Privacy Policy

1. Who We Are (Data Controller)

SajuAstrology (the “Service”) is operated by Rimfactory, a business entity registered in the Republic of Korea.

For the purposes of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, Korea’s Personal Information Protection Act (“PIPA”), and the California Consumer Privacy Act as amended by the CPRA (“CCPA”), Rimfactory is the data controller (or “business” under CCPA) responsible for your personal information. All privacy-related inquiries should be directed to info@rimfactory.io.

2. Information We Collect

Account information. When you sign in via Google OAuth or Apple Sign-in, we receive your name, email address, and (when provided) profile picture. We never receive or store your password. If you use Apple’s Hide My Email option, we use the relay address provided.

Birth data. Name, gender, date and time of birth, and city of birth that you voluntarily enter for Saju readings, compatibility checks, and consultations. Because this combination can identify a natural person, we treat it as personal data under GDPR/PIPA and apply appropriate safeguards.

Soram conversation data. If you use the Soram chat feature, your questions and Soram’s responses are stored in your account so you can review them on the dashboard and so Soram can remember context across sessions. We may also generate a periodic short summary of recurring themes from your conversations to improve continuity. You can delete this history at any time by deleting your account.

Subscription state (Soram Companion). If you subscribe, we store the subscription start/end dates, current status (active/canceled/expired), and the platform that processes the subscription (Creem / PayPal / Apple App Store / Google Play). We do not store your payment card.

Usage and device data. Pages visited, features used, interactions, device type, operating system, browser type, approximate location (inferred from IP at country/city level), and performance telemetry. Collected via Google Analytics 4, Mixpanel (web), Firebase Analytics (mobile app), and Vercel Analytics.

Purchase data. Transaction identifiers, product IDs, purchase timestamps, and platform (web / iOS / Android). Full payment-card data is never received or stored by us — it is handled by Creem.io (our Merchant of Record on the web for global card processing, including Korean cards), PayPal (alternative web checkout), or Apple / Google (mobile app in-app purchase).

Communications. Any email you send to us (including support requests).

3. Why We Use Your Data (Purposes and Legal Basis)

We do not use your personal data for profiling that produces legal or similarly significant effects on you, for automated decisions other than generating AI readings you have explicitly requested, or for advertising or ad-targeting.

4. AI Processing of Your Birth Data

Your birth data is transmitted to Google Gemini (via Google’s generative AI APIs) and to Anthropic Claude (fallback and verification) as prompt input to generate your reading. These providers act as our data processors.

We do not knowingly submit your birth data to these providers for the purpose of training their foundation models. For the providers’ own data-handling and retention practices, please refer to their respective privacy policies, which govern their processing of the input they receive. We monitor these policies and will update this notice materially if they change in a way that affects your rights.

5. Sharing and Third-Party Processors

We share personal data only with the following categories of processors and partners, under written data-processing agreements where required by law:

• Identity providers: Google (OAuth), Apple (Sign-in).
• Database and infrastructure: Supabase (authentication, relational storage with Row Level Security), Vercel (web hosting and edge delivery).
• AI model providers: Google (Gemini API), Anthropic (Claude).
• Payment processors: Creem.io (Merchant of Record on the web for global card processing, including Korean cards), PayPal (alternative web checkout for non-Korean users), Apple App Store (iOS in-app purchase), Google Play (Android in-app purchase). On the Creem flow, Creem is the contracting seller of record for the transaction; Rimfactory remains the supplier of the underlying digital reading.
• Analytics: Google Analytics 4, Mixpanel, Firebase Analytics (mobile), Vercel Analytics.
• Error and performance monitoring: Vercel, and limited logging within our own infrastructure.

We do not sell your personal information in the traditional sense, and we do not “share” it for cross-context behavioural advertising as defined by the CCPA/CPRA.

6. International Data Transfers

The Service is operated from the Republic of Korea, and our processors are located in the United States, the European Union, and other jurisdictions. When we transfer personal data internationally, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses, Korea’s cross-border transfer provisions under PIPA, and the adequacy decisions of the receiving jurisdictions where applicable.

7. Retention

We keep your personal data only as long as necessary for the purposes described:

• Account, readings, and Soram conversation history: until you delete your account (30 days to complete deletion).
• Subscription state (Soram Companion): retained while the subscription is active and for up to 5 years after termination, in line with Korean commercial and tax law, in a minimized form.
• Contract and payment records: up to 5 years as required by Korean commercial and tax law (Act on the Consumer Protection in Electronic Commerce, Art. 6), in a minimized form.
• Records of consumer complaints or disputes: up to 3 years.
• Analytics: up to 14 months (Google Analytics 4 default) or 12 months (Mixpanel), then deleted or aggregated.
• Logs and security events: up to 90 days, unless required longer for investigation.

8. Security

All connections are encrypted via HTTPS/TLS. Account credentials never reach our servers — authentication is delegated to Google OAuth and Apple Sign-in. Database access is protected with Row Level Security, access controls, and network restrictions. Despite these measures, no internet service can guarantee absolute security; we encourage you to use strong and unique authentication with your identity provider.

9. Your Rights

Depending on where you live, you may have some or all of the following rights:

• Access and portability — request a copy of the personal data we hold about you in a structured, commonly used format.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion / “right to be forgotten” — delete your account and personal data at any time from your dashboard, or by emailing us.
• Restriction and objection — object to or restrict certain processing based on legitimate interest.
• Withdrawal of consent — where we rely on consent, you may withdraw it at any time without affecting processing that already took place.
• Complaint — lodge a complaint with your data-protection authority. EU/EEA residents may contact their local DPA; UK residents may contact the ICO; Korean residents may contact the Personal Information Protection Commission (PIPC); California residents may contact the California Privacy Protection Agency (CPPA).
• California residents (CCPA/CPRA) — the right to know, delete, correct, and limit use of sensitive personal information; and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioural advertising.

To exercise any right, email info@rimfactory.io. We will respond within 30 days (or as legally required). Primary support language is English.

10. Children

The Service is not intended for children under the age of 14 (the minimum digital-consent age under Korea’s PIPA). EU/EEA residents must meet their member state’s minimum digital-consent age (generally 16). We do not knowingly collect personal data from children below these ages. If you believe a child has submitted data, contact us and we will delete it promptly.

11. Cookies and Similar Technologies

We use a minimal set of cookies and local-storage items required to keep you signed in, remember your language, and measure product usage. Vercel Analytics is cookieless. Google Analytics, Mixpanel, and Firebase may set analytics cookies or use localStorage to generate anonymous identifiers. PayPal and Creem.io may set essential cookies during their respective checkout flows. You can control cookies via your browser settings; disabling non-essential cookies will not prevent use of the Service.

12. Important Disclaimer

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will announce material changes on the Website with an updated “Last updated” date, and, where required by law, via email. Continued use of the Service after changes means you accept the updated policy.

Contact