Studio XID Korea, Inc., including its affiliates and subsidiaries (collectively, “Studio XID” and also referred to as “we,” “us,” and “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This Policy provides a framework for ensuring that Studio XID meets its obligations under applicable data protection laws.

Please read this Policy carefully to understand our practices regarding your personal information and how we will treat it. If you do not agree with our Policy, your choice is not to use our Services. By creating an account and using our Services, you agree to this Privacy Policy. This Policy may change from time to time, and your continued use of our Services after we make changes is deemed to be acceptance of those changes. Therefore, please check the Policy periodically for updates.

You may click on one of the links below to jump to the listed section:

• Scope of Privacy Policy
• Collection of Your Personal Information
  • Information Provided by You
  • Information Collected Automatically
  • Cookies and Similar Technologies
• Use of Personal Information
  • Marketing Communications and Outreach
• Legal Basis of Processing Your Personal Information
• Data Retention
• Sharing and International Transfers of Your Personal Information
• Your Legal Rights
• Data Subjects Access Requests
  • Excessive or Unfounded Requests
• Data Security and Safety
  • Data Breaches
• Children’s Information
• Amendments to Privacy Policy
• Contact Information
• Complaints to Supervisory Authorities
• Additional Information and Jurisdiction-Specific Notices
  • Notice to Residents of South Korea

Scope of Privacy Policy

This Privacy Policy applies to the personal information we process through our official website (https://www.protopie.io/, ProtoPie School (https://learn.protopie.io/), and our products ProtoPie Studio, ProtoPie Cloud, ProtoPie Player, and ProtoPie Connect (collectively, the "Services"). This Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through our Services.

Collection of Your Personal Information

The personal information we collect depends on how you interact with us, the Services you use, and the choices you make.

Information Provided by You

You may directly provide us with your personal information when you sign up to our website. This includes personal information you submit when you subscribe to our marketing communications or reach out via Contact Us or Talk to Sales. The personal information we collect may include the following:

• IDENTITY DATA including [first name and last name, user ID, company/organization name, job title, country].

• CONTACT DATA including [email address].

• MARKETING COMMUNICATIONS DATA including [your preferences regarding the receipt of marketing communications from us].

Information Collected Automatically

As you navigate through and interact with our website, we may automatically collect technical data and usage data. We collect this information by using cookies, server log files, and other similar technologies. The data we collect includes:

• TECHNICAL DATA including [Internet protocol (IP) address, browser type and version, operating system, and device type].

• GEOLOCATION DATA including [geographical information based on your IP address].

• USAGE DATA including [information about how you interact with and use our website, cookies and other tracking technologies].

Cookies and Similar Technologies

We, along with our third-party service providers, may use cookies, pixel tags, web beacons, scripts, and other similar technologies to automatically collect information through the Services. These technologies are essentially small data files placed on your device that allow us to record certain pieces of information whenever you visit or interact with our Services.

• Browser Cookies. Cookies are small text files that are stored by the Internet browser on your device. A cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting, you may be unable to access certain parts of our website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our website.

• Third-Party Cookies. We also use third-party cookies on our website. The legal basis for the use of cookies and the subsequent data processing is your explicit consent. The following third parties may set cookies on your device: Amplitude, Google, Facebook, DoubleClick, LinkedIn, Twitter, Naver, HubSpot, Hotjar, Microsoft, ZoomInfo, Survicate, SendBird, Common Room, Drip, YouTube, Unbounce, Zendesk, and Gartner.

• Pixel Tag/Web Beacons/Clear GIF. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page. We may also use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing communications.

Use of Personal Information

We use your personal information for the purposes enumerated below.

• Providing the Services, such as:

  • Creating and managing your account;

  • Responding to and handling inquiries, customer and technical support requests, and feature requests; and

  • Processing payment card and/or other financial information to facilitate your use of the Services.

• Administering and protecting our business and the Services, including:

  • Troubleshooting, system maintenance, technical support, internal quality control, security, and data hosting.

• Communicating with you about our products, Services, events, and conducting surveys.

• Enforcing our agreements, and complying with our legal obligations including disclosure of information to law enforcement, the courts, and other authorities where required by applicable law.

• De-identifying personal information upon account deletion in accordance with applicable data protection laws and internal retention policies.

Marketing Communications and Outreach

We may collect and use certain personal information to send you marketing communications and to better understand your engagement with our Services for marketing purposes.

• Personal Information Collected. Name (first and last), email address, country, user ID, company/organization name, and job title.

• Purpose of Use. We may use this information to send you marketing communications including but not limited to newsletters, promotional offers, and other relevant updates; to analyze user behavior and segment users into more relevant audiences for more targeted marketing; to enrich user profiles using third-party sources to tailor outreach; and to conduct outreach through email.

• Legal Basis. Where required by applicable law, we will only send you marketing communications with your explicit consent. In some cases, and subject to local legal requirements, we may rely on legitimate interests to carry out user analysis, segmentation, data enrichment, and outreach, provided that such activities do not override your fundamental rights and freedom and that you have not objected to such use.

• Retention Period. We will retain your personal information for marketing communication purposes until you withdraw your consent or delete your account, whichever occurs first.

• Opt Out. Your decision to opt in or opt out of marketing communications will not affect your access to or use of our Services. You may withdraw your consent or object to the processing of your personal information for marketing purposes at any time. If you choose to opt out, we will respect your preferences and ensure that you no longer receive marketing communications via email but may continue to send you service-related or legally required communications as necessary.

Legal Basis of Processing Your Personal Information

• Consent. We may process your personal information if you have given us permission (i.e., consent) to use your personal information for a specific purpose, for example placing cookies on your device; before we send you certain electronic marketing communications; and in any other situation where personal data processing relies on your consent. You can withdraw your consent at any time.

• Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services; and responding to and handling your inquiries submitted via Contact Us or Talk to Sales.

• Legitimate Interests. We may process your personal information when we believe it is reasonably necessary to achieve our legitimate business interests, for example, to prevent fraud and enable us to give you the best and most secure customer experience. We consider and balance any potential impact on you and your rights before processing your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law. Examples of such use may include protecting our rights, privacy, safety, or property of Studio XID; analyzing your interactions with the website or with our Services to improve our products, services, and business activities; responding to and handling your queries or requests; providing you with related customer service; digitizing files and incoming mails; and reaching out to you to provide information about our products or request input on surveys to evaluate our products or services for quality assurance.

• Legal Obligations. We may process your personal information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body and regulatory agency, exercise or defend our legal rights, or disclose your personal information as evidence in litigation in which we are involved.

Data Retention

How long we are legally required to keep your personal information depends on both the jurisdiction in which our headquarters is located and the jurisdiction in which you are located at the time you share your personal information with us. Where multiple legal requirements apply, the requirement that provides the most protective retention standards would govern. In general, we do not retain your personal information longer than necessary for the purposes for which it was collected.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process personal information, and whether we can achieve those purposes through other means. By law and by default, we will retain your personal information only as long as necessary to fulfill the purpose for which it was collected.

You have the right to request deletion of your personal information at any time, subject to certain exceptions (see "Your Legal Rights" below).

Sharing and International Transfers of Your Personal Information

We may share your personal information with third-party service providers to provide our Services to you. These parties may process personal information on our behalf for purposes such as hosting, analytics, customer support, and learning management.

Some of this personal information may be transferred to, processed, and stored in jurisdictions that may have different data protection laws from the laws where you are located and may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to applicable laws.

To protect your personal information when transferred internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including the GDPR, and these safeguards include the following:

• Transfers based on an adequacy decision by the European Commission;

• Use of the Standard Contractual Clauses (SCCs) approved by the European Commission;

• Other legal mechanisms or contractual safeguards permitted under applicable data protection laws.

Outlined below is how we share personal information with third parties and transfer it to countries outside of South Korea.

• Bright Market, LLC (FastSpring)

  • Personal Information Transferred: Email address, cardholder's name, last four digits of the card number, and country
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during service use
  • Retention Period: Until termination of the data processing agreement

• Paddle.com Inc.

  • Personal Information Transferred: Email address, cardholder's name, last four digits of the card number, and country
  • Country of Destination: United Kingdom
  • Timing and Method of Transfer: Transmission via network during service use
  • Retention Period: Until termination of the data processing agreement

• Salesforce, Inc.

  • Personal Information Transferred: Name, email address, phone number, company/organization name, job title, region (country, and address)
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during the establishment of customer touchpoints
  • Retention Period: Until termination of the data processing agreement

• Zendesk, Inc.

  • Personal Information Transferred: Name, and email address
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during service use
  • Retention Period: Until termination of the data processing agreement

• Amplitude, Inc.

  • Personal Information Transferred: Name, email address, UUID, device information (device type, OS version), IP address, and region (city)
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during service use
  • Retention Period: Until termination of the data processing agreement

• Common Room, Inc.

  • Personal Information Transferred: Name, email address, company/organization name, job title, and engagement data
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during community engagement analysis
  • Retention Period: Until termination of the data processing agreement

• Drip Global, Inc.

  • Personal Information Transferred: Name, email address, and marketing preferences
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during marketing automation
  • Retention Period: Until termination of the data processing agreement

• Amazon Web Services, Inc.

  • Personal Information Transferred: User data stored in cloud infrastructure
  • Country of Destination: United States and various global regions
  • Timing and Method of Transfer: Continuous transmission via secure network for cloud hosting
  • Retention Period: Until termination of the data processing agreement

• LearnWorlds Ltd.

  • Personal Information Transferred: Name, email address, learning progress data
  • Country of Destination: European Union
  • Timing and Method of Transfer: Transmission via network during learning platform use
  • Retention Period: Until termination of the data processing agreement

• Canny, Inc.

  • Personal Information Transferred: Name, email address, feedback data
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during feedback submission
  • Retention Period: Until termination of the data processing agreement

• ZoomInfo Technologies LLC

  • Personal Information Transferred: Business contact information (name, email address, company/organization name, job title)
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during business contact enrichment
  • Retention Period: Until termination of the data processing agreement

• HubSpot, Inc.

  • Personal Information Transferred: Name, email address, company/organization name, job title, communication history
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during CRM and marketing activities
  • Retention Period: Until termination of the data processing agreement

• ChurnZero, Inc.

  • Personal Information Transferred: Name, email address, usage data, customer success metrics
  • Country of Destination: United States
  • Timing and Method of Transfer: Transmission via network during customer success management
  • Retention Period: Until termination of the data processing agreement

Your Legal Rights

The rights available to you depend on the legal basis on which we process your personal information and the laws applicable in your jurisdiction. Subject to these factors, you may have the right to:

• Right to Be Informed. Be informed about the collection and use of your personal information.

• Right of Access. Have access to personal information about you. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

• Right to Erasure (Right to Be Forgotten). Have information about you deleted. This enables you to ask us to delete or remove personal information when there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

• Right to Rectification. Have information about you corrected. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.

• Right to Object or Restrict Processing. Object or restrict the processing of your personal information where we rely on a legitimate interest as the legal basis for that particular use of your data. If you object to data processing, it will not occur in the future unless we can demonstrate compelling legitimate grounds for further processing that override your interest in objecting.

• Right to Data Portability. Data portability allows you to obtain and reuse your personal information for your own purposes, across different services. This permits you to move, copy, or transfer personal information easily from one IT environment to another in a safe and secure way, without affecting its usability. We will provide you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right applies only to automated information in cases where you initially provided consent for its use, or where we used the information to perform a contract with you.

Data Subjects Access Requests

Once we have verified your identity, we will respond and resolve all Subject Access Requests we receive from you regarding your personal information within the 30 days of receipt. Occasionally, it could take us longer than a month if your request is particularly complex or you have made multiple requests. In such cases, we will notify you of the delay and keep you updated on the progress.

Please make sure to submit your Subject Access Request via email, and we will respond using the same format in which we received your request, unless otherwise requested.

We will always explain the reason if we are unable to comply with your Subject Access Request. For example, if your request to access personal information that we no longer hold because it has been deleted in accordance with our data retention policy, we will inform you accordingly.

You will not pay a fee to access your personal information or to exercise any of the other rights.

Excessive or Unfounded Requests

We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances. If Subject Access Requests made by you are deemed to be excessive or unfounded we reserve the right granted to us under the applicable laws to:

• Refuse to provide you with the information, always justifying in writing the reasons behind our refusal

• Charge a reasonable administration fee and again, always justifying in writing the reason for any fees

• If your Subject Access Request is particularly complex, for example, we will write to you within the first 30 days of you making the Subject Access Request and inform you why it will take us longer to comply with your request.

Data Security and Safety

We take the following steps to ensure the tightest security and apply suitable technical measures to protect your personal information at rest and in transit.

• All communications related to the provision of the Services are always protected with encryption technology using HTTPS with TLS 1.2.

• Access to personal information is strictly limited to authorized personnel who have undergone regular information security training.

• Our data centers are protected by a 24-hour security monitoring system.

• We use strong passwords generated in accordance with our internal policies and enforce biometric two-factor authentication (2FA) for access to our systems.

• Our Information Security Management System complies with the ISO 27001 and 27701 standards and our compliance is certified by DQS.

For more details regarding our extensive security measures, please visit: https://www.protopie.io/learn/docs/security/overview

Data Breaches

In the unfortunate and rare event of a data breach that poses a risk to you, we will inform you without undue delay and, where feasible, as soon as possible after becoming aware of the breach.

We may be exempt from individually informing you of any data breaches if appropriate technical and organizational procedural measures were applied after a data breach; subsequent measures were taken to ensure the risk no longer exists; or notifying each affected individual would involve disproportionate effort, in which case we will provide a public communication or use a similar measure to inform you.

Children's Information

In certain jurisdictions, the minimum age for consent to data processing may vary, and we do not knowingly collect or process personal information from individuals under the applicable minimum age requirement, which may be as low as 13 years of age.

If you believe we may have any personal information from or about a child under 16 (or under the minimum age required by applicable data protection laws in your jurisdiction), please contact us using the Contact Information below. If we become aware that we have inadvertently collected or received personal information from a minor without verified parental consent, we will delete such information immediately.

Amendments to Privacy Policy

We regularly review our Privacy Policy to ensure it is up-to-date and accurate. The date of the last update can be found at the beginning of this Privacy Policy. We recommend that you visit this page regularly to check for any updates that may have been made.

Contact Information

If you have any questions about this Privacy Policy or our privacy practices, or if you wish to submit a Subject Access Request, please reach out to us at:

• Attn: Data Protection Officer (DPO)

• Email Address: privacy@protopie.io

• Postal Address: ProtoPie Building, 37-6, Hoenamu-ro 13ga-gil, Yongsan-gu, Seoul, 04344, South Korea

Complaints to Supervisory Authorities

If you are unhappy about how we have handled your personal information, you can contact our DPO who will investigate the matter and report back to you. We would appreciate the opportunity to address your concerns before you contact regulatory authorities, so we request that you contact us directly first.

If you are not satisfied with our response or believe we are not handling your personal information in accordance with applicable laws, you may lodge a complaint with the relevant supervisory authority:

[US] The Federal Trade Commission (FTC) at www.ftc.gov or your state's Attorney General, depending on your jurisdiction

[Canada] The Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca or your provincial privacy regulator, where applicable.

[UK] The Information Commissioner's Office (ICO) at www.ico.org.uk.

[EU] Your local Data Protection Authority (DPA) which supervises the application of data protection laws and has the power to issue fines or other penalties against companies in your country or region.

Additional Information and Jurisdiction-Specific Notices

Notice to Residents of South Korea