FluxAI Asia INC. (the “Company”) lawfully processes and securely manages users’ personal information in compliance with the Personal Information Protection Act and other applicable laws and regulations in order to protect users’ rights and freedoms.
In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform users of the procedures and standards for processing and protecting personal information and to handle related complaints promptly and smoothly.
Purposes of Collection and Use of Personal Information
The Company collects and uses users’ personal information based on the following legal grounds.
| Legal Basis | Category | Purpose of Collection and Use | Personal Information Items |
|---|---|---|---|
| Article 15(1)4 of the Personal Information Protection Act (contract execution and performance) | Membership registration and management | Confirm intent to register / identify and authenticate members / maintain and manage membership status / prevent improper Service use / provide notices and notifications | [Required] Email address, password or password hash, display name, social login identifier and provider information, login history |
| Service provision and operation | Provide generative AI services / process prompt input and generate Outputs / store and manage Content | [Required] Prompts, generation history and generated content, uploaded data, generated Outputs, content safety filtering results | |
| Use of Paid Services | Purchase subscriptions and credits / process and settle payments / process withdrawal of purchase and refunds | [Required] Payment authorization information, payment amount, payment status and history, payment method identification information (payments are processed through an external payment gateway, and the Company does not directly store card numbers) | |
| Team services | Provide team-based generative AI services / manage team members and generated materials | [Required] Team ID and team name, member email accounts, prompts, uploaded data, generated Outputs, Service history such as seat/payment status, aggregated usage status | |
| Article 15(1)1 of the Personal Information Protection Act (consent) | Customer inquiries and support | Verify identity of the complainant / confirm and process inquiries / notify processing results | [Required] Email, processing history, attachments, and inquiry details |
| Service improvement and feedback processing | Develop new features / review and reflect user suggestions | [Optional] User feedback, response data | |
| Automatically collected during Service use | Improve Service and ensure stability / prevent security incidents and unauthorized use | [Required] Service usage records, access logs, IP address, cookie information, device information | |
| Marketing event items | Provide discounts and coupons / deliver news and updates | [Optional] Marketing opt-in status and opt-in date/time, opt-out date/time, referrer/referee codes, event participation history |
The Company collects the minimum personal information necessary through membership registration, profile updates, and tools for collecting generation-related information.
The Company processes Content that users enter or generate in the course of using the Service, including prompts, uploaded data, and Outputs, only for purposes such as Service provision, operation, security, and quality improvement.
Retention and Use Period of Personal Information
The Company processes and retains personal information within the personal information retention and use period consented to by the user when collecting personal information or within the retention and use period required by applicable laws.
Specific processing and retention periods for personal information are as follows:
Membership registration and management information: until membership withdrawal
Service provision and operation information: until expiration of the Service use period
Paid Service use information: until membership withdrawal
Customer inquiries: six (6) months from the date the complaint or inquiry is handled
Service improvement and feedback processing: six (6) months from the date feedback is received
Personal information automatically collected during Service use: destroyed three (3) months after collection
Notwithstanding Paragraph 2, the following information is retained until the periods specified below.
Retention of Information Under the Company’s Internal Policy
| Retained Item | Basis for Retention | Retention Period |
|---|---|---|
| Personal information collected at membership registration | Prevent improper Service use or confusion | Deactivated for fourteen (14) days from the membership withdrawal request date and then destroyed |
Retention of Information Under Applicable Laws
| Retained Item | Basis for Retention | Retention Period |
|---|---|---|
| Records on contracts or withdrawal of purchase | Article 6(1)2 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc. | Five (5) years |
| Records on payment and supply of goods, etc. | Article 6(1)3 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc. | Five (5) years |
| Records on consumer complaints or dispute handling | Article 6(1)4 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc. | Three (3) years |
| Records on display and advertising | Article 6(1)1 of the Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc. | Six (6) months |
| Service usage records, access logs, access IP information | Article 15-2(2) of the Protection of Communications Secrets Act | Three (3) months |
Procedures and Methods for Destruction of Personal Information
When personal information becomes unnecessary, including due to expiration of the retention period or achievement of the processing purpose, the Company destroys the personal information without delay.
If personal information must continue to be retained under other laws even after the retention period consented to by the user has expired or the processing purpose has been achieved, the Company moves the relevant personal information to a separate database or stores it in a different location.
The procedures and methods for destruction of personal information are as follows:
Destruction Procedure
The Company selects personal information for which a reason for destruction has arisen and destroys it with the approval of the Company’s personal information protection officer.
Destruction Method
Personal information recorded and stored in electronic file format is destroyed so that the records cannot be restored, and personal information recorded and stored in paper documents is shredded or incinerated.
Provision of Personal Information to Third Parties
The Company processes users’ personal information only within the scope stated in Article 1, Purposes of Collection and Use of Personal Information, and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, including where the user has given separate consent, where special provisions of other laws apply, where it is clearly necessary for the urgent interests of the life, body, or property of the data subject or a third party, or where it is urgently necessary for public safety and security such as public health. Otherwise, the Company does not provide users’ personal information to third parties.
For members using the Team Subscription Service, the Company provides personal information as follows for management and operation of the relevant team or organization.
| Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
|---|---|---|---|
| Administrator of the Team Subscription account to which the member belongs | Monitor team members’ Service usage, manage data, and verify compliance with security policies | [Required] Prompts, uploaded data, generated Outputs, email address, display name (nickname), role, seat status, payment status, aggregated usage status | During the Team Subscription Service use period; provided that information required to be retained under applicable laws is retained for the relevant statutory period |
Entrustment of Personal Information Processing
The Company entrusts personal information processing work as follows for smooth handling of personal information-related operations.
| Processor | Entrusted Work | Retention and Use Period |
|---|---|---|
| Vercel Inc. | Hosting, static/dynamic asset delivery, API routing, web performance measurement, and aggregated analytics (Vercel Analytics) | Until membership withdrawal or termination of the entrustment agreement; provided that information required to be retained under applicable laws is retained for the relevant period |
| Cloudflare, Inc. | DNS management, request metadata (IP, headers, etc.), CDN/proxy, DDoS/WAF and other security processing, email routing | |
| Clerk, Inc. | Member authentication, login, session and token management, account identifier management | |
| Creem (Armitage Labs OÜ) | Payment processing, recurring subscription management, billing and receipts, refunds/cancellations/dispute handling, payment-related webhooks and metadata processing | |
| Google Analytics | Analysis of Service usage behavior, traffic, and visit statistics | |
| Sentry (Functional Software, Inc.) | Processing error events, stack traces, and diagnostic metadata | |
| OpenAI, Google, Replicate, FAL.ai | Generation and processing of prompts, uploaded data, generation parameters, and Outputs according to Service use |
When entering into an entrustment agreement, the Company specifies in documents such as contracts matters concerning prohibition of personal information processing for purposes other than performing the entrusted work, technical and managerial protection measures, restrictions on sub-entrustment, management and supervision of processors, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the processor handles personal information securely.
If the details of entrusted work or the processor changes, the Company will disclose the change through this Privacy Policy without delay.
Overseas Transfer of Personal Information
The Company transfers personal information collected from Service users overseas as follows, and provides the following notice regarding overseas transfers in accordance with Article 28-8 of the Personal Information Protection Act. If a user refuses overseas transfer, use of the Service may be restricted. Users who do not want overseas transfer of personal information may withdraw from membership through the official website, mobile web, or app.
| Recipient (Processor) | Country of Transfer | Timing and Method of Transfer | Personal Information Transferred | Purpose of Use | Retention and Use Period |
|---|---|---|---|---|---|
| Vercel Inc. (https://vercel.com/security) | United States | Transferred using TLS encryption when the Service is used | All personal information specified in Article 1 | Hosting, static/dynamic asset delivery, API routing, etc. | Until membership withdrawal or termination of the entrustment agreement |
| Cloudflare, Inc. (https://www.cloudflare.com/trust-hub/) | United States / global | Real-time TLS transfer | Request metadata (IP, headers, etc.), security event information, email address, email headers and transmission metadata | DNS management, CDN/proxy, DDoS/WAF and other security processing, email routing | |
| Clerk, Inc. (https://clerk.com/security) | United States | Transferred using TLS encryption during login/session processing | Authentication identifiers such as email and display name, session/token metadata, login history | Member authentication, login, session and account management | |
| Creem (Armitage Labs OU) (support@creem.io) | Estonia/global | Transferred using TLS encryption during payment and subscription processing | Customer email, payment token, transaction ID, payment amount, currency, payment status, product/plan information | Payment processing, recurring subscription management, billing and receipts, refunds/cancellations/dispute handling | |
| Google Analytics (https://policies.google.com/privacy) | United States | Transferred using TLS encryption when the Service is used | Service usage details, visit/event information, device/browser information, IP-based location information | Analysis of Service usage behavior | |
| Sentry (Functional Software, Inc.) (compliance@sentry.io) | United States / global | Real-time TLS-encrypted transfer when an error/event occurs | Error events, stack traces, diagnostic metadata, device/browser information | Error monitoring and failure analysis | |
| OpenAI (privacy@openai.com), Google (https://policies.google.com/privacy), Replicate (https://replicate.com/privacy), FAL.ai (support@fal.ai) | Service provision regions of each provider | Transferred over the network when the Service is used | Content entered by users (prompts, uploaded data), generated Outputs, and Service use-related data | AI-based content generation and processing | Until the purpose of Service provision is achieved or the entrustment agreement is terminated |
Measures to Ensure Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
Managerial measures: establishment and implementation of an internal management plan, regular employee training, and operation of a dedicated organization
Technical measures: management of access rights to personal information processing systems, installation of access control systems and other relevant safeguards, measures to block internet network access, encryption of personal information, retention and inspection of access logs, installation and updates of security programs, and inspection and remediation of vulnerabilities in personal information processing systems
Physical measures: access control for computer rooms and document storage rooms, storage of documents and auxiliary storage media in secure locked locations, safety measures for disasters and emergencies, and control of removal and return of auxiliary storage media
Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
The Company uses cookies, which store and retrieve usage information from time to time, to provide users with personalized services.
Cookies are small pieces of information sent by the server (HTTP) used to operate a website to a user’s computer browser. They are stored on the user’s computer or mobile device and are automatically transmitted from the user’s browser to the server when the user accesses the website.
Purpose of cookie use: cookies are used to understand users’ visits to and use of each service and website, popular search terms, secure access status, and similar information in order to provide optimized information to users.
If a user refuses to store cookies, the user may experience difficulty using personalized services.
Users may allow or block cookies through browser option settings.
Allowing/blocking cookies in a web browser
Chrome: select the ‘⋮’ icon at the top right of the web browser > New Incognito Window (shortcut: Ctrl+Shift+N)
Edge: select the ‘…’ icon at the top right of the web browser > New InPrivate Window (shortcut: Ctrl+Shift+N)
Allowing/blocking cookies in a mobile browser
Chrome: select the ‘⋮’ icon at the top right of the mobile browser > New Incognito Tab
Safari: mobile device Settings > Safari > Advanced > Block All Cookies
Samsung Internet: select the ‘Tabs’ icon at the bottom of the mobile browser > Turn on Secret mode > Start
Rights of Users and Legal Representatives and How to Exercise Them
Users may exercise rights against the Company, including requests to access, correct, delete, or suspend processing of personal information.
Users may exercise their rights against the Company in writing, by email, by fax, or by other methods in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
Rights may also be exercised through a legal representative of the user or an authorized agent. In such case, a power of attorney in the form prescribed in Annex Form 11 of the Notice on Personal Information Processing Methods (No. 2020-7) must be submitted.
A user’s rights to request access to and suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act. However, correction or deletion of personal information may not be requested if other laws specify that the personal information is subject to collection.
When a user requests access, correction, deletion, or suspension of processing under the user’s rights, the Company verifies whether the person making the request is the user or a legitimate representative.
Automated Decision-Making
The Company performs automated processing using generative AI technology to generate Outputs based on information entered by users, including prompts and uploaded Content.
The main types of personal information used for automated processing are as follows:
Input data such as text, images, and files entered by users
Outputs generated during use of the Service
Technical information such as Service usage records, access logs, and device information
The foregoing personal information is processed only within the scope of purposes such as Service provision, operation, storage, security maintenance, and prevention of unauthorized use.
The automated processing process proceeds as follows, and generated results are derived through probabilistic calculation in this process; accuracy, completeness, or fitness for a particular purpose may not be guaranteed.
The user enters a prompt or Content
The information is delivered to an AI model for analysis and processing
The model generates an Output through probabilistic computation and inference
The generated Output is provided to and stored for the user
As a general rule, the Company does not collect or use sensitive information or personal information of children under fourteen (14) years of age in automated processing. However, if a user voluntarily enters sensitive information or a child’s personal information while using the Service, such information may be temporarily processed to generate Outputs in response to the user’s request. The Company does not recommend entering such information and applies protective measures under applicable laws.
Users may exercise the following rights regarding automated processing. These rights may be requested through the customer center or the personal information protection officer, and the Company will take necessary measures without delay within the scope prescribed by applicable laws.
Request an explanation of automated processing results
Request correction or deletion of automated processing
Object to or request restriction of automated processing
Personal Information Protection Officer and Responsible Department
The Company designates the following personal information protection officer to oversee personal information processing and handle complaints and remedies related to personal information processing.
| Personal Information Protection Officer | Name: Seung Hyun Han / Position: PO / Contact: support@craisee.com |
|---|
Users may contact the personal information protection officer for all personal information protection-related inquiries, complaints, and remedies arising while using the Company’s Service. The Company will respond to and handle user inquiries without delay.
Users may submit requests to access personal information under Article 35 of the Personal Information Protection Act to the personal information protection officer. The Company will endeavor to handle users’ personal information access requests promptly.
Remedies for Infringement of Rights
Users may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Personal Information Infringement Report Center, or other institutions to obtain remedies for personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following institutions.
Personal Information Dispute Mediation Committee: www.kopico.go.kr / 1833-6972 (no area code)
Personal Information Infringement Report Center: privacy.kisa.or.kr / 118 (no area code)
National Police Agency: ecrm.police.go.kr / 182 (no area code)
Application to Overseas Users
The Company may provide the Service in various countries, including the Republic of Korea, and if a user uses the Service outside the Republic of Korea, privacy-related laws and regulations of the relevant country or region may apply.
Notwithstanding this Privacy Policy, if applicable laws of the user’s residence or the region where the Service is provided conflict with this Policy, those laws prevail.
The Company may apply separate standards as necessary to guarantee user rights under the laws and regulations of each country or region, including the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Application of this Privacy Policy
This Privacy Policy applies to the CRAISEE official website, mobile web, app, and related services provided by the Company. This Privacy Policy does not apply where personal information is collected by other companies’ websites linked within the Service.
This Privacy Policy is effective as of May 18, 2026.