Privacy Policy

Company: Wonjo Works Corp (원조공사)

Service Name: Gyeongo (견고)

CEO / Representative: Lee Hee-cheon (이희천)

Business Registration No.: 816-09-01450

Address: 192 Wondongjo-gyo-ro, Duchon-myeon, Hongcheon-gun, Gangwon-do, Republic of Korea

Phone: +82-10-7129-7083

Email: wonjoworks@gmail.com

Required: Email address, encrypted password (for authentication)

Optional: Display name, phone number, primary trade/specialty

Customer data you enter: If you use the customer management feature, you may enter your clients' names, phone numbers, email addresses, and addresses. This data is stored on your behalf and is under your control.

Usage data: Basic technical logs (e.g., login timestamps) retained for security purposes.

We do not collect sensitive personal data such as racial origin, political opinions, health data, or financial account numbers.

In the past twelve (12) months, we have collected the following categories of personal information, as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

We do not sell or share personal information for cross-context behavioral advertising. We do not collect sensitive personal information as defined by CPRA (such as Social Security numbers, precise geolocation, or race/ethnicity).

California residents have the rights described in Section 8 below. To exercise these rights, contact wonjoworks@gmail.com with subject "CCPA Request".

1. Authentication & Account Management: To create and manage your account and verify your identity.

2. Service Delivery: To provide estimate creation, project management, customer management, and other core features of Gyeongo.

3. Billing & Subscription: To process Pro subscription payments and manage billing records.

4. Service Improvement: To maintain, support, and improve the Service.

5. Legal Compliance: To comply with applicable laws and respond to lawful government requests.

For users in the European Economic Area (EEA), we process your personal data on the following legal bases under GDPR Article 6:

1. Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have signed up for, including authentication and feature delivery.

2. Legitimate Interests (Art. 6(1)(f)): Processing for security logging, fraud prevention, and service improvement, where such interests are not overridden by your rights.

3. Legal Obligation (Art. 6(1)(c)): Retaining billing records as required by applicable financial and tax regulations.

1. Account data: Retained until you delete your account. Upon account deletion, personal data is erased promptly.

2. Payment records: Retained for 5 years as required by applicable financial regulations.

3. Security logs: Retained for 3 months.

We share your data with the following trusted service providers solely to operate the Service. Each sub-processor is contractually bound to protect your data:

• Supabase, Inc. (USA) — Database, authentication, and file storage. Privacy
• Vercel Inc. (USA) — Web hosting and edge infrastructure (IP address and request logs only, no application data). Privacy
• PayPal Holdings, Inc. (USA) — Payment processing for Pro subscriptions. PayPal handles payment information under its own policy. Privacy
• Upstash, Inc. (USA) — Redis-based rate limiting for API abuse prevention (IP and request counts only; no account or content data). Privacy
• Google LLC (USA) — Google Analytics 4 for aggregated usage statistics. Loaded only after you accept analytics cookies. IP anonymization enabled; ad personalization disabled. Privacy

We do not sell or share your personal data for behavioral advertising. An updated list of sub-processors will be posted on this page; material changes will be announced by email at least 30 days in advance to allow you to object.

As our service providers (Supabase and PayPal) are based in the United States, your personal data may be transferred to and processed in the USA.

For users in the EEA or UK, such transfers are made subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an equivalent level of protection as within the EEA.

GDPR Rights (EEA/UK users):

- Right of Access: Request a copy of personal data we hold about you.

- Right to Rectification: Request correction of inaccurate or incomplete data.

- Right to Erasure: Request deletion of your personal data ("right to be forgotten").

- Right to Data Portability: Request your data in a structured, machine-readable format.

- Right to Object: Object to processing based on legitimate interests.

- Right to Lodge a Complaint: You may lodge a complaint with your local data protection authority.

CCPA Rights (California residents):

- Right to Know: Request disclosure of the categories and specific pieces of personal information collected.

- Right to Delete: Request deletion of personal information we have collected.

- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.

- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at wonjoworks@gmail.com.

We use only essential session cookies necessary to keep you logged in and maintain your session. We do not use tracking cookies, analytics cookies, or advertising cookies of any kind.

You can manage or delete cookies through your browser settings at any time. Disabling session cookies may prevent you from logging in to the Service.

For more information, see our Cookie Policy.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of affected users, we will notify the competent supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

Where a breach is likely to result in a high risk, we will also notify affected users without undue delay (GDPR Article 34), describing the nature of the breach, the likely consequences, the measures taken, and the contact for further information.

For users outside the EU, we will provide notice in accordance with applicable breach notification laws (e.g., CCPA §1798.82, US state laws, PIPA for Korea).

For any privacy-related inquiries, data access requests, or complaints, please contact us at:

Gyeongo is not subject to mandatory Data Protection Officer (DPO) designation under GDPR Article 37. Privacy inquiries should be directed to the contact above.

We aim to respond to all privacy requests within 30 days. If your request is complex or numerous, we may extend this period by a further 60 days, in which case we will notify you.