EON Privacy Policy

1. Purposes of Personal Information Processing

The Company processes personal information for the following purposes:

• Account registration and management (email, nickname)
• Providing destiny analysis service (date of birth, time of birth, place of birth, gender)
• AI-based personalized consultation (chat content)
• Payment and Dokaebi Fire management
• Service quality improvement and error analysis

2. Personal Information Processed

• Required: Email address, nickname, date of birth (solar/lunar), time of birth, place of birth, gender
• Automatically collected: IP address (SHA-256 hashed), country of access, service usage records
• Optional: Sexual orientation, relationship status (for personalized readings)

3. Retention Periods

• Member information: Deleted immediately upon account termination (hard delete)
• Terminated-member snapshot (email, nickname — encrypted): Automatically deleted after 1 year
• Payment records: Retained for 5 years pursuant to the Act on Consumer Protection in Electronic Commerce
• Operational logs: Retained for 7 days

4. Disclosure to Third Parties

The Company does not disclose personal information to external parties except for the following limited purposes:

• Payment card information is collected and processed directly by Stripe; the Company does not store it.
• Birth information sent to AI services is used solely for destiny analysis purposes and is not used for AI model training.

5. Entrustment of Personal Information Processing

The Company entrusts the following processing tasks for the smooth operation of the Service. Processors are listed below in order of personal data sensitivity.

• Processors are contractually obligated to use personal information only for the entrusted purpose and to manage it securely.
• The Company provides prior notice through this Policy when a processor is changed or added.

6. Rights of Data Subjects

Under the Personal Information Protection Act, users may exercise the following rights:

• Request access, correction, deletion, or suspension of processing
• Direct modification/deletion through the account settings page
• Immediate deletion of all personal information upon account termination (hard delete)
• Contact: eon.ai.master@gmail.com

7. Destruction of Personal Information

• Upon termination: auth.users deletion → CASCADE deletes all related data immediately
• Terminated-member snapshot (email, nickname — encrypted): Auto-deleted after 1 year
• Destruction method: Electronic files are deleted using methods that prevent recovery

8. Security Measures

The Company implements the following technical and administrative measures to protect personal information:

Technical Measures

• Encryption at rest: AES-256-GCM (name, date of birth, time of birth, place of birth, gender, reading results, conversation content)
• One-way hashing: SHA-256 (IP address, OTP codes)
• Database access control: Supabase Row Level Security (RLS) — users can access only their own data
• Encryption in transit: TLSv1.3, AES-256-GCM, X25519MLKEM768 (post-quantum key exchange) applied. Same level applied to processors (including Render)
• Rate limiting: Prevents malicious access

Personal Data Protection at Processor (Render)

• The AI Destiny Analysis Computation Engine does not persist birth information to disk (stateless architecture).
• Birth information used in computation is erased from memory immediately after processing.
• Server request logs record only metadata (path, method, status code, duration). Request bodies (raw birth information) are not recorded in logs.
• Operational logs are automatically discarded after 7 days.

Administrative Measures

• Minimized number of personnel handling personal information
• Data Processing Agreements (DPAs) signed with processors
• Regular processor audits

9. Children Under 14

The Company does not collect personal information from children under 14 years of age.

During registration, age 14+ is verified. If a user is subsequently found to be under 14, the account is terminated immediately.

10. Cookies and Automatic Collection Devices

• Authentication cookies: Login session maintenance (Supabase Auth)
• Google Analytics: Service usage statistics (anonymous)
• Local storage: UI settings (tab selection, etc.)

11. Data Protection Officer

The Company designates the following contact to oversee personal information processing and handle user complaints and remedies:

12. Business Information

13. Rights of Users in Specific Jurisdictions

The Service is operated from the Republic of Korea and transfers personal data to processors located in the United States and other jurisdictions. Users in the following regions have additional rights:

EEA/UK Users (GDPR)

• Right of access, rectification, erasure ("right to be forgotten")
• Right to restriction of processing, data portability, objection
• Right to lodge a complaint with a supervisory authority
• Legal basis: Contract performance (Art. 6(1)(b)) and, where specific data is processed, consent (Art. 6(1)(a))
• Cross-border transfer: Transfers to the United States and other jurisdictions rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) where contained in the Data Processing Agreements with major processors (e.g., Supabase, Google, Stripe, Vercel, Cloudflare, Render). For certain processors handling non-PII data only (e.g., text prompts sent to image generation services), transfers rely on contract performance with additional safeguards.

Japan Users (APPI)

• Right to request disclosure, correction, addition, or deletion of retained personal data
• Right to request cessation of use or third-party provision
• Contact point for complaints: eon.ai.master@gmail.com

Thailand Users (PDPA)

• Right to access, correct, delete, and port personal data
• Right to withdraw consent and object to processing
• Right to file a complaint with the Personal Data Protection Committee

To exercise these rights, contact eon.ai.master@gmail.com.

14. Remedies for Rights Violations (Republic of Korea)

Korean users may contact the following institutions for dispute resolution or consultation regarding personal information infringement:

• Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
• Personal Information Infringement Reporting Center: 118 (privacy.kisa.or.kr)
• Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
• National Police Agency: 182 (ecrm.cyber.go.kr)

15. Changes to This Privacy Policy

• Changes to this Policy will be posted within the Service at least 7 days prior to taking effect, specifying the reason for and content of the change.
• Changes unfavorable to users will be posted at least 30 days prior.
• Effective date: April 28, 2026