Privacy Policy
Effective Date: April 11, 2026
ArcSolve (“Company”) establishes and discloses this Privacy Policy in order to protect users’ personal information in accordance with the Personal Information Protection Act and to ensure that related complaints can be handled promptly and smoothly.
For data collected through the ArcSolve Chrome Extension, ArcSolve complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. The same applies to the ArcSolve Light extension.
1. Categories of Personal Information Collected
A. Member Information
Through social login account linking (Google, Kakao), the following information is collected.
| Category | Items Collected |
|---|---|
| Required | Email address, social account identifier (OAuth ID) |
| Optional | Profile image, name |
The following items are generated and stored during the course of Service use:
| Item | Description |
|---|---|
| Preferred language | Target language for summarization and translation (default: ko) |
| Email verification status | Verification state provided by the social login provider |
B. Payment Information
When using Paid Services, the following information is collected and stored through the payment processor (Toss Payments).
| Item | Description | Retention |
|---|---|---|
| Customer key (customerKey) | Random unique value (UUID) for payment processor identification | Until account withdrawal + statutory retention |
| Billing key (billingKey) | Auto-payment token (replaces raw card information) | Until billing key revocation or account withdrawal |
| Card company name | e.g., Hyundai, Samsung | Same as above |
| Masked card number (cardNumberMask) | e.g., ****-****-****-1234 | Same as above |
| Payment status, amount, order ID | Payment history management | 5 years (E-Commerce Act) |
| Payment receipt URL | Receipt link issued by Toss Payments | 5 years (E-Commerce Act) |
| Raw payment response | JSON data for audit and debugging purposes | 90 days after payment completion, then destroyed |
The Company does not directly collect or store full card numbers, CVC, or passwords. All card information is processed by Toss Payments in accordance with PCI-DSS standards. Raw payment response data is separated from essential payment records and retained for a shorter period to comply with the data minimization principle.
C. Usage and Credit Data
| Item | Description |
|---|---|
| Usage log (usage_log) | Feature type, plan tier, consumption amount, timestamp, metadata (document ID, MIME type, duration, page count, model ID) |
| Credit bucket (credit_bucket) | Grant type (free monthly / subscription / coupon / admin adjustment), granted and consumed units, expiration time, status (active / exhausted / expired / revoked) |
D. User Content
Materials uploaded or entered by users into the Service, including documents, images, audio, text, URLs, and similar materials, may contain personal information. The Company processes such materials only for the purpose of providing the Service and protects them at the same level.
E. Derived Data
Derived data such as summaries, transcriptions, analysis results, and search indexes (embedding vectors) may be created in the course of using the Service based on User Content.
F. Automatically Collected Information
| Items Collected | Purpose of Collection |
|---|---|
| IP address, browser and device information | Security and prevention of misuse |
| Service usage records, access logs | Ensuring service stability and responding to errors |
| Cookies, device identifiers | Maintaining login state and improving the Service |
The Company does not collect sensitive information (such as ideology, beliefs, health, or genetic information) or unique identifying information (such as resident registration numbers).
2. Purposes of Collection and Use of Personal Information
| Purpose Category | Detailed Purpose | Legal Basis |
|---|---|---|
| Service provision | Sign-up and authentication, document management, provision of AI features (chat, summarization, transcription, image generation, web/academic search), generation of search indexes | Conclusion and performance of a contract (PIPA Article 15(1)4) |
| Billing and settlement | Paid service billing, usage tracking, credit management, refund processing | Conclusion and performance of a contract; statutory obligations (E-Commerce Act) |
| Customer support | Responding to inquiries, dispute resolution, delivery of notices | Conclusion and performance of a contract |
| Security and misuse prevention | Detection of abnormal usage, access control, incident investigation | Legitimate interest (PIPA Article 15(1)6) |
| Service improvement (analytics) | Analysis of usage statistics and feature improvement (based on de-identified and statistical processing) — activated only with user consent | User consent (PIPA Article 15(1)1) |
3. Retention and Use Period of Personal Information
The Company destroys personal information without delay once the purpose of collection and use has been achieved. However, in the following cases, such information is retained separately for the periods below.
| Data Type | Retention Period | Basis |
|---|---|---|
| User Content and Derived Data | Destroyed without delay upon deletion request or account withdrawal | Internal policy |
| Records regarding contracts or withdrawal of subscriptions | 5 years | E-Commerce Act |
| Records regarding payment and supply of goods/services | 5 years | E-Commerce Act |
| Records regarding consumer complaints or dispute resolution | 3 years | E-Commerce Act |
| Records regarding display and advertising | 6 months | E-Commerce Act |
| Access logs | At least 3 months | Protection of Communications Secrets Act |
| Security and misuse prevention records | 1 year | Internal policy |
| Raw payment response data | 90 days | Internal policy (data minimization) |
4. Procedures and Methods of Destruction of Personal Information
- Destruction procedure: Personal information whose retention purpose has been fulfilled or whose retention period has expired is moved to a separate database (or separate storage) and destroyed after a set period.
- Destruction method: Electronic files are deleted using methods that make recovery impossible, and paper documents are shredded or incinerated.
- Cascading deletion of Derived Data: When User Content is deleted, summaries, transcriptions, search indexes (embeddings), and other data derived from that content are also deleted.
- Credit and usage data: Upon account withdrawal, usage_log and credit_bucket data are destroyed after the statutory retention period for payment records has expired.
5. Provision of Personal Information to Third Parties
The Company does not provide users’ personal information to third parties without consent. Exceptions are as follows:
- Where the user has given prior consent
- Where disclosure is required by law or requested in accordance with procedures prescribed by law for investigative purposes
6. Entrustment of Personal Information Processing
The Company entrusts the following personal information processing tasks for smooth service operation.
| Entrusted Party | Entrusted Task | Retention Period |
|---|---|---|
| Toss Payments Co., Ltd. | Payment processing and settlement | Until the end of the entrustment contract |
| Google LLC (Google Cloud Platform) | Server hosting and asynchronous job processing (Cloud Run, Cloud Tasks) | Until the end of the entrustment contract |
| Cloudflare, Inc. | File storage (R2) and CDN | Until the end of the entrustment contract |
| Supabase, Inc. | Member authentication processing (Better Auth-based auth DB) | Until the end of the entrustment contract |
| Mixpanel, Inc. | Service usage statistics analysis (activated only with user consent) | 1 year |
| Google LLC (Google Analytics) | Web traffic analysis (activated only with user consent) | 26 months (Company-configured GA data retention setting) |
Any changes to the list of entrusted parties will be announced through this Policy.
7. Cross-Border Transfer of Personal Information
The Company transfers personal information internationally as follows in order to provide the Service. All cross-border transfers occur only when the user directly uses the relevant feature. If the feature is not used, no data is transmitted.
A. Transfers for Service Features
These transfers occur only when the user directly uses the corresponding feature. Data is transmitted via API call over TLS-encrypted connections.
How to refuse: Users who do not wish their data to be transferred internationally for a particular feature may simply choose not to use that feature. If a feature is not used, no data is transmitted to the corresponding recipient. Refusal means that the specific feature requiring the transfer will be unavailable, but all other Service features remain unaffected.
| Transfer Trigger (Feature) | Data Transferred | Recipient (Country) | Contact | Purpose of Transfer | Basis for Transfer (PIPA Art. 28-8) | Retention Period |
|---|---|---|---|---|---|---|
| AI chat, summarization, or translation | User input text, document content (in part or in full) | OpenAI, Inc. (United States) | privacy@openai.com | Generation of AI responses | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| AI chat, summarization, or translation | Same as above | Via OpenRouter, Inc. (United States) — see Section 7-C below | support@openrouter.ai | Generation of AI responses | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| AI chat, summarization, or translation | Same as above | Google LLC (Vertex AI, global endpoint — processing region is automatically determined by Google and may include regions outside Korea) | googlecloud-compliance@google.com | Generation of AI responses | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Speech transcription | Real-time audio stream | Fireworks AI, Inc. (United States) | privacy@fireworks.ai | Speech-to-text conversion | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Image generation | User input prompt | Google LLC (Vertex AI Imagen) | googlecloud-compliance@google.com | Image generation | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Document search index generation | Document text chunks | OpenAI, Inc. (United States) | privacy@openai.com | Text embedding generation | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Document search index generation | Document text chunks | Google LLC (Vertex AI) | googlecloud-compliance@google.com | Text embedding generation | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| PDF parsing | PDF files | RunPod, Inc. (United States/EU) | support@runpod.io | PDF-to-text conversion (Marker) | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Web search | Search query | Google LLC (United States, Custom Search API) | googlecloud-compliance@google.com | Web search results | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| Academic search | Search query, paper ID | Allen Institute for AI (United States) | privacy@allenai.org | Academic paper search | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
| PDF translation (Light extension) | Extracted PDF text, target language | Google LLC (United States, Google Translate API) | googlecloud-compliance@google.com | PDF text translation | Entrustment/storage necessary for contract performance | Not retained after processing (ZDR configured) |
B. Transfers for Analytics (User Consent Required)
These transfers are activated only when the user consents to analytics data collection. Users may withdraw consent at any time through the in-service privacy settings, in which case analytics data collection and the associated cross-border transfer will cease.
| Transfer Trigger | Data Transferred | Recipient (Country) | Contact | Purpose | Basis for Transfer (PIPA Art. 28-8) | Retention Period |
|---|---|---|---|---|---|---|
| Service use (with consent) | Feature usage records, device and browser info | Mixpanel, Inc. (United States) | compliance@mixpanel.com | Usage statistics analysis | User consent for cross-border transfer | 1 year |
| Web service access (with consent) | Pageviews, sessions, referral paths | Google LLC (United States, Google Analytics) | googlecloud-compliance@google.com | Web traffic analysis | User consent for cross-border transfer | 26 months |
How to refuse or withdraw: Users may refuse or withdraw consent for analytics at any time through the privacy settings within the Service. Upon withdrawal, analytics cookies and localStorage data are no longer written, and previously collected data will be deleted per each provider’s retention schedule. Refusal of analytics does not affect the use of core Service features.
C. Final Recipients via OpenRouter
OpenRouter, Inc. is an API routing intermediary that forwards user request data to the final AI provider based on the model the user selects. Data is transferred to a specific final recipient only when the user selects a model hosted by that recipient. If a model is not selected, no data is sent to that recipient.
| Final Recipient | Country | Models Routed (Examples) | Contact | Infrastructure Processors |
|---|---|---|---|---|
| OpenAI, Inc. | United States | GPT OSS 120B | privacy@openai.com | Novita AI, DeepInfra, Inc. |
| Anthropic, Inc. | United States | Claude Sonnet 4.5, Claude Haiku 4.5 | privacy@anthropic.com | Anthropic |
| DeepSeek | China | DeepSeek V3.2 | privacy@deepseek.com | DeepInfra, Inc. |
| Zhipu AI (Z.ai) | China | GLM 4.7, GLM 5 | service@zhipuai.cn | DeepInfra, Inc. |
| MiniMax | China | MiniMax M2.5 | service@minimaxi.com | — |
| xAI | United States | Grok 4.1 Fast | privacy@x.ai | — |
| Moonshot AI | China | Kimi K2.5 | support@moonshot.cn | Fireworks AI, DeepInfra, Inc. |
Infrastructure processors listed above serve as sub-processors that host and run the AI models on behalf of the final recipient. They may process user input text as part of generating the AI response and are disclosed here as part of the cross-border transfer chain.
| Infrastructure Processor | Country | Contact | Purpose | Retention |
|---|---|---|---|---|
| DeepInfra, Inc. | United States | support@deepinfra.com | GPU inference hosting for routed models | Not retained (ZDR) |
| Novita AI | United States | support@novita.ai | GPU inference hosting for routed models | Not retained (ZDR) |
| Fireworks AI, Inc. | United States | privacy@fireworks.ai | GPU inference hosting for routed models | Not retained (ZDR) |
The Company configures OpenRouter with provider pinning (no automatic fallback to unselected providers). Data is routed exclusively to the provider of the model the user selects. No fallback routing to other providers occurs.
China-based providers: When a user selects a model hosted by a China-based provider (DeepSeek, Zhipu AI, MiniMax, or Moonshot AI), user input text is transferred to that provider’s processing infrastructure. The Service indicates the provider’s country in the model selection interface so that users can make an informed choice. The Company contractually requires all recipients to process data only within the scope of the entrustment and to delete data immediately after processing.
Zero Data Retention (ZDR): The Company configures all external AI providers to operate under zero data retention or equivalent no-storage settings where available. Under this configuration, user input is processed in real time and is not retained by the provider after the response is generated. The speech transcription server relays audio and text in real time only and does not store them in memory or on disk. In all cases, the Company does not separately store user input on its own systems beyond what is necessary to deliver the requested feature response.
8. Data Processing in AI Services
- No training use policy: The Company does not use User Content or Derived Data to train AI models.
- Scope of processing: AI features are processed in real time at the user’s request and access User Content only to the extent necessary to fulfill the request.
- Human review: In principle, Company personnel do not review User Content. However, access may occur within the minimum necessary scope in the following cases:
  - Where the user has directly shared the content through an inquiry or report
  - Where required to respond to a service disruption or security incident
  - Where required by law
9. Automatically Collected Information and Cookies
A. Essential Cookies (Always Active)
The following cookies are strictly necessary for the Service to function and are not subject to consent.
| Name | Purpose | Type | Expiration |
|---|---|---|---|
| arc-prod.session_token | Maintain login status | HttpOnly, Secure, SameSite cookie | Session validity: 7 days (server session expiry) |
| arc-prod.session_data | Cache session information (reduce server load) | HttpOnly, Secure, SameSite cookie | 5 minutes |
Session cookie prefixes vary by environment: arc-prod, arc-staging, arc-local. The cookie domain is set to .arcsolve.ai for sharing across subdomains.
B. Analytics Cookies and Storage (User Consent Required)
The following analytics tools are activated only when the user consents through the in-service privacy settings. They are not loaded by default.
| Name | Purpose | Type | Expiration |
|---|---|---|---|
| Google Analytics (_ga, _ga_*) | Web traffic analysis (pageviews, sessions) | Cookie (analytics) | Up to 2 years |
| Mixpanel (mp_*) | Service usage analytics | localStorage (analytics) | 1 year |
Users may refuse or withdraw consent for analytics at any time through the privacy settings. Upon refusal or withdrawal:
- Analytics scripts are not loaded, and no analytics cookies or localStorage entries are created.
- Previously stored analytics cookies and localStorage data may be deleted through browser settings.
- Core Service features, including login, are not affected by refusal of analytics.
In this process, the body content of User Content is restricted from being included in analytics data.
10. Automated Decision-Making
- The Company may use automated or AI-assisted systems for operational purposes, including document classification, summarization, recommendations, credit consumption tracking, usage limit enforcement, and abnormal usage detection.
- The principal categories of personal information used in automated processing are: service usage records, credit consumption data, access logs, and device/browser information. The criteria and logic applied are designed to enforce plan-based quotas and detect patterns indicative of misuse.
- How to request explanation or review: Users may request an explanation of how automated processing was applied to them, or request human review of an automated decision, by contacting the Data Protection Officer at privacy@arcsolve.ai or through the in-service customer support channel. The Company will respond within 10 business days of receiving the request.
- Where an automated decision significantly affects a user’s rights or interests (such as account suspension or prolonged restriction of access), the Company will provide human-involved review upon the user’s request and notify the user of the result. If the review determines the automated decision was incorrect, the Company will promptly rectify the decision and restore access.
11. Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
- Administrative measures: Privacy training, establishment and implementation of internal management plans, minimization of access rights
- Technical measures:
  - Session management: Application of HttpOnly, Secure, and SameSite cookie policies
  - Authentication: Social login based on OAuth 2.0 PKCE and JWT authentication between services
  - CSRF protection: Combined verification of Origin, Fetch Metadata, and extension headers
  - CORS: Credential transmission permitted only for trusted domains
  - Rate limiting: Request rate limits by API endpoint
  - Data transmission: TLS-encrypted communication
  - Access control: Application of the role-based least privilege principle and Row Level Security (RLS)
  - Database: Per-user RLS policies ensuring users can only query and modify their own data
12. Users’ Rights and How to Exercise Them
- Users may request access to, correction of, deletion of, or suspension of processing of their personal information at any time.
- Such rights may be exercised through in-service settings or by emailing the Data Protection Officer, and the Company will take action without delay.
- Users can directly use the following functions within the Service:
  - Account deletion (withdrawal)
  - Individual deletion of User Content
  - Deletion of payment methods (billing key revocation)
  - Analytics consent management (opt-in/opt-out)
13. Personal Information of Children Under 14
The Company does not allow children under the age of 14 to register for the Service. The Company operates an age verification procedure during registration and does not knowingly collect personal information from children under the age of 14. If the Company subsequently discovers that a registered member is under the age of 14, the Company will immediately restrict the account and delete all personal information without delay, except for information that must be retained under applicable laws.
14. Data Protection Officer and Remedies
Data Protection Officer
- Name: Kyungmin Cho
- Title: Chief Executive Officer
- Email: privacy@arcsolve.ai
Remedy Institutions
If you require consultation regarding a personal information infringement, you may contact the following institutions.
- Personal Information Dispute Mediation Committee: www.kopico.go.kr / +82-1833-6972
- Personal Information Infringement Report Center: privacy.kisa.or.kr / 118
- Cyber Investigation Division, Supreme Prosecutors’ Office: www.spo.go.kr / 1301
- Cyber Bureau, Korean National Police Agency: ecrm.police.go.kr / 182
15. Changes to This Privacy Policy
This Privacy Policy takes effect on the effective date, and any changes will be announced through the Service at least 7 days before the effective date of the changes.
For questions about this Policy, please contact privacy@arcsolve.ai.