Privacy Policy — serversim

serversim (https://serversim.io, “Company”) values your privacy. This page summarizes — in English — what personal data we collect, why, how long we keep it, and your rights. It is aligned with the Korean Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization, the EU GDPR, and the Google API Services User Data Policy.

1. Data we collect

1.1 Sign-in (Google OAuth 2.0)

We receive only the minimum scopes from Google:

email address (email scope) — account identifier & notifications
display name / profile picture URL (profile scope) — UI personalization
stable Google user ID (sub) (openid scope) — durable account linkage

We never access Gmail, Drive, Calendar, Contacts, or any other Google Workspace data. Use of Google data is restricted to the Limited Use requirements of the Google API Services User Data Policy.

1.2 Account & usage data

Auth session tokens (HTTP-only cookies)
Saved scenarios (architecture JSON you create) — only stored when you explicitly save
Subscription state (Pro plan tier, validity dates) — once we enable billing
Aggregated, anonymous usage metrics — page views, error rates

1.3 What we never collect

No address, phone number, age, gender, ID number, behavioral profiling, or third-party ad-tracking pixels.

2. Purpose of processing

Authenticating your account and personalizing the UI
Storing scenarios you choose to save
Processing subscription billing (when enabled)
Anonymous service quality measurement

3. Retention

Personal data is kept while your account is active. On account deletion we erase your record within 30 days (legal retention obligations excepted). Saved scenarios are deleted immediately on request.

4. Sub-processors

We use the following sub-processors. Each operates under its own privacy notice and is bound by data-processing agreements where required.

Supabase, Inc. (USA, AWS-backed) — authentication & database
Vercel Inc. (USA) — global edge hosting & CDN
Lemonsqueezy (USA, Delaware) — Merchant of Record for billing
Anthropic Inc. (USA) — AI Review API (when used)
Cloudflare (USA) — DDoS mitigation & partial CDN
Google LLC (USA) — OAuth identity provider only

5. Your rights

You may at any time:

Access, correct, export, or delete your data
Withdraw consent (revoke the Google OAuth grant in your Google Account > Security > Third-party access)
Object to or restrict processing
Lodge a complaint with your local data protection authority (e.g. the Korean PIPC for KR residents, your EU member-state DPA for EU residents)

To exercise these rights, email pajamasi726@gmail.com. We respond within 30 days under GDPR / KR PIPA timelines.

6. Cookies

We use essential cookies only (auth session, locale preference). No advertising or cross-site tracking cookies. See our Cookies page for details.

7. Security

HTTPS / TLS 1.2+ everywhere
Passwords delegated to Google (we never store passwords)
Server-side Supabase Row-Level Security (RLS)
Webhook signature verification (HMAC-SHA256)

8. International transfers

Sub-processors operate in the United States. Transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Google API data policy compliance

We comply with the Google API Services User Data Policy, including the Limited Use requirements:

We never sell or transfer Google data to third parties.
We never use Google data for advertising.
We never let humans read Google data, except for: security investigations, legal obligations, explicit user consent, or anonymized aggregate analytics.

10. Changes

Material changes are announced 7 days in advance (30 days when the change is adverse to users). Continued use after the effective date constitutes acceptance.

11. Governing law

This summary is informational. The Korean version is the authoritative legal text. Disputes are governed by the laws of the Republic of Korea.

Contact: pajamasi726@gmail.com

1. Data we collect

1.1 Sign-in (Google OAuth 2.0)

We receive only the minimum scopes from Google:

email address (email scope) — account identifier & notifications
display name / profile picture URL (profile scope) — UI personalization
stable Google user ID (sub) (openid scope) — durable account linkage

1.2 Account & usage data

Auth session tokens (HTTP-only cookies)
Saved scenarios (architecture JSON you create) — only stored when you explicitly save
Subscription state (Pro plan tier, validity dates) — once we enable billing
Aggregated, anonymous usage metrics — page views, error rates

1.3 What we never collect

No address, phone number, age, gender, ID number, behavioral profiling, or third-party ad-tracking pixels.

2. Purpose of processing

Authenticating your account and personalizing the UI
Storing scenarios you choose to save
Processing subscription billing (when enabled)
Anonymous service quality measurement

3. Retention

Personal data is kept while your account is active. On account deletion we erase your record within 30 days (legal retention obligations excepted). Saved scenarios are deleted immediately on request.

4. Sub-processors

We use the following sub-processors. Each operates under its own privacy notice and is bound by data-processing agreements where required.

Supabase, Inc. (USA, AWS-backed) — authentication & database
Vercel Inc. (USA) — global edge hosting & CDN
Lemonsqueezy (USA, Delaware) — Merchant of Record for billing
Anthropic Inc. (USA) — AI Review API (when used)
Cloudflare (USA) — DDoS mitigation & partial CDN
Google LLC (USA) — OAuth identity provider only

5. Your rights

You may at any time:

Access, correct, export, or delete your data
Withdraw consent (revoke the Google OAuth grant in your Google Account > Security > Third-party access)
Object to or restrict processing
Lodge a complaint with your local data protection authority (e.g. the Korean PIPC for KR residents, your EU member-state DPA for EU residents)

To exercise these rights, email pajamasi726@gmail.com. We respond within 30 days under GDPR / KR PIPA timelines.

6. Cookies

We use essential cookies only (auth session, locale preference). No advertising or cross-site tracking cookies. See our Cookies page for details.

7. Security

HTTPS / TLS 1.2+ everywhere
Passwords delegated to Google (we never store passwords)
Server-side Supabase Row-Level Security (RLS)
Webhook signature verification (HMAC-SHA256)

8. International transfers

Sub-processors operate in the United States. Transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Google API data policy compliance

We comply with the Google API Services User Data Policy, including the Limited Use requirements:

We never sell or transfer Google data to third parties.
We never use Google data for advertising.
We never let humans read Google data, except for: security investigations, legal obligations, explicit user consent, or anonymized aggregate analytics.

10. Changes

Material changes are announced 7 days in advance (30 days when the change is adverse to users). Continued use after the effective date constitutes acceptance.

11. Governing law

This summary is informational. The Korean version is the authoritative legal text. Disputes are governed by the laws of the Republic of Korea.

Contact: pajamasi726@gmail.com

개인정보처리방침

1. Data we collect

1.1 Sign-in (Google OAuth 2.0)

1.2 Account & usage data

1.3 What we never collect

2. Purpose of processing

3. Retention

4. Sub-processors

5. Your rights

6. Cookies

7. Security

8. International transfers

9. Google API data policy compliance

10. Changes

11. Governing law

개인정보처리방침

1. Data we collect

1.1 Sign-in (Google OAuth 2.0)

1.2 Account & usage data

1.3 What we never collect

2. Purpose of processing

3. Retention

4. Sub-processors

5. Your rights

6. Cookies

7. Security

8. International transfers

9. Google API data policy compliance

10. Changes

11. Governing law