Privacy Policy
Last updated: 2026-06-05
코딕스(CODIX) ("the Company") complies with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other relevant laws of the Republic of Korea, and operates this Privacy Policy to safeguard members' personal information.
1. Categories of Personal Information Collected
The Company collects the following personal information for member registration and service provision.
A. Collected at sign-up
- Email address, password (stored as a one-way hash)
- When using social login: identifier, email, and nickname provided by the external authentication provider
B. Collected during service use (sensitive information)
- Birth information: date of birth, time of birth, place of birth (including coordinates)
- Profile information: name (alias), gender
- AI consultation conversation history
C. Collected at payment
- Payment processing is handled by Toss Payments; the Company does not directly store card numbers.
- Payment identifier (billing key), payment date, payment amount, subscription status
D. Automatically collected
- Access IP address, browser information, access logs, usage logs (for fraud detection and service quality improvement)
2. Methods of Collection
- Input via the sign-up form or external authentication providers (Google, Kakao, etc.)
- Direct input during service use and via automated collection tools
- Transferred from the payment processor during payment method registration
3. Purposes of Use
- Member identification and authentication; service provision and operation
- Birth chart calculation and AI analysis response generation
- Paid subscription management, payment processing, refunds, and fraud prevention
- Service quality improvement, new feature development, statistical analysis
- Customer inquiry response and notice delivery
4. Retention and Use Period
- Member information: until the member withdraws. Where there is just cause such as fraud prevention, information may be retained for the period prescribed by applicable law.
- E-commerce related records: retained for the following periods under the Korean Act on Consumer Protection in Electronic Commerce.
- Records of contracts or withdrawal of subscriptions: 5 years
- Records of payment and supply of goods: 5 years
- Records of consumer complaints or dispute resolution: 3 years
- AI memory (RAG): 365 days for Basic plan, indefinite for Pro plan — members may delete it at any time.
- Access logs: 3 months under the Korean Protection of Communications Secrets Act
- Right to data portability: You can download your personal data as a ZIP archive at any time to transfer it to another service. Request from Settings > Data; a download link is sent by email and expires in 24 hours.
5. Provision of Personal Information to Third Parties
The Company does not provide members' personal information to third parties, except in the following cases.
- When the member has given prior consent
- When required by law or by an investigative authority through lawful procedures
6. Outsourcing of Personal Information Processing
The Company outsources personal information processing as follows for service provision.
| Trustee | Outsourced Work | Information Processed |
|---|---|---|
| Toss Payments | Payment processing, recurring billing | Email, payment identifier, payment information |
| Supabase Inc. | Database hosting | Member information, birth information, conversation history |
| Google LLC (Vertex AI) | AI model inference (Gemini, primary provider) | AI consultation conversation content (real-time processing, not used for training) |
| OpenAI Inc. | AI model inference (auxiliary provider used as automatic fallback during Gemini outages) | AI consultation conversation content (real-time processing, not used for training) |
| Resend Inc. | Email delivery (verification, password reset, feedback replies, etc.) | Email address |
Some trustees are located overseas (United States), so personal information may be transferred internationally. The Company takes safety measures in accordance with applicable laws.
7. Rights of Data Subjects and How to Exercise Them
Members may exercise the following rights at any time.
- Request access, correction, or deletion of personal information
- Request suspension of personal information processing
- Withdraw membership (can be done directly via the in-service settings page or customer support)
Rights may be exercised directly within the service or by contacting customer support ([email protected]).
8. Safeguards for Personal Information
- Passwords are stored using a one-way hash algorithm (bcrypt); the original cannot be recovered.
- All communication channels are encrypted with HTTPS/TLS.
- Database access is restricted to authorized backend servers, with Row Level Security ensuring members can access only their own data.
- Birth information, conversation history, and other data are stored in databases under the access controls above and are not exposed externally.
- Administrator access logs are recorded and regularly reviewed to monitor for abnormal access.
- Authorized administrators may review pseudonymized conversation content for the purposes of service quality improvement, security, and legal compliance. Personally identifiable information in messages is automatically masked, and every access is recorded in an audit log.
9. International Data Transfers
Some of the data processors listed in Section 6 are located outside the Republic of Korea (for example, in the United States). When you use the Service, your personal information may be transferred to and processed in those countries. The Company takes the safeguards required by applicable law for such international transfers. Regardless of where you are located, you may exercise your rights as a data subject — including access, correction, deletion, and suspension of processing — at any time as described in Section 7.
10. Personal Information Protection Officer
11. Changes to This Policy
When this Privacy Policy is amended, the Company will notify members via in-service announcements at least 7 days before the effective date. For changes that materially affect member rights, notice will be given at least 30 days in advance.
This policy is effective from 2026-06-05.