Privacy Policy

Effective: March 1, 2026 | Last Updated: March 17, 2026

(주)모티브이노베이션 (Republic of Korea) and MOTIVE Global, Inc. (Delaware, United States) (collectively, the "Company," "we," "us," or "our") are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Whistle AI platform ("Service").

This policy is designed to comply with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

Data Controller — Responsible Entity by User Location

User / Transaction Type	Responsible Entity	Applicable Law
Users based in the Republic of Korea; KRW-denominated subscriptions	(주)모티브이노베이션 3F #307, 28 Nonhyeon-ro 98-gil, Gangnam-gu, Seoul, Republic of Korea	Korean PIPA, E-Commerce Consumer Protection Act
Users outside Korea; USD/foreign-currency payments via Stripe	MOTIVE Global, Inc. Delaware C-Corp, United States	U.S. state law (Delaware); GDPR where applicable; CCPA for California residents
AI analysis, shared platform infrastructure, data security	Both entities jointly	GDPR Art. 26 joint-controller arrangement; PIPA Art. 26 joint processing

For GDPR purposes, (주)모티브이노베이션 is the lead controller for Korean-law obligations and MOTIVE Global, Inc. is the lead controller for EU/EEA GDPR obligations. A joint-controller agreement (GDPR Art. 26) governs the allocation of responsibilities between the two entities. You may contact either entity to exercise your rights; each will coordinate to fulfill your request.

1. Information We Collect

1.1 Information You Provide

Category	Data Collected	Purpose
Account (Required)	Email address, password (encrypted)	Account creation, authentication, service access
Manufacturer Profile (Optional)	Company name, representative name, phone number, address, business registration number, product information, bank account details	Export service delivery, document generation, buyer matching
Buyer Profile (Optional)	Company name, contact person, country, phone number, interest categories	Buyer profile setup, product matching
Payment Information	Payment card details (stored by Stripe), transaction records	Payment processing, refund handling

1.2 Information Collected Automatically

Data	Purpose
IP address	Security, fraud prevention, analytics
Browser type and version	Service optimization, compatibility
Service usage logs	Usage analytics, service improvement
Access timestamps	Security monitoring, abuse prevention
Device information	Service optimization, troubleshooting

1.3 Collection Methods

• Direct input by you during registration and service usage
• Automatic generation and collection during service use
• Collection through payment processor (Stripe)

2. How We Use Your Information

1. Service Delivery: AI export analysis, buyer matching, export document generation, communication tools, logistics tracking, and related core platform features
2. Account Management: Identity verification, account maintenance, notifications, and customer support
3. Payment Processing: Subscription billing, per-use charges, auto-renewal, and refund processing
4. Service Improvement: New feature development, usage analytics, performance optimization, and quality assurance
5. Marketing: Event and promotional communications (only with your separate, explicit consent)
6. Legal Compliance: Fulfillment of obligations under applicable laws and regulations
7. Security: Fraud detection, abuse prevention, and platform security

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

• Contract Performance: Processing necessary to fulfill our service agreement with you (account creation, service delivery, payment processing)
• Legitimate Interest: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement, analytics)
• Consent: Processing based on your explicit consent (marketing communications, optional data collection)
• Legal Obligation: Processing required to comply with applicable laws

4. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy. When the purpose of collection is fulfilled, we delete or anonymize your data without delay, except where retention is required by law.

Data Category	Retention Period	Legal Basis
Account and profile data	Until account deletion	Service agreement
Contract and withdrawal records	5 years	Act on Consumer Protection in Electronic Commerce (Korea)
Payment and transaction records	5 years	Act on Consumer Protection in Electronic Commerce (Korea)
Consumer complaint records	3 years	Act on Consumer Protection in Electronic Commerce (Korea)
Access logs	3 months	Protection of Communications Secrets Act (Korea)
Advertising records	6 months	Act on Consumer Protection in Electronic Commerce (Korea)

Upon account deletion, personal data is destroyed without delay. Data that must be retained by law is stored separately in a restricted database and destroyed upon expiration of the required retention period.

5. Sharing and Disclosure of Information

1. We process your personal data only within the scope described in Section 2 and do not sell, rent, or share your data with third parties for their own purposes without your prior consent.
2. Exceptions to the above:
   • You have provided explicit prior consent to the sharing
   • Buyer-manufacturer matching: Upon a successful match and with separate consent, contact information necessary for the transaction is shared with the counterparty
   • Required by law or legal process
   • Requested by law enforcement authorities following legally prescribed procedures

6. Service Providers (Data Processors)

We engage the following third-party service providers to operate the Service. Each provider processes data only as instructed by us and under contractual obligations to maintain confidentiality and security.

Provider	Purpose	Data Processed
Supabase Inc.	Cloud database, authentication	Account data, service data
Anthropic PBC	AI analysis processing (API)	Product/export data for analysis (anonymized where possible)
Stripe, Inc.	Global payment processing	Payment card details, transaction records
Naver Corp.	Product data search (API)	Product search queries
OpenSky Network	Aviation tracking data (public API)	No personal data

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the Republic of Korea and the United States. We comply with GDPR Articles 44–49 regarding cross-border data transfers and ensure appropriate safeguards for all international transfers.

7.1 Data Transfer Recipients

Service Provider	Data Processed	Server Location	Legal Basis for Transfer
Supabase (Database & Auth)	Account data, business profiles, analysis results, communications	United States (AWS)	Standard Contractual Clauses (SCCs); Supabase is certified under the EU-US Data Privacy Framework (DPF)
Stripe (Payments)	Payment information, billing details, transaction records	United States	EU-US Data Privacy Framework (DPF); PCI DSS Level 1 certified
Cloudflare (Hosting & CDN)	IP addresses, access logs, cached content	Global edge network (nearest PoP)	EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs)
MOTIVE Innovation Co., Ltd. (Data Controller)	All service data for operation and support	Republic of Korea	EU-Korea Adequacy Decision (adopted December 2021, effective under GDPR Art. 45)
MOTIVE Global, Inc. (US Subsidiary)	Payment processing, US customer support	United States (Delaware)	Standard Contractual Clauses (SCCs); Intra-group Data Processing Agreement
Anthropic PBC (Claude AI Analysis)	Product/export data submitted for AI analysis (anonymized where possible)	United States	Standard Contractual Clauses (SCCs); Data Processing Addendum; Anthropic Commercial Terms

7.2 Safeguard Mechanisms (GDPR Art. 46)

• Adequacy Decisions (Art. 45): The European Commission recognizes the Republic of Korea as providing an adequate level of data protection (Decision of 17 December 2021). Transfers to Korea are therefore permitted without additional safeguards.
• EU-US Data Privacy Framework: For US-based processors certified under the DPF (Stripe, Cloudflare, Supabase), transfers are made in reliance on the DPF adequacy decision (July 2023).
• Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a supplementary safeguard for transfers to the United States.
• Data Processing Agreements (DPAs): We maintain signed DPAs with all sub-processors, requiring them to implement technical and organizational measures equivalent to those required under GDPR.
• Supplementary Measures: All data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256. Access is restricted on a need-to-know basis with role-based controls.

7.3 Your Rights Regarding International Transfers

You have the right to:

• Obtain a copy of the safeguards used for international transfers by contacting our DPO
• Lodge a complaint with your local supervisory authority if you believe your data is being transferred without adequate protection
• Request information about which specific sub-processors are processing your data

To exercise these rights or request copies of SCCs, contact: [email protected]

8. Data Security

We implement the following technical and organizational measures to protect your personal data:

1. Encryption at Rest: Passwords are hashed using bcrypt. Payment information is managed by PCI DSS-compliant processor (Stripe).
2. Encryption in Transit: All data transmission is encrypted via SSL/TLS protocols.
3. Access Controls: Row Level Security (RLS) for data isolation, role-based access management, and least-privilege principle for all system access.
4. Audit Logging: Administrative access is logged and monitored.
5. Personnel Controls: Access to personal data is limited to authorized personnel. Regular security training is conducted.

9. Cookies and Tracking Technologies

1. The Service uses browser local storage for authentication token management.
2. We collect minimal access records for service analytics and quality improvement.
3. You may delete stored data at any time through your browser settings.
4. We do not use third-party advertising trackers.

10. Your Rights

10.1 All Users

Regardless of your location, you have the right to:

1. Access: Request a copy of the personal data we hold about you
2. Correction: Request correction of inaccurate or incomplete personal data
3. Deletion: Request deletion of your personal data (subject to legal retention requirements)
4. Processing Restriction: Request that we restrict the processing of your personal data

To exercise these rights, use the profile settings within the Service or email [email protected]. We will respond within 10 business days.

10.2 Additional Rights for EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you also have the right to:

• Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Object to Processing: Object to processing based on our legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge a Complaint: File a complaint with your local data protection supervisory authority

10.3 Additional Rights for California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information collected about you
• Delete: Request deletion of your personal information
• Non-Discrimination: Not be discriminated against for exercising your privacy rights
• Opt Out of Sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

12. Data Protection Officer

Detail	Information
Name	Heewoong Chae
Title	CEO / Data Protection Officer
Phone	+82-70-5097-6371
Email	[email protected]

13. Remedies and Complaints

If you have concerns about how your personal data is handled, you may contact the following authorities:

• Korea: Personal Information Infringement Report Center (KISA) — 118 / privacy.kisa.or.kr
• Korea: Personal Information Dispute Mediation Committee — 1833-6972 / kopico.go.kr
• EU: Your local data protection supervisory authority
• US (California): California Attorney General — oag.ca.gov/privacy

14. Changes to This Policy

1. We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices.
2. Material changes will be communicated at least 7 days before the effective date via in-app notification or email.
3. Changes that are materially adverse to you will be communicated at least 30 days in advance.
4. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.