1. Principles (four core principles)
- Minimum collection — only data essential for the service.
- Minimum retention — data is destroyed promptly after the purpose is fulfilled; anonymization is preferred.
- No secondary use — no use beyond the purposes consented to at sign-up.
- Explicit consent — bundled consent is prohibited; consent is collected per item.
2. Collected and retained data
| Category | Items | Collected at | Retention |
|---|---|---|---|
| Identity (required) | user_id, email, password hash | Sign-up | While the account is active |
| Identity (optional) | Nickname, profile photo, bio | Sign-up / update | While the account is active |
| OAuth | External system_user_id, email | Connection | While the connection is active |
| Behavior | fan_signals (cheers, donations, reports) | On action | 30 days raw + permanent aggregates |
| Search / view | search_logs, view_logs | On action | 90 days |
| Payment | Payment records (PG responses) | On payment | 5 years (e-commerce law) |
| Receipt | Donation-receipt identifier (no national ID) | On donation | 5 years (tax law) |
| Device | IP hash, User-Agent hash, fingerprint | On action | 30 days |
| Consent records | consent_records | On consent | Permanent (legal evidence) |
3. No sensitive data
Backers100 does not collect any of the following sensitive categories.
- Resident registration numbers (donation receipts are issued directly by the NGO)
- Religion / political views / philosophical beliefs
- Health information / sexual orientation / ethnicity
- Criminal records
User-authored content in cheer messages or bios remains within the user's freedom of expression; Backers100 does not separately categorize or analyze such content.
4. Consent items (7)
| consent_type | When | Required / optional | If declined |
|---|---|---|---|
| terms_of_service | Sign-up | Required | Sign-up not permitted |
| privacy_policy | Sign-up | Required | Sign-up not permitted |
| fan_signal_tracking | Sign-up | Required | Sign-up not permitted (service essence) |
| cookies_analytics | Sign-up / first visit | Optional | Only anonymous analytics is performed |
| marketing_email | Sign-up / separate | Optional | No marketing emails (system emails are still sent) |
| donation_personal_info | First donation | Required (for donations) | Donations not permitted |
| data_processing_overseas | Sign-up | Required | Sign-up not permitted (Bedrock US) |
Bundled consent is prohibited; explicit checkboxes are presented per item.
5. Delegations and cross-border transfers
| Provider | Service | Location | Transferred data |
|---|---|---|---|
| AWS (Amazon Web Services Korea) | Hosting / DB / storage | Seoul region | All data |
| AWS Bedrock (Anthropic Claude) | AI analysis (sentiment, summary) | US-East-1 | Article bodies, entity metadata (no user PII) |
| Toss Payments | Payments | South Korea | Payment identifier, amount |
| NGO (per organization) | Donation settlement | South Korea | Donor email, amount |
| Cognito (AWS) | Authentication | Seoul region | user_id, email, password hash |
| Naver / Kakao / Google | OAuth authentication | Global | OAuth subject ID, email |
6. Data-subject rights (four core rights)
- Right of access (PIPA Art. 35): all personal data is accessible from the mypage; a JSON download is also provided. Processing time: immediate (within 10 seconds).
- Right of correction and deletion (Art. 36): nickname, profile, email, and cheer messages may be corrected or deleted by the user. Computed outputs such as the Fan Engagement tier are not subject to correction.
- Right to halt processing (Art. 37): a halt-processing request is honored within 7 days. New data collection is paused; existing aggregates are kept in anonymized form.
- Right of portability (Art. 35-2): personal data may be exported in machine-readable formats (JSON / CSV), available as immediate self-service from the mypage.
7. Account closure
- Step 1: Closure request → 30-day grace period (account may be restored)
- Step 2: After 30 days, user_id is replaced with a random UUID
- Step 3: Nickname → "closed user", email → null, OAuth connections disconnected
- Step 4: Behavioral data (fan_signals etc.) is kept in anonymized form for aggregate statistics
- Step 5: Payment and donation transactions are retained for 5 years (e-commerce, tax law) with anonymized identifiers
- Step 6: consent_records are retained permanently (legal evidence)
8. Data-breach response
Upon awareness of an incident, Backers100 responds in accordance with the PIPA procedure.
- Within 24 hours of awareness — initial notice to affected users and relevant authorities (security-incident standard procedure applies)
- Within 72 hours of awareness — formal notice to the Personal Information Protection Commission
- Notification emails follow the standard template in our incident
9. AI PII handling
- user_id, email, and other PII are removed before Bedrock (AI analysis) calls.
- AI summaries are produced at the entity level and do not include user-identifying information.
- Fan Engagement is computed by an internal algorithm; behavior sequences are not sent to Bedrock.
- User data is not provided to external AI models as training data.
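A fail-closed implementation of the first two points above, added here as an example and not taken from Backers100's code: the payload sent to Bedrock is built from an allowlist of article and entity fields (so user_id, email and device fields can never be copied in by accident), free text is scanned for email addresses and internal user identifiers as defence in depth, and a final check rejects the payload if anything slipped through. The field names, the `u_<hex>` user_id format, and the `[EMAIL]`/`[USER]` placeholders are assumptions for the illustration.

```python
import json
import re

# Allowlist of fields permitted to leave for AI analysis (assumed names).
ARTICLE_FIELDS = ("article_id", "title", "body", "published_at", "source")
ENTITY_FIELDS = ("entity_id", "name", "category")

# Keys that must never appear anywhere in an outbound payload.
FORBIDDEN_KEYS = frozenset({"user_id", "email", "ip_hash", "user_agent_hash",
                            "fingerprint", "submitted_by"})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USER_ID_RE = re.compile(r"\bu_[0-9a-f]{8,}\b")   # assumed internal user_id format


def redact_text(text: str) -> tuple[str, int]:
    """Replace email addresses and user identifiers; return text and redaction count."""
    text, n_email = EMAIL_RE.subn("[EMAIL]", text)
    text, n_user = USER_ID_RE.subn("[USER]", text)
    return text, n_email + n_user


def build_bedrock_payload(article: dict, entity: dict) -> tuple[dict, int]:
    """Copy only allowlisted fields, then redact free text. Returns (payload, redactions)."""
    payload = {
        "article": {k: article[k] for k in ARTICLE_FIELDS if k in article},
        "entity": {k: entity[k] for k in ENTITY_FIELDS if k in entity},
    }
    redactions = 0
    for key in ("title", "body"):
        if isinstance(payload["article"].get(key), str):
            payload["article"][key], n = redact_text(payload["article"][key])
            redactions += n
    assert_no_pii(payload)   # fail closed before the call leaves the region
    return payload, redactions


def assert_no_pii(payload: dict) -> bool:
    """Raise if a forbidden key or an email/user_id pattern survives anywhere."""
    def walk(obj):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k in FORBIDDEN_KEYS:
                    raise ValueError(f"forbidden key in outbound payload: {k}")
                walk(v)
        elif isinstance(obj, list):
            for v in obj:
                walk(v)
    walk(payload)
    blob = json.dumps(payload, ensure_ascii=False)
    if EMAIL_RE.search(blob) or USER_ID_RE.search(blob):
        raise ValueError("PII pattern survived redaction")
    return True


def sample_payload() -> tuple[dict, int]:
    """Constructed input: an article row that still carries submitter PII."""
    article = {
        "article_id": "a-42",
        "title": "Local club wins league",
        "body": "Match report. Press contact: press@example.org. Submitted by u_3fa85f64.",
        "published_at": "2024-05-01",
        "source": "example-news",
        "user_id": "u_3fa85f64",          # must not leave
        "submitted_by": "fan@example.com",  # must not leave
    }
    entity = {"entity_id": "e-7", "name": "Local FC", "category": "sports"}
    return build_bedrock_payload(article, entity)


if __name__ == "__main__":
    print(json.dumps(sample_payload(), indent=2))
```

The allowlist, not the forbidden-key set, is the real control: new columns added to the article table later are excluded by default. The regex pass and `assert_no_pii` exist so that PII pasted into free text (the one place an allowlist cannot help) is still caught, and a leak becomes a raised exception in Seoul rather than a record in US-East-1.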
10. Privacy officer (CPO)
- Name / title: (placeholder)
- Contact: Support@backersby.com
- Role: operation, audit, and external response for personal-information processing
11. Change notice
| Change type | Notice method | When |
|---|---|---|
| Changes unfavorable to user rights | In-app banner + email to all users + changelog | 30 days before effective |
| Simple wording / translation fix | Changelog | On effective date |
| New processing item | In-app + email + re-consent required | 30 days before effective |
| New processor delegation | In-app + email | 7 days before effective |
Change history is preserved permanently at /privacy/changelog.