Privacy Policy of GenON Co., Ltd.
Effective Date: May 26, 2026
🇰🇷 한국어 버전GenON Co., Ltd. (hereinafter "the Company") complies with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects in providing its products and services, and lawfully processes and safely manages personal information.
In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for processing personal information and to handle related grievances promptly and smoothly.
This Privacy Policy may be updated in accordance with changes in relevant laws and regulations or internal operating policies. Any changes will be disclosed through this Policy.
- 1. Purposes of Collecting and Using Personal Information
- 2. Items of Personal Information Collected and Retention Period
- 3. Processing of Personal Information of Children Under 14
- 4. Provision of Personal Information to Third Parties
- 5. Entrustment of Personal Information Processing
- 6. International Transfer of Personal Information
- 7. Procedures and Methods for Destroying Personal Information
- 8. Automated Decision-Making
- 9. Rights and Obligations of Data Subjects and Legal Representatives
- 10. Installation, Operation, and Rejection of Automatic Collection Devices
- 11. Measures to Ensure Safety of Personal Information
- 12. Personal Information Processing for Generative AI Services
- 13. Personal Information Protection Officer and Complaint Service
- 14. Remedies for Infringement of Data Subject Rights
- 15. Exclusions from Privacy Policy
- 16. Changes to Privacy Policy
1. Purposes of Collecting and Using Personal Information
A. The Company collects the minimum necessary personal information and processes it only for the following purposes. If the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act.
| Service | Type | Purpose |
|---|---|---|
| GenON Website | Complaint/Inquiry Handling | Consultation on product/technology and purchase inquiries |
| Provision of Goods or Services | Service, content, and customized service provision / Consultation on product/technology and purchase inquiries | |
| Marketing & Advertising | Development of new services and customized service provision / Events, promotional information, and statistics | |
| GenA | Membership Registration & Management | Verification of intent to join / Identity verification / Membership maintenance and management / Prevention of service misuse / Notifications / Complaint handling |
| Provision of Goods or Services | Provision of GenA service (AI-based conversation, generation, and inference) / Service usage history confirmation / Response generation for user requests and queries / Content provision | |
| AI Inference Service | AI model inference service provision / Performance monitoring | |
| Service Operation & Improvement | Service usage analysis / Service quality improvement / Error and failure response / Security and fraud detection | |
| Customer Support | Handling service inquiries and complaints / Record preservation for dispute resolution / Notice delivery | |
| AI Model Training & Improvement (Consent-based) | Training/retraining AI models and improving response quality using user-input content (prompts, uploaded files, conversation history, etc.) and usage records / Developing new AI features, improving accuracy and safety | |
| OneAgent | Membership Registration & Management | Verification of intent to join / Identity verification / Membership maintenance and management / Prevention of service misuse / Notifications / Complaint handling |
| Provision of Goods or Services | Provision of OneAgent service (AI agent-based task automation and assistance) / Service usage history confirmation / Response generation for user requests | |
| AI Inference Service | AI model inference service provision / Performance monitoring | |
| Service Operation & Improvement | Service usage analysis / Service quality improvement / Error and failure response / Security and fraud detection | |
| Customer Support | Handling service inquiries and complaints / Record preservation for dispute resolution / Notice delivery | |
| AI Model Training & Improvement (Consent-based) | Training/retraining AI models using user-input content and usage records / Developing new AI features, improving accuracy and safety |
B. The Company does not directly collect personal information for recruitment; applications are processed through external platforms. Personal information processing in such cases is governed by the platform's own privacy policy.
C. The Company operates "GenOS," its own AI platform built on domestic infrastructure, for AI inference processing in GenA and OneAgent. GenOS is an internal system and does not constitute third-party entrustment, nor is it transferred overseas.
To improve service quality, the Company may also enter into entrustment agreements with external AI model providers (Anthropic, OpenAI, etc.). When input data is transmitted to external providers, it is handled as described in Sections 5 and 6 below.
2. Items of Personal Information Collected and Retention Period
The Company collects the minimum necessary personal information. The processing and retention periods for each category are as follows.
| Service | Type | Purpose | Items Collected | Retention Period |
|---|---|---|---|---|
| GenON Website | Marketing | Product promotion, event/promotion information, newsletter delivery | (Required) Email, name, company, phone / (Optional) Department | Deleted immediately upon achievement of purpose |
| GenA | Membership Registration | Member identification and intent verification | (Required) Email, nickname, profile image, Google account unique identifier | Until membership withdrawal (or as required by law) |
| Service Personalization | Service personalization and user analysis | (Optional) Birth year, industry, interests, referral source | Until membership withdrawal | |
| Service Use | AI inference service provision, usage history confirmation | User-input content (prompts, uploaded files, conversation history), AI responses, service usage records | Until membership withdrawal | |
| Service Operation | Service operation, security, fraud prevention | IP address, access logs, cookies, device info (OS, browser, device ID), usage records | Per applicable law (Communication Secrets Protection Act: 3 months for access logs) | |
| Customer Inquiry | Inquiry/complaint handling, dispute resolution | Inquirer's email, inquiry content, attachments | 3 years after inquiry resolution (E-Commerce Act) | |
| AI Training (Consent-based) | AI model training and quality improvement | User-input content, usage records | Until consent withdrawal or membership withdrawal | |
| OneAgent | Membership Registration | Member identification and intent verification | (Required) Email, name, profile photo | Until membership withdrawal (or as required by law) |
| Service Use | AI inference service provision, usage history confirmation | User-input content (prompts, uploaded files, conversation history), AI responses, service usage records | Until membership withdrawal | |
| Service Operation | Service operation, security, fraud prevention | IP address, access logs, cookies, device info (OS, browser, device ID), usage records | Per applicable law (Communication Secrets Protection Act: 3 months for access logs) | |
| Customer Inquiry | Inquiry/complaint handling, dispute resolution | Inquirer's email, inquiry content, attachments | 3 years after inquiry resolution (E-Commerce Act) | |
| AI Training (Consent-based) | AI model training and quality improvement | User-input content, usage records | Until consent withdrawal or membership withdrawal |
3. Processing of Personal Information of Children Under 14
The Company does not, in principle, collect or process personal information of children under the age of 14.
The Company restricts membership registration by children under 14 through a birth year verification process during sign-up. If a user is found to be under 14, their membership application may be rejected or their membership may be revoked.
If personal information of a child under 14 is found to have been collected without the consent of a legal guardian, the Company will destroy such information without delay.
4. Provision of Personal Information to Third Parties
A. The Company processes personal information only within the scope specified in this Policy and does not provide it to third parties beyond the original purpose without the prior consent of the data subject. However, personal information may be provided without consent in cases falling under Article 17(1)(2) and Article 18(2) of the Personal Information Protection Act.
B. Cases where the Company provides personal information to third parties based on the consent of the data subject are as follows.
| Service | Recipient | Purpose | Items | Retention Period |
|---|---|---|---|---|
| – | There is currently no regular or ongoing provision of personal information to third parties based on data subject consent. If provision becomes necessary, separate consent will be obtained in advance and disclosed through this Policy. |
C. The Company may provide personal information in accordance with applicable laws, such as when required by special legal provisions, to fulfill legal obligations, or in response to a warrant from investigative authorities.
5. Entrustment of Personal Information Processing
A. The Company entrusts personal information processing as follows for smooth service provision.
| Entrusted Company | Entrusted Tasks | Retention & Use Period |
|---|---|---|
| Salesforce | Customer DB data management for service provision | Until purpose achieved, membership withdrawal, or contract termination |
| Stibee Co., Ltd. | Newsletter delivery | Until purpose achieved or contract termination |
| Peat Co., Ltd. | Brochure provision solution | Until purpose achieved or contract termination |
| Bizgo | SMS, LMS, MMS delivery | Until purpose achieved, membership withdrawal, or contract termination |
| Forms.app | Service and event application form collection solution | Until purpose achieved or contract termination |
| Remember & Company Co., Ltd. | Customer DB data management for service provision | Until purpose achieved or contract termination |
| Wanted Lab Co., Ltd. | Recruitment management solution | Until purpose achieved or contract termination |
| Celonis, Inc. | Customer inquiry and event form collection, customer DB data management | Until purpose achieved or contract termination |
| Google LLC | System operation and customer DB data management / Social login (SSO) authentication | Until purpose achieved, membership withdrawal, or contract termination |
| Microsoft Corporation (Microsoft Azure) | Cloud infrastructure provision and operation for GenA and OneAgent (Korea Central region, domestic) | Until membership withdrawal or contract termination |
| Anthropic, PBC | Claude model inference processing for GenA and OneAgent | Until membership withdrawal or contract termination |
| OpenAI, LLC | GPT model inference processing for GenA and OneAgent | Until membership withdrawal or contract termination |
| OpenRouter, Inc. | AI model routing and inference processing for OneAgent | Until membership withdrawal or contract termination |
| Microsoft Corporation (Microsoft Clarity) | Web behavior analysis for GenA service (page visits, clicks, mouse movements, scrolls, device/browser info) | Per Microsoft Clarity retention policy (up to 1 year) |
B. When entering into entrustment agreements, the Company specifies in writing matters concerning prohibition of personal information processing outside the entrusted purpose, technical and administrative protective measures, restrictions on re-entrustment, management and supervision of entrusted companies, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act.
C. If the content of the entrusted work or the entrusted company changes, such changes will be disclosed through this Privacy Policy without delay.
D. Entrustment to overseas-based companies is covered comprehensively in Section 6 below.
6. International Transfer of Personal Information
The Company transfers personal information collected from users overseas as follows, in accordance with Article 28-8 of the Personal Information Protection Act.
| Service | Legal Basis | Recipient (Contact) | Country | Timing & Method | Items | Purpose | Retention Period |
|---|---|---|---|---|---|---|---|
| GenON Website | Art. 28-8(1)3 (Processing entrustment for contract performance) | Google LLC (privacy-policy-support@google.com) | USA | Upon service use / Remote transmission via TLS-encrypted network | Email, name, company, phone, department | Service provision and customer management | Deleted immediately upon purpose achievement |
| Art. 28-8(1)3 | Salesforce, Inc. (privacy@salesforce.com) | Japan | Upon service use / Remote transmission via TLS-encrypted network | Email, name, company, phone, department | Service provision and customer management | Deleted immediately upon purpose achievement | |
| Art. 28-8(1)3 | Forms.app (support@forms.app) | Turkey | Upon service use / Remote transmission via TLS-encrypted network | Email, name, company, phone, department | Service provision and customer management | Deleted immediately upon purpose achievement | |
| Art. 28-8(1)3 | Celonis, Inc. (privacy@celonis.com) | Czech Republic, USA | Upon service use / Remote transmission via TLS-encrypted network | Email, name, company, phone, department | Service provision and customer management | Deleted immediately upon purpose achievement | |
| GenA / OneAgent | Art. 28-8(1)3 (Processing entrustment for contract performance) | Anthropic, PBC (privacy@anthropic.com) | USA | Upon prompt input/submission / Remote transmission via TLS-encrypted internet | Conversation content (queries, documents, may include personal info), attachments | AI response generation and service provision | Until membership withdrawal or contract termination (per provider policy and agreement) |
| Art. 28-8(1)3 | OpenAI, LLC (privacy@openai.com) | USA | Upon prompt input/submission / Remote transmission via TLS-encrypted internet | Conversation content (queries, documents, may include personal info), attachments | AI response generation and service provision | Until membership withdrawal or contract termination (per provider policy and agreement) | |
| GenA | Art. 28-8(1)3 (Processing entrustment for contract performance) | Microsoft Corporation – Microsoft Clarity (privacy@microsoft.com) | USA | Upon visiting/using GenA service pages / Remote transmission via TLS-encrypted internet | Page URL, click events, mouse movements, scrolls, device info, browser info, IP address, session identifier | Web behavior analysis, UX improvement | Per Microsoft Clarity retention policy (up to 1 year) |
| OneAgent | Art. 28-8(1)3 | OpenRouter, Inc. (support@openrouter.ai) | USA | Upon inference request / Remote transmission via TLS-encrypted internet | AI inference request context (prompts, file content, screenshots, terminal output, system environment info, etc.) | AI model routing and inference processing | Until membership withdrawal or contract termination (per provider policy and agreement) |
7. Procedures and Methods for Destroying Personal Information
A. The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved, in accordance with Article 21 of the Personal Information Protection Act.
B. If personal information must be retained in accordance with other laws despite the expiration of the retention period or achievement of the processing purpose, such information will be moved to a separate database or stored in a different location.
C. Destruction Procedures and Methods
(1) Destruction Procedure
The Company selects personal information for which destruction reasons have arisen and destroys it with approval from the Personal Information Protection Officer.
(2) Destruction Method
- Personal information recorded/stored in electronic file format: Destroyed using technical methods that make records unrecoverable (low-level formatting, degaussing, physical destruction, etc.).
- Personal information recorded/stored in paper documents: Destroyed by shredding or incineration.
8. Automated Decision-Making
The Company processes personal information through fully automated AI systems in its GenA and OneAgent services to generate responses and inference results. In accordance with Article 37-2 of the Personal Information Protection Act, the following information is provided regarding automated decision-making.
A. Fact, Purpose, and Scope of Automated Decision-Making
- Target services: GenA (AI-based conversation, generation, and inference service), OneAgent (AI agent-based task automation and assistance service)
- Purpose: To automatically generate and provide natural language responses, content, and task results by analyzing prompts, files, and context input by users
- Scope of data subjects: All members using the relevant services
B. Types of Personal Information Used and Their Role
- User input data: Prompts (text), uploaded files, conversation history, screenshots, terminal output, etc.
- Usage context: System environment information, previous conversation context, user settings
- The above information is used as input to the AI model and determines the content, accuracy, and relevance of responses.
C. Considerations and Processing Flow
- Step 1 (Input receipt): User-submitted prompts and files are received. The Company does not review or filter input content in advance; data is passed to the inference stage as-is.
- Step 2 (Model inference): Inference is performed by the AI model designated for each service. Inference is conducted on the Company's own AI platform GenOS (domestic infrastructure), or input is transmitted via a secure channel (TLS) to an external AI model provider (Anthropic, OpenAI, etc.) contracted by the Company.
- Step 3 (Response delivery): The generated response is returned to the user. How the external AI model provider stores, uses, and trains on transmitted data is governed by the provider's own policy and the entrustment agreement with the Company.
- Considerations: Response accuracy, potential bias, hallucination risk, exposure of sensitive information, and preservation of user control.
D. Sensitive Information or Personal Information of Children Under 14
The Company does not intentionally collect or process sensitive information or personal information of children under 14 in the automated decision-making process. However, since the Company does not review or filter user inputs in advance, sensitive information voluntarily entered by users may be processed during inference.
E. Right to Refuse and Request Explanation
Data subjects may refuse automated decisions that have a significant impact on their rights or obligations, and may request an explanation of such decisions.
- How to exercise: Apply via Settings > Customer Support > Automated Decision Refusal/Explanation Request in the service, or via email to the Personal Information Protection Officer.
- Technical limitations: Once data has been incorporated into AI model training, it may be technically impossible to separately isolate and delete data belonging to a specific individual. However, data that has not yet been used for training can always be refused or deleted upon request.
9. Rights and Obligations of Data Subjects and Legal Representatives
A. Data subjects may at any time exercise rights such as access, data portability, correction, deletion, suspension of processing, withdrawal of consent, and refusal of or request for explanation of automated decisions.
B. Rights may be exercised in writing, by phone, email, fax, or internet in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company will act without delay.
- Data subjects may directly access, correct, delete, suspend processing of, or withdraw consent to their personal information at any time via My Info > Account Information within the service, or request access through Customer Support.
- Requests to refuse automated decisions or request explanations may be submitted via Settings > Customer Support or by email to the Personal Information Protection Officer.
C. Rights may also be exercised through a legal representative or authorized agent. In such cases, a power of attorney as prescribed in Attachment 11 of the Notice on Personal Information Processing Methods must be submitted.
D. Rights to access and suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
E. Deletion of personal information that is specified as a collection target under other laws cannot be requested.
F. The Company verifies whether the person exercising a right is the data subject or a legitimate representative.
G. The Company will respond within 10 days of receiving a rights exercise request from a data subject.
H. Data subjects are responsible for protecting their own personal information. The Company is not liable for issues arising from theft or misuse of IDs, passwords, or other credentials due to the data subject's own negligence without fault on the part of the Company.
10. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices
A. Cookie Operation
The Company uses cookies to store and retrieve usage information to provide personalized services to users.
- Purpose of cookie use: To provide optimized information by identifying visit and usage patterns, popular search terms, and secure access status.
- How to refuse: Cookie storage can be rejected via Tools > Settings > Privacy & Security in the web browser.
- Refusing cookies may cause difficulties in using personalized services.
B. Google Analytics
The Company uses Google Analytics in accordance with Article 15(1)(1) (consent) of the Personal Information Protection Act. Only non-identifiable information is collected through this tool.
- Opt-out: Install the Google Analytics blocking browser add-on (https://tools.google.com/dlpage/gaoptout)
C. Microsoft Clarity (GenA Service Behavior Data Collection)
The Company uses Microsoft Clarity, a web analytics tool provided by Microsoft, to improve the user experience (UX) and analyze usability of the GenA service. Microsoft Clarity collects behavioral data through cookies and other automatic collection devices.
- Legal basis: Article 15(1)(1) of the Personal Information Protection Act (consent of data subject)
- Items collected: Page URL and visit history, click events, mouse movements, scrolls, user interaction data, device info (OS, screen resolution, etc.), browser info, IP address, session identifier
- Collection method: Automatically collected when users access and use GenA service pages
- Purpose: Web behavior analysis, UX and service improvement, error/failure diagnosis
- Retention period: Per Microsoft Clarity's own retention policy (up to 1 year)
- How to refuse: If a user enables the "Do Not Track (DNT)" setting in their browser, Microsoft Clarity will automatically disable data collection per its own policy. DNT settings can be found in each browser's privacy settings menu.
D. How to Block Cookies by Browser
- Chrome: Settings > Privacy and security > Third-party cookies > Block
- Edge: Settings > Privacy, search, and services > Tracking prevention > Strict
- Safari: Preferences > Privacy > Block all cookies
- Firefox: Settings > Privacy & Security > Custom > Block cookies
11. Measures to Ensure Safety of Personal Information
The Company implements the following safety measures in accordance with Article 29 of the Personal Information Protection Act and the Standards for Ensuring Safety of Personal Information (Personal Information Protection Commission Notice).
A. Administrative Measures
- Establishment and implementation of internal management plans for safe processing of personal information
- Regular training for personal information handlers and collection of security pledge
- Operation of a dedicated personal information protection organization and internal audits
- Minimization of personal information handlers and differential access rights
B. Technical Measures
- Access rights management and access control systems for personal information processing systems
- One-way encryption of critical information such as passwords
- Use of encrypted communication channels (TLS/SSL) for transmission/reception of personal information
- Preservation of access records and measures to prevent forgery/alteration
- Installation, operation, and regular updates of antivirus and security programs
- Vulnerability checks and remediation against external intrusions
C. Physical Measures
- Access control for server rooms, data storage rooms, etc.
- Storage of documents and auxiliary storage media in secure locations with locks
- Control over the movement of auxiliary storage media
- Safety measures against disasters and emergencies
12. Personal Information Processing for Generative AI Services
In operating generative AI services including GenA and OneAgent, the Company provides the following information with reference to the Appendix on Generative AI Service Privacy Policies in the Personal Information Processing Policy Writing Guidelines (April 2026) issued by the Personal Information Protection Commission.
A. Processing of User-Input Information
Information directly input by users during service use (text, documents, images, attachments, etc.) and results generated during service use (responses, search results, etc.) are collected and used under Article 15(1)(4) of the Personal Information Protection Act (performance of contract).
B. User Cautions Regarding Sensitive Information Input
The Company does not review or filter the content voluntarily entered by users in the chat window in advance. Due to the nature of the service, free-form input is permitted. Users should take special care not to enter the following types of information belonging to themselves or others.
- Unique identification information: Resident registration number, passport number, driver's license number, alien registration number
- Sensitive information: Beliefs, union/party membership or withdrawal, political views, health/sexual life information, genetic information, criminal records, etc.
- Financial information: Credit card numbers, account numbers, passwords
- Other confidential information: Internal corporate secrets, trade secrets, other individuals' personal information, etc.
If users enter such information, it may be transmitted to the external AI model providers specified in Section 6, and responsibility for any resulting consequences lies with the user who entered the information.
C. AI Model Training Use and Opt-Out
The Company uses input data for AI model training and performance improvement only when the user has consented. Users may withdraw their consent at any time by the following means.
- How to opt out: Send a request to refuse training use to the personal information protection department email (hello@genon.ai) or via Customer Support.
- Processing period: The Company will process the request within 10 business days of receipt and notify the user of the result.
- Effect: Input data collected after the opt-out request is processed will not be used for model training.
- Limitation: Some personalization features are based on training, so opting out may result in some degradation of service quality.
D. External AI Model Provider Entrustment
In addition to its own model (GenOS), the Company has entered into entrustment agreements with external AI model providers (Anthropic, OpenAI, etc.) to provide inference services. The Company designates which model to use for each service.
- How the external AI model provider stores, uses, trains on, and destroys transmitted data is governed by the provider's policies and the entrustment agreement with the Company.
- Details regarding external AI model providers can be found in Sections 5 and 6.
E. Technical Limitations on Rights Exercise
After AI model training is complete, it may be technically difficult to separately isolate and delete specific individuals' data from the model. However, data that has not yet been used for training can always be refused or deleted upon request.
F. Feedback and Reporting Inappropriate Responses
If users receive responses containing sensitive personal information or otherwise inappropriate content during service use, they may submit feedback or reports via:
- Feedback: Click the positive/negative feedback button on the response
- Report: Customer Support > Report within the service, or via email to the Personal Information Protection Officer
13. Personal Information Protection Officer and Complaint Service
The Company designates the following Personal Information Protection Officer and department to oversee all personal information processing matters and to handle complaints and remedy damages related to personal information processing.
| Personal Information Protection Officer | Personal Information Protection Department |
|---|---|
| Name: Kim Min-kyung Title: Senior Manager Email: hello@genon.ai Phone: 02-2088-6035 | Department: Business Support Group Email: hello@genon.ai Phone: 02-2088-6035 |
Data subjects may submit requests for access to personal information under Article 35 of the Personal Information Protection Act to the above department. The Company will respond to data subjects' inquiries without delay.
14. Remedies for Infringement of Data Subject Rights
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, etc. to receive relief from personal information infringement.
| Organization | Phone (no area code) | Website |
|---|---|---|
| Personal Information Infringement Report Center | 118 | privacy.kisa.or.kr |
| Personal Information Dispute Mediation Committee | 1833-6972 | www.kopico.go.kr |
| Supreme Prosecutors' Office Cyber Investigation Division | 1301 | www.spo.go.kr |
| National Police Agency Cyber Crime Report System (ECRM) | 182 | ecrm.cyber.go.kr |
15. Exclusions from Privacy Policy
The Company may provide links to other websites or resources through its homepage. In such cases, the Company has no control over those external sites, and this Privacy Policy does not apply to personal information collected by those sites. When navigating to another site via a link provided by the Company, please be sure to review that site's privacy policy.
16. Changes to Privacy Policy
A. This Privacy Policy is effective as of May 26, 2026.
B. When this Privacy Policy is revised, the effective date and content of changes will be disclosed on the Company's website without delay. For changes that significantly affect users' rights or obligations, notice will be provided at least 7 days before the effective date, along with a comparison table showing previous and updated content.
C. Previous versions of this Privacy Policy can be viewed below.
© 2026 GenON Inc. All rights reserved.
