Privacy Policy
SI (에스아이, "siaisoft"; the "Company") operates prompts3 (prompts3.com; the "Service") and, in accordance with the Personal Information Protection Act of the Republic of Korea and other applicable laws, protects users' personal information and establishes and discloses this privacy policy as set out below.
1. Personal Information We Process
- Guest use — You can browse the catalog without creating an account. In the course of search, copying, prompt-run buttons, ad impression/click counting, rate limiting, and scraping prevention, we may process your IP address, user agent (UA), access time, request path, click/impression events, and a temporary visit key.
- Signed-in members (Apple/Google) — We process the account identifier from your login provider, email address, login provider type, and login session information. As service activity data, your nickname (required to use account features), profile photo, favorited items and notes, recent usage information, collections (topic-based save folders) — their names and saved items, and notification read/dismissed status are stored at the account level and synced across your devices.
- App push notifications — If you allow push notifications in the mobile app, we process your device push token (Android FCM token or iOS APNs token), platform type, and registration time. Tokens are used only to send notifications about account activity, such as image generation completed or rejected.
- Image generation requests, prompt builder, and chatbot — We process input prompts, conversation content, uploaded reference images, image descriptions, AI analysis results, request status (queued, generating, completed, rejected) and rejection reasons, and, if you opt in to attribution, your SNS platform and account handle.
- Email verification (OTP) and advertiser sign-up — Your email address, verification code issuance/expiry/usage status, verification attempt count, login sessions, IP address, and UA may be processed; if you set a password, a password hash and salt are stored.
- Advertiser accounts and ad operations — We may process your email, business name, business registration number, representative, business opening date, contact person's name and contact details, business verification status, ad creatives (title, description, sponsor name, prompt, link, images, video, i2i reference images and generated results), campaign settings, and impression/click performance.
- Payments — We process payment confirmation records such as the Toss Payments order ID, payment key, payment date, payment amount, payment method type, and refund status. Original payment instrument details such as card numbers are held by Toss Payments; the Company does not store them.
- Inquiries, reports, and rights requests — Information you provide directly, such as your email address, name or nickname, inquiry content, and documents verifying rights ownership, may be processed.
- Infrastructure logs — For service stability and security, technical information such as IP address, browser information, access time, and request path may remain in infrastructure logs such as Cloudflare's.
2. Purposes of Processing
- Providing catalog search, browsing, and copy features; storing account-based convenience features (favorites, recent usage, collections, notifications) and syncing them across devices; displaying activity under your nickname.
- Receiving, automatically screening, generating, and publishing image generation requests, and informing you of their progress (on-screen display and app push notifications).
- Assisting with prompt creation and editing, image analysis, duplicate checking, quality and rights review, attribution, and handling listing, edit, and deletion requests.
- Advertiser account management, business verification, ad creative review, ad delivery, payment confirmation, refund processing, settlement, and dispute handling.
- Ad impression/click statistics, rate limiting, prevention of fraudulent use, incident response, and security log analysis.
- Responding to inquiries, handling rights infringement reports, and processing requests for access, correction, deletion, and suspension of processing of personal information.
3. Retention and Use Period
- Member information (account, nickname, profile photo, favorites, collections, notification status) is retained until you withdraw membership (delete your account) and is deleted without delay when the account deletion is processed.
- Login sessions are maintained for up to 30 days by default and are deleted upon logout or account deletion.
- App push tokens are retained with an automatic expiry of up to 180 days from registration and are deleted immediately when you turn off notifications, log out, or delete your account. Invalid tokens that fail delivery are cleaned up at send time.
- Email OTPs expire after about 10 minutes; when a new code is issued or verification is completed, existing unused verification data is invalidated.
- Image generation request history (including status and rejection reasons) is retained for up to 180 days before expiring, and you can directly delete rejected/failed records on screen.
- User-submitted prompts, image review queues, and rate-limit keys expire within a range of several hours to several dozen days depending on the feature, or are retained for the period needed for administrator review, listing, or deletion processing.
- Prompts, images, attribution, and contributor nicknames published in the catalog are retained while the item remains public, and may be edited, unpublished, or deleted at a rights holder's request or by operational decision.
- In accordance with the Act on the Consumer Protection in Electronic Commerce, etc. of Korea and other applicable laws, records of contracts and subscription withdrawals (5 years), records of payment and supply of goods (5 years), and records of consumer complaints and dispute resolution (3 years), as well as access logs under the Protection of Communications Secrets Act (at least 3 months), are stored separately for the respective periods.
4. Automated Decisions (AI Screening)
- Image generation requests and certain submissions are first screened by an AI model for service quality and safety, and may be automatically queued for generation or rejected based on the result.
- If a request is automatically rejected, the reason is shown on screen (My Images) and via notification. You may request an explanation of an automated decision or a re-review (objection) at [email protected]; re-reviews are performed by an operator.
5. Outsourcing and Cross-Border Transfers
The Company outsources personal information processing to the vendors below to provide the Service. Some processors operate systems located outside Korea, so personal information may be processed (transferred and stored) overseas. If you do not wish your data to be transferred overseas, you may stop using the relevant features (login, push notifications, payments, AI-assisted features, etc.) or request account deletion; in that case, however, the provision of the related features will be limited.
| Processor | Outsourced work | Items transferred | Country / when & how | Retention and use period |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, database (D1), storage (R2), KV, security, AI inference (Workers AI) | Service-stored data in general, access logs | U.S. and other global edge locations / transmitted over the network when using the Service | Until the outsourcing contract ends or deletion is requested |
| Google LLC | Google Sign-In (OAuth), Gemini API (part of the chatbot), Firebase FCM (Android push) | Account identifier and email (login), conversation input (chat), push tokens | U.S. / transmitted over the network at login, chat, and notification delivery | Until the purpose is fulfilled (tokens up to 180 days) |
| Apple Inc. | Sign in with Apple (OAuth), APNs (iOS push) | Account identifier and email (login), push tokens | U.S. / transmitted over the network at login and notification delivery | Until the purpose is fulfilled (tokens up to 180 days) |
| OpenAI, L.L.C. and other AI processing paths | Prompt generation and refinement, image analysis and generation assistance, search intent analysis | Text you enter and uploaded images | U.S. / transmitted over the network when using the features | Until the response generation purpose is fulfilled (no separate storage on the Company's side) |
| Toss Payments Co., Ltd. | Ad payment processing | Order and payment confirmation information | Republic of Korea | Statutory periods under the E-Commerce Act and other laws |
| Resend, Inc. | Sending transactional email (OTP, etc.) | Email address, message content | U.S. / transmitted over the network at send time | Until the sending purpose is fulfilled |
- The Company does not sell or arbitrarily provide personal information to third parties, except where requested pursuant to law or where you have consented.
- If you click an ad link and move to an external site, that external site may process access information or personal data in accordance with its own policies.
6. Cookies, Automatic Collection, and Personalized Ads
- The Service may use cookies, local storage, temporary identifiers, and server logs for login sessions, OAuth state verification, security, visit counting, ad impression/click statistics, rate limiting, and scraping prevention.
- Some convenience data such as favorites, recent inputs, and screen state may remain in browser storage or the app's device storage; signed-in members' collections and notification status are stored in the account and synced across devices.
- Some ad slots without house ads may display Google AdSense ads. In that case, Google may collect and use behavioral information such as cookies to serve personalized ads; you can manage personalized ads in Google Ads Settings (adssettings.google.com) or refuse them by blocking cookies in your browser.
- You can delete stored information via browser settings, deleting the app, logging out, or deleting your account. Note, however, that login, security, and some convenience features may be limited as a result.
7. Children Under 14
- The Service's membership features are intended for users aged 14 or older, and as a rule the Company does not collect personal information from children under 14.
- If it is confirmed that a child under 14 has signed up without the consent of a legal guardian, the account and its personal information will be deleted without delay.
8. Destruction Procedure and Method
- Personal information is destroyed without delay when the retention period expires or the processing purpose has been fulfilled. Information that must be preserved under applicable laws is stored separately in a dedicated storage space and destroyed once the period expires.
- Electronic files are deleted in a non-recoverable manner, by deleting the corresponding records, objects, and keys in storage (D1, R2, KV). Data configured with automatic expiry (TTL) is deleted automatically when the period elapses.
9. Security Measures
- We implement technical and administrative safeguards such as encryption in transit across all segments (HTTPS/TLS), password storage with hash and salt, session token management, access control for administrator features, rate limiting and bot blocking, and security log reviews.
- Access to personal information is limited to the minimum number of personnel necessary for operations.
10. Your Rights and How to Exercise Them
- You may at any time request access to, correction of, deletion of, or suspension of processing of your personal information, and withdraw consent. Signed-in users can directly log out, change their nickname and profile photo, delete favorites, collections, notifications, and image request history, and delete their account from the support screen.
- Written requests are accepted at [email protected], and we may request the minimum information necessary to verify your identity or that of a legitimate representative. Accepted requests are processed within the statutory period (in principle, 10 days) and you will be informed of the outcome.
- Processing of some requests may be limited where retention is required by law or where necessary to protect other users' rights, respond to disputes, or prevent fraudulent use; in such cases, we will inform you of the reason.
- If you need counseling or wish to report a privacy infringement, you may contact Korea's Personal Information Infringement Report Center (privacy.kisa.or.kr / dial 118 without an area code), the Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972), or the Korean National Police Agency Cyber Investigation Bureau (ecrm.police.go.kr / 182).
11. Privacy Officer
- Privacy Officer (Personal Information Protection Officer): 정희수 (Jeong Heesoo, CEO of SI) / Contact: [email protected]
- Inquiries about personal information, complaint handling, and requests for access, correction, deletion, or suspension of processing submitted to the contact above will be answered and handled without delay.
12. Changes to This Policy
- This policy may be revised to reflect changes in applicable laws, service features, or processors. Important changes will be announced on the Service or on this page at least 7 days before the effective date (at least 30 days for material changes unfavorable to users).
- Revision history: revised 2026-06-08 (reflecting ads and payments), revised 2026-07-11 (reflecting push notifications, collection/notification sync, automated screening, cross-border transfer details, etc.).
Effective date (last revised): 2026-07-11