Privacy Policy
Effective: April 29, 2026 | Updated: June 12, 2026
SoMyung helps parents understand a child’s temperament through Saju-based analysis. This notice explains what personal data is processed, why it is needed, and how it is protected.
1. Personal Data We Process
| Context | Data | Purpose | Retention |
|---|---|---|---|
| Free preview | Child nickname or name, birth date/time, gender, birth place, optional parent role and parent birth date/time | Generate a temperament preview | Not stored in the database. Temporary infrastructure/API logs may be retained by service providers |
| Paid or promo report | Preview inputs, email, generated Saju data, AI report, PDF | Generate, display, deliver, and support the report | Kept for limited report access and support. Deleted on request except records legally required to retain |
| Payment | Email, PayPal order/approval data, payment status, amount | Payment processing, refunds, transaction record keeping | Retained as required for commerce, tax, dispute, and audit purposes |
| Analytics cookies | Google Analytics cookies/identifiers | Service improvement analytics | Used only after consent. You can reset consent in the footer |
2. Lawful Bases for Processing (GDPR Art. 6)
Where the EU/UK GDPR applies, we rely on the following lawful bases:
- Free preview: your consent (Art. 6(1)(a)). You may withdraw consent at any time.
- Paid or promo report: performance of a contract with you (Art. 6(1)(b)).
- Payment and transaction records: compliance with legal obligations (Art. 6(1)(c)) and performance of a contract (Art. 6(1)(b)).
- Analytics cookies: your consent (Art. 6(1)(a)), collected through the cookie banner.
3. Children’s Data and Guardian Role
This service is directed to parents and guardians, not to children acting on their own. Data about a child must be entered only by a parent or legal guardian who has authority to do so.
This service is designed for parents and legal guardians to use on behalf of their children. We do not knowingly collect personal information directly from children under 13. If you believe a child under 13 has provided data directly to us, contact [email protected] and we will delete it promptly (COPPA).
4. International Processing and Providers
We treat birth date, birth time, gender, birth place, and generated reports as personal data when they relate to a child or family, even if a direct legal name is not sent to every provider.
Where personal data is processed outside the EEA, the United Kingdom, or Korea, it is transferred under Standard Contractual Clauses (SCC) approved by the European Commission or equivalent legal safeguards.
| Provider | Region | Data | Purpose |
|---|---|---|---|
| Supabase | US/global | Account, report, payment-related database data | Database and authentication |
| AWS | Korea/global | API request and server processing data | Backend execution and logs |
| Cloudflare | Global | Web requests, cache, security logs | Website hosting and security |
| OpenAI or Google Gemini | US/global | Saju calculation output and minimum input data needed for analysis | AI report generation |
| PayPal | Global | Payer, order, authorization, and payment status data | Payment processing |
| Resend | US/global | Email address, report email content/PDF | Report email delivery |
| Google Analytics | Global | Cookies, device and usage events | Consent-based analytics |
5. Retention Periods
- Free preview inputs: not stored in our database.
- Payment and transaction records: retained for 5 years under the Korean Act on Consumer Protection in Electronic Commerce and applicable tax laws.
- Paid reading records (inputs, generated Saju data, report, PDF): retained until you request deletion, or at most 24 months after your last access (default operational period; may be adjusted), after which they are deleted or anonymized.
6. Security Measures
- Reports and PDFs require a server-issued time-limited token.
- Payment capture requires both the PayPal order ID and a server-issued payment token.
- Analytics scripts load only after cookie consent.
- Support logs minimize directly identifying data where practical.
7. Your Rights
You may request access, correction, deletion, restriction, or withdrawal of consent by emailing [email protected]. Some payment or transaction records may need to be retained for legal, tax, audit, refund, or dispute purposes.
- Data portability (GDPR Art. 20): you may request a copy of the data you provided in a structured, commonly used, machine-readable format.
- Automated decision-making (GDPR Art. 22): reports are generated automatically by AI based on the birth information you provide. This is AI-generated profiling offered for informational, self-reflection, and entertainment purposes only; it produces no legal or similarly significant effects, is not used to make decisions about you or your child, and you may object to this processing or request a human review at [email protected].
8. California Privacy Rights (CCPA/CPRA)
We do not sell or share personal information as defined by the California Consumer Privacy Act. "Do Not Sell or Share My Personal Information": we do not sell; California residents may contact [email protected] to exercise their rights to know, delete, correct, and not be discriminated against.
9. Privacy Officer and Contact
Chief Privacy Officer (CPO, 개인정보보호책임자): Yohan Lee ([email protected])
Privacy contact: [email protected]
Operator: HarmonyOn / Representative: Yohan Lee
Delete Account and Reports
Signed-in users can delete their account and linked reports here. Payment and transaction records may be retained in minimized form where legally required.
Sign in to delete your account here. For guest report deletion, email [email protected].