Version
privacy-2026-07-20
Effective date
2026-07-20
Policy change history

Privacy Policy

Gonggamgak (hereinafter “Company”) establishes and publicly discloses this privacy policy in order to protect the personal information of data subjects in accordance with Article 30 of the Personal Information Protection Act, and to promptly and smoothly handle grievances related to personal information processing.

Article 1 (Purposes of Processing Personal Information)

  1. Membership registration & account management: identity verification, social login linking, age verification, session management, prevention of fraudulent use
  2. Service provision: sheet music search, preview, purchase, viewing, download, audio playback, library, group, custom order, and customer support
  3. Contract and payment: orders, payments, credits, membership, refunds, receipts, and authority management
  4. AI functions: processing of inputs and attached files according to user consent, result generation, safety checks, usage limits and record management
  5. Service improvement and analysis: usage statistics, service usage flow, error and performance analysis based on user consent
  6. Legal obligations and safety: compliance with laws, security incident response, dispute handling, rights infringement and fraud prevention
  7. Marketing: provision of event and advertising information only when separate consent is obtained

Article 2 (Categories of Personal Information Processed and Collection Methods)

CategoryProcessing ItemsCollection Method
Social membership registration & loginName or nickname, email, profile image, OAuth provider and provider-specific identifierGoogle, Kakao, Naver, Apple or Meta OAuth
Administrator-issued credentialsUsername, one-way hash value of passwordIssued and processed only for accounts approved by the Company
Registration & account settingsPreferred language, confirmation of being 14 years of age or older and timestamp, agreement and withdrawal history for terms, privacy, AI processingUser input and service records
Order & paymentOrder number, product, amount, currency, country, payment method type, payment/cancellation/refund status, credit/membership detailsPayment/purchase process and PG company response
Service usagePurchase, viewing, download, group, custom order, inquiry records, search, UI interactions, error and security logsGenerated during service use
AI and creation toolsPrompt, conversation, uploaded images/files, generated results, model usage, safety processing recordsInput or generation when the user utilizes the function
Technical & analysis informationIP address, user agent, cookie/session identifiers, randomly generated analysis identifiers, internal identifiers for analysis of logged-in users, page path, service usage events, language settings, access timestampAutomatically collected during web/app use

Article 3 (Processing and Retention Period)

The Company shall destroy personal information without delay once the processing purpose has been achieved. However, the following information may be retained separately for periods required by law, dispute response, or fraud prevention.

InformationRetention Standard
Member account and profileUntil member withdrawal is completed. Upon completion, login sessions and service access are terminated immediately, and information required to be preserved by applicable laws is retained for the statutory period.
Contract, subscription withdrawal, payment, supply records5 years in accordance with the Act on Electronic Commerce
Consumer complaints or dispute handling records3 years in accordance with the Act on Electronic Commerce
Display & advertising records6 months in accordance with the Act on Electronic Commerce
Access logs3 months where required by the Act on Protection of Communications Secrets and related statutes
Active login sessionsUntil expiration or logout/withdrawal
AI profile, poster, Vision tool storage history90 days from creation or until the user deletes it directly
Personal data export file24 hours after creation
Consent, withdrawal, and security/audit recordsFor periods necessary for legal obligations and dispute/fraud response

Currently, member withdrawal immediately terminates service access and active sessions. Transaction, consent, and audit records may remain limitedly according to applicable laws and dispute response purposes, and physical deletion/anonymization of account and profile data follows a separate data lifecycle policy. Users can request view, export, or deletion via the ‘Personal Information & Data’ menu of their account.

Article 4 (Provision of Personal Information to Third Parties)

The Company does not provide users’ personal information to third parties in principle. It is provided only within the necessary scope when the data subject gives separate consent or when a special legal basis exists. Processing by external vendors related to payment, hosting, authentication, email, analytics, and AI functions may constitute personal information processing entrustment, third‑party provision, or overseas transfer depending on the actual contract and processing purpose; specific details are provided in the following articles and related items.

Article 5 (Processing Through External Vendors)

External VendorRelated Services
Toss Payments Co., Ltd.Domestic payment approval, settlement, cancellation, refund, and fraud prevention
PayPal, Inc.Approval, settlement, cancellation, refund, and fraud prevention for supported overseas payments
Cloudflare, Inc.CDN & web traffic delivery & security, Workers application execution, R2 object storage, consent‑based web usage statistics, AI Gateway mediation and Workers AI processing
Neon, Inc.PostgreSQL database hosting
Google LLCGoogle account login authentication and account linking
Google LLCGoogle Analytics 4 usage statistics analysis based on user consent
Google LLCProcessing of inputs and results for Gemini‑based AI functions selected by the user
Kakao Corp., NAVER Corp., Apple Inc., Meta Platforms, Inc.Social login authentication and account linking selected by the user
Anthropic PBCProcessing of Claude AI functions selected by the user
OpenAI, L.L.C.Processing of OpenAI AI functions selected by the user
Resend, Inc.Transaction, account, and service email delivery

Article 6 (Overseas Transfer of Personal Information)

The Company may transfer and store the following personal information abroad during service use. When the user utilizes the relevant function or when processing is required for contract performance, the transfer occurs continuously via TLS‑encrypted networks. The legal basis for each transfer is applied according to consent, contract formation/performance, or processing entrustment as stipulated in the Personal Information Protection Act Article 28‑8 and related statutes.

Recipient & ContactCountry/RegionTransferred ItemsPurpose of TransferTiming & MethodLegal BasisRetention & Use PeriodMethod of Refusal and Impact
Cloudflare, Inc. (privacyquestions@cloudflare.com)United States and Cloudflare’s global network operation regions. Processing and storage locations may vary according to the product used, account settings, and request pathAccount & service records, IP/device/analysis information, object files, information entered by users into AIHosting, security, storage, consent‑based analysis, AI mediationContinuous transfer & storage during service use, TLS transmissionContract performance and processing entrustmentDomestic retention periods per item or periods according to contract/product settingsOptional analysis & AI can be refused by withdrawing consent, but the function will be limited. Refusing essential hosting makes service provision difficult.
Neon, Inc. (privacy@neon.tech)Singapore (AWS ap-southeast-1)Member, transaction, consent, service usage recordsPostgreSQL database storageContinuous transfer & storage during service use, TLS transmissionContract performance and processing entrustmentDomestic retention periods per item or until the entrustment contract endsRefusing essential storage processing makes account‑based service provision difficult.
Google LLC (googlekrsupport@google.com)United States and other Google processing regionsOAuth identification information, analysis identifiers & events, or AI input, attachment, outputOAuth authentication, consent‑based GA4 analysis, selected Gemini functionsTLS transmission when the function is usedConsent per function or contract performancePeriod required for authentication, analysis, and function provision and according to Google policiesEach selected function can be not used or consent withdrawn, resulting in limitation of that function.
Apple Inc., Meta Platforms, Inc.United States and each provider’s processing regionsProvider identifiers, name, email, profile informationSelected OAuth authentication and account linkingTLS transmission at login & linkingContract performancePeriod until account unlinking/withdrawal or as per provider policiesUser may choose not to select that login method, and the authentication method will be unavailable.
PayPal, Inc. (privacy@paypal.com)United States and other PayPal processing regionsPayer identification information, order number, amount, currency, payment/cancellation/refund statusOverseas payment processing selected by the userTLS transmission at payment requestContract performanceRetention period under the Electronic Commerce Act and PayPal policiesUser may opt not to select overseas payment; the payment method will be unavailable.
Anthropic PBC (privacy@anthropic.com)United StatesAI input, output, and safety processing informationClaude function selected by the userTLS transmission when the function is usedOptional AI processing consentPeriod required for function provision and according to Anthropic contract & policiesUser may not use the AI function or withdraw consent, resulting in limitation of that function.
OpenAI, L.L.C. (privacy@openai.com)United StatesAI input, output, and safety processing informationOpenAI function selected by the userTLS transmission when the function is usedOptional AI processing consentPeriod required for function provision and according to OpenAI contract & policiesUser may not use the AI function or withdraw consent, resulting in limitation of that function.
Resend, Inc. (privacy@resend.com)United StatesRecipient email, name, message and transmission recordsTransaction, account, and service email deliveryTLS transmission at sendingContract performance and processing entrustmentPeriod required for sending and incident response and according to Resend contract & policiesRefusing essential transaction/account email processing may make related service provision difficult.

Users may refuse overseas transfer by not using optional AI functions, optional analytics, or overseas payments, or by withdrawing related consent. Refusing processing necessary for login authentication, hosting, database, or essential email sending may make related functions or services difficult to provide. Inquiries and member withdrawal requests are received via the ‘Personal Information & Data’ menu of the account or at support@sheetmusic.kr.

Article 7 (Personal Information Processing in AI Functions)

  1. AI functions process text, image, file inputs entered directly by the user and generated results for the purposes of function provision, safety checks, error response, and usage limit management.
  2. Users must not input sensitive information, resident registration numbers, or other uniquely identifying information under the Korean Personal Information Protection Act, nor any other person’s private personal information without lawful authority, into AI functions.
  3. The service does not use users’ AI inputs or outputs as training data for its own general models. The Company uses external AI providers’ APIs or enterprise settings, and where supported, configures them so that inputs and outputs are not used for the provider’s general model training. Retention periods and safety review methods vary by provider, model, and contract terms.
  4. Consent for AI processing can be withdrawn at any time in the ‘Personal Information & Data’ section of the account. Withdrawal does not affect the legality of prior processing, but AI functions will be limited thereafter.
  5. Improper AI results or personal information related objections can be reported to support@sheetmusic.kr.

Article 8 (Behavioral Information and Cookies·Local Storage)

  1. The service uses cookies and browser local·session storage to maintain login, security, language settings, shopping cart, and function states.
  2. Google Analytics 4 may process randomly generated analysis identifiers, internal identifiers for analysis of logged-in users, page paths, service usage events, language settings, device·browser information, and access timestamps when the user has given consent.
  3. Cloudflare Web Analytics and service performance analysis functions may process page request, device·browser, and network‑related information; actual identification methods and retention scopes follow the applied product settings.
  4. Analysis consent can be refused or withdrawn via the banner or the ‘Personal Information & Data’ section of the account. Refusal does not prevent use of core services.
  5. Cookies can be blocked in browser settings, but blocking essential cookies may cause login, payment, and other functions to malfunction.

Article 9 (Rights of Data Subjects and Legal Representatives)

  1. Data subjects may request access, correction·deletion, suspension of processing, and withdrawal of consent to the extent permitted by applicable law. They may also obtain a copy of their personal data via the Company’s data export function.
  2. Requests can be made through the ‘Personal Information & Data’ menu, email, or phone; the Company will verify the identity of the requester or legitimate representative and process the request in accordance with applicable law.
  3. If legal preservation obligations exist or there is a risk of infringing another’s rights, some requests may be limited, and the reasons will be communicated.
  4. The service does not allow membership registration for children under 14 years of age. If the Company becomes aware that a child under 14 has registered, it will verify age, restrict account use, and delete personal information as necessary. However, information that must be retained by law may be kept separately for the required period.

Article 10 (Destruction of Personal Information)

  1. Information whose retention period has expired or whose processing purpose has been achieved shall be destroyed without delay.
  2. Information required to be retained by law shall be stored with restricted access so that it is not used for other purposes, and destroyed after the retention period ends.
  3. Electronic files containing personal information shall be deleted or anonymized using secure methods that make recovery or reconstruction difficult.

Article 11 (Safety Measures)

  1. Administrative measures: limit personnel who can access personal information to the necessary scope and manage related work procedures and protection standards.
  2. Technical measures: access rights management, authentication and access control, TLS encryption for transmission, separation and secure storage of critical information, and vulnerability checks.
  3. Physical measures: apply physical security and access control of the cloud and data center providers used by the Company.
  4. Incident response measures: security incident detection, log inspection, backup·recovery, and operation of incident assessment·response procedures.

Article 12 (Personal Information Protection Officer and Rights Request Reception)

Personal Information Protection Officer: Jo Chang-hyun (CEO)

Email: support@sheetmusic.kr

Phone: 070-4617-6352

Article 13 (Remedies for Rights Violations)

  1. Personal Information Infringement Reporting Center: 118, privacy.kisa.or.kr
  2. Personal Information Dispute Mediation Committee: 1833-6972, www.kopico.go.kr
  3. Supreme Prosecutors’ Office: 1301, www.spo.go.kr
  4. National Police Agency: 182, ecrm.police.go.kr

Article 14 (Changes to the Processing Policy)

When the processing policy is changed, the effective date and major changes will be disclosed in the service and policy change history. Changes that significantly affect the rights or obligations of data subjects will be separately notified in advance in accordance with the period prescribed by law or a reasonable period.

Supplementary provisions

This privacy policy is effective from July 20, 2026.

Company name: Gonggamgak | CEO: Jo Chang-hyun

Business registration number: 872-49-00248 | Mail-order Business Report: No. 2021-Goyang-Deokyang-gu-1669

Address: 403, 27 Hwajeong-ro, Deokyang-gu, Goyang-si, Gyeonggi-do (Hwajeong-dong)

Phone: 070-4617-6352 | Email: support@sheetmusic.kr