Privacy Policy
Noleji.ai ("we", "us", "the Service") respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal information. We comply with the Personal Information Protection Act of Korea (PIPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable laws.
1. Information We Collect
- Newsletter sign-up: email address, sign-up timestamp.
- Paid membership: email, payment processor token, billing history.
- OAuth login (Threads, Instagram, Facebook, Google, etc.): platform user ID, public profile information (name, profile picture), email address, access and refresh tokens.
- Advertising SaaS users: ad account IDs, campaign metadata, platform API tokens.
- Comments and reactions: login account identifier, content_slug, content_date, comment body, reaction kind, and timestamp.
- Feedback: email address, message content, and page path.
- Anonymous dwell measurement: when consented, content_slug, content_date, pillar, session_id cookie, and dwell_ms. The widget does not include an IP address in the payload, and the API storage policy is to not store IP addresses for dwell measurement.
- Security/access logs: hosting or security infrastructure may temporarily process browser, operating system, referrer, access time, and transport-layer IP for abuse prevention.
- Inquiries: email address and message content.
We do not knowingly collect personal information from children under the age of 14 (under 16 in the EU).
2. Purposes of Processing
- Delivering newsletters and content, verifying membership eligibility.
- Processing payments, settlements, and refunds for paid services.
- Exercising OAuth permissions you explicitly grant to publish, manage, and analyze content on social platforms.
- Operating and reporting advertising campaigns and settling with advertisers.
- Providing comments, saving reactions, receiving feedback, and replying where appropriate.
- Improving content quality and page reliability through consent-based anonymous dwell measurement.
- Responding to inquiries and resolving disputes.
- Improving service quality, developing new services, preventing fraud and abuse.
- Complying with legal obligations.
3. Legal Basis (GDPR)
For users in the European Economic Area and the United Kingdom, we rely on the following legal bases under GDPR Article 6:
- Consent for newsletters, OAuth scope grants, and optional cookies.
- Performance of a contract for paid memberships and advertising services.
- Legitimate interests for security, fraud prevention, and basic analytics.
- Legal obligation for tax, accounting, and lawful requests.
4. Retention Periods
- Newsletter sign-up: until you unsubscribe. Deleted within 30 days of unsubscription.
- Membership and payment records: 5 years (Korean Act on the Consumer Protection in Electronic Commerce, Article 6).
- OAuth tokens: deleted immediately upon token revocation or account disconnection. In no event retained longer than 90 days.
- Comments and reactions: until the comment, article, or account deletion request is processed, unless a legal dispute requires limited retention.
- Feedback records: 3 years after resolution.
- Anonymous dwell records: up to 13 months after collection. The session_id cookie lasts up to 180 days.
- Access logs: 3 months (Korean Protection of Communications Secrets Act).
- Support inquiries: 3 years after resolution.
After the retention period ends, personal information is permanently and irreversibly deleted.
5. Sharing with Third Parties
We do not sell, rent, or share your personal information with third parties except:
- With your explicit prior consent.
- When required by law or valid legal process.
- For advertising SaaS users, with the ad platforms (Meta, Naver, Kakao, etc.) you have authorized, limited to the scope strictly necessary to operate your campaigns.
6. Service Providers
- Hosting: self-hosted static web service, Cloudflare — static assets and caching.
- Email delivery: ESP provider — newsletter delivery (named here upon adoption).
- Membership API: Vercel and Supabase — login, comments, reactions, feedback, and consent-based anonymous dwell measurement.
- Payments: Toss Payments / Stripe — payment processing.
- Analytics: self-hosted analytics or cookieless tools such as Plausible / Cloudflare Web Analytics.
All service providers are contractually prohibited from using personal information for purposes beyond providing the contracted service.
7. International Data Transfers
Some service providers (Cloudflare, Stripe, etc.) may process data outside the Republic of Korea. We apply appropriate safeguards under PIPA Article 28-8 and GDPR Articles 46–49, including Standard Contractual Clauses where applicable.
8. Your Rights
You may exercise the following rights at any time:
- Access, rectification, deletion, and restriction of processing.
- Withdrawal of consent.
- Account termination.
- GDPR users: data portability, objection to processing, the right not to be subject to automated decision-making.
- CCPA/CPRA users: the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to non-discrimination.
To exercise these rights, contact noleji.ai@gmail.com or use the Data Deletion page. We respond within 30 days (extendable once, where permitted).
9. Security
- Administrative: access controls, periodic reviews.
- Technical: TLS in transit, encryption of OAuth tokens at rest, intrusion prevention.
- Physical: locked NAS, isolated backups.
10. Cookies and Similar Technologies
We use strictly necessary cookies to provide the Service (e.g., session continuity). The static-site widget may use noleji_privacy_consent to store your consent choice and noleji_session_id for consent-based anonymous dwell measurement. We prefer cookieless analytics. We do not use cross-site tracking cookies that identify you without separate consent. You may control cookie use in your browser settings.
11. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority (Personal Information Protection Commission of Korea, and where applicable EU/UK data protection authorities) and affected users within 72 hours of becoming aware of the breach.
12. Meta Platforms (Threads / Instagram / Facebook) Addendum
The following terms apply when the Service is connected to Meta platforms via OAuth.
- We access data only within the OAuth scopes you explicitly authorize.
- We do not use data received from Meta to build advertising targeting databases, to sell to other parties, or to perform credit scoring.
- You may revoke our access at any time from your Meta account settings under "Apps and Websites". Upon revocation, we delete the associated tokens immediately.
- You may request data deletion through our Data Deletion page.
13. Data Protection Officer / Contact
- Controller: Noleji.ai (sole operator).
- Contact: noleji.ai@gmail.com
14. Complaints and Redress
You may lodge a complaint with the supervisory authority of your residence. In Korea:
- Personal Information Dispute Mediation Committee (privacy.go.kr / 1833-6972)
- Korea Internet & Security Agency, Privacy Infringement Report Center (privacy.go.kr / 118)
15. Changes to This Policy
We will post any changes to this Privacy Policy on this page at least 7 days before they take effect (30 days for material changes).