Privacy Policy
What we collect, why, how long we keep it, and what control you have over it.
Effective 2026-05-27.
1. Who we are
GIGASCOPE is operated as a Korean sole proprietorship by Jaebin Kim, registered as GIGASCOPE, business registration number 568-24-02193, based at 42, Hongik-ro 5an-gil, Mapo-gu, Seoul 04039, Republic of Korea. Contact: support@gigascope.xyz.
We are the “data controller” for the personal data described below. The same individual serves as the personal-information manager (개인정보 보호책임자) under the Korean Personal Information Protection Act (PIPA).
2. What we collect
We minimize collection. The categories we collect are:
- Email address. Collected when you subscribe to the free digest or start a paid subscription. Used to send the digest, billing receipts, and service notices.
- Subscription tier and status. Whether you are on the free digest, paid charter tier, or unsubscribed; the timestamp of state changes; the source string identifying which page you signed up from.
- Telegram chat ID. Only if you explicitly link a Telegram account at /account. Used to deliver alerts you opted into.
- Server-side request data. Standard web-server access logs (IP address, user-agent, request path, timestamp). The signup IP is held for at most one hour as a per-IP rate-limit counter and is never linked to an email address. Visit-counter records hash the IP plus user-agent (SHA-256, truncated) so the underlying IP cannot be recovered from our store.
- Payment and billing data. Processed by a third-party payment provider acting as our Merchant of Record. We receive only subscription status, customer identifier, and country (for tax classification). We do not store card numbers, bank details, or full billing addresses.
We do not run third-party advertising trackers. The site uses a privacy-respecting visit counter that stores only an aggregate count per IP per day in our Upstash Redis store.
3. Why we collect (lawful basis)
- Consent (GDPR Art. 6(1)(a); PIPA Art. 15(1)(1)). Free-digest signup is consent-based. Submitting the email form counts as consent; you can withdraw it at any time via the unsubscribe link in every email or by emailing us.
- Performance of contract (GDPR Art. 6(1)(b); PIPA Art. 15(1)(4)). To deliver paid charter features, billing receipts, and refunds you signed up for.
- Legitimate interest (GDPR Art. 6(1)(f)). To operate, secure, and improve the service (rate-limiting, anti-abuse, debugging).
- Consent. For optional features such as Telegram linking and any future marketing emails (none currently sent).
- Legal obligation (GDPR Art. 6(1)(c)). Tax record-keeping as required by Korean Commercial Code Art. 33 and the Framework Act on National Taxes (5-year retention).
4. Where your data is actually stored
For full transparency, here is every place we hold data tied to your email address. Records that are not listed are not collected.
| Store | What it contains | Retention |
|---|---|---|
| subscribers:emails | Active mailing-list set (email only). | Until unsubscribe. |
| subscriber:<email> | Email, tier, signup-source string, timestamp; paid-only: Stripe IDs, plan, paidAt. | Free: until unsubscribe. Paid: 5 years after last transaction (KR tax). |
| subscribers:timeline | Sorted set of email → signup timestamp. | Same as subscriber hash above. |
| telegram:chat:<email> / telegram:email:<chat_id> | Bidirectional link between email and Telegram chat ID (only if you used /start). | Until you send /stop to the bot, or unsubscribe. |
| drip:sent:<email>:dN | Flag that drip N was already sent to this email (dedup). | 400 days, or deleted on unsubscribe. |
| catalyst:alert:sent:<email>:<id>:<window> | Flag that a T-7 / T-1 / T-0 milestone alert was already sent. | 400 days, or deleted on unsubscribe. |
| ratelimit:subscribe:<ip> | Per-IP signup counter (anti-abuse). Not linked to any email. | 1 hour TTL. |
| visits:<date>:uniques | SHA-256 hash of IP+UA. Pseudonymous; not reversible to PII. | 48 hours. |
| metric:sent:<type>:* | Aggregate per-email-type send counts. No per-user data. | 90 days per-day; lifetime total has no TTL. |
5. Sub-processors
We share data only with the service providers needed to operate the site. We do not sell personal data.
- Upstash, Inc. (United States)— Redis storage for the subscriber list, Telegram links, dedup flags, and visit counters. Bound by Upstash’s standard Data Processing Addendum including EU Standard Contractual Clauses.
- Resend, Inc. (United States)— Transactional and digest email delivery. Bound by Resend’s Data Processing Addendum incorporating EU SCCs.
- Vercel, Inc. (United States)— Hosting, serverless function execution, edge request logs. Bound by Vercel’s DPA and SCCs.
- Telegram FZ-LLC (Dubai, UAE)— Delivers bot messages if and only if you choose to link a Telegram chat. Telegram’s own privacy policy governs its handling of the chat ID.
- Payment Merchant of Record — Currently onboarding; once live, the active provider will be named on the checkout page and every billing receipt. It will act as a separate controller for tax-invoicing purposes and as a processor for fraud-prevention purposes.
Each provider receives only the minimum data needed for its function, and is contractually bound to use that data only for service delivery.
6. International data transfer
The personal data we collect is exported from Korea to the United States so that Upstash, Resend, and Vercel can process it. This transfer is performed under:
- For EU / UK / EEA data subjects: the European Commission’s Standard Contractual Clauses incorporated in each processor’s DPA (GDPR Art. 46(2)(c)).
- For Korean data subjects: explicit consent at signup pursuant to PIPA Art. 28(8), with the recipient, transfer purpose, data categories, retention period, and refusal rights disclosed here. The recipients are the three US processors named in section 5; the purpose is operating the digest, alerts, and paid-subscription service; the retention follows section 7; you may refuse cross-border transfer by not subscribing, in which case the service is not available.
7. How long we keep data
- Free subscribers: email + subscription state kept until you unsubscribe. On unsubscribe, every record listed in section 4 above is deleted within 24 hours; an event-level unsubscribe log (timestamp only, no email retained) may be kept for one year to comply with anti-spam laws.
- Paid subscribers: subscription record kept for the duration of the subscription plus 5 years after the last transaction, in line with Korean tax record-retention rules for businesses (Framework Act on National Taxes; Commercial Code Art. 33).
- Server access logs: 30 days at Vercel’s edge, then discarded.
- Telegram chat link: kept until you /stop the bot or unsubscribe.
- Visit-counter hashes: 48 hours per-day; lifetime aggregate is a non-reversible HyperLogLog approximation, not personal data.
8. Your rights — GDPR / UK GDPR / CCPA
If you are in the EU, UK, or California you have the right to:
- Access the personal data we hold about you (GDPR Art. 15; CCPA §1798.110).
- Correct inaccurate data (GDPR Art. 16).
- Delete your data (GDPR Art. 17; CCPA §1798.105), subject to retention obligations above.
- Export your data in a portable JSON format (GDPR Art. 20).
- Object to processing based on legitimate interest (GDPR Art. 21).
- Withdraw consent for any processing based on consent.
- Opt-out of sale or sharing of personal data (CCPA §1798.120). We do not sell or share for cross-context advertising; this right is informational.
- Lodge a complaint with the EU Member State DPA, the UK ICO, or the California Privacy Protection Agency.
To exercise any of these, email support@gigascope.xyz from the address associated with your subscription with subject line “Privacy request”. We respond within 30 days (GDPR) or 45 days (CCPA). Identity is verified by sending a one-click confirmation link to the registered email.
9. Your rights — PIPA (Korea)
Korean residents have the following rights under the Personal Information Protection Act:
- Right to be informed of processing purposes, items, retention, and recipients (PIPA Art. 4(1), Art. 20) — this policy itself.
- Right to access personal information held about you (PIPA Art. 35).
- Right to correction or deletion (PIPA Art. 36).
- Right to suspend processing (PIPA Art. 37).
- Right to refuse consent to cross-border transfer (PIPA Art. 28(8)). The consequence is that the service cannot be provided.
- Right to file a complaint with the Personal Information Protection Commission (개인정보보호위원회) on www.privacy.go.kr or the Korea Internet & Security Agency (KISA) on 118.
- Right to compensation for damage caused by violations (PIPA Art. 39).
Personal-information manager (개인정보 보호책임자): Jaebin Kim, contact support@gigascope.xyz. Korean-language requests are accepted and answered in Korean.
Cross-border transfer notice (PIPA Art. 28(8)): By subscribing, you consent to transfer of your email and Telegram chat ID (if linked) to the United States for storage and processing by Upstash, Resend, and Vercel as listed in section 5, for the purposes and retention periods described in this policy.
10. Cookies
The site uses no marketing or tracking cookies. Strictly-necessary cookies may be set by our hosting and payment providers for fraud prevention, session continuity, and billing flow.
11. Children
The service is not directed to children. We do not knowingly collect personal data from anyone under 14 (Korea), under 16 (EU), or under 13 (US). If you believe we have collected data from a child, email the contact above and we will delete the data without delay.
12. Security
All traffic between you and the service is TLS-encrypted. Subscriber data at rest is stored on Upstash and Vercel infrastructure with encryption at rest. Payment data is never stored on our infrastructure. It lives only with the third-party payment provider. Access to production systems is restricted to the operator using a personal credential.
Breach notification: if a personal-data breach is likely to result in a risk to your rights or freedoms, we will notify the lead supervisory authority within 72 hours (GDPR Art. 33) and the Personal Information Protection Commission and affected individuals within 72 hours (PIPA Art. 34 / Notification on Personal Information Safety Measures). Notice to affected users is delivered by email to the address on file and, when material, posted on this page.
13. Changes to this policy
Material changes will be communicated by email to active subscribers at least 30 days before they take effect. The current version date is shown at the bottom of this page; prior versions are available on request.
14. Contact
For privacy questions, data-subject requests, or complaints: support@gigascope.xyz. Mark the subject line “Privacy request” for fastest handling. You may write in English or Korean.