Privacy Policy
Last updated: 2026-05-10
SantaHades Co., Ltd. ("the Company") operates the OriPics service (www.ori.pics, "the Service"). This Privacy Policy explains how we collect, use, and protect your personal information in compliance with the Korean Personal Information Protection Act (PIPA) and the EU General Data Protection Regulation (GDPR).
1. Data Controller
- Company: SantaHades Co., Ltd.
- Address: #B01-H306, Terrace Garden, 150-29 Gongse-ro, Giheung-gu, Yongin-si, Gyeonggi-do, 17084, Republic of Korea
- Data Protection Contact: hi@ori.pics
2. Purposes of Processing
- Account creation, authentication, and abuse prevention
- Image proof creation, verification, storage, and shareable link generation
- Device-integrity verification for mobile photo (Verified) tier
- Paid subscription processing and refunds (Pro / Business, after J-7)
- Customer support, service notices, and policy updates
- Service improvement and aggregate analytics (non-identifying)
3. Categories of Personal Data
| Type | Items | Source |
|---|---|---|
| Required | Email address, password (one-way hashed) | Sign-up form |
| Optional | Name, profile picture | Sign-up / profile edit |
| OAuth | Email, name, profile picture (per provider scope) | Google / Naver / Kakao consent |
| Proof data | Uploaded images, image metadata (timestamp, dimensions), GPS coordinates (with explicit user consent) | Auto-collected during proof processing |
| Device-integrity (Verified) | Hash of App Attest / Play Integrity token | Mobile app (after Track D launch) |
| Payment | Billing key identifier. Card numbers and CVCs are not stored by the Company | Subscription checkout (after J-7) |
| Auto-collected | IP address, browser / OS info, session cookies, service usage logs | Generated during service use |
4. Legal Basis (GDPR Art. 6)
- Performance of contract (Art. 6(1)(b)): account, proof, subscription
- Consent (Art. 6(1)(a)): GPS coordinates, optional profile fields, OAuth providers
- Legal obligation (Art. 6(1)(c)): payment records under Korean e-commerce law
- Legitimate interest (Art. 6(1)(f)): abuse prevention, service security
5. Retention Periods
- Account info: until account deletion. Erased upon deletion request.
- Proof images (Standard): 7 days from creation, then auto-deleted.
- Proof images (Pro / Business): retained for the subscription period. After a downgrade, a 30-day grace period applies, after which the 7-day policy resumes.
- Credit transaction history: until account deletion (abuse prevention, billing reconciliation).
- Payment records: 5 years (Korean Act on Consumer Protection in E-Commerce).
- Access logs: 3 months (Korean Communications Privacy Act).
6. Recipients and International Transfers
We share data with the following processors solely to operate the Service. Some processors are located outside the Republic of Korea or the EEA; you consent to the relevant international transfers when you sign up.
| Processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Web hosting, CDN, serverless functions | United States (global edge) |
| Supabase Inc. | Database (account, proof metadata) and image storage | United States or company-selected region |
| Google LLC | OAuth login (with user consent) | United States |
| NAVER Corp. | OAuth login (with user consent) | Republic of Korea |
| Kakao Corp. | OAuth login (with user consent) | Republic of Korea |
| SSL.com | C2PA content credentials signing key custody (eSigner Cloud HSM) | United States |
| PortOne | Subscription payment processing (after J-7) | Republic of Korea |
7. Your Rights
You have the following rights regarding your personal data:
- Access, rectification, erasure
- Restriction of processing, data portability
- Objection to processing
- Withdrawal of consent at any time (without affecting prior lawful processing)
- Right to lodge a complaint with the Korea Personal Information Protection Commission or your local EU supervisory authority
To exercise these rights, contact hi@ori.pics. We will respond without undue delay.
8. Data Erasure Procedure
- Upon account deletion or expiration of the applicable retention period, we erase data without undue delay.
- Electronic files: irreversibly deleted, including from backups within 7 days.
- Paper records: shredded or incinerated.
9. Security Measures
- Passwords are stored using one-way hashing (bcrypt). We never store plaintext passwords.
- All transport is encrypted with HTTPS (TLS).
- Administrator access is granted on a least-privilege basis with mandatory multi-factor authentication.
- Continuous monitoring via GitHub Dependabot, CodeQL, and Secret Scanning.
- Access logs are retained only for the legally required period and reviewed periodically.
10. Cookies
We use NextAuth session cookies (strictly necessary) to maintain login state. We do not use third-party cookies for advertising or cross-site tracking. You may disable cookies in your browser, but this will prevent login.
11. Automated Decision-Making
We do not perform automated decision-making, including profiling, that produces legal or similarly significant effects on you.
12. Children's Privacy
The Service is not directed to children under 14 (Korea) or under 16 (EU). We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us at hi@ori.pics.
13. Changes to This Policy
- 2026-05-11: Initial publication.
Material changes will be announced on the Service at least 7 days before taking effect (30 days for changes adverse to user rights).