Privacy Policy

Effective: March 1, 2026 | Last Updated: March 17, 2026

MOTIVE Innovation Co., Ltd. (Republic of Korea) and MOTIVE Global, Inc. (Delaware, United States) (collectively, the "Company," "we," "us," or "our") are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Whistle AI platform ("Service").

This policy is designed to comply with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

1. Information We Collect

1.1 Information You Provide

Category	Data Collected	Purpose
Account (Required)	Email address, password (encrypted)	Account creation, authentication, service access
Manufacturer Profile (Optional)	Company name, representative name, phone number, address, business registration number, product information, bank account details	Export service delivery, document generation, buyer matching
Buyer Profile (Optional)	Company name, contact person, country, phone number, interest categories	Buyer profile setup, product matching
Payment Information	Payment card details (stored by Stripe or TossPayments), transaction records	Payment processing, refund handling

1.2 Information Collected Automatically

Data	Purpose
IP address	Security, fraud prevention, analytics
Browser type and version	Service optimization, compatibility
Service usage logs	Usage analytics, service improvement
Access timestamps	Security monitoring, abuse prevention
Device information	Service optimization, troubleshooting

1.3 Collection Methods

• Direct input by you during registration and service usage
• Automatic generation and collection during service use
• Collection through payment processors (Stripe, TossPayments)

2. How We Use Your Information

1. Service Delivery: AI export analysis, buyer matching, export document generation, communication tools, logistics tracking, and related core platform features
2. Account Management: Identity verification, account maintenance, notifications, and customer support
3. Payment Processing: Subscription billing, per-use charges, auto-renewal, and refund processing
4. Service Improvement: New feature development, usage analytics, performance optimization, and quality assurance
5. Marketing: Event and promotional communications (only with your separate, explicit consent)
6. Legal Compliance: Fulfillment of obligations under applicable laws and regulations
7. Security: Fraud detection, abuse prevention, and platform security

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

• Contract Performance: Processing necessary to fulfill our service agreement with you (account creation, service delivery, payment processing)
• Legitimate Interest: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement, analytics)
• Consent: Processing based on your explicit consent (marketing communications, optional data collection)
• Legal Obligation: Processing required to comply with applicable laws

4. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy. When the purpose of collection is fulfilled, we delete or anonymize your data without delay, except where retention is required by law.

Data Category	Retention Period	Legal Basis
Account and profile data	Until account deletion	Service agreement
Contract and withdrawal records	5 years	Act on Consumer Protection in Electronic Commerce (Korea)
Payment and transaction records	5 years	Act on Consumer Protection in Electronic Commerce (Korea)
Consumer complaint records	3 years	Act on Consumer Protection in Electronic Commerce (Korea)
Access logs	3 months	Protection of Communications Secrets Act (Korea)
Advertising records	6 months	Act on Consumer Protection in Electronic Commerce (Korea)

Upon account deletion, personal data is destroyed without delay. Data that must be retained by law is stored separately in a restricted database and destroyed upon expiration of the required retention period.

5. Sharing and Disclosure of Information

1. We process your personal data only within the scope described in Section 2 and do not sell, rent, or share your data with third parties for their own purposes without your prior consent.
2. Exceptions to the above:
   • You have provided explicit prior consent to the sharing
   • Buyer-manufacturer matching: Upon a successful match and with separate consent, contact information necessary for the transaction is shared with the counterparty
   • Required by law or legal process
   • Requested by law enforcement authorities following legally prescribed procedures

6. Service Providers (Data Processors)

We engage the following third-party service providers to operate the Service. Each provider processes data only as instructed by us and under contractual obligations to maintain confidentiality and security.

Provider	Purpose	Data Processed
Supabase Inc.	Cloud database, authentication	Account data, service data
Anthropic PBC	AI analysis processing (API)	Product/export data for analysis (anonymized where possible)
Stripe, Inc.	Global payment processing	Payment card details, transaction records
TossPayments Co., Ltd.	Korean domestic payment processing	Payment card details, transaction records
Naver Corp.	Product data search (API)	Product search queries
OpenSky Network	Aviation tracking data (public API)	No personal data

7. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States and the Republic of Korea. When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
• Adequacy decisions where applicable
• Contractual protections with all service providers

8. Data Security

We implement the following technical and organizational measures to protect your personal data:

1. Encryption at Rest: Passwords are hashed using bcrypt. Payment information is managed by PCI DSS-compliant processors (Stripe, TossPayments).
2. Encryption in Transit: All data transmission is encrypted via SSL/TLS protocols.
3. Access Controls: Row Level Security (RLS) for data isolation, role-based access management, and least-privilege principle for all system access.
4. Audit Logging: Administrative access is logged and monitored.
5. Personnel Controls: Access to personal data is limited to authorized personnel. Regular security training is conducted.

9. Cookies and Tracking Technologies

1. The Service uses browser local storage for authentication token management.
2. We collect minimal access records for service analytics and quality improvement.
3. You may delete stored data at any time through your browser settings.
4. We do not use third-party advertising trackers.

10. Your Rights

10.1 All Users

Regardless of your location, you have the right to:

1. Access: Request a copy of the personal data we hold about you
2. Correction: Request correction of inaccurate or incomplete personal data
3. Deletion: Request deletion of your personal data (subject to legal retention requirements)
4. Processing Restriction: Request that we restrict the processing of your personal data

To exercise these rights, use the profile settings within the Service or email [email protected]. We will respond within 10 business days.

10.2 Additional Rights for EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you also have the right to:

• Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Object to Processing: Object to processing based on our legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge a Complaint: File a complaint with your local data protection supervisory authority

10.3 Additional Rights for California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information collected about you
• Delete: Request deletion of your personal information
• Non-Discrimination: Not be discriminated against for exercising your privacy rights
• Opt Out of Sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

12. Data Protection Officer

Detail	Information
Name	Heewoong Chae
Title	CEO / Data Protection Officer
Phone	+82-70-5097-6371
Email	[email protected]

13. Remedies and Complaints

If you have concerns about how your personal data is handled, you may contact the following authorities:

• Korea: Personal Information Infringement Report Center (KISA) — 118 / privacy.kisa.or.kr
• Korea: Personal Information Dispute Mediation Committee — 1833-6972 / kopico.go.kr
• EU: Your local data protection supervisory authority
• US (California): California Attorney General — oag.ca.gov/privacy

14. Changes to This Policy

1. We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices.
2. Material changes will be communicated at least 7 days before the effective date via in-app notification or email.
3. Changes that are materially adverse to you will be communicated at least 30 days in advance.
4. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.