Privacy Policy

GNOM Privacy Policy

Article 1 (General Provisions and Definitions)

GENIEIN Co., Ltd. (the "Company") values the personal information of data subjects and has established and publishes this Privacy Policy (the "Policy") to safely manage personal information in compliance with applicable laws, including the Personal Information Protection Act ("PIPA").

This Policy applies in connection with the use of the GNOM service (the "Service") operated by the Company. Terms used in this Policy shall follow the definitions in the GNOM Terms of Service (the "Terms") separately posted by the Company. Key terms used in this Policy are defined as follows:

  • GNOM Estimator: an AI-based estimation feature that collects and structures requirements through natural-language dialogue and applies a Function Point (IFPUG method) based methodology to estimate project scale, effort, cost, and required personnel
  • GNOM Studio: a feature that generates source code through Vibe Coding and provides download and hosting on the Company's infrastructure
  • Estimation Output: all deliverables generated through GNOM Estimator, including requirement specifications, function classification tables, FP estimation tables, effort analysis tables, personnel estimation tables, and quotations (same as the definition in Article 2 of the Terms)
  • Content: Estimation Output, source code, hosting deliverables, and other materials generated as a result of the User's use of the Service (same as the definition in Article 2 of the Terms)
  • User: a Member or non-Member who uses the Service under the Terms
  • Member: a person who has registered with the Company by providing personal information

Article 2 (Personal Information Collected)

Restriction on Children under 14

The Service may only be used by persons aged 14 years or older. The Company does not allow Membership registration for children under 14. If, after registration, a Member is found to be under 14, the Company shall immediately delete the account and related personal information.

1. Membership Registration and Identity Verification (Required)

Category | Items Collected
Email Registration | Email, password (stored with one-way encryption), nickname
Social Sign-On (SSO) | Identifier, email, and basic profile information provided by the SSO provider (Google, Microsoft, Apple, etc.)
Confirmation of Being 14+ | "I am 14 years of age or older" consent confirmation
Tax Invoice Pre-Request (Optional) | Business name, business registration number, representative name, business address

2. Information Collected when Using GNOM Estimator (Required)

This section is limited to personally identifiable information that the User directly enters or uploads, and that the Company processes, while using GNOM Estimator.

  • Natural-language inputs: service ideas, requirements, and contextual information entered through AI dialogue during the requirement analysis phase
  • Uploaded files: proposals, requirement specifications, reference materials, and other files attached by the User
  • FP adjustment factor inputs: values entered or selected by the User for FP adjustment factors
  • User feedback and revision inputs: requests for revision or re-estimation of Estimation Output

Nature of AI-Generated Output (Excluded from this Policy)

The UI mockups, function classifications (ILF/EIF/EI/EO/EQ), function lists with complexity assessments, adjusted FP values, effort (MD) formulas, effort analysis tables, personnel estimation tables, quotations, and other "Estimation Outputs" automatically generated by GNOM Estimator based on the above inputs are considered "Content" as defined in Article 2 of the Terms. Since such outputs are not, by themselves, information that identifies an individual, they are not subject to the personal information processing covered by this Policy. However, where Estimation Outputs are processed by the Company in a form that, in combination with the User's inputs or account identifiers, can identify an individual, this Policy shall apply.

Ownership, use, license, and the Company's right to use Estimation Outputs are governed by the Terms.

3. Information Collected when Using GNOM Studio (Required)

This section is limited to personally identifiable information that the User directly enters or uploads, and that the Company processes, while using GNOM Studio.

  • Natural-language prompts entered by the User
  • Uploaded files (images, documents, code, data files, etc.)
  • Hosting application configuration (service name, domain information, etc.) and identifiable information in operational logs
  • Authentication tokens and repository identifiers when integrating with external services such as GitHub

Nature of Vibe Coding Output (Excluded from this Policy)

The source code, build artifacts, and hosting outputs automatically generated by GNOM Studio via Vibe Coding based on the above inputs are considered "Content" as defined in Article 2 of the Terms. Since such outputs are not, by themselves, information that identifies an individual, they are not subject to the personal information processing covered by this Policy. However, where such outputs are processed by the Company in a form that, in combination with the User's inputs or account identifiers, can identify an individual, this Policy shall apply.

Ownership, use, license, and the Company's right to use the generated source code and hosting outputs are governed by the Terms.

End-User Data within Hosted Applications

With respect to the personal information of End-Users collected and processed through applications deployed via GNOM Studio, the User (Member) operating such application is the data controller under PIPA, and the Company is the infrastructure provider (e.g., processor or storage operator). The User shall separately prepare and post a privacy policy for such End-Users.

4. Payment Information (Required for paid features)

GNOM currently offers only the One-time Purchase method. Payment is processed via credit card through the Company's designated payment integration solution (PortOne, operated by Korea PortOne Co., Ltd.) and routed to an electronic financial business entity (Toss Payments Co., Ltd.).

  • Payment instrument information (card issuer, partially masked card number), payment date and amount, payment ID (transaction ID)
  • Information necessary for refund processing
  • Under Article 33(2) and Article 46 of the Value-Added Tax Act of Korea, a credit card sales slip issued for card payment substitutes for a tax invoice. Business Users may claim the input VAT deduction with such sales slip. Accordingly, a separate tax invoice will not be issued for card payments
  • Business Users requiring a tax invoice must submit a pre-payment request to billing@geniein.com, attaching a copy of the business registration certificate and the issuing information (business name, registration number, representative name, address, and contact email). In such case, payment will be made by bank transfer instead of card, and an electronic tax invoice will be issued
  • Post-payment requests for tax invoice issuance may not be accepted, as the previously issued card sales slip substitutes for a tax invoice, and retroactive issuance may result in double revenue recognition
  • The Company does not store full card numbers, CVCs, expiration dates, passwords, or other payment authentication information. Such information is processed and stored by the payment integration solution (PortOne) and the electronic financial business entity (Toss Payments)

5. Automatically Collected Information (Required)

The following information is automatically generated and collected during the use of the Service. Such information does not, by itself, identify a specific individual, but is processed as personal information to the extent it is combined with the User's account identifier.

  • Access information: cookies (for session maintenance), access date and time, IP address, accessed URL
  • Device information: OS, browser type and version (based on HTTP User-Agent)
  • Service usage records: GNOM Estimator estimation progress history and download history of outputs; GNOM Studio build/deployment history and source code download history
  • Usage data: estimation count, prompt count, API call volume, token usage, and other billing/operational metrics
  • Payment-related information: payment ID, payment date, payment status. (Card numbers and other payment instrument information are stored by the payment service providers and are not retained by the Company)
  • Error and debug logs: system logs for service operations and incident response

6. Optional Information (Separately Consented; Service Available without Consent)

Item | Purpose | Effect of Refusal
Receipt of marketing information (email/SMS/KakaoTalk, etc.) | Notification of events, promotions, and new features | No marketing communications

* The User's input data may be used for AI model training and service quality improvement after pseudonymization or anonymization, which corresponds to pseudonymized information processing under Article 28-2 of PIPA. Details are described in Article 4 (Disclosure on the Use of Personal Information for AI Model Training).

* The use of "Content" generated by AI (such as Estimation Outputs and source code) for training and service improvement is governed by the Terms, not this Policy.

7. Sensitive Information and Unique Identification Information

The Company does not collect sensitive information (e.g., ideology, political views, health, sexual life) or unique identification information (e.g., resident registration numbers). The User must not enter or upload sensitive or unique identification information of the User or any third party when entering requirements into GNOM Estimator or prompts/files into GNOM Studio.

Article 3 (Methods of Collection)

  • Direct entry by the User during Membership registration, Service use, and customer inquiries
  • Automatic generation and collection during Service use (cookies, logs, metering)
  • From the social sign-on provider upon third-party SSO authentication
  • From the payment integration solution (PortOne), the electronic financial business entity (Toss Payments), and card issuers, regarding payment results
  • From external services (such as GitHub) within the scope authorized by the User, upon integration

Article 4 (Purposes of Use)

The Company processes the collected personal information for the following purposes, and shall obtain prior consent if the purposes change.

  • Service provision and operation: Member identification and authentication, Member management, prevention of fraudulent registration and use; Requirements analysis and FP-based Estimation Output provision through GNOM Estimator; Source code generation, build, deployment, and hosting operation through GNOM Studio; Provision of external service integration features
  • Payment and settlement: One-time payment processing, refunds, and issuance of receipts/tax invoices; Prevention of fraudulent payments and dispute resolution
  • Customer support: handling inquiries, delivering notices, and resolving disputes
  • Service improvement and analytics: Feature improvement, performance optimization, and new feature development through usage pattern analysis; A/B testing and user experience research; Statistical analysis, scientific research, and AI model training using pseudonymized or anonymized personal information (Article 28-2 of PIPA)
  • Marketing and advertising (upon optional consent): event notifications, customized content, advertising performance measurement
  • Security and prevention of abuse: detection and blocking of abnormal access, abuse, and bots; security incident investigation
  • Compliance with legal obligations: compliance with applicable laws (e.g., E-Commerce Consumer Protection Act, tax law, Protection of Communications Secrets Act), dispute response, and legal claim defense

Disclosure on the Use of Personal Information for AI Model Training

(1) Prohibition on Training Using Identifiable Raw Data

The Company does not use raw, personally identifiable data entered by the User (such as natural-language dialogues and uploaded files) for AI model training in its identifiable original form.

(2) Training Use after Pseudonymization or Anonymization (No Separate Consent Required)

The Company may use the User's input data, after pseudonymization or anonymization in accordance with Article 28-2 of PIPA, for statistical analysis and scientific research (including AI model performance improvement research). Pseudonymized information is processed such that a specific individual cannot be identified without additional information, and is stored separately from such additional information. Such use is performed without separate consent from the data subject, as permitted by law.

(3) Separate Consent for Use in Identifiable Form

If the Company wishes to use data in its identifiable original form for training, prior separate consent will be obtained from the User.

(4) Opt-Out Request

The User may at any time request to opt out of the use of personal information for training by contacting privacy@geniein.com. The Company shall, within a reasonable period after receipt, exclude the User's personal information from future training datasets. However, the separation or removal of already pseudonymized/anonymized data from models that have already been trained may not be technically feasible.

(5) Prohibition on Disclosure to External General AI Models for Pretraining

The Company does not disclose the User's personal information to third parties for the pretraining of external general-purpose AI models.

(6) Use of Content for Training

Since 'Content' generated by AI (such as GNOM Estimator outputs and GNOM Studio generated source code) does not contain personally identifiable information, the details and guidelines regarding its use and management for service improvement are governed transparently by the GNOM Terms of Service.

Article 5 (Retention and Use Period)

The Company shall destroy personal information without delay once the collection and use purposes are fulfilled. However, the following information is retained for the specified periods.

1. Member Information

Destroyed within 30 days upon Member withdrawal or fulfillment of purpose. However, backup systems may retain the information for up to 90 days.

2. Retention under Applicable Laws

Information Retained | Retention Period | Applicable Law
Records of contracts or withdrawal of offer | 5 years | Act on the Consumer Protection in Electronic Commerce
Records of payment and supply of goods | 5 years | Act on the Consumer Protection in Electronic Commerce
Records of consumer complaints or dispute resolution | 3 years | Act on the Consumer Protection in Electronic Commerce
Records of indication and advertisement | 6 months | Act on the Consumer Protection in Electronic Commerce
Records of electronic financial transactions | 5 years | Electronic Financial Transactions Act
Transaction documents (e.g., tax invoices) | 5 years | Framework Act on National Taxes, VAT Act

3. Retention under Internal Policy

For stable operation of the Service, prevention of abuse, and security incident response, the Company may retain the following information for a certain period under internal policy.

  • Records for prevention of fraudulent use and abuse: 1 year
  • Logs related to security incident investigation and response: 1 year
  • Service operational logs and error logs: up to 90 days
  • Access logs of the personal information processing system: 1 year or more

If separate retention is required under applicable laws, the information shall be retained for the period specified by such laws.

4. Pseudonymized and Anonymized Data

Pseudonymized information is stored separately from additional information and may be retained and used without a retention period limit for purposes such as statistical analysis, scientific research, and public-interest record preservation, in accordance with Articles 28-2 and 28-7 of PIPA. Anonymized information from which identifiability has been completely removed is not considered personal information, and therefore no retention period is established.

Safeguards for Pseudonymized Information

When the Company processes pseudonymized personal information for statistical analysis, scientific research, or public-interest record preservation, the following safeguards shall be implemented in accordance with PIPA and Article 29-5 of its Enforcement Decree:

  • Separate storage of pseudonymized information and additional information (such as original identifiers and mapping tables)
  • Separation of access privileges for pseudonymized information and additional information, with minimum-privilege assignment
  • Destruction of additional information without delay when no longer necessary
  • Recording and management of processing details, including the purpose of pseudonymization, items pseudonymized, usage history, and recipients of third-party provision
  • Recording and retention of grants, changes, and revocations of access privileges for pseudonymized and additional information
  • Prohibition of re-identification attempts and imposition of confidentiality obligations on relevant employees
  • Immediate suspension of processing, recovery, or destruction if the possibility of identifying a specific individual is detected

5. Dormant Accounts

Accounts that have not been accessed for at least 1 year may be converted to a dormant state or destroyed after separate notice (per the Company's operational policy).

Article 6 (Provision to Third Parties)

The Company processes personal information of data subjects only within the scope specified in Article 4 and does not process beyond the original purpose or provide it to third parties without prior consent from the data subject, except in the following cases:

  • Where the data subject has given prior consent
  • Where there is a special provision in applicable law or where it is unavoidable for compliance with legal obligations
  • Where investigative authorities request it in accordance with procedures and methods set by applicable laws
  • Where it is provided in pseudonymized form for statistical analysis, scientific research, or public-interest record preservation (Article 28-2 of PIPA)

There is currently no routine provision to third parties. If third-party provision becomes necessary in the future, the Company will obtain separate consent from the data subject.

Article 7 (Entrustment of Personal Information Processing)

The Company entrusts personal information processing tasks as set forth below to provide the Service smoothly. In accordance with Article 26 of PIPA, the Company stipulates personal information protection matters in the entrustment agreements and supervises the entrustees for safe management.

Entrustee | Entrusted Task | Items Processed
Amazon Web Services, Inc. | Cloud infrastructure operation (server/DB/storage/logs), GNOM Studio hosting infrastructure | Service usage data in general
Anthropic, PBC | AI model inference for GNOM Estimator and GNOM Studio | User prompts, requirements, attached files
Korea PortOne Co., Ltd. | Operation of payment integration solution (PG connection, payment token management) | Merchant identification, payment tokens, payment date and amount
Toss Payments Co., Ltd. | Credit card / bank transfer payment processing and authentication | Payment authentication and card payment information

If the entrusted tasks or entrustees change, the Company will provide notice through this Policy.

* If the Company introduces email delivery services, customer support messengers, analytics tools, or similar services in the future, it will amend this provision and notify Users prior to use.

Restriction on AI Vendor's Training Use

To provide AI features, the Company may transmit the User's prompts, contents of uploaded files, generated results, and other necessary information to AI model providers.

In selecting AI model providers and configuring contracts/settings, the Company prioritizes policies or settings that ensure the User's data is not used for general-purpose AI model training by such providers. However, AI providers may retain inputs, outputs, metadata, or inference logs for a certain period for service provision, security, incident response, and abuse prevention; specific retention items and periods follow each provider's policies and contractual terms.

The Company limits the scope of external data transmission to the minimum necessary for service provision and takes measures, where feasible, to prevent transmission of sensitive or unnecessary identifying information.

Article 8 (Overseas Transfer of Personal Information)

To provide stable Service, the Company entrusts certain personal information to overseas cloud and AI providers. In accordance with Article 28-8 of PIPA, the Company discloses the following:

Recipient | Country | Time / Method | Items Transferred | Retention Period
Anthropic, PBC | USA | Network transmission upon API call | User prompts and input files | Not retained after inference (provider policy may retain logs for up to 30 days)
Amazon Web Services, Inc. | Singapore | Network transmission to AWS servers in Singapore region during service use | All personal information collected or generated during service use | Until membership withdrawal or termination of entrustment agreement

The contact information of each recipient's data protection officer can be found on the respective provider's privacy policy page.

Objection to Transfer: the User may object to the overseas transfer, in which case use of the relevant features may be restricted. Please notify your objection to support@geniein.com.

Article 9 (Rights, Obligations, and Exercise Methods of Data Subjects)

Data subjects may at any time exercise the following rights against the Company:

  • Request to access personal information;
  • Request to correct errors;
  • Request to delete (except where the personal information is specified as collectable under other laws);
  • Request to suspend processing;
  • Withdrawal of consent (in which case use of part or all of the Service may be restricted);
  • Right to data portability (within the scope set by applicable laws);
  • Opt-out from the use of personal information for AI training (use of Content is governed by the Terms).

Methods of Exercise

  • Written request via email to support@geniein.com.

Processing Period

The Company shall process the request within 10 days of receipt and notify the reason if rejected. Requests may be rejected where there is a legal retention obligation, risk of infringement on the rights of others, or manifestly unjustified repeated requests.

Article 10 (Destruction of Personal Information)

The Company shall destroy personal information without delay when it becomes unnecessary, such as upon expiration of the retention period or fulfillment of the processing purpose.

Destruction procedure: occurrence of grounds for destruction → approval by the Privacy Officer → destruction by secure means.

Destruction methods

  • Electronic files: securely processed in a manner that prevents recovery or reproduction (permanent deletion, degaussing, etc.)
  • Paper documents: shredded or incinerated

Information retained under applicable laws shall be destroyed in the same procedure upon expiration of the retention period.

Article 11 (Security Measures for Personal Information)

The Company implements the following security measures in accordance with Article 29 of PIPA and its Enforcement Decree:

1. Administrative Measures

  • Establishment and implementation of an internal management plan for personal information protection
  • Minimization of personnel handling personal information and periodic review of access privileges
  • Regular personal information protection training for employees
  • Execution of confidentiality agreements

2. Technical Measures

  • Encryption in transit (TLS), one-way encryption of passwords, and encryption of authentication information including payment data
  • Operation of access control systems and blocking of unauthorized access
  • Multi-factor authentication (MFA) for administrators
  • Installation/update of security programs and periodic vulnerability assessments
  • Retention and review of access logs (beyond legally required periods)

3. Physical Measures

The Company uses data centers operated by cloud infrastructure providers holding international security certifications such as SOC 2 and ISO/IEC 27001. Physical security measures of such data centers (access control, CCTV, environmental protection, etc.) are managed under the cloud infrastructure providers' security policies and certification scopes.

4. Incident Response

Security incidents are handled in accordance with the Company's internal incident response procedures. Where legal notification or reporting obligations arise, the Company shall notify and report to the data subject and the Personal Information Protection Commission, the Korea Internet & Security Agency (KISA), and other competent authorities without delay.

Article 12 (Automatic Collection Devices: Installation, Operation, and Refusal)

The Company uses cookies to operate the Service.

1. Purposes of Cookie Use

  • Maintenance of login sessions and security verification
  • Storage of User preferences

2. Types of Cookies

  • Essential cookies: required for Service operation such as login and security. Refusal may restrict Service use
  • Functional cookies: store User preferences

* The Company does not currently operate analytics tools or advertising/marketing pixels. If analytical or marketing cookies are introduced in the future, this provision will be amended and operated with separate consent procedures.

3. How to Refuse Cookies

  • Directly block or delete cookies through web browser settings
  • However, blocking essential cookies may prevent use of part of the Service

Article 13 (Privacy Officer)

The Company designates the following Privacy Officer to oversee personal information processing and to handle complaints and remedies of data subjects related to personal information processing.

Privacy Officer

  • Name: Jung Eun Joo
  • Position: CEO
  • Email: support@geniein.com

Data subjects may contact the above for any inquiries, complaints, or remedies regarding personal information protection arising during the use of the Service. The Company shall respond and process without delay.

Article 14 (Remedies for Infringement)

Data subjects may apply for dispute resolution or consultation with the following organizations to seek remedies for personal information infringement:

  • Personal Information Dispute Mediation Committee: (without area code) 1833-6972 / www.kopico.go.kr
  • Personal Information Infringement Report Center (KISA): (without area code) 118 / privacy.kisa.or.kr
  • Supreme Prosecutors' Office Cyber Investigation Division: (without area code) 1301 / www.spo.go.kr
  • National Police Agency Cyber Investigation Bureau: (without area code) 182 / ecrm.cyber.go.kr

Article 15 (Relationship with Terms of Service)

This Policy applies together with the GNOM Terms of Service separately posted by the Company. Terms not defined in this Policy shall follow the definitions in the Terms. In case of conflict between this Policy and the Terms, this Policy shall prevail with respect to personal information protection matters.

Article 16 (Amendments to this Policy)

This Policy applies from its effective date. If additions, deletions, or corrections are made due to changes in laws, policies, or security technology, the Company shall notify Users through the Service notice or by email at least 7 days prior to the effective date (30 days prior, where the change is unfavorable to the User).


Supplementary Provisions

This Policy shall take effect on June 1, 2026.


Business Information

Company Name: GENIEIN Co., Ltd.

Representative: Jung Eun Joo

Business Registration Number: 645-81-03508

Address: 720, 7F, 8-4 Hwangsaeul-ro 319beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do

Privacy Inquiries: support@geniein.com
