Semo Privacy Policy

Semo Labs Co., Ltd. ("Company") considers the personal information of users of the Semo service important and complies with applicable laws. The Company has established and discloses the following Privacy Policy to lawfully and transparently process and securely protect users' personal information.

The Company may process the following personal information.

1. Membership registration, login, and account management

• Items processed: email address, name or nickname, password (in case of direct sign-up), social login identifier, account status information
• Purposes: member identification, login, account creation and maintenance, identity verification, customer support
• Legal basis: conclusion and performance of the Service contract

2. Authentication, security, and prevention of fraudulent use

• Items processed: session tokens, login history, access timestamps, IP address, device identification information, browser information, OS information, app version, security logs, anomaly detection information
• Purposes: account protection, anomaly detection, prevention of fraudulent use, incident response, ensuring service stability
• Legal basis: performance of the Service contract, fulfillment of legal obligations, the Company's legitimate interests

3. Service provision and AI processing

• Items processed: prompts, messages, files, URLs, conversation history, outputs, request and response metadata for the model, usage information (token count, request count, cost), credit change history, feature usage records, error logs
• Purposes: AI response generation, file analysis, output delivery, usage calculation, billing, quality improvement, error handling, security inspection, policy enforcement
• Legal basis: performance of the Service contract, processing of User service requests, the Company's legitimate interests

4. Payment, recurring payment, and refunds

• Items processed: customer identifier, payment method registration status, billing key and other auto-payment identifiers, masked card information (issuer, last 4 digits, etc.), authorization, cancellation, and refund history, payment failure information, billing and settlement history
• Purposes: payment processing, recurring payment operation, settlement of overage fees, refund processing, prevention of duplicate payments, accounting and dispute response
• Legal basis: performance of the Service contract, fulfillment of legal obligations
• Note: The Company does not directly store sensitive payment information such as full card numbers, full expiration dates, or CVCs.

5. Customer inquiries and support

• Items processed: inquiry content, attached files, response history, and information provided by the User during consultation
• Purposes: handling inquiries, technical support, dispute response, service improvement
• Legal basis: performance of the Service contract, the Company's legitimate interests

6. Marketing and benefits

• Items processed: email address, push notification consent status, event participation information
• Purposes: notice of events, benefits, new features, promotions
• Legal basis: User consent
• Users may withdraw their consent at any time.

7. Personal information entered by Users

If the User enters personal information of themselves or third parties in prompts, messages, files, URLs, etc., the Company may process such information to the extent necessary for service provision, security inspection, error handling, customer support, and policy enforcement. When entering third-party personal information, Users shall obtain the legal authority to do so.

1. The Company shall destroy personal information without delay when the purpose of processing has been achieved. However, where retention is required for a certain period under applicable law, the information shall be retained separately for that period.
2. The Company's general retention periods are as follows:
   1. Member information: until membership withdrawal
   2. Payment and transaction-related information: until the retention period required by applicable law
   3. Records of consumer complaints and dispute resolution: until the retention period required by applicable law
   4. Inquiry history: 3 years after the inquiry ends or until the period necessary for dispute response
   5. Marketing consent information: until consent is withdrawn or membership is withdrawn
   6. Access and security logs: until the security and incident response purposes are fulfilled or until the retention period required by applicable law
3. Examples of major information retained pursuant to applicable law are as follows:
   1. Records related to display and advertising: 6 months
   2. Records related to contracts or withdrawal of subscription: 5 years
   3. Records related to payment of fees and supply of goods: 5 years
   4. Records related to consumer complaints or dispute resolution: 3 years
4. The Company may securely retain information subject to legal retention obligations separately from other information.

In principle, the Company does not provide Users' personal information to outside parties. However, the following are exceptions.

1. When the User has provided prior consent
2. When there is a legal basis
3. When there is a request from an investigative agency, court, supervisory authority, or other lawfully authorized body
4. When necessary to protect the life, body, or property interests of the User, where permitted by applicable law

The Company may outsource part of personal information processing to outside vendors for smooth provision of the Service. Current main contractors are as follows.

1. Toss Payments Co., Ltd.
   • Outsourced tasks: payment processing, recurring payment (auto-payment) operation, payment authorization, cancellation, and refund, prevention of fraudulent transactions, and customer support related to payments

When concluding outsourcing contracts, the Company verifies the personal information protection standards of contractors in accordance with applicable law and includes safety measures and oversight provisions in the contracts. When contractors are added or changed, the Company shall amend this Policy or provide separate notice within the Service.

1. The Company may outsource processing or transfer personal information through overseas providers in order to provide AI services.
2. The Company minimizes the items transferred to the scope necessary for service provision and applies protective measures such as use of internal identifiers, encryption in transit, and minimization of logs where possible.
3. The current main international transfers are as follows.

1. OpenRouter, Inc.

• Recipient: OpenRouter, Inc.
• Privacy contact email: privacy@openrouter.ai
• Country of transfer: United States
• Purpose of transfer: AI model routing, inference processing, incident response, and service provision
• Retention and use period: until the purpose of service provision is fulfilled, or until the period required by applicable law and contract

2. Supabase, Inc.

• Recipient: Supabase, Inc.
• Privacy contact email: privacy@supabase.io
• Country of transfer: Singapore
• Purpose of transfer: user authentication, data storage, service operation, and incident response
• Retention and use period: until the purpose of service provision is fulfilled, or until the period required by applicable law and contract

3. Vercel, Inc.

• Recipient: Vercel, Inc.
• Privacy contact email: privacy@vercel.com
• Country of transfer: United States
• Purpose of transfer: website hosting, request processing, deployment operations, log management, and visitor analytics
• Retention and use period: until the purpose of service provision is fulfilled, or until the period required by applicable law and contract

4. Amazon Web Services, Inc.

• Recipient: Amazon Web Services, Inc.
• Privacy contact email: aws-korea-privacy@amazon.com
• Country of transfer: United States
• Purpose of transfer: cloud infrastructure operation, file and log storage, content delivery, incident response, and security inspection
• Retention and use period: until the purpose of service provision is fulfilled, or until the period required by applicable law and contract

Last updated: April 25, 2026

Semo is an AI-powered desktop assistant that helps users manage their email, documents, spreadsheets, calendars, and tasks. This section describes how Semo collects, uses, and protects Google user data when you authorize Google integrations through OAuth.

When you use Semo, we access the following Google user data through OAuth:

• Gmail: Email messages and settings; ability to compose, modify, and send emails
• Google Drive: View, edit, create, and delete files
• Google Docs: View, edit, create, and delete documents
• Google Sheets: View, edit, create, and delete spreadsheets
• Google Calendar: View calendar lists; create, edit, and delete events
• Google Tasks: View, create, edit, and delete tasks

Your Google user data is used solely to provide Semo's AI assistant features that you explicitly request. We do not use your data for any other purpose.

Semo sends your Google user data to third-party large language model (LLM) providers - specifically OpenAI and/or Anthropic Claude - to generate AI assistant responses.

Important safeguards:

• These LLM providers operate under API agreements that prohibit training on user data.
• Your Google user data is NOT used to train, fine-tune, or improve any foundational or machine learning model.
• This processing complies with the Google API Services User Data Policy Limited Use requirements.

We protect your data using industry-standard security measures:

• In transit: All data is encrypted using TLS 1.2 or higher
• At rest: Data stored on our systems (if any) is encrypted using AES-256
• Token storage: OAuth tokens are stored in OS-native secure keystores (Windows Credential Manager, macOS Keychain, or Linux Secret Service)

• We do not retain your Google user data longer than necessary to fulfill your requests.
• You can revoke Semo's access to your Google account at any time through your Google Account settings.
• You can request deletion of your data by contacting us at contact@wekeepgrowing.com.
• All user data is deleted within 30 days of a deletion request.

We never sell, transfer, or share your Google user data with third parties for:

• Advertising
• Analytics or profiling
• Surveillance
• Any secondary purpose beyond providing Semo's AI assistant features

The only third parties that receive your data are the LLM providers (OpenAI, Anthropic) as described above, and solely for the purpose of generating AI responses.

You have the right to:

• Access the data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Revoke Semo's access to your Google account
• Withdraw consent for AI processing

To exercise these rights, contact us at contact@wekeepgrowing.com.

Semo complies with:

• Google API Services User Data Policy
• Google OAuth 2.0 Policies
• Limited Use Requirements for Google user data

Semo is not directed at children under 13. We do not knowingly collect data from children.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this policy.

For privacy-related questions or requests:

Email: contact@wekeepgrowing.com

Website: https://semo.world

Semo's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

1. The Company shall destroy personal information without delay when the retention period has elapsed or the purpose of processing has been achieved.
2. The destruction procedure is as follows:
   1. Personal information for which a destruction reason has arisen is selected.
   2. If there is a legal retention obligation, the information is stored separately and destroyed when the period expires.
   3. Destruction is carried out under the supervision of the Privacy Officer or an authorized person in charge.
3. The methods of destruction are as follows:
   1. Information in electronic file form is deleted using technical methods that prevent recovery.
   2. Information in paper document form is shredded or incinerated.

1. Users may exercise the following rights in respect of their personal information at any time.
   1. Request to access
   2. Request to correct
   3. Request to delete
   4. Request to suspend processing
   5. Request to withdraw consent
   6. Request to withdraw membership
   7. Request to refuse, request explanation about, or request review of automated decisions
2. Users may submit requests to exercise their rights to support@semo.world, and the Company shall take action without delay in accordance with applicable law.
3. The Company may request additional information necessary to verify the identity of the requester.
4. Where access, correction, deletion, or suspension of processing may be restricted under applicable law, the Company shall provide notice of the reason.

1. The Company may use automated processing systems for security, prevention of fraudulent use, ensuring service stability, usage calculation, credit deduction, and fee calculation.
2. As a rule, the Company operates so that decisions that have material effects on the rights or obligations of Users are not made entirely by automated systems.
3. However, where an automated decision having a material effect under law is made, the User may request to refuse, receive an explanation of, or request review of the decision, and the Company shall, in accordance with applicable law, provide reprocessing with human intervention or any necessary explanation.
4. Requests related to automated decisions are accepted under the procedures in Article 7.

The Company implements the following measures to ensure the security of personal information.

1. Minimization of access rights and access control
2. Application of security in transit and at rest
3. Retention of access logs and monitoring of anomalies
4. Vulnerability assessment, security patching, and incident response procedures
5. Training of personal information handlers and operation of internal management plans
6. Inspection of protective measures of contractors and overseas transfer recipients

1. The Company may use cookies and similar technologies for login persistence, security, service improvement, and optimization of the user experience.
2. Users may refuse to store cookies through their browser or app settings.
3. However, refusing cookies may restrict the use of certain features.

1. The Company does not knowingly collect personal information of children under 14 years of age, except as required by applicable law.
2. If the Company becomes aware that personal information of a child under 14 years of age has been collected, it shall promptly delete the information or take other necessary protective measures.

The Company designates the following Privacy Officer to oversee personal information processing and to handle Users' complaints and remedies.

Company name: Semo Labs Co., Ltd.

CEO: Chanbin Park

Privacy Officer: Jaewon Yoon

Email: support@semo.world

Customer support phone: 010-3180-6601

Address: Suite B-713, 401 Yangcheon-ro, Gangseo-gu, Seoul 07528, Republic of Korea

Users may contact the following organizations for consultation and reporting related to personal information infringement.

1. Personal Information Infringement Reporting Center: 118 (toll-free)
2. Personal Information Dispute Mediation Committee: 1833-6972
3. Supreme Prosecutors' Office: 1301 (toll-free)
4. National Police Agency: 182 (toll-free)

1. The Company may amend this Policy in accordance with changes in applicable law, the Service, or internal operating policies.
2. In the event of material changes, prior notice shall be provided through in-Service announcements or other appropriate means.
3. The effective date and version of this Policy shall be indicated at the top of the document.

This Policy takes effect on March 26, 2026. The amendments to this Policy take effect on April 24, 2026.