BackendX Privacy Policy
Effective Date: April 25th, 2026
Last Updated: April 24th, 2026
BackendX Inc. (주식회사 백엔드엑스) ("Company") complies with the Personal Information Protection Act of the Republic of Korea ("PIPA") and other applicable laws.
BackendX is a software-as-a-service (SaaS) platform that enables users to generate, deploy, and manage backend services online. This Privacy Policy describes how the Company collects, uses, and protects personal information of users of the BackendX Service ("Service").
This Policy applies to users located both inside and outside the Republic of Korea.
1. Personal Information Collected
The Company may collect and process the following personal information.
A. Information Provided by Users
- Email address
- Account identification information
- User-submitted requirements, configuration data, and text inputs
- GitHub account information (for repository integration or delivery)
B. Information Collected Automatically
- IP address, access time, browser type, and device information
- Service usage records, task request history, and Credit usage
- Error logs, system logs, and traffic-related metadata
C. California Notice at Collection
For California residents, this section serves as the notice required by the California Consumer Privacy Act (Cal. Civ. Code §1798.100(a)). The Company collects the categories of personal information listed in Sections 1.A and 1.B from the sources described in those sections, for the purposes listed in Section 2, retained for the periods listed in Section 4. The Company does not sell or share personal information as those terms are defined by the CCPA/CPRA and does not use sensitive personal information for purposes other than those permitted under Cal. Civ. Code §1798.121 without providing the right to limit. California residents may exercise the rights described in Section 8 at any time.
2. Purpose of Processing
Personal information is processed for the following purposes:
- Providing and operating the BackendX Service
- Account management and user identification
- Management of Credits, subscriptions, and payment processing
- Providing AI-powered service features
- Service quality improvement and error analysis
- Prevention of illegal use, abuse, and violations of the Terms
- Compliance with legal obligations and dispute resolution
3. Automated Analysis and Use of AI Tools
- To prevent illegal activities, abuse, and violations of the Terms, the Company may analyze user-submitted requirements and configurations using automated methods.
- For this purpose, the Company may use third-party AI tools solely as auxiliary means to assess potential illegality.
- Only the minimum information necessary for analysis is used. Third-party AI providers engaged for this purpose are contracted and configured to prohibit use of transmitted content to train external AI models, subject to the providers' configuration options and constraints selected by the Company to minimize such use.
- Automated analysis results are used as supporting indicators only and do not constitute final legal determinations.
- Automated decision-making disclosure (GDPR Art. 13(2)(f) / 22). The logic of automated analysis uses a combination of rule-based checks and third-party AI classification to flag potential Acceptable Use Policy violations. The analysis produces indicators of likely-violating activity, not final decisions. Any decision that produces legal or similarly significant effects for the User — including suspension, restriction, or termination of access to the Service — will include human review before enforcement, and the User may contest such a decision by contacting the Chief Privacy Officer at privacy@backendx.ai. The envisaged consequence of an adverse decision is restriction or termination of Service access and, where relevant, notification to competent authorities as required by law.
- No training of the Company's own models. The Company does not operate or train its own generative AI models. The Company does not use Requirements, interview conversations, configurations, or other customer content to train any AI model (whether the Company's own model or any third-party model), except where specific additional consent has been obtained from the User.
4. Retention Period
Personal information is retained only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law. Category-specific retention periods are as follows:
| Category | Retention Period | Legal Basis / Purpose |
|---|---|---|
| Account identification (email, account ID) | Until account deletion | Service provision; contract performance |
| User-submitted Requirements, configurations, text inputs, and interview conversations | Raw conversation content: up to 24 months from submission or until account deletion, whichever comes first; decision metadata (question text hash, classification, timestamps, artifact hash) retained up to 5 years | Service provision; dispute resolution; due-diligence evidence |
| GitHub account information | Until the User revokes GitHub integration or deletes the account | Output delivery |
| Payment records (Subscription / Credit purchases) | 5 years from the date of transaction | Korea Commercial Act Art. 64; Korea Act on Consumer Protection in Electronic Commerce Art. 6 (payment and contract records) |
| Consumer complaint / dispute records | 3 years | Korea Act on Consumer Protection in Electronic Commerce Art. 6 |
| Access logs, IP addresses, connection records | 3 months | Korea Protection of Communications Secrets Act Art. 15-2; security/abuse-prevention |
| Error logs, system logs, traffic metadata | Up to 12 months | Security, stability, and abuse prevention |
| Automated-analysis and illegality-detection outputs | Up to 12 months | Legal risk management; abuse prevention |
Upon account deletion, personal information is deleted without undue delay, unless retention is required by the laws cited above or is necessary to resolve an active dispute. Retained records are segregated and access-controlled.
5. Disclosure to Third Parties
- The Company does not sell personal information and does not disclose personal information to third parties except (a) where the User has given prior consent, (b) where disclosure is required by applicable law, court order, or lawful request from a competent authority, or (c) in connection with a corporate transaction (merger, acquisition, asset transfer), subject to prior notice to affected Users where required by law.
- "Sale" and "sharing" as defined by the California Consumer Privacy Act (CCPA/CPRA): the Company does not sell or share personal information for cross-context behavioral advertising.
6. Outsourcing of Processing (Consignment under PIPA Article 26)
The Company outsources ("consigns") certain processing activities. In accordance with PIPA Article 26, the current consignees and consigned tasks are:
| Consignee | Consigned Task | Location of Processing |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, storage, compute, and log hosting | United States, Republic of Korea, and other AWS regions as configured |
| GitHub, Inc. | Source-code repository and Output delivery | United States |
| OpenAI, L.L.C. / Anthropic, PBC / other third-party AI providers (as used) | Automated analysis and illegality-detection AI processing | United States |
| Payment service providers (e.g., Stripe, Inc.; Korean PG as applicable) | Payment processing, billing, chargeback handling | United States; Republic of Korea |
The current list of consignees is maintained on the Service and updated when changes occur. The Company requires each consignee to implement appropriate technical and organizational safeguards, restricts processing to the consigned purpose, prohibits sub-consignment without approval, and supervises compliance in accordance with PIPA Article 26.
7. Cross-Border Transfer of Personal Information
Platform data processed by the Company is primarily stored in the AWS Asia Pacific (Seoul) region (ap-northeast-2). Personal information may be transferred to and processed in countries outside the Republic of Korea (principally the United States) where the consignees listed in Section 6 operate — for example, when third-party AI providers, payment processors, or source-code hosts process data in their respective regions.
- Items transferred: the data categories listed in Section 1.
- Purpose: as described in Section 2 and Section 6.
- Recipients and destinations: as listed in Section 6.
- Retention at recipient: as described in Section 4, or for such shorter period as the recipient's contract requires.
- Transfer mechanism (GDPR / UK GDPR): where personal data of data subjects in the European Economic Area or the United Kingdom is transferred to a country without an adequacy decision, the Company relies on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, together with supplementary technical and organizational measures (encryption in transit and at rest, access controls, minimization) as documented in a transfer impact assessment available on request.
- Transfer mechanism (PIPA): the Company provides the disclosures required by PIPA Article 28-8 and, where legally required, obtains separate consent.
- Users may refuse cross-border transfer; however, refusal may make some or all Service features unavailable.
8. Rights of Users (PIPA, GDPR, UK GDPR, CCPA/CPRA)
Subject to applicable law, Users have the following rights:
- Access — obtain confirmation of, and a copy of, personal information processed about them.
- Rectification / correction — request correction of inaccurate or incomplete data.
- Erasure / deletion ("right to be forgotten") — request deletion subject to legal retention obligations.
- Restriction of processing — request that processing be limited in certain circumstances.
- Objection — object to processing based on legitimate interests, including profiling and direct marketing.
- Data portability — receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Withdrawal of consent — where processing is based on consent, withdraw consent at any time without affecting prior lawfulness.
- Right not to be subject to automated decision-making (GDPR Art. 22) — the Company's automated illegality-detection outputs are supporting indicators only; any decision that produces legal or similarly significant effects for the User (such as suspension or termination) will include human review, and the User may contest the decision by contacting the Company.
- Lodge a complaint — data subjects in the EEA/UK may lodge a complaint with their local supervisory authority; Korean data subjects may contact the Personal Information Protection Commission (privacy.go.kr) or the Korea Internet & Security Agency (privacy.kisa.or.kr); California residents may contact the California Privacy Protection Agency or Attorney General.
- California-specific rights (CCPA/CPRA): right to know categories/specific pieces of PI collected, sources, purposes, and third parties; right to delete; right to correct; right to opt out of sale/sharing (the Company does not sell or share); right to limit use of sensitive PI; right to non-discrimination for exercising these rights. Authorized-agent requests are accepted with verification.
Requests may be submitted to privacy@backendx.ai or team@email.backendx.ai. The Company will verify the requestor's identity and respond within the statutory timeframe (30 days under GDPR, extendable by 60 days; 45 days under CCPA, extendable by 45 days; 10 days for initial response under PIPA).
9. Security Measures
The Company implements technical and organizational measures to protect personal information, proportionate to the nature, scope, context, and purposes of processing and the risks to individuals.
Current measures include:
- Access control and authentication — role-based access with least-privilege defaults; multi-factor authentication on administrative accounts.
- Encryption in transit — TLS 1.2 or higher on all external interfaces and on connections to third-party processors (cloud providers, AI providers, payment processors, source-code hosts).
- Encryption at rest — storage-level encryption on databases and backups; additional application-level (column-level) encryption using an envelope pattern with key-management-service (KMS) keys for higher-sensitivity stores, including user-submitted Requirements and interview conversations. Decrypt operations on higher-sensitivity stores are logged.
- Secret scrubbing before external AI processing — where user-submitted content is sent to third-party AI providers for automated analysis (see Section 3), the Company applies deterministic redaction to remove obvious secrets (such as cloud access keys, bearer tokens, and payment-instrument patterns) before transmission. Third-party AI providers are engaged under contracts that prohibit use of transmitted content to train external models, subject to provider constraints.
- Logging and monitoring — access and activity logs retained per Section 4, with anomaly alerting for privileged access and decryption events.
- Incident response — documented procedures for detection, containment, investigation, and notification, aligned with the data-breach notification requirements in Section 14.
- Vendor due diligence — the Company enters into Data Processing Agreements (or PIPA-equivalent consignment agreements) with consignees listed in Section 6 and periodically reviews their security posture.
10. Legal Bases for Processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, the Company processes personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation, authentication, Service provision, payment processing, customer support | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud/abuse prevention, automated illegality detection, service-quality improvement, internal analytics | Legitimate interests (Art. 6(1)(f)) — balanced against data-subject rights |
| Retention of payment records, complaint records, access logs | Compliance with legal obligations (Art. 6(1)(c)) — Korean commercial and communications laws |
| Optional marketing communications (if any) | Consent (Art. 6(1)(a)), withdrawable at any time |
Users must not submit special-category personal data (GDPR Art. 9; PIPA Art. 23) in Requirements or interview conversations. Where such data is nonetheless submitted, the Company will process it only under a lawful basis permitting such processing (such as explicit consent under Art. 9(2)(a) or an applicable Art. 9(2) / PIPA Art. 23 exception) or will delete it upon identification. The Company does not knowingly process special-category data for purposes beyond operating the Service and complying with legal obligations.
11. Chief Privacy Officer (PIPA Article 31)
In accordance with PIPA Article 31, the Company designates a Chief Privacy Officer (개인정보보호책임자) responsible for overall management of personal information and handling of User requests and complaints.
- Chief Privacy Officer: DK Moon, Representative Director, BackendX Inc. (주식회사 백엔드엑스)
- Email: privacy@backendx.ai
- Postal address: 43, Changeop-ro, Eopmoo-dong, 4F 9-ho, Sujeong-gu, Seongnam-si, Gyeonggi-do, 13449, Republic of Korea
Users may contact the CPO for any privacy-related inquiry, request, or complaint. The CPO will respond within the statutory timeframe and will endeavor to resolve issues promptly.
12. EU / UK Representative (GDPR Art. 27 / UK GDPR)
To the extent GDPR Article 27 requires the Company to designate a representative in the European Union, and/or UK GDPR requires a UK representative, the Company will designate such representative(s) and publish their contact details in this Policy once appointed. Until a representative is formally designated, EEA/UK data subjects may contact the Chief Privacy Officer at privacy@backendx.ai to exercise their rights; the Company will not use the absence of a designated representative to deny or delay rights requests.
13. Children's Privacy
The Service is not directed to children under 13 (under the U.S. Children's Online Privacy Protection Act, "COPPA"), under 14 (under PIPA), or under 16 (under GDPR, subject to EU member-state variation). The Company does not knowingly collect personal data from children below those ages. In accordance with PIPA Article 22-2, processing of personal information of a child under 14 requires the consent of the child's legal guardian; the Company will not process such data without that consent. Under COPPA, the Company does not knowingly collect personal information from children under 13. If you believe a child has provided personal information without proper consent, please contact privacy@backendx.ai for prompt deletion.
14. Data-Breach Notification
In the event of a personal-data breach, the Company will notify affected Users and the relevant supervisory authorities in accordance with applicable law, including PIPA Article 34 (notification within 72 hours of awareness of breaches affecting 1,000 or more data subjects), GDPR Article 33/34 (supervisory-authority notification within 72 hours; data-subject notification where high risk is likely), and applicable U.S. state breach-notification statutes.
15. Contact
For privacy-related inquiries, rights requests, or complaints, please contact:
- Chief Privacy Officer: DK Moon
- Privacy Email: privacy@backendx.ai
- General Email: team@email.backendx.ai
- EU/UK Representative: to be designated (see Section 12)
16. Cookies and Similar Technologies
The Company distinguishes between the in-product Service (app.backendx.ai or equivalent) and the marketing website (backendx.ai).
- In-product Service. The in-product Service uses only strictly necessary cookies and similar technologies for authentication, session management, security, and service operation. These are essential to providing the Service and do not require consent under applicable law.
- Marketing website. The marketing website uses Google Analytics 4 ("GA4") for traffic measurement and product improvement. GA4 sets cookies (including _ga, _ga_<id>) that are classified as non-essential analytics cookies. Where the User is located in the European Economic Area, United Kingdom, or Republic of Korea, or in any other jurisdiction requiring prior consent for non-essential cookies, GA4 will not load until the User grants consent through the cookie banner displayed on the website. The User may withdraw consent at any time through the cookie-preferences control on the website. GA4 data is transferred to Google LLC in the United States under Google's standard contractual clauses and within its Consent Mode framework.
- Next.js framework. The Service is built using the Next.js framework. Next.js does not set tracking cookies by default; any Next.js-generated cookies used by the Service are strictly necessary and scoped to session management and security.
- Do Not Track and Global Privacy Control. The marketing website honors browser-level Global Privacy Control ("GPC") signals where technically feasible, treating them as an opt-out of analytics cookies for the affected session.
17. Changes to This Policy
This Privacy Policy may be amended due to changes in laws or Service operations. Any changes will be announced through the Service or by other reasonable means. Material changes will be notified in advance to the extent required by applicable law, and the "Last Updated" date at the top of this Policy will reflect the most recent revision.