Privacy Policy

Last Updated: August 11, 2025

Preamble

Research Factory Co., Ltd. (“Research Factory,” “Company,” or “we”), a company incorporated under the laws of the Republic of Korea, is committed to respecting your privacy and protecting your personal information. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and process your personal data when you use our software, platform, APIs, documentation, and all related software provided to build, deploy, host, and manage software projects (collectively, the “Services”), including our website medcanvas.ai. It also explains how you can access and update your information, and describes the data protection rights available to you under your country or state laws (including Korea’s Personal Information Protection Act (PIPA), the GDPR/UK GDPR for users in the EEA/UK, and the CCPA for California users).

By accessing or using the Services, you acknowledge that you have been informed of our practices regarding personal information and, where consent is a legal basis for processing, that you consent to such processing. We do not collect, process, or store personal health information, and our Services are not intended for medical or health data management.

This Policy primarily applies where Research Factory acts as the controller of your personal data. Conversely, when we process personal data on behalf of our commercial customers (e.g., where your employer provides a Research Factory account for workplace use), we act as a processor, and the applicable customer agreement governs that processing. The Services must not be used for medical, diagnostic, or treatment purposes. Do not submit any health or medical information.

1. Information We Collect

A. Information You Provide Directly

  • Account Information: Identifiers such as name and email address.
  • Payment Information: Billing address and payment method (credit cards are processed by third-party payment processors).
  • Communications: Contact details and the content of messages sent during inquiries or support.
  • Feedback: Evaluations of Suggestions for your Inputs, ideas for improvements, and related content (“Feedback”).

B. Information Collected Automatically

  • Device Information: Device type, browser/OS details, and network information.
  • Log Information: IP address, browser settings, error logs, and interaction logs.
  • Usage Data: Access dates and times, queries/search history, clicked links, pages viewed, and other usage patterns.
  • Cookies & Similar Technologies: Used for operation, analytics, improvements, personalization, and preference management (see our Cookie Policy for details).

C. Sensitive/Special Categories & Children’s Data

The Services are intended for users aged 18 and older; we do not knowingly collect information from children under 18. We do not intentionally collect sensitive or special categories of personal data as defined by applicable law, except where explicitly provided by you as part of an Input and only where required for functionality and where we have obtained explicit consent if required by law. We strongly discourage submitting such information. If we learn a user is under 18, we will investigate and delete the data/account as required by law.

2. Purposes of Use (Legal Bases for Processing)

  • Provide and maintain the Services (including optional features) — Contract necessity
  • Create, manage, and operate your account; facilitate payments; respond to inquiries — Contract necessity, Legitimate interests
  • Improve, develop, and research the Services; debug and fix issues — Legitimate interests; Consent (where specific data is used for model training per our Terms)
  • Communicate updates, service information, and events — Contract necessity, Legitimate interests; Consent (where required for marketing)
  • Prevent, detect, and investigate fraud, abuse, security incidents, and Terms violations — Legitimate interests, Legal obligations
  • Comply with legal obligations and protect rights, safety, privacy, and property — Legal obligations, Legitimate interests
  • Investigate and resolve disputes or security issues — Legitimate interests, Legal obligations
  • Enforce our Terms and other applicable agreements — Contract necessity, Legitimate interests
  • Aggregate/de-identify data for analytics, improvements, and research — Legitimate interests

3. Sharing of Personal Information (International Transfers)

  • Service Providers & Partners: Hosting, cloud, analytics, customer support, security monitoring, communications, payments, compliance, and other IT functions (processed only as necessary under our instructions and applicable law).
  • Business Transfers: Disclosure or transfer during mergers, acquisitions, restructurings, bankruptcies, or similar transactions.
  • Legal Compliance & Protection: To comply with laws/procedures, respond to lawful requests, protect rights/safety, prevent fraud/security incidents, enforce Terms, and protect against legal liability.
  • Third-Party Services & Integrations: When you use linked/integrated third-party services, their terms and privacy policies apply.
  • Business Account Administrators: If you register with an organization email, certain account information may be shared with that organization; admins may manage your use.
  • Other Users/Third Parties: When you voluntarily share Inputs, Suggestions, or other content via features, the recipients’ terms and policies apply.
  • With Your Consent: Where a specific disclosure requires express permission, we will obtain consent.

For cross-border transfers, we implement appropriate safeguards (e.g., Standard Contractual Clauses (SCCs)) and valid transfer mechanisms as required (see Section 6).

4. Data Retention

We retain personal data only as long as necessary to operate the Services and for lawful business purposes such as legal compliance, safety, dispute resolution, and contract performance. Retention depends on purpose, sensitivity, risk, and legal requirements. When no longer needed, we delete, destroy, de-identify, or anonymize data per law and our internal policies.

5. Technical & Organizational Measures

We implement commercially reasonable technical and organizational measures aligned with industry standards and applicable laws (e.g., PIPA), including encryption, access controls, and periodic security reviews. However, no method of transmission or storage is completely secure. Exercise caution in deciding what to share. We are not responsible for circumvention of privacy settings or security measures of the Services or third-party sites linked through the Services.

6. Your Rights and Choices (Cross-Border Transfers)

Depending on where you live, you may have rights to access, delete, correct, or port your data; to object to or restrict certain processing; to withdraw consent where processing is based on consent; and to lodge a complaint with a supervisory authority. Submit requests to admin@rfactory.kr. We may request information to verify your identity. We do not discriminate for exercising your rights.

  • Right to know categories of data collected, purposes, and categories of recipients
  • Right of access and data portability (where applicable)
  • Right to deletion (subject to legal exceptions)
  • Right to rectification of inaccurate personal data (does not apply to AI-generated outputs)
  • Right to object to certain processing (e.g., direct marketing) and to request restriction
  • Right to withdraw consent where processing relies on consent (without affecting prior lawful processing)
  • No solely automated decisions producing legal/similarly significant effects
  • No “sale”/“sharing” of personal information or targeted advertising as defined under certain U.S. state laws

We process data in various jurisdictions, including Korea and the U.S. For transfers from the EEA/UK to countries outside the EEA/UK, we use SCCs or other valid mechanisms and apply appropriate safeguards, performing transfer impact assessments where required.

7. Jurisdiction-Specific Notices

A. Republic of Korea (PIPA)

Destruction Procedures & Methods

  • Electronic files: Permanently deleted using irrecoverable technical methods
  • Paper documents: Physically destroyed by shredding or incineration
  • Database records: Fully removed across backups/logs

Cookies: Use & Opt-Out

  • Allow all — full functionality
  • Reject — disable in browser settings (some features may be limited)
  • Selectively allow — choose categories in preferences

See our Cookie Policy for details.

Data Protection Officer (DPO)

  • Name: Jungjoo Yoo
  • Title/Dept/Phone: (to be updated)
  • Email: admin@rfactory.kr

Remedies & Assistance

You may request access, correction, deletion, or suspension of processing of your personal information at any time.

B. EEA/UK Users (GDPR/UK GDPR)

We process data on the legal bases described in Section 2. You have the right to lodge a complaint with a supervisory authority. For transfers outside the EEA/UK, we rely on SCCs or other valid mechanisms and, where required, conduct transfer impact assessments (see Section 6).

C. California Users (CCPA/CPRA)

We do not “sell” or “share” personal information, nor do we process sensitive personal information to infer consumer characteristics. Your rights (right to know, delete, correct, and opt out of sale/sharing, etc.) are described in Section 6 and throughout this section. To exercise rights, contact admin@rfactory.kr.

8. Changes to This Privacy Policy

We may update this Policy from time to time. When we do, we will post the revised version and effective date at the top of this page and, where legally required or where changes materially affect your rights, we may provide additional notice (e.g., email or in-service notifications). Your continued use of the site after changes become effective constitutes acceptance of the updated Policy.

9. Contact Us

For questions regarding refunds, cancellations, or data inquiries: admin@rfactory.kr

For questions about this Policy, our data practices, or to exercise your rights:

  • Research Factory Co., Ltd.
  • Data Protection Officer: Jungjoo Yoo
  • Title/Dept/Phone: (to be updated)
  • Email: admin@rfactory.kr

© 2025 Research Factory Co., Ltd. All rights reserved.