Privacy Policy

EN · 한국어

VirtualFlow, Inc. (“Company”) takes the privacy of users of the BrewYourCode service (“Service”) seriously. This Policy is published in accordance with the Republic of Korea’s Personal Information Protection Act (PIPA) and related laws.

Article 1. Categories of Personal Information Collected and Methods of Collection

1. Categories collected

(a) Account creation and authentication

• Identifiers (the OAuth sub ID) and email address provided by Google OAuth or GitHub OAuth.
• An internally generated cloud user ID.
• The Company does not collect or store additional fields included in OAuth responses, such as display name or profile picture (privacy minimization).

(b) User-set display name (optional)

• Used for content attribution such as the “by <name>” label inside the Service.
• The User may enter, change, or remove it at any time from the Options screen. When unset, the cloud user ID is shown instead.
• An operator (admin) may amend the display name when separately requested or required by law; in that case, the User is notified before or after the change.

(c) Use of the Service

• Cloud-synced content assets (prop / world / project metadata, etc.).
• Service usage logs (API call timestamps, error logs, access IP).

(d) Automatic collection (optional)

• Device information for service stability (operating system, app version).
• Cookies / local storage (for session continuity).

2. Information explicitly NOT collected

• External AI API keys (Anthropic, Google Gemini, etc.) — stored only on the User’s device; not transmitted to the Company.
• Project content stored only locally — projects that have not been synced to the cloud remain on the User’s device only.

3. Methods of collection

• Received from OAuth providers with the User’s consent during sign-up / sign-in.
• Generated and collected automatically while using the Service.

Article 2. Purposes of Processing

Personal information is processed only for the following purposes; any change of purpose is subject to separate consent.

1. Member identification and authentication.
2. Cloud asset sync and download.
3. Public sharing of a project at the User’s request via a time-limited public link (the “Share” feature). Content the User chooses to share is uploaded to public cloud storage and is accessible by anyone who has the link for the duration of the share.
4. Service operation, improvement, incident response, and security.
5. Customer support and inquiry handling.
6. Fulfilling statutory obligations (e.g., the Act on the Consumer Protection in Electronic Commerce).

Article 3. Retention and Use Periods

Personal information is destroyed without delay once the purpose of collection and use is achieved, except where applicable law requires retention for a defined period.

Item	Retention period	Basis
Member identification info (email, sub ID, etc.)	Until account withdrawal	User consent
Consumer complaints / dispute records	3 years	Act on the Consumer Protection in Electronic Commerce
Access logs (IP, etc.)	3 months	Protection of Communications Secrets Act
Cloud-synced assets	Until account withdrawal or User-initiated deletion	User consent
Shared content (Share feature: project data + assets on public storage)	Public for the share window (7 days during beta), then deleted; deleted immediately when the User stops sharing. The window/policy may change after beta.	User consent

Items no longer subject to a statutory retention obligation at the time of withdrawal are destroyed immediately.

Article 4. Provision of Personal Information to Third Parties

The Company does not provide personal information to third parties, except:

1. where the User has consented in advance; or
2. where investigative authorities or other government agencies make a lawful request under applicable law.

Article 5. Outsourcing of Personal Information Processing

The Company outsources processing of personal information to the following providers in order to deliver the Service.

Processor	Outsourced activities	Information processed	Period
Google LLC (Cloud Storage)	Storage of content assets	User-ID-based file paths, asset binaries	Until account withdrawal or User-initiated deletion
Google LLC (OAuth)	Member authentication	Profile fields within consent scope	Validity period of the authentication token
GitHub, Inc. (OAuth, optional)	Member authentication (when GitHub login is chosen)	Profile fields within consent scope	Validity period of the authentication token

The Company has entered into outsourcing contracts with each processor that include data-protection obligations.

Article 6. Overseas Transfer of Personal Information

The Company transfers certain personal information overseas as follows.

Recipient	Country	Transfer timing & method	Items	Period
Google LLC	United States (subject to Cloud Storage region)	HTTPS API on asset sync	User ID, asset binaries	Until account withdrawal or User-initiated deletion
Google LLC	United States	HTTPS API on OAuth authentication	User identifier, profile within consent scope	Validity period of the authentication token

By agreeing to this Policy, the User is deemed to consent to the overseas transfer above. The User may decline consent; in that case, certain features such as cloud sync may be limited.

Article 7. User-Owned API Keys and External AI Services

The User may register their own external AI API keys (Anthropic Claude, Google Gemini, etc.) with the Service.

1. API keys are stored only on the User’s device (local storage); they are not transmitted to or kept on the Company’s servers.
2. Prompts and content the User sends to external AI services are transmitted directly from the User’s device to the external provider, without passing through the Company.
3. External AI services handle personal information according to their own policies. The Company is not responsible for those providers’ data processing.

Article 8. Rights of the Data Subject and How to Exercise Them

The User may exercise the following rights with respect to their personal information processed by the Company:

1. Request access to personal information.
2. Request correction or deletion of personal information.
3. Request suspension of processing of personal information.
4. Withdraw consent to processing — withdrawal results in account termination.

Requests can be made in writing, by phone, or by email to the contact set out in Article 12, and the Company will act without delay. The Company may request additional information to verify identity.

Article 9. Procedure and Method of Destruction

Personal information is destroyed without delay once the purpose of processing has been achieved or the retention period has expired.

• Electronic files: permanently deleted by means that prevent recovery or reproduction.
• Paper documents (where applicable): shredded or incinerated.

Article 10. Measures to Ensure Security

The Company takes the following measures pursuant to Article 29 of PIPA:

1. Administrative: minimization of access rights for personnel handling personal information, periodic training.
2. Technical: HTTPS in transit, hashing / encryption of secrets such as passwords and API keys, operation of access-control systems.
3. Physical: access control of the data centers operated by processors.
4. Local data: content and API keys stored on the User’s device follow the security features of the User’s operating system.

Article 11. Operation of Automatic Collection Devices and How to Opt Out

The Company uses cookies and local storage to provide a convenient experience.

• Purpose: maintaining the login session and preserving user options (language, UI settings).
• Items collected: session identifier, user preference values.
• Opting out: cookies and local storage can be blocked in browser or app settings. Some features (e.g., auto sign-in) may be limited as a result.

Article 12. Personal Information Protection Officer and Contact

The Company designates a Personal Information Protection Officer responsible for the overall handling of personal information and for addressing complaints and remedies for users.

• Contact: info@virtualflowinc.com
• Operator: VirtualFlow, Inc.

Users may report complaints, inquiries, or requests for remedy concerning personal information processing to the above contact. The Company will respond without delay.

Article 13. Remedies for Infringement of Rights

For reports or consultations regarding infringement of personal information (Korea), the following authorities may be contacted:

Authority	Phone	Website
Personal Information Dispute Mediation Committee	1833-6972	kopico.go.kr
Korea Internet & Security Agency — Privacy Center	118	privacy.kisa.or.kr
Supreme Prosecutors’ Office — Cyber Investigation Division	1301	spo.go.kr
National Police Agency — Cyber Bureau	182	ecrm.police.go.kr

Article 14. Amendments to this Policy

This Policy may be amended in line with applicable laws or changes to the Service. Amendments are announced through the Service at least 7 days before the effective date (30 days for changes unfavorable to Users).