Privacy Policy
Roovook Inc. (hereinafter referred to as the "Company") establishes and publishes this Privacy Policy in accordance with the Personal Information Protection Act (개인정보보호법) and related laws, to protect the personal information of service providers (service provider staff) and to promptly and smoothly handle related grievances.
This Policy applies to the personal information of service providers (service provider staff) collected and processed on business.roovook.com (product introduction page), the EMS dashboard (ems.roovook.com), and the email integration features operated by the Company. The personal information of general users (event organizers, bookers, etc.) is managed under a separate B2C Privacy Policy.
Article 1 (Purposes of Processing Personal Information)
The Company processes personal information for the following purposes. Processed personal information shall not be used for purposes other than those below, and if the purpose of use is changed, the Company will implement separate measures such as obtaining prior consent in accordance with Article 18 of the Personal Information Protection Act.
- SaaS service provision and account management: creation and authentication of EMS accounts, management of service usage permissions, subscription status management
- Handling demo and adoption inquiries: receipt and response to demo requests and adoption inquiries made through business.roovook.com
- Email integration service: Roovook EMS provides a feature that integrates the user's email account so that business email can be managed (read, compose, send, delete) in a unified manner within the EMS. The supported integration methods are as follows:
  - Microsoft Outlook (Microsoft Graph API, OAuth 2.0)
  - Gmail (Gmail API, OAuth 2.0)
  - Email accounts supporting IMAP/POP3
- External channel integration service: A feature that integrates with external messengers such as Slack and Microsoft Teams to deliver customer inquiry notifications to the service provider's work channels.
- Service improvement and statistical analysis: analysis of service usage, development of new features, and compilation of statistics in a form that does not identify individuals
Article 2 (Items of Personal Information Collected)
The Company collects the following personal information.
(1) Service Provider Staff Account Information
| Type | Items |
|---|---|
| Required | Name, email address, phone number, name of affiliated facility, job title |
| Optional | Profile picture, department name |
(2) Items Collected for Demo / Adoption Inquiries
| Type | Items |
|---|---|
| Required | Name, email address, phone number, facility name |
| Optional | Facility scale, features of interest, other inquiry content |
(3) Items Collected During the Email Integration Process
- OAuth 2.0 method (Microsoft Outlook, Gmail): email subject, body, attachments, sender/recipient information, email metadata (date, read status, folder information, etc.). Such data is accessed only within the scope of permissions explicitly consented to by the user through OAuth 2.0 authentication, and the user's password is not stored by Roovook.
  - Gmail API scopes: gmail.readonly, gmail.send, gmail.modify, userinfo.email
  - Microsoft Graph API scopes: Mail.Read, Mail.Send, User.Read, offline_access
- IMAP/POP3 method: email address, password or app password, mail server address (IMAP/POP3/SMTP), port number. These authentication credentials are encrypted and stored using industry-standard encryption (AES-256). The Company accesses email subject, body, attachments, sender/recipient information, and email metadata.
(4) Items Automatically Collected During Service Use
- IP address, access date and time, access history, and page usage records
- Device information (model name, OS version), browser information
- Information collected through cookies and similar tracking technologies
The Company does not collect unique identification information of service providers such as resident registration numbers, passport numbers, or driver's license numbers.
Article 3 (Retention and Use Period of Personal Information)
The Company processes and retains personal information within the retention/use period prescribed by law or the period consented to by the service provider at the time of collection.
- Principle: Personal information is destroyed without delay when the purpose of collection and use has been achieved.
- EMS account information: Retained until termination of the SaaS usage agreement. Destroyed within 30 days after termination of the agreement.
- Email integration data: Deleted immediately upon disconnection of email integration. Deleted within 30 days upon account withdrawal. OAuth 2.0 access tokens and refresh tokens are discarded immediately upon disconnection.
- Demo/adoption inquiries: 1 year after inquiry handling is completed. However, if a contract is signed, the information is retained for the duration of the contract.
- Statutory retention:
  - Records on contracts or withdrawal of subscription: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
  - Records on payment and supply of goods, etc.: 5 years (same Act)
  - Website/app visit records: 3 months (Protection of Communications Secrets Act)
Article 4 (Entrustment of Personal Information Processing)
To facilitate smooth service provision, the Company entrusts the following tasks to external specialized companies. Upon entrustment, the Company specifies in the agreement, in accordance with Article 26 of the Personal Information Protection Act, prohibitions on processing personal information beyond the purpose of the entrusted work, technical and administrative protective measures, restrictions on re-entrustment, and supervision of the processor, and supervises the processor to ensure safe handling of personal information.
| Processor | Scope of Entrusted Work |
|---|---|
| Google LLC (USA) | Google Cloud Platform infrastructure operation (service hosting, data storage, network processing) |
| Anthropic, PBC (USA) | Internal workflow automation such as automatic summarization and classification of inquiries (using Claude API). Data is not provided for AI training purposes. |
| OpenAI, L.L.C. (USA) | Internal workflow automation such as automatic summarization and classification of inquiries (using GPT API). Data is not provided for AI training purposes. |
| Google LLC (USA) | Internal workflow automation such as automatic summarization and classification of inquiries (using Gemini API). Data is not provided for AI training purposes. |
| Microsoft Corporation (USA) | EMS email integration: reading and sending Outlook email (OAuth 2.0) |
| Google LLC (USA) | EMS email integration: reading, composing, and sending Gmail email (OAuth 2.0). Data is not provided for AI training purposes. |
| Salesforce, Inc. (USA) | EMS external channel integration: delivery of customer inquiry notifications to Slack workspace channels (Bot OAuth 2.0) |
| Microsoft Corporation (USA) | EMS external channel integration: delivery of customer inquiry notifications to Teams channels (Graph API, OAuth 2.0) |
| Return Zero Inc. ((주)리턴제로) | Speech-to-Text conversion of call recording files (using VITO API). The converted text is used only for verifying and summarizing consultation content. |
| Daou Tech Inc. ((주)다우기술) | Message dispatching including SMS, LMS, email, and KakaoTalk AlimTalk |
In the event of addition or change of any processor, the Company will amend this Policy and provide notice.
Article 5 (Cross-Border Transfer of Personal Information)
The Company uses overseas cloud and AI services for the smooth operation of its services, and accordingly, the service provider's personal information is transferred to, stored in, and processed outside of Korea.
| Transferee | Country | Transferred Items | Purpose of Transfer | Method of Transfer | Retention and Use Period |
|---|---|---|---|---|---|
| Google LLC | USA | All collected items | Google Cloud Platform infrastructure operation (service hosting, data storage) | Encrypted network transmission | Until contract termination or termination of the entrustment agreement |
| Anthropic, PBC | USA | Inquiry content and the minimum items necessary for processing | Internal workflow automation such as inquiry summarization/classification (Claude API) | Encrypted API call | Immediately upon completion of API processing (not used for training) |
| OpenAI, L.L.C. | USA | Inquiry content and the minimum items necessary for processing | Internal workflow automation such as inquiry summarization/classification (GPT API) | Encrypted API call | Immediately upon completion of API processing (not used for training) |
| Google LLC | USA | Inquiry content and the minimum items necessary for processing | Internal workflow automation such as inquiry summarization/classification (Gemini API) | Encrypted API call | Immediately upon completion of API processing (not used for training) |
| Microsoft Corporation | USA | Email subject/body/attachments/sender/recipient information/metadata | EMS email integration (Outlook, Microsoft Graph API) | Encrypted API call (OAuth 2.0) | Immediately upon disconnection of email integration; within 30 days of account withdrawal |
| Google LLC | USA | Email subject/body/attachments/sender/recipient information/metadata | EMS email integration (Gmail API) | Encrypted API call (OAuth 2.0) | Immediately upon disconnection of email integration; within 30 days of account withdrawal (not used for training) |
| Slack Technologies | USA | Customer inquiry notification content (name, inquiry summary) | EMS external channel integration (Slack Bot) | Encrypted API call (OAuth 2.0) | Immediately upon disconnection |
| Microsoft Corporation | USA | Customer inquiry notification content (name, inquiry summary) | EMS external channel integration (Teams Graph API) | Encrypted API call (OAuth 2.0) | Immediately upon disconnection |
The Company implements necessary protective measures (execution of standard contracts, encrypted transmission, access controls, etc.) upon cross-border transfer, in accordance with Article 28-8 of the Personal Information Protection Act. Service providers have the right to refuse cross-border transfer, but some services may be restricted if refused.
Article 6 (Management of Email Integration Data)
(1) Disconnection and Revocation of Permissions
Users may disconnect email integration at any time.
- Within EMS: disconnect the email account in the Settings menu
- Microsoft Outlook: revoke the "Roovook EMS" app permission at myaccount.microsoft.com/permissions
- Gmail: revoke the "Roovook EMS" app permission at myaccount.google.com/permissions
- IMAP/POP3: stored authentication credentials (including password) are deleted immediately when disconnected in the EMS
Upon disconnection, cached email data and OAuth 2.0 tokens are immediately deleted and discarded.
(2) Data Deletion Requests
If a user wishes to delete specific data separately from email integration disconnection, the user may send a request to support@roovook.com, which will be processed within 30 days. Upon account deletion, all email integration data (cache, tokens, metadata) is completely deleted within 30 days.
(3) Access Restriction
Roovook processes email data only through automated systems, and staff do not directly view individual email content. Viewing is permitted only in exceptional cases such as the user's explicit consent (technical support, etc.), security incident investigation, or fulfillment of statutory obligations.
Article 7 (Google API Services User Data Policy)
- Roovook's use of the Gmail API and transfer of information received from the Gmail API to other apps complies with the Google API Services User Data Policy, including the Limited Use requirements.
- Roovook does not use user data obtained through Google Workspace APIs to develop, improve, or train generalized AI and/or ML models.
- Email data accessed through the Gmail API is used solely for the purpose of providing the email management features (reading, composing, sending) requested by the user.
- Roovook does not sell user data received through the Gmail API to third parties such as advertising platforms or data brokers.
- Roovook does not use user data received through the Gmail API for advertising purposes (including retargeting, personalized ads, and interest-based ads).
- Roovook does not use user data received through the Gmail API for credit scoring, loan screening, or comparable purposes.
Article 8 (Operation of Cookies and Automatically Collected Information)
(1) What Is a Cookie
The Company uses cookies to provide individualized services to users. A cookie is a small piece of information that a website transmits to a user's browser, which may also be stored on the user's device.
(2) Purposes of Using Cookies and Third-Party Tools
The Company uses cookies and similar tracking technologies for the following purposes, and uses third-party tools for certain features.
- Essential cookies: cookies strictly necessary for basic service operation such as maintaining login and security
- Functional cookies: cookies for user convenience features such as language settings and preservation of input content from previous visits
- Analytical cookies: cookies for compiling service usage statistics and service improvement
| Third-Party Tool | Provider | Purpose of Use | Country of Transfer |
|---|---|---|---|
| Google Analytics | Google LLC | Analysis of usage statistics such as page visits, dwell time, and acquisition paths | USA |
| Hotjar | Hotjar Ltd. | Analysis of user behavior (scroll, click) and UX improvement | Malta (EU) / USA |
| Microsoft Clarity | Microsoft Corporation | Analysis of user behavior (click, scroll, heatmap) and UX improvement | USA |
| Kakao SDK | Kakao Corp. (주식회사 카카오) | KakaoTalk account social login authentication | Korea |
| Facebook SDK | Meta Platforms, Inc. | Facebook account social login authentication | USA |
| Firebase Authentication | Google LLC | Phone/email/social account identity verification | USA |
The information collected by the above third-party tools includes cookie identifiers, IP addresses, device/browser information, and page usage records. Social login SDKs process only the minimum information needed for authentication (account identifier, authentication token); identifying information of individual users (name, phone number, etc.) is not passed to analytics tools.
(3) How to Refuse Cookies
Users may refuse the installation of cookies. Through browser settings, users may allow, block, or delete all cookies, or allow them selectively. Blocking essential cookies may limit service usage.
Article 9 (Measures to Ensure Security of Personal Information)
Pursuant to Article 29 of the Personal Information Protection Act and the Personal Information Protection Commission Notification "Standards for Security Measures for Personal Information," the Company implements the following security measures.
- Administrative measures: establishment and implementation of an internal management plan, regular personal information protection training for employees and processors, operation of access authority management procedures
- Technical measures: access control to the personal information processing system, encrypted storage and transmission of passwords and important personal information, installation and operation of security systems against hacking, storage and regular review of access logs
- Physical measures: access control to server rooms and data storage rooms
Article 10 (Rights and Duties of Data Subjects and Methods of Exercise)
Service providers may, at any time, exercise the following rights concerning their personal information against the Company.
- Request for access to personal information
- Request for correction or deletion of personal information
- Request for suspension of processing of personal information
- Request for withdrawal of consent and deletion of account
The exercise of the above rights may be made in writing, by email (support@roovook.com), or by phone in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will act on such requests within 10 days (Article 38 of the Personal Information Protection Act).
Article 11 (Data Protection Officer and Contact)
The Company has overall responsibility for tasks related to the processing of personal information and designates the following Data Protection Officer to handle service provider complaints and remedy damages related to personal information processing.
- Data Protection Officer: Sungmo Kim (김성모)
- Email: support@roovook.com
- Company: Roovook Inc. (주식회사 루북)
In addition, for reports or consultation regarding personal information infringement, you may contact the following agencies.
- Personal Information Infringement Report Center (privacy.kisa.or.kr / 118 without area code)
- Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)
- Supreme Prosecutors' Office Cybercrime Investigation Division (spo.go.kr / 1301 without area code)
- National Police Agency Cyber Investigation Bureau (ecrm.police.go.kr / 182 without area code)
Article 12 (Revision History and Notification Duties)
This Privacy Policy applies from the effective date. Any additions, deletions, or corrections made pursuant to changes in law or policy will be announced through notices at least 7 days before the effective date.
| Version | Effective Date | Key Changes |
|---|---|---|
| 1.0 | 2026.04.17 | Initial establishment (separated from the B2C Privacy Policy into B2B) |
Last amended: April 17, 2026