Privacy Policy
Gonggamgak (hereinafter “Company”) establishes and publicly discloses this privacy policy in order to protect the personal information of data subjects in accordance with Article 30 of the Personal Information Protection Act, and to promptly and smoothly handle grievances related to personal information processing.
Article 1 (Purposes of Processing Personal Information)
- Membership registration & account management: identity verification, social login linking, age verification, session management, prevention of fraudulent use
- Service provision: sheet music search, preview, purchase, viewing, download, audio playback, library, group, custom order, and customer support
- Contract and payment: orders, payments, credits, membership, refunds, receipts, and authority management
- AI functions: processing of inputs and attached files according to user consent, result generation, safety checks, usage limits and record management
- Service improvement and analysis: usage statistics, service usage flow, error and performance analysis based on user consent
- Legal obligations and safety: compliance with laws, security incident response, dispute handling, rights infringement and fraud prevention
- Marketing: provision of event and advertising information only when separate consent is obtained
Article 2 (Categories of Personal Information Processed and Collection Methods)
| Category | Processing Items | Collection Method |
|---|---|---|
| Social membership registration & login | Name or nickname, email, profile image, OAuth provider and provider-specific identifier | Google, Kakao, Naver, Apple or Meta OAuth |
| Administrator-issued credentials | Username, one-way hash value of password | Issued and processed only for accounts approved by the Company |
| Registration & account settings | Preferred language, confirmation of being 14 years of age or older and timestamp, agreement and withdrawal history for terms, privacy, AI processing | User input and service records |
| Order & payment | Order number, product, amount, currency, country, payment method type, payment/cancellation/refund status, credit/membership details | Payment/purchase process and PG company response |
| Service usage | Purchase, viewing, download, group, custom order, inquiry records, search, UI interactions, error and security logs | Generated during service use |
| AI and creation tools | Prompt, conversation, uploaded images/files, generated results, model usage, safety processing records | Input or generation when the user utilizes the function |
| Technical & analysis information | IP address, user agent, cookie/session identifiers, randomly generated analysis identifiers, internal identifiers for analysis of logged-in users, page path, service usage events, language settings, access timestamp | Automatically collected during web/app use |
Article 3 (Processing and Retention Period)
The Company shall destroy personal information without delay once the processing purpose has been achieved. However, the following information may be retained separately for periods required by law, dispute response, or fraud prevention.
| Information | Retention Standard |
|---|---|
| Member account and profile | Until member withdrawal is completed. Upon completion, login sessions and service access are terminated immediately, and information required to be preserved by applicable laws is retained for the statutory period. |
| Contract, subscription withdrawal, payment, supply records | 5 years in accordance with the Act on Electronic Commerce |
| Consumer complaints or dispute handling records | 3 years in accordance with the Act on Electronic Commerce |
| Display & advertising records | 6 months in accordance with the Act on Electronic Commerce |
| Access logs | 3 months where required by the Act on Protection of Communications Secrets and related statutes |
| Active login sessions | Until expiration or logout/withdrawal |
| AI profile, poster, Vision tool storage history | 90 days from creation or until the user deletes it directly |
| Personal data export file | 24 hours after creation |
| Consent, withdrawal, and security/audit records | For periods necessary for legal obligations and dispute/fraud response |
Currently, member withdrawal immediately terminates service access and active sessions. Transaction, consent, and audit records may remain limitedly according to applicable laws and dispute response purposes, and physical deletion/anonymization of account and profile data follows a separate data lifecycle policy. Users can request view, export, or deletion via the ‘Personal Information & Data’ menu of their account.
Article 4 (Provision of Personal Information to Third Parties)
The Company does not provide users’ personal information to third parties in principle. It is provided only within the necessary scope when the data subject gives separate consent or when a special legal basis exists. Processing by external vendors related to payment, hosting, authentication, email, analytics, and AI functions may constitute personal information processing entrustment, third‑party provision, or overseas transfer depending on the actual contract and processing purpose; specific details are provided in the following articles and related items.
Article 5 (Processing Through External Vendors)
| External Vendor | Related Services |
|---|---|
| Toss Payments Co., Ltd. | Domestic payment approval, settlement, cancellation, refund, and fraud prevention |
| PayPal, Inc. | Approval, settlement, cancellation, refund, and fraud prevention for supported overseas payments |
| Cloudflare, Inc. | CDN & web traffic delivery & security, Workers application execution, R2 object storage, consent‑based web usage statistics, AI Gateway mediation and Workers AI processing |
| Neon, Inc. | PostgreSQL database hosting |
| Google LLC | Google account login authentication and account linking |
| Google LLC | Google Analytics 4 usage statistics analysis based on user consent |
| Google LLC | Processing of inputs and results for Gemini‑based AI functions selected by the user |
| Kakao Corp., NAVER Corp., Apple Inc., Meta Platforms, Inc. | Social login authentication and account linking selected by the user |
| Anthropic PBC | Processing of Claude AI functions selected by the user |
| OpenAI, L.L.C. | Processing of OpenAI AI functions selected by the user |
| Resend, Inc. | Transaction, account, and service email delivery |
Article 6 (Overseas Transfer of Personal Information)
The Company may transfer and store the following personal information abroad during service use. When the user utilizes the relevant function or when processing is required for contract performance, the transfer occurs continuously via TLS‑encrypted networks. The legal basis for each transfer is applied according to consent, contract formation/performance, or processing entrustment as stipulated in the Personal Information Protection Act Article 28‑8 and related statutes.
| Recipient & Contact | Country/Region | Transferred Items | Purpose of Transfer | Timing & Method | Legal Basis | Retention & Use Period | Method of Refusal and Impact |
|---|---|---|---|---|---|---|---|
| Cloudflare, Inc. (privacyquestions@cloudflare.com) | United States and Cloudflare’s global network operation regions. Processing and storage locations may vary according to the product used, account settings, and request path | Account & service records, IP/device/analysis information, object files, information entered by users into AI | Hosting, security, storage, consent‑based analysis, AI mediation | Continuous transfer & storage during service use, TLS transmission | Contract performance and processing entrustment | Domestic retention periods per item or periods according to contract/product settings | Optional analysis & AI can be refused by withdrawing consent, but the function will be limited. Refusing essential hosting makes service provision difficult. |
| Neon, Inc. (privacy@neon.tech) | Singapore (AWS ap-southeast-1) | Member, transaction, consent, service usage records | PostgreSQL database storage | Continuous transfer & storage during service use, TLS transmission | Contract performance and processing entrustment | Domestic retention periods per item or until the entrustment contract ends | Refusing essential storage processing makes account‑based service provision difficult. |
| Google LLC (googlekrsupport@google.com) | United States and other Google processing regions | OAuth identification information, analysis identifiers & events, or AI input, attachment, output | OAuth authentication, consent‑based GA4 analysis, selected Gemini functions | TLS transmission when the function is used | Consent per function or contract performance | Period required for authentication, analysis, and function provision and according to Google policies | Each selected function can be not used or consent withdrawn, resulting in limitation of that function. |
| Apple Inc., Meta Platforms, Inc. | United States and each provider’s processing regions | Provider identifiers, name, email, profile information | Selected OAuth authentication and account linking | TLS transmission at login & linking | Contract performance | Period until account unlinking/withdrawal or as per provider policies | User may choose not to select that login method, and the authentication method will be unavailable. |
| PayPal, Inc. (privacy@paypal.com) | United States and other PayPal processing regions | Payer identification information, order number, amount, currency, payment/cancellation/refund status | Overseas payment processing selected by the user | TLS transmission at payment request | Contract performance | Retention period under the Electronic Commerce Act and PayPal policies | User may opt not to select overseas payment; the payment method will be unavailable. |
| Anthropic PBC (privacy@anthropic.com) | United States | AI input, output, and safety processing information | Claude function selected by the user | TLS transmission when the function is used | Optional AI processing consent | Period required for function provision and according to Anthropic contract & policies | User may not use the AI function or withdraw consent, resulting in limitation of that function. |
| OpenAI, L.L.C. (privacy@openai.com) | United States | AI input, output, and safety processing information | OpenAI function selected by the user | TLS transmission when the function is used | Optional AI processing consent | Period required for function provision and according to OpenAI contract & policies | User may not use the AI function or withdraw consent, resulting in limitation of that function. |
| Resend, Inc. (privacy@resend.com) | United States | Recipient email, name, message and transmission records | Transaction, account, and service email delivery | TLS transmission at sending | Contract performance and processing entrustment | Period required for sending and incident response and according to Resend contract & policies | Refusing essential transaction/account email processing may make related service provision difficult. |
Users may refuse overseas transfer by not using optional AI functions, optional analytics, or overseas payments, or by withdrawing related consent. Refusing processing necessary for login authentication, hosting, database, or essential email sending may make related functions or services difficult to provide. Inquiries and member withdrawal requests are received via the ‘Personal Information & Data’ menu of the account or at support@sheetmusic.kr.
Article 7 (Personal Information Processing in AI Functions)
- AI functions process text, image, file inputs entered directly by the user and generated results for the purposes of function provision, safety checks, error response, and usage limit management.
- Users must not input sensitive information, resident registration numbers, or other uniquely identifying information under the Korean Personal Information Protection Act, nor any other person’s private personal information without lawful authority, into AI functions.
- The service does not use users’ AI inputs or outputs as training data for its own general models. The Company uses external AI providers’ APIs or enterprise settings, and where supported, configures them so that inputs and outputs are not used for the provider’s general model training. Retention periods and safety review methods vary by provider, model, and contract terms.
- Consent for AI processing can be withdrawn at any time in the ‘Personal Information & Data’ section of the account. Withdrawal does not affect the legality of prior processing, but AI functions will be limited thereafter.
- Improper AI results or personal information related objections can be reported to support@sheetmusic.kr.
Article 8 (Behavioral Information and Cookies·Local Storage)
- The service uses cookies and browser local·session storage to maintain login, security, language settings, shopping cart, and function states.
- Google Analytics 4 may process randomly generated analysis identifiers, internal identifiers for analysis of logged-in users, page paths, service usage events, language settings, device·browser information, and access timestamps when the user has given consent.
- Cloudflare Web Analytics and service performance analysis functions may process page request, device·browser, and network‑related information; actual identification methods and retention scopes follow the applied product settings.
- Analysis consent can be refused or withdrawn via the banner or the ‘Personal Information & Data’ section of the account. Refusal does not prevent use of core services.
- Cookies can be blocked in browser settings, but blocking essential cookies may cause login, payment, and other functions to malfunction.
Article 9 (Rights of Data Subjects and Legal Representatives)
- Data subjects may request access, correction·deletion, suspension of processing, and withdrawal of consent to the extent permitted by applicable law. They may also obtain a copy of their personal data via the Company’s data export function.
- Requests can be made through the ‘Personal Information & Data’ menu, email, or phone; the Company will verify the identity of the requester or legitimate representative and process the request in accordance with applicable law.
- If legal preservation obligations exist or there is a risk of infringing another’s rights, some requests may be limited, and the reasons will be communicated.
- The service does not allow membership registration for children under 14 years of age. If the Company becomes aware that a child under 14 has registered, it will verify age, restrict account use, and delete personal information as necessary. However, information that must be retained by law may be kept separately for the required period.
Article 10 (Destruction of Personal Information)
- Information whose retention period has expired or whose processing purpose has been achieved shall be destroyed without delay.
- Information required to be retained by law shall be stored with restricted access so that it is not used for other purposes, and destroyed after the retention period ends.
- Electronic files containing personal information shall be deleted or anonymized using secure methods that make recovery or reconstruction difficult.
Article 11 (Safety Measures)
- Administrative measures: limit personnel who can access personal information to the necessary scope and manage related work procedures and protection standards.
- Technical measures: access rights management, authentication and access control, TLS encryption for transmission, separation and secure storage of critical information, and vulnerability checks.
- Physical measures: apply physical security and access control of the cloud and data center providers used by the Company.
- Incident response measures: security incident detection, log inspection, backup·recovery, and operation of incident assessment·response procedures.
Article 12 (Personal Information Protection Officer and Rights Request Reception)
Personal Information Protection Officer: Jo Chang-hyun (CEO)
Email: support@sheetmusic.kr
Phone: 070-4617-6352
Article 13 (Remedies for Rights Violations)
- Personal Information Infringement Reporting Center: 118, privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: 1833-6972, www.kopico.go.kr
- Supreme Prosecutors’ Office: 1301, www.spo.go.kr
- National Police Agency: 182, ecrm.police.go.kr
Article 14 (Changes to the Processing Policy)
When the processing policy is changed, the effective date and major changes will be disclosed in the service and policy change history. Changes that significantly affect the rights or obligations of data subjects will be separately notified in advance in accordance with the period prescribed by law or a reasonable period.
Supplementary provisions
This privacy policy is effective from July 20, 2026.