Privacy Policy for personaxi

Effective Date: February 3, 2026
Operator: PersonaXI (Sole Proprietorship, Republic of Korea)
Address: 충청남도 천안시 서북구 번영로 306-15, 104-101, Republic of Korea
Data Protection Officer: An Yu-chan (Representative) — privacy@personaxi.com

This Privacy Policy is established in accordance with Article 30 of the Personal Information Protection Act (Republic of Korea) to protect the personal information of data subjects and to handle related grievances promptly and smoothly.

Section 1: Purpose of Personal Information Processing

The Company processes personal information for the following purposes. The personal information being processed shall not be used for any purpose other than those listed below. If the purpose of processing changes, the Company shall take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

Account Registration and Management Registration intent confirmation via Google and Kakao social login, identity verification and authentication for membership services, maintenance and management of membership qualifications, prevention of service misuse, and handling of grievances.
Provision of Goods or Services Provision of AI character chat services, conversion of chat responses (text) to speech (TTS), storage and management of Persona settings, provision of file upload functionality (images, VRM, etc.), provision of personalized services, and payment processing.
Identity Verification and Age Verification Processing identity verification data through the integrated authentication service for identity checks, adult verification, age verification, duplicate account prevention, retention of authentication results, and compliance with applicable laws.
Service Improvement and Research User input data (prompts) and AI-generated responses shall be pseudonymized and used for the purpose of improving AI model performance, optimizing algorithms, and developing new features. The specific methods and protective measures for pseudonymization are specified in Section 10.

Section 2: Retention Period of Personal Information

The Company shall process and retain personal information within the retention period agreed upon with the data subject at the time of collection, or within the period required by law.
The specific retention periods are as follows:

Category	Retention Period	Legal Basis
Account registration and management	Until account termination	Consent
Provision of goods or services	Until service delivery and payment settlement are completed	Consent
Records related to contracts or withdrawal of subscription	5 years	Electronic Commerce Act, Art. 6
Records related to payment and supply of goods	5 years	Electronic Commerce Act, Art. 6
Records related to consumer complaints or dispute resolution	3 years	Electronic Commerce Act, Art. 7
Access logs (visit records)	3 months	Act on Protection of Communications Secrets, Art. 2

Section 3: Provision of Personal Information to Third Parties

The Company shall process personal information only within the scope specified in Section 1 and shall not, in principle, provide personal information to third parties without the consent of the data subject.

Section 4: Entrustment and International Transfer of Personal Information

The Company entrusts and transfers personal information processing as follows for the smooth handling of personal information:

Entrusted Party (Country)	Data Transferred	Purpose of Entrustment	Retention Period
Google, LLC (USA)	Email, chat records, Persona settings	AI response generation via Gemini LLM and infrastructure use	Until account termination or end of entrustment contract
Supabase, Inc. (USA)	Member UID, email, uploaded files	User authentication (Auth), database and storage	Until account termination or end of entrustment contract
Oracle Corp. (USA)	All service data	Web server hosting and cloud computing infrastructure	Until account termination or end of entrustment contract
Payment Processor	Payment email, payment records	Payment processing, tax compliance, and fraud prevention	Until the end of the statutory retention period (5 years)
Fish Audio (USA, etc.)	Chat text	AI character voice (TTS) generation and synthesis	Deleted immediately after the purpose is fulfilled
Kakao Corp. (South Korea)	Email, nickname, profile photo	Identity verification and login via Kakao account	Until account termination

The Company supervises entrusted parties to ensure that they process personal information safely in accordance with applicable laws at the time of signing the entrustment agreement.
Explicit Consent for International Transfer: During the registration process, the Company shall explicitly inform the user via a separate consent box that "Your personal information will be transferred to overseas servers (USA - Google, Supabase, Oracle, etc.)" and shall only approve registration if the user acknowledges and consents to this via a checkbox. To withdraw consent, the data subject may request account termination through the account settings or by contacting support@personaxi.com.

Section 5: Rights of Data Subjects and How to Exercise Them

Data subjects may exercise the following rights with respect to their personal information at any time: access, correction, deletion, and suspension of processing.
Rights may be exercised by contacting the Company via email at privacy@personaxi.com.
The Company shall take the necessary action within 15 days of receiving a request and notify the data subject of the result.
If the Company refuses a request, it shall communicate the specific reason for the refusal to the data subject.
Data subjects may also directly inquire with the Company to confirm the existence of their personal information.

Section 6: Categories of Personal Information Processed

Social Login Account Information
- Google: (Required) Email address, profile name, UID / (Optional) Gender, profile photo
- Kakao: (Required) Email address, nickname, UID / (Optional) Gender, profile photo
Identity Verification and Adult Verification Data
- (Required) Name, date of birth, mobile phone number, telecom carrier, domestic/foreign status, encrypted user verification value (CI), duplicate registration verification information (DI)
Service Usage Data
- (Required) Chat records, user prompts, Persona settings (instructions, background, etc.), uploaded files (images, VRM)
Automatically Collected Information
- IP address, cookies, service usage records, browser/OS information, records of misuse

Section 7: Security Measures for Personal Information

The Company takes the following measures to ensure the security of personal information:

Administrative Measures: Establishment and implementation of an internal management plan, regular security training for employees, and access privilege management for personnel handling personal information.
Technical Measures: Access control, prevention of tampering with access records, encryption of key data (during storage and transmission), application of SSL secure servers, and regular security vulnerability assessments.
Physical Measures: Access control and lock management for locations where personal information is stored (e.g., personal PCs) to prevent unauthorized access.

Section 8: Use of Cookies

The Company may use cookies to provide personalized services and analyze usage patterns.
Data subjects may refuse the installation of cookies through browser settings. In such cases, some features of the Service may be restricted.

Section 9: Data Protection Officer

The Company has appointed a Data Protection Officer to oversee all matters related to personal information processing.


Name	An Yu-chan
Position	Representative (Data Protection Officer, concurrent)
Contact	privacy@personaxi.com
Address	충청남도 천안시 서북구 번영로 306-15, 104-101, Republic of Korea

Data subjects may contact the Data Protection Officer for any questions regarding this Privacy Policy or to exercise their rights.

Section 10: Pseudonymization of Personal Information

The Company may pseudonymize personal information for the purpose specified in Section 1, Paragraph 3 (Service Improvement and Research).
The methods and procedures for pseudonymization are as follows:
- Directly identifiable information (e.g., email, UID) shall be removed or replaced with arbitrary values.
- Pseudonymized data shall be encrypted before storage to prevent re-identification.
- Management and security of pseudonymized information shall be handled separately in accordance with the Company's internal regulations.
The Company shall systematically operate re-identification prevention and security measures to ensure the safe management of pseudonymized information.
Research outputs utilizing pseudonymized information shall be verified to ensure that no personal information is included before publication.

The Company complies with the General Data Protection Regulation (GDPR) of the European Union with respect to data subjects within the EU.
Under the GDPR, EU data subjects have the following rights:
- Right of Access (Article 15)
- Right to Rectification (Article 16)
- Right to Erasure ("Right to be Forgotten") (Article 17)
- Right to Restriction of Processing (Article 18)
- Right to Data Portability (Article 20)
- Right to Object (Article 21)
The Company also complies with the California Consumer Privacy Act (CCPA) and ensures the rights of data subjects to whom the Act applies.
To exercise the above rights, please contact privacy@personaxi.com. The Company shall take the necessary action within 30 days of receipt.
Supervisory Authority: EU data subjects have the right to lodge a complaint with the relevant data protection supervisory authority in their EU Member State.

Section 12: Changes to this Privacy Policy

This Privacy Policy is effective as of February 3, 2026.
If the content of this Privacy Policy is added, modified, or changed, the Company shall provide notice through the Service prior to the effective date of the change.

Company: PersonaXI
Address: 충청남도 천안시 서북구 번영로 306-15, 104-101, Republic of Korea
Data Protection Officer: An Yu-chan (privacy@personaxi.com)