Privacy Policy
Effective: April 22, 2026
Slowthought STL Inc. ("the Company") establishes and publishes this Privacy Policy to protect the personal information of users in accordance with the Personal Information Protection Act of Korea and to handle related grievances promptly and smoothly.
No Visitor Data Retention Principle
The Company does not store on its servers the individual visitor data (raw events, user_pseudo_id, client_id, individual session records, etc.) from the GA4 properties and GTM containers connected by users. Such data is retrieved in real time via Google APIs only at the moment a user issues a query, used for analysis, and discarded from memory immediately after the response. What the Company stores is limited to the user's chat history and the aggregated analytical results contained therein.
Article 1 (Categories of Personal Information Collected and Methods of Collection)
The Company collects the following personal information for the provision of the Service.
| Category | Items Collected | Collection Method |
|---|---|---|
| Account (Required) | Email address, name (Google profile), Google profile image URL | Automatically collected on Google OAuth sign-in |
| Service Connection | Google OAuth access/refresh tokens (encrypted at rest), connected GA4 property IDs/names, connected GTM container IDs/names | At the time the user authorizes the GA4/GTM connection |
| Service Usage | Chat session and message history, conversation summary/preference memory, prompt logs, feedback, token usage | Automatically generated during Service use |
| Billing | Subscription plan, status and period, transaction IDs, payment amounts, payment method type, recurring-billing keys (encrypted at rest) | Received from the payment processor on paid checkout |
| Automatic | IP address, browser type, access time, request path | Automatically collected during Service use |
* The Company does not collect or store website-visitor personal data such as raw GA4 events, user_pseudo_id, client_id, or individual visit records from the GA4 properties connected by users.
Article 2 (Purposes of Use)
The Company uses the collected personal information for the following purposes.
- Service provision and operation: member identification, GA4 data analysis, GTM configuration automation, AI-based insight delivery
- Payment processing: subscription billing, recurring billing, refunds
- Service improvement: usage analytics, AI response quality enhancement
- Customer support: responding to inquiries, delivering notices
- Legal compliance: meeting obligations under applicable law
Article 3 (Retention and Use Periods)
After the purpose of collection and use has been achieved, the Company destroys the relevant information without delay.
- Member information: until withdrawal (destroyed immediately upon withdrawal)
- Google OAuth tokens: stored AES-encrypted; destroyed immediately upon user disconnection or withdrawal
- Connected GA4 property / GTM container metadata: until the user disconnects or withdraws
- Raw GA4 event data: not stored — fetched in real time from Google APIs only at query time and discarded from memory immediately after the response
- Chat history and memory: destroyed upon withdrawal or user request
- Payment records: retained for 5 years under applicable laws (e.g., the Act on the Consumer Protection in Electronic Commerce), then destroyed
- Recurring-billing keys: stored encrypted; destroyed immediately upon subscription cancellation or withdrawal
- Access logs: retained for 3 months, then destroyed (per the Protection of Communications Secrets Act)
Article 4 (Provision of Personal Information to Third Parties)
In principle, the Company does not provide users' personal information to third parties. The following are exceptions.
- Where the user has given prior consent
- Where required by law
Article 5 (Outsourcing of Personal Information Processing)
For smooth Service delivery, the Company outsources personal information processing as follows.
| Sub-processor | Entrusted Work | Retention |
|---|---|---|
| Vercel Inc. | Frontend web hosting (static asset delivery) | For the duration of Service use |
| Fly.io (Fly Services Inc.) | Backend application hosting | For the duration of Service use |
| Supabase Inc. | Database storage and management, authentication, embedding processing (Edge Functions) | For the duration of Service use |
| Google LLC | OAuth authentication, GA4 Data/Admin API, GTM API integration | For the duration of Service use |
| Anthropic PBC | AI processing (Claude API) | Only at the moment of query processing (results not retained) |
| KG Mobilians Co., Ltd. | Credit card / simple payment / mobile payment processing and recurring billing | Retention as required by applicable law |
If sub-processors change, the Company will provide advance notice through this Privacy Policy.
Article 6 (Data Processing Agreement (DPA))
- When a user connects a GA4 property or GTM container for which they hold rights to the Service, the user is the Controller of the website-visitor information collected through that property/container, and the Company acts as the user's Processor, handling such information solely for the analytical purposes entrusted by the user.
- By agreeing to the Terms of Service and this Privacy Policy, the user is deemed to have entered into a Data Processing Agreement (DPA) with the Company as required by Article 26 of the Personal Information Protection Act of Korea and Article 28 of the GDPR.
- As a Processor, the Company observes the following:
  - Processing only within the scope of purposes specified by the user (GA4 analysis / GTM configuration)
  - Not permanently storing individual visitor raw data in any separate datastore (see Article 3)
  - Sub-processing only with the sub-processors listed in Article 5 and only to the minimum extent necessary
  - TLS encryption in transit and encryption at rest for sensitive information
  - Notifying the user without undue delay in the event of a personal-data breach
  - Upon termination of the entrustment relationship, destroying or returning user-related data
- Where website visitors (data subjects) managed by the user wish to exercise rights to access, deletion, or restriction of processing of their personal data, the primary obligation to respond rests with the user; the Company will cooperate with the user's request when made.
- Enterprise customers requiring a separate signed DPA may, in lieu of paragraph 2 of this Article, execute the Company's separate DPA form, which will prevail in such case. Please direct requests to pcs3004@naver.com.
Article 7 (Destruction of Personal Information)
- When personal information becomes unnecessary — due to expiry of the retention period, achievement of the processing purpose, etc. — the Company destroys it without delay.
- Information held in electronic files is permanently erased in a manner that prevents recovery; printed personal information is shredded or incinerated.
Article 8 (User Rights and How to Exercise Them)
- Users may at any time request access to, correction of, deletion of, or restriction of processing of their personal information.
- Rights may be exercised through the in-app settings page or by email at pcs3004@naver.com; the Company will act without delay.
- Where a user requests deletion of personal information, the Company will destroy such information without delay.
Article 9 (Measures to Ensure the Security of Personal Information)
The Company implements the following measures to ensure the security of personal information.
- Data encryption: SSL/TLS encryption in transit; sensitive information such as OAuth tokens and billing keys is stored AES-encrypted
- Access controls: access to systems that handle personal information is restricted to the minimum necessary personnel
- Access-log retention: access records to personal-information processing systems are retained for at least one year
- Data minimization: collecting only the minimum information necessary to provide the Service; visitor raw data is not stored
Article 10 (Privacy Officer)
The Company designates the following Privacy Officer to oversee personal-information processing.
Article 11 (Changes to this Privacy Policy)
This Privacy Policy takes effect on the date stated above. Any changes will be announced through in-Service notices.
Article 12 (Remedies for Infringement of Rights)
Users in Korea may contact the following authorities for relief from personal-data infringements:
- KISA Privacy Infringement Reporting Center: 118 (within Korea)
- Personal Information Dispute Mediation Committee: 1833-6972
- Supreme Prosecutors' Office Cybercrime Investigation: 1301 (within Korea)
- Korean National Police Cyber Bureau: 182 (within Korea)
Supplementary Provisions
This Privacy Policy is effective as of April 22, 2026.
For the legally binding Korean original, see /ko/privacy. In the event of any discrepancy, the Korean original prevails.