Privacy Policy

Specnote (specnote.io, "the Service"), operated by Dannect, Inc. ("the Company"), establishes and publishes this Privacy Policy in accordance with Article 30 of the Korean Personal Information Protection Act (PIPA) to protect the personal information of data subjects and to address related grievances promptly.

The Service is an AI-powered scenario verification and test-automation service: it organizes the checks a user describes in natural language into test scenarios, verifies them by operating a real browser like a human, and provides a results report. In this process, the Service may automatically access and operate a third-party website designated by the user, using test-account credentials the user has registered.

This policy takes effect on July 8, 2026.

Article 1 — Personal information collected and collection methods

1. Required items

  • Sign-up: email address, name, password (stored only as a one-way hash (bcrypt); the actual password is not stored)
  • Social login (Google · GitHub): email address, profile name, profile image URL, social account identifier
  • Usage environment: country / currency (used to route payment)
  • Paid billing: card issuer name, last 4 digits of the card number, billing email, and the recurring-billing key (billing key) delivered by the payment processor (Toss Payments / Paddle). The billing key is stored encrypted with AES-256; the full card number and CVC (card security code) are not stored.
  • Scenario verification automation: third-party website addresses the user registers as verification targets, test-account credentials the user registers (IDs, passwords, etc. — stored encrypted), and the verification scenarios/steps the user creates
  • Auto-collected: access IP address, browser/device information (User-Agent), cookies, access and usage logs

2. Optional items

  • Marketing consent: opt-in to promotional information, notification settings
  • Organization info: company name, role (when subscribing to team/enterprise plans)

※ The Company does not collect date of birth. Whether a user is at least 14 years old is confirmed through an identity-verification step at sign-up (Article 12).

3. Collection methods

  • Direct input on sign-up and login forms
  • Direct input on screens for registering verification-target sites and test accounts
  • Automatically generated and collected during service usage
  • Payment information delivered through Toss Payments / Paddle at checkout
  • Email and contact-form submissions for customer inquiries

Article 2 — Purposes of collection and use

  • Member management: identification, identity verification, sign-up intent verification, abuse prevention, restriction of users under 14
  • Service delivery: organizing verification scenarios, running automated verification in a real browser, providing results reports, storing/syncing verification data, collaboration features
  • Paid billing: charging, identity verification, billing-key management, recurring billing, settlement, refunds
  • Notifications: terms changes, policy changes, service maintenance, billing-date prior notices
  • Customer support: receiving and handling inquiries (support via tools such as Channel Talk)
  • Marketing (separate consent): new-service announcements, event information, promotional information
  • Statistics and analysis: service quality improvement, new-feature development, statistical analysis (pseudonymized/anonymized)

Article 3 — Retention periods

We destroy personal information without delay once the collection/use purpose is achieved. However, the following are retained for the period prescribed by law:

  • Sign-up information: until member withdrawal (destroyed within 30 days after)
  • Test-account credentials registered by the user: until the user deletes them or withdraws membership (destroyed immediately at that point)
  • Contract/withdrawal records: 5 years (Korean E-Commerce Act §6)
  • Payment and supply records: 5 years (Korean E-Commerce Act §6)
  • Consumer complaints/disputes: 3 years (Korean E-Commerce Act §6)
  • Display/advertising records: 6 months (Korean E-Commerce Act §6)
  • Access logs/IP info: 3 months (Korean Communication Privacy Act §15-2)
  • Identity verification records: 6 months (Korean Information Communications Act §44-5)
  • Abuse records: 1 year (abuse-prevention purpose)

Article 4 — Third-party disclosure

We do not disclose personal information to third parties without prior consent from the data subject, except in the following cases:

  • Toss Payments Co., Ltd. / Paddle.com Market Limited: paid-billing processing, billing-key issuance, recurring billing — name, email, card details — for the period prescribed by the E-Commerce Act.

When there is a legal basis or a lawful request from an investigative authority, we may provide information without consent.

Article 5 — Processing entrustment

For smooth service delivery, we entrust personal information processing to the following parties:

  • Amazon Web Services, Inc. (AWS): cloud infrastructure hosting, email delivery (AWS SES), AI verification/analysis processing (AWS Bedrock) — until contract termination
  • Toss Payments Co., Ltd.: domestic payment processing and recurring-billing management — for the period prescribed by the E-Commerce Act
  • Paddle.com Market Limited: international payment processing (Merchant of Record) — for the period prescribed by the E-Commerce Act
  • Google LLC: usage-behavior analytics (Google Analytics 4) — until the analytics purpose is achieved
  • PostHog, Inc.: product-usage analytics — until the analytics purpose is achieved
  • Functional Software, Inc. (Sentry): error/exception log collection and monitoring — 90 days
  • Google LLC / GitHub, Inc.: social-login identity verification — at the time of authentication
  • Channel Corporation: operating the customer-support widget (Channel Talk), receiving and handling inquiries — no separate retention period beyond the support session (subject to Channel Talk's own policy). A domestic Korean entity (headquartered in Seoul), so this is not an international transfer.

Article 6 — International transfers

The Company transfers personal information overseas as follows (PIPA Article 28-8). Transfers occur via information and communications networks (network transmission) at the time of service use.

  • Google LLC (United States) — Items: access IP, device information, usage logs (Google Analytics 4) / Purpose: usage-behavior analytics / Retention: until the analytics purpose is achieved / Method: network transmission
  • PostHog, Inc. (United States) — Items: usage logs, device information / Purpose: product-usage analytics / Retention: until the analytics purpose is achieved / Method: network transmission
  • Amazon Web Services, Inc. (United States — AWS Bedrock, us-west-2) — Items: verification scenarios, user-input text, and other data needed for AI processing / Purpose: AI scenario verification and analysis / Retention: at the time of processing (not stored) / Method: network transmission
  • Paddle.com Market Limited (United Kingdom / EU) — Items: name, email, payment-related information / Purpose: international payment processing / Retention: for the period prescribed by the E-Commerce Act / Method: network transmission

※ AWS infrastructure hosting and email delivery (AWS SES) are processed in a domestic region (ap-northeast-2, Seoul). Data subjects may refuse the above international transfers; refusal may limit the use of the corresponding features (analytics, international payment, etc.).

Article 7 — Data subject rights and exercise method

Data subjects may exercise the following rights at any time:

  1. Request to inspect personal information
  2. Request to correct errors
  3. Request to delete
  4. Request to suspend processing
  5. Withdraw consent
  6. Right to data portability (PIPA §35-2)

Some information can be edited directly at "My Page → Account." Rights such as inspection, deletion, and suspension of processing can be requested by emailing the Data Protection Officer at privacy@specnote.io. We respond within 10 days.

Article 8 — Destruction procedure and method

  • Procedure: After the retention period, data is moved to a separate database and stored under internal policy for a defined period, then destroyed.
  • Method: Electronic files are permanently deleted in an unrecoverable manner (NIST SP 800-88 standard); paper documents are shredded or incinerated.

Article 9 — Cookies and opt-out

We use cookies to provide the Service and to analyze usage.

  • Essential cookies: login session, security (CSRF defense) — until session ends
  • Functional cookies: user settings (theme, language) — 1 year
  • Analytics cookies: service usage statistics via Google Analytics 4 and PostHog — until the analytics purpose is achieved
  • Support cookies: operating the Channel Talk customer-support widget — until the support session ends

In regions that require prior consent — such as the EU, the European Economic Area (EEA), and the United Kingdom — analytics cookies operate only after the user's consent; elsewhere they operate by default. Users may withdraw consent or block cookies at any time. Support cookies enable a feature the user directly requests (treated like essential/functional cookies) and are provided without a separate consent step; no marketing pop-ups are sent through this channel.

Cookie opt-out: cookies can be blocked in browser settings. Blocking essential cookies may limit some service features.

Article 10 — Security safeguards

  • Technical: one-way password hashing (bcrypt), TLS 1.3 in transit, billing keys encrypted with AES-256-GCM, test-account credentials protected with AWS KMS envelope encryption, encrypted backups
  • Administrative: minimized number of data-handling personnel, regular security training, separation of access privileges, access logs retained for at least 6 months
  • Physical: AWS data centers (ISO 27001 certified), office access control

Article 11 — Data Protection Officer and operator

  • Operator: Dannect, Inc. (CEO Wonyoung Choi)
  • Business registration number: 425-87-03610
  • Address: 3F, Room 304-92, 10 Chunghon-gil 52beon-gil, Chuncheon-si, Gangwon State, Republic of Korea (Onui-dong)
  • Phone: +82-70-7777-9433
  • Data Protection Officer: Wonyoung Choi (CEO) — privacy@specnote.io
  • Customer inquiries: support@specnote.io

Remedies for rights infringement (Korea):

  • Personal Information Dispute Mediation Committee (privacy.go.kr / 1833-6972)
  • Personal Information Infringement Reporting Center (privacy.go.kr / 118)
  • Supreme Prosecutor's Office Cyber Investigation (spo.go.kr / 1301)
  • Korean National Police Cyber Bureau (ecrm.cyber.go.kr / 182)

Article 12 — Personal information of children under 14

Only users aged 14 or older may register as members, and each user confirms that they are at least 14 years old at sign-up. The Company does not collect the personal information of children under 14. If an account is later identified as belonging to a child under 14, membership is terminated immediately and all collected personal information is destroyed.

Article 13 — Changes to this Privacy Policy

We will notify users via service announcements at least 7 days before any change takes effect, when content is added, removed, or modified due to law, policy, or security technology. When material changes to user rights are involved, we notify at least 30 days in advance.


  • Amended: July 1, 2026
  • Effective: July 8, 2026
  • Previous effective date: June 24, 2026