Privacy Policy

The company complies with applicable personal-data protection laws and publishes this Privacy Policy to explain how user data is handled lawfully and transparently.

This policy applies across LeanCOO, including account management, document drafting, approval workflows, client management, timelines, monthly status views, support functions, and AI-assisted features.

• Identifying users, processing login, and managing account and organization permissions
• Providing core service functions such as quotes, clients, approvals, timelines, monthly status, and support
• Performing AI-assisted features requested by the user, including analysis, drafting, summarization, and recommendation
• Responding to incidents, checking security, preventing abuse, improving quality, and handling support
• Complying with law, handling disputes, billing and settlement, and sending important notices

• When a user requests AI drafting, analysis, summarization, or recommendation, the company may process document text and related inputs to the extent necessary to fulfill that request.
• The company may use reliable infrastructure or AI processing partners where necessary to provide the service, and will apply appropriate safeguards in doing so.
• The company does not sell user material as publicly released data or disclose it arbitrarily without separate consent, except where required by law, requested by the user, or otherwise necessary to provide the service.

• Member and organization information is retained until account withdrawal or termination of the service agreement, unless a longer retention period is required by law.
• Business data and files written or uploaded by the user are retained until the user deletes them or until the account or organization ceases to use the service.
• Session data, login tokens, invitation tokens, and authentication logs are retained until their purpose is completed, they expire, or any security need ends.
• Inquiry and dispute-response records may be retained for a reasonable period to prevent and respond to disputes.

The following records may be retained separately for a statutory period under applicable law.

• Records concerning contracts or withdrawal of offers: 5 years
• Records concerning payment and supply of goods or services: 5 years
• Records concerning consumer complaints or dispute resolution: 3 years
• Records concerning advertising and display: 6 months

• Personal data is destroyed without undue delay once the retention period expires or the processing purpose is fulfilled.
• Where separate retention is required by law, the information is securely stored apart from ordinary service data and destroyed once that legal period ends.
• Electronic files are deleted using reasonable methods that make recovery difficult, and printed material is destroyed through shredding, incineration, or similar means.

As a rule, the company does not provide personal data to external parties. However, data may be shared or delegated to the extent necessary in the following cases.

• Where the user has consented in advance or directly selected an integration feature
• Where disclosure is required by law or requested lawfully by an authorized public body
• Where required to provide the service, including for operations, security, storage, email delivery, authentication, or AI processing support

The company may rely on the following external infrastructure or integration layers to operate the service.

• Amazon Web Services and related services for infrastructure, storage, logs, and email delivery
• Login providers such as Google or Kakao when the user explicitly chooses those authentication methods
• AI processing partners for user-requested drafting, analysis, and summarization features

• The company may use essential cookies and session information needed for login persistence, security checks, and organization switching.
• The current service prioritizes a minimal cookie footprint required for authentication and operational stability.
• Users can refuse cookie storage through browser settings, but doing so may limit login persistence or some features.

• Users may request access, correction, deletion, suspension of processing, withdrawal of consent, or withdrawal from the service with respect to their own personal data.
• Because organization-level data may be linked to administrative or shared permissions, the company may verify the requester's authority before responding.
• Requests can be submitted through service functions or support channels, and the company will try to respond without delay in accordance with applicable law.

• Minimizing access rights and managing account and role permissions
• Protecting authentication data, securing data in transit, monitoring logs, and detecting suspicious activity
• Managing backup and operational procedures for incident response and recovery
• Applying internal access control so only the minimum necessary personnel can handle personal data

• The company may update this policy when laws, service structure, or processing practices change.
• Material changes affecting rights or obligations will be announced in advance through reasonable means such as the service UI, notices, or email.
• The updated policy will be published with its effective date and can be reviewed from the service after publication.

• Service or privacy requests: support@leancoo.com
• Privacy infringement reporting: Personal Information Infringement Report Center (118)
• Privacy dispute mediation: Personal Information Dispute Mediation Committee (+82-1833-6972)

Other consultations related to privacy infringement may be directed to the Personal Information Protection Commission or other relevant institutions.