1. Overview & Operator
Stats (the AI survey SaaS, the “Services”) is operated by STA (the “Company”). We comply with the Korean Personal Information Protection Act (PIPA), the Act on Promotion of Information and Communications Network Utilization, and the EU General Data Protection Regulation (GDPR). This Policy applies to all activity on stats.sta-suite.com, including the public response page at /s/[slug].
| Legal name | STA |
|---|---|
| Representative | Youngjun Choi |
| Registered address | 3F S43, 37 Ewhayeodae 7-gil, Seodaemun-gu, Seoul, Republic of Korea |
| Business registration no. | 313-19-02361 |
| Mail-order registration no. | 신고 준비 중 |
| Privacy inquiries | privacy@sta-suite.com |
| General support | support@sta-suite.com |
2. Roles — Workspace Owner / Respondent
Stats handles two distinct categories of data subject; their legal basis structures differ, so we describe them separately.
2.1 Workspace Owner
- A member who signs up directly with the Company and creates a Stats account.
- Designs, publishes, and analyzes surveys.
- We act as the controller for the Owner’s account, billing, and usage logs.
2.2 Respondent
- A person who receives a survey link (
/s/[slug]) and submits answers, typically without signing up. - The data submitted as answers (name, email, business number, etc.) is collected via questions defined by the Workspace Owner.
- For answer content the Company is a processor and the Workspace Owner is the controller. The Company directly collects and manages system metadata such as the respondent’s IP and device.
- Respondents may also be bound by the Workspace Owner’s own privacy policy in addition to this Policy.
3. Information We Collect — Owners
3.1 Account registration
- Required: email address, password (one-way hashed) or OAuth identifier (Google)
- Optional: display name
3.2 Automatically collected
- IP address, access logs, cookies (session, locale), device/browser information
- Usage logs (which surveys were created and accessed when — for operations analytics)
- Crash and error reports
3.3 Payment information (paid plans)
- Payment method (issuer name, masked PAN — full card numbers are never stored on our servers)
- Transaction history (item, amount, timestamp, authorization code)
- Workspace name (for receipts)
4. Respondent Data
Data submitted by respondents at /s/[slug] is stored in our database (Supabase, Seoul region).
4.1 Answer content
- Answers typed or selected by the respondent (single/multi choice, short/long text, matrix, ranking, rating, NPS, slider, date, number, etc.).
- Depending on the questions, answers may include personally identifiable information (PII) such as:
- Email address (for OTP verification — 6-digit code)
- Phone number (with country-specific format validation)
- Business / tax number (Korean 사업자번호, US EIN, JP 法人番号 — checksum-validated)
- Country, region, industry classification
- Name, affiliation, or any free-text input provided by the respondent
- Email OTP codes are single-use and discarded immediately on verification or expiry.
4.2 Automatically collected response metadata
- IP address — hashed at storage time; used to deduplicate and block abuse
- User-Agent (operating system, browser)
- Start and end timestamps, time-to-complete — used to compute a response quality score
- (When the Owner enables it) regional distribution from IP geolocation, aggregated only at the province / state level
4.3 Separation and protection of respondent PII
Sensitive fields (email, phone, business number, etc.) are stored in a separate respondent_pii table protected by Row-Level Security and service-key authorization. Only members of the owning workspace can read them. The dashboard masks PII by default (J*n D*e, +82-10-****-1234); revealing it writes an audit log entry. Business numbers are additionally stored as SHA-256 hashes so deduplication can run on the hash while display uses the cleartext value.
5. Purposes of Use
- Identify and authenticate Owners
- Provide the Services — survey builder, response collection, results dashboard
- Store, aggregate, and chart response data
- Process payments and refunds, issue receipts
- Customer support — inquiries, abuse reports, error handling
- Improve the Services using anonymized, aggregated analytics
- Comply with legal obligations (e-commerce, tax, e-invoice)
- Prevent abuse — duplicate responses, bots, spam (via hashed IP comparison)
- (With consent) Marketing communications and product news
6. Retention Period
We delete personal data without delay once the purpose for which it was collected is fulfilled. The following data is retained for the periods required by law.
| Category | Period | Legal basis |
|---|---|---|
| Owner account / workspace | Deleted immediately on account closure | User request |
| Response data (within an Owner’s surveys) | Until the Owner deletes the survey — at most the lifetime of the workspace | Owner decision |
| Respondent PII (email, phone, business number, etc.) | Same as response retention; deleted with the Owner’s response, or upon respondent request | User request |
| Email OTP | 10 minutes after issue, or immediately on verification | Security |
| Respondent IP (hashed) | Same as the corresponding response retention | Abuse prevention |
| Contracts and withdrawal records | 5 years | e-Commerce Act §6 |
| Payment and supply records | 5 years | e-Commerce Act §6 |
| Consumer complaints / disputes | 3 years | e-Commerce Act §6 |
| Access logs (IP, etc.) | 3 months | Communications Privacy Act §15-2 |
| Tax invoices | 5 years | Framework Act on National Taxes §85-3 |
Electronic records are permanently deleted using non-recoverable methods.
7. Sharing with Third Parties
We do not share personal information with third parties except in the following cases:
- You have given explicit, prior consent (e.g. enabling a Webhook or Google Sheets integration)
- Required by law or in response to a valid legal request from law enforcement
- Transmission to payment processors strictly necessary to charge you
Result-export integrations (Webhook, Google Sheets, Slack, STA) are enabled and disabled by the Workspace Owner; response data only flows out within the scope they authorize.
8. Processors & Sub-processors
We engage the following processors. All are bound by data-protection obligations under our processing agreements.
| Processor | Activity | Location |
|---|---|---|
| Supabase Inc. | Database, auth, storage, realtime sync | Republic of Korea (ap-northeast-2 Seoul) |
| Vercel Inc. | Web hosting and serverless functions | Global CDN (US · EU · APAC) |
| Google LLC (Gemini API) | AI features — survey generation, option generation, insight analysis | Google data centers (US, etc.) |
| TossPayments Corp. | Domestic card and bank-transfer processing | Republic of Korea |
| Stripe, Inc. | Card payments outside Korea | United States |
When response data is sent to an AI feature (for example result-insight analysis) it may be transmitted to an external model for processing. See the Gemini API data policy for details. We will update this Policy if we change processors or the scope of processing.
9. Your Rights
You may exercise the following rights at any time:
- Access — view the personal data we hold about you
- Rectification / Erasure — correct or delete data
- Restriction — limit specific processing (e.g. analytics, marketing)
- Withdrawal of consent — for optional processing
- Account deletion — from the Account menu in the Stats dashboard
- Data export — export response data in CSV, PDF, and other standard formats (Owners)
Send requests via the in-app tools or to privacy@sta-suite.com. After identity verification we will respond within 7 business days.
10. Response Export & Erasure
10.1 Workspace Owner rights
- Export: download response data from the results page as CSV or PDF (subject to plan limits).
- Erasure: deleting a survey permanently removes all responses (including PII) that belong to it.
- Workspace deletion: deleting a workspace immediately destroys all surveys and responses owned by it.
10.2 Respondent rights
Respondents may request deletion or correction of their submissions. Because Stats itself does not directly hold respondent identities (response PII is only collected via questions the Owner defines), we process such requests in one of two ways:
- Contact the Workspace Owner who runs the survey directly (fastest).
- Email
privacy@sta-suite.comwith information that lets us verify you (email used to respond, time of submission, etc.).
Responses that included an email-verification question can be authenticated using the verified email; once identity is confirmed we act without delay (within 7 business days).
10.3 Right to data portability
Requests for portability under GDPR or PIPA can be sent to privacy@sta-suite.com; we will provide the data in a machine-readable standard format (JSON or CSV).
11. EU/EEA Users (GDPR)
The following additional terms apply to users in the EU, EEA, and UK.
11.1 Lawful basis
- Performance of a contract (Art. 6(1)(b)) — account, service delivery, payments
- Consent (Art. 6(1)(a)) — survey response submission, optional integrations, marketing
- Legal obligation (Art. 6(1)(c)) — tax and accounting
- Legitimate interest (Art. 6(1)(f)) — abuse / bot prevention, security
11.2 International transfers
Our primary data location is the Republic of Korea (Supabase Seoul region). The European Commission has granted Korea an adequacy decision (December 2021), so EU→KR transfers require no additional safeguards. Transfers to other jurisdictions (Vercel, Stripe, Google in the US) rely on Standard Contractual Clauses or equivalent certifications.
11.3 Right to lodge a complaint
EU users may lodge a complaint with their national supervisory authority. A list is maintained by the European Data Protection Board: edpb.europa.eu.
12. Security Measures
- Encryption in transit — all communication uses HTTPS / TLS 1.2+
- Encryption at rest — passwords are one-way hashed (bcrypt class); respondent PII is stored in a separate AES-256-GCM-encrypted table
- Access control — Supabase Row-Level Security, principle of least privilege
- Audit logging — every PII decryption writes an audit-log entry
- Internal management — the smallest possible set of staff (operations team) processes personal data
- Physical security — provided by our cloud infrastructure (Supabase, Vercel) data-center standards
14. Children’s Information
Stats is not intended for children under 14. If you run a survey targeting minors, you (the Owner) must obtain verifiable consent from a legal guardian. If we become aware that an account or respondent is under 14 we will delete the account and related data immediately.
15. Data Protection Contact
| Contact | STA Team (privacy operations) |
|---|---|
| privacy@sta-suite.com | |
| General support | support@sta-suite.com |
Korean users may also contact:
- Korea Internet & Security Agency Privacy Center — privacy.kisa.or.kr · 118
- Personal Information Dispute Mediation Committee — kopico.go.kr · 1833-6972
- Korean National Police Cybercrime Bureau — ecrm.police.go.kr · 182
16. Changes to this Policy
When this Policy changes, we will notify you at least 7 days before the effective date (or 30 days for material changes) by email and on the web.
Revision history — v1.0 · 2026-05-24 initial release