Privacy Policy

C&2K Co., Ltd. (operator of Autoagens) — how we collect, use, store, transfer, and delete your personal information in compliance with PIPA, GDPR, and CCPA.

Last updated:

C&2K Co., Ltd. ("we", "us"), the operator of Autoagens, has established this Privacy Policy under Article 30 of the Korean Personal Information Protection Act ("PIPA"). This English version is a summary; in case of conflict, the Korean original prevails.

1. Information We Collect

Required: email, social-login identifiers (e.g., Google sub, Apple user ID), hashed password, account profile (display name, optional phone/address), business profile (when provided), uploaded media (logo, store photos, product/menu images).

Service usage: prompts, generation history, coin and subscription balances, automated-publishing connections (OAuth tokens for currently active platforms — YouTube and our autoagens.com child blog).

Automatically collected: IP, cookies, device/browser identifiers, service logs, error logs, advertising IDs (only with consent).

We do not collect resident registration numbers and do not collect sensitive information unless you explicitly opt in for a feature that requires it.

2. Purposes of Processing

Account authentication and lifecycle management; preventing abuse and verifying that members are at least 14 years old.

Delivering the AI service (blog automation, video / image / music generation, workflow templates) and personalizing content from the identity / business / image data you provide.

Billing and refunds (subscriptions, coins, auto-renewal, anti-fraud); customer support and dispute handling.

Marketing and personalization (only when you opt in); statistical analysis and product improvement.

AI model operation, abuse detection, and — only with separate opt-in — pseudonymized model evaluation and improvement.

Automated publishing to currently active connected platforms (YouTube, autoagens.com child blog). Future platforms will be added only after a separate opt-in flow that discloses the data fields, purpose, retention, and consequences of refusal (PIPA-compliant).

3. Retention Period

Member account: until withdrawal. After a withdrawal request, account data and user-generated content are quarantined for a 100-day grace period (during which you may download content or revoke withdrawal) before permanent deletion. You may request immediate deletion under PIPA Article 36.

Payment / e-commerce records: 5 years (Korean E-Commerce Consumer Protection Act). Customer dispute records: 3 years. Display & advertising records: 6 months. Tax records: 5 years (Korean Tax Framework Act).

Login logs: 3 months (Communication Secrets Protection Act). Anti-abuse sanction records: 3 years.

Dormant accounts (no use for 12 months) may be moved to a separate database after prior notice.

4. Processors & Cross-border Transfers

We rely on the following processors. You may consent or refuse, though refusal limits the corresponding features.

Supabase Inc. — HQ US, data region Singapore; Postgres, auth, Realtime, file storage. Privacy: supabase.com/privacy.

DashScope / Alibaba Cloud — Singapore instance; image edits via qwen-image-edit-max. Note: parent group China-based — disclosure requests under Chinese national-security / data-security law cannot be ruled out.

OpenAI, L.P. (US) — image generation/edit, embeddings, text generation; standard API policy excludes our inputs from training (as of May 2026).

Google LLC (US, Vertex AI us-central1) — Gemini/Veo/Vertex AI inference, GCS for KYC docs, YouTube Data API, OAuth, Search Console.

fal.ai (US) — Veo3, Kling, Seedance, LTX 2.3 video, Stable Audio BGM, MiniMax Music.

Perplexity AI (US) — search. SerpAPI (US) — fallback search. Creatomate (US) — template video composition. ElevenLabs (US) — TTS voiceover. Resend, Inc. (US) — transactional and inbound email; account-withdrawal blog backup zip.

Vercel Inc. — serverless execution in Seoul ICN1 (Korean processor under PIPA §26); account / build / Vercel Analytics aggregation in the US (cross-border under §28-8 ① 3).

Cloudflare, Inc. — edge processing in Korean / Hong Kong PoPs (immediate disposal); US backend Zero Trust dashboard retains 30 days.

Microsoft Bing Webmaster Tools (US) — sitemap submission for child blogs.

Self-hosted infrastructure (n8n, NVIDIA DGX Spark running ComfyUI / LTX-2 / Remotion) is operated by us in Korea and is not a processor; calls those systems make to external AI APIs are tracked under the providers above. All transfers use TLS-encrypted APIs and only at the moment a feature requires it.

5. Third-Party Sharing

We do not regularly share personal data with third parties. Sharing is performed only with your separate consent or where the law requires it.

Domestic processing is delegated to: payment gateways, SMS / KakaoTalk providers, email senders, customer-support platforms. We supervise each processor under PIPA Article 26.

6. Cookies & Behavioral Data

We use cookies for session, security, language preference, analytics, and product improvement. You can disable cookies in your browser, but some features may stop working.

Vercel Analytics (US) collects pageviews, anonymized IP (last octet masked), device/browser info, navigation paths, and Core Web Vitals; retention is 13 months. You can opt out via the in-product privacy settings, the cookie banner, "Do Not Track", Google Analytics opt-out (tools.google.com/dlpage/gaoptout), or by resetting / limiting your mobile advertising ID.

7. Your Rights

You may request access, correction, deletion, processing restriction, withdrawal of consent, and data portability (where MyData applies).

You may also object to or request explanation / human review of automated decisions (PIPA Article 37-2).

Submit requests via your dashboard, by email to the contact below, or through the Korean Privacy Portal (privacy.go.kr). We respond within 10 days where possible.

8. Automated Decisions

We operate automated decisions only in: content generation and safety filtering, automated publishing schedules, fraud / abuse detection, and quota / coin enforcement.

We do not run automated decisions for hiring, credit scoring, or anything that materially impacts your civil rights. You may object, request explanation, or ask for human review at any time.

9. Generative AI Notice

Outputs are produced by generative AI (OpenAI, Google Gemini / Veo, fal.ai, in-house open-source models). They may contain inaccuracies; you must review before publishing.

We may apply AI-content labels (watermark, metadata) per Article 31 of the Korean AI Framework Act. We process your business / identity / image data only to fulfil the content you request, never to generate content for other users, and never for model training without separate opt-in.

When we auto-upload AI-generated video to YouTube on your behalf, we apply the AI-content tag to metadata, insert an "Generated by AI" subtitle, and apply YouTube's AI-generated content label to honor both YouTube policy and AI Framework Act §31.

10. Security Measures

Administrative: internal management plan, designated CPO, access-permission matrix, periodic training.

Technical: TLS in transit, encryption at rest, hashed passwords, intrusion detection, audit logs, separate vault for OAuth tokens (KMS).

Operational: EXIF metadata stripped from uploaded media; on-prem open-source models run in isolated networks; abnormal-publishing detection; immediate token revocation on disconnect (currently active connections: YouTube, autoagens.com child blog).

11. Data Protection Officer & Complaints

Data protection contact: [email protected]

Korean redress agencies: Personal Information Dispute Mediation Committee (1833-6972, kopico.go.kr); KISA Privacy Center (118, privacy.kisa.or.kr); Cyber Crime Investigation Bureau (police 182, prosecutors 1301).

12. Changes to this Policy

We will announce changes at least 7 days before they take effect (30 days for materially adverse changes). The Korean original prevails over this English translation in case of conflict.