Murple Inc. values your privacy and is committed to protecting your personal information. We comply with relevant personal information protection regulations, including but not limited to the Protection of Personal Information Act (PIPA), and other applicable data protection laws. This Privacy Policy outlines how we collect, use, store, and protect your personal data when you use our services.
Article 1: Items of Personal Information Collected and Purposes
1.1 Mandatory Items Collected
We collect the following mandatory personal information to provide you with our services:
- Name: Required for account identification and service delivery
- Email Address: Used for account management, communications, and password recovery
- Position and Affiliation: Collected to better understand our user base and provide relevant services
- Profile Picture: Visual identifier for your account
- Service Usage Records: Data regarding how you interact with our platform and features
- Access Logs: Records of when and how you access our services
- Cookies: Used to maintain session information and improve your experience
- Access IP Address: Recorded for security and fraud prevention purposes
- Payment Records: Transaction history and billing information for subscription management
1.2 Optional Items
During membership registration, you may optionally provide additional information to enhance your profile and experience with our services.
1.3 Processing Purposes
Your personal information is collected and processed for the following purposes:
- Customer Registration: To create and maintain your account
- Identity Verification: To ensure account security and prevent unauthorized access
- Membership Management: To administer subscription tiers and access levels
- Payment Processing: To process payments and maintain billing records
- Educational Content: To provide relevant tutorials, documentation, and learning materials
- Events and Announcements: To inform you about webinars, new features, and product updates
- Service Improvement: To analyze usage patterns and optimize our platform
Article 2: Processing and Retention Period
We retain your personal information for different periods depending on the type of data and the purposes for which it was collected:
| Data Category | Retention Period | Reason |
|---|---|---|
| Contract/Subscription Records | 5 Years | Legal and contractual compliance |
| Payment/Supply Records | 5 Years | Financial audit and tax compliance |
| Consumer Complaints | 3 Years | Dispute resolution and service improvement |
| Display and Advertisement Data | 6 Months | Marketing analytics and campaign optimization |
| Service Visit Records | 3 Months | Service delivery tracking |
| Electronic Financial Transactions | 5 Years | Financial regulation and fraud prevention |
After the retention period expires, we securely delete or anonymize your personal information in accordance with our data destruction procedures outlined in Article 6.
Article 3: Provision to Third Parties
Murple Inc. does not provide your personal information to third parties without your explicit consent. We do not sell, rent, or share your data with external organizations for commercial purposes.
The only exceptions to this policy are:
- When required by law or legal process (court orders, government requests)
- When necessary to provide services you have requested (service providers with contractual obligations)
- When you have explicitly given your consent for specific third-party sharing
In all cases, we ensure that third parties are bound by strict confidentiality obligations and comply with applicable data protection regulations.
Article 4: Consignment of Processing
We engage third-party service providers to assist in processing your personal information. These processors are carefully selected and contractually obligated to protect your data:
4.1 Domestic Service Providers
- PortOne Inc. (cs@portone.io): Domestic payment processing and payment gateway services for KRW payments.
4.2 Overseas Service Providers
- Amplitude Inc. (United States): Analytics and user behavior analysis. Amplitude helps us understand how users interact with our platform to improve service quality.
- Google LLC / Google Analytics (Ireland): Web analytics and traffic analysis. Google Analytics provides insights into website usage patterns and user engagement.
- Paddle.com Market Ltd (United Kingdom): Overseas (USD) payment processing, invoicing, subscription renewals, and refunds as the Merchant of Record. Contact: privacy@paddle.com.
- OpenAI, L.L.C. (United States): AI features. Processes user-submitted content (documents, text, code, etc.) to generate AI assistance such as writing/editing support, summarization, translation, and code generation. Data submitted through the provider's API is not used to train its AI models.
- Fireworks.ai, Inc. (United States): AI features. Processes user-submitted content to run AI model inference for assistance such as writing/editing support, summarization, translation, and code generation. Input submitted through the provider's API is not used to train its models.
All overseas processors comply with international data transfer agreements and maintain adequate safeguards for your personal information.
Article 4-2: Overseas Transfer of Personal Information
To provide the Service, the Company transfers personal information overseas (as processing consignments) as set out below. These transfers are made for the performance of the contract with the data subject and for the User's convenience; in accordance with Article 28-8(1)3 of the Personal Information Protection Act (PIPA), the disclosure of the following items in this Privacy Policy serves in lieu of separate consent.
1. AI Features
- Recipients: OpenAI, L.L.C. (contact: privacy@openai.com); Fireworks.ai, Inc. (contact: support@fireworks.ai)
- Country of transfer: United States
- Time and method of transfer: at the time the User uses an AI Feature, via encrypted transmission over the network (API calls)
- Items transferred: content such as documents, text, and code that the User inputs or attaches to the AI Features, and information accompanying the request
- Purpose of use: generating and providing AI Output (writing/editing assistance, summarization, translation, code generation, etc.)
- Retention and use period: for the period necessary to process the request; provided that data may be retained for up to thirty (30) days under the recipient's abuse-monitoring (trust and safety) policies before deletion
2. Overseas Payments
- Recipient: Paddle.com Market Ltd (contact: privacy@paddle.com)
- Country of transfer: United Kingdom
- Time and method of transfer: at the time the User makes an overseas (USD) payment, via encrypted transmission over the network
- Items transferred: information necessary for payment processing, such as name, email address, payment method information, and payment records
- Purpose of use: overseas (USD) payment processing, invoicing, subscription renewals, and refunds (as Merchant of Record)
- Retention and use period: until the termination of the consignment agreement or as required by applicable law
3. Service Usage Analytics
- Recipients: Amplitude, Inc. (contact: privacy@amplitude.com / United States); Google LLC — Google Analytics (Ireland)
- Time and method of transfer: at the time the User uses the Service, via encrypted transmission over the network
- Items transferred: service usage records, access logs, cookies, and access IP address
- Purpose of use: usage analytics and improvement of the user experience
- Retention and use period: until the termination of the consignment agreement or membership withdrawal
The AI Feature recipients do not use data that Users input through the AI Features to train their artificial intelligence models.
Users may refuse the overseas transfer of their personal information. However, because each transfer is essential to providing the relevant feature, refusing the transfer may restrict the use of the AI Features or overseas payments (no such transfer occurs if the User does not use the relevant feature). Transfers for usage analytics can be stopped by, for example, rejecting cookies. To refuse a transfer or for related inquiries, please contact the Data Protection Officer in Article 9.
For users in the EEA and the UK, additional terms apply to such transfers under the GDPR / UK GDPR (including a data processing agreement and Standard Contractual Clauses); see "Article 11: International Users (GDPR/UK GDPR)" below.
Article 5: Data Subject Rights
As a data subject, you have the following rights regarding your personal information:
5.1 Right to Access
You have the right to request access to your personal information that we hold. We will provide you with a copy of your data in a clear and understandable format within 30 days of your request.
5.2 Right to Correction
If you believe any of your personal information is inaccurate, incomplete, or outdated, you have the right to request correction. We will update your information promptly and notify you of the changes.
5.3 Right to Deletion
You may request the deletion of your personal information, subject to legal and contractual obligations. Upon your request, we will delete your data within 30 days, unless we are legally required to retain it for compliance purposes.
5.4 Right to Suspend Processing
You may request that we suspend processing of your personal information for a specified period. During the suspension, we will not use your data for any purpose other than maintaining necessary security measures.
5.5 How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer at the details provided in Article 9. Your request will be processed in accordance with applicable data protection laws.
Article 6: Destruction Procedures
When your personal information reaches the end of its retention period, or when you request deletion, we employ secure destruction methods to ensure complete removal:
6.1 Electronic Data Destruction
Electronic data is destroyed using technical methods that prevent the records from being restored or reproduced.
6.2 Physical Document Destruction
Printed documents containing personal information are destroyed by shredding or incineration.
6.3 Timeline
Personal information whose retention period has expired is destroyed within 5 days of the end of the retention period.
Article 7: Security Measures
Murple Inc. implements comprehensive technical and managerial security measures to protect your personal information from unauthorized access, alteration, or disclosure.
7.1 Technical Security Measures
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption.
- Antivirus and Anti-Malware Protection: We maintain continuous scanning and protection against malicious software on all systems processing personal information.
- Intrusion Prevention Systems: Advanced firewalls and intrusion detection systems monitor and prevent unauthorized access attempts.
- Access Controls: Authentication and authorization mechanisms limit access to personal information.
7.2 Managerial Security Measures
- Employee Training: All employees with access to personal information receive regular privacy and security training.
- Confidentiality Agreements: Employees sign strict confidentiality agreements regarding the protection of personal information.
- Access Restrictions: Only authorized personnel with legitimate business needs can access personal information.
- Incident Response: We maintain procedures to identify and mitigate security breaches in accordance with applicable law.
Article 8: Remedies and Complaints
If you have concerns about how we handle your personal information or believe your rights have been violated, you have several options for recourse:
8.1 Internal Resolution
Please contact our Data Protection Officer (see Article 9) to file a complaint. We will investigate your concerns and respond within 30 days.
8.2 External Regulatory Bodies
You may file a complaint with the following regulatory authorities:
- Korean Personal Information Protection Commission (KOPICO): The primary data protection authority in Korea
- Korea Internet Security Agency (KISA): For cybersecurity-related complaints and incidents
- ePrivacy Committee: For privacy concerns related to electronic communications
- Prosecutor's Office: For criminal violations of data protection laws
- Cyber Police (경찰청 사이버범죄 신고): For cybercrime-related incidents involving personal data
Article 9: Data Protection Officer
Murple Inc. has appointed a Data Protection Officer responsible for overseeing our privacy practices and addressing your concerns:
Name: Shounan An (CEO)
Title:Chief Executive Officer & Data Protection Officer
Phone: 010-5379-3771
Email: admin@murple.ai
You may contact our Data Protection Officer for any privacy-related inquiries, complaints, or to exercise your data subject rights. We aim to respond to all requests within 10 business days.
Article 10: Obligation to Notify Changes
This Privacy Policy may be updated from time to time to reflect changes in our data handling practices, legal requirements, or technological advancements.
10.1 Notice of Changes
We will announce any changes to this Privacy Policy through service notices at least 7 days before they take effect. For material changes, we may additionally notify you by email.
10.2 Acceptance of Changes
Continued use of our services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with any changes, you have the right to discontinue using our services and request deletion of your account.
10.3 Version Control
We maintain a version history of our Privacy Policy, and you can request previous versions if needed.
Article 11: Additional Information for EEA and UK Users (GDPR / UK GDPR)
This Article applies to users located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, and supplements the other provisions of this Privacy Policy. Where the EU General Data Protection Regulation (GDPR) or the UK GDPR applies and any provision of this Policy conflicts with this Article, this Article prevails for such users.
11.1 Controller and Contact
Murple Inc. is the controller of your personal data. You may contact the Company, or its Data Protection Officer, using the details in Article 9. Where required by law, the Company will designate a representative in the EU and/or the UK and publish their contact details.
11.2 Legal Bases for Processing
We process your personal data on the following legal bases under Article 6(1) of the GDPR:
- Performance of a contract: to provide the Service you request, including account management, payment processing, and AI features.
- Legitimate interests: to operate, secure, and improve the Service and to prevent abuse, where such interests are not overridden by your rights and freedoms.
- Legal obligation: to comply with applicable law, such as tax and accounting requirements.
- Consent: where we rely on your consent (for example, certain marketing communications), which you may withdraw at any time without affecting processing carried out before withdrawal.
11.3 Your Rights
In addition to the rights described in Article 5, you have the right to access, rectify, erase, and restrict the processing of your personal data, the right to data portability, the right to object to processing based on legitimate interests, the right to withdraw consent, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. To exercise these rights, contact the Data Protection Officer in Article 9; we will respond within one month as required by the GDPR.
11.4 International Transfers
Your personal data may be transferred to and processed in the United States and other countries outside the EEA and the UK, including by the processors and sub-processors listed in Article 4 and Article 4-2 (for example, OpenAI, L.L.C. and Fireworks.ai, Inc. for AI features). Where we transfer personal data outside the EEA/UK, we put in place a data processing agreement (DPA) with the recipient and appropriate safeguards — in particular the European Commission's Standard Contractual Clauses (SCC) and, for the UK, the UK International Data Transfer Addendum (IDTA). A copy of the relevant safeguards is available on request from the Data Protection Officer.
11.5 Sub-processors
We use the processors and sub-processors identified in Article 4 (Consignment of Processing) and Article 4-2 (Overseas Transfer of Personal Information), including their recipient, location, and purpose. A current list is maintained there and available on request, and we will provide reasonable notice of material changes.
11.6 Retention and Complaints
We retain personal data for the periods described in Article 2 and only for as long as necessary for the purposes described in this Policy. If you consider that our processing infringes the GDPR or the UK GDPR, you have the right to lodge a complaint with your local supervisory authority — for example, your national data protection authority in the EEA, or the UK Information Commissioner's Office (ICO).
Effective Date: This Privacy Policy is effective from July 14, 2026. (Previous effective date: March 7, 2025.)
For questions or inquiries about this policy, please contact our Data Protection Officer using the information provided in Article 9.