Leanabl Privacy Policy
Effective Date: March 1, 2026
Leanable Inc. (hereinafter referred to as the 'Company') processes personal information lawfully and manages it safely in compliance with the 「Personal Information Protection Act」 and related laws to protect the freedom and rights of data subjects. Accordingly, pursuant to Article 30 of the 「Personal Information Protection Act」, the Company establishes and discloses this Privacy Policy to guide data subjects on the procedures and standards for processing personal information and to promptly and smoothly handle any related grievances.
This policy is effective as of March 1, 2026.
Table of Contents
- Purpose, Items, and Retention Period of Personal Information Processing
- Procedures and Methods for Destruction of Personal Information
- Provision of Personal Information to Third Parties
- Outsourcing of Personal Information Processing
- Matters Concerning Overseas Collection and Transfer of Personal Information
- Measures for Ensuring Safety of Personal Information
- Matters Concerning Installation, Operation, and Refusal of Automatic Data Collection Tools
- Matters Concerning Collection, Use, and Refusal of Behavioral Information
- Matters Concerning Personal Information Processing of Children Under 14
- Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them
- Remedies for Infringement on Rights and Interests of Data Subjects
- Chief Privacy Officer and Grievance Handling Department
- Changes to the Privacy Policy
1. Purpose, Items, and Retention Period of Personal Information Processing
The Company processes and retains personal information within the retention and usage period prescribed by law or within the period agreed upon by the data subject when collecting personal information.
① Processing without the Data Subject's Consent (Contract Performance, etc.)
The Company collects the minimum necessary personal information to provide services.
| Category | Purpose of Processing | Items Collected | Legal Basis | Retention and Usage Period |
|---|---|---|---|---|
| Service Usage | Provision of service and sending contents (Whitepapers, etc.) | Name, Email address, Language information | Article 15(1)(4) of the Act (Execution/Performance of Contract) | Until the purpose of use is achieved (Subject to relevant laws) |
| Auto Collection | Maintaining website access, preventing fraudulent use | IP address, Cookies, Access logs, Visit date/time | Article 15(1)(4) of the Act (Execution/Performance of Contract) | 3 months (Protection of Communications Secrets Act) |
② Processing with the Data Subject's Consent (Marketing, etc.)
| Category | Purpose of Processing | Items Collected | Legal Basis | Retention and Usage Period |
|---|---|---|---|---|
| Marketing | Sending newsletters, Information on new services | Name, Email address | Article 15(1)(1) of the Act (Consent) | Until consent withdrawal (Unsubscription) or 3 years |
③ Retention Reasons Required by Relevant Laws
Even if the retention period agreed upon by the data subject has expired or the purpose of processing has been achieved, if the personal information must be preserved under other laws, the personal information will be moved to a separate database (DB) or stored in a different location.
- Communications Confirmation Data (Log records, IP, etc.): 3 months (Protection of Communications Secrets Act)
- Records on Contract or Withdrawal of Subscription: 5 years (Act on the Consumer Protection in Electronic Commerce, etc. - If applicable to e-commerce)
- Records on Consumer Complaints or Dispute Resolution: 3 years (Act on the Consumer Protection in Electronic Commerce, etc. - If applicable to e-commerce)
2. Procedures and Methods for Destruction of Personal Information
① The Company destroys personal information without delay when the personal information becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose.
② The procedures and methods for destroying personal information are as follows:
- Destruction Procedure: The Company selects the personal information subject to destruction and destroys it with the approval of the Company's Chief Privacy Officer (CPO).
- Destruction Method: Personal information recorded and stored in electronic file format is destroyed so that the record cannot be reproduced, and personal information recorded and stored in paper documents is destroyed by shredding or incineration.
3. Provision of Personal Information to Third Parties
The Company processes the data subject's personal information only within the scope specified in Article 1 (Purpose of Personal Information Processing) and provides personal information to third parties only in cases falling under Articles 17 and 18 of the 「Personal Information Protection Act」, such as the data subject's consent or special provisions of the law.
Currently, the Company does not provide personal information to third parties without the data subject's consent.
4. Outsourcing of Personal Information Processing
① The Company outsources personal information processing tasks as follows for smooth personal information processing.
| Trustee (Outsourced Company) | Contents of Outsourced Tasks |
|---|---|
| Google LLC (Firebase) | Website hosting, Data storage (Firestore), and Server operation management |
| Google LLC (Analytics) | Web log analysis and Service usage statistics verification |
② When concluding an outsourcing contract, the Company clearly states matters regarding the prohibition of personal information processing for purposes other than the performance of outsourced tasks, technical and administrative protection measures, restrictions on re-outsourcing, supervision of the trustee, and liability for damages in accordance with Article 26 of the 「Personal Information Protection Act」, and supervises whether the trustee processes personal information safely.
③ If the contents of the outsourced tasks or the trustee changes, we will disclose it through this Privacy Policy without delay.
5. Matters Concerning Overseas Collection and Transfer of Personal Information
The Company transfers (outsources processing and stores) personal information overseas as follows for global service linkage and data storage.
1. Google Analytics (Web Log Analysis)
- Recipient: Google LLC (googlekr_support@google.com)
- Transferred Country: USA
- Transferred Items: Cookies, IP address (Anonymized), Service usage records, Device information, Access logs
- Date and Method of Transfer: Transmitted occasionally via network at the time of service use
- Purpose of Use: Website visitor usage statistics analysis and service improvement
- Retention and Usage Period: Upon the data subject's request for destruction or until the Google Analytics data retention setting period (e.g., 14 months)
2. Google Firebase (Hosting and Data Storage)
- Recipient: Google LLC (googlekr_support@google.com)
- Transferred Country: USA and locations of Google data centers
- Transferred Items: Name, Email address, Language information, Service usage records, and all stored data
- Date and Method of Transfer: Transmitted occasionally via network at the time of service use (form submission, etc.)
- Purpose of Use: Data storage, server operation and management, hosting service provision
- Retention and Usage Period: Until the end of the service use contract or membership withdrawal
[Method to Refuse Overseas Transfer]
Data subjects may refuse overseas transfer through the Chief Privacy Officer and the responsible department. However, due to the nature of hosting and data storage services, if overseas transfer is refused, use of the service, such as website access and content download, may be impossible.
6. Measures for Ensuring Safety of Personal Information
The Company takes the following measures to ensure the safety of personal information.
- Administrative Measures: Establishment and implementation of internal management plans, regular employee training.
- Technical Measures: Management of access rights to personal information processing systems, installation of security programs, encryption of communication sections (SSL).
- Physical Measures: Access control for computer rooms, data storage rooms, etc.
7. Matters Concerning Installation, Operation, and Refusal of Automatic Data Collection Tools
① The Company uses 'cookies' that store and retrieve usage information from time to time to provide individually customized services to users.
② Cookies are a small amount of information sent by the server (http) used to operate the website to the user's computer browser and may be stored on the hard disk of the user's PC computer.
- Purpose of using cookies: To analyze the user's access frequency, visit time, usage patterns, etc., to provide personalized services and improve services.
- Installation, Operation, and Refusal of Cookies: You can set options in your web browser to allow cookies or block cookies.
- (Example: Chrome) Web browser top right 'Settings' > 'Privacy and security' > 'Third-party cookies' > Set blocking
- Effect of Refusal: If you refuse to store cookies, you may experience difficulties in using some customized services.
8. Matters Concerning Collection, Use, and Refusal of Behavioral Information
The Company collects and uses behavioral information to provide optimized customized services and benefits to data subjects during the service use process. The Company allows a third party (Google) to collect behavioral information on the website.
- Items of Behavioral Information Collected: User's website visit history, search history, service usage records
- Method of Collection: Automatic collection via Google Analytics
- Purpose of Collection: Interest-based analysis of users, marketing utilization, and service improvement
- Retention and Usage Period: Maximum 14 months from the collection date (Automatically destroyed thereafter)
- Method of Refusal:
- Cookie blocking settings according to Article 7 (Refusal of Automatic Collection Tools)
- Installation of Google Analytics Opt-out Browser Add-on (Install Link)
9. Matters Concerning Personal Information Processing of Children Under 14
The Company does not collect or use the personal information of children under the age of 14 and restricts the sign-up of children. If we become aware that personal information of a child under the age of 14 has been collected, we will destroy the information without delay.
10. Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them
① The data subject may exercise rights related to personal information protection, such as requesting access, correction, deletion, or suspension of processing, against the Company at any time.
② The exercise of rights may be made to the Company in writing, by e-mail, facsimile (FAX), etc., in accordance with Article 41(1) of the Enforcement Decree of the 「Personal Information Protection Act」, and the Company will take action without delay.
③ The exercise of rights may be made through an agent, such as the legal representative of the data subject or a person who has been delegated authority. In this case, you must submit a power of attorney in accordance with Form No. 11 of the "Notice on Personal Information Processing Methods (No. 2023-12)".
④ Rights regarding Automated Decision-Making: The Company does not perform automated decision-making using AI, etc. (decisions that have a significant impact on the rights or obligations of the data subject, such as hiring or credit evaluation).
11. Remedies for Infringement on Rights and Interests of Data Subjects
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the KISA Personal Information Infringement Report Center, etc., to receive relief from personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following organizations.
- Personal Information Dispute Mediation Committee: (Without area code) 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: (Without area code) 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: (Without area code) 1301 (www.spo.go.kr)
- National Police Agency: (Without area code) 182 (ecrm.police.go.kr)
12. Chief Privacy Officer and Grievance Handling Department
① The Company designates a Chief Privacy Officer as follows to take overall responsibility for personal information processing tasks and to handle complaints and remedy damages of data subjects related to personal information processing.
[Chief Privacy Officer (CPO)]
- Name: Haeseong Jung
- Position: CEO
- Contact: support@leanabl.com (※ Connected to the department in charge of personal information protection.)
[Department in Charge of Personal Information Protection]
- Department Name: Leadership
- Person in Charge: Haeseong Jung
- Contact: support@leanabl.com
② Data subjects may inquire about all personal information protection-related inquiries, complaint handling, damage relief, etc., that occurred while using the Company's service (or business) to the Chief Privacy Officer and the department in charge. The Company will answer and handle the data subject's inquiries without delay.
13. Changes to the Privacy Policy
① This Privacy Policy applies from March 1, 2026.
② Previous versions of the Privacy Policy can be checked at the top right.