Effective: March 1, 2026 | Last Updated: July 4, 2026
(주)모티브이노베이션 (Republic of Korea) and MOTIVE Global, Inc. (Delaware, United States) (collectively, the "Company," "we," "us," or "our") are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Whistle AI platform ("Service").
This policy is designed to comply with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.
| User / Transaction Type | Responsible Entity | Applicable Law |
|---|---|---|
| Users based in the Republic of Korea; KRW-denominated subscriptions | (주)모티브이노베이션 3F #307, 28 Nonhyeon-ro 98-gil, Gangnam-gu, Seoul, Republic of Korea | Korean PIPA, E-Commerce Consumer Protection Act |
| Users outside Korea; USD/foreign-currency payments via Stripe | MOTIVE Global, Inc. Delaware C-Corp, United States | U.S. state law (Delaware); GDPR where applicable; CCPA for California residents |
| AI analysis, shared platform infrastructure, data security | Both entities jointly | GDPR Art. 26 joint-controller arrangement; PIPA Art. 26 joint processing |
For GDPR purposes, (주)모티브이노베이션 is the lead controller for Korean-law obligations and MOTIVE Global, Inc. is the lead controller for EU/EEA GDPR obligations. A joint-controller agreement (GDPR Art. 26) governs the allocation of responsibilities between the two entities. You may contact either entity to exercise your rights; each will coordinate to fulfill your request.
| Category | Data Collected | Purpose |
|---|---|---|
| Account (Required) | Email address, password (encrypted) | Account creation, authentication, service access |
| Manufacturer Profile (Optional) | Company name, representative name, phone number, address, business registration number, product information, bank account details | Export service delivery, document generation, buyer matching |
| Buyer Profile (Optional) | Company name, contact person, country, phone number, interest categories | Buyer profile setup, product matching |
| Payment Information | Payment card details (stored by Stripe), transaction records | Payment processing, refund handling |
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, analytics |
| Browser type and version | Service optimization, compatibility |
| Service usage logs | Usage analytics, service improvement |
| Access timestamps | Security monitoring, abuse prevention |
| Device information | Service optimization, troubleshooting |
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
We retain your personal data only as long as necessary for the purposes described in this policy. When the purpose of collection is fulfilled, we delete or anonymize your data without delay, except where retention is required by law.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account and profile data | Until account deletion | Service agreement |
| Contract and withdrawal records | 5 years | Act on Consumer Protection in Electronic Commerce (Korea) |
| Payment and transaction records | 5 years | Act on Consumer Protection in Electronic Commerce (Korea) |
| Consumer complaint records | 3 years | Act on Consumer Protection in Electronic Commerce (Korea) |
| Access logs | 3 months | Protection of Communications Secrets Act (Korea) |
| Advertising records | 6 months | Act on Consumer Protection in Electronic Commerce (Korea) |
Upon account deletion, personal data is destroyed without delay. Data that must be retained by law is stored separately in a restricted database and destroyed upon expiration of the required retention period.
We engage the following third-party service providers to operate the Service. Each provider processes data only as instructed by us and under contractual obligations to maintain confidentiality and security. Locations below reflect the actual storage/processing region as of July 4, 2026.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Cloud database, authentication, file storage, realtime | Account data, profiles, chats, service data | US (HQ) / Singapore (storage — AWS ap-southeast-1) |
| Anthropic PBC | AI analysis (Claude API); inputs not used for model training | Product/export text submitted for analysis (PII minimized) | US |
| Stripe, Inc. | Global payment processing, escrow (manual capture) | Payment card details (tokenized), transaction records | US |
| Cloudflare, Inc. | Hosting (Pages), CDN, DDoS protection, TLS termination | IP address, access logs, cached content | US (HQ) / Global edge network |
| Resend, Inc. | Transactional and marketing email delivery | Email address, recipient name, subject and body | US |
| MOTIVE Global, Inc. | USD settlement, overseas customer support (group entity) | Account, profile, payment, transaction data | US (Delaware) |
| Apollo Data Inc. (Apollo.io) | Prospective buyer lead database (API) | Buyer search criteria; retrieved public business contacts | US |
| Telegram Messenger Inc. | Operator notifications (Bot API) | Admin summaries (PII minimized) | BVI / UAE |
| Naver Corp. | Product data search (public API) | Search queries (no PII) | Republic of Korea |
| OpenSky Network | Aviation tracking (public API) | No personal data | Switzerland |
Your personal data may be transferred to and processed in countries outside your country of residence, including Singapore, the United States, and other jurisdictions via global CDN edges. For Korean users, this is disclosed under Article 28-8 of the Korean Personal Information Protection Act (PIPA); by accepting our Terms and this Privacy Policy at account creation, you consent to such transfers. We comply with GDPR Articles 44–49 for EEA/UK users and ensure appropriate safeguards for all international transfers.
Recipient, country of storage/processing, items transferred, timing/method, retention period, and legal basis are disclosed below. Region information is verified against our Supabase Management API on July 4, 2026 (project id: lylktgxngrlxmsldxdqj, region: ap-southeast-1).
| Recipient (Country / Region) | Data Processed | Timing & Method | Retention | Legal Basis for Transfer |
|---|---|---|---|---|
| Supabase Inc. HQ: US (Delaware) / Storage region: Singapore (AWS ap-southeast-1) | Account data, business profiles, product data, chats, IP address, service logs | Real-time TLS 1.2+ transfer during service use | Until account deletion or contract termination (plus statutory retention where applicable) | Standard Contractual Clauses (SCCs); DPA in place |
| Anthropic PBC United States (California) | Product/export text submitted for AI analysis (PII minimized) | On-demand TLS API call during analysis | Processor: retained up to 30 days for trust & safety per Anthropic Commercial Terms, then deleted. Our DB: until account deletion | SCCs; Anthropic Commercial Terms and DPA (inputs not used for model training) |
| Stripe, Inc. United States (California / Delaware); EU processing via Stripe Payments Europe | Payment card details (tokenized), billing details, transaction records | Direct TLS transfer from user browser to Stripe via Elements/Checkout at payment time | PCI DSS and US tax law retention (typically 7 years) or per Stripe policy | EU-US Data Privacy Framework (DPF); PCI DSS Level 1; SCCs; Stripe DPA |
| Cloudflare, Inc. United States (California); global edge including Seoul PoP | IP addresses, User-Agent, request URLs, access logs, cached responses | Automatic routing to nearest edge node on user access | Cloudflare log policy: up to 30 days (our designated logs: 3 months per Korean law) | EU-US Data Privacy Framework (DPF); SCCs; Cloudflare DPA |
| Resend, Inc. United States (California) | Email address, recipient name, subject and body of transactional/marketing emails | TLS API call at send-event trigger | Resend policy: send logs up to 30 days (email body not retained) | SCCs; Resend DPA |
| MOTIVE Global, Inc. (group entity) United States (Delaware) | Overseas users' account, profile, payment, transaction data | TLS transfer on overseas payment events and support activity | Until account deletion (plus statutory retention where applicable) | SCCs; Intra-group Data Processing Agreement |
| Apollo Data Inc. (Apollo.io) United States (California) | Buyer search criteria (not PII) and retrieved public business contacts (work email, title) | TLS API call at buyer-discovery execution | Stored in our DB after retrieval until account deletion | SCCs; Apollo Terms and DPA |
| Telegram Messenger Inc. BVI / UAE (Dubai) | Operator notification summaries (PII minimized) | Bot API TLS transfer on event occurrence | Operator chat history retained per Telegram policy (deletion on user request) | Contractual necessity; PII minimized at source |
| (주)모티브이노베이션 (Motive Innovation Co., Ltd.) Republic of Korea | All service data for operation and support | Continuous, secure administrative access | Until account deletion (plus statutory retention where applicable) | EU-Korea Adequacy Decision (17 Dec 2021, GDPR Art. 45) |
You have the right to:
To exercise these rights or request copies of SCCs, contact: [email protected]
We implement the following technical and organizational measures to protect your personal data:
Regardless of your location, you have the right to:
To exercise these rights, use the profile settings within the Service or email [email protected]. We will respond within 10 business days.
Under the General Data Protection Regulation, you also have the right to:
Under the California Consumer Privacy Act, California residents have the right to:
California Privacy Rights — Do Not Sell My Personal Information
Whistle AI does not sell, rent, or share your personal information with third parties for their direct marketing purposes. To exercise your CCPA rights (access, deletion, or opt-out), contact us:
✉ Submit Privacy Request (Do Not Sell)The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
| Detail | Information |
|---|---|
| Name | Heewoong Chae |
| Title | CEO / Data Protection Officer |
| Phone | +82-70-5097-6371 |
| [email protected] |
If you have concerns about how your personal data is handled, you may contact the following authorities:
Supplementary Provision
This Privacy Policy is effective as of March 1, 2026. The July 4, 2026 amendment expanded and corrected disclosures on international data transfers and sub-processors (in particular the accurate storage region for Supabase — Singapore, AWS ap-southeast-1 — and the inclusion of Cloudflare, Resend, Apollo.io, and Telegram). Notice of the amendment was provided at least 7 days in advance via in-app notification and email.
Contact Information
(주)모티브이노베이션 (Korea) / MOTIVE Global, Inc. (US)
Email: [email protected]
Phone: +82-70-5097-6371
Address: 3F #307, 28 Nonhyeon-ro 98-gil, Gangnam-gu, Seoul, Republic of Korea