Privacy Policy
Effective Date: March 4, 2026
ArcSolve ("Company") establishes and discloses this Privacy Policy as follows in order to protect users' personal information in accordance with the Personal Information Protection Act and to ensure that related complaints can be handled promptly and smoothly.
For data collected through ArcSolve Chrome Extension, ArcSolve complies with the Chrome Web Store User Data Policy, including the Limited Use requirements.
1. Categories of Personal Information Collected
The Company collects the following personal information to provide the Service.
A. Member Information
Through social login account linking (Google, Kakao), the following information is collected.
| Category | Items Collected |
|---|---|
| Required | Email address, social account identifier |
| Optional | Profile image, name |
B. User Content
Materials uploaded or entered by users into the Service, including documents, images, audio, text, URLs, and similar materials, may contain personal information. The Company processes such materials only for the purpose of providing the Service and protects them at the same level.
C. Derived Data
Derived data, such as summaries, transcriptions, analysis results, and search indexes generated by AI based on user content, may be created in the course of using the Service.
D. Automatically Collected Information
| Items Collected | Purpose of Collection |
|---|---|
| IP address, browser and device information | Security and prevention of misuse |
| Service usage records, access logs | Ensuring service stability and responding to errors |
| Cookies, device identifiers | Maintaining login state and improving the Service |
The Company does not collect sensitive information (such as ideology, beliefs, health, or genetic information) or unique identifying information (such as resident registration numbers).
2. Purposes of Collection and Use of Personal Information
| Purpose Category | Detailed Purpose | Legal Basis |
|---|---|---|
| Service provision | Sign-up and authentication, document management, provision of AI features (chat, summarization, transcription, image generation, web search), generation of search indexes | Conclusion and performance of a contract (Article 15(1)4 of the Act) |
| Billing and settlement | Paid service billing, usage tracking, refund processing | Conclusion and performance of a contract, statutory obligations (Electronic Commerce Act) |
| Customer support | Responding to inquiries, dispute resolution, delivery of notices | Conclusion and performance of a contract |
| Security and misuse prevention | Detection of abnormal usage, access control, incident investigation | Legitimate interest (Article 15(1)6 of the Act) |
| Service improvement | Analysis of usage statistics and feature improvement (based on de-identified and statistical processing) | Legitimate interest (Article 15(1)6 of the Act) |
3. Retention and Use Period of Personal Information
The Company destroys personal information without delay once the purpose of collection and use has been achieved. However, in the following cases, such information is retained separately for the periods below.
| Data Type | Retention Period | Basis |
|---|---|---|
| User content and derived data | Destroyed without delay upon deletion request or account withdrawal | Internal policy |
| Records regarding contracts or withdrawal of subscription/applications | 5 years | Electronic Commerce Act |
| Records regarding payment and supply of goods/services | 5 years | Electronic Commerce Act |
| Records regarding consumer complaints or dispute resolution | 3 years | Electronic Commerce Act |
| Records regarding display and advertising | 6 months | Electronic Commerce Act |
| Access logs | At least 3 months | Protection of Communications Secrets Act |
| Security and misuse prevention records | 1 year | Internal policy |
4. Procedures and Methods of Destruction of Personal Information
- Destruction procedure: Personal information whose retention purpose has been fulfilled or whose retention period has expired is moved to a separate database (or separate storage) and retained for a certain period before destruction.
- Destruction method: Electronic files are deleted using methods that make recovery impossible, and paper documents are shredded or incinerated.
- Deletion of derived data: If user content is deleted, summaries, transcriptions, search indexes, and other data derived from that content are also deleted together.
5. Provision of Personal Information to Third Parties
The Company does not provide users' personal information to third parties without consent. Exceptions are as follows.
- Where the user has given prior consent
- Where disclosure is required by law or requested in accordance with procedures prescribed by law for investigative purposes
6. Entrustment of Personal Information Processing
The Company entrusts the following personal information processing tasks for smooth service operation.
| Entrusted Party | Entrusted Task | Retention Period |
|---|---|---|
| Toss Payments Co., Ltd. | Payment processing and settlement | Until the end of the entrustment contract |
| Google LLC (Google Cloud Platform) | Server hosting and asynchronous job processing | Until the end of the entrustment contract |
| Cloudflare, Inc. | File storage (R2) and CDN | Until the end of the entrustment contract |
| Supabase, Inc. | Member authentication processing | Until the end of the entrustment contract |
| Mixpanel, Inc. | Service usage statistics analysis | 1 year |
| Google LLC (Google Analytics) | Web traffic analysis | In accordance with Google's policy |
Any changes to the list of entrusted parties will be announced through this Policy.
7. Cross-Border Transfer of Personal Information
The Company transfers personal information internationally as follows in order to provide the Service. All cross-border transfers occur only when the user directly uses the relevant feature. If the feature is not used, no data is transmitted.
| Transfer Trigger (Feature) | Data Transferred | Recipient (Country) | Purpose of Transfer | Basis for Transfer | Retention Period |
|---|---|---|---|---|---|
| When using AI chat, summarization, or translation features | User input text, document content (in part or in full) | Via OpenRouter, Inc. (United States) — including OpenAI, Anthropic, DeepSeek, and others | Generation of AI responses | Processing necessary for contract performance | Not retained after processing is complete |
| When using AI chat, summarization, or translation features | Same as above | Google LLC (United States, Vertex AI) | Generation of AI responses | Processing necessary for contract performance | Not retained after processing is complete |
| When using the speech transcription feature | Real-time audio stream | Fireworks AI, Inc. (United States) | Speech-to-text conversion | Processing necessary for contract performance | Not retained after processing is complete |
| When using the image generation feature | User input prompt | Google LLC (Korea, Vertex AI Imagen) | Image generation | Processing necessary for contract performance | Not retained after processing is complete |
| When generating document search indexes | Document text chunks | OpenAI, Inc. (United States) | Generation of text embeddings | Processing necessary for contract performance | Not retained after processing is complete |
| When parsing PDFs | PDF files | RunPod, Inc. (United States/EU) | PDF-to-text conversion | Processing necessary for contract performance | Not retained after processing is complete |
| When using web search features | Search query | Google LLC (United States, Custom Search) | Delivery of web search results | Processing necessary for contract performance | Not retained after processing is complete |
| When using YouTube search features | Search query | Google LLC (United States, YouTube Data API) | Delivery of YouTube search results | Processing necessary for contract performance | Not retained after processing is complete |
| When using the Service (automatic) | Feature usage records, device and browser information | Mixpanel, Inc. (United States) | Analysis of service usage statistics | Legitimate interest | 1 year |
| When accessing the web service (automatic) | Pageviews, sessions, referral paths | Google LLC (United States, Google Analytics) | Analysis of web traffic | Legitimate interest | In accordance with Google's policy |
The speech transcription server relays audio and text in real time only and does not store them in memory or on disk. External AI providers receive data only for the purpose of processing service features and do not retain it after processing is complete.
8. Data Processing in AI Services
- No training use policy: The Company does not use user content or derived data to train AI models.
- Scope of processing: AI features are processed in real time at the user's request and access user content only to the extent necessary to fulfill the request.
- Human review: In principle, Company personnel do not review user content. However, access may occur within the minimum necessary scope in the following cases:
- Where the user has directly shared the content through an inquiry or report
- Where required to respond to a service disruption or security incident
- Where required by law
9. Automatically Collected Information and Cookies
- The Company may automatically collect cookies, service usage records, device information, and similar information in the course of providing the Service. The cookies currently used are as follows.
| Name | Purpose | Type | Expiration |
|---|---|---|---|
Session cookies (sb-*) | Maintain login status | HttpOnly, Secure cookies, essential | Up to 400 days |
Google Analytics (_ga, _ga_*) | Web traffic analysis (pageviews, sessions) | Cookies, analytics | Up to 2 years |
Mixpanel (mp_*) | Service usage analytics | localStorage, analytics | 1 year |
- Users may refuse cookie storage or delete localStorage data through browser settings. In that case, use of some features, including login, may be restricted.
- To ensure service stability and improve quality, the Company collects usage records through Mixpanel (feature usage statistics) and Google Analytics (web traffic). In this process, the body content of user content is restricted from being included.
10. Automated Decision-Making
- The Company may use AI technology to perform automated processing such as document classification, summarization, and recommendations.
- Automated processing results are provided for reference purposes only and are not used for decisions that affect users' legal rights or significant interests.
- Users may request an explanation of automated processing or raise an objection to it.
11. Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
- Administrative measures: Privacy training, establishment and implementation of internal management plans, minimization of access rights
- Technical measures:
- Session management: Application of HttpOnly, Secure, and SameSite cookie policies
- Authentication: Social login based on OAuth 2.0 PKCE and JWT authentication between services
- CSRF protection: Combined verification of Origin, Fetch Metadata, and extension headers
- CORS: Credential transmission permitted only for trusted domains
- Rate limiting: Request rate limits by API endpoint
- Data transmission: TLS-encrypted communication
- Access control: Application of the role-based least privilege principle
12. Users' Rights and How to Exercise Them
- Users may request access to, correction of, deletion of, or suspension of processing of their personal information at any time.
- Such rights may be exercised through in-service settings or by emailing the Data Protection Officer, and the Company will take action without delay.
- Users can directly use the following functions within the Service:
- Account deletion (withdrawal)
- Individual deletion of user content
13. Personal Information of Children Under 14
The Company does not allow children under the age of 14 to register for the Service and does not collect personal information from children under the age of 14.
14. Data Protection Officer and Remedies
Data Protection Officer
- Name: Kyungmin Cho
- Title: Chief Executive Officer
- Email: privacy@arcsolve.ai
Remedy Institutions
If you require consultation regarding a personal information infringement, you may contact the following institutions.
- Personal Information Dispute Mediation Committee: www.kopico.go.kr / +82-1833-6972
- Personal Information Infringement Report Center: privacy.kisa.or.kr / 118
- Cyber Investigation Division, Supreme Prosecutors' Office: www.spo.go.kr / 1301
- Cyber Bureau, Korean National Police Agency: ecrm.police.go.kr / 182
15. Changes to This Privacy Policy
This Privacy Policy takes effect on the effective date, and any changes will be announced through the Service at least 7 days before the effective date of the changes.
For questions about this Policy, please contact privacy@arcsolve.ai.