Privacy Policy
Effective Date: April 20, 2026 Version: 1.1.0
Victrix Co. (the “Company”) has established the following privacy policy in accordance with the Personal Information Protection Act to protect users’ personal information and rights, and to smoothly handle user grievances related to personal information.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. Personal information processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent will be implemented.
-
Member Registration and Management
- Identity verification for membership services
- Maintaining and managing membership, preventing fraudulent use
- Delivering various notices and notifications
-
Service Provision
- Providing services and content
- Subscription payment and settlement
-
Service Improvement
- Developing new services, improving existing services
- Analyzing service usage statistics (anonymized)
- User documents and conversations are never used for AI model training.
Article 2 (Personal Information Items Processed)
The Company processes the following personal information items.
1. Items Collected During Registration
| Category | Collected Items |
|---|---|
| Required | Email address, password (encrypted) |
| Optional | Name, affiliated organization |
2. Items Automatically Collected During Service Use
- Device information (OS version, app version)
- Service usage records (feature usage frequency - anonymized)
- Error logs (excluding personally identifiable information)
- Website visit statistics (website only; does not apply to the desktop app)
- Tool: Cloudflare Web Analytics (Processor: Cloudflare, Inc. — United States)
- Items collected: page URL, referrer, browser type, operating system, country-level region, page load performance metrics (Core Web Vitals)
- Items NOT collected: raw IP address (not stored), cookies, personal identifiers, device fingerprints
- Purpose: website traffic analysis and performance improvement
- Legal basis for cross-border transfer: Personal Information Protection Act Article 28-8
3. Items Collected During Payment (Processed by Paddle)
- Payment-related information is processed directly by Paddle; the Company only retains subscription status information.
Article 3 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the personal information retention and use period prescribed by law or within the retention and use period agreed upon when collecting personal information from the data subject.
| Category | Retention Period | Basis |
|---|---|---|
| Member information | Until membership withdrawal | User consent |
| Post-withdrawal member information | 30 days from withdrawal | Preventing fraudulent use |
| Payment records | 5 years | National Tax Basic Act |
| Service usage records | 1 year (after anonymization) | Service improvement |
| Customer inquiry records | 3 years | E-Commerce Act |
Article 4 (Local Data Processing)
Important: Legal Vault is a local-first service.
-
Locally Stored Data
- Legal documents uploaded or created by users
- Document indexes and search data
- Local AI model usage records
- This data is stored only on the user’s device and is not transmitted to Company servers.
-
Data Deletion
- Local data is completely deleted through in-app deletion features or app uninstallation.
- The Company cannot access or recover local data.
Article 5 (Personal Information Processing When Using Cloud AI)
-
Explicit Consent Required
- When using Cloud AI (Claude API) features, data is transmitted externally.
- This feature is activated only when the user explicitly consents.
-
Personal Information Detection and Masking
- Before transmission to Cloud AI, automatic personal information detection is performed.
- Detected personal information is masked and confirmed by the user before transmission.
- Masking targets: names, phone numbers, resident registration numbers, addresses, emails, etc.
-
Data Transmitted Externally
| Processor | Service | Country | Role |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud Run Proxy Server | South Korea (Seoul, asia-northeast3) | Cloud AI request relay |
| Anthropic, PBC | Claude (via Vertex AI Model Garden) | United States | AI document analysis |
| Google LLC | Gemini API (via Vertex AI) | United States | AI document analysis |
- Items transferred: PII-masked document content, user queries
- Purpose: AI-based document analysis, summarization, Q&A
- Legal basis for cross-border transfer: Personal Information Protection Act Article 28-8
- Processor privacy protection measures: See each processor’s privacy policy
Article 6 (Cloud Account Data)
Account-related data stored in Supabase cloud:
| Data Type | Content | Purpose |
|---|---|---|
| Authentication info | Email, encrypted password | Login |
| Organization/project info | Organization name, member list | Collaboration features |
| Subscription status | Subscription plan, expiration date | Service provision |
| Consent records | Terms consent date/time, version | Legal compliance |
Article 7 (Provision of Personal Information to Third Parties)
The Company does not, in principle, provide users’ personal information externally. However, the following cases are exceptions:
- When the user has given prior consent
- When required by law or when requested by investigative agencies following procedures prescribed by law for investigation purposes
Article 8 (Destruction of Personal Information)
- The Company destroys personal information without delay when it becomes unnecessary due to expiration of the retention period or achievement of the processing purpose.
- Destruction methods:
- Electronic files: Permanently deleted using methods that prevent recovery
- Paper documents: Shredded or incinerated
Article 9 (Rights and Obligations of Data Subjects and How to Exercise Them)
Users may exercise the following rights as personal information subjects:
- Request to access personal information
- Request to correct or delete personal information
- Request to suspend processing of personal information
- Withdraw consent
Rights may be exercised through written request, email, or in-app settings. The Company will take action within 30 days of receiving the request and notify you of the results.
Article 10 (Measures to Ensure Personal Information Security)
The Company takes the following measures to ensure personal information security:
- Administrative measures: Establishing and implementing internal management plans, regular employee training
- Technical measures: Personal information encryption, access control management, security program installation
- Physical measures: Computer room access control
Article 11 (Personal Information Protection Officer)
The Company designates a Personal Information Protection Officer as follows to handle complaints and remedy damages of data subjects related to personal information processing:
Personal Information Protection Officer
- Name: Miok Shin
- Position: CEO
- Contact: [email protected]
Article 12 (Changes to Privacy Policy)
This Privacy Policy is effective from the effective date, and if there are additions, deletions, or corrections due to changes in laws or policies, notice will be given through announcements at least 7 days before the changes take effect.
Article 13 (Remedies for Rights Infringement)
If you need to report or consult regarding personal information infringement, please contact the following organizations:
- Personal Information Infringement Report Center: 118
- Personal Information Dispute Mediation Committee: 1833-6972
- Supreme Prosecutors’ Office Cyber Investigation Division: 1301
- National Police Agency Cyber Security Bureau: 182
Victrix Co. Seocho-jungang-ro 123, B1 Room 109, Seocho-gu, Seoul, Republic of Korea (Seocho-dong, Ellen Tower)