Privacy Policy

Effective: 2026-04-30 · Bilingual (EN / KO) · Multi-jurisdiction notices

SmileStory operates assess.smilestory.ai, a self-serve AI compliance assessment SaaS. This policy explains what data we collect, why, and how we comply with GDPR (EU), CCPA/CPRA (California), and APPI (Japan).

2. How we use it

To generate your compliance report, deliver the PDF, send admin alerts (Telegram), and improve the diagnostic models in aggregate, anonymized form. We never sell your data.

EUGDPR Notice (Articles 13 & 14)

Controller: SmileStory · dpo@smilestory.ai
Legal basis: Article 6(1)(b) (contract performance — generating your report) and 6(1)(f) (legitimate interest — service security).
Your rights: access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. Contact the DPO above.
Cross-border transfers: data may be processed in the Republic of Korea. We use the EU-approved Standard Contractual Clauses (SCC) for transfers outside the EEA.
Retention: diagnosis answers 30 days; aggregate, anonymized statistics indefinitely.
Lodge a complaint: your local supervisory authority (e.g., CNIL, BfDI).

USCCPA / CPRA Notice (California)

"Do Not Sell or Share My Personal Information": we do not sell or share personal information for cross-context behavioral advertising. No action is required, but you may still confirm by emailing privacy@smilestory.ai.
Categories collected: identifiers (email), commercial information (purchase), internet activity (logs).
Your rights: right to know, delete, correct, limit use of sensitive PI, and non-discrimination.

JPAPPI Notice (Japan)

事業者: SmileStory
利用目的: AI コンプライアンス診断レポートの生成・配信、サービス改善。
第三者提供・国外移転: 大韓民国(韓国)で処理されます。同意の撤回・開示・訂正・削除請求は privacy@smilestory.ai までお問い合わせください。

3. Cookies

We use only strictly necessary cookies (session, language preference, cart). No advertising trackers.

4. Contact

SmileStory · privacy@smilestory.ai · DPO: dpo@smilestory.ai