ESTsoft, Inc. (hereinafter referred to as the "Company") highly values the personal information of users and strictly complies with the Personal Information Protection Act and relevant laws to process personal information lawfully and manage it securely.


In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses the Privacy Policy below for users of the PERSO service (including mobile and web) to guide users on the procedures and standards for processing personal information and to handle related grievances promptly and efficiently.

1. Purpose of Processing Personal Information

The Company uses personal information solely for the following purposes including membership management, service development, provision, and enhancement of the PERSO service (including mobile and web):


- Personal information is used for membership management purposes such as confirming the user’s intention to register, verifying age and obtaining consent from the legal representative, verifying the identity of users and their legal representatives, identifying users, and confirming the intention to withdraw membership.

- In addition to providing existing services (including advertisements), personal information is used for discovering new service elements and improving existing services through demographic analysis and analysis of service visits and use records.

- The Company collects personal information provided by Members including text, voice, scripts, images, videos, and biometric data. This information is used to generate videos, avatars, and other forms of output along with collecting metadata related to the input. Additionally, the input provided by users may be employed to improve Services or to train models.

- Personal information is used to protect users and operate services by implementing use restrictions for Members violating laws or PERSO Terms of Service, preventing and sanctioning actions that hinder smooth service operation, delivering notices such as amendments of Terms and Conditions, and handling complaints.

- Personal information is used for identity verification, purchases, and payment processing related to providing paid service.

- Personal information is used for marketing and promotional purposes.

- Personal information is used for analyzing service use records and access frequency, compiling statistics of service use, and conducting service analysis and statistics processing.

- Personal information is used to establish a secure service environment, ensuring that users can use the Service with confidence in terms of security, privacy, and safety.

2. Notice on the Collection and Use of Personal Information

1) The Company collects only the minimum personal information necessary for service use.
2) The Company processes users’ personal information as follows:

Personal Information Processed Without the Data Subject’s Consent

| Legal Basis | Category | Purpose of Collection | Information Collected | Retention and Use Period |
| --- | --- | --- | --- | --- |
| Article 15(1)(4) of the Personal Information Protection Act (Performance of a contract) | Membership registration and service use | User registration and identification | Email, password | 6 months after membership withdrawal |
| | | Inquiry and complaint handling | Name, mobile phone number, email | Up to 3 years in accordance with relevant laws |
| | | Password reset | Email, password | 6 months after membership withdrawal |
| | | Social media membership registration | Google, Microsoft name/email | 6 months after membership withdrawal |
| | Service operation and management | Payment card registration and payment | Card number, expiration date, first two digits of card password, date of birth/business registration number, email | Until membership withdrawal or up to 5 years according to relevant laws |
| | | Service development, provision, and improvement | Images, videos, audio recordings, voice data, texts, scripts, biometric information, etc. | Stored for the period permitted by relevant laws |
| | | Model generation and interpretation (Processes video recordings and voice recordings provided for Services such as video and voice synthesis, dubbing, and translation to generate models.) | Images, videos, audio recordings, voice data, texts, scripts, biometric information, etc. | Stored for the period permitted by relevant laws |
| | | Entered data verification (Personal data may be processed to prevent malicious, fraudulent, and illegal activities and “deepfake” creation.) | Images, videos, audio recordings, voice data, texts, scripts, etc. | Stored for the period permitted by relevant laws |
| | | In-service sharing feature (Allows sharing with other users) | Templates, videos, other content | Stored for the period permitted by relevant laws |


Personal Information Processed with the Data Subject’s Consent

| Category | Purpose of Collection | Information Collected | Retention and Use Period |
| --- | --- | --- | --- |
| Membership registration and service use | User registration and identification | Name | 6 months after membership withdrawal |
| | Social media membership registration | User-selected settings | 6 months after membership withdrawal |
| Marketing | Personalized marketing, sending promotional benefits, service updates and information | Email, name | Until consent is withdrawn |

Notice on the Processing of Personal Information Without Consent
- The Company will notify data subjects of the categories and legal basis for processing personal information without consent through methods prescribed by the Presidential Decree, such as email.
- During service use and while handling service-related tasks, the following information may be generated or additionally collected:
  - IP address, cookies, access logs, visit date and time, service usage records, and records of misuse.
To provide specialized services, the Company may collect additional personal information beyond what is commonly collected through the PERSO account only after obtaining the data subject’s consent.
In cases where personal information is collected, the Company will inform the data subject in advance and obtain consent. The Company collects personal information through the following methods:
- When the data subject agrees to the collection of personal information and directly inputs their information during the PERSO account creation process on the website.
- When personal information is provided by affiliated services or organizations.
- When the data subject provides information during service consultations via email, fax, or phone call or in writing.

3. Processing of Personal Information for Children Under the Age of 14

1) The Company does not collect personal information from children under the age of 14. If consent is required, however, the Company will obtain consent from the child’s legal guardian.

2) When obtaining consent from a legal guardian regarding the processing of personal information for children under 14, the Company may request minimal information such as the legal guardian’s name and contact details. The legal guardian may indicate their consent on an Internet website where the consent details are provided, and the Company will verify such consent via a text message sent to the legal guardian’s mobile phone.

4. Installation and Refusal of Automated Personal Information Collection Devices

To provide personalized and customized services, the Company uses “cookies” that store and retrieve user information as needed.

Definition of Cookies
Cookies are small text files sent from the web server to the data subject’s browser and stored on the data subject’s computer hard drive.

Purpose of Use
Cookies help users conveniently use the website according to their preferences when they revisit. Cookies are also used to provide personalized and customized services based on the data subject’s website visit records and use patterns.

Rejection of Cookie Collection
Cookies do not store information that personally identifies individuals, and data subjects can choose whether to allow cookies. Data subjects can configure their web browser settings to allow all cookies, confirm each time a cookie is stored, or block cookies entirely.

Examples of Cookie Settings:
[Web]
Internet Explorer: Go to the Tools menu at the top of the web browser > Internet Options > Privacy > Settings
Chrome: Click the Settings menu on the top right of the web browser > Scroll down and click Show Advanced Settings > Click the Content Settings button under Privacy > Cookies

[App]
(1) (Android) ① Settings → ② Privacy → ③ Ads → ④ Reset or Delete Advertising ID
(2) (iPhone) ① Settings → ② Privacy → ③ Track → ④ Turn off Allow Apps to Request to Track
※ The menu options and methods may vary slightly depending on the mobile OS version.

Collection of Behavioral Information

| Legal Basis | Behavioral Information Collected | Collection Method | Purpose of Collection | Retention and Use Period |
| --- | --- | --- | --- | --- |
| Article 15(1)(4) of the Personal Information Protection Act (Performance of a contract) | IP address, cookies, access logs, visit date and time, service usage records, and records of misuse. | Automatically collected when visiting the website | To provide personalized and customized services | - |

5. Retention, Use Period, and Disposal of Personal Information

1. The Company destroys personal information without delay when the retention period of personal information consented to by the user has expired or when the purpose of processing has been achieved, making the information no longer necessary. In the case of electronic files, deletion will be performed in a manner that prevents recovery or reproduction. For records, printed materials, and written documents, destruction will be carried out by shredding or incineration.

2. However, where personal information must be retained in accordance with the Company's internal policies or relevant laws and regulations, the information will be securely stored in a separate database (DB) for the periods and reasons stated below. During this retention period, the Company will store personal information in compliance with legal requirements and refrain from using this information for any other purpose.

3. The reasons and periods for retaining personal information are as follows:

Retention Due to the Company's Internal Policy

| Information Retained | Reason for Retention | Retention Period |
| --- | --- | --- |
| User information | Prevention of fraudulent registration and use upon withdrawal (stored and processed in an unidentifiable state) | 6 months from the date of withdrawal |
| User records | Refund processing and complaint handling | 6 months from the completion date of processing |


Retention Required by Relevant Laws

| Information Retained | Legal Basis | Retention Period |
| --- | --- | --- |
| Records on contracts or subscription withdrawals | Act on Consumer Protection in Electronic Commerce | 5 years |
| Records on payments and supply of goods | | 5 years |
| Records on consumer complaints or dispute resolution | | 3 years |
| Records on labeling/advertising | | 6 months |
| All books and supporting documents related to transactions stipulated by tax laws | Framework Act on National Taxes | 5 years |
| Records related to electronic financial transactions | Electronic Financial Transactions Act | 5 years |
| Records on access | Protection of Communications Secrets Act | 3 months |
| Records on communication verification | Protection of Communications Secrets Act | 12 months |

6. Entrustment of Personal Information Processing

1. The Company entrusts certain personal information processing tasks to third parties to ensure smooth operations of personal information handling.
2. When entering into an outsourcing agreement, the Company explicitly specifies in documents such as agreements—in accordance with Article 26 of the Personal Information Protection Act—matters regarding the prohibition of personal information processing for purposes other than performing the outsourced tasks as well as technical and managerial protection measures and supervises whether the entrusted party safely processes personal information.
3. If the details of the outsourced work or the entrusted party are added or changed, the Company will promptly disclose the changes made through prior consent notice in accordance with the relevant laws or through this Privacy Policy.

Entrusted Personal Information Processing Tasks and Entrusted Companies

| Entrusted Party | Entrusted Tasks |
| --- | --- |
| Intercom | Customer service processing and operation related to service use |
| Google LLC | Web usability analysis and improvement, account verification, and service provision for membership services |
| ESTsoft Inc. | Payment processing for paid services |
| Stripe, Inc. | Payment processing for paid services |
| Noticeable | Service-related update notifications |
| MS Azure | Data storage and IT system operation and management |
| Microsoft | Account verification and service provision for membership services |
| Hotjar | Service usage behavior analysis |

7. Cross-Border Transfer of Personal Information

The Company does not provide personal information to overseas businesses. To fulfill agreements related to the provision of information and communication services and to enhance user convenience, however, the Company transmits personal information overseas for processing tasks as outlined below. If personal information is not to be transferred overseas, notification of refusal may be made by contacting the personal information protection department via email at (privacy@estsoft.com). In such case, however, using the relevant services may no longer be possible.

Personal Information Transferred Overseas

| Legal Basis | Purpose | Categories | Time and Method | Retention and Use Period | Company and Country |
| --- | --- | --- | --- | --- | --- |
| Article 28-8(1)(3) of the Personal Information Protection Act (Entrusted Processing/Storage for Contract Fulfillment) | Web usability analysis and improvement | Visit date and time, service usage records, Cookie ID | Transmitted through an encrypted network during service provision | Until contract termination or up to 5 years from the date of collection | Google LLC/ United States |
| Article 28-8(1)(3) of the Personal Information Protection Act (Entrusted Processing/Storage for Contract Fulfillment) | Paid service provision | Transaction amount, card number, expiration date, first two digits of the card password, date of birth/business registration number, email | Transmitted through an encrypted network during service provision | Until membership withdrawal or up to 5 years according to relevant laws | ESTsoft Inc./ United States |
| Article 28-8(1)(3) of the Personal Information Protection Act (Entrusted Processing/Storage for Contract Fulfillment) | Paid service provision | Transaction amount, card number, expiration date, first two digits of the card password, date of birth/business registration number, email | Transmitted through an encrypted network during service provision | Until membership withdrawal or up to 5 years according to relevant laws | Stripe, Inc./ United States |
| Article 28-8(1)(3) of the Personal Information Protection Act (Entrusted Processing/Storage for Contract Fulfillment) | Account verification and service provision for membership services | | Transmitted through an encrypted network during service provision | | Microsoft/ United States |

8. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information:
1. Administrative Measures: Establishment and implementation of internal management plans, regular employee training
2. Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and regular updates of security programs
3. Physical Measures: Access control to computer rooms and data storage rooms

9. Rights of Users and Legal Representatives and Methods of Exercising Those Rights

1. Users may exercise their rights to request access, correction, deletion, and suspension of processing of their personal information at any time. Users may also withdraw their consent to the use of their provided personal information by submitting a cancellation request.
- Personal information can be accessed and edited in the "Account Settings" menu.
- Service cancellation and withdrawal can be requested in the "Account Settings > Membership Withdrawal" menu.
2. The rights under Paragraph 1 may be exercised by submitting a written request, an email, or a fax in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company will promptly respond to such requests.
3. The rights under Paragraph 1 may also be exercised by the user’s legal representative or an authorized agent. In such case, a power of attorney must be submitted using the form prescribed in Annex 11 of the Notice on Personal Information Processing Methods (No. 2020-7).
4. Requests for access to or suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
5. Requests for correction or deletion of personal information cannot be made if the information is specified as a collection target under other laws.
6. When a user requests access, correction, deletion, or suspension of processing, the Company will verify whether the requester is the user himself/herself or a legal representative.

Personal Information Access Request Reception and Processing Department

Department: ESTsoft Customer Center
Contact: 1544-8209
FAX: (02)-882-1155
Email: perso.info@estsoft.com

10. Privacy Officer and Responsible Department

1. The Company designates a Privacy Officer who assumes full responsibility for personal information processing and handles user complaints and damage relief related to personal information.
2. Users can contact the Privacy Officer and the relevant department for all inquiries, complaints, and damage relief related to personal information protection while using the Company’s services. The Company will respond and handle inquiries without delay.

Privacy Officer
Name: Gwon Taek-sun
Position: CTO

Privacy Department
Department: Information Security Team, IT Infrastructure Office
Telephone: 02-583-4620
Email: privacy@estsoft.com

11. Remedies for Infringement of Users' Rights

Users may request dispute resolution or consultation regarding personal information infringement by contacting the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA), or similar organizations. To file a report or consult on other personal information infringements, please contact the organizations listed below.

Personal Information Dispute Mediation Committee
Website https://www.kopico.go.kr/ Phone (without area code): 1833-6972
Personal Information Infringement Report Center (Operated by KISA)
Website https://privacy.kisa.or.kr/ Phone (without area code): 118
Cybercrime Investigation Division, Supreme Prosecutors’ Office
Website https://www.spo.go.kr/ Phone (without area code): 1301
Korea National Police Agency
Website https://ecrm.police.go.kr/ Phone (without area code): 182

12. Changes to the Privacy Policy

If there are any additions, deletions, or modifications to the provisions of this Privacy Policy, the Company will notify users at least seven (7) days in advance.
In case of significant changes affecting users’ rights such as changes to the categories of collected personal information or purpose of use, however, the Company will notify users at least thirty (30) days in advance and may obtain additional consent if necessary.

1. This Privacy Policy is effective from February 23, 2025.
2. In the event of changes to the Privacy Policy, the Company will immediately notify users through the “Notice” section of the Company’s website.

- Notice Date: January 24, 2025
- Effective Date: February 23, 2025