Privacy Policy

Scope of This Policy

• •Applies to all users of K-Fate service (website and future mobile apps)
• •Covers personal information collected through all service channels
• •Supplements our Terms of Service

Regulatory Compliance

• •GDPR (EU General Data Protection Regulation) - for European users
• •CCPA (California Consumer Privacy Act) - for California residents
• •PIPEDA (Personal Information Protection and Electronic Documents Act) - for Canadian users
• •Korean Personal Information Protection Act (개인정보보호법) - for Korean users

Our Privacy Principles

• •Data Minimization: We only collect data essential for service delivery
• •Transparency: We clearly explain what data we collect and why
• •User Control: You can access, modify, or delete your data at any time
• •Security First: All data is encrypted in transit and at rest

2.1 Essential Information (Account Registration)

• •Authentication Data (via Auth0): Email address, social login provider ID, password (hashed)
• •Saju Calculation Data: Date of birth (required), time of birth (optional), solar/lunar calendar type
• •Profile Information: Nickname/display name, profile photo (optional)

2.2 Automatically Collected Information

• •Technical Information: IP address, browser type/version, operating system, device type
• •Usage Information: Page views, click events, session duration, counseling completion status
• •Cookies & Tracking: Session cookies, local storage, analytics cookies (Vercel Analytics)

2.3 AI Counseling Data

• •Conversation Content: Your questions (user prompts), AI responses, conversation history
• •Counseling Metadata: Session ID, AI model used (Upstage Solar Pro 2), token usage, counseling category

2.4 Data Processing Purposes

• •Authentication Info: Account registration and login (Legal basis: Contract performance - GDPR 6(1)(b))
• •Birth Date: Saju calculation and AI counseling (Legal basis: Contract performance)
• •Conversation Content: AI counseling provision, service improvement (Legal basis: Legitimate interest - GDPR 6(1)(f))
• •Usage Information: Service analysis, performance improvement (Legal basis: Legitimate interest)
• •Cookies: Session maintenance, personalized experience (Legal basis: Consent - GDPR 6(1)(a))

2.5 Data Retention Periods

• •Account Information: Retained until account deletion, immediate deletion with 30-day grace period
• •Counseling History: Members - Indefinite until user requests deletion / Guests - Until session ends
• •Access Logs: Retained for 90 days, automatic expiration
• •Error Logs: Retained for 1 year, automatic expiration
• •Payment Information: Retained for 5 years (Korean E-commerce Act), deleted after legal obligation period

3.1 Upstage Solar Pro 2 Integration

• •We use Upstage Solar Pro 2 as our primary AI model for counseling services
• •Your birth chart data and questions are sent to Upstage API via encrypted HTTPS connection
• •Upstage stores conversation data for 30 days then automatically deletes it
• •Upstage does NOT use your data for AI model training (confirmed by Upstage Data Policy)

3.2 Personal Information Masking

Before sending data to AI, we mask sensitive information:

• •Birth dates are converted to anonymous IDs
• •Names are replaced with generic placeholders
• •Email addresses are not included in AI requests

3.3 Caching Policy

• •We may temporarily cache AI responses (up to 24 hours) to improve performance
• •Cached responses are stored in encrypted form
• •Cache is automatically cleared after expiration

3.4 Automated Decision-Making

K-Fate uses automated decision-making in the following cases:

4.1 GDPR Rights (EU Users)

4.2 CCPA Rights (California Residents)

4.3 Korean Law Rights

5.1 Online (Self-Service)

You can manage your personal information directly through your account:

• •Access your Account Settings page
• •View, edit, or delete your personal information
• •Download your data (coming soon)

5.2 Email Request

Send your request to:

• •Privacy inquiries: terry.kim3838@gmail.com
• •DPO (Data Protection Officer): terry.kim3838@gmail.com
• •Requirements: Include your registered email address and specific request details

5.3 Response Timeline

• •We will respond within 7 business days (acknowledgment)
• •Full response within 30 days (GDPR requirement)
• •May extend up to 60 days for complex requests (with notification)

5.4 Identity Verification

To protect your privacy, we must verify your identity before processing requests. We may ask for:

• •Registered email address
• •Account password or security question
• •Government-issued ID (for sensitive requests only)

6.1 Essential Cookies (Required)

These cookies are necessary for the website to function and cannot be disabled:

• •Session Cookie (Auth0): Maintains login session, expires at browser close
• •Locale Preference: Remembers language selection, expires after 1 year

6.2 Analytics Cookies (Optional)

These cookies help us understand how you use our service and can be disabled:

• •Vercel Analytics: Tracks page views and user behavior, expires after 1 year

6.3 Cookie Consent Management

• •Accept all cookies (recommended)
• •Accept essential cookies only
• •Browser settings: Most browsers allow you to refuse cookies

7.1 Encryption in Transit

• •All client-server communication uses TLS 1.3 encryption
• •Automatic SSL certificate via Vercel (Let's Encrypt)
• •HSTS (HTTP Strict Transport Security) enabled

7.2 Encryption at Rest

• •Database Encryption: Supabase PostgreSQL with AES-256 encryption
• •Sensitive fields (birth date, birth time) have additional encryption layer
• •Encryption keys managed by Supabase Vault
• •File Storage: Vercel Blob Storage with automatic encryption
• •Profile images and backup files: AES-256 encryption

7.3 Encryption Key Management

• •Vercel Environment Variables: Encrypted environment variable storage
• •Supabase Vault: Database encryption key management
• •Regular key rotation: Every 90 days

8.1 Data Classification

• Critical: Password, payment information (DPO only access)
• Sensitive: Birth date, counseling history (Authorized personnel only)
• Internal: Usage logs, analytics (Development team access)
• Public: Shared Saju results (Public if user chooses to share)

8.2 Access Control

• •Role-Based Access Control (RBAC) via Auth0
• •Multi-factor authentication (MFA) for admin accounts
• •Audit logs for all data access (retained for 1 year)

8.3 Third-Party Data Sharing

We share data with the following service providers:

• •Auth0 (US): Authentication - Email, password hash
• •Upstage (Korea): AI Counseling - Birth chart, questions
• •Supabase (US/EU): Database - All account data
• •Vercel (US/Global CDN): Hosting & Analytics - Usage logs
• •Note: All service providers have signed Data Processing Agreements (DPAs) compliant with GDPR Article 28

8.4 International Data Transfers

Your data may be transferred to and stored in countries outside your residence:

• •EU to US: Standard Contractual Clauses (SCCs)
• •EU to Korea: Adequacy decision (pending - SCCs used meanwhile)
• •All transfers comply with GDPR Chapter V requirements

9.1 Incident Detection

• •24/7 automated monitoring
• •Real-time alerts for suspicious activity
• •Regular security audits

9.2 Breach Notification

• •GDPR (EU): Within 72 hours of discovering a breach (Article 33-34)
• •CCPA (California): Without unreasonable delay
• •Korean Law: Within 24 hours
• •Affected users: We will notify you via email if your data was compromised

9.3 Post-Incident Actions

• •Immediate containment and mitigation
• •Forensic investigation
• •Notification to authorities and affected users
• •Remediation and security improvements

DPO Responsibilities

• •Monitor GDPR compliance
• •Advise on data protection impact assessments
• •Serve as contact point for supervisory authorities
• •Handle user privacy requests and complaints

Alternative Contact

For general privacy questions (non-urgent):

11.1 Update Notification

• •Email notification (for material changes)
• •In-app banner (for 30 days after update)
• •This page (with "Last Updated" date)

11.2 Change Log

Version history of this Privacy Policy:

• •Version 1.0 (November 3, 2025): Initial Privacy Policy published

11.3 Continued Use = Consent

By continuing to use K-Fate after policy updates, you accept the revised Privacy Policy. If you disagree, please discontinue use and delete your account.