Privacy
Effective Date: June 1, 2026 | Last revised: June 7, 2026
① The Company collects the following personal information for service provision.
Required items: Email address, password (encrypted), nickname, service usage records, access logs, device information (OS, browser, IP).
Optional items: Profile image, date of birth, gender, areas of interest.
Social login: Basic profile information provided by the platform (name, email, profile photo).
Automatically collected: Cookies, access frequency, service usage patterns, AI agent conversation metadata.
② Collection methods: Automatic or direct collection during registration, service use, customer inquiries, and event participation.
Collected personal information is used only for the following purposes: Service provision and account management, user identification and authentication, AI agent service quality improvement (after anonymization), personalized service provision and recommendations, service usage statistical analysis, customer support and complaint handling, service-related announcements and event notifications (with optional consent), and legal obligation fulfillment and dispute resolution.
① Upon membership withdrawal, personal information is destroyed without delay. However, the following are retained for the specified periods.
Records of contracts or subscription withdrawal: 5 years (E-Commerce Act)
Records of payment and supply of goods: 5 years (E-Commerce Act)
Records of consumer complaints or dispute resolution: 3 years (E-Commerce Act)
Records of access: 3 months (Protection of Communications Secrets Act)
AI service operation records per AI Basic Act: 5 years
Content filtering and sanction records: 5 years
② When the retention period expires or the processing purpose is achieved, the personal information is destroyed within 5 days.
① The Company does not, in principle, provide users' personal information to third parties. However, the following exceptions apply.
- When the user has given prior consent
- When required by law or requested through legally prescribed procedures for investigative purposes
② When external AI services are used, minimal conversation context may transit provider servers. We minimize and encrypt transfers; retention follows each provider's policy (we do not warrant immediate deletion).
The Company may outsource personal information processing for service improvement. When outsourcing, the Company discloses the outsourcing details in accordance with applicable laws and supervises the processor to ensure safe handling of personal information.
① Users (or legal representatives) may exercise the following rights at any time: request to access, correct, delete, or suspend processing of personal information.
② Rights may be exercised through service settings or email (help@xenlook.com), and the Company will take action without delay.
③ Users may request access to, download of, or deletion of their AI agent conversation records.
① The Company uses cookies to provide personalized services to users.
② Users may refuse cookie storage through browser settings, which may result in some limitations in service use.
③ Cookies expire upon browser closure or logout.
① Conversations with AI agents may be used for service quality improvement and AI model enhancement, in which case de-identification (anonymization) is mandatory.
② Users may consent to or refuse the use of AI conversation data for training, with no disadvantage for refusal.
③ Private mode conversations are not stored on servers and are not used for training.
④ XENLOOK adopts a Local-First architecture, processing data locally whenever possible. When cloud transmission is necessary, explicit user consent is obtained, and end-to-end encryption is applied.
⑤ Users may withdraw consent for AI conversation data used for training at any time and may request deletion of previously learned data.
⑥ The Company discloses data usage status at least once per year in a transparency report.
⑦ EU GDPR users may exercise the Right to Portability.
The Company implements the following security measures: administrative measures (internal management plans, minimizing the number of personnel who handle personal information and training them), technical measures (encryption, access control, security programs, access log retention), and physical measures (access control to server rooms and storage facilities).
① The Company obtains parental consent when collecting personal information of children under 14.
② Legal representatives of children under 14 may request access to, correction of, or deletion of the child's personal information.
① To provide AI services, minimal conversation context may be transferred to foreign AI/search providers such as Google LLC (Vertex AI Gemini), DeepSeek, xAI (Grok), OpenAI (images), Suno (music), Fal.ai (video), and Brave (search). Upstage Solar is not used in the current production routing path. Service infrastructure (CDN/security) may transit Cloudflare Inc.
② For cross-border transfers, users are informed of and consent to the transferred items, destination country, timing and method, and the recipient's purpose and retention period.
| Recipient | Country | Items Transferred | Purpose | Retention Period |
|---|---|---|---|---|
| Google LLC (Vertex AI Gemini) | United States | Minimal conversation context (encrypted) | Primary chat AI responses | Per provider policy |
| Xencore 4B (proprietary) | Republic of Korea | Conversation content (encrypted) | AI response generation | Service operation & quality improvement |
| DeepSeek | China | Minimal conversation context (encrypted) | Fallback AI responses | Per provider policy |
| xAI (Grok 4 Fast) | United States | Minimal conversation context (encrypted) | Fallback AI responses | Per provider policy |
| OpenAI (GPT-Image-2) | United States | Image generation request text (encrypted) | AI image generation | Per provider policy |
| Suno | United States | Music generation request text (encrypted) | AI music generation | Per provider policy |
| Fal.ai | United States | Video generation request text (encrypted) | AI video generation | Per provider policy |
| Brave Search | United States | Search queries (encrypted) | Web search | Per provider policy |
| Cloudflare Inc. | United States | Access info (IP, headers) | CDN, security, WAF | Per provider policy |
We designate a Chief Privacy Officer (CPO) for personal data processing.
Privacy Officer: Nam Ki-yeon (Rep. Director, severally) · help@xenlook.com
Users may consult the following organizations for remedies regarding personal information infringement.
Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
Korean National Police Agency: 182 (ecrm.cyber.go.kr)
This policy is effective from the enforcement date. Any additions, deletions, or modifications due to changes in laws, policies, or security technologies will be announced through service notices at least 7 days before implementation.
① In the event of a personal data breach, the Company shall promptly notify affected users of the breach, the categories of personal data compromised, mitigation measures taken, and contact information.
② For EU users, the Company shall notify the supervisory authority within 72 hours in accordance with GDPR Article 33, and where high risk is anticipated, shall also notify affected individuals without undue delay per Article 34.
③ For Chinese users, the Company shall notify in accordance with Article 57 of the PIPL. For Korean users, the Company shall take one or more measures without delay in accordance with Article 34 of the Personal Information Protection Act.
① The Company does not make fully automated decisions through AI that produce legal effects for users. All significant decisions are accompanied by human review.
② EU users have the right to request human intervention regarding automated processing in accordance with GDPR Article 22, and may do so by contacting help@xenlook.com.
③ When objecting to automated decisions or requesting human review, the Company notifies results within 7 business days.
This Privacy Policy shall take effect on June 1, 2026.