Privacy Policy
1. Overview
32personas ("Service") respects user privacy and complies with applicable laws, including the Korean Personal Information Protection Act (PIPA). This policy describes what personal information is collected and how it is used, shared, and disposed of.
2. Information collected (minimization principle)
- Email address — for account creation, newsletter subscription, result saving, and customer support responses
- Personality type selection result — MBTI-based 16-32 types, anonymized
- Age group, gender, country — optional, for statistical analysis
- Payment information — processed by Polar (third-party payment processor); this Service retains only the Polar customer ID
3. Purpose and retention
| Item | Purpose | Retention |
|---|---|---|
| Account email | Account management + service delivery | Deleted immediately on account deletion (PIPA §21) |
| Customer support | Response + dispute resolution | 3 years (Framework Act on Consumers, Enforcement Decree §8) |
| Payment records | Payment processing + accounting | 5 years (Act on Consumer Protection in Electronic Commerce §6, delegated to Polar) |
| Quiz results (personality type) | Service quality improvement | Anonymized on account deletion, then retained (non-identifiable) |
| External sign-in link records (oauth_identities) | Map external sign-in identifiers (e.g. Google) to your account | Permanently deleted immediately upon unlink or account deletion |
4. User rights
Under PIPA, users may exercise the following rights, processed within 30 days of request. Use /account/data/request or email support@monday.red:
- Right to access — view collected personal information and processing status
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of personal information
- Right to restriction — request suspension of processing
- Right to opt out of / request explanation for automated decisions (PIPA Art. 37-2) — this service performs two automated processing functions: (a) SLOAN personality scoring algorithm, (b) external LLM-based saju narrative interpretation. Contact support@monday.red to opt out or request explanation. Opt-out triggers immediate deletion + access-disable of the automated output. Payment-related matters follow the separate refund policy (/legal/refund-policy).
5. Third-party sharing and international transfers (Korean PIPA Arts. 17, 26, 28-8)
Personal information is not shared with third parties for advertising purposes. Personal data is transferred internationally to the following processors; please refer to each processor's privacy policy.
- (1) Supabase, Inc. — USA, database storage, from signup through account deletion + 30 days (5-year payment record retention under the Electronic Commerce Act applies separately) — transfer method: HTTPS API.
- (2) Polar Software Inc. — USA, payment processing, from payment time for the duration of payment/refund records and tax/accounting obligations — transfer method: HTTPS API.
- (3) PostHog Inc. — USA/EU, analytics telemetry (distinct_id, $pageview, click events), 30 to 365 days by event type, can be opted out — transfer method: HTTPS API.
- (4) Vercel Inc. — USA, static asset hosting and function execution, at request time; Vercel-side edge/function log retention follows Vercel's published policy — transfer method: HTTPS.
- (5) Resend — USA, transactional email delivery (account verification, data export, refund notices), from send time for the period specified in Resend's published policy — transfer method: HTTPS API.
- (6) DeepSeek (Hangzhou DeepSeek) — China, saju narrative interpretation (birth date/time/gender), at call time for the period specified in DeepSeek's published policy — transfer method: HTTPS API + audit_logs.input_hash recorded.

Right to refuse: email support@monday.red and we will stop the optional functions that depend on the relevant processor (e.g. AI saju interpretation — DeepSeek, analytics — PostHog, transactional email — Resend). Refusal of essential processors (Supabase database, Vercel hosting, Polar payment) means the service itself cannot be provided.
6. Security measures
Supabase Row Level Security (RLS), HTTPS encryption, weekly RLS coverage audits.
8. External Sign-in (Google OAuth) Data Handling
When you use Sign in with Google, we receive limited information from Google. The specifics of how we handle Google user data are as follows.
- Collect: During the Google sign-in handshake we transiently receive from Google: (a) your email address, (b) your Google account identifier (the OpenID Connect sub claim), and (c) your profile display name and avatar URL if available. We persist only three of these in our database: your email address, your Google account identifier (sub), and the last sign-in timestamp. Display name and avatar URL are not stored. We do not request and do not receive data from other Google services such as Gmail, Drive, Calendar, or Contacts.
- Use: We use this information solely for account identification and sign-in authentication. We do not use it for marketing email, ad targeting, profiling, or automated decision-making. Your Google sign-in link is visible to you on the account security page.
- Share: We do not sell, share, or transfer data received from Google to third parties. The data does not leave the processors listed in §6 above (Supabase database storage).
- Delete: You can unlink your Google account at any time on the account security page (/account/security) under "Linked external sign-in." Unlinking deletes the corresponding row in our oauth_identities table immediately. Deleting your account (/account/delete-request) also deletes the linked identity immediately.
9. Business Identity & Contact
Operator information (mandated by Act on the Consumer Protection in Electronic Commerce §10 + Personal Information Protection Act §30)
Company: 프로젝트먼데이 (Project Monday) · Business registration number: 106-68-00711
Contact channel
support@monday.red (privacy rights, refunds, terms questions, technical support — response SLA 1–2 business days)
The Data Protection Officer (DPO) is appointed alongside the business identity disclosure above. Until appointment, support@monday.red serves as the interim DPO channel.