Privacy Policy
Studio XID Korea, Inc., including its affiliates and subsidiaries (collectively, “Studio XID” and also referred to as “we,” “us,” and “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This Policy provides a framework for ensuring that Studio XID meets its obligations under applicable data protection laws.
Please read this Policy carefully to understand our practices regarding your personal information and how we will treat it. If you do not agree with our Policy, your choice is not to use our Services. By creating an account and using our Services, you agree to this Privacy Policy. This Policy may change from time to time, and your continued use of our Services after we make changes is deemed to be acceptance of those changes. Therefore, please check the Policy periodically for updates.
You may click on one of the links below to jump to the listed section:
- Scope of Privacy Policy
- Collection of Your Personal Information
- Use of Personal Information
- Legal Basis of Processing Your Personal Information
- Data Retention
- Third-Party Service Providers and Cross-Border Transfers
- Your Legal Rights
- Data Subjects Access Requests
- Data Security and Safety
9.1. Data Breaches
- Children’s Information
- Amendments to Privacy Policy
- Contact Information
- Complaints to Supervisory Authorities
- Additional Information and Jurisdiction-Specific Notices
This Privacy Policy applies to the personal information we process through your access to and use of services and websites owned or operated by us, including our official website (https://www.protopie.io/) and ProtoPie School (https://learn.protopie.io/) (collectively, the "Services") and the products we include as part of the Services - ProtoPie Studio, ProtoPie Cloud, ProtoPie Player, and ProtoPie Connect - under the Free, Basic, and Pro (Plus) plans (collectively, the "ProtoPie Software"). This Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through our Services.
The personal information we collect depends on how you interact with us, the Services you use, and the choices you make.
You may directly provide us with your personal information when you sign up for, sign in to, and/or interact with our Services. This includes personal information you submit when you subscribe to our marketing communications or reach out via "Contact Us" or "Talk to Sales". The personal information we collect may include the following:
IDENTITY DATA including [first name and last name, user ID, company/organization name, job title, country].
CONTACT DATA including [email address].
MARKETING COMMUNICATIONS DATA including [your preferences regarding the receipt of marketing communications from us].
PAYMENT DATA including [cardholder’s name, email address, last four digits of the card number, and country].
USER CONTENT that may include personal information, such as names or voice data if you use voice interactions.
As you interact with our Services, we may automatically collect technical data and usage data. We collect this information by using cookies, server log files, and other similar technologies. The personal information we collect includes:
TECHNICAL DATA including [Internet protocol (IP) address, browser type and version, operating system, and device type].
GEOLOCATION DATA including [geographical information based on your IP address].
USAGE DATA including [information about how you interact with and use our Services, including cookies and other tracking technologies].
We, along with our third-party service providers, may use cookies, pixel tags, web beacons, scripts, and other similar technologies to automatically collect information through the Services. These technologies are essentially small data files placed on your device that allow us to record certain pieces of information whenever you visit or interact with our Services.
Browser Cookies. Cookies are small text files that are stored by the Internet browser on your device. A cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting, you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our website.
Third-Party Cookies. We also use third-party cookies on our website. The legal basis for the use of cookies and the subsequent data processing is your explicit consent. The following third parties may set cookies on your device: Amplitude, Bing UET, Drip, Facebook Pixel, Google Ads, Google Analytics UA, Google Analytics 4, Google DoubleClick, GoogleOAuth, LinkedIn Insight Tag, Microsoft Clarity, Reddit Pixel, Signals SDK, Twitter (X) Pixel, Youtube, and Zitok.
Pixel Tag/Web Beacons/Clear GIF. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page. We may also use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing communications.
We use your personal information for the purposes enumerated below.
Providing and managing the Services, such as:
Creating and managing your account;
Providing access to certain areas, functionalities, features of our Services, including ProtoPie AI if this feature is in use on your account;
Processing payment card and/or other financial information to facilitate your use of the Services; and
Responding to and handling inquiries, customer and technical support requests, and feature requests.
Administering and protecting our business and the Services, including:
Troubleshooting, data analysis, system maintenance, technical support, internal quality control, security, and data hosting.
Communicating with you about our products, Services, events, and conducting surveys.
Contacting customers and/or potential customers about our Services and events we think may be of interest to you, in which case we will seek your marketing consent before sending out marketing materials, except for transactional or legally required communications.
Enforcing our agreements, and complying with our legal obligations including disclosure of information to law enforcement, the courts, and other authorities where required by applicable law.
Improving our Services, including training our AI model if you agree to use the ProtoPie AI feature.
De-identifying personal information upon account deletion in accordance with applicable data protection laws and internal retention policies.
We may collect and use certain personal information to send you marketing communications and to better understand your engagement with our Services and ProtoPie Software for marketing purposes.
Personal Information Collected. Name (first and last), email address, country, user ID, company/organization name, and job title.
Purpose of Use. We may use this information to send you marketing communications including but not limited to newsletters, promotional offers, and other relevant updates; to analyze user behavior and segment users into more relevant audiences for more targeted marketing; to enrich user profiles using third-party sources to tailor outreach and to conduct outreach through email.
Legal Basis. Where required by applicable law, we will only send you marketing communications with your explicit consent. In some cases, and subject to local legal requirements, we may rely on legitimate interests to carry out user analysis, segmentation, data enrichment, and outreach, provided that such activities do not override your fundamental rights and freedom and that you have not objected to such use.
Retention Period. We will retain your personal information for marketing communication purposes until you withdraw your consent or delete your account, whichever occurs first.
Opt Out. Your decision to opt in or opt out of marketing communications will not affect your access to or use of our Services. You may withdraw your consent or object to the processing of your personal information for marketing purposes at any time. If you choose to opt out, we will respect your preferences and ensure that you no longer receive marketing communications via email but may continue to send you service-related or legally required communications as necessary.
Consent. We may process your personal information if you have given us permission (i.e., consent) to use your personal information for a specific purpose, for example placing cookies on your device; before we send you certain electronic marketing communications and in any other situation where personal data processing relies on your consent. You can withdraw your consent at any time.
Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services and responding to and handling your inquiries submitted via Contact Us or Talk to Sales.
Legitimate Interests. We may process your personal information when we believe it is reasonably necessary to achieve our legitimate business interests, for example, to prevent fraud and enable us to give you the best and most secure customer experience. We consider and balance any potential impact on you and your rights before processing your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law. Examples of such use may include protecting our rights, privacy, safety, or property of Studio XID; analyzing your interactions with our Services and ProtoPie Software to improve ProtoPie Software, Services, and business activities; responding to and handling your queries or requests; providing you with related customer service; digitizing files and incoming mails and reaching out to you to provide information about our products or request input on surveys to evaluate our products or services for quality assurance.
Legal Obligations. We may process your personal information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body and regulatory agency, exercise or defend our legal rights, or disclose your personal information as evidence in litigation in which we are involved.
How long we are legally required to keep your personal information depends on both the jurisdiction in which our headquarters is located and the jurisdiction in which you are located at the time you share your personal information with us. Where multiple legal requirements apply, the requirement that provides the most protective retention standards would govern. In general, we do not retain your personal information longer than necessary for the purposes for which it was collected.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process personal information, and whether we can achieve those purposes through other means. By law and by default, we will retain your personal information only as long as necessary to fulfill the purpose for which it was collected.
You have the right to request deletion of your personal information at any time, subject to certain exceptions (see “Your Legal Rights” below).
We may share your personal information with third-party service providers to provide our Services to you. These parties may process personal information to support the delivery of our Services.
Some of this personal information may be transferred to, processed, and stored in jurisdictions that may have different data protection laws from the laws where you are located and may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to applicable laws.
To protect your personal information when transferred internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including the GDPR, and these safeguards include the following:
Transfers based on an adequacy decision by the European Commission
Use of the Standard Contractual Clauses (SCCs) approved by the European Commission
Other legal mechanisms or contractual safeguards permitted under applicable data protection laws.
Outlined below is how we share personal information with third parties and transfer it to locations within and outside of the Republic of Korea.
Third-Party Service Provider | Personal Information Transferred | Location | Processing Activities | Retention Period |
|---|---|---|---|---|
Amazon Web Services, Inc. | - Personal identifiers (name and email address) - Payment information - Location information - Technical system information - Data necessary for backup and disaster recovery | Republic of Korea, United States, India, and Germany | Cloud infrastructure provider | Personal information shall be retained until the earlier of (i) termination or expiration of the data processing agreement, or (ii) termination of the relevant account, unless a longer retention period is required by applicable law. |
Amplitude, Inc. | - Name - Email address - UUID - Device information - IP address - Region (city) | United States | User behavior monitoring and analytics | |
Bright Market, LLC (FastSpring) | - Email address - Cardholder’s name - Last four digits of the card number - Country | United States | Payment | |
ChurnZero, Inc. | - Name - Email address - Company/organization name - Job title - Phone number And - Address | United States | User analytics | |
Circle | - Full name - Email address - Timezone | United States | Community platform (ProtoPioneers) | |
Common Room, Inc. | - Name - Email address - Country - User ID - Company/organization name - Job title | United States | User analytics | |
Drip Global, Inc. | - Name - Email address | United States | Customer email notifications | |
HubSpot, Inc. | - Name - Email address - Company/organization name - Job title - Phone number - Address | United States | User analytics | |
LearnWorlds Ltd. | - Name - Email address - Job title - Address | United States | Educational materials database | |
Paddle.com Inc. | - Email address - Cardholder’s name - Last four digits of the card number - Country | United Kingdom | Payment | |
Salesforce, Inc. | - Name - Email address - Phone number - Company/organization name - Job title - Region (country and address) | United States | Customer relationship management | |
Tidio | - Name - Email address - Company/organization name - Country or region | European Economic Area ("EEA") | Live chat and automated chatbot | |
Zendesk, Inc. | - Name - Email address | United States | Customer service and technical support (feature request) |
Third-Party Service Provider** | Personal Information Transferred | Location | Processing Activities | Retention Period*** |
|---|---|---|---|---|
Anthropic PBC | - User prompts - Workspace information | United States | AI model provider | 30 days |
Alibaba Cloud (for residents of mainland China only) | - Workspace information | People’s Republic of China | AI model provider | 30 days |
*Please note that this applies solely to the use of ProtoPie AI. Pie files will not be shared with AI Providers.
**We reserve the right, at our sole discretion and without prior notice unless required by applicable law, to change, replace, add, or discontinue any AI Providers or related services we use. We may do so at any time to ensure continuity, security, compliance, performance, or for any other operational or commercial reason. Any such change will not diminish our contractual obligations to you, which will continue to be performed using suitable alternative solutions.
***We will retain your personal information for a maximum of 90 days from the earlier of the date on which we receive your Inputs or the date on which Outputs are generated using those Inputs. This retention period is intentionally longer than the AI Provider's retention period to enable us to improve service quality, investigate and remediate incidents, and comply with applicable legal and regulatory requirements.
The rights available to you depend on the legal basis on which we process your personal information and the laws applicable in your jurisdiction. Subject to these factors, you may have the right to:
Right to Be Informed. Be informed about the collection and use of your personal information.
Right of Access. Have access to personal information about you. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Right to Erasure (Right to Be Forgotten). Have information about you deleted. This enables you to ask us to delete or remove personal information when there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to Rectification. Have information about you corrected. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
Right to Object or Restrict Processing. Object or restrict the processing of your personal information where we rely on a legitimate interest as the legal basis for that particular use of your data. If you object to data processing, it will not occur in the future unless we can demonstrate compelling legitimate grounds for further processing that override your interest in objecting.
Right to Data Portability. Data portability allows you to obtain and reuse your personal information for your own purposes, across different services. This permits you to move, copy, or transfer personal information easily from one IT environment to another in a safe and secure way, without affecting its usability. We will provide you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right applies only to automated information in cases where you initially provided consent for its use, or where we used the information to perform a contract with you.
Once we have verified your identity, we will respond and resolve all Subject Access Requests we receive from you regarding your personal information within the 30 days of receipt. Occasionally, it could take us longer than a month if your request is particularly complex or you have made multiple requests. In such cases, we will notify you of the delay and keep you updated on the progress.
Please make sure to submit your Subject Access Request via email, and we will respond using the same format in which we received your request, unless otherwise requested.
We will always explain the reason if we are unable to comply with your Subject Access Request. For example, if your request to access personal information that we no longer hold because it has been deleted in accordance with our data retention policy, we will inform you accordingly.
You will not pay a fee to access your personal information or to exercise any of the other rights.
We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances. If Subject Access Requests made by you are deemed to be excessive or unfounded we reserve the right granted to us under the applicable laws to:
Refuse to provide you with the information, always justifying in writing the reasons behind our refusal
Charge a reasonable administration fee and again, always justifying in writing the reason for any fees
If your Subject Access Request is particularly complex, for example, we will write to you within the first 30 days of you making the Subject Access Request and inform you why it will take us longer to comply with your request.
We take the following steps to ensure the tightest security and apply suitable technical measures to protect your personal information at rest and in transit.
All communications related to the provision of the Services are always protected with encryption technology using HTTPS with TLS 1.2.
Access to personal information is strictly limited to authorized personnel who have undergone regular information security training.
Our data centers are protected by a 24-hour security monitoring system.
We use strong passwords generated in accordance with our internal policies and enforce biometric two-factor authentication (2FA) for access to our systems.
Our Information Security Management System complies with the ISO 27001 and 27701 standards and our compliance is certified by DQS.
For more details regarding our extensive security measures, please visit: https://www.protopie.io/learn/docs/security/overview
In the unfortunate and rare event of a Data Breach (defined below), we will notify you in writing without undue delay and, where feasible, as soon as practicable after becoming aware of the Data Breach. For the purpose of this Section, a “Data Breach” means a breach of ProtoPie’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, your personal information. Our notification of, or response to, a Data Breach will not be construed as an acknowledgement of any fault or liability with respect to the Data Breach.
We may be exempt from individually informing you of any Data Breach if appropriate technical and organizational procedural measures were applied after the Data Breach; subsequent measures were taken to ensure the risk no longer exists; or notifying each affected individual would involve disproportionate effort, in which case we will provide a public communication or use a similar measure to inform you.
In certain jurisdictions, the minimum age for consent to data processing may vary, and we do not knowingly collect or process personal information from individuals under the applicable minimum age requirement, which may be as low as 13 years of age.
If you believe we may have any personal information from or about a child under 16 (or under the minimum age required by applicable data protection laws in your jurisdiction), please contact us using the Contact Information below. If we become aware that we have inadvertently collected or received personal information from a minor without verified parental consent, we will delete such information immediately.
We reserve the right to amend this Privacy Policy at our discretion and at any time. When we do so, we will publish an updated version and effective date at the top of this page, unless another type of notice is legally required. Your continued use of our Services after any change in this Privacy Policy constitutes your acceptance of such change. We encourage you to periodically review this page for any updates that may have been made.
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to submit a Subject Access Request, please reach out to us at:
Attn: Data Protection Officer (DPO)
Email Address: privacy@protopie.io
Postal Address: 34, Bongeunsa-ro 16-gil, Gangnam-gu, Seoul, Republic of Korea (06124)
If you are unhappy about how we have handled your personal information, you can contact our DPO who will investigate the matter and report back to you. We would appreciate the opportunity to address your concerns before you contact regulatory authorities, so we request that you contact us directly first.
If you are not satisfied with our response or believe we are not handling your personal information in accordance with applicable laws, you may lodge a complaint with the relevant supervisory authority:
[Korea] The Personal Information Dispute Mediation Committee (KOPICO) at www.kopico.go.kr or the Personal Information Infringement Report Center at privacy.kisa.or.kr.
[Japan] The Personal Information Protection Commission (PPC) at www.ppc.go.jp.
[China] The Cyberspace Administration of China (CAC) at www.cac.gov.cn.
[US] The Federal Trade Commission (FTC) at www.ftc.gov or your state’s Attorney General, depending on your jurisdiction
[Canada] The Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca or your provincial privacy regulator, where applicable.
[UK] The Information Commissioner’s Office (ICO) at www.ico.org.uk.
[EU] Your local Data Protection Authority (DPA) which supervises the application of data protection laws and has the power to issue fines or other penalties against companies in your country or region.
14.1. Notice to Residents of South Korea