BIMFactory Co., Ltd. ("Company") values the personal data of its users and establishes this Privacy Policy pursuant to Article 30 of the Personal Information Protection Act of Korea ("PIPA") and Articles 13–14 of the EU General Data Protection Regulation ("GDPR").
This Policy applies to the service "Forecast AI" operated by the Company (the "Service").
1. Controller and Contact
- Controller: BIMFactory Co., Ltd.
- Representative: Seo Hee-chang
- Business Registration No.: 261-86-03265
- Address: 3F–5F, S&C Tower, 223-1 Yulgok-ro, Jongno-gu, Seoul, Republic of Korea
- Email: forecast-ai@bimfactory.co.kr
- Website: https://forecastai.co.kr
2. Purposes of Processing and Legal Bases
The Company processes personal data for the following purposes and on the following legal bases (GDPR Art. 6).
| Purpose | Legal Basis |
|---|---|
| Account registration, identity verification, account management | Contract performance (Art. 6(1)(b)) |
| Provision of the Service (persona simulation, AI analysis, generated outputs) | Contract performance |
| Payment processing and refunds | Contract performance |
| Customer support and complaint handling | Contract performance |
| Service improvement and new feature development (aggregated usage analysis) | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest |
| Marketing, promotions, event notifications | Consent (Art. 6(1)(a)) |
| AI model training and quality improvement | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (tax, e-commerce law) | Legal obligation (Art. 6(1)(c)) |
Processed data shall not be used for purposes other than those listed above without separate consent.
3. Categories of Personal Data Collected
3.1 Account and Authentication
- Required: email address, password (hashed), nickname, avatar URL
- Social login: OAuth identifier, name, email, profile picture (when using Google or Kakao)
3.2 Payment and Billing
- Individual: payment history (amount, product, timestamp, payment method), refund records
- B2B / Enterprise: contact name, email, phone, representative name, business registration number, company address
- Card details are collected and stored by the payment processor (Payple, Lemon Squeezy); the Company stores only payment identification tokens.
3.3 Service Usage
- Simulation records (persona, conversation content, turn count, timestamps)
- AI-generated outputs (analysis reports, slide decks, scripts, next-simulation suggestions)
- User-created custom personas and scenarios
- User-uploaded files (documents and persona knowledge materials; audio/meeting recordings and their transcription/diarization results)
3.4 Automatically Collected Data
- IP address, browser and device information (User-Agent), access logs, service usage logs
- Cookies (login session, CSRF token, language preference)
- Google Analytics 4 identifiers (non-essential; can be disabled via browser settings)
- GA4 User-ID: a non-PII pseudonymous internal UUID of logged-in users, transmitted to enable cross-device and cross-session analytics (no email, name, or other directly identifying data is sent)
- Sentry error-tracking data (error message, stack trace, browser/OS, error URL)
3.5 Collection Methods
- Direct input by the user during registration or use of the Service
- Transmitted via API from social login providers
- Automatically generated and logged during Service use
3.6 Children Under 14
The Company does not knowingly collect personal data from children under the age of 14 and does not permit such users to register. If the Company becomes aware that a user is under 14, the account will be suspended and related information will be deleted.
4. Retention Periods
4.1 Internal Retention Policy
| Item | Retention Period |
|---|---|
| Account information (email, nickname) | Retained for 1 year after withdrawal, then destroyed (to prevent re-registration abuse) |
| Simulation usage records | Retained for 1 year after withdrawal (data subject to legal retention kept separately) |
| Dormant accounts | Converted to dormant status after 1 year of inactivity; destroyed 1 year after conversion |
| Marketing consent record | Until consent withdrawal |
| AI-training consent record | Until consent withdrawal |
4.2 Statutory Retention (Republic of Korea)
| Item | Period | Legal Basis |
|---|---|---|
| Records of contract or withdrawal of offer | 5 years | Act on the Consumer Protection in Electronic Commerce |
| Records of payment and supply of goods | 5 years | Act on the Consumer Protection in Electronic Commerce |
| Records of consumer complaints or dispute resolution | 3 years | Act on the Consumer Protection in Electronic Commerce |
| Records of display/advertisement | 6 months | Act on the Consumer Protection in Electronic Commerce |
| Website access logs (IP) | 3 months | Protection of Communications Secrets Act |
5. Disclosure to Third Parties
The Company does not disclose personal data to third parties except:
- With the user's prior consent;
- When required by law or compelled to do so by law enforcement authorities through legally prescribed procedures;
- When required for imminent threats to the life, body, or property of the data subject or third parties;
- As necessary for the conclusion or performance of a contract related to the provision of the Service, where it is difficult to obtain ordinary consent.
6. Processors (Entrusted Parties)
The Company entrusts the following processors to provide the Service. Contracts include GDPR Art. 28-compliant data-processing terms.
| Processor | Entrusted Task | Location |
|---|---|---|
| Supabase Inc. | Authentication and database hosting, verification emails | USA |
| Vercel Inc. | Web hosting, CDN, basic logging | USA |
| Resend Inc. | Transactional and marketing email delivery | USA |
| Payple Inc. | Domestic (KR) card payment processing | Republic of Korea |
| Lemon Squeezy (Paddle.com Market Ltd.) | International payment processing (Merchant of Record) | USA / UK |
| Google LLC | Social login (OAuth), web analytics (GA4), Gemini AI | USA |
| Kakao Corp. | Social login (OAuth) | Republic of Korea |
| OpenAI, L.L.C. | AI simulation and analysis (GPT models) | USA |
| Anthropic, PBC | AI simulation and analysis (Claude models) | USA |
| AssemblyAI, Inc. | Speech-to-text and speaker diarization of uploaded audio/meeting recordings | USA |
| Perplexity AI, Inc. | AI web search | USA |
| Functional Software, Inc. (Sentry) | Error tracking and monitoring | USA |
7. International Data Transfers
The Company transfers personal data outside Korea / the EEA to the processors listed in Section 6. Transfers are carried out pursuant to Article 28-8 of PIPA and Chapter V (Articles 44–50) of GDPR.
Appropriate safeguards are in place:
- Standard Contractual Clauses (SCC) entered into with each processor located outside the EEA (Art. 46(2)(c)), or
- Adequacy decisions of the European Commission where applicable.
Users may request a copy of the applicable safeguards by contacting the Company at the address listed in Section 1.
| Recipient | Country | Data Transferred | Transfer Method | Retention |
|---|---|---|---|---|
| Supabase Inc. | USA | All categories in Section 3 | HTTPS/TLS | Per Section 4 |
| Vercel Inc. | USA | IP, cookies, access logs | HTTPS/TLS | Per Section 4 |
| Resend Inc. | USA | Email, nickname | HTTPS/TLS | 30 days after dispatch |
| Google LLC | USA | OAuth identifier, GA4 identifier, GA4 User-ID (non-PII UUID), prompts | HTTPS/TLS | Per Section 4 |
| OpenAI, L.L.C. | USA | Simulation conversation content; user-uploaded documents and persona knowledge content; persona profiles | HTTPS/TLS | Per Section 4 |
| Anthropic, PBC | USA | Simulation conversation content; user-uploaded documents and persona knowledge content; persona profiles | HTTPS/TLS | Per Section 4 |
| AssemblyAI, Inc. | USA | Uploaded audio/meeting recordings and their transcription/diarization results | HTTPS/TLS | Per Section 4 |
| Perplexity AI, Inc. | USA | Web search queries (may include partial simulation context) | HTTPS/TLS | Per Section 4 |
| Lemon Squeezy | USA/UK | Payment identifier, email, amount | HTTPS/TLS | Per Section 4 |
| Functional Software, Inc. | USA | IP, browser/OS, error message | HTTPS/TLS | 90 days |
8. Data Subject Rights
Users may exercise the following rights regarding their personal data at any time:
- Right of access — confirm processing and obtain a copy of the data (PIPA §35; GDPR Art. 15)
- Right to rectification — correct inaccurate or incomplete data (PIPA §36; GDPR Art. 16)
- Right to erasure — request deletion ("right to be forgotten") (PIPA §36; GDPR Art. 17), except where retention is mandated by law
- Right to restrict processing (PIPA §37; GDPR Art. 18)
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing
- Right to data portability — receive personal data in a machine-readable format and transmit it to another controller (PIPA §35-2; GDPR Art. 20)
- Right to object to processing based on legitimate interest or for direct marketing (GDPR Art. 21)
- Right not to be subject to automated decision-making (PIPA §37-2; GDPR Art. 22) — see Section 9
- Right to lodge a complaint with a supervisory authority (GDPR Art. 77)
How to exercise your rights:
- In-service: Settings → Account → Privacy Management
- Email: forecast-ai@bimfactory.co.kr
- Requests by an authorized representative require a written authorization.
The Company responds within 10 days (PIPA) or 30 days (GDPR, extendable by 60 days for complex requests).
9. Automated Decision-Making
Pursuant to PIPA Article 37-2 and GDPR Article 22:
- The Company currently does not perform solely automated decisions that produce legal or similarly significant effects on users (e.g., eligibility determination, tiered pricing based on profiling, account suspension without human review).
- AI-generated outputs provided through the Service are advisory reference material. Final decisions and actions remain with the user.
- Where the user has given separate consent for AI training, conversation data is used in a form from which personal identifiers have been removed for model quality improvement. Consent may be withdrawn at any time, and data is not used for training thereafter.
- Users may request an explanation of, or object to, any automated decision (see Section 8, Right 8).
10. Cookies and Behavioral Data
10.1 Categories
| Category | Description | Consent Required |
|---|---|---|
| Essential | Session, CSRF, language preference — required to operate the Service | No |
| Functional | Theme, onboarding state — user convenience | No or Optional |
| Analytics | Google Analytics 4 (_ga, _ga_*) | No (can be disabled via browser settings) |
| Advertising | Not in use (separate consent will be obtained if introduced) | N/A |
10.2 Managing Cookies
Users may refuse cookies through their browser settings:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Cookies and stored data
- Firefox: Preferences → Privacy & Security → Cookies and Site Data
10.3 Behavioral / Interest-Based Advertising
The Company does not currently conduct behavioral advertising. If introduced, the Policy will be updated and separate consent obtained.
11. Security Measures
Administrative
- Minimization and regular training of personnel handling personal data
- Internal management plan establishing responsibilities
- Retention and review of personal-data processing records
Technical
- Password hashing (bcrypt) and one-way encryption
- TLS 1.2+ encryption in transit
- Role-based access control and principle of least privilege
- Security monitoring and periodic reviews
- Firewall and intrusion detection systems
Physical
- Physical security of cloud infrastructure (Supabase, Vercel) in accordance with the respective providers' security policies
- Access control to office premises
12. Data Protection Officer (DPO) / Chief Privacy Officer (CPO)
- Name: Seo Hee-chang
- Title: Chief Privacy Officer (concurrent CEO)
- Email: forecast-ai@bimfactory.co.kr
Intake department for access and complaint requests:
- Department: Privacy Team
- Email: forecast-ai@bimfactory.co.kr
- Hours: Weekdays 08:00–17:00 KST (closed weekends and public holidays)
13. Responsibility of the Business Operator
Pursuant to PIPA Article 30-3 (effective 2026.9.11), the business operator and the representative of the Company bear overall responsibility for personal data processing, including publication of this Policy, implementation of safeguards, and notification and remedial action in the event of a personal-data breach.
14. Data Breach Notification
In the event of a personal-data breach, the Company will notify affected data subjects without undue delay and report to the relevant supervisory authority within 72 hours pursuant to GDPR Art. 33–34 and PIPA Art. 34 (as amended 2026.9.11), including:
- The categories of personal data affected
- When and how the breach occurred
- Steps the user can take to minimize harm
- Measures taken by the Company and the remedies available
- The point of contact for further information
15. Remedies
Users may contact the following authorities for grievance resolution related to personal data.
Republic of Korea
| Authority | Contact | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 | https://www.kopico.go.kr |
| KISA Privacy Infringement Report Center | 118 | https://privacy.kisa.or.kr |
| Cyber Investigation Bureau, Supreme Prosecutors' Office | 1301 | https://www.spo.go.kr |
| Cyber Investigation Bureau, National Police Agency | 182 | https://ecrm.police.go.kr |
EU / EEA
Users residing in the EU/EEA may lodge a complaint with their national supervisory authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
16. Changes to this Policy
This Policy is effective as of April 20, 2026. Material changes will be announced at least 30 days prior to their effective date through the Service's notice section; other changes will be announced at least 7 days prior.
- Publication date: April 20, 2026
- Effective date: April 20, 2026