Privacy Policy
1. Who we are
The data controller for personal information processed through orienteller.com (the “Service”) is MonoInc Inc., a corporation registered in the Republic of Korea (Business Registration Number 866-35-01473), operating at Room 101, Dream Plaza B138, Yeongjung-ro, Yeongdeungpo-gu, Seoul 07255, Republic of Korea. Contact: [email protected] (general support: [email protected]).
1-1. Chief Privacy Officer (CPO)
Pursuant to Article 31 of the Personal Information Protection Act of Korea, we appoint a Chief Privacy Officer with overall responsibility for personal information processing:
- Name / Title: Hyohun Kim · CEO
- Contact: [email protected]
- Responsibilities: Setting and enforcing privacy policy, safeguarding data-subject rights, breach response, processor oversight.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, salted bcrypt password hash, account creation timestamp | You provide at signup |
| Birth data (chart inputs) | Subject name (optional), date and time of birth, birth place, gender, hour-unknown flag, daylight-saving / longitude options | You provide when drawing a reading |
| Reading content | The computed Palja chart, deterministic analysis, and the AI-generated narrative reading associated with your account | Generated by the Service |
| Wallet and credit logs | Credit balance, grant/spend history, reason codes | Generated by the Service |
| Payment data | We do not store your card or bank details. Gumroad collects and processes those directly. We receive only the order ID, pack identifier, amount, currency, and country code. | Gumroad (Merchant of Record) |
| Technical data | IP address (in server logs, short-term), user-agent string, request paths and timestamps | Your browser and our servers |
| Cookies | One first-party session cookie (HMAC-signed, HttpOnly, Secure, SameSite=Lax). No third-party tracking cookies. | Set by our server |
3. Why we process it (purposes and legal bases)
- Provide the Service (contract; Personal Information Protection Act of Korea, art. 15(1)(4)): authenticate you, compute your chart, generate and store readings, manage your credit wallet.
- Process payments (contract; GDPR art. 6(1)(b)): via Gumroad as Merchant of Record. Gumroad is an independent controller for payment, tax, and fraud-prevention purposes.
- Security and abuse prevention (legitimate interests; GDPR art. 6(1)(f)): short-term server logs to detect attacks, abuse, and failures.
- Customer support (legitimate interests / contract): handling refund and account questions.
- Legal compliance (legal obligation): tax record retention as required by Korean law.
We do not use your data for behavioural advertising, train any model on your readings, or sell your data.
4. Who we share it with
- Gumroad, Inc. (UK) — Merchant of Record. Processes your payment, billing email, country, and tax-relevant identifiers. Gumroad Privacy Policy.
- Anthropic, PBC (USA) — provider of the language model that generates reading prose. When you draw a reading, we transmit the deterministic chart, your configured options, and your subject name (if any) as prompt context. We do not transmit your email, password, payment details, IP, or account history. Anthropic processes this data as our processor under commercial terms and, per its policy, does not use API inputs to train models.
- Cloudflare, Inc. (USA / global edge) — CDN and tunnel provider. Cloudflare processes request metadata (IP, headers) to deliver traffic to our origin.
- Hosting infrastructure — the Service runs on hardware located in the Republic of Korea operated by us.
- We may share data when required by law, court order, or to protect rights, property, or safety.
5. International transfers
Gumroad (UK), Anthropic (USA), and Cloudflare (global) are located outside the Republic of Korea. Where required (e.g., EU/EEA data subjects), transfers rely on Standard Contractual Clauses or equivalent safeguards. Korean users acknowledge cross-border transfer of the data categories above under PIPA art. 28-8 as a necessary part of using the Service; without these processors we cannot generate AI readings or accept global payments.
6. Retention
- Account, wallet, and reading data: retained while your account is active. Deleted within 30 days after account closure, except where retention is required by law.
- Server logs containing IP: rolling 30 days.
- Tax-relevant transaction records: 5 years (Korean Framework Act on National Taxes art. 85-3) or longer where local tax law requires; Gumroad retains separately under its policy.
- Backups: encrypted snapshots are rotated and overwritten within 60 days.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Have inaccurate data corrected;
- Have your data deleted (subject to retention obligations above);
- Restrict or object to certain processing;
- Receive a portable copy of data you provided;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with a supervisory authority — in Korea, the Personal Information Protection Commission (PIPC, pipc.go.kr); in the EU/EEA, your local DPA; in the UK, the ICO.
To exercise these rights, email [email protected] from the address on your account. We respond within 30 days.
8. Security
- Passwords stored as bcrypt hashes; we never see your password.
- HTTPS-only (HSTS via Cloudflare) for all traffic.
- Session cookies are HttpOnly, Secure, SameSite=Lax, HMAC-signed.
- SQLite database with WAL on dedicated hardware, with access restricted to the operator.
- Periodic offsite encrypted backups.
- Payment card data is never received or stored by us — it is processed entirely by Gumroad.
9. Children
The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has signed up, contact us and we will delete the account.
10. Cookies
We use a single first-party session cookie strictly necessary to keep you signed in. No consent banner is required for strictly necessary cookies under EU rules. We do not use third-party analytics or advertising cookies.
11. Changes to this policy
We will announce material changes via email or a site banner at least 14 days before they take effect.
12. Contact and complaints
Privacy contact: [email protected]
Korean Personal Information Protection Commission (PIPC):
pipc.go.kr · Privacy
infringement reporting center 118 (without area code, from Korea).