Privacy Policy

Last Revised:
March 7, 2025

This Privacy Policy complies with the “Personal Information Protection Act” and related laws and regulations to protect the freedom and rights of information subjects (users) who use Upstage Co., Ltd.(collectively the "Company")'s official website and the Upstage Console service(collectively the "Console") to process and safely manage personal information legally. In compliance with Article 30 of the Personal Information Protection Act, Upstage establishes and discloses the following privacy policy to inform information subjects of the procedures and standards for processing personal information and to handle grievances promptly and smoothly.

Disclaimer: Governing law

So, as you know, the laws and regulations of the Republic of Korea have formulated this privacy policy. While it applies to our global operations, the policy is primarily governed by South Korean legal standards and practices. Users outside of South Korea should be aware that the policy might reference legal concepts and frameworks specific to South Korea, which may differ from local laws.

1. Purpose, items, and retention period of personal information processing

The Company processes personal information for the following purposes. It obtains the data subject's consent for processing their personal information items by Article 15 Paragraph 1 Clause 1 and Article 22 Paragraph 1 Clause 7 of the Personal Information Protection Act. If the purpose of use changes, the Company will take necessary measures such as obtaining separate consent by Article 18 of the Personal Information Protection Act.

A. Membership registration and management: Until the member withdraws

However, in the following cases, until the end of the relevant reason
• If there is an ongoing investigation or inquiry due to a violation of related laws, until the end of the investigation or inquiry
• If there is a remaining debt or credit relationship due to the service use until the settlement of the debt or credit relationship

B. Provision of goods or services: Until the completion of the supply of goods or services and the payment and settlement of fees

However, in the following cases, until the end of the relevant period
• Records on display, advertisement, contract contents, performance, and transactions under the Act on Consumer Protection in Electronic Commerce, etc.
• Records on display and advertisement: 6 months
• Records on contract or withdrawal of the offer, payment of the price, and supply of goods, etc.: 5 years
• Records on consumer complaints or dispute resolution: 3 years
• Communication confirmation data retention under Article 41 Paragraph 2 of the Enforcement Decree of the Protection of Communications Secrets Act
• Service usage records, access logs, access IP addresses: 3 months

C. Non-member services are provided for one year.

• However, if a non-member requests deletion through a personal information access request, it will be deleted without delay.

Service Category Purpose of collection Items collected Retention and use period
Console Membership registration and management To confirm the intention of membership registration, to identify and authenticate the member for the provision of membership services, to maintain and manage the membership status, to prevent fraudulent use of services, to enhance user security, to improve service quality, to develop new features and services, to deliver various notices and notifications. (Required) Email address,Password. However, if you sign up without a password with Google Oauth, we collect email as a required field and password as an optional field Retained for 90 days after withdrawal, then deleted
Console Provide goods or services • We are providing services, payment processing, and settlement for personalized services. (Required) Card number, card expiry, CVC code.(Optional) Data entered by the user in the service is automatically generated during service usage. ​Completed supply of goods or services, and payment settled.Exceptions: Preservation by law is required for five years.
Console Playground • To provide LLM and Document AI services
• To improve and develop our Services and conduct research, for example to develop new product features.		 Conversation content, uploaded documents, and voting content entered by the user who registered for membership Until the withdrawal of membership or the termination of the outsourcing contract
Console Non-member services(Playground) • To provide LLM and Document AI services
• To improve and develop our Services and conduct research, for example to develop new product features.		 Conversation content, uploaded documents, and voting content entered by non-member users. 1 year
*However, if a non-member user requests deletion through a personal information access request, it will be deleted without delay.
Console Asynchronous API • To provide Document AI services Inference request data, inference result data Inference request data: Temporarily store inference requests until completion.Inference Result Data: Store inference results for 30 days after completion.
Console Support • Consumer Complaints
• Handling Grievances		 Counseling services, the purpose of the request, name, phone number, email, consultation records (contents, date, and time), complaint or grievance resolution. Three years
Console Marketing information utilization • To send newsletters (Optional) Email address Until the user expresses their intention to refuse to receive or withdraw their consent
• Provision of events and advertising information (Optional) Name, email address, phone number, affiliation (company and department name/school and department name), job title Until the user expresses their intention to refuse to receive or withdraw their consent
Official website Contact Us Provision of events and advertising information Name, email address, phone number, company name, industry, position, inquiry content 1 year
Official website Newsletter • To send newsletters
• Provision of events and advertising information		 Email address 1 year
Official website Careers Career Name, email address, phone number(optional) Information included in the resume (education, work experience, military service, qualifications, language skills) 3 years
*However, if the applicant wishes to delete, the deletion should be made immediately.

2. Children’s Privacy

a. We do not intend for our websites or online services to be used by anyone under the age of 14. We do not knowingly collect, sell, or share information of the ages of 14.  If you are a parent or guardian and believe we may have collected information about your child, please contact us immediately as described in this Policy's “10. Chief Privacy Officer and Personal Information Disclosure Claim” section. For more information, please see our Terms of Use.

3. Entrustment of personal information processing

a. The Company entrusts the following personal information processing tasks to external service providers for efficient personal information management.

Service Recipient (Beneficiary) Outsource tasks Assigning tasks to subcontractors Retention and Use Duration
Common (Official website, Console) Amazon Web Services, Inc. Analysis, processing, linking, interfacing, editing, correction, recovery, use, and other related tasks of personal information https://aws.amazon.com/privacy/ Until the withdrawal of membership or the termination of the outsourcing contract
Common (Official website, Console) BREVO Email sending for marketing purposes https://www.brevo.com/legal/privacypolicy/ Until the withdrawal of membership or the termination of the outsourcing contract
Common (Official website, Console) salesforce Customer DB management and email sending https://www.salesforce.com/kr/company/privacy/ Until the withdrawal of membership or the termination of the outsourcing contract
Common (Official website, Console) Zapier, Inc. Customer DB management https://zapier.com/privacy Until the withdrawal of membership or the termination of the outsourcing contract
Console Stripe Payment service provision https://stripe.com/legal/service-providers Until the withdrawal of membership or the termination of the outsourcing contract
Console Elfsight Customer CS collection and management https://elfsight.com/privacy-policy/ Until the withdrawal of membership or the termination of the outsourcing contract
Console Atlassian Corp. Customer CS collection and management https://www.atlassian.com/legal/privacy-policy Until the withdrawal of membership or the termination of the outsourcing contract
Console OpenAI, Inc. OpenAI model provision for model comparison in Playground > Chat service https://openai.com/policies/privacy-policy/ Until the withdrawal of membership or the termination of the outsourcing contract
Console NAVER Cloud Corp. HyperCLOVA X model provision for model comparison in Playground > Chat service https://www.ncloud.com/policy/infou/infou Until the withdrawal of membership or the termination of the outsourcing contract
Console Microsoft Clarity Web log analysis https://clarity.microsoft.com/privacy Until the withdrawal of membership or the termination of the outsourcing contract
Console Google Customer DB management, Web log analysis https://policies.google.com/ Until the withdrawal of membership or the termination of the outsourcing contract
Console Fireworks.ai Model inference service provision https://fireworks.ai/privacy-policy Services not saved after temporary use.
Console Together Computer, Inc. Model inference service provision https://www.together.ai/privacy Services not saved after temporary use.
Console FriendliAI Inc. Model inference service provision https://friendli.ai/privacypolicy Services not saved after temporary use.
Console OctoAI, Inc. Model inference service provision https://octo.ai/legals/privacy-policy/ Services not saved after temporary use.
Official website recruitee(by Tellent) Career https://recruitee.com/privacy-policy 3 years
*However, if the applicant wishes to delete, the deletion should be made rapidly.

b. When entering into a contract for entrustment, the Company shall specify the matters concerning the prohibition of personal information processing other than the purpose of performing the entrusted tasks, technical and administrative protection measures, restrictions on re-entrustment, management, and supervision of the trustee, and liability for damages in the contract or other documents by Article 26 of the Personal Information Protection Act, and shall supervise the trustee to ensure that the personal information is processed safely.
c. By Article 26, paragraph 6 of the Personal Information Protection Act, the trustee shall obtain the consent of the Company when re-entrusting the personal information processing tasks entrusted by the Company.
d. If the content of the entrusted tasks or the trustee changes, we will disclose it immediately through this Privacy Policy.
e. If we entrust personal information processing tasks overseas, we will inform you in '04. Transfer of Personal Information Overseas'.

4. Personal data transfer abroad

The company provides and outsources services for marketing, customer management, and AI models overseas.

Contact information help@fireworks.ai Personal information items entrusted Conversation content, uploaded documents, and voting results entered by a registered user into the service Contents of the entrusted tasks To provide inference services. Retention and use period of personal information Services not saved after temporary use. How to refuse the transfer of personal information, procedure, and effect of refusal • How to refuse overseas transfer (procedure): To refuse the transfer of personal information abroad, please indicate your refusal to support.
• Impact of refusing overseas transfer: If you refuse an overseas transfer, you may experience difficulties using the inference service. Legal basis for overseas transfer • Article 28-8, paragraph 1, item 1 (consent of the information subject)
• Article 28-8, paragraph 1, item 3 (processing and storage for contract execution)
Subcontractors Together Computer, Inc.
Location of the subcontractors The United States
Date and method of entrusting Personal information may be transferred to the company's managed cloud server for processing through network transmission.
Contact information privacy@together.ai
Personal information items entrusted Conversation content, uploaded documents, and voting results entered by a registered user in the service
Contents of the entrusted tasks To provide inference services.
Retention and use period of personal information Services not saved after temporary use.
How to refuse the transfer of personal information, procedure, and effect of refusal • How to refuse overseas transfer (procedure): To refuse the transfer of personal information abroad, please indicate your refusal to support.
• Impact of refusing overseas transfer: If you refuse an overseas transfer, you may experience difficulties using the inference service.
Legal basis for overseas transfer • Article 28-8, paragraph 1, item 1 (consent of the information subject)
• Article 28-8, paragraph 1, item 3 (processing and storage for contract execution)
Subcontractors FriendliAI Inc.
Location of the subcontractors The United States
Date and method of entrusting Personal information may be transferred to the company's managed cloud server for processing through network transmission.
Contact information privacy@friendli.ai
Personal information items entrusted Conversation content, uploaded documents, and voting content entered by a member into the service
Contents of the entrusted tasks To provide inference services.
Retention and use period of personal information Services not saved after temporary use.
How to refuse the transfer of personal information, procedure, and effect of refusal • How to refuse overseas transfer (procedure): To refuse the transfer of personal information abroad, please indicate your refusal to support.
• Impact of refusing overseas transfer: If you refuse an overseas transfer, you may experience difficulties using the inference service.
Legal basis for overseas transfer • Article 28-8, paragraph 1, item 1 (consent of the information subject)
• Article 28-8, paragraph 1, item 3 (processing and storage for contract execution)
Subcontractors OctoAI, Inc.
Location of the subcontractors The United States
Date and method of entrusting Personal information may be transferred to the company's managed cloud server for processing through network transmission.
Contact information contact@octo.ai
Personal information items entrusted Conversation content, uploaded documents, and voting content entered by a member into the service
Contents of the entrusted tasks To provide inference services.
Retention and use period of personal information Services not saved after temporary use.
How to refuse the transfer of personal information, procedure, and effect of refusal • How to refuse overseas transfer (procedure): To refuse the transfer of personal information abroad, please indicate your refusal to support.
• Impact of refusing overseas transfer: If you refuse an overseas transfer, you may experience difficulties using the inference service.
Legal basis for overseas transfer • Article 28-8, paragraph 1, item 1 (consent of the information subject)
• Article 28-8, paragraph 1, item 3 (processing and storage for contract execution)
Subcontractors recruitee(by Tellent)
Location of the subcontractors The Netherlands
Date and method of entrusting Personal information may be transferred to the company's managed cloud server for processing through network transmission.
Contact information hello@recruitee.com
Personal information items entrusted The applicant information entered by the applicant for the Upstage recruitment application (name, email, phone number (optional) information included in the resume (education, experience, military service, qualifications, languages))
Contents of the entrusted tasks For the hiring process
Retention and use period of personal information 3 years
*However, if the applicant wishes to delete, the deletion should be made rapidly.
How to refuse the transfer of personal information, procedure, and effect of refusal • How to refuse overseas transfer (procedure): To refuse the transfer of personal information abroad, please indicate your refusal by email(careers@upstage.ai).
• Impact of refusing overseas transfer: If you refuse an overseas transfer, you may cause difficulties in the hiring process.
Legal basis for overseas transfer • Article 28-8, paragraph 1, item 1 (consent of the information subject)
• Article 28-8, paragraph 1, item 3 (processing and storage for contract execution)

5. Procedure and method of destroying personal information

a. The Company shall destroy personal information without delay when it is no longer necessary to retain the personal information, such as when the retention period of personal information expires or when the purpose of processing is achieved.
b. Even if the retention period of personal information has expired or the purpose of processing has been achieved, if it is necessary to preserve personal information under other statutes, the Company shall transfer it to a separate database (DB) or store it in a separate storage place.
c. The procedure and method of destroying personal information are as follows. • Destruction procedure The company selects personal information for which the destruction reason has occurred and destroys the personal information according to internal regulations. • Destruction method The company destroys personal information recorded and stored in electronic files, making reproducing the record impossible. It also shreds the personal information recorded and stores it in paper documents.

6. Rights, obligations, and exercise methods of the information subject and legal representative

a. The information subject may exercise the following rights against the company at any time.
※ The company does not collect and provide services for the personal information of children under 14.
b. The exercise of rights may be made by written, e-mail, facsimile, etc., to the company by Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the company will take action without delay.
c. The exercise of rights may be made through a representative such as a legal representative or a person entrusted with the exercise of rights. In this case, a power of attorney by the attached Form 11 of the "Enforcement Decree of the Personal Information Protection Act" must be submitted.
d. The right to request the disclosure of personal information and the right to request the correction, deletion, and suspension of processing may be limited by Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.
e. The company may refuse to delete personal information if specified as the collection subject in other statutes.
f. The company verifies whether the person who has requested the disclosure is the person who has asked for the disclosure or a legitimate representative.

7. Measures to ensure the safety of personal information

The company is taking the following measures to ensure the safety of personal information.
• Administrative measures: Establishment and implementation of internal management plans, operation of dedicated organizations, and regular employee education
• Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, Installation and updating of security programs
• Physical measures: Access control of computer centers, etc.

8. Installation and operation of personal information automatic collection devices and refusal

a. The company uses Google Analytics, a web log analysis tool that Google provides. Google Analytics collects information about service users through cookies (Cookie) ; in this case, only non-identifiable information that cannot identify individual users is collected.
Nevertheless, users can refuse to use Google Analytics by installing the Google Analytics blocking browser add-on (https://tools.google.com/dlpage/gaoptout) or by refusing to set cookies on the web browser.
b. Cookies are small pieces of information sent to the user's computer browser by the server (HTTP) used to operate the website and are stored on the hard disk of the user's PC.
• Purpose of use of cookies: This information is used to understand each service visited by the user, including the types of visits and usage, search terms, and whether a secure connection was used to provide optimized information to the user.
• Installation, operation, and refusal of cookies: In Chrome, you cannot store cookies through the settings menu > privacy and security > cookies and other site data.
• You may experience difficulties using customized services if you refuse to store cookies.

9. Additional use·provision judgment criteria

a. The company may use and provide personal information without the consent of the information subject by Article 15 (3) and Article 17 (4) of the 「Personal Information Protection Act」 and Article 14-2 of the Enforcement Decree of the 「Personal Information Protection Act」.

Category Purpose of use and provision. Retention and Use Duration
Email Sending additional service-related notifications regularly Immediate destruction after purpose

b. Accordingly, the company has considered the following matters to use and provide additional information without the consent of the information subject.
• Whether the purpose of using and providing personal information is related to the original purpose of collection
• Whether there is a predictability of additional use and provision in light of the circumstances in which personal information is collected or the processing practices
• Whether the additional use and provision of personal information unreasonably infringes the interests of the information subject
• Whether necessary measures have been taken to ensure safety, such as pseudonymization or cryptography

10. Chief Privacy Officer and Personal Information Disclosure Claim

a. The company has designated a Chief Privacy Officer responsible for managing personal information and handling complaints and remedies related to processing personal data.

b. The information subject may request the disclosure of personal information under Article 35 of the "Personal Information Protection Act" to the department below. The company will make every effort to ensure that the request for the disclosure of personal information is processed promptly.

Category Contact Information Contact
Category Contact Information Contact
Chief Privacy Officer Position: Chief Privacy Officer, Name: Lucy Park Contact: 070-8098-3023, Email: infosec@upstage.ai
Personal Information Disclosure Claim Department Name: Console Contact: 070-8098-3023, Email: contact@upstage.ai

c. The information subject may inquire about all matters related to protecting personal information, such as complaints and remedies, by contacting the Chief Privacy Officer and the department in charge. The company will respond to the information subject's inquiry quickly.

11. Methods of Exercising Rights

a. The company is committed to protecting the information subject's right to self-determination and is making efforts to provide counseling and remedies for personal information infringement. If you need to report or consult, please contact the department below.

Category Contact Information Contact
Chief Privacy Officer Position: Chief Privacy Officer, Name: Lucy Park Contact: 070-8098-3023, Email: infosec@upstage.ai
Personal Information Protection Department Department Name: Infra&Security Contact: 070-8098-3023, Email: infosec@upstage.ai

b. The information subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency, etc., for remedies for personal information infringement. Please contact agencies for other reports on personal information infringement, consultations, etc.
• Personal Information Dispute Mediation Committee: +82 1833-6972 (www.kopico.go.kr)
• Personal Information Infringement Reporting Center: +82 118 (privacy.kisa.or.kr)
• Supreme Prosecutors' Office: +82 1301 (www.spo.go.kr)
• National Police Agency: +82 182 (ecrm.police.go.kr)

c. If the information subject has suffered damage due to the disposition or non-action of the head of the public institution regarding the request for the exercise of rights under Article 35 (Access to Personal Information), Article 36 (Correction, Deletion, etc. of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act, he/she may file an administrative appeal by the Administrative Appeals Act.
• Central Administrative Appeals Commission: +82 110 (www.simpan.go.kr)

12. Changes to the privacy policy

a. This privacy policy will take effect on March 08, 2025.
b. The previous privacy policy can be found at the link below.
• 2024. 12. 19 ~ 2025. 03. 07 (Click)
• 2024. 11. 29 ~ 2024. 12. 18 (Click)
• 2024.  9. 26 ~ 2024. 11. 28 (Click)
• 2024.  8.  1 ~ 2024.  9. 25 (Click)
• 2024.  7. 12 ~ 2024.  7. 31 (Click)
• 2024.  3. 13 ~ 2024.  7. 11 (Click)
• 2024.  2. 28 ~ 2024.  3. 12 (Click)
• 2023. 12. 20 ~ 2024.  2. 28 (Click)