Announcement Date: April 28, 2026
Effective Date: May 5, 2026
This Policy apply immediately to creators who newly join on or after April 28, 2026, and from May 5, 2026 for existing participants.
Indent Corporation (https://spray.io, hereinafter referred to as the “Company” or “Spray”) complies with the personal information protection regulations under applicable laws that information and communication service providers must observe, including the Protection of Communications Secrets Act, the Telecommunications Business Act, the Personal Information Protection Act, and the Act on Promotion of Information and Communications Network Utilization and Information Protection, and establishes this Privacy Policy in accordance with such laws and regulations in order to make best efforts to protect the rights and interests of users.
This Privacy Policy may be changed due to amendments to laws or guidelines related to personal information, or due to changes in the Company’s policies. In the event of such changes, the Company will notify users without delay and will post the details on the Privacy Policy change history page so that users can review them at any time.
The Company’s Privacy Policy contains the following:
A. Items of Personal Information Collected
The Company collects the following personal information for the operation of affiliate marketing campaigns of campaign-operating brands:
Information of individuals participating in the campaign (hereinafter referred to as “Campaigner” or “User”):
Name, mobile phone number, email address, SNS ID, and additional information requested by the brand within the scope necessary for campaign operation (such as address, PayPal ID, etc., as optional items).
B. Method of Collection
The Company collects information directly entered by campaign participants through input forms within the Spray platform or information provided by brands for campaign operation.
C. Purpose of Collection
The Company collects and uses necessary information related to the operation of affiliate marketing campaigns based on the legitimate interests for the performance of campaign participation contracts and enhancement of services.
The Company does not provide personal information to third parties except in cases where the information subject has given separate consent or where special provisions exist under laws such as Article 17 of the Personal Information Protection Act.
The Company entrusts personal information processing as follows to improve services, and stipulates necessary matters in accordance with applicable laws so that personal information is safely managed during the entrustment contract.
A. Entrusted Organizations and Details of Entrusted Work
1. Service Infrastructure Operation
Entrustee: Amazon Web Services, Inc., Google LLC, Twilio Inc.
Entrusted Work: Operation of infrastructure where personal information is stored, email delivery services
Retention Period: Until the purpose of use is achieved or the retention period required by applicable laws expires
2. Marketing Operation Outsourcing
The Company may entrust personal information processing to agencies designated by the brand at the request of the campaign-operating brand
Entrustee: Marketing agencies designated by the campaign-operating brand
Entrusted Work: All marketing operations including campaign management, advertisement execution, and performance analysis
Retention Period: Until the purpose of use is achieved or the retention period required by applicable laws expires
3. Logistics Outsourcing
The Company may entrust personal information processing to agencies designated by the brand at the request of the campaign-operating brand.
Entrustee: Logistics agencies designated by the campaign-operating brand
Entrusted Work: All logistics operations including delivery of provided goods and management of delivery history
Retention Period: Until the purpose of use is achieved or the retention period required by applicable laws expires
B. Overseas Processing of Entrusted Personal Information
The information subject may refuse consent to overseas transfer; however, in such case, use of the service may be restricted.
Amazon Web Services, Inc.
Country: United States, etc. (location of data centers)
Timing/Method: Transferred via network at the time of service use
Items: Service usage records or collected personal information
Purpose: Data storage and cloud infrastructure operation
Retention Period: Until the retention period required by applicable laws expires
Google LLC
Contact: https://cloud.google.com/contact
Country: United States, etc.
Timing/Method: Real-time transfer via network at the time of email transmission
Items: Recipient email address
Purpose: Email delivery service
Retention Period: Until the retention period required by applicable laws expires
Twilio Inc.
Contact: privacy@twilio.com
Country: United States
Timing/Method: Real-time transfer via network at the time of email transmission
Items: Recipient email address and SNS ID
Purpose: Email delivery service
Retention Period: Until the purpose of use is achieved
The Company collects personal information of users within the minimum scope necessary to provide services and uses such information only within the scope of consent. The Company does not use or disclose personal information beyond the scope of consent without prior consent. The Company collects, uses, retains, and destroys personal information as follows depending on the services provided.
Relevant Law | Information Collected | Retention Period |
|---|---|---|
Protection of Communications Secrets Act | Personal information related to service use (login records) | 3 months |
Act on Consumer Protection in Electronic Commerce, etc. | Personal information related to service use (login records) | 5 years |
Act on Consumer Protection in Electronic Commerce, etc. | Records on payment and supply of goods | 5 years |
Act on Consumer Protection in Electronic Commerce, etc. | Records on consumer complaints or dispute resolution | 3 years |
Internal Policy | Records of fraudulent or abnormal use (mobile phone number, email address, IP, log records) | 1 year |
In principle, the Company destroys collected personal information immediately after the purpose of use has been achieved. However, if personal information must be preserved in accordance with other laws even after the retention period has expired or the purpose has been achieved, such personal information shall be transferred to a separate database (DB) or stored in a different location.
A. Destruction Procedure
After the purpose of collection and use has been achieved, the information shall be destroyed without delay. However, it may be stored for a certain period in accordance with applicable laws before destruction.
B. Method of Destruction
Personal information stored in electronic file form shall be destroyed using a method that makes it irrecoverable.
Personal information printed on paper (printouts, written documents, etc.) shall be destroyed by shredding or incineration.
Users and their legal representatives may request access, correction, withdrawal of consent, deletion, and data portability of personal information processed by the Company at any time, and may also request account deletion.
However, withdrawal of consent to personal information collection and processing or account deletion may restrict the use of part or all of the services.
Where a user requests correction of errors in personal information, the Company shall not use or provide such personal information until the correction is completed. In addition, where incorrect personal information has been provided to a third party, the Company shall notify such third party of the corrected information without delay upon the user’s request so that correction may be made.
The Company processes personal information requested for termination of the service use contract or account deletion by the user or legal representative in accordance with the “Retention and Use Period of Personal Information” and shall ensure that such information is not used or accessed for any other purpose.
The Company uses “cookies” to store and retrieve user information in order to provide appropriate services to visitors to the Company’s website. Cookies are small pieces of information sent by a server (HTTP) used in operating the website to the user’s browser and may be stored on the hard disk of the user’s computer.
A. Purpose of Use of Cookies
Cookies are used as functional cookies to enhance user convenience.
B. Installation/Operation and Refusal of Cookies
Users have the option to install cookies. Accordingly, users may allow all cookies, confirm each time a cookie is saved, or refuse the storage of all cookies by setting options in the web browser.
Example setting method: Tools > Internet Options > Privacy in the web browser.
If cookie settings are refused, some service functions may be restricted.
In accordance with Article 29 of the Personal Information Protection Act, the Company implements the following technical, administrative, and physical measures necessary to ensure safety.
A. Minimization of Personnel Handling Personal Information
The Company designates employees who handle personal information and limits access rights to the minimum necessary.
B. Establishment and Implementation of Internal Management Plans
The Company establishes and implements internal management plans for safe processing of personal information.
The Company provides regular internal and external training to employees handling personal information regarding acquisition of new security technologies and obligations related to personal information protection.
The handover of duties related to personal information is conducted thoroughly while maintaining security, and responsibilities for personal information incidents are clearly defined before and after employment.
New employees are required to sign information security or personal information protection pledges to prevent information leakage in advance, and internal procedures are established and continuously implemented to audit compliance with the Privacy Policy and employee adherence.
Upon resignation, employees sign confidentiality agreements to prevent disclosure, damage, or infringement of personal information obtained during their duties.
In addition, if personal information is lost, leaked, altered, or damaged due to internal management error or technical issues, the Company will immediately notify the user and prepare appropriate countermeasures and compensation.
C. Encryption of Personal Information
Passwords are stored and managed in encrypted form so that only the user can know them, and important data is protected using additional security measures such as encryption of files and transmission data or file locking.
D. Restriction of Access to Personal Information
The Company takes necessary measures to control access to personal information by granting, modifying, and revoking access rights to database systems processing personal information and uses intrusion prevention systems to prevent unauthorized external access.
The Company designates the following person in charge to oversee personal information processing and handle complaints and remedies related to personal information:
Personal Information Protection Officer
Name: Jeon Suyeol (CTO)
Email: contact@indentcorp.com
Department for Handling Privacy Complaints
Department: Customer Success Team
Email: contact@indentcorp.com
Users may contact the above officer and department regarding all matters related to personal information protection, complaints, and remedies, and the Company will respond without delay.
Users may also apply for consultation or dispute resolution regarding personal information infringement to the following institutions:
Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
Personal Information Infringement Report Center (privacy.kisa.or.kr / 118)
Personal information protection supervisory authority in the user’s jurisdiction
As the Republic of Korea has received an adequacy decision from the European Union, personal information of Campaigners residing in the European Economic Area (EEA) is transferred to the Republic of Korea and safely protected.
This Privacy Policy shall apply from the effective date. Where the Company amends the Privacy Policy, it shall continuously disclose the timing and details of the changes, and the amended content shall be disclosed at least 7 days prior by comparing before and after versions so that users can easily review them.