1. Overview & Operator
STA (the “Company”, “we”, “our”) values your privacy and complies with the Korean Personal Information Protection Act (PIPA), the Act on Promotion of Information and Communications Network Utilization, the EU General Data Protection Regulation (GDPR), and the privacy guidelines of the Apple App Store and Google Play. This Policy applies to all STA services — the all-in-one STA app (calendar, mail, memo, tasks) and the standalone web survey SaaS Stats — and related integrations (collectively, the “Services”).
| Legal name | STA |
|---|---|
| Representative | Youngjun Choi |
| Registered address | 3F S43, 37 Ewhayeodae 7-gil, Seodaemun-gu, Seoul, Republic of Korea |
| Business registration no. | 313-19-02361 |
| Mail-order registration no. | 신고 준비 중 |
| Privacy inquiries | privacy@sta-suite.com |
| General support | support@sta-suite.com |
2. Information We Collect
2.1 Account registration
- Required: email address, password (stored as one-way hash) or OAuth identifier (Google · Apple)
- Optional: display name, profile image
2.2 Automatically collected
- IP address, access logs, cookies, device identifiers (we do not collect IDFA / AAID advertising identifiers)
- Operating system, app version, locale, time zone
- Usage logs (which features were used and when — anonymized for analytics)
- Crash and error reports
2.3 Payment information
- Payment method (issuer name, masked PAN — full card numbers are never stored on our servers)
- Transaction history (item, amount, timestamp, authorization code)
- Refund reason (when requested)
For in-app purchases on Apple or Google Play, the store handles payment information directly; we receive only receipt tokens and transaction IDs.
2.4 Service-specific data
| Service | Data | Storage |
|---|---|---|
| STA — Mail tab (external accounts) | IMAP/SMTP credentials, message bodies and attachments, contacts | Credentials are stored in the device’s secure storage (FlutterSecureStorage / Keychain / Keystore) with OS-level encryption. Message bodies remain in local cache by default. |
| STA — built-in mail & messenger (@sta-suite.com) | Account ID (= email address), password (one-way hash), recovery email, message/mail bodies, attachments and metadata (from/to, subject, timestamp) | Supabase (Seoul). Inbound via Cloudflare Email Routing → Workers; outbound via Resend. Messages between STA users are in-app DMs; built-in mail/messenger is accessible only through the STA app (no external IMAP/SMTP). |
| STA — Memo tab | Note content, attachments, tags, backlinks | Supabase (Seoul, ap-northeast-2) and local device |
| STA — Calendar tab | Event title, time, location, attendees; Google account ID and calendar data when Google Calendar is connected | Supabase (Seoul) and local device; Google data is synced only within the scope you authorize |
| Stats (Web surveys) | Survey questions and responses (may include PII depending on respondent input), respondent IP and device | Supabase (Seoul) |
3. Purposes of Use
- Identify and authenticate users
- Provide the Services — mail, notes, calendar, survey features, sync, backup
- Process payments and refunds, issue receipts
- Customer support — inquiries, abuse reports, error handling
- Improve the Services using anonymized, aggregated analytics
- Comply with legal obligations (e-commerce, tax, e-invoice)
- Prevent abuse — spam, fraud, automated misuse
- (With consent) Marketing communications and product news
4. Retention Period
We delete personal data without delay once the purpose for which it was collected is fulfilled. The following data is retained for the periods required by law.
| Category | Period | Legal basis |
|---|---|---|
| Account & user content | Deleted immediately on account closure | User request |
| Contracts and withdrawal records | 5 years | e-Commerce Act §6 |
| Payment and supply records | 5 years | e-Commerce Act §6 |
| Consumer complaints / disputes | 3 years | e-Commerce Act §6 |
| Advertising records | 6 months | e-Commerce Act §6 |
| Access logs (IP, etc.) | 3 months | Communications Privacy Act §15-2 |
| Tax invoices | 5 years | Framework Act on National Taxes §85-3 |
Electronic records are permanently deleted using non-recoverable methods; printed documents are shredded or incinerated.
5. Sharing with Third Parties
We do not share personal information with third parties except in the following cases:
- You have given explicit, prior consent (e.g. connecting an external service)
- Required by law or in response to a valid legal request from law enforcement
- Transmission to payment processors strictly necessary to charge you
When you connect Google Calendar, Apple Calendar, or similar services, you authorize access directly via OAuth, and STA processes the data only within the scope you grant.
6. Processors & Sub-processors
We engage the following processors. All processors are bound by data protection obligations under our processing agreements.
| Processor | Activity | Location |
|---|---|---|
| Supabase Inc. | Database, auth, storage, realtime sync | Republic of Korea (ap-northeast-2 Seoul) |
| Vercel Inc. | Web hosting and serverless functions | Global CDN (US · EU · APAC) |
| Cloudflare, Inc. | DNS, DDoS protection, CDN, built-in mail inbound routing (Email Routing · Workers) | Global |
| Resend (Plus Five Five, Inc.) | Outbound delivery for built-in mail (@sta-suite.com) and password-reset codes | United States |
| Google LLC (Gemini API) | AI features — reply drafts, summaries, event extraction, auto-tagging | Google data centers (US, etc.) |
| Google LLC (Firebase) | Push notifications (FCM), crash reporting | Global |
| RevenueCat, Inc. | In-app-purchase receipt validation, subscription management | United States |
| Stripe, Inc. | Card payments outside Korea | United States |
| TossPayments Corp. | Domestic card and bank-transfer processing | Republic of Korea |
| Apple Inc. | App Store in-app purchases and authentication | United States, etc. |
We will update this Policy if we change processors or the scope of processing. Cross-border transfers are made only to perform our contract with you, and are protected by TLS in transit.
7. Your Rights
You may exercise the following rights at any time:
- Access — view the personal data we hold about you
- Rectification / Erasure — correct or delete data
- Restriction — limit specific processing (e.g. analytics, marketing)
- Withdrawal of consent — for optional processing
- Account deletion — directly in the app under Settings → Account → Delete account (per Apple / Google requirements, deletion is available in-app)
- Data export — JSON, iCal, EML and other standard formats
- Object to / explain automated decisions — regarding AI auto-classification and routing (PIPA Art. 37-2; GDPR Art. 22)
STA’s AI auto-classification (routing a memo to calendar / task / mail) is an assistive feature subject to your confirmation; it does not, on its own, make fully automated decisions with legal or similarly significant effects. You may still object or request an explanation of how it works.
Send requests to privacy@sta-suite.com. After identity verification we will respond within 7 business days. A statutory representative may exercise these rights on behalf of children under 14.
8. EU/EEA Users (GDPR)
The following additional terms apply to users in the EU, EEA and UK.
8.1 Lawful basis
- Performance of a contract (Art. 6(1)(b)) — account, service delivery, payments
- Consent (Art. 6(1)(a)) — marketing, analytics cookies, optional integrations
- Legal obligation (Art. 6(1)(c)) — tax and accounting
- Legitimate interest (Art. 6(1)(f)) — security and abuse prevention
8.2 Data subject rights
Under Articles 15–22 GDPR you have rights of access, rectification, erasure (“right to be forgotten”), restriction, data portability, objection and rights regarding automated decision-making. Contact privacy@sta-suite.com — we will respond within one month.
8.3 International transfers
STA’s primary data location is the Republic of Korea (Supabase Seoul region). The European Commission has granted Korea an adequacy decision (December 2021), so EU→KR transfers require no additional safeguards. Transfers to other jurisdictions (e.g. Vercel, Stripe, RevenueCat in the US) rely on Standard Contractual Clauses (SCCs) or equivalent certifications (e.g. Data Privacy Framework).
8.4 DPO and EU representative
STA operates at a scale below the GDPR Art. 37 DPO designation threshold; our operations team acts as data protection contact. An EU representative under Art. 27 will be appointed if our EU activities exceed the relevant thresholds.
8.5 Right to lodge a complaint
EU users may lodge a complaint with their national supervisory authority. A list of authorities is maintained by the European Data Protection Board: edpb.europa.eu.
9. Security Measures
- Encryption in transit — all communication uses HTTPS / TLS 1.2+
- Encryption at rest — passwords are one-way hashed (bcrypt class); mail credentials are kept in OS-level secure storage (Keychain / Keystore)
- Password policy — aligned with US NIST SP 800-63B: minimum 8 characters, long passphrases encouraged, no forced complexity or periodic rotation, common/breached passwords blocked
- Access control — Supabase Row-Level Security (RLS), principle of least privilege
- Audit logging — administrative access is logged
- Internal management — the smallest possible set of staff processes personal data; regular security awareness
- Physical security — provided by our cloud infrastructure (Supabase · Vercel · Google Cloud) data-center standards
11. Children’s Information
STA does not knowingly collect personal information from children under 14. If we become aware that a user is under 14, we will delete the account and related data immediately. Children under 14 may use the Services only with verified consent of a legal guardian. (US users: COPPA applies to children under 13; EU users: GDPR Art. 8 applies, with the age of consent set by each member state between 13 and 16.)
12. App Store Data Disclosure
12.1 Apple App Store — App Privacy
The data declarations in App Store Connect are consistent with this Policy. Summary: Data Linked to You — email, purchase history, user content. Data Used to Track You — none.
12.2 Google Play — Data Safety
Our Play Console Data Safety form is consistent with this Policy. Data is encrypted in transit and you may request deletion at any time.
12.3 Account & data deletion
You may delete your account and all personal data directly in the app under Settings → Account → Delete account, or from the web at /account/delete. Deletion is irreversible; backups are purged within 30 days. (Payment and tax records that we are legally required to keep are retained for 5 years in segregated storage.)
13. Data Protection Contact
For privacy questions, complaints or remediation requests, please contact:
| Contact | STA Team (privacy operations) |
|---|---|
| privacy@sta-suite.com | |
| General support | support@sta-suite.com |
Korean users may also contact:
- Korea Internet & Security Agency Privacy Center — privacy.kisa.or.kr · 118
- Personal Information Dispute Mediation Committee — kopico.go.kr · 1833-6972
- Supreme Prosecutors’ Office Cybercrime Division — spo.go.kr · 1301
- Korean National Police Cybercrime Bureau — ecrm.police.go.kr · 182
14. Changes to this Policy
When this Policy changes, we will notify you at least 7 daysbefore the effective date (or 30 days for material changes) via in-app notice or email. A revision history is preserved at the bottom of this page.
- v1.2 — 2026-05-31 Documented password policy (NIST SP 800-63B), right to object/explain automated decisions (PIPA Art. 37-2), and in-app account deletion path
- v1.1 — 2026-05-31 Added built-in mail/messenger (@sta-suite.com) data items and processors (Resend, Cloudflare inbound routing)
- v1.0 — 2026-05-24 Initial release