Act B.E. 2562 (2019), Thai data subjects possess the legal right to data portability, processing restriction, and withdrawal of optional consent at any time without penalty.
• Local Regulatory Body: If you believe your data privacy rights have been infringed, you have the right to lodge a complaint with the Office of the Personal Data Protection Committee (PDPC).
15. Contact Us If you have questions about this Privacy Policy, please contact us: * Email: [dev@bangguseok.co.kr] * Postal Address: Unit 226, Unyang-dong-101, 54, 765 Taejang-ro, Gimpo-si, Gyeonggi-do, Republic of Korea