Privacy Policy
Effective date: 10 June 2026
Article 1 — Purpose and General Provisions
Sapphire Stream Technology (hereinafter "the Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) in order to protect the personal information of data subjects and to handle related grievances promptly and smoothly. This Policy applies to the website operated by the Company (sapphirelink.com) and covers the Company's B2B enquiry service, which does not require account registration or login.
Article 2 — Personal Information Collected and Methods of Collection
The Company collects personal information as set out below.
| Category | Items collected | Purpose | Retention period |
|---|---|---|---|
| Contact form (direct input) | Name, email address, company name, job title, industry, phone number (optional), enquiry content | Receiving and responding to sales enquiries, project consultation | 1 year after enquiry is resolved |
| Google OAuth (optional) | Name and email address from Google account | Contact form auto-fill, email verification | Until form submission (held only in the user's browser) |
| Automatically collected | IP address, User-Agent, access logs, cookies | Security, service operation, authentication request verification | Until the purpose of service operation is fulfilled |
| Analytics (Google Analytics 4, PostHog) | Anonymous behaviour events (page views, the options selected during the enquiry, scrolling, link clicks), device and browser information | Service improvement analytics | Until the purpose of analytics is fulfilled |
The information you enter in the contact form, together with your progress through the enquiry, remains only in your browser until you submit it and is not stored on the Company's servers or databases. Once submitted, your enquiry is forwarded to the Company's email solely for handling your consultation — this is the only form in which it is retained.
Article 3 — Purposes of Processing Personal Information
The Company processes collected personal information for the following purposes only.
① Receiving and responding to enquiries: submitted name, email, and enquiry content are received and replied to by the sales team.
② Service improvement analytics: anonymous behaviour events and the enquiry process are analysed to improve user experience.
③ Security and authentication: processing is performed to prevent request forgery (CSRF), to confirm the integrity of external authentication, and to manage access logs.
Personal information is not used for any purpose beyond those stated above. In the event of a change in purpose, separate consent will be sought in accordance with Article 18 of PIPA.
Article 4 — Retention and Use Period
As a rule, the Company destroys personal information without delay once the purpose of collection and use has been fulfilled.
① Contact form submissions: retained for 1 year after the enquiry is resolved (or for any period required by applicable law).
② Analytics event data: retained until the purpose of analytics is fulfilled. Analytics data is collected and stored in a form that does not identify individuals; see Article 10 for how to refuse collection.
③ Access logs: access logs generated for security purposes are retained in accordance with hosting infrastructure policies and applicable law, and destroyed thereafter.
Article 5 — Provision of Personal Information to Third Parties
The Company does not provide personal information of data subjects to third parties beyond the scope stated in Article 3, except in the following cases.
① Where the data subject has given consent.
② Where there is a special statutory provision or where it is unavoidably necessary to comply with a legal obligation.
Sub-processing and international transfers are described separately in Articles 6 and 7.
Article 6 — Entrustment of Personal Information Processing
To provide its services smoothly, the Company entrusts personal information processing activities to the following parties.
| Sub-processor | Entrusted task |
|---|---|
| Google LLC | Google OAuth authentication service |
| Email delivery infrastructure provider | Sending and delivering enquiry emails |
| Web hosting / server provider | Website operation and access log retention |
| Analytics service providers (Google Analytics 4, PostHog) | Anonymous behaviour analytics and measurement for service improvement |
Article 7 — International Transfers of Personal Information
The Company transfers personal information internationally as set out below.
| Recipient | Country | Data transferred | Purpose | Timing & method of transfer | Retention period |
|---|---|---|---|---|---|
| Google LLC | United States | Name, email address | Google OAuth authentication | HTTPS network transfer during Google OAuth authentication | Until authentication is completed |
| Email delivery infrastructure provider | United States (and others) | Name, email, enquiry content | Sending enquiry emails | HTTPS transfer when sending enquiry email | Deleted after delivery |
| PostHog, Inc. | United States | Anonymous behaviour events | Service improvement analytics | HTTPS transfer on each analytics event | Until analytics purpose is fulfilled |
| Google LLC (GA4) | United States | GA4 measurement cookies, anonymous events | Visitor behaviour analytics | HTTPS transfer on page view / event | Until analytics purpose is fulfilled |
If you do not wish personal information to be transferred internationally, you may enter your name and email directly in the contact form without using Google authentication. To decline the transfer of analytics data, block cookies in your browser settings or use the refusal methods described in Article 10 below.
Article 8 — Destruction of Personal Information
When the retention period has elapsed or the purpose of processing has been fulfilled, the Company destroys personal information without delay.
① Electronic files: permanently deleted by a method that prevents restoration.
② Printed materials: shredded or incinerated.
Where retention is required by law, the information is stored separately for the required period before destruction.
Article 9 — Rights and Obligations of Data Subjects and How to Exercise Them
Data subjects may exercise the following rights against the Company at any time.
① Right to request access to personal information
② Right to request correction of errors
③ Right to request deletion
④ Right to request suspension of processing
⑤ Right to withdraw consent
Rights may be exercised by emailing the Privacy Officer named in Article 14, and the Company will respond without delay. Where a data subject exercises a right, the Company will notify the data subject of the outcome within 10 days in accordance with Article 41 of the Enforcement Decree of PIPA.
Article 10 — Installation and Operation of Automatic Data Collection Devices (Cookies and Analytics)
The Company uses cookies and browser storage as follows.
① Language preference cookie: retains the user’s language selection.
② Authentication cookies: used to prevent request forgery (CSRF) and to handle external authentication.
③ Temporary browser storage: used to restore contact form input after returning from external authentication — deleted immediately after restoration.
④ Analytics tools: the Company uses web analytics tools (Google Analytics 4, PostHog) to analyse how the service is used. In doing so, the analytics tools may use cookies (such as the GA4 _ga cookie) and similar technologies (browser storage). The information collected consists of visit records (page views), behaviour events (steps and options selected during the enquiry, scrolling, link clicks), and device and browser information — all collected in a form that does not identify individuals.
⑤ Session Replay: to analyse service usage flows and improve user experience (UX), the Company may record and replay screen interactions (clicks, scrolling, and input screens) for a sample of sessions. All input field values are masked and not recorded (maskAllInputs); areas marked as personal information ([data-pii]) are masked; and sensitive areas ([data-no-record]) are excluded from recording entirely. Session recordings are processed in a form that does not identify individuals. Recordings are retained until the purpose of analysis is fulfilled, in line with the retention periods in Article 6.
You can refuse collection as follows.
· Block or delete cookies in your browser settings (Settings → Privacy → Block cookies). Note that blocking cookies may prevent some features (such as language preference) from working correctly.
· Refuse Google Analytics collection by installing the browser add-on provided by Google (tools.google.com/dlpage/gaoptout).
· If you do not use the contact form, no contact information is collected.
Article 11 — Use of External Authentication Services (Google OAuth)
The Company may optionally use Google OAuth to verify the enquirer's email address before submitting the contact form.
① When you click the Google login button, you are redirected to the Google authentication screen.
② The Company receives your name and email address from your Google account only if you consent on the Google authentication screen.
③ The Company does not collect your Google account password.
④ Information received from your Google account is used solely for contact form auto-fill, enquirer identification, and enquiry processing.
⑤ The Company's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy and the Limited Use requirements.
You may also enter your name and email directly in the contact form without using Google authentication; this is the method for declining the international transfer.
Article 12 — Children Under 14 and Sensitive Information
The Company does not provide services to children under the age of 14 and does not intentionally collect personal information from them. If it is confirmed that personal information of a child under 14 has been collected, it will be destroyed without delay. The Company does not collect sensitive personal information such as national identification numbers, passport numbers, health information, or financial information. Users must not enter such information in the enquiry form.
Article 13 — Measures to Ensure the Security of Personal Information
The Company takes the following technical and administrative security measures to protect personal information.
① Technical measures: HTTPS enforcement, secure separate storage of API keys and authentication secrets, and input masking.
② Administrative measures: minimisation of personnel handling personal information, restricted administrator access, regular security reviews.
③ Physical measures: controlled access to server rooms.
Article 14 — Privacy Officer
The Company designates a Privacy Officer to oversee personal information processing and to handle related grievances.
Privacy Officer Email: privacy@sapphirestreamtech.com
Data subjects may direct all enquiries, complaints, and requests for remedy relating to personal information arising from use of the Company's services to the contact above.
Article 15 — Remedies for Infringement of Rights
Data subjects may apply to the following bodies for dispute resolution or consultation regarding infringement of personal information rights.
① Personal Information Dispute Mediation Committee | Phone: 1833-6972 | Website: www.kopico.go.kr
② Personal Information Infringement Report Centre (KISA — Korea Internet & Security Agency) | Phone: 118 | Website: privacy.kisa.or.kr
③ Supreme Prosecutors' Office — Cyber Investigation Division | Phone: 1301
④ National Police Agency — Cyber Investigation Bureau | Phone: 182 | Website: ecrm.police.go.kr
Article 16 — Amendments to this Policy and Notice of Effective Date
This Policy takes effect on 10 June 2026. When this Privacy Policy is amended, the Company will post the changes on this page and, for material changes, provide separate notice via a website announcement or email. Previous versions of the Policy are retained and available on request.