Announcement Date: Apr 28, 2026
Effective Date: May 5, 2026
Indent Corporation (https://spray.io, hereinafter referred to as the “Company” or “Spray”) complies with the personal information protection regulations under relevant laws that information and communications service providers must observe, such as the Protection of Communications Secrets Act, the Telecommunications Business Act, the Personal Information Protection Act, and the Act on Promotion of Information and Communications Network Utilization and Information Protection, and has established this Privacy Policy in accordance with relevant laws to make its best efforts to protect the rights and interests of users.
This Privacy Policy may be changed when there are changes in laws or guidelines related to personal information or when the Company’s policies change. The Company will notify users without delay of such changes and will disclose and post them on the Privacy Policy change history page so that they can be checked at any time.
The Company’s Privacy Policy contains the following contents:
The Company collects the following personal information for the provision of Spray (spray.io) services and campaign operation management based on legitimate interests for the performance of service contracts and service enhancement.
1) Member Information
Collection Timing: At the time of membership registration, inquiry consultation, and provision of service and message sending functions
Collected Items:
(At registration) Name, email address, encrypted password
(At inquiry) Name, email address or mobile phone number
(During service and message sending) Brand name, email address
(When receiving newsletters and automatic notification emails) Name, brand name, email address, business location, contact person name, consent to receive marketing
Purpose of Use: Use of membership services and identity verification, confirmation of intent to join and use, performance and provision of service contracts, sending newsletters and automatic notification emails, responding to and supporting inquiries related to service provision and delivering notices, and prevention of fraudulent use by bad members
2) Non-member Information
Collection Timing: When applying for an introduction consultation
Collected Items: Company name, name, email address, mobile phone number
Purpose of Use: Responding to and supporting inquiries related to service provision and consultation for service introduction
3) Payment Information
Collection Timing: When paying service usage fees
Collected Items:
(Card payment) Card company, card type, card number, expiration date, business registration number, date of birth, encrypted card identification information (Key)
(Bank transfer) Business name, business registration number, business address, contact person name, contact person email address
Purpose of Use: Performance and provision of service contracts, billing and settlement
4) Creator Information
Collection Timing: When a campaign participant directly enters information through an input form within the Spray platform or when a member (brand) provides it for campaign operation
Collected Items: Name, mobile phone number, email address, SNS ID, additional information requested by the brand within the scope necessary for campaign operation (optional items such as address, PayPal ID, etc.)
Purpose of Use: Performance and provision of service contracts
5) Information Automatically Collected During Service Use
Collection Timing: When accessing and using the service (or visiting the website)
Collected Items: Service usage records, access logs, cookies, access IP information, payment records, suspension of use records
Purpose of Use: Development of new services and improvement, statistical analysis of service use, service satisfaction surveys, and operation optimization
The Company collects information entered by users through electronic methods provided by the Company, such as the Spray website (spray.io) or mobile app services. In some cases, information may also be collected through printed paper documents, email, or messenger chatbots.
The Company does not provide personal information to third parties except in cases corresponding to Article 17 of the Personal Information Protection Act, such as when there is separate consent from the data subject or special provisions in law.
The Company entrusts personal information as follows for service improvement and stipulates necessary matters so that personal information can be safely managed during entrustment contracts in accordance with relevant laws.
Service Infrastructure Operation
Entrusted Party: Amazon Web Services, Inc., Google LLC, Twilio Inc., Stripe, LLC
Scope of Work: Operation of infrastructure where personal information is stored, email sending agency, payment processing, and prevention of fraudulent payments
Retention Period: Until the purpose of use is achieved or until the retention period required by relevant laws expires
Counseling and Inquiry Service
Entrusted Party: Channel Corporation
Scope of Work: Maintenance and repair of inquiry and consultation systems
Retention Period: Until the purpose of use is achieved or until the retention period required by relevant laws expires
Automatic Notification Email and Newsletter Sending Service
Entrusted Party: Stibee Inc.
Scope of Work: Sending of email newsletters and automatic notification emails (such as membership registration), and analysis of sending statistics
Retention Period: Until the purpose of use is achieved or until the retention period required by relevant laws expires
The data subject may refuse to consent to overseas transfer, and service use may be restricted if consent is refused.
Amazon Web Services, Inc.
Country: United States, etc. (data center location)
Time and Method of Transfer: Transferred via network at the time of service use
Items Transferred: Service usage records or collected personal information
Purpose: Data storage and cloud infrastructure operation for service provision
Retention and Use Period: Until the purpose is achieved or the retention period required by relevant laws expires
Google LLC
Contact: https://cloud.google.com/contact
Country: United States, etc. (data center location)
Time and Method of Transfer: Transferred via network when linking Gmail account and using the service
Items Transferred: Google account authentication information (OAuth token), email address
Purpose: Providing email sending function through Gmail linkage and API authentication
Use limitations of Google Workspace API (including Gmail API):
No data collected through Google Workspace APIs will be used to develop, improve, or train generalized AI or machine learning models
Collected data is used only for direct service functions of Spray
The Company complies with Google’s API Services User Data Policy
Retention and Use Period: Until account linkage is terminated or the purpose is achieved or the retention period required by relevant laws expires
Twilio Inc.
Contact: privacy@twilio.com
Country: United States
Time and Method of Transfer: Real-time transmission via network at the time of email sending
Items Transferred: Reply email address entered by the member, recipient information (email address, SNS ID)
Purpose: Email sending agency for service provision
Retention and Use Period: Until the purpose is achieved or the retention period required by relevant laws expires
Stripe, LLC
Contact: privacy@stripe.com
Country: United States, etc. (global hubs)
Time and Method of Transfer: Transferred via network when using payment services
Items Transferred: Payment-related information such as card company, card type, card number, expiration date, encrypted card identification information (Key), etc.
Purpose: Payment of service fees, identity verification, and prevention of fraudulent payments
Retention and Use Period: Until the purpose is achieved or the retention period required by relevant laws expires
The Company collects personal information to the minimum extent necessary for service provision and uses it only within the scope consented to by the user.
Member Personal Information
Retention Purpose: Service use and management
Retention Period: After withdrawal, service usage history and related information are stored for 3 months and then completely deleted. However, to prevent fraudulent use, fraudulent/bad usage records may be stored for up to 1 year
Fraudulent/Bad Usage Records
Retention Purpose: Prevention of fraudulent use and re-registration
Retention Period: 1 year
Even in the above cases, if retention is required under other laws, it will be handled in accordance with those laws.
Item | Reason | Period |
|---|---|---|
Records of contracts or withdrawal | Act on Consumer Protection in Electronic Commerce | 5 years |
Records of payment and supply | Act on Consumer Protection in Electronic Commerce | 5 years |
Records of consumer complaints or dispute resolution | Act on Consumer Protection in Electronic Commerce | 3 years |
Service access records | Protection of Communications Secrets Act | 3 months |
Tax-related transaction records | Framework Act on National Taxes | 5 years |
Electronic financial transaction records | Electronic Financial Transactions Act | 5 years |
In principle, personal information is destroyed immediately after the purpose of collection and use is achieved. If it must be preserved under other laws even after the retention period expires or the purpose is achieved, it will be transferred to a separate database (DB) or stored in a different storage location.
Destruction Procedure: Destroyed without delay after the purpose is achieved, or after a certain period if required by law
Destruction Method: Electronic files are destroyed in a way that cannot be restored, and printed documents are destroyed by shredding or incineration
Users and legal representatives may request access, correction, withdrawal of consent, deletion, and data portability of personal information at any time, and may request account deletion. However, withdrawal of consent or account deletion may result in restriction of part or all of service use.
If a user requests correction of an error, the Company will not use or provide the information until the correction is completed. If incorrect information has already been provided to a third party, the Company will notify the third party without delay so that correction is made.
The Company processes personal information requested for termination of paid service contracts, membership withdrawal, or account deletion in accordance with the retention and use period of personal information and ensures that it cannot be used or viewed for other purposes.
The Company uses “cookies” to store and retrieve user information to provide appropriate services. Cookies are small pieces of information sent by the server (HTTP) used to operate the website to the user’s computer browser and may also be stored on the user’s PC hard disk.
A. Purpose of Use of Cookies
Functional cookies are used to improve user convenience.
B. Installation/Operation and Refusal
Users have the right to choose whether to install cookies. Accordingly, users can allow all cookies, confirm each time cookies are stored, or refuse all cookies by setting options in their web browser.
Example setting method: Tools > Internet Options > Privacy
If cookie storage is refused, some functions may be restricted.
The Company takes the following measures pursuant to Article 29 of the Personal Information Protection Act.
A. Minimization of personnel handling personal information
The Company designates employees handling personal information and limits access rights to the minimum necessary.
B. Establishment and implementation of internal management plans
The Company establishes and implements internal management plans for safe processing of personal information.
The Company conducts regular internal and external training for employees handling personal information regarding acquisition of new security technologies and obligations for personal information protection.
Handover of duties related to personal information processing is conducted thoroughly in a secure state, and responsibility for personal information incidents before and after employment is clearly defined.
New employees sign information protection or personal information protection pledges to prevent information leakage in advance, and the Company has established internal procedures to audit compliance with the Privacy Policy and employee adherence.
Upon resignation, employees sign confidentiality agreements to prevent damage, infringement, or leakage of personal information learned during their duties.
If personal information is lost, leaked, altered, or damaged due to mistakes by internal administrators or technical management issues, the Company will immediately notify users and prepare appropriate measures and compensation.
C. Encryption of passwords
User passwords are encrypted and stored and managed so that only the user can know them, and important data is protected by applying separate security functions such as file and transmission data encryption or file locking.
D. Restriction of access to personal information
Necessary measures are taken to control access to personal information by granting, changing, and revoking access rights to the database system, and unauthorized access from outside is controlled using intrusion prevention systems.
The Company designates a Personal Information Protection Officer to take overall responsibility for personal information processing and to handle complaints and damage relief.
Personal Information Protection Officer
Name: Jeon Suyeol (CTO)
Email: contact@indentcorp.com
Department in charge of personal information complaints
Department: Customer Success Team
Email: contact@indentcorp.com
Users may contact the above officer or department for all inquiries, complaints, and damage relief related to personal information protection arising from use of the Company’s services, and the Company will respond without delay.
Users may also apply for dispute resolution or consultation regarding personal information infringement to the following institutions:
Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
Personal Information Infringement Report Center (privacy.kisa.or.kr / 118)
Supervisory authority for personal information protection in the user’s place of residence
Republic of Korea has received an adequacy decision from the European Union, and personal information of users residing in the European Economic Area (EEA) is transferred to Korea and safely protected.
This Privacy Policy applies from the effective date. When the Company changes the Privacy Policy, it will continuously disclose the timing of the change and the changed content, and will disclose the changes at least 7 days in advance by comparing the before and after versions so that users can easily check them.