Myeongbun

Myeongbun (hereinafter "the Company") values users' personal information and complies with the Personal Information Protection Act (「개인정보 보호법」) and related laws. This Privacy Policy explains the categories of personal information the Company collects, the purposes of use, retention periods, and users' rights.

Article 1 (Categories and Methods of Personal Information Collection)

The Company collects the following personal information to provide its services.

Required Information

Social login information: email address, nickname (automatically collected upon linking a Google or Kakao account)

Additional Information Collected During Reading Generation

Date and time of birth: solar/lunar calendar distinction, year, month, day, hour, and minute (required for reading generation)
Gender: reference information for interpreting reading results
Birth location longitude: information used to correct for true solar time

Optional Information

Profile image URL (if provided by the social login provider)

Automatically Collected Information

IP address (de-identified — hashed)
Service usage history and access logs
Browser and device information (User-Agent)
Cookies

Information Collected During Payment

Transaction records (order number, payment amount, payment status)
Payment instrument details such as card numbers are managed directly by the payment gateway (PG company); the Company does not retain this information.

Collection Methods

Automatic collection via social login (Google, Kakao)
Direct input by the user during service use
Automatically generated in the course of service use

Article 2 (Purposes of Collecting and Using Personal Information)

Collected personal information is used only for the following purposes.

Service Provision: Generating and delivering personalized readings, creating AI reports, and providing chat features
Member Management: Member identification, identity verification, and prevention of fraudulent use of the service
Payment Processing: Processing payments and refunds for paid services
AI Analysis: Transmitting de-identified birth-data calculations to AI to generate personalized reports
Service Improvement: De-identified statistical analysis, improving service quality, and developing new features
Customer Support: Responding to inquiries and delivering notices

Article 3 (Retention and Use Period of Personal Information)

General Principle: Personal information is destroyed immediately upon achieving the purpose of collection or upon membership withdrawal. However, information is retained for the applicable period when retention is required by law.
Retention Periods Required by Law:
- Records related to contracts or withdrawal of offers: 5 years (Act on the Consumer Protection in Electronic Commerce, 「전자상거래 등에서의 소비자보호에 관한 법률」)
- Records related to payment and supply of goods or services: 5 years (Act on the Consumer Protection in Electronic Commerce, 「전자상거래 등에서의 소비자보호에 관한 법률」)
- Records related to consumer complaints or dispute resolution: 3 years (Act on the Consumer Protection in Electronic Commerce, 「전자상거래 등에서의 소비자보호에 관한 법률」)
- Access logs: 3 months (Protection of Communications Secrets Act, 「통신비밀보호법」)
- Records related to electronic financial transactions: 5 years (Electronic Financial Transactions Act, 「전자금융거래법」)

Article 4 (Provision of Personal Information to Third Parties)

As a general rule, the Company does not provide users' personal information to third parties. However, the following exceptions apply.

When the user has given prior consent
When providing necessary transaction information to a payment gateway for payment processing:

Recipient	Information Provided	Purpose	Retention Period
Toss Payments Co., Ltd.	Transaction information (order number, payment amount)	Payment processing	Until payment is completed
Sold through Link, LLC	Transaction information (order number, payment amount)	Overseas payment processing	Until payment is completed

When required by law

Article 5 (Delegation of Personal Information Processing)

The Company delegates personal information processing as follows to provide its services.

Processor	Delegated Work	Retention Period
Oracle Corporation	Data storage and server operation	Until termination of delegation agreement
Vercel Inc.	Web application hosting	Until termination of delegation agreement
Cloudflare, Inc.	CDN and domain management	Until termination of delegation agreement

When entering into delegation agreements, the Company clearly stipulates compliance with personal information protection laws, confidentiality obligations, prohibition on provision to third parties, and liability for damages in the event of an incident, and manages and supervises processors to ensure they handle personal information safely.

Article 6 (Cross-border Transfer of Personal Information)

To provide the service, users' personal information is transferred overseas as follows.

Recipient	Country	Information Transferred	Purpose	Retention Period
Oracle Corporation	United States (Virginia)	Data required for service use	Database storage and server operation	Until termination of delegation agreement
Anthropic, PBC	United States	Birth-data calculations (de-identified)	AI report generation	Deleted immediately after API processing
OpenAI OpCo, LLC	United States	Birth-data calculations (de-identified)	AI report generation	Deleted immediately after API processing
Google LLC	United States	Birth-data calculations (de-identified)	AI report generation	Deleted immediately after API processing
Vercel Inc.	USA HQ + global CDN edges	Static assets, cookies	Web application hosting	Until termination of delegation agreement
Cloudflare, Inc.	USA HQ + global CDN edges	Network traffic data	CDN and security services	Automatically deleted
Sold through Link, LLC	United States	Transaction information (order number, payment amount)	Overseas payment processing as authorized reseller and Merchant of Record	Until payment is completed

Legal Basis: Article 28-8 of the Personal Information Protection Act (「개인정보보호법」) (Cross-border transfer for performance of a service contract)
Protective Measures: Encrypted transmission via HTTPS/TLS, data protection in accordance with each provider's security policies, and immediate deletion upon completion of processing

Users may withdraw their consent to the cross-border transfer of personal information described above, in which case the use of certain services such as AI Report generation may be restricted. The method of withdrawing consent is as described in Article 8 (Users' Rights and How to Exercise Them).

Article 7 (AI Services and Personal Information)

The Company generates AI reports based on reading results. Personal information processing related to AI services is as follows.

Data Transmitted to AI: Birth-chart-based personality framework values (paired stems-and-branches and elemental balances) — abstracted structural data used as inputs for personality-pattern interpretation.
Data Not Transmitted to AI: Email address, nickname, profile image, IP address, original date and time of birth, and member identification information.
Data Processing by AI Providers: In accordance with the API terms of use of each AI provider (Anthropic, OpenAI, Google), transmitted data is not used for model training.
Automated Decision-Making: Reading results are used solely to generate reflective reference information, not for automated decision-making. Saju (Korean birth-chart analysis) is processed as personality-pattern data, not as prediction or divination output. Reports generated by AI do not replace the user's important decisions and serve only as reference material.

Article 8 (Users' Rights and How to Exercise Them)

Users may exercise the following rights at any time.

Right of Access: You may access the status of processing of your own personal information.
Right to Rectification and Erasure: You may request correction or deletion of inaccurate personal information.
Right to Suspend Processing: You may request suspension of the processing of your personal information.
Right to Withdraw Consent: You may withdraw consent to the collection and use of your personal information.

How to Exercise: Requests may be submitted through the Settings menu within the service or via email (privacy@myeongbun.com).
Processing Deadline: Requests will be processed within 10 days from the date of the request.
You will not suffer any disadvantage for exercising these rights. However, if you request the deletion of personal information that is essential for service provision, use of that service may be restricted.

Article 9 (Personal Information of Children Under Age 14)

The Company does not collect personal information from children under the age of 14.
The service requires registration via social login (Google, Kakao), and the minimum age requirements of each social service (age 13–14 or older) effectively restrict registration by users under the age of 14.
If it is confirmed that personal information of a user under the age of 14 has been collected, such information will be deleted without delay.

Article 10 (Cookies and Automated Collection Devices)

Purpose of Cookie Use: Maintaining login sessions and providing convenience in service use
Types and Attributes of Cookies:
- Session cookie (iron-session): Login session management
- HttpOnly: Blocks access via JavaScript
- Secure: Transmitted only over HTTPS connections
- SameSite=Lax: Prevents cross-site request forgery (CSRF)
Cookie Validity Period: 7 days
How to Refuse Cookies: You may refuse cookie storage through your browser settings. However, refusing cookies may restrict use of services that require login.

Article 11 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures to ensure the security of personal information.

Encrypted transmission of personal information (HTTPS/TLS)
Access rights management and minimization
De-identification (hashing) of IP addresses
Retention and inspection of personal information access records
Secure management of authentication tokens (Refresh Token stored as SHA-256 hash)
Regular security audits

Article 12 (Procedures and Methods for Destroying Personal Information)

Timing of Destruction: Upon expiration of the retention period, achievement of the processing purpose, or membership withdrawal
Methods of Destruction:
- Electronic files: Deleted using technical methods that prevent recovery
- Records (paper documents): Shredded or incinerated
Personal information for which a retention period remains under applicable law is stored separately from other personal information and destroyed immediately after that period expires.

Article 13 (Chief Privacy Officer)

For inquiries, complaints, or requests for relief regarding personal information processing, please contact the Chief Privacy Officer (CPO) below.

Name: Oh Seungyong
Position: Representative (serving concurrently as Chief Privacy Officer)
Email: privacy@myeongbun.com
Phone: +82-70-8064-7927

Article 14 (Remedies for Infringement of Rights)

Users may apply to the following agencies for consultation and relief regarding personal information infringement.

Personal Information Dispute Mediation Committee (개인정보분쟁조정위원회): (without area code) 1833-6972 (www.kopico.go.kr)
KISA Personal Information Infringement Report Center (한국인터넷진흥원 개인정보침해신고센터): (without area code) 118 (privacy.kisa.or.kr)
Supreme Prosecutors' Office Cybercrime Division (대검찰청 사이버수사과): (without area code) 1301 (www.spo.go.kr)
National Police Agency Cyber Safety Bureau (경찰청 사이버안전국): (without area code) 182 (ecrm.cyber.go.kr)

Article 15 (Obligation to Notify)

This Privacy Policy may be revised in accordance with changes to applicable laws, guidelines, or Company policies. When revised, notice will be provided through in-service announcements at least 7 days prior to the effective date. For changes that have a significant impact on users, notice will be given at least 30 days in advance.

Supplementary Provisions

This Privacy Policy takes effect as of March 31, 2026.