Privacy Policy
June 2, 2026
This document is authoritative in its Korean version. Translations are provided for reference only.
# X-IoT Co., Ltd. Privacy Policy
## Article 1 (General Provisions)
주식회사 엑시엇 (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) in order to protect the personal information of data subjects and promptly and efficiently handle related grievances.
## Article 2 (Purposes of Processing Personal Information)
The Company processes personal information for the following purposes. The personal information being processed shall not be used for purposes other than those specified below, and if the purpose of use changes, the Company shall take necessary measures, including obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act (PIPA).
1. **Inquiry Submission and Response**
- Responding to and replying to user inquiries
- Processing quotations, partnership requests, and other business inquiries
2. **Site Usage Statistics and Service Improvement**
- Improving services through analysis of Site usage patterns
- Preparation of anonymized statistical data
## Article 3 (Items of Personal Information Collected and Collection Methods)
### 1. Information Collected Upon Inquiry Submission
| Category | Items Collected | Collection Method |
|----------|----------------|-------------------|
| Required | Name (required), Email (required), Company Name (required), Contact Number (Telephone Number) (required), Inquiry Details (required) | Directly entered by the user into the inquiry form |
| Optional | Inquiry Type (optional) | Directly entered by the user into the inquiry form |
### 2. Automatically Collected Information
| Category | Items Collected | Collection Method |
|----------|----------------|-------------------|
| Automatic | IP address (stored after SHA-256 hashing), access date and time, browser information, device information | Automatically generated and collected during Site use |
## Article 4 (Retention and Use Period of Personal Information)
1. The Company processes and retains personal information within the retention and use period prescribed by applicable laws or agreed to by the data subject at the time of collection.
2. The retention and use periods for each category of personal information are as follows.
| Purpose of Processing | Retention Period | Remarks |
|----------------------|-----------------|---------|
| Inquiry submission and response | One (1) year after completion of processing | For handling follow-up inquiries and dispute resolution |
| Automatically collected information | One (1) year | Destroyed after preparation of anonymized statistical data |
3. However, in the following cases, personal information shall be retained until the relevant matter is resolved:
- Where investigations or inquiries related to violations of applicable laws are in progress
- Where rights and obligations arising from use of the Site remain outstanding
## Article 5 (Provision of Personal Information to Third Parties)
1. The Company processes personal information only within the scope of the purposes specified in Article 2 and shall not process or provide personal information to third parties beyond the original scope without the prior consent of the data subject.
2. However, exceptions apply in the following cases:
- Where separate consent has been obtained from the data subject
- Where special provisions exist under other laws
- Where the data subject or legal representative is unable to express intent or prior consent cannot be obtained due to unknown address or similar circumstances, and the provision is clearly necessary for the urgent protection of the life, body, or property of the data subject or a third party
## Article 6 (Outsourcing of Personal Information Processing)
1. The Company outsources certain personal information processing tasks as follows in order to provide services smoothly.
| Processor | Outsourced Tasks | Location of Personal Information Processing |
|-----------|-----------------|---------------------------------------------|
| Supabase, Inc. | Operation of content database (storage of inquiry data) | Singapore (`ap-southeast-1`) |
| Vercel, Inc. | Site hosting, operation, and collection of anonymized usage statistics | United States |
| Cloudflare, Inc. | DNS management and traffic security | United States |
2. When entering into outsourcing agreements, the Company specifies in written documents, including contracts, matters required under Article 26 of the Personal Information Protection Act (PIPA), such as prohibition of processing personal information beyond the purpose of outsourced tasks, technical and administrative protection measures, restrictions on re-outsourcing, supervision of processors, and liability for damages, and supervises whether processors safely handle personal information.
3. If there are any changes to outsourced tasks or processors, the Company shall disclose such changes without delay through this Privacy Policy.
## Article 7 (Cross-Border Transfer of Personal Information)
1. Personal information processing tasks outsourced by the Company are processed overseas as follows. The timing and method of transfer are, in common, conducted on an ongoing basis through information and communications networks during operation of the Site.
| Processor | Destination Country | Purpose of Use by Recipient | Items Transferred | Retention and Use Period |
|-----------|--------------------|-----------------------------|-------------------|------------------------|
| Supabase, Inc. | Singapore (`ap-southeast-1`) | Database hosting (storage of inquiries and content) | All collected items specified in Article 3, Paragraph 1 (inquiry data) | Same as the retention period specified in Article 4 |
| Vercel, Inc. | United States | Web hosting and edge distribution | Automatically collected items specified in Article 3, Paragraph 2 (access logs) | During the service provision period |
| Cloudflare, Inc. | United States | DNS, CDN, and DDoS protection | Automatically collected items specified in Article 3, Paragraph 2 (access logs) | During the service provision period |
2. Data subjects may refuse the cross-border transfer of personal information. If a data subject expresses refusal, the Company shall not collect the relevant personal information; however, this may limit the use of the Site.
## Article 8 (Rights and Obligations of Data Subjects and Methods of Exercise)
1. Data subjects may exercise the following rights with respect to the Company at any time:
1. Request access to personal information
2. Request correction in the event of errors
3. Request deletion
4. Request suspension of processing
2. The above rights may be exercised by submitting a request to the Company in writing, by email, or through other means, and the Company shall take action without delay.
3. If a data subject requests correction or deletion of personal information due to errors or inaccuracies, the Company shall not use or provide such personal information until the correction or deletion is completed.
4. Rights may also be exercised through a legal representative or an authorized agent of the data subject. In such cases, a power of attorney in the form prescribed by Appendix Form No. 11 of the Notice on the Methods of Processing Personal Information must be submitted.
## Article 9 (Procedures and Methods for Destruction of Personal Information)
1. The Company shall destroy personal information without delay when such information becomes unnecessary due to expiration of the retention period or achievement of the processing purpose.
2. The procedures and methods for destruction are as follows.
- **Destruction Procedure**: The Company selects personal information subject to destruction and destroys such information with the approval of the Company's Chief Privacy Officer (CPO).
- **Destruction Method**: Information stored in electronic file format is deleted using technical methods that prevent restoration. Personal information printed on paper is destroyed by shredding or incineration.
## Article 10 (Measures to Ensure Security of Personal Information)
The Company implements the following measures to ensure the security of personal information.
1. **Administrative Measures**: Establishment and implementation of internal management plans; designation and minimization of personnel handling personal information
2. **Technical Measures**:
- Management of access rights to personal information processing systems
- Installation of access control systems and prevention of unauthorized access
- Application of encryption (TLS/HTTPS) for communication channels
- Encryption of data stored in databases
- Installation and regular inspection of security programs
3. **Physical Measures**: Physical security of external infrastructure (processors) where data is stored is managed in accordance with the respective processors' security policies.
## Article 11 (Installation, Operation, and Refusal of Automatic Collection Devices)
1. The Company currently does not use cookies.
2. The Company uses a cookie-free anonymous web analytics tool (Vercel Analytics) to understand Site usage status and improve services. This tool does not collect personally identifiable information and collects only anonymized pageview statistics and performance metrics.
3. If the Company uses cookies in the future for service improvement purposes, it shall revise this Policy in advance and notify users accordingly.
## Article 12 (Chief Privacy Officer)
1. The Company designates the following Chief Privacy Officer (CPO) to oversee personal information processing and handle complaints and remedies related to personal information protection.
**Chief Privacy Officer (CPO)**
- Name: Park Hongjong
- Position: Chief Executive Officer
- Contact Number: 031-306-1101
- Email: xinquiry@x-iot.co.kr
2. Data subjects may contact the Chief Privacy Officer (CPO) or the relevant department regarding all inquiries, complaints, or remedies related to personal information protection arising while using the Company's services. The Company shall respond to and process such inquiries without delay.
## Article 13 (Methods of Remedy for Rights Infringement)
Data subjects may apply for dispute resolution or consultation regarding personal information infringement through the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, and other relevant institutions. For reports and consultations regarding other personal information infringements, please contact the following organizations.
1. Personal Information Dispute Mediation Committee: 1833-6972 (without area code) / www.kopico.go.kr
2. Personal Information Infringement Report Center: 118 (without area code) / privacy.kisa.or.kr
3. Supreme Prosecutors' Office: 1301 (without area code) / www.spo.go.kr
4. National Police Agency: 182 (without area code) / cyberbureau.police.go.kr
## Article 14 (Amendment of the Privacy Policy)
1. This Privacy Policy shall take effect from the effective date, and if there are additions, deletions, or corrections due to changes in laws or policies, the Company shall provide notice through the Site's notices section at least seven (7) days prior to the effective date of such changes.
2. Previous versions of the Privacy Policy shall be retained and made available on the Site.
---
## Supplementary Provision
This Privacy Policy shall take effect on June 2, 2026.