Privacy Policy

Effective Date: January 30, 2026

Goongoom (hereinafter referred to as the "Service") is operated by an independent developer (hereinafter referred to as the "Operator"). The Operator values your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in accordance with the Personal Information Protection Act and other relevant laws.

1. Purpose of Processing Personal Information

The Operator processes personal information for the following purposes. The processed personal information will not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act will be implemented.

1. Service Provision and Management: Processing personal information for purposes such as confirming the intention to join as a member, user identification/authentication, maintaining/managing membership qualifications, preventing unauthorized use of the service, and various notices/notifications.
2. Service Delivery: Processing personal information to provide the core functions of the service, such as posting questions and answers, providing content, and offering personalized services.
3. Customer Inquiry Handling: Processing personal information for the purpose of confirming user inquiries, contacting/notifying for factual investigation, and notifying processing results.
4. Internal Analysis for Service Quality and Other Services: The Operator may use collected member information and other data generated during service use (including user-created content such as questions, answers, and comments, and service usage records) for internal statistical/analytical purposes to maintain and improve the Service and to develop other services that the Operator may provide in the future. In such cases, the Operator will process the data in a de-identified or pseudonymized form so that individuals cannot be identified, and will not disclose or sell it externally.
5. Service Security and Stability: Processing personal information for the purpose of detecting and preventing service errors, monitoring service performance, preventing abuse, and maintaining the security and stability of the Service.

2. Personal Information Items Processed

The Operator collects the minimum personal information necessary to provide the service.

1. Membership Registration and Management (Required): Phone number, username, profile picture, account identifiers.
2. Information Generated During Service Use: Content directly created by the user (questions, answers, comments), profile information (bio, social links, etc.), push notification subscription data (endpoint URL, encryption keys, browser/device information for push delivery).
3. Items Automatically Generated and Collected During Internet Service Use: IP address, cookies, service use records, visit records, device information (browser type, operating system), location data (country, region/state, city, postal code, and geographic coordinates such as latitude and longitude), referring URL (website/page from which the user arrived), browser language preferences.
4. Items Collected for Service Security and Error Monitoring: Action/activity logs (user actions, related metadata, entity information, success/failure status, and error messages), error tracking data (error details, stack traces, and related technical information), session replay recordings (visual recordings of user interactions with the Service, including screen content, mouse movements, clicks, and scrolling behavior, collected on a sampling basis for error diagnosis and service quality improvement).
5. Items Collected for Product Analytics: Feature usage events (such as button clicks, feature interactions, and navigation patterns), user identifier for analytics purposes, session data, and device/browser information for product improvement and optimization.

3. Retention and Use Period of Personal Information

1. The Operator processes and retains personal information within the personal information retention/use period according to laws or the personal information retention/use period agreed upon when collecting personal information from the user.
2. The processing and retention periods for each personal information are as follows:
   • Membership Registration and Management: Until withdrawal from the service. However, if an investigation/inquiry due to a violation of relevant laws is in progress, it will be retained until the end of the investigation/inquiry.
   • Service Provision: Until the completion of service supply and confirmation of fee payment/settlement (if applicable).

4. Provision of Personal Information to Third Parties

The Operator processes the user's personal information only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the user's consent or special provisions of the law. Currently, Goongoom does not provide users' personal information to third parties.

5. Entrustment and Overseas Transfer of Personal Information Processing

The Operator entrusts the following personal information processing tasks for smooth personal information business processing. As the Operator uses overseas cloud services for service infrastructure operation, personal information is transferred abroad.

Trustees and Transfer Details

1. Vercel Inc.
   • Entrusted Task (Purpose of Transfer): Web hosting, infrastructure operation, and analytics (Analytics, Speed Insights)
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network upon service use
   • Personal Information Items: IP address, device info, location data, service use records, etc.
   • Retention and Use Period: Until service withdrawal or termination of entrustment contract
2. Clerk, Inc.
   • Entrusted Task (Purpose of Transfer): User authentication and account management
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network upon registration and login
   • Personal Information Items: Phone number, username, profile picture, account identifiers, etc.
   • Retention and Use Period: Until service withdrawal or termination of entrustment contract
3. Convex, Inc.
   • Entrusted Task (Purpose of Transfer): Database management and data storage
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network upon service use
   • Personal Information Items: Account info, user-created content, profile info, log data, etc.
   • Retention and Use Period: Until service withdrawal or termination of entrustment contract
4. Sentry, Inc.
   • Entrusted Task (Purpose of Transfer): Error monitoring, performance tracking, session replay, and service stability analysis
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network upon service use
   • Personal Information Items: IP address, device info, location data, user actions, error data, performance data, session replay recordings, etc.
   • Retention and Use Period: Until service withdrawal or termination of entrustment contract
5. PostHog, Inc.
   • Entrusted Task (Purpose of Transfer): Product analytics, user behavior analysis, and feature usage tracking
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network upon service use
   • Personal Information Items: User identifier, feature usage events, interaction data, device info, IP address, session data, etc.
   • Retention and Use Period: Until service withdrawal or termination of entrustment contract
6. OpenAI, Inc. (via Vercel AI Gateway)
   • Entrusted Task (Purpose of Transfer): AI-powered content translation and language processing
   • Transfer Country: USA
   • Transfer Date and Method: Transmission via network when using translation features
   • Personal Information Items: Text content submitted for translation, request metadata
   • Retention and Use Period: Processed in real-time; not retained after processing

Notice on Overseas Transfer

• Clerk: Protects data through EU-U.S. Data Privacy Framework (DPF) certification.
• Convex: Protects data through Standard Contractual Clauses (SCCs) and GDPR-compliant Data Processing Agreement (DPA), with data securely managed in the AWS US-East region.
• Sentry: Protects data through Standard Contractual Clauses (SCCs) and GDPR-compliant Data Processing Agreement (DPA), with data stored and processed securely in the United States.
• PostHog: Protects data through SOC 2 Type II certification and GDPR-compliant Data Processing Agreement (DPA), with data stored and processed securely in the United States.
• OpenAI: Data is transmitted through Vercel AI Gateway. OpenAI processes data in accordance with their Data Processing Agreement (DPA) and does not use API-submitted data for training purposes. Text is processed in real-time and not retained after processing.

6. Procedure and Method of Personal Information Destruction

1. The Operator destroys the personal information without delay when the personal information becomes unnecessary, such as the expiration of the personal information retention period or the achievement of the processing purpose.
2. If personal information must be continuously preserved according to other laws despite the expiration of the personal information retention period agreed upon by the user or the achievement of the processing purpose, the personal information is moved to a separate database (DB) or preserved in a different storage location.
3. The procedure and method of personal information destruction are as follows:
   • Destruction Procedure: The Operator selects the personal information for which the reason for destruction has occurred and destroys the personal information with the Operator's approval.
   • Destruction Method: Information in the form of electronic files is deleted using technical methods that cannot reproduce the records.

7. Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them

1. Users can exercise their rights, such as requesting access to, correction of, deletion of, or suspension of processing of personal information, at any time against the Operator.
2. The exercise of rights can be made in writing or by email to the Operator, and the Operator will take action without delay.
3. The exercise of rights can be made through a representative, such as a legal representative of the user or a person who has been delegated. In this case, a power of attorney according to the form in Attachment No. 11 of the "Notice on Personal Information Processing Methods" must be submitted.
4. Requests for access to and suspension of processing of personal information may be restricted according to Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.
5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.

8. Measures to Ensure the Safety of Personal Information

The Operator takes the following measures to ensure the safety of personal information:

1. Administrative Measures: Establishment and implementation of internal management plans, etc.
2. Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information, and installation of security programs.
3. Physical Measures: Access control to data storage locations.

9. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices

1. The Operator uses 'cookies' that store and frequently retrieve usage information to provide individual customized services to users.
2. Cookies are a small amount of information sent by the server (http) used to operate the website to the user's computer browser and are sometimes stored on the hard disk within the user's PC computer.
   • Purpose of Using Cookies: Used to provide optimized information to users by identifying the visit and usage patterns, popular search terms, and secure connection status for each service and website visited by the user.
   • Installation, Operation, and Rejection of Cookies: You can set options to allow or block cookies through browser option settings. (e.g., for Chrome: Settings > Privacy and Security > Clear Browsing Data)
   • If you refuse to store cookies, you may experience difficulties in using customized services.

10. Personal Information Protection Officer

The Operator is in charge of the overall responsibility for personal information processing and has designated a Personal Information Protection Officer as follows for handling user complaints and damage relief related to personal information processing.

Personal Information Protection Officer

• Name: Sunghyun Cho
• Contact: support@goongoom.com

Users can inquire about all personal information protection-related inquiries, complaint handling, and damage relief that occurred while using the service to the Personal Information Protection Officer and the department in charge. The Operator will answer and process the user's inquiries without delay.

11. Changes to the Privacy Policy

1. This Privacy Policy is applied from the effective date, and if there are additions, deletions, or corrections of changes according to laws and policies, they will be notified through announcements from 7 days before the implementation of the changes.
2. Previous versions of the Privacy Policy can be found here.

12. Effective Date

• This Privacy Policy is effective from January 30, 2026.