Privacy Policy

Version v2.1 · Effective 2026-07-11 · Last updated 2026-07-11

This English translation is provided for convenience. The Korean original is the controlling text. If this translation conflicts with the Korean original, the Korean original prevails. View the Korean original.

encer (the "Company") complies with the Personal Information Protection Act and other applicable laws. The Company establishes and publishes this Privacy Policy to protect data subjects' personal information and promptly handle related concerns.

Article 1 (Personal Information We Process)

The Company processes the following personal information to provide the Service.

  • Required for registration: Email address and password (stored as a one-way hash).
  • Optional profile information: Display name, bio, profile image, and language preference.
  • Optional identity verification: When verification is requested, the handle of an external social-media account and submitted verification documents (deleted after the applicable retention period).
  • Automatically generated or collected: Access date and time, browser and device information, Service usage records, and cookies.
  • Consent-based web analytics (Google Analytics and first-party statistics): Paths of pages visited, page views and clicks, device and browser information, and cookie-based pseudonymous analytics identifiers that do not directly identify an individual.
  • Consent-based attribution analytics: Referring source and medium, pre-registered campaign and public-template identifiers, and referring-page identifiers (linked to an account upon registration).

Article 2 (Purposes of Processing Personal Information)

  1. Identifying and authenticating Members and providing the Service.
  2. Account security and administration, including password resets and email verification.
  3. Providing statistics about consenting visitors' page views and clicks only to the relevant Member and improving the Service.
  4. Preventing spam and abuse, including request rate limiting and bot protection.
  5. Responding to customer inquiries and handling disputes.
  6. Complying with legal obligations.

The Company does not use personal information for purposes other than those above. If a purpose changes, the Company will obtain separate consent as required by applicable law.

Article 3 (Processing and Retention Periods)

  • Member information, including email addresses and password hashes: Until account closure.
  • Access IP hashes: 90 days, after which they are automatically anonymized.
  • Login (refresh) token hashes: 30 days after issuance.
  • Address-search result cache: Up to 30 days to avoid repeated requests to the public geocoding service. Do not enter secret, sensitive, or confidential information in an address search.
  • Password-reset and email-verification tokens: Deleted within seven days after use or expiration.
  • Identity-verification documents: Deleted within 30 days after review is completed; metadata is retained separately.
  • Content such as guestbook entries, polls, and giveaways: Until deletion is requested by the Member or author.
  • Registration and activation attribution records: Up to 540 days or until the relevant Member closes their account. If the referring page is deleted, only the referring-page identifier is dissociated. A random pre-registration cookie identifier is retained for up to 30 days and deleted upon registration.
  • Records subject to statutory retention requirements: Retained for the applicable statutory period.
    • Contract and withdrawal records: Five years under the Electronic Commerce Act, when a Paid Service is used.
    • Payment and supply records: Five years under the Electronic Commerce Act, when a Paid Service is used.
    • Consumer complaint and dispute-resolution records: Three years under the Electronic Commerce Act.

Article 4 (Disclosure of Personal Information to Third Parties)

The Company processes personal information within the purposes stated in Article 2 and discloses it to a third party only where Article 17 or 18 of the Personal Information Protection Act applies, including where the data subject has consented or a specific provision of law permits disclosure. The Company currently makes no regular disclosure of personal information to third parties.

Article 5 (Service Providers Processing Personal Information)

The Company delegates the following personal-information processing tasks in order to provide the Service.

Service providerProcessing task
Google LLCWeb traffic analytics (Google Analytics)
Resend, Inc.Transactional and verification email delivery, including password resets and email verification
Cloudflare, Inc.Bot protection (Turnstile) and network security, when enabled
OpenStreetMap FoundationAddress geocoding and maps requested by the user
Kakao Corp.Kakao maps requested by the user

For providers with which the Company has a contractual processing relationship, it specifies safeguards as required by applicable law and the relevant agreement. Public APIs and map embeds are used under their published terms and privacy policies. The Company will disclose changes to providers or processing tasks through this Policy.

Article 6 (Cross-Border Transfers of Personal Information)

The service providers listed in Article 5 are located outside Korea, so some personal information may be processed abroad.

  • Recipients: Google LLC, Resend, Inc., and Cloudflare, Inc. (United States and other countries), and OpenStreetMap Foundation (United Kingdom and service-delivery locations).
  • Information transferred: Automatically collected and analytics information listed in Article 1, recipient email addresses required for email delivery, address-search terms, and technical request data when the user loads a map.
  • Purposes: Web analytics, transactional and verification email delivery, bot protection, address geocoding, and delivery of maps requested by the user.
  • Timing and method: Transferred from time to time over information and communications networks when the Service is used.
  • Retention and use period: As provided in each service provider's policy and until the relevant service purpose is fulfilled.

A data subject may refuse a cross-border transfer. Refusal may limit the relevant feature, such as analytics cookies, but will not prevent use of the core Service.

Article 7 (Data Subject Rights, Obligations, and How to Exercise Them)

  1. A data subject may at any time request access to, correction or deletion of, or suspension of processing of their personal information.
  2. Rights may be exercised through features within the Service or by contacting [email protected]. The Company will act without undue delay and within ten days where required by applicable law.
  3. A Member may request deletion of personal information by closing their account. Information required to prevent impersonation or to comply with statutory retention obligations will be stored separately for the periods in Article 3 and then deleted.
  4. A data subject must keep their personal information accurate and is responsible for disadvantages arising from inaccurate information they provide.

Article 8 (Personal Information Deletion Procedures and Methods)

  1. The Company deletes personal information without undue delay when it is no longer needed, including when its retention period expires or its processing purpose is fulfilled.
  2. Electronic files are permanently deleted by a method that prevents recovery or reconstruction. Paper documents are shredded or incinerated.
  3. Automatically collected information such as IP hashes is automatically anonymized or deleted when its retention period expires through scheduled cleanup jobs (cron).

Article 9 (Cookies and Other Automatic Collection Technologies)

The Company uses cookies needed to provide the Service, including authentication cookies (access_token and refresh_token) and the language cookie (lang), plus browser local storage for the active page choice (encer:activePageId). Only after the visitor gives separate consent, the Service loads a pseudonymous attribution cookie (encer_attribution), encer's Google Analytics, and any GA4 analytics configured by the page creator. Meta and TikTok advertising pixels are not executed until purpose-specific consent controls are available. The attribution cookie retains the first valid referral source for up to 30 days. Its random identifier is deleted upon registration, and the Company does not store email addresses, full source URLs, or search terms in that cookie. An external map connects to its provider only after the visitor selects the on-screen load-map control.

A data subject may reject analytics or withdraw consent at any time through the on-screen "Privacy choices" control, and may also refuse cookies through browser settings. Rejecting essential cookies may limit parts of the Service, including login. Analytics cookies can also be rejected with Google's Google Analytics Opt-out Browser Add-on. Rejecting analytics does not affect use of the core Service.

Article 10 (Measures to Safeguard Personal Information)

  • Passwords are stored as one-way bcrypt hashes and are never stored in plain text.
  • Login and recovery tokens are not stored in their original form and are stored only as SHA-256 hashes.
  • Service usage records are managed only to the extent necessary for security and abuse prevention.
  • HTTPS encryption is applied to all communications.
  • Access to systems that process personal information is limited to the minimum number of personnel necessary.
  • Data is backed up regularly to protect against loss.

Article 11 (Privacy Officer)

The Company designates a Privacy Officer to oversee personal-information processing and to handle data subjects' complaints and requests for relief.

Article 12 (Remedies for Infringement of Rights)

A data subject may contact the following Korean institutions for dispute resolution or advice concerning an infringement of personal information rights.

  • Personal Information Dispute Mediation Committee: 1833-6972 (no area code) / www.kopico.go.kr
  • Personal Information Infringement Report Center: 118 (no area code) / privacy.kisa.or.kr
  • Supreme Prosecutors' Office Cyber Investigation Division: 1301 (no area code) / www.spo.go.kr
  • Korean National Police Agency Cyber Bureau: 182 (no area code) / ecrm.police.go.kr

Article 13 (Children Under 14)

In principle, the Company does not accept registrations from children under 14. If the Company discovers that it has collected personal information from a child under 14, it will delete that information without undue delay.

Article 14 (Changes to this Policy)

This Policy applies from its effective date and may be supplemented, deleted, or amended in response to changes in law, policy, or security technology. The Company will announce important changes within the Service 30 days before they take effect. Where applicable law requires renewed consent for a material change, the Company will request it before relying on that change.

Privacy Policy | encer