PRIVACY POLICY

Privacy Policy

Effective: March 1, 2026 | Last Updated: July 4, 2026

(주)모티브이노베이션 (Republic of Korea) and MOTIVE Global, Inc. (Delaware, United States) (collectively, the "Company," "we," "us," or "our") are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Whistle AI platform ("Service").

This policy is designed to comply with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

Data Controller — Responsible Entity by User Location

User / Transaction TypeResponsible EntityApplicable Law
Users based in the Republic of Korea; KRW-denominated subscriptions(주)모티브이노베이션
3F #307, 28 Nonhyeon-ro 98-gil, Gangnam-gu, Seoul, Republic of Korea
Korean PIPA, E-Commerce Consumer Protection Act
Users outside Korea; USD/foreign-currency payments via StripeMOTIVE Global, Inc.
Delaware C-Corp, United States
U.S. state law (Delaware); GDPR where applicable; CCPA for California residents
AI analysis, shared platform infrastructure, data securityBoth entities jointlyGDPR Art. 26 joint-controller arrangement; PIPA Art. 26 joint processing

For GDPR purposes, (주)모티브이노베이션 is the lead controller for Korean-law obligations and MOTIVE Global, Inc. is the lead controller for EU/EEA GDPR obligations. A joint-controller agreement (GDPR Art. 26) governs the allocation of responsibilities between the two entities. You may contact either entity to exercise your rights; each will coordinate to fulfill your request.

1. Information We Collect

1.1 Information You Provide

CategoryData CollectedPurpose
Account (Required)Email address, password (encrypted)Account creation, authentication, service access
Manufacturer Profile (Optional)Company name, representative name, phone number, address, business registration number, product information, bank account detailsExport service delivery, document generation, buyer matching
Buyer Profile (Optional)Company name, contact person, country, phone number, interest categoriesBuyer profile setup, product matching
Payment InformationPayment card details (stored by Stripe), transaction recordsPayment processing, refund handling

1.2 Information Collected Automatically

DataPurpose
IP addressSecurity, fraud prevention, analytics
Browser type and versionService optimization, compatibility
Service usage logsUsage analytics, service improvement
Access timestampsSecurity monitoring, abuse prevention
Device informationService optimization, troubleshooting

1.3 Collection Methods

2. How We Use Your Information

  1. Service Delivery: AI export analysis, buyer matching, export document generation, communication tools, logistics tracking, and related core platform features
  2. Account Management: Identity verification, account maintenance, notifications, and customer support
  3. Payment Processing: Subscription billing, per-use charges, auto-renewal, and refund processing
  4. Service Improvement: New feature development, usage analytics, performance optimization, and quality assurance
  5. Marketing: Event and promotional communications (only with your separate, explicit consent)
  6. Legal Compliance: Fulfillment of obligations under applicable laws and regulations
  7. Security: Fraud detection, abuse prevention, and platform security

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

4. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy. When the purpose of collection is fulfilled, we delete or anonymize your data without delay, except where retention is required by law.

Data CategoryRetention PeriodLegal Basis
Account and profile dataUntil account deletionService agreement
Contract and withdrawal records5 yearsAct on Consumer Protection in Electronic Commerce (Korea)
Payment and transaction records5 yearsAct on Consumer Protection in Electronic Commerce (Korea)
Consumer complaint records3 yearsAct on Consumer Protection in Electronic Commerce (Korea)
Access logs3 monthsProtection of Communications Secrets Act (Korea)
Advertising records6 monthsAct on Consumer Protection in Electronic Commerce (Korea)

Upon account deletion, personal data is destroyed without delay. Data that must be retained by law is stored separately in a restricted database and destroyed upon expiration of the required retention period.

5. Sharing and Disclosure of Information

  1. We process your personal data only within the scope described in Section 2 and do not sell, rent, or share your data with third parties for their own purposes without your prior consent.
  2. Exceptions to the above:
    • You have provided explicit prior consent to the sharing
    • Buyer-manufacturer matching: Upon a successful match and with separate consent, contact information necessary for the transaction is shared with the counterparty
    • Required by law or legal process
    • Requested by law enforcement authorities following legally prescribed procedures

6. Service Providers (Data Processors)

We engage the following third-party service providers to operate the Service. Each provider processes data only as instructed by us and under contractual obligations to maintain confidentiality and security. Locations below reflect the actual storage/processing region as of July 4, 2026.

ProviderPurposeData ProcessedLocation
Supabase Inc.Cloud database, authentication, file storage, realtimeAccount data, profiles, chats, service dataUS (HQ) / Singapore (storage — AWS ap-southeast-1)
Anthropic PBCAI analysis (Claude API); inputs not used for model trainingProduct/export text submitted for analysis (PII minimized)US
Stripe, Inc.Global payment processing, escrow (manual capture)Payment card details (tokenized), transaction recordsUS
Cloudflare, Inc.Hosting (Pages), CDN, DDoS protection, TLS terminationIP address, access logs, cached contentUS (HQ) / Global edge network
Resend, Inc.Transactional and marketing email deliveryEmail address, recipient name, subject and bodyUS
MOTIVE Global, Inc.USD settlement, overseas customer support (group entity)Account, profile, payment, transaction dataUS (Delaware)
Apollo Data Inc. (Apollo.io)Prospective buyer lead database (API)Buyer search criteria; retrieved public business contactsUS
Telegram Messenger Inc.Operator notifications (Bot API)Admin summaries (PII minimized)BVI / UAE
Naver Corp.Product data search (public API)Search queries (no PII)Republic of Korea
OpenSky NetworkAviation tracking (public API)No personal dataSwitzerland

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including Singapore, the United States, and other jurisdictions via global CDN edges. For Korean users, this is disclosed under Article 28-8 of the Korean Personal Information Protection Act (PIPA); by accepting our Terms and this Privacy Policy at account creation, you consent to such transfers. We comply with GDPR Articles 44–49 for EEA/UK users and ensure appropriate safeguards for all international transfers.

7.1 Data Transfer Recipients

Recipient, country of storage/processing, items transferred, timing/method, retention period, and legal basis are disclosed below. Region information is verified against our Supabase Management API on July 4, 2026 (project id: lylktgxngrlxmsldxdqj, region: ap-southeast-1).

Recipient (Country / Region)Data ProcessedTiming & MethodRetentionLegal Basis for Transfer
Supabase Inc.
HQ: US (Delaware) / Storage region: Singapore (AWS ap-southeast-1)
Account data, business profiles, product data, chats, IP address, service logsReal-time TLS 1.2+ transfer during service useUntil account deletion or contract termination (plus statutory retention where applicable)Standard Contractual Clauses (SCCs); DPA in place
Anthropic PBC
United States (California)
Product/export text submitted for AI analysis (PII minimized)On-demand TLS API call during analysisProcessor: retained up to 30 days for trust & safety per Anthropic Commercial Terms, then deleted. Our DB: until account deletionSCCs; Anthropic Commercial Terms and DPA (inputs not used for model training)
Stripe, Inc.
United States (California / Delaware); EU processing via Stripe Payments Europe
Payment card details (tokenized), billing details, transaction recordsDirect TLS transfer from user browser to Stripe via Elements/Checkout at payment timePCI DSS and US tax law retention (typically 7 years) or per Stripe policyEU-US Data Privacy Framework (DPF); PCI DSS Level 1; SCCs; Stripe DPA
Cloudflare, Inc.
United States (California); global edge including Seoul PoP
IP addresses, User-Agent, request URLs, access logs, cached responsesAutomatic routing to nearest edge node on user accessCloudflare log policy: up to 30 days (our designated logs: 3 months per Korean law)EU-US Data Privacy Framework (DPF); SCCs; Cloudflare DPA
Resend, Inc.
United States (California)
Email address, recipient name, subject and body of transactional/marketing emailsTLS API call at send-event triggerResend policy: send logs up to 30 days (email body not retained)SCCs; Resend DPA
MOTIVE Global, Inc. (group entity)
United States (Delaware)
Overseas users' account, profile, payment, transaction dataTLS transfer on overseas payment events and support activityUntil account deletion (plus statutory retention where applicable)SCCs; Intra-group Data Processing Agreement
Apollo Data Inc. (Apollo.io)
United States (California)
Buyer search criteria (not PII) and retrieved public business contacts (work email, title)TLS API call at buyer-discovery executionStored in our DB after retrieval until account deletionSCCs; Apollo Terms and DPA
Telegram Messenger Inc.
BVI / UAE (Dubai)
Operator notification summaries (PII minimized)Bot API TLS transfer on event occurrenceOperator chat history retained per Telegram policy (deletion on user request)Contractual necessity; PII minimized at source
(주)모티브이노베이션 (Motive Innovation Co., Ltd.)
Republic of Korea
All service data for operation and supportContinuous, secure administrative accessUntil account deletion (plus statutory retention where applicable)EU-Korea Adequacy Decision (17 Dec 2021, GDPR Art. 45)

7.2 Safeguard Mechanisms (GDPR Art. 46)

7.3 Your Rights Regarding International Transfers

You have the right to:

To exercise these rights or request copies of SCCs, contact: privacy@whistle-ai.com

8. Data Security

We implement the following technical and organizational measures to protect your personal data:

  1. Encryption at Rest: Passwords are hashed using bcrypt. Payment information is managed by PCI DSS-compliant processor (Stripe).
  2. Encryption in Transit: All data transmission is encrypted via SSL/TLS protocols.
  3. Access Controls: Row Level Security (RLS) for data isolation, role-based access management, and least-privilege principle for all system access.
  4. Audit Logging: Administrative access is logged and monitored.
  5. Personnel Controls: Access to personal data is limited to authorized personnel. Regular security training is conducted.

9. Cookies and Tracking Technologies

  1. The Service uses browser local storage for authentication token management.
  2. We collect minimal access records for service analytics and quality improvement.
  3. You may delete stored data at any time through your browser settings.
  4. We do not use third-party advertising trackers.

10. Your Rights

10.1 All Users

Regardless of your location, you have the right to:

  1. Access: Request a copy of the personal data we hold about you
  2. Correction: Request correction of inaccurate or incomplete personal data
  3. Deletion: Request deletion of your personal data (subject to legal retention requirements)
  4. Processing Restriction: Request that we restrict the processing of your personal data

To exercise these rights, use the profile settings within the Service or email creative@mo-tive.com. We will respond within 10 business days.

10.2 Additional Rights for EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you also have the right to:

10.3 Additional Rights for California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to:

California Privacy Rights — Do Not Sell My Personal Information

Whistle AI does not sell, rent, or share your personal information with third parties for their direct marketing purposes. To exercise your CCPA rights (access, deletion, or opt-out), contact us:

✉ Submit Privacy Request (Do Not Sell)

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at creative@mo-tive.com.

12. Data Protection Officer

DetailInformation
NameHeewoong Chae
TitleCEO / Data Protection Officer
Phone+82-70-5097-6371
Emailcreative@mo-tive.com

13. Remedies and Complaints

If you have concerns about how your personal data is handled, you may contact the following authorities:

14. Changes to This Policy

  1. We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices.
  2. Material changes will be communicated at least 7 days before the effective date via in-app notification or email.
  3. Changes that are materially adverse to you will be communicated at least 30 days in advance.
  4. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Supplementary Provision

This Privacy Policy is effective as of March 1, 2026. The July 4, 2026 amendment expanded and corrected disclosures on international data transfers and sub-processors (in particular the accurate storage region for Supabase — Singapore, AWS ap-southeast-1 — and the inclusion of Cloudflare, Resend, Apollo.io, and Telegram). Notice of the amendment was provided at least 7 days in advance via in-app notification and email.

Contact Information

(주)모티브이노베이션 (Korea) / MOTIVE Global, Inc. (US)

Email: creative@mo-tive.com

Phone: +82-70-5097-6371

Address: 3F #307, 28 Nonhyeon-ro 98-gil, Gangnam-gu, Seoul, Republic of Korea