Privacy Policy
CurrentUpdated privacy standards aligned with how Viral Pulse currently operates.
Summary of changes
Announced
2026-04-03
Effective
2026-04-03
First published
2025-01-08
Latest revision version
2026-04-03
What changed in this revision
- Added the external services currently used in production, including Google OAuth, YouTube Analytics, PostHog, Google Analytics, AdSense, and Creem.
- Reorganized the policy around actual service flows such as overseas transfers, cookies and analytics, payments and subscriptions, and marketing consent.
- Added on-screen version history so previous notices can be reviewed directly from the policy page.
Version history
Version
Effective: 2026-04-03
Effective: 2025-02-07
Full text
1. General
Shorts Story (the "Company") publishes this Privacy Policy to explain how personal data is processed while operating the Viral Pulse service (the "Service") in compliance with the Personal Information Protection Act of Korea and other applicable laws.
This Policy applies to personal data processed through the website, web application, customer support, payment workflows, and subscription management.
2. Personal data we process and how we collect it
The Company collects or generates personal data through the following methods.
2-1. Information provided directly by users
- Information received through Google OAuth login: email address, name, profile image
- Information submitted through support or refund/payment inquiries: name, email address, message contents, attached materials
- Marketing preference data: email marketing consent status
2-2. Information collected automatically while using the Service
- Access logs, IP address, browser/device information, operating system, access time, referrer, cookies, and similar identifiers
- Page visits, button clicks, feature usage records, error logs, session information, and usage patterns
- Online identifiers and usage data generated for traffic analytics or ad performance measurement
2-3. Information processed for specific features
- When YouTube Analytics is connected: Google account-based identifiers plus channel identifiers and analytics metrics for channels the user has authorized
- When paid services are used: order number, payment method category, payment amount, currency, payment status, subscription status, refund/cancellation history
The Company does not directly store sensitive payment instrument details such as full card numbers, bank account numbers, expiry dates, or CVC codes. Those details are processed by payment providers or payment infrastructure vendors under their own legal and security obligations.
3. Purposes of processing
The Company processes personal data only for the purposes below.
| Category | Purpose |
|---|---|
| Sign-up and login | User identification, account creation, session management, fraud prevention |
| Service delivery | Shorts/channel analytics, saved items, dashboards, customer support, service notices |
| YouTube-connected features | Analytics retrieval and insights for channels explicitly connected by the user |
| Payments and subscriptions | Payment processing, recurring billing status, refunds/cancellations, invoices and transaction history |
| Service improvement | Usage analysis, error detection, performance tuning, UX improvement |
| Marketing and updates | Product updates, events, benefit notices, newsletters where the user opted in |
| Legal compliance | Tax/accounting retention, dispute handling, compliance with applicable laws |
The Company does not use personal data beyond what is necessary for these purposes. If the purpose changes, the Company will take any required legal steps.
4. Categories of personal data
4-1. Required items
- Account data: email address, name
- Service usage data: access logs, IP address, browser/device data, cookies, access timestamps, page and feature usage history
- Payment/subscription data: order number, product/plan information, amount, payment status, refund status, subscription status
4-2. Optional or feature-based items
- Profile image
- Email marketing consent status
- YouTube channel identifiers and analytics metrics when YouTube Analytics is connected
- Additional materials submitted in support requests
4-3. Items not directly stored by the Company
- Full payment instrument details such as card number, bank account number, expiry date, and CVC
- Authentication credentials stored by payment providers or external platforms
5. Retention period
The Company retains and uses personal data for the period required by law or necessary to fulfill the service contract.
| Category | Retention period |
|---|---|
| Account data | Until account deletion |
| Service logs and analytics data | Up to 24 months from collection or until the purpose is fulfilled |
| YouTube-connected data | Until the user disconnects the integration or deletes the account |
| Marketing consent records | Until consent is withdrawn or the account is deleted |
| Records on contracts or withdrawal requests | 5 years |
| Records on payments and service supply | 5 years |
| Records on consumer complaints or dispute handling | 3 years |
| Access records where legally required | For the period required by applicable law |
If additional retention is required for fraud prevention, investigations, or dispute resolution, the Company may retain the relevant data until that purpose is completed.
6. Provision to third parties
The Company does not provide user personal data to third parties in principle, except where:
- the user gave prior consent,
- disclosure is required by law or a lawful government request, or
- disclosure is urgently necessary to protect life, body, or property.
Most external vendors used by the Company fall under entrusted processing or overseas processing, described in Sections 7 and 8 below, rather than ordinary third-party provision.
7. Entrusted processing
To operate the Service efficiently, the Company may entrust part of personal data processing to external vendors.
| Vendor | Entrusted work |
|---|---|
| Google LLC | Authentication, login, YouTube Analytics API integration |
| PortOne | Domestic payment processing, approvals/cancellations, payment-method change support |
| Creem (Armitage Labs OÜ) | Overseas payments and subscriptions, tax/invoicing/refund handling |
| PostHog | Product analytics, event and visit-log analysis |
| Google LLC (GA4/AdSense) | Traffic analytics, ad performance measurement, ad delivery |
When entering into vendor arrangements, the Company manages data protection obligations, security requirements, subcontracting restrictions, and incident response in accordance with applicable law.
8. Overseas transfers
Because the Service integrates external login, analytics, ad measurement, and overseas billing tools, personal data may be processed outside Korea. Transfers occur over encrypted networks when the relevant feature is used.
| Recipient | Country | Data transferred | Timing / method | Purpose | Retention / control standard | Basis |
|---|---|---|---|---|---|---|
| Google LLC | United States | Email, name, profile image, login identifiers, YouTube-connected data, visit/usage data | Transmitted when login, YouTube Analytics, GA, or AdSense loads | Authentication, channel analytics, traffic measurement, ad performance measurement | Until unlinking or according to the vendor's own policy | User-requested feature delivery |
| PostHog Inc. | United States | Page visits, event logs, browser/device data, email identifier after login | HTTPS transmission during use of the Service | Product analytics, feature improvement, error tracking | Until the purpose is fulfilled or the vendor relationship ends | Service operations and improvement |
| Armitage Labs OÜ (Creem) | Estonia | Payer email, order/payment details, subscription status, transaction identifiers | HTTPS transmission when overseas checkout or subscription is used | Overseas payment processing, tax handling, invoicing, refunds, disputes | According to legal retention duties and vendor policy after the transaction ends | Contract performance requested by the user |
Users may contact the Company regarding overseas transfers, and the Company will explain available safeguards within the scope allowed by law.
9. Data subject rights
Users may request any of the following at any time:
- access to personal data,
- correction or deletion,
- suspension of processing,
- withdrawal of consent, and
- explanations regarding overseas transfers, entrustment, or retention periods.
Requests may be submitted through the privacy contact below.
- Email: [email protected]
- In-service support/contact channels
The Company will respond without undue delay within the timeframe required by law, unless a legal exception or another person's rights would be affected.
10. Deletion of personal data
When the retention period expires or the purpose of processing is fulfilled, the Company deletes the relevant personal data without undue delay.
10-1. Procedure
- The Company identifies data subject to deletion after the purpose is fulfilled or the retention period expires.
- Data subject to statutory retention duties is separated and stored until the legal retention period ends.
10-2. Method
- Electronic records: securely deleted in a manner that makes restoration difficult
- Paper records: shredded or incinerated
11. Security measures
The Company implements the following security measures to protect personal data.
- Access control and least-privilege permissions
- Encryption in transit (HTTPS and similar controls)
- Access-log monitoring and anomaly detection
- Security patching and vulnerability review
- Internal operational procedures and authorization controls
Because no internet environment is perfectly secure, the Company continuously improves reasonable safeguards appropriate to the service.
12. Cookies and online identifiers
The Company may use cookies and similar technologies for session maintenance, service quality improvement, traffic analytics, and advertising/performance measurement.
Purposes
- Maintaining login state and essential functionality
- Understanding visit frequency, traffic paths, and page flows
- Improving the product through usage analysis
- Measuring advertising exposure and performance
How to refuse cookies
Users can block or delete cookies through browser settings. However, doing so may limit certain functions such as login persistence, payments, or personalized features.
- Chrome: Settings > Privacy and Security > Cookies and other site data
- Safari: Settings > Safari > Advanced > Block All Cookies, etc.
- Edge: Settings > Cookies and site permissions
13. Privacy contact
The Company designates the following person in charge of privacy.
- Name: Hyeongcheol Shin
- Title: CEO
- Email: [email protected]
- Main contact number: +82-507-1389-9403
For privacy complaints or harm relief, users may also contact relevant authorities in Korea, including the Personal Information Infringement Report Center (118) or the Personal Information Dispute Mediation Committee (1833-6972).
14. Changes to this Policy
This Privacy Policy takes effect on April 3, 2026.
The Company may revise this Policy when required by law or when service operations, vendors, or overseas-processing structures change. Material updates will be announced through the service, the policy page, or another appropriate channel.
Previous versions of this Privacy Policy are available from the version selector on this page.