Skip to content

Privacy Policy

Last updated: 2026-04-06

unJaena AI ("the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data. This policy is written to reflect key requirements of the Korean Personal Information Protection Act (PIPA), EU General Data Protection Regulation (GDPR), Japan's Act on Protection of Personal Information (APPI), and China's Personal Information Protection Law (PIPL). Effective date: April 6, 2026.

1. Data Controller, Processor Roles, and Jurisdictional Representatives

unJaena (Korean legal name: 언제나), a Korean business operating at https://app.unjaena.com, acts as the Data Controller for personal data processed through this Service. [Controller / Processor Split for Analysis Services] For data uploaded by users for analysis (digital forensic artifacts, malware samples, contracts), the **user (or the user's organization) is the Data Controller** under GDPR Article 4(7) / PIPA Article 2(5), and **unJaena acts as Data Processor** under GDPR Article 28 / PIPA Article 26. unJaena processes such uploaded data only on documented instructions from the user (specifically: the analysis task selected at upload time and the consent terms accepted) and applies the technical and organizational measures described in this policy. For account, billing, authentication, marketing, and service-operation data, unJaena is the Data Controller. [Business Registration] · Business name: unJaena (Korean: 언제나) · CEO: 함륜석 (Ryunseok Ham) · Business Registration Number: 857-21-02506 · Address: My Workspace #6-291, Stark Gangnam Building, 8 Gangnam-daero 53-gil, Seocho-gu, Seoul 06621, Republic of Korea · Phone: +82-2-5678-030 · Email: contact@unjaena.com Data Protection Officer (DPO / CPO): Ryan Ham Email: dpo@unjaena.com General contact: contact@unjaena.com Privacy requests: privacy@unjaena.com [Jurisdictional Representatives] · EU/EEA Representative (GDPR Article 27): Data subjects in the EEA may reach us via dpo@unjaena.com. We periodically reassess eligibility for the Art. 27(2)(a) exemption (occasional processing, small-scale, no special category data on regular basis) and will appoint a dedicated EU Representative (e.g., Prighter or equivalent) if thresholds are met. · UK Representative (UK GDPR Article 27): Data subjects in the UK may reach us via dpo@unjaena.com. A dedicated UK Representative will be appointed when the scale of UK data subject processing requires it. · Brazil LGPD (Article 5 XIV / Article 41): For Brazilian data subjects and ANPD (Autoridade Nacional de Proteção de Dados) inquiries, contact dpo@unjaena.com. The above DPO has been designated as the Data Protection Officer under LGPD. · United States (CCPA/CPRA): California residents may exercise their rights or contact us regarding the California Privacy Protection Agency (CPPA) via privacy@unjaena.com or the /legal/do-not-sell page. · Japan (APPI): Data subjects in Japan may contact us via dpo@unjaena.com and may also file complaints with Japan's Personal Information Protection Commission (PPC). · South Korea: Complaints may be filed with the Personal Information Protection Commission (PIPC) at www.pipc.go.kr or 118.

2. Legal Basis for Processing

We process personal data on the following legal bases: 1. Performance of a Contract (GDPR Art. 6(1)(b) / PIPA Art. 15(1)(4)): Account creation, case management, evidence processing, and delivery of analysis results. 2. Legitimate Interests (GDPR Art. 6(1)(f)): Platform security, fraud prevention, service quality improvement, and system reliability. 3. Legal Obligation (GDPR Art. 6(1)(c) / PIPA Art. 15(1)(2)): Tax record-keeping, data breach notification, and responses to lawful government requests. 4. Consent (GDPR Art. 6(1)(a) / PIPA Art. 15(1)(1)): Analytics cookies, marketing communications, and processing of sensitive information. You may withdraw consent at any time without affecting the lawfulness of prior processing. 5. Public Interest and Legitimate Forensic Purposes: The Service is designed for authorized forensic investigators and law enforcement. Processing of uploaded forensic evidence is performed under the lawful authority of the uploading user.

3. Categories of Personal Data Collected

We collect and process the following categories of personal data: [Required Items] 1. Account Information: Email address, name, profile information, authentication credentials. Purpose: Account creation, authentication, service delivery. 2. Payment and Billing Data: Billing name, address, payment method details, transaction history. Purpose: Payment processing, tax compliance. Note: Payments are handled by Paddle.com Market Ltd as Merchant of Record. We do not directly store full payment card details. [Optional Items] - Organization name, job title [Forensic Analysis Data] 3. Forensic Case Data: Digital forensic artifacts uploaded by users through the Collector tool, processed solely for forensic analysis and processed for deletion after the retention period. This may include system artifacts, user activity records, browser, email, and application traces, mobile device data, and operating-system logs or configuration records. Note: The above data may contain personal and sensitive information. Separate notice is provided during the data collection consent step. Purpose: AI-powered forensic analysis, report generation. Users are responsible for ensuring lawful authority to upload such data. 4. Malware Samples: Executable files and suspicious binaries submitted for analysis. Purpose: Malware identification, behavioral analysis. [Automatically Collected] 5. Usage and Technical Data: IP address, browser type, device information, access timestamps, feature usage patterns. Purpose: Service operation, security monitoring, troubleshooting. 6. Communication Data: Support requests, feedback, correspondence. Purpose: Customer support. 7. Cookie Data: Cookie identifiers, session tokens. Purpose: Authentication, preferences, analytics (see Cookies section). Collection Methods: 1. Direct input during registration and service use 2. Artifact uploads through the Collector tool 3. Automatically generated information during service use (server logs, cookies, device information)

4. How We Use Your Data

Your data is used for: (1) Service Delivery — operating the platform, processing cases, generating reports; (2) Account Management — authentication, subscription management; (3) Payment Processing — through Paddle as Merchant of Record; (4) Security — protecting against unauthorized access, fraud detection; (5) Service Improvement — aggregate usage analysis, performance optimization; (6) Legal Compliance — applicable laws, lawful authority requests; (7) Communication — service notifications, security alerts, policy updates. We adhere to the principle of data minimization (GDPR Art. 5(1)(c) / PIPA Art. 3(1)). We collect only data necessary for specified purposes.

5. AI Training and Model Usage

We do NOT use your forensic case data, uploaded evidence, malware samples, or support conversations to train general-purpose AI or machine-learning models. This is a foundational principle of our service. - In-case processing: Within a single case analysis session, uploaded data is passed to our managed analysis pipeline solely to produce the user-requested analysis. Analysis requests and context are not retained for training by us or by any third-party AI provider (we do not relay analysis requests to OpenAI/Anthropic/Google by default). - Redaction: Before AI processing, we apply automated redaction to strip obvious sensitive-data patterns (national IDs, payment card numbers, API keys, etc.). - Improvement data: Aggregate, de-identified service metrics (query latency, feature usage frequencies) may be used to improve the service. These contain no uploaded content. - Opt-in exceptions: If we ever introduce an opt-in program to use anonymized evidence to improve our detection models, it will require explicit separate consent and you may withdraw at any time.

6. Data Retention Periods

1. Forensic Case Data and Malware Samples: 30 days from upload (default, configurable by user). Users may select shorter retention periods through account settings. Permanently destroyed upon expiration. 2. Account Information: Duration of active account. Upon deletion request, removed within 30 days subject to legal retention obligations. 3. Payment and Billing Records: 5 years from transaction date (required by Korean tax law and EU VAT regulations). 4. Server Logs: 90 days, then automatically purged. 5. Communication Records: Duration of account plus 1 year. 6. Consumer Complaint or Dispute Records: 3 years (required by Korean Act on Consumer Protection in Electronic Commerce). 7. Contract or Subscription Records: 5 years (required by Korean Commercial Act). When retention periods expire, data is destroyed per our destruction procedures described in this policy.

7. Data Processors and Entrustees

Per GDPR Article 28 and PIPA Article 26, we engage the following data processors, each bound by data processing agreements: 1. Clerk, Inc. (United States) — User authentication, identity management. Contact: https://clerk.com/legal/privacy - Retention: Deleted upon account closure 2. RunPod, Inc. (United States) — AI analysis processing infrastructure. Contact: https://www.runpod.io/privacy-policy - Retention: Processed according to purpose completion or the user-configured retention period 3. Cloudflare, Inc. (United States) — Security, network protection, content delivery, and data hosting infrastructure. Contact: https://www.cloudflare.com/privacypolicy/ - Retention: User-configured period or period necessary for service operation 4. Google LLC (United States) — Social login. Contact: https://support.google.com/accounts - Retention: Deleted upon session end 5. Paddle.com Market Ltd (United Kingdom) — Merchant of Record for payments, billing, tax, refunds. Paddle acts as an independent controller for payment transaction data. Contact: https://www.paddle.com/legal/privacy - Retention: Legal requirement (5 years) 6. Resend, Inc. (United States) — Transactional and notification email delivery (account verification, security alerts, retention notices, newsletter). Contact: https://resend.com/legal/privacy-policy - Retention: Email metadata up to 30 days; content not stored beyond delivery Sub-Processor Changes: We will notify users at least 30 days in advance of any changes to our data processors, including additions or replacements. If you object to a new processor, you may terminate your account.

8. Cross-Border Data Transfers

Your data may be transferred to: · United States: authentication, AI analysis processing, security infrastructure, and email delivery service providers · United Kingdom: payment, tax, and refund merchant-of-record provider · Republic of Korea: unJaena AI primary operations [Legal Transfer Mechanisms] 1. EU/EEA → non-adequate countries (US, UK): - GDPR Articles 44-49 - EU Commission Standard Contractual Clauses (SCCs, Decision 2021/914 — Modules 2 and 3) - EU-US Data Privacy Framework (DPF) where the US processor maintains DPF certification, used as a supplementary transfer basis - Transfer Impact Assessment (TIA) conducted and documented 2. United Kingdom (UK GDPR) → US: - UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs - UK-US Data Bridge adequacy decision (effective October 2023) 3. Republic of Korea → EU transfers: - Korea is subject to an EU adequacy decision (adopted December 2021), so no additional mechanism is required for transfers to Korea 4. Republic of Korea → US / UK / other non-adequate countries: - Separate consent under PIPA Article 28-8, or recognised protection schemes under Article 28-9 (e.g., CBPR, ISO/IEC 27701) 5. Japan (APPI) → EU / US: - EU adequacy decision adopted January 2019; US DPF-certified processors used where available (APPI Article 28) 6. China (PIPL) → EU / US (where applicable): - Separate consent, Standard Contract, or certified security assessment under PIPL Articles 38-39 [Safeguards] · Forensic data encryption · TLS 1.2+ in transit · Standard Data Processing Agreements (DPAs) with every processor · Annual Transfer Impact Assessment review Consent Withdrawal: You may withdraw consent for cross-border transfers at any time by contacting dpo@unjaena.com. Certain Service features rely on cross-border processing, so withdrawal may limit their availability. SCC / DPA Copies: Upon request to dpo@unjaena.com, we will provide redacted copies of the SCCs and DPAs we have in place with our key processors.

9. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only: 1. With Data Processors as described above, under binding agreements. 2. When required by law, regulation, or valid legal process (with notification where legally permitted). 3. To protect the rights, property, or safety of unJaena AI, our users, or the public. 4. In connection with a merger, acquisition, or asset sale (with notice to affected users). 5. With your explicit consent. Forensic case data and malware samples are never shared between users. Each user's data is logically isolated.

10. Sensitive / Special Category Information

Forensic evidence and contract documents may contain sensitive personal information. Under GDPR Article 9 special categories, this includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, data concerning sex life or sexual orientation. PIPL Article 28 additionally covers medical/health data, financial accounts, location tracking, and personal data of minors under 14. PIPA Article 23 covers ideology/belief, political views, health/sex life, genetic and biometric information, and criminal history. 1. User Responsibility: Users uploading forensic data must ensure lawful authority and, where required, appropriate legal basis (including explicit consent under GDPR Art. 9(2)(a), separate consent under PIPA Art. 23, and PIPL Art. 29) to process sensitive information. 2. Separate Consent: Where applicable law requires it and sensitive information is knowingly processed, we obtain separate, specific, explicit consent at the data collection consent step. 3. Purpose Limitation: Sensitive information within forensic / contract data is processed solely for the analysis task selected by the user. 4. Enhanced Protection: All forensic and contract data is encrypted with AES-256-GCM using per-case isolated keys with strict access controls. 5. GDPR Article 10 (Criminal-Offense Data): Forensic case data may include allegations or records of criminal conduct. Such data is processed under the controller-processor model (user is controller; unJaena is processor) and access is restricted to those acting under the user's authority for the analysis task.

11. Data Relating to Criminal Convictions and Offences (GDPR Art. 10)

Forensic evidence may qualify as "personal data relating to criminal convictions and offences or related security measures" under GDPR Art. 10 and equivalent Member State laws. This is separate from special-category data under GDPR Art. 9 and is subject to stricter processing conditions. 1. User's obligation to establish legal basis: EU/EEA users represent and warrant under our Terms of Service §21 (userWarranties) that they possess at least one of the following: (a) device ownership; (b) written consent of the data subject; (c) a valid court order or warrant; (d) a lawful forensic mandate recognised by Member State law (e.g., incident response, insurance investigation, corporate internal investigation). 2. Controller-Processor structure: The service is operated under a structure in which the uploading user is the Controller and the Company is the Processor. This structure is designed so that the user directly establishes the "control of official authority or authorisation by Member State law" basis required by Art. 10. 3. Member State specific laws: Where EU Member State laws specific to criminal offence data processing apply to the user (e.g., Germany BDSG, France Loi Informatique et Libertés, UK DPA 2018 Schedule 1), the user must independently comply with any additional requirements (registration, notification, reporting, etc.) such laws impose. 4. Korea, Japan, US, Brazil, other jurisdictions: Users must comply with applicable regional laws — Korea PIPA Art. 18 and the Act on the Lapse of Criminal Sentences, Japan's Criminal Investigation Rules and requiring-consideration-personal-information provisions, US federal/state laws, Brazil LGPD and Lei de Acesso à Informação, and similar. 5. Our role: We act as a technical Processor, enter into a GDPR Art. 28 DPA with users, and process criminal-offence-related data solely on the user's documented instructions. We do NOT maintain a comprehensive register of criminal convictions.

12. Third-Party Data Subjects in Forensic Evidence

Forensic artifacts uploaded by our customers routinely contain personal data of individuals who are NOT our users (e.g., message recipients, photo subjects, call-log counterparties). Per GDPR Article 14 and equivalent laws, the source of this data is the uploading customer, who represents lawful authority to collect and analyze it under their forensic mandate (court order, incident response authorization, or data-subject consent). Rights of Third-Party Data Subjects: If you believe your personal data has been included in a case uploaded by someone else, you may exercise your rights (access, rectification, erasure, objection) through our public portal at https://app.unjaena.com/privacy/erasure-request or by emailing dpo@unjaena.com. We will verify your identity and route confirmed requests to the uploading customer as joint or sole controller of the specific case. Limitations: Requests may be denied or limited where: (a) the evidence is subject to a legal hold or ongoing criminal investigation; (b) erasure would impair the legitimate interest of the uploading customer in defending a legal claim; (c) audit-log retention under GDPR Art. 30 requires preservation. We document the basis for any denial. Retention: Case data is processed for deletion according to the retention period set by the uploading customer (default 30 days). Audit logs of processing activities are retained for 3 years per GDPR Art. 30.

13. Automated Decision-Making and AI Processing

Per GDPR Article 22 and PIPA Article 37-2: 1. Our Service uses AI models (MITRE ATT&CK mapping, malware behavioral analysis, semantic search, timeline reconstruction) as core analytical tools. 2. No Solely Automated Decisions with Legal Effect: AI analysis produces advisory reports for human investigators. The Service does not autonomously make legal determinations or enforcement actions. 3. Qualified-Investigator Oversight: Results are intended for review by qualified professionals. 4. Your Rights: You may obtain information about the logic involved, request a qualified-investigator review (analyst review), express your views, and contest findings. Contact: dpo@unjaena.com 5. AI analysis may contain inaccuracies. Users should independently verify critical findings. We have conducted Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing operations involving AI analysis of forensic evidence. DPIA summaries are available upon request to dpo@unjaena.com. This disclosure is provided pursuant to GDPR Article 22, PIPA Article 37-2, and AI Basic Act Article 4.

14. Your Data Subject Rights

You may exercise these rights via the Settings → Privacy page or by contacting dpo@unjaena.com. 1. Right of Access (GDPR Art. 15 / PIPA Art. 35 / LGPD Art. 18-II) 2. Right to Rectification (GDPR Art. 16 / PIPA Art. 36 / LGPD Art. 18-III) 3. Right to Erasure (GDPR Art. 17 / PIPA Art. 36 / LGPD Art. 18-VI) 4. Right to Restriction of Processing (GDPR Art. 18) 5. Right to Data Portability (GDPR Art. 20 / LGPD Art. 18-V) 6. Right to Object (GDPR Art. 21 / PIPA Art. 37 / LGPD Art. 18-VI) 7. Right to Withdraw Consent (GDPR Art. 7(3) / PIPA Art. 37 / LGPD Art. 8§5) 8. Right Regarding Automated Decisions (GDPR Art. 22 / PIPA Art. 37-2 / LGPD Art. 20) Response Timeframes: - Korea (PIPA): Within 10 days - EU/EEA (GDPR): Within 30 days (extendable by 60 days for complex requests) - UK (UK GDPR): Within 30 days (extendable by 60 days) - Japan (APPI): Without undue delay - Brazil (LGPD): Within 15 days - United States - California (CCPA/CPRA): Within 45 days (extendable by 45 days) We may verify your identity before processing requests. No fee for reasonable requests.

15. Right to Lodge a Complaint

You may file a complaint with a supervisory authority: 1. Korea — Personal Information Protection Commission (PIPC): https://www.pipc.go.kr, +82-2-2100-3399 - Korea Internet & Security Agency (KISA): privacy.kisa.or.kr / 118 - Personal Information Dispute Mediation Committee (KOPICO): kopico.go.kr / 1833-6972 - Supreme Prosecutors' Office Cyber Investigation Division: spo.go.kr / 1301 - National Police Agency Cyber Bureau: ecrm.police.go.kr / 182 2. EU — Data Protection Authority of your member state (e.g., Ireland DPC, France CNIL, Germany BfDI) 3. Japan — Personal Information Protection Commission (PPC): https://www.ppc.go.jp 4. United Kingdom — Information Commissioner's Office (ICO): https://ico.org.uk We encourage contacting dpo@unjaena.com first to resolve concerns directly.

16. California Residents (CCPA/CPRA Notice)

This section applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code §1798.100 et seq. Categories of Personal Information collected in the past 12 months (per §1798.140(v)): - Identifiers: name, email, IP address, account IDs - Customer records / commercial info: billing, transaction history - Internet/network activity: usage logs, feature interactions - Geolocation: approximate location derived from IP - Professional info: role, organization - Sensitive Personal Information (§1798.140(ae)): precise geolocation from EXIF (if in uploaded evidence), communications content (messages/emails in uploaded evidence), biometric identifiers (in uploaded forensic data), health information (if in uploaded evidence). SPI is handled under the Limit Use right. Sources: you, your Collector uploads, and third-party authentication you choose to use. Business/commercial purposes: forensic analysis, fraud prevention, account management, legal compliance. Categories of third parties: data processors listed above, government authorities under valid legal process. Sale/Share Disclosure: We do NOT sell or share Personal Information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as opt-out requests. Your Rights under CCPA/CPRA: 1. Right to Know what PI we collect, use, disclose, and sell/share (§1798.100, 110, 115) 2. Right to Delete (§1798.105) 3. Right to Correct (§1798.106) 4. Right to Opt-Out of Sale or Sharing (§1798.120) — we do neither, but the GPC signal still triggers a tracked opt-out 5. Right to Limit Use and Disclosure of Sensitive PI (§1798.121) 6. Right to Non-Discrimination for exercising any CCPA right (§1798.125) How to exercise: email dpo@unjaena.com or use the data-subject portal at https://app.unjaena.com/privacy/erasure-request. We will verify your identity and respond within 45 days (one 45-day extension available). Financial Incentives: none offered. Authorized Agents: you may designate an agent; written authorization and identity verification required.

17. Brazil (LGPD — Lei 13.709/2018)

This section applies to data subjects in Brazil under the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018). Legal bases (Art. 7): contract performance, legitimate interest, legal obligation, consent. Sensitive data bases (Art. 11): specific consent; legal obligation; health protection. Your rights (Art. 18): confirmation and access, correction, anonymization/blocking/deletion, portability, information about public and private entities with whom data has been shared, information about the possibility of denying consent, revocation of consent. International transfer (Art. 33): we transfer data based on standard contractual clauses and/or specific consent. Recipient countries and safeguards are listed in the Cross-Border Data Transfers section. DPO (Encarregado) contact: dpo@unjaena.com. Requests: handled within 15 days per Art. 19 §1 for confirmation of processing; longer for complex requests. You may also lodge a complaint with ANPD (Autoridade Nacional de Proteção de Dados, https://www.gov.br/anpd).

18. Canada (PIPEDA)

Personal information of Canadian residents is processed under the Personal Information Protection and Electronic Documents Act (PIPEDA). We comply with the 10 Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance. Accountable person: dpo@unjaena.com. You may challenge our compliance with PIPEDA and request access to your personal information through this contact. Unresolved concerns may be referred to the Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca.

19. Singapore (PDPA)

Personal data of individuals in Singapore is processed under the Personal Data Protection Act (PDPA) 2012. We comply with the 10 obligations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, accountability, data breach notification. DPO (Singapore): dpo@unjaena.com. Data-breach notifications to the PDPC are filed within 72 hours per §26D. You may lodge a complaint with the Personal Data Protection Commission (PDPC): https://www.pdpc.gov.sg.

20. Australia (Privacy Act 1988 — 13 APPs)

Personal information of Australian residents is handled under the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). We notify individuals of collection (APP 5), accept anonymous/pseudonymous interactions where practicable (APP 2), and disclose overseas recipients (APP 8). Sensitive information is collected only with consent (APP 3). Contact: dpo@unjaena.com. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au.

21. Children's Data

The Service is intended exclusively for adults. Minimum age: 18. We do not knowingly collect data from individuals under 18. This exceeds requirements of GDPR Art. 8 and COPPA. If we discover data from a minor was collected, we will promptly delete it and terminate the associated account. Contact dpo@unjaena.com if you believe we have collected data from a minor. Forensic evidence uploaded by adult users may incidentally contain data relating to minors. The uploading user bears responsibility for compliance with child protection laws.

22. Cookies and Tracking Technologies

1. Strictly Necessary: Authentication sessions, CSRF tokens. Cannot be disabled. Duration: session to 30 days. 2. Functional: Language preference, theme settings. Duration: 1 year. 3. Analytics: Anonymized usage data for service improvement. Set only with your consent. Duration: up to 1 year. 4. We do NOT use: advertising cookies, social media tracking pixels, or cross-site tracking. Upon your first visit, you will be presented with a cookie preference dialog allowing you to accept or reject non-essential cookies. You may manage cookie preferences through your account settings or browser controls. Disabling essential cookies may impair Service functionality.

23. Data Breach Notification

1. Supervisory Authorities: We will notify relevant authorities within 72 hours of becoming aware of a breach likely to risk rights and freedoms (GDPR Art. 33 / PIPA Art. 34). 2. Affected Data Subjects: Where a breach poses high risk, we will notify affected users without undue delay, including: nature of breach, data affected, likely consequences, measures taken, and DPO contact. 3. Preventive Measures: AES-256-GCM encryption, TLS 1.2+, strict access controls, regular security assessments, and logical data isolation.

24. Data Destruction Methods

Per PIPA Article 21: 1. Forensic data: processed through cryptographic erasure and documented deletion procedures. 2. Account, case, and analysis records: securely deleted with verification controls. 3. Service storage data: processed according to the applicable retention period or deletion request. 4. Logs: processed for deletion after the defined retention period. 5. Backups: processed under separate security procedures and backup retention schedules after primary data deletion. Destruction is logged in an auditable manner.

25. Security Measures

We implement the following measures for personal information security: Technical Measures: - AES-256-GCM encryption for all data at rest - TLS 1.2+ encryption for all data in transit - Per-case isolated encryption keys - Regular security assessments and penetration testing Administrative Measures: - Minimized personal information access rights - Staff security training - Personal information processing records maintenance Physical Measures: - Use of certified data centers with ISO 27001 and SOC 2 compliance Personal data access is governed by authentication, role-based authorization, least-privilege controls, and audit logging. Any operational handling is subject to confidentiality obligations.

26. Changes to This Privacy Policy

1. Advance Notice: At least 30 days before material changes take effect, via email and in-service notification. 2. Material Changes include: new data categories, new processing purposes, changes to sharing/transfer practices, retention period changes, changes to rights. 3. Continued Use after the effective date constitutes acknowledgment. If you disagree, discontinue use and request account/data deletion. 4. Translation: Available in Korean, English, and Japanese. In case of conflict, the Korean version prevails for Korean law matters; the English version prevails otherwise.

27. Contact Information

Data Protection Officer: dpo@unjaena.com Response: Within 10 business days (PIPA) / 30 calendar days (GDPR) General Inquiries: contact@unjaena.com Website: https://app.unjaena.com EU Representative: Contact via dpo@unjaena.com unJaena AI, Republic of Korea Effective: April 6, 2026