Privacy Policy
Effective Date: February 18, 2026
Plumbug Studio (hereinafter "Company") places great importance on the protection of personal information of data subjects while operating SubX (hereinafter "Service", domain: subx.dev), a SaaS platform for in-app subscription payment management. The Company complies with applicable laws and regulations, including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection.
This Privacy Policy provides guidance on the categories, purposes, and retention periods of personal information collected by the Company, third-party disclosures, processing entrustment, the rights and obligations of data subjects and how to exercise them, and measures to ensure security.
1. Purposes of Processing Personal Information
The Company processes personal information for the following purposes. Personal information processed shall not be used for any purposes other than those specified. If purposes change, the Company will take necessary measures, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.
- Member Registration and Management: Member identification, conclusion/maintenance/performance of service use agreements, identity verification, account security management, email authentication, and delivery of notices.
- Service Provision: In-app subscription payment management, API key issuance and authentication, management of project and application information, receipt validation, subscription status inquiry, and provision of analytics data.
- Payment Processing: Processing paid plan subscription payments via Paddle, invoice issuance, and refund processing.
- Customer Support: Receiving and processing inquiries, resolving complaints, and providing technical support.
- Service Improvement and Analytics: Statistical analysis of service usage, error detection, development of new features, and improvement of service quality.
- Legal Compliance: Record retention pursuant to applicable laws and regulations, dispute resolution, and response to legal claims.
2. Categories of Personal Information Processed and Retention Periods
The categories of personal information processed by the Company, processing purposes, and retention periods are as follows.
| Category | Items Collected | Purpose | Retention Period |
|---|---|---|---|
| Registration | Email address, name (nickname), password (bcrypt hash) | Member identification, authentication, account management | Until account deletion (immediately destroyed upon deletion) |
| Service Use | Project information, application information (bundle ID, package name), API keys, subscription event logs | Service provision, analytics | Until account deletion (immediately destroyed upon deletion) |
| Payment | Email, name, billing country (transmitted to Paddle), Paddle customer ID, subscription ID, plan information (Payment instrument details such as credit card numbers are collected and stored directly by Paddle and are not stored by SubX.) | Payment processing, invoice management | 5 years pursuant to the E-Commerce Act |
| Auto-collected | IP address, browser/OS information (User-Agent), service access date and time, cookies (JWT authentication token), page visit logs | Security, unauthorized access detection, service analytics | 3 months pursuant to the Protection of Communications Secrets Act |
| Inquiries | Email, inquiry content, attachments | Inquiry processing, dispute resolution | 3 years after resolution |
Statutory Retention Periods: The Company retains relevant records for the following periods in accordance with applicable laws.
- Records of contracts and withdrawal of offers: 5 years (Act on Consumer Protection in Electronic Commerce)
- Records of payment and supply of goods: 5 years (same Act)
- Records of consumer complaints and dispute resolution: 3 years (same Act)
- Access logs and access IP information: 3 months (Protection of Communications Secrets Act)
- Tax invoices and transaction evidence: 5 years (Framework Act on National Taxes)
3. Disclosure of Personal Information to Third Parties
As a general rule, the Company does not disclose personal information of data subjects to external parties. However, such information may be disclosed as described below based on the consent of data subjects or in accordance with applicable laws.
| Recipient | Purpose | Items Disclosed | Retention Period |
|---|---|---|---|
| Paddle.com Market Ltd (Payment processor, United Kingdom) | Processing paid subscription payments, acting as Merchant of Record | Email, name, billing country | Subject to Paddle's Privacy Policy (statutory retention period after payment completion) |
Paddle complies with the EU General Data Protection Regulation (GDPR) and UK GDPR, and bears legal responsibility related to payments as Merchant of Record. Paddle's privacy policy is available at paddle.com/legal/privacy.
In addition, personal information may be disclosed in accordance with applicable laws in response to requests from investigative authorities pursuant to relevant laws and regulations, or when urgently necessary to protect the life, physical safety, or property of a data subject.
4. Entrustment of Personal Information Processing
The Company entrusts personal information processing tasks as described below for the purpose of service provision. In entrustment agreements, the Company stipulates necessary provisions to ensure that personal information is managed securely in accordance with applicable laws.
| Processor | Entrusted Tasks | Retention Period |
|---|---|---|
| Google LLC (smtp-relay.gmail.com) | Email delivery (authentication emails, service notices, notifications) | Until termination of entrustment agreement |
The Company's server infrastructure (databases, web servers) is operated on its own servers and is not entrusted to any third-party cloud hosting provider. Web analytics for the service is conducted using a self-hosted Umami instance (analytics.plumbug.studio), and collected data is not transmitted to any external parties.
5. Rights and Obligations of Data Subjects and How to Exercise Them
Data subjects (users) may exercise the following personal information protection rights against the Company at any time.
- Right to Access: Data subjects may verify the processing status, purposes, and categories of personal information held by the Company.
- Right to Rectification and Erasure: Data subjects may request rectification of inaccurate or incomplete personal information, and may request erasure where the processing purpose has been fulfilled or is no longer necessary. However, erasure may be restricted where the information is designated as subject to collection under other applicable laws.
- Right to Restriction of Processing: Data subjects may request that the processing of their personal information be suspended. However, such requests may be refused where there are special provisions under applicable laws or where compliance with a legal obligation makes suspension unavoidable.
- Right to Withdraw Consent: Data subjects may withdraw their consent to the collection and use of personal information at any time. However, withdrawal of consent may restrict access to certain services.
How to Exercise Rights
- In-service Settings: After logging in, data subjects may directly modify their information or delete their account on the account settings page.
- Email Inquiry: Submit a request to support@subx.dev stating your full name, email address, and the nature of your request.
- Processing Timeline: The Company will process requests and notify data subjects of the outcome within 10 days of receipt.
- Legal Representative: The legal representative of a child under the age of 14 may exercise rights with respect to that child's personal information. (The Company does not permit children under the age of 14 to register for the service.)
6. Procedures and Methods for Destroying Personal Information
When personal information becomes unnecessary — due to the expiration of its retention period or the fulfillment of the processing purpose — the Company destroys such information without delay.
Destruction Procedures
When a user requests account deletion or the retention period expires, the Company destroys the information without delay (generally within 5 days) under the supervision of the Personal Information Protection Officer. However, where retention is required by applicable laws, the information is separated into a dedicated database, retained for the prescribed period, and then destroyed.
Destruction Methods
- Electronic Files: Permanently deleted from the database using a method that prevents recovery (DELETE SQL or row-level overwriting).
- Paper Documents: Shredded or incinerated. (The Company does not currently collect personal information in paper form.)
7. Measures to Ensure the Security of Personal Information
The Company implements the following security measures in accordance with Article 29 of the Personal Information Protection Act and the Standards for Ensuring the Security of Personal Information.
- Password Encryption: User passwords are stored as one-way hashes using the bcrypt algorithm, preventing even Company employees from viewing the original plaintext.
- Communication Encryption: HTTPS with TLS 1.2 or higher is applied across all service channels to encrypt personal information in transit.
- Access Control: Access to personal information is restricted to the minimum necessary for job performance, and access rights are immediately revoked upon personnel changes such as resignation or department transfers.
- Access Log Retention and Tamper Prevention: Access logs for personal information processing systems are retained for a minimum of 6 months and are reviewed on a regular basis.
- API Key Security: Issued API keys are displayed in plaintext only at the time of creation; thereafter, only the hash value is retained.
- Vulnerability Management: System security is maintained through periodic security vulnerability assessments and patching.
- Minimum Collection of Personal Information: Only the minimum amount of personal information necessary for service provision is collected.
8. Installation, Operation, and Opt-out of Automatic Personal Information Collection Devices
Use of Cookies
The Company uses cookies to provide personalized services to users. A cookie is a small text file sent by the server operating the website to the user's browser, which is stored on the user's computer hard disk.
Purposes of Cookie Use
- Authentication Cookies (Essential): Used to maintain login status based on JWT (JSON Web Token). Services requiring login cannot be used without these cookies.
- Session Cookies: Temporary cookies that are automatically deleted upon closing the browser, used to manage the current session state.
How to Opt Out of Cookies
Users may refuse or delete cookie storage through their web browser settings. However, if cookie storage is refused, services requiring login will be unavailable.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Manage Website Data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Edge: Settings → Privacy, search, and services → Cookies and site data
Analytics Tools
The Company uses a self-hosted web analytics tool, Umami (analytics.plumbug.studio), for the purpose of service improvement. Umami does not use cookies, and collected data is stored solely on the Company's own servers and is not transmitted to any third parties. Items collected: number of page visits, visit time, visitor country (estimated from IP address; detailed IP addresses are not stored), and browser type.
9. Personal Information Protection Officer
The Company has designated a Personal Information Protection Officer as set out below, who is responsible for overseeing all personal information processing activities and for handling complaints and providing remedies related to data subjects' personal information.
- Name: Junsu Kim (CEO)
- Organization: Plumbug Studio
- Response Deadline: Within 10 days of receipt
Data subjects may direct any inquiries, complaints, or requests for remedies regarding personal information protection arising from the use of the Company's services (or business operations) to the Personal Information Protection Officer. The Company will respond to and process such inquiries without delay.
10. Cross-border Transfer of Personal Information
For payment processing purposes, the Company transfers users' email addresses and names to Paddle.com Market Ltd, located in the United Kingdom.
| Recipient | Destination Country | Purpose | Items Transferred | Safeguards |
|---|---|---|---|---|
| Paddle.com Market Ltd | United Kingdom | Payment processing | Email, name, billing country | Compliant with UK GDPR and GDPR |
11. Remedies for Infringement of Rights
Data subjects may seek assistance from the following authorities to obtain remedies for damages caused by personal information infringement. These organizations are independent of the Company; please contact them if you are not satisfied with the Company's own complaint handling or require further assistance.
Personal Information Infringement Report Center (operated by Korea Internet & Security Agency, KISA)
- Website: privacy.kisa.or.kr
- Phone: 118 (no area code required)
- Jurisdiction: Reporting and consultation on personal information infringement
Personal Information Dispute Mediation Committee
- Website: www.kopico.go.kr
- Phone: 1833-6972
- Jurisdiction: Mediation of personal information-related disputes
Supreme Prosecutors' Office Cybercrime Investigation Division
- Website: www.spo.go.kr
- Phone: 1301 (no area code required)
National Police Agency Cyber Bureau
- Website: cyberbureau.police.go.kr
- Phone: 182 (no area code required)
12. Changes to the Privacy Policy
This Privacy Policy is effective from February 18, 2026. In the event of any additions, deletions, or modifications to this Privacy Policy, the Company will provide advance notice through in-service announcements (or separate notices) and email no later than 7 days before the changes take effect.
However, where changes materially affect the rights of data subjects — such as changes to the categories of personal information collected, the purposes of use, or third-party disclosures — the Company will provide at least 30 days' advance notice.
Previous Privacy Policies
The currently effective policy is the first version. (Effective February 18, 2026)
Plumbug Studio Inc. © 2026
