Privacy Policy
Last updated: 2026-04-06
unJaena AI ("the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data. This policy complies with the Korean Personal Information Protection Act (PIPA), EU General Data Protection Regulation (GDPR), Japan's Act on Protection of Personal Information (APPI), and China's Personal Information Protection Law (PIPL). Effective date: April 6, 2026.
1. Data Controller
unJaena AI, a Korean entity operating at https://app.unjaena.com, acts as the data controller for personal data processed through this Service.
Data Protection Officer (DPO): Ian Park
Email: dpo@unjaena.com
EU Representative (GDPR Article 27): For data subjects in the EEA, our EU representative can be reached via dpo@unjaena.com. Dedicated EU representative contact details will be published upon formal appointment.
General contact: contact@unjaena.com
2. Legal Basis for Processing
We process personal data on the following legal bases: 1. Performance of a Contract (GDPR Art. 6(1)(b) / PIPA Art. 15(1)(4)): Account creation, case management, evidence processing, and delivery of analysis results. 2. Legitimate Interests (GDPR Art. 6(1)(f)): Platform security, fraud prevention, service quality improvement, and system reliability. 3. Legal Obligation (GDPR Art. 6(1)(c) / PIPA Art. 15(1)(2)): Tax record-keeping, data breach notification, and responses to lawful government requests. 4. Consent (GDPR Art. 6(1)(a) / PIPA Art. 15(1)(1)): Analytics cookies, marketing communications, and processing of sensitive information. You may withdraw consent at any time without affecting the lawfulness of prior processing. 5. Public Interest and Legitimate Forensic Purposes: The Service is designed for authorized forensic investigators and law enforcement. Processing of uploaded forensic evidence is performed under the lawful authority of the uploading user.
3. Categories of Personal Data Collected
We collect and process the following categories of personal data:
[Required Items]
1. Account Information: Email address, name, profile information, authentication credentials (managed by Clerk). Purpose: Account creation, authentication, service delivery.
2. Payment and Billing Data: Billing name, address, payment method details, transaction history. Purpose: Payment processing, tax compliance. Note: Payments are handled by Paddle.com Market Ltd as Merchant of Record. We do not directly store full payment card details.
[Optional Items]
- Organization name, job title
[Forensic Analysis Data]
3. Forensic Case Data: Digital forensic artifacts uploaded by users through the Collector tool, processed solely for forensic analysis and automatically deleted after the retention period. This includes:
(a) System Artifacts: Filesystem metadata (MFT, file attributes, timestamps), Registry data (system settings, user activity records), Windows event logs, Prefetch files (program execution records), USB device connection history, Network logs (connection records, DNS cache), Recycle Bin deleted file metadata, Shell Items (LNK files, Jump Lists), Scheduled Tasks, PowerShell history, BITS Jobs.
(b) User Activity: Browser visit/download/search history, Email metadata, Cloud sync logs, Application usage records.
(c) Volatile Data: Memory dumps (RAM snapshots, process memory).
(d) Mobile Devices (iOS/Android): Device system info, installed apps, Wi-Fi history, call/SMS/contact logs, Messenger chat history (KakaoTalk, Telegram, LINE, WhatsApp, iMessage, etc.), Social media activity (Instagram, Facebook, etc.), Location data and route history, Financial app data, Browser and email data.
(e) Disk Images and Other OS: Full disk images (E01/RAW format), macOS artifacts (Unified Log, FSEvents, Keychain, Launch Agents/Daemons), Linux artifacts (auth/syslog/kern logs, shell history, SSH, crontab, Docker, web server logs).
Note: The above data may contain personal and sensitive information. Separate notice is provided during the data collection consent step. Purpose: AI-powered forensic analysis, report generation. Users are responsible for ensuring lawful authority to upload such data.
4. Malware Samples: Executable files and suspicious binaries submitted for analysis. Purpose: Malware identification, behavioral analysis.
[Automatically Collected]
5. Usage and Technical Data: IP address, browser type, device information, access timestamps, feature usage patterns. Purpose: Service operation, security monitoring, troubleshooting.
6. Communication Data: Support requests, feedback, correspondence. Purpose: Customer support.
7. Cookie Data: Cookie identifiers, session tokens. Purpose: Authentication, preferences, analytics (see Cookies section).
Collection Methods:
1. Direct input during registration and service use
2. Artifact uploads through the Collector tool
3. Automatically generated information during service use (server logs, cookies, device information)
4. How We Use Your Data
Your data is used for: (1) Service Delivery — operating the platform, processing cases, generating reports; (2) Account Management — authentication, subscription management; (3) Payment Processing — through Paddle as Merchant of Record; (4) Security — protecting against unauthorized access, fraud detection; (5) Service Improvement — aggregate usage analysis, performance optimization; (6) Legal Compliance — applicable laws, lawful authority requests; (7) Communication — service notifications, security alerts, policy updates. We adhere to the principle of data minimization (GDPR Art. 5(1)(c) / PIPA Art. 3(1)). We collect only data necessary for specified purposes.
5. Data Retention Periods
1. Forensic Case Data and Malware Samples: 30 days from upload (default, configurable by user). Users may select shorter retention periods through account settings. Permanently destroyed upon expiration. 2. Account Information: Duration of active account. Upon deletion request, removed within 30 days subject to legal retention obligations. 3. Payment and Billing Records: 5 years from transaction date (required by Korean tax law and EU VAT regulations). 4. Server Logs: 90 days, then automatically purged. 5. Communication Records: Duration of account plus 1 year. 6. Consumer Complaint or Dispute Records: 3 years (required by Korean Act on Consumer Protection in Electronic Commerce). 7. Contract or Subscription Records: 5 years (required by Korean Commercial Act). When retention periods expire, data is destroyed per our destruction procedures described in this policy.
6. Data Processors and Entrustees
Per GDPR Article 28 and PIPA Article 26, we engage the following data processors, each bound by data processing agreements:
1. Clerk, Inc. (United States) — User authentication, identity management. Contact: https://clerk.com/legal/privacy - Retention: Deleted upon account closure
2. RunPod, Inc. (United States) — GPU compute infrastructure for AI forensic analysis. Contact: https://www.runpod.io/privacy-policy - Retention: Deleted immediately after analysis completion
3. Cloudflare, Inc. (United States) — Encrypted object storage (R2), CDN, DDoS protection. Contact: https://www.cloudflare.com/privacypolicy/ - Retention: User-configured period (default 30 days)
4. Google LLC (United States) — Social login (Google OAuth). Contact: https://support.google.com/accounts - Retention: Deleted upon session end
5. Paddle.com Market Ltd (United Kingdom) — Merchant of Record for payments, billing, tax, refunds. Paddle acts as an independent controller for payment transaction data. Contact: https://www.paddle.com/legal/privacy - Retention: Legal requirement (5 years)
Sub-Processor Changes: We will notify users at least 30 days in advance of any changes to our data processors, including additions or replacements. If you object to a new processor, you may terminate your account.
7. Cross-Border Data Transfers
Your data may be transferred to:
1. United States: RunPod (compute), Cloudflare (storage), Clerk (authentication)
2. United Kingdom: Paddle (payment processing)
3. Republic of Korea: unJaena AI (primary operations)
Safeguards:
- EEA/UK transfers: Standard Contractual Clauses (SCCs) per GDPR Articles 44-49, with Transfer Impact Assessments.
- Korea: Compliance with PIPA Articles 28-2 and 28-3, with equivalent data protection standards.
- Japan: Compliance with APPI Article 28, ensuring equivalent protection levels.
- China: Where applicable, compliance with PIPL Articles 38-39, including separate consent for cross-border transfer.
All forensic data is encrypted with AES-256-GCM before transfer. Data is transmitted over TLS 1.2+ connections.
Consent Withdrawal: You may withdraw consent for international data transfer at any time by contacting dpo@unjaena.com. Withdrawal may limit your ability to use certain Service features that require cross-border data processing.
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only: 1. With Data Processors as described above, under binding agreements. 2. When required by law, regulation, or valid legal process (with notification where legally permitted). 3. To protect the rights, property, or safety of unJaena AI, our users, or the public. 4. In connection with a merger, acquisition, or asset sale (with notice to affected users). 5. With your explicit consent. Forensic case data and malware samples are never shared between users. Each user's data is logically isolated.
9. Sensitive Information
Forensic evidence may contain sensitive personal information including biometric data, health records, financial information, communications data, or information revealing political opinions or religious beliefs. 1. User Responsibility: Users uploading forensic data must ensure lawful authority and, where required, appropriate legal basis (including separate consent under PIPA Art. 23 and PIPL Art. 29) to process sensitive information. 2. Separate Consent: Where Korean law (PIPA) or Chinese law (PIPL) applies and sensitive information is knowingly processed, we obtain separate, specific consent. 3. Purpose Limitation: Sensitive information within forensic data is processed solely for forensic analysis as directed by the user. 4. Enhanced Protection: All forensic data is encrypted with AES-256-GCM using per-case isolated keys with strict access controls.
10. Automated Decision-Making and AI Processing
Per GDPR Article 22 and PIPA Article 37-2: 1. Our Service uses AI (LLMs, MITRE ATT&CK mapping, malware behavioral analysis, semantic search, timeline reconstruction) as core analytical tools. 2. No Solely Automated Decisions with Legal Effect: AI analysis produces advisory reports for human investigators. The Service does not autonomously make legal determinations or enforcement actions. 3. Human Oversight: Results are intended for review by qualified professionals. 4. Your Rights: You may obtain information about the logic involved, request human review, express your views, and contest findings. Contact: dpo@unjaena.com 5. AI analysis may contain inaccuracies. Users should independently verify critical findings. We have conducted Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing operations involving AI analysis of forensic evidence. DPIA summaries are available upon request to dpo@unjaena.com. This disclosure is provided pursuant to GDPR Article 22, PIPA Article 37-2, and AI Basic Act Article 4.
11. Your Data Subject Rights
You may exercise these rights through your account settings menu or by contacting dpo@unjaena.com.
1. Right of Access (GDPR Art. 15 / PIPA Art. 35)
2. Right to Rectification (GDPR Art. 16 / PIPA Art. 36)
3. Right to Erasure (GDPR Art. 17 / PIPA Art. 36)
4. Right to Restriction of Processing (GDPR Art. 18)
5. Right to Data Portability (GDPR Art. 20)
6. Right to Object (GDPR Art. 21 / PIPA Art. 37)
7. Right to Withdraw Consent (GDPR Art. 7(3) / PIPA Art. 37)
8. Right Regarding Automated Decisions (GDPR Art. 22 / PIPA Art. 37-2)
Response Timeframes:
- Korea (PIPA): Within 10 days
- EU/EEA (GDPR): Within 30 days (extendable by 60 days for complex requests)
- Japan (APPI): Without undue delay
We may verify your identity before processing requests. No fee for reasonable requests.
12. Right to Lodge a Complaint
You may file a complaint with a supervisory authority:
1. Korea — Personal Information Protection Commission (PIPC): https://www.pipc.go.kr, +82-2-2100-3399
   - Korea Internet & Security Agency (KISA): privacy.kisa.or.kr / 118
   - Personal Information Dispute Mediation Committee (KOPICO): kopico.go.kr / 1833-6972
   - Supreme Prosecutors' Office Cyber Investigation Division: spo.go.kr / 1301
   - National Police Agency Cyber Bureau: ecrm.police.go.kr / 182
2. EU — Data Protection Authority of your member state (e.g., Ireland DPC, France CNIL, Germany BfDI)
3. Japan — Personal Information Protection Commission (PPC): https://www.ppc.go.jp
4. United Kingdom — Information Commissioner's Office (ICO): https://ico.org.uk
We encourage contacting dpo@unjaena.com first to resolve concerns directly.
13. Children's Data
The Service is intended exclusively for adults. Minimum age: 18. We do not knowingly collect data from individuals under 18. This exceeds requirements of GDPR Art. 8 and COPPA. If we discover data from a minor was collected, we will promptly delete it and terminate the associated account. Contact dpo@unjaena.com if you believe we have collected data from a minor. Forensic evidence uploaded by adult users may incidentally contain data relating to minors. The uploading user bears responsibility for compliance with child protection laws.
14. Cookies and Tracking Technologies
1. Strictly Necessary: Authentication sessions (Clerk), CSRF tokens. Cannot be disabled. Duration: session to 30 days. 2. Functional: Language preference, theme settings. Duration: 1 year. 3. Analytics: Anonymized usage data for service improvement. Set only with your consent. Duration: up to 1 year. 4. We do NOT use: advertising cookies, social media tracking pixels, or cross-site tracking. Upon your first visit, you will be presented with a cookie preference dialog allowing you to accept or reject non-essential cookies. You may manage cookie preferences through your account settings or browser controls. Disabling essential cookies may impair Service functionality.
15. Data Breach Notification
1. Supervisory Authorities: We will notify relevant authorities within 72 hours of becoming aware of a breach likely to risk rights and freedoms (GDPR Art. 33 / PIPA Art. 34). 2. Affected Data Subjects: Where a breach poses high risk, we will notify affected users without undue delay, including: nature of breach, data affected, likely consequences, measures taken, and DPO contact. 3. Preventive Measures: AES-256-GCM encryption, TLS 1.2+, strict access controls, regular security assessments, and logical data isolation.
16. Data Destruction Methods
Per PIPA Article 21: 1. Forensic data: Cryptographic erasure through deletion of per-case AES-256-GCM keys, followed by permanent deletion from storage. 2. Database records: Secure deletion from PostgreSQL with verification. 3. Object storage (R2): Permanent object deletion with verification. 4. Logs: Automatic purge after 90-day retention. 5. Backups: Destroyed within 30 days of primary data deletion. Destruction is logged and auditable across all storage systems.
17. Security Measures
We implement the following measures for personal information security:
Technical Measures:
- AES-256-GCM encryption for all data at rest
- TLS 1.2+ encryption for all data in transit
- Per-case isolated encryption keys
- Regular security assessments and penetration testing
Administrative Measures:
- Minimized personal information access rights
- Staff security training
- Personal information processing records maintenance
Physical Measures:
- Use of certified data centers with ISO 27001 and SOC 2 compliance
Access to personal data is restricted to authorized personnel on a need-to-know basis. All staff and contractors with data access are bound by confidentiality obligations.
18. Changes to This Privacy Policy
1. Advance Notice: At least 30 days before material changes take effect, via email and in-service notification. 2. Material Changes include: new data categories, new processing purposes, changes to sharing/transfer practices, retention period changes, changes to rights. 3. Continued Use after the effective date constitutes acknowledgment. If you disagree, discontinue use and request account/data deletion. 4. Translation: Available in Korean, English, Japanese, and Chinese. In case of conflict, the Korean version prevails for Korean law matters; the English version prevails otherwise.
19. Contact Information
Data Protection Officer: dpo@unjaena.com
Response: Within 10 business days (PIPA) / 30 calendar days (GDPR)
General Inquiries: contact@unjaena.com
Website: https://app.unjaena.com
EU Representative: Contact via dpo@unjaena.com
unJaena AI, Republic of Korea
Effective: April 6, 2026