Privacy Policy
newmean.ai (hereinafter "Company") values the personal information of service users (hereinafter "data subjects") and establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (hereinafter "PIPA") and Article 31 of its Enforcement Decree.
Last Revised: 2026-04-22
Effective Date: 2026-04-22
Article 1 Purposes of Processing Personal Information
The Company processes personal information for the following purposes. Personal information processed shall not be used for purposes other than those stated below, and separate consent will be sought if the purpose changes.
| Processing Purpose | Details |
|---|---|
| Member registration and management | User identification and authentication, service usage history management |
| Service provision | Survey data statistical analysis, APA-style interpretation generation, storage and retrieval of analysis results |
| Payment and transactions | Payment processing, transaction record keeping (pursuant to the Act on the Consumer Protection in Electronic Commerce, Article 6) |
| Customer support | Handling inquiries and disputes |
| Legal obligations | Issuance of tax invoices, compliance with statutory retention obligations |
Article 2 Items of Personal Information Processed
The Company collects personal information as follows.
| Collection Source | Items Collected | Collection Method | Required/Optional | Storage Location | Retention Period |
|---|---|---|---|---|---|
| Google OAuth login | Email address, Google account ID | OAuth 2.0 authentication flow | Required | Railway database | Deleted immediately upon membership withdrawal (statutory retention periods may apply) |
| Payment | Payment order ID, amount, discount applied, refund consent timestamp | API request | Required | Railway database | 5 years from payment date (pursuant to Act on Consumer Protection in Electronic Commerce, Article 6) |
| Service use | Analysis session ID, filename, analysis status, analysis result JSON | Auto-generated during service use | Required for service delivery | Railway database | Deleted immediately upon membership withdrawal (payment-related analyses retained for 5 years) |
| Cookies | Session cookie, authentication token, CSRF token | Automatically stored in browser | Required for service operation | User's browser | Upon session end or maximum 7 days |
**No Permanent Storage of Survey Files**: Survey files uploaded by users (.xlsx, .csv, .sav, etc.) are loaded into memory only during analysis processing and are deleted immediately upon completion. These files are never permanently stored on the server.
Article 3 Processing of Children Under 14
The Company's Terms of Service do not permit users under the age of 14 to register. The Company does not collect or process personal information of children under 14. If a user under 14 is identified, the relevant account will be immediately deleted and all associated information will be destroyed. Accordingly, the legal guardian consent system under Article 22-2 of PIPA does not apply.
Article 4 Retention and Use Period of Personal Information
The Company processes personal information within the retention and use period stipulated by applicable law or agreed upon with the data subject.
| Item | Retention Period | Basis |
|---|---|---|
| Member information (email, Google ID) | Deleted immediately upon membership withdrawal | Termination of service contract |
| Payment records (order ID, amount, consent timestamp) | 5 years | Act on Consumer Protection in Electronic Commerce, Article 6 (records of contracts and subscription withdrawal) |
| Consumer complaint and dispute records | 3 years | Act on Consumer Protection in Electronic Commerce, Article 6 |
| Advertising and display records | 6 months | Act on Consumer Protection in Electronic Commerce, Article 6 |
| Access logs of the personal information processing system (user ID, access timestamp, IP address, action performed) | At least 1 year | Enforcement Decree of the Personal Information Protection Act, Article 30(1)(6) |
Article 5 Procedure and Method for Destruction of Personal Information
Personal information whose processing purpose has been achieved or whose retention period has expired is destroyed without delay.
- **Electronic files**: Permanently deleted by methods that render recovery or restoration impossible.
- **Paper documents**: Not applicable (the Company retains personal information in electronic form only).
- **Survey files**: Deleted from memory immediately upon completion of analysis (no server storage).
Article 6 Provision of Personal Information to Third Parties
The Company does not, in principle, provide personal information to third parties. Exceptions apply in the following cases:
- Where the user has given prior consent
- Where required by applicable law (e.g., lawful requests from investigative authorities)
**Regarding the Payment Gateway (PortOne)**: Payment information (amount, order ID) is shared with the payment processing provider (PortOne and its underlying card networks) as part of payment processing. This constitutes **entrustment of processing**, not provision to a third party (see Article 7).
Article 7 Entrustment of Personal Information Processing
The Company entrusts personal information processing as follows for service delivery.
| Data Processor | Entrusted Work | Personal Information Items | Retention Period | Location |
|---|---|---|---|---|
| Vercel Inc. | Frontend application hosting and CDN | Server request logs (IP address, User-Agent) | Per Vercel policy (recommended maximum 30 days) | United States |
| Railway Corporation | Backend API server hosting and database | Email, analysis data, payment records | Duration of entrustment agreement | United States |
| Google LLC | OAuth 2.0 authentication service | Google account ID, email address | Per Google's privacy policy | United States |
| Anthropic PBC | AI language model (Claude) — APA interpretation generation | Aggregate statistical results (raw survey respondent data not transmitted) | Deleted immediately after processing (per Anthropic policy) | United States |
| PortOne Inc. | Payment processing | Payment amount, order ID | Per payment processor policy after transaction completion | Republic of Korea |
| Upstash | Redis session store (authentication token management) | Authentication tokens (hashed values) | Auto-deleted upon session expiry (maximum 7 days) | United States |
Article 8 Cross-Border Transfer of Personal Information (PIPA Article 28-8)
The Company transfers personal information to the following overseas entities as part of service operations. Data subjects have the right to refuse such transfers. Refusal may restrict access to the relevant service functions.
Vercel Inc.
| Item | Details |
|---|---|
| Personal information items transferred | Server request logs (IP address, User-Agent, request path) |
| Recipient | Vercel Inc. |
| Transfer country | United States |
| Transfer timing and method | Real-time upon service use, transmitted via HTTPS encryption |
| Purpose of use | Frontend application hosting and global CDN delivery |
| Retention period | Per Vercel policy (recommended maximum 30 days) |
| Right to refuse and method | Submit request to contact@newmean.ai. Note: refusal makes the service unavailable |
| Consequences of refusal | Service becomes entirely unavailable |
Railway Corporation
| Item | Details |
|---|---|
| Personal information items transferred | Email address, Google account ID, analysis result data, payment records |
| Recipient | Railway Corporation |
| Transfer country | United States |
| Transfer timing and method | Real-time upon service use, transmitted via HTTPS/TLS encryption |
| Purpose of use | Backend API server operation and database management |
| Retention period | Duration of entrustment agreement (destroyed within 30 days after service termination) |
| Right to refuse and method | Submit request to contact@newmean.ai. Note: refusal makes the service unavailable |
| Consequences of refusal | Service becomes entirely unavailable |
Google LLC
| Item | Details |
|---|---|
| Personal information items transferred | Google account ID, email address |
| Recipient | Google LLC |
| Transfer country | United States |
| Transfer timing and method | Upon login via OAuth 2.0 protocol, transmitted via HTTPS encryption |
| Purpose of use | User authentication (Google OAuth 2.0) |
| Retention period | Per Google's Privacy Policy |
| Right to refuse and method | Submit request to contact@newmean.ai. Note: Google login is the sole authentication method; refusal makes the service unavailable |
| Consequences of refusal | Service becomes unavailable |
Anthropic PBC
| Item | Details |
|---|---|
| Personal information items transferred | Aggregate statistical result values (numerical values, variable names, etc.; individual survey respondent identifiers excluded) |
| Recipient | Anthropic PBC |
| Transfer country | United States |
| Transfer timing and method | Upon APA interpretation generation request, transmitted via HTTPS API encryption |
| Purpose of use | Automated APA-style interpretation of statistical results using Claude AI model |
| Retention period | Per Anthropic Terms of Service (recommended deletion immediately after processing) |
| Right to refuse and method | Submit request to contact@newmean.ai. Note: refusal disables the APA interpretation generation feature |
| Consequences of refusal | APA interpretation generation feature becomes unavailable |
Upstash, Inc.
| Item | Details |
|---|---|
| Personal information items transferred | Authentication tokens (hashed values), session identifiers |
| Recipient | Upstash, Inc. |
| Transfer country | United States |
| Transfer timing and method | Real-time during login and session maintenance, transmitted via TLS encryption |
| Purpose of use | Operation of the Redis-based session store and management of authentication tokens |
| Retention period | Automatically deleted upon session expiry (maximum 7 days) |
| Right to refuse and method | Submit request to contact@newmean.ai. Because the session store is essential for maintaining authentication, refusal makes the Service unusable |
| Consequences of refusal | Service cannot be used |
Article 9 Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
Administrative measures
- Designation and operation of a Data Protection Officer (DPO/CPO)
- Minimization of employees with access to personal information
- Management of access rights to personal information
Technical measures
- HTTPS/TLS encryption for all communications
- JWT + Refresh Token Rotation for authentication token management
- Redis TLS-encrypted session store
- CSRF token-based protection against request forgery
- Masking of sensitive information (passwords, card numbers, etc.) in server logs
- SQL injection prevention (via SQLAlchemy ORM)
Physical measures
- Server infrastructure is operated by Vercel (frontend) and Railway (backend) cloud providers, and the Company complies with their physical security policies.
Article 10 Automatic Collection of Personal Information (Cookies)
The Company uses cookies to provide personalized services to users.
What are cookies? Cookies are small pieces of information sent by the server operating the website to the user's browser, stored on the user's computer hard drive.
| Cookie Name | Purpose | Expiry |
|---|---|---|
| access_token | Maintain login status (JWT authentication) | 30 minutes |
| refresh_token | Automatic login renewal | 7 days |
| csrf_token | Protection against CSRF attacks | Upon session end |
| locale | Store language preference | 1 year |
How to refuse cookie installation: Users may refuse cookie storage through browser settings. Note that refusing cookies may cause difficulties when using services that require login.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Cookies and website data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
No behavioral advertising: The Company does not collect behavioral information (information for interest-based targeted advertising) or provide it to third parties.
Article 11 Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them
Data subjects (users) may exercise the following rights.
| Right | Content |
|---|---|
| Right of access | Request to access personal information being processed |
| Right to rectification | Request correction of inaccurate personal information |
| Right to erasure | Request deletion of personal information (except where statutory retention obligations apply) |
| Right to restriction of processing | Request restriction of personal information processing |
| Right to withdraw consent | Withdraw consent to personal information processing |
How to exercise rights: Send an email to contact@newmean.ai or use the "Withdraw membership" function within the service.
Processing deadline: Requests will be processed within 10 days of receipt.
Exercise by representative: Rights may be exercised by the data subject's legal representative or a duly authorized agent. In such cases, a power of attorney and proof of identity of the representative must be submitted.
Article 12 Automated Decision-Making (PIPA Article 37-2)
The Company automatically generates APA (American Psychological Association) 7th edition format interpretations of users' statistical analysis results using the Anthropic Claude AI language model.
This constitutes automated decision-making as defined under Article 37-2 of the Personal Information Protection Act.
| Item | Details |
|---|---|
| Content of automated decision | Automatic generation of APA-format interpretations based on statistical analysis results |
| AI model used | Anthropic Claude (large language model) |
| Legal or significant effects | No direct legal effect; may be used as reference material for academic paper writing |
| User rights | |
| — Right to refuse | Users who do not wish to have interpretations generated may submit a request to contact@newmean.ai |
| — Right to explanation | Users may request an explanation of the basis for the generated interpretation |
| — Right to object | Users with objections to the generated result may contact contact@newmean.ai |
**Reference material notice**: The APA interpretations generated by AI are supplementary reference materials based on statistical figures; final interpretive judgment rests with the user.
Article 13 Data Protection Officer (DPO / CPO)
The Company has designated the following Data Protection Officer to oversee all personal information processing matters and handle complaints and remedies related to personal information processing.
| Item | Details |
|---|---|
| Name | Hoonjae Lee |
| Position | CEO |
| Organization | newmean.ai |
| Phone | 070-7954-7067 |
| Email | hoonjae@newmean.ai |
Data subjects may direct all inquiries, complaints, and requests for remedy regarding personal information protection arising from use of the Company's services to the Data Protection Officer.
Article 14 Remedies for Infringement of Rights
Data subjects may seek assistance or consultation from the following agencies regarding personal information infringement.
| Agency | Contact | Services |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 / www.kopico.go.kr | Personal information dispute mediation |
| Personal Information Infringement Report Center | 118 / privacy.kisa.or.kr | Report and consultation on personal information infringement |
| Supreme Prosecutors' Office | 1301 / www.spo.go.kr | Report personal information infringement crimes |
| National Police Agency | 182 / ecrm.cyber.go.kr | Report personal information infringement crimes |
Change History
| Version | Effective Date | Summary of Changes | Author |
|---|---|---|---|
| v1.0.0 | 2026-04-21 | Initial release — 14 sections newly established | newmean.ai |
| v1.1.0 | 2026-04-22 | Added "access logs of the personal information processing system — at least 1 year" (PIPA Enforcement Decree Article 30) to the retention table in Article 4; added Upstash, Inc. (United States, Redis session store) to the cross-border transfer disclosures in Article 8 | newmean.ai |
The Korean version is the legally binding original. This English translation is provided for reference only. In case of any conflict between the Korean and English versions, the Korean version prevails.
The Korean version is available at: https://research79.kr/privacy