Personal data processing and protection at Lawmadi OS
Lawmadi OS (hereinafter referred to as the "Service") processes personal information for the following purposes. Personal information collected will not be used for purposes other than those stated below. Prior consent will be obtained if the purpose of processing changes.
The Service collects the following personal information:
| Category | Data Collected | Collection Method |
|---|---|---|
| Required | Query text, IP address, visit time | Automatically collected during use |
| Service usage | Conversation history, uploaded documents | Automatically collected during use |
| Credit payment | Payment email address | Entered by user during checkout |
| Email verification (OTP) | Email address, verification code (SHA-256 hash) | Entered by user / system-generated |
| Session management | Session token (encrypted), expiration date | Auto-generated upon authentication |
| Auto-collected | Browser information, access logs | Automatically generated by system |
| Device identification | Device fingerprint (canvas/screen-based hash), device token (UUID) | Auto-generated by system (stored in localStorage) |
| Attorney search | Search criteria (specialty, region, etc.), search and view history | Automatically collected during Attorney Search Service use |
| User reviews/feedback | Review text, consultation/engagement verification materials | Directly entered by user |
The Service will destroy personal information without delay once the purpose of collection and use has been fulfilled. Electronic files are permanently deleted using methods that prevent recovery, and any printed materials are shredded or incinerated (PIPA Enforcement Decree, Art. 16). The retention period for each item is as follows:
| Item | Retention Period | Basis |
|---|---|---|
| Conversation history | 1 year | Service quality improvement |
| Uploaded documents | 7 days | Auto-deleted after analysis |
| Visit statistics | 1 year | Service operation and statistics |
| Payment email | 1 year after credits used or refunded | E-Commerce Act, Article 6 |
| OTP verification code | 5 minutes after issuance (auto-deleted on expiry) | Authentication purpose fulfilled |
| Session token | 30 days (immediately deleted on logout) | Login session maintenance |
| Device identification | Non-logged-in: daily reset (KST 00:00) / Logged-in: deleted on withdrawal | Fraud prevention |
| Attorney search history | 1 year | Service improvement |
| User reviews/feedback | Duration of posting + 30 days after deletion | Service operation and dispute resolution |
The Service uses the following cookies.
| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| `__session` | Essential | Maintaining login status after email verification, credit usage | 30 days |
| `_ga`, `_ga_*` | Analytics (optional) | Service usage statistics via Google Analytics | 2 years |
The Service integrates with the following external services for legal information analysis. Personal information is processed only to the minimum extent necessary for service provision.
Each external service provider processes data according to its own privacy policy. Only query text is sent to the Gemini API, only the payment email to Paddle, and only anonymized usage statistics to Google Analytics.
The Service transfers personal data overseas for legal analysis and payment processing (PIPA Art. 28-8):
| Recipient | Country | Data Transferred | Safeguards |
|---|---|---|---|
| Google (Gemini API) | United States | Query text | Google Cloud DPA, SOC 2/3, ISO 27001 |
| Google (Analytics) | United States | Anonymized usage statistics | Google DPA, IP anonymization applied |
| Paddle | UK/US | Payment email | Paddle DPA, PCI DSS compliant |

| Recipient | Purpose | Data Provided | Basis |
|---|---|---|---|
| Korean Bar Association / Local bar associations | Notification of confirmed name-lending or unauthorized consultation | Attorney identification info, violation details | Attorney Search Service Guidelines Art. 15(2) |
Profile information provided by member attorneys (name, office address, local bar association, specialties, contact information, etc.) is disclosed to users through search results and profile pages. Member attorneys retain the right to access, rectify, delete, and withdraw their information as data subjects.
Users (data subjects) may exercise the following rights under the Personal Information Protection Act:
- Request to view personal data processing status
- Request correction of inaccurate personal data
- Request deletion of personal data
- Request suspension of personal data processing
These rights may be exercised through the following channels. Processing results will be notified within 10 days of receipt:
Member Attorney Rights: Member attorneys registered with the Attorney Search Service may also exercise their data subject rights to access, rectify, delete, and withdraw their profile information (name, office address, specialties, contact info, etc.). Requests are processed through the same channel (email).
The Service implements the following technical and administrative measures to ensure the security of personal information:
- API access limited to authorized domains only
- All external API requests are authenticated
- Defensive headers against XSS, CSRF and other attacks applied
The Service is not intended for children under the age of 14, and we do not knowingly collect personal information from children under 14.
A Privacy Officer has been designated to oversee personal information processing and to handle data subject complaints and remedies.
Inquiries, access/correction/deletion requests, and complaint handling regarding personal information
Contact: choepeter@outlook.kr
Effective Date