GenON Co., Ltd. (hereinafter referred to as "the Company") complies with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects in providing its products and services, and lawfully processes and safely manages personal information.
In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for processing personal information and to handle related grievances promptly and smoothly.
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes. Personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures will be taken, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
- Handling complaints or inquiries: Consultation on product/technology and purchase inquiries
- Provision of goods or services: Service provision, content provision, customized service provision
- Use for marketing and advertising: Development of new services (products) and provision of customized services, verification of service validity, measurement of access frequency, provision of events and promotional information, and statistics
- Recruitment operations: Conducting hiring processes and smooth communication with applicants
2. Items and Retention Period of Personal Information Processing
A. Items of Personal Information Processed
| Category | Personal Information Items |
|---|---|
| Product and service inquiries | [Required] Name, company name, department, title, email, mobile phone |
| Brochure request | [Required] Name, company name, department, title, email |
| Online/offline event registration | [Required] Name, company name, email, mobile phone, industry, title |
| Newsletter | [Required] Name, company name, email [Optional] Department |
| Marketing and advertising | [Optional] Name, company name, department, title, industry, email, mobile phone |
| Recruitment | [Required] Basic information (name, date of birth, email, mobile phone number, address), education (school name, enrollment period, major), work experience |
| API Inference Service | [Required] API key, IP address, request/response content (prompts and generated results), token usage, request time |
In addition, activity records such as IP, access URL, cookies, device information, visit time, and service usage records may be generated and collected during service use.
B. Processing and Retention Period of Personal Information
| Category | Legal Basis | Retention Period |
|---|---|---|
| Product and service inquiries | Article 15(1) of the Personal Information Protection Act (Collection and Use of Personal Information) | 3 years |
| Brochure request | 3 years | |
| Online/offline event registration | 3 years | |
| Newsletter | Until opt-out request from consent date | |
| Marketing and advertising | Until opt-out request from consent date | |
| Recruitment | 3 years (deleted immediately upon applicant's request) | |
| API Inference Service | Request/response data: 30 days, Usage metadata (anonymized): 12 months |
3. Entrustment of Personal Information Processing
A. The Company entrusts personal information processing as follows for smooth service provision.
| Entrusted Company | Entrusted Tasks | Retention and Use Period |
|---|---|---|
| System operation for service provision, customer DB data management | Until termination of entrustment contract | |
| Salesforce | Customer DB data management for service provision | Until termination of entrustment contract |
| Stibee Co., Ltd. | Newsletter delivery | Until termination of entrustment contract |
| Peat Co., Ltd. | Brochure provision solution usage | Until termination of entrustment contract |
| Wanted Lab Co., Ltd. | Recruitment management solution usage | Until termination of entrustment contract |
| Bizgo | SMS, LMS, MMS delivery | Until termination of entrustment contract |
| forms.app | Service and event application form collection solution usage | Until termination of entrustment contract |
| Remember & Company Co., Ltd. | Customer DB data management for service provision | Until termination of entrustment contract |
| Celonis, Inc. | Customer inquiry and event application form collection, customer DB data management for service provision | Until termination of entrustment contract |
B. When entering into entrustment contracts, the Company specifies matters concerning prohibition of personal information processing outside the purpose of entrusted work, technical and administrative protective measures, restrictions on re-entrustment, management and supervision of entrusted companies, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises entrusted companies to ensure they do not violate personal information protection laws.
4. International Transfer of Personal Information
The Company transfers (stores) personal information overseas as follows for stable service provision. If you do not wish to have your personal information transferred overseas, you may refuse the international transfer through the Company's Personal Information Protection Officer and relevant department.
- Article 28-8(1)1 of the Personal Information Protection Act (Consent of data subject)
- Article 28-8(1)3 of the Personal Information Protection Act (Processing entrustment/storage for contract performance)
RecipientGoogle (USA)
- Items transferred: Name, company name, department, title, email, mobile phone, industry
- Purpose of transfer: System operation for service provision, customer DB data management
- Retention period: Until termination of entrustment contract
- Contact: https://support.google.com/
RecipientSalesforce (Japan)
- Items transferred: Name, company name, department, title, email, mobile phone, industry
- Purpose of transfer: Customer DB data management for service provision
- Retention period: Until termination of entrustment contract
- Contact: privacy@salesforce.com
Recipientforms.app (Turkey)
- Items transferred: Name, company name, department, title, email, mobile phone, industry
- Purpose of transfer: Service and event application form collection solution usage
- Retention period: Until termination of entrustment contract
- Contact: https://my.forms.app/forms/your-privacy-rights
RecipientCelonis, Inc. (Czech Republic)
- Items transferred: Name, company name, department, title, email, mobile phone, industry
- Purpose of transfer: Customer DB data management
- Retention period: Until termination of entrustment contract
- Contact: privacy@celonis.com
5. Procedures and Methods for Destroying Personal Information
A. The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved.
B. If personal information must be retained in accordance with other laws despite the expiration of the retention period consented to by the data subject or achievement of the processing purpose, such personal information will be moved to a separate database (DB) or stored in a different location.
C. The procedures and methods for destroying personal information are as follows:
- Destruction procedure: The Company selects personal information for which destruction reasons have arisen and destroys the personal information with approval from GenON's Personal Information Protection Officer.
- Destruction method: Personal information in electronic file format is destroyed using technical methods that make records unrecoverable.
6. Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercising Them
A. Data subjects may exercise rights such as requesting access, correction, deletion, and suspension of processing of personal information from the Company at any time.
B. The exercise of rights under paragraph 1 may be made to the Company in writing, by email, or by facsimile (FAX) in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and GenON will take action without delay.
C. The exercise of rights under paragraph 1 may be made through a legal representative of the data subject or an authorized agent. In this case, a power of attorney in the form of Attachment 11 of the "Notice on Personal Information Processing Methods (No. 2020-7)" must be submitted.
D. Requests for access to and suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
E. Requests for correction and deletion of personal information cannot be made if such personal information is specified as a collection target under other laws.
F. The Company verifies whether the person making requests for access, correction, deletion, or suspension of processing is the data subject or a legitimate representative.
7. Measures to Ensure Safety of Personal Information
The Company takes the following measures to ensure the safety of personal information:
A. Establishment and implementation of internal management plan: An internal management plan has been established and implemented for safe processing of personal information.
B. Access restrictions to personal information: Necessary measures are taken to control access to personal information through granting, changing, and canceling access rights to database systems that process personal information, and intrusion prevention systems are used to control unauthorized external access.
C. Access control for unauthorized persons: Physical storage locations for personal information are separately maintained with established and operated access control procedures.
8. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices
A. The Company uses Google Analytics, a web log analysis tool provided by Google, in accordance with Article 15(1)1 (consent) of the Personal Information Protection Act.
Through this tool, service user information is collected, and only non-identifiable information that cannot identify individual users is collected. Nevertheless, users may refuse use through tool-specific settings.
- Google Analytics: Installation of blocking browser add-on (https://tools.google.com/dlpage/gaoptout) or Cookie settings below
B. The Company uses 'cookies' to store and retrieve usage information to provide personalized services to users.
Cookies are small pieces of information sent by the server (https) operating the website to the user's computer browser and may be stored on the hard disk of the user's PC computer.
- Purpose of cookie use: Used to provide optimized information to users by identifying visit and usage patterns for each service and website visited, popular search terms, secure access status, etc.
- Cookie installation, operation, and rejection: Cookie storage can be rejected through the Tools > Internet Options > Privacy menu options at the top of the web browser.
- Refusing cookie storage may cause difficulties in using personalized services.
9. Personal Information Protection Officer and Personal Information Access Requests
A. The Company designates the following Personal Information Protection Officer to be responsible for overall personal information processing and to handle complaints and remedy damages related to personal information processing of data subjects.
Personal Information Protection Officer
Contact Information
Business Support Department, Senior Manager Kim Min-kyung
Contact
02-2088-6035
hello@genon.ai
B. Data subjects may make requests for access to personal information under Article 35 of the Personal Information Protection Act to the department below. The Company will make efforts to process data subjects' personal information access requests promptly.
C. Data subjects may inquire about all matters related to personal information protection, complaints, and damage relief arising from use of the Company's services (or business) to the Personal Information Protection Officer and relevant department. The Company will respond and process data subjects' inquiries without delay.
10. Methods for Remedying Rights Infringement
A. Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, etc. to receive relief from personal information infringement. For other personal information infringement reports and consultations, please contact the following organizations:
- Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr)
- National Police Agency: (without area code) 182 (cyberbureau.police.go.kr)
B. Persons whose rights or interests have been infringed by dispositions or omissions by the heads of public institutions in response to requests under Articles 35 (Access to Personal Information), 36 (Correction and Deletion of Personal Information), and 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act may file administrative appeals as prescribed by the Administrative Appeals Act.
- For details on administrative appeals, please refer to the Central Administrative Appeals Commission website (www.simpan.go.kr).
11. Personal Information Processing for API Inference Services
The Company processes personal information as follows for providing AI model inference API services.
A. Information Collected
| Category | Items Collected |
|---|---|
| Required information | API key, IP address, request timestamp |
| Request data | Prompts (input text), model parameters |
| Response data | Generated text (completions) |
| Usage information | Input/output token counts, response latency |
B. Purpose of Data Use
- Providing and improving API inference services
- Service performance monitoring and incident response
- Billing calculation and payment processing
- Abuse prevention and security maintenance
- Legal compliance
C. No Training on Your Data Policy
The Company does NOT use prompts or generated results received through the API for training, fine-tuning, or improving AI models. Your data is used solely to provide the inference service you requested.
D. Data Retention Period
| Data Type | Retention Period |
|---|---|
| Request/response content (prompts, generated results) | 30 days (for debugging and abuse prevention), then permanently deleted |
| Usage metadata (anonymized token counts, latency) | 12 months |
| Error logs | 90 days |
E. Data Security
- All API communications are encrypted with TLS 1.3
- Stored data is encrypted with AES-256
- Only authorized personnel can access the data
- Operated in security-certified data centers in South Korea
F. Immediate Deletion Request: Customers may request immediate deletion of their API request/response data at any time. Please contact the Personal Information Protection Officer for deletion requests.
G. Zero-Logging Option: Zero-logging options that do not log any request/response content can be provided to enterprise customers upon request.
12. Changes to Privacy Policy
A. This Privacy Policy is effective from January 10, 2025.
B. Previous Privacy Policies can be viewed at the link below.
- Effective until 2025.11.09 (Click)
