Privacy Policy - Lawmadi OS

target

Purpose of Processing

Art. 15

Lawmadi OS (hereinafter referred to as the "Service") processes personal information for the following purposes. Personal information collected will not be used for purposes other than those stated below. Prior consent will be obtained if the purpose of processing changes.

Providing legal analysis services — To analyze user queries and provide legal information
Service security and stability — Detecting abnormal access, preventing service abuse, and maintaining system stability
Service improvement and statistical analysis — Improving service quality and features through usage pattern analysis

database

Data Collected

The Service collects the following personal information:

Category	Data Collected	Collection Method
Required	Query text, IP address, visit time	Automatically collected during use
Service usage	Conversation history, uploaded documents	Automatically collected during use
Attorney inquiry	Name, phone number	Directly entered by user
Credit payment	Payment email address	Entered by user during checkout
Email verification (OTP)	Email address, verification code (SHA-256 hash)	Entered by user / system-generated
Session management	Session token (encrypted), expiration date	Auto-generated upon authentication
Auto-collected	Browser information, access logs	Automatically generated by system

schedule

Retention Period

Art. 21

The Service will destroy personal information without delay once the purpose of collection and use has been fulfilled. Electronic files are permanently deleted using methods that prevent recovery, and any printed materials are shredded or incinerated (PIPA Enforcement Decree, Art. 16). The retention period for each item is as follows:

Item	Retention Period	Basis
Conversation history	1 year	Service quality improvement
Uploaded documents	7 days	Auto-deleted after analysis
Visit statistics	1 year	Service operation and statistics
Payment email	1 year after credits used or refunded	E-Commerce Act, Article 6
OTP verification code	5 minutes after issuance (auto-deleted on expiry)	Authentication purpose fulfilled
Session token	30 days (immediately deleted on logout)	Login session maintenance
Attorney inquiry info	Deleted immediately after connection	Deleted upon purpose fulfillment

cookie

Cookies and Automatic Collection

The Service uses the following cookies.

Cookie	Type	Purpose	Expiry
__session	Essential	Maintaining login status after email verification, credit usage	30 days
_ga, _ga_*	Analytics (optional)	Service usage statistics via Google Analytics	2 years

Essential cookies (__session) are only created after the user completes email verification (OTP) and are protected with the HttpOnly attribute. They are immediately deleted upon logout.
Analytics cookies (Google Analytics) are only activated with the user's explicit consent. You can accept or decline via the cookie consent banner at the bottom of the page.
You may block cookies in your browser settings, but blocking essential cookies may limit access to credit-based services.

share

Third-Party Sharing

The Service integrates with the following external services for legal information analysis. Personal information is processed only to the minimum extent necessary for service provision.

Google Gemini API

Legal query analysis and response generation

Korea National Law Info Center DRF API

Real-time statute, case law, and constitutional court decision verification

Ministry of Government Legislation DRF API

Real-time national law search and verification

Paddle

Credit payment processing (Merchant of Record)

Google Analytics (GA4)

Service usage statistics analysis (activated only with user consent)

Each external service provider processes data according to their own privacy policy. Only query text is sent to Gemini API, only payment email to Paddle, and only anonymized usage statistics to Google Analytics.

Cross-border Transfer of Personal Data

The Service transfers personal data overseas for legal analysis and payment processing (PIPA Art. 28-8):

Recipient	Country	Data Transferred	Safeguards
Google (Gemini API)	United States	Query text	Google Cloud DPA, SOC 2/3, ISO 27001
Google (Analytics)	United States	Anonymized usage statistics	Google DPA, IP anonymization applied
Paddle	UK/US	Payment email	Paddle DPA, PCI DSS compliant

verified_user

Data Subject Rights

Art. 35-37

Users (data subjects) may exercise the following rights under the Personal Information Protection Act:

visibility

Right of Access

Request to view personal data processing status

edit

Right to Rectification

Request correction of inaccurate personal data

delete

Right to Erasure

Request deletion of personal data

pause_circle

Right to Suspend Processing

Request suspension of personal data processing

These rights may be exercised through the following channels. Processing results will be notified within 10 days of receipt:

Email request: Contact choepeter@outlook.kr for access, rectification, erasure, or suspension requests
Analytics cookie consent withdrawal: Decline via the cookie consent banner at the bottom of the page, or delete cookies in browser settings
Account deletion: Request account deletion via email; all personal data (session, payment email, conversation history) will be immediately deleted

security

Security Measures

The Service implements the following technical and administrative measures to ensure the security of personal information:

language

CORS Restrictions

API access limited to authorized domains only

key

API Key Authentication

All external API requests are authenticated

shield

Security Headers

XSS, CSRF and other attack defense headers applied

Encrypted communication via HTTPS
Server access log recording and monitoring
Regular security vulnerability assessments

child_care

Children Under 14

Art. 22

The Service is not intended for children under the age of 14, and we do not knowingly collect personal information from children under 14.

If we become aware that personal information of a child under 14 has been collected, we will promptly delete such information.
Legal guardians may request access to, rectification of, or deletion of a child's personal information.
Contact: choepeter@outlook.kr

person

Privacy Officer

A Privacy Officer has been designated to oversee personal information processing and to handle data subject complaints and remedies.

mail

Privacy Officer: Jainam Choe

Inquiries, access/correction/deletion requests, and complaint handling regarding personal information

Contact: choepeter@outlook.kr