Privacy Policy
Privacy Policy
Effective: April 1, 2026 | Version 3.0
Notice Regarding Personal Information Processing
D-mail (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Korean Personal Information Protection Act (PIPA) to protect the personal information of data subjects and to promptly and smoothly handle related grievances. This policy defines the responsibilities and obligations of the Company in relation to the use of its services.
Article 1 (General Provisions)
1. Purpose of This Policy
This Privacy Policy is established to protect the personal information of data subjects who use the D-mail service (hereinafter referred to as the "Service") provided by the Company, and to safeguard their rights and interests.
2. Definitions
- β’"Personal Information" refers to information about a living individual that can be used to identify that individual, such as name, email address, etc.
- β’"Data Subject" refers to a person who can be identified by the information being processed and who is the subject of that information.
- β’"Processing" refers to the collection, generation, linking, integration, recording, storage, retention, processing, editing, retrieval, output, correction, recovery, use, provision, disclosure, destruction, and other similar acts performed on personal information.
3. Scope of Application
- β’This policy applies to all services provided by the Company (website, Discord bot, API, etc.).
- β’Third-party services (Google, Discord, etc.) are governed by their respective privacy policies.
Article 2 (Personal Information Collected & Methods of Collection)
1. Categories of Personal Information Collected
| Category | Required Items | Optional Items |
|---|---|---|
| Service Usage | Discord user ID, linked email address, OAuth access token (stored encrypted) | Notification settings, channel integration information |
| Web Dashboard | Discord OAuth authentication data, session cookies, dashboard access logs | IMAP server configuration |
| Contact Management | Contact group names, contact email addresses, contact display names | - |
| Mail Forwarding | Target Discord server ID, channel ID, linked email address | - |
| AI Processing | Email body content (for verification code extraction, processed temporarily) | - |
| User Settings | Security settings, convenience settings, notification preferences, third-party consent timestamp | - |
| Service Usage Records | Date and time of service usage, access IP address, command usage records, security events | - |
| Customer Support | Inquiry details, contact information (email or Discord ID) | - |
| Payment (if applicable) | Payment records, payment method information (provided by payment processor) | - |
2. Methods of Collection
- β’Collection through Discord bot invitation and command execution
- β’Email account integration through Google OAuth authentication
- β’Web dashboard login through Discord OAuth
- β’Automatic collection upon website and dashboard access (server logs, session data)
- β’Direct user input (contact groups, IMAP settings, user preferences, etc.)
- β’Automated processing through AI services (temporary analysis of email content)
- β’Collection through customer support inquiries
Article 3 (Purpose of Processing Personal Information)
The Company processes collected personal information for the following purposes. Personal information shall not be used for purposes other than those listed below, and if the purpose of use changes, the Company will obtain separate consent and take other necessary measures.
| Purpose | Details | Legal Basis |
|---|---|---|
| Service Provision | Email notifications, email sending, mail forwarding, contact management, web dashboard, user identification | Performance of Contract |
| AI-Based Features | Automatic verification code extraction from emails, email summarization (in development), and other AI-powered features | Consent & Legitimate Interest |
| Service Improvement | Analyzing service usage statistics, improving features, fixing errors, improving AI model quality | Legitimate Interest |
| Customer Support | Responding to inquiries, handling complaints, delivering notices | Performance of Contract |
| Security & Fraud Prevention | Detecting abnormal usage, responding to security threats, investigating terms violations, user blocking management | Legitimate Interest |
| Account Management | Account deletion request processing, email verification, withdrawal processing | Performance of Contract |
| Legal Compliance | Record retention as required by applicable laws, responding to legal requests | Legal Obligation |
Article 4 (Retention & Usage Period of Personal Information)
1. Principle
The Company destroys personal information without delay once the purpose of collection and use has been fulfilled. However, in the following cases, the information is retained for the period specified.
2. Service-Related Retention
| Item | Retention Period | Destruction Timing |
|---|---|---|
| Email account integration information | Until integration is disconnected | Immediately upon disconnection |
| Discord user information | Until service usage ends | Within 30 days after account deletion |
| Contact group information | Until service usage ends | Within 30 days after account deletion |
| Mail forwarding settings | Until settings are removed | Immediately upon removal |
| AI-processed data (email content) | Destroyed immediately after processing | Immediately after processing |
| Service usage records and security events | 3 years | After retention period expires |
| Customer inquiry records | 1 year after inquiry resolution | After retention period expires |
3. Retention Required by Law
| Item | Retention Period | Applicable Law |
|---|---|---|
| Records of contracts or subscription withdrawal | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records of payment and supply of goods | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records of consumer complaints or dispute resolution | 3 years | Act on Consumer Protection in Electronic Commerce |
| Records of advertising and display | 6 months | Act on Consumer Protection in Electronic Commerce |
| Website access records | 3 months | Protection of Communications Secrets Act |
Article 5 (Disclosure of Personal Information to Third Parties)
1. Principle
The Company processes the personal information of data subjects only within the scope of purposes specified in Article 3, and does not provide personal information to third parties without the separate consent of the data subject.
2. Exceptions
Personal information may be provided without consent in the following cases:
- β’When there are special provisions in law or when it is unavoidable to comply with legal obligations
- β’When a public institution requires it for the performance of duties prescribed by laws and regulations
- β’When the data subject or their legal representative is unable to express their intent, or when prior consent cannot be obtained due to unknown address or similar reasons, and it is clearly necessary for the urgent benefit of the life, body, or property of the data subject or a third party
- β’When there is a lawful request from an investigative authority
Article 6 (Outsourcing of Personal Information Processing)
1. Outsourcing Status
The Company outsources the processing of personal information as follows for the smooth provision of services.
| Service Provider | Outsourced Tasks | Retention & Usage Period |
|---|---|---|
| Railway or cloud service providers | Service hosting, data storage | Until outsourcing contract terminates |
| Resend Inc. | Account verification emails, account deletion confirmation emails | Until outsourcing contract terminates |
| Payment processor (if applicable) | Payment processing | As required by applicable laws |
2. Outsourcing Management
- β’When entering into outsourcing contracts, the Company stipulates necessary provisions to ensure the safe management of personal information in accordance with the Personal Information Protection Act.
- β’If the scope of outsourced tasks or the service provider changes, such changes will be disclosed through this policy.
Article 7 (International Transfer of Personal Information)
1. International Transfer Status
The Company may transfer personal information overseas as follows for the provision of services.
| Recipient | Country | Items Transferred | Purpose of Transfer |
|---|---|---|---|
| Google LLC (Gmail API) | United States | Email address, OAuth token | Gmail API integration, email send/receive |
| Google LLC (Gemini API) | United States | Email body content (temporarily transmitted) | AI-based verification code extraction |
| Discord Inc. | United States | User ID, message content | Discord bot service, web dashboard authentication |
| Resend Inc. | United States | Email address | Account verification and deletion confirmation emails |
2. Protective Measures
- β’Appropriate protective measures are taken in accordance with the Personal Information Protection Act when transferring personal information overseas.
- β’The Company verifies that recipients comply with international standards for personal information protection.
Article 8 (AI-Based Data Processing)
1. Overview of AI Processing
The Company may utilize AI technologies, including the Google Gemini API, to process users' email content for the purpose of providing convenience features. AI processing is activated based on user settings, and users may disable AI processing at any time by changing their settings.
2. AI Processing Items and Purposes
| Feature | Data Processed | Purpose |
|---|---|---|
| Verification Code Extraction | Email subject and body | Automatic identification and display of verification codes |
| Email Summarization (in development) | Email subject and body | Providing email content summaries |
3. AI Processing Principles
- β’Email content transmitted for AI processing is destroyed immediately upon completion and is not separately stored on Company servers.
- β’The data processing policies of the AI service provider (Google) may apply separately, and the Company shall not be held liable for such policies.
- β’Whether data is used for training, model improvement, or other purposes by third-party AI service providers is subject to the respective provider's policies, and the Company does not control such use.
4. AI Processing Disclaimer
- β’The Company does not guarantee the accuracy or completeness of AI processing results, and shall not be liable for any damages arising from reliance on AI processing results.
- β’The Company shall not be liable for service interruptions caused by the AI service provider's service failures, policy changes, or API limitations.
- β’By enabling AI processing features, users are deemed to have consented to the transmission of their email content to third-party AI services.
Article 9 (Destruction of Personal Information)
1. Destruction Procedures
- β’When personal information becomes unnecessary due to expiration of the retention period, achievement of the processing purpose, or similar reasons, the Company destroys such information without delay.
- β’If personal information must be retained pursuant to other laws despite the expiration of the consent-based retention period or achievement of the processing purpose, the information shall be moved to a separate database (DB) or stored in a different location.
2. Methods of Destruction
- β’Electronic files: Permanently deleted using methods that make recovery impossible.
- β’Paper documents: Shredded or incinerated.
Article 10 (Rights & Obligations of Data Subjects and How to Exercise Them)
1. Rights of Data Subjects
Data subjects may exercise the following personal information protection rights against the Company at any time:
- β’Right to request access to personal information processing status
- β’Right to request correction in case of errors
- β’Right to request deletion
- β’Right to request suspension of processing
2. How to Exercise Rights
- β’Request via email ([email protected])
- β’Request through the Discord customer support channel
3. Processing Timeline
- β’The Company will take action within 10 days from the date of receiving the data subject's request and notify the data subject of the results.
4. Restrictions on Exercising Rights
- β’When there are special provisions in law or when it is unavoidable to comply with legal obligations
- β’When there is a risk of harm to the life or body of another person, or of unjustly infringing on the property or interests of another person
- β’When performance of the contract would be difficult, such as being unable to provide the agreed-upon service, if personal information is not processed
Article 11 (Personal Information of Children Under 14)
- β’The Company does not collect personal information from children under the age of 14, and the Service is not intended for children under 14.
- β’If the Company becomes aware that personal information of a child under 14 has been collected, it will destroy such information without delay.
- β’Legal representatives may request access to, correction, deletion, or suspension of processing of a child's personal information.
Article 12 (Installation, Operation, and Rejection of Automatic Data Collection Devices)
1. Use of Cookies
The Company uses session cookies for the web dashboard service. These are essential cookies for maintaining user login status and are automatically set when using the dashboard. Users may refuse cookies through browser settings; however, dashboard service usage may be restricted in such cases.
2. Server Logs
- β’Access IP addresses, access timestamps, and requested URLs may be automatically recorded in server logs for service operation purposes.
- β’Such information is used solely for service security and quality improvement purposes and is retained in accordance with applicable laws.
Article 13 (Collection & Use of Behavioral Information)
- β’The Company does not collect or use behavioral information for the purpose of providing personalized advertising.
- β’Usage pattern analysis for service improvement is based on anonymized statistical data.
Article 14 (Security Measures for Personal Information)
The Company takes the following measures to ensure the security of personal information:
1. Administrative Measures
- β’Establishment and implementation of an internal management plan for personal information protection
- β’Minimizing and training personnel who handle personal information
2. Technical Measures
- β’Encrypted storage and transmission of personal information (TLS/SSL, Fernet encryption)
- β’Technical countermeasures against hacking and other threats (security software, access controls)
- β’Retention and tamper-prevention of personal information access logs
3. Physical Measures
- β’Verification of security certifications of cloud service providers
Article 15 (Privacy Protection Officer)
The Company has designated a Privacy Protection Officer as follows to oversee personal information processing, handle complaints from data subjects, and provide remedies for damages related to personal information processing.
Privacy Protection Officer
- Department:Service Operations Team
- Email:[email protected]
Article 16 (Remedies for Rights Infringement)
Data subjects may apply for dispute resolution or consultation with the following organizations to seek remedies for personal information infringement.
| Organization | Contact | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 | www.kopico.go.kr |
| Personal Information Infringement Report Center (KISA) | 118 | privacy.kisa.or.kr |
| Supreme Prosecutors' Office | 1301 | www.spo.go.kr |
| National Police Agency | 182 | ecrm.cyber.go.kr |
Article 17 (Disclaimer)
This article contains important provisions defining the scope of the Company's liability.
1. Limitation of Liability
- β’The Company takes commercially reasonable measures to protect personal information, but does not guarantee that its security is infallible.
- β’The Company is not liable for personal information leaks caused by the negligence or carelessness of the data subject.
- β’The Company is not liable for personal information leaks resulting from security incidents at third-party services (Google, Discord, etc.).
2. Grounds for Exemption
- β’Damages caused by events beyond the Company's control, such as natural disasters, war, or hacking
- β’Damages resulting from personal information voluntarily disclosed by the data subject
- β’Personal information leaks caused by issues with the data subject's device environment or network
- β’Damages arising from data processing by AI service providers (Google Gemini, etc.)
- β’Damages caused by errors in user-provided IMAP settings, contact information, etc.
- β’Exposure of personal information in public channels configured by the user through mail forwarding
- β’Personal information leaks due to negligent session management on the web dashboard (e.g., failure to log out on shared devices)
Article 18 (Changes to This Privacy Policy)
- β’When additions, deletions, or modifications are made to this Privacy Policy due to changes in laws, policies, or security technologies, the Company will provide notice at least 7 days before the effective date of the changes through announcements on the website or within the Service.
- β’For changes that are disadvantageous to data subjects, notice will be provided at least 30 days in advance.
- β’Continued use of the Service after the effective date of the revised policy shall be deemed as consent to the revised policy.
Revision History
| Version | Effective Date | Major Changes |
|---|---|---|
| 3.0 | 2026.04.01 | AI data processing provisions added, web dashboard/contacts/mail forwarding/IMAP settings/account deletion features reflected, disclaimer strengthened, collection items and outsourcing/international transfer updated |
| 2.0 | 2025.01.21 | Comprehensive revision (disclaimer provisions added, international transfer provisions newly established) |
| 1.0 | 2024.12.01 | Initial publication |
This Privacy Policy is effective as of April 1, 2026.
D-mail Operations Team