Privacy Policy
PopcornSAR Co., Ltd. ("PopcornSAR", "we", "us", or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you visit our website (https://autosar.io), use PAIO (our locally-installed client application), use PARA (our server-based service), or otherwise interact with us (collectively, the "Service").
This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Personal Information Protection Act of the Republic of Korea (PIPA), the Act on the Protection of Personal Information of Japan (APPI), and other applicable data protection laws.
If you do not agree with this Policy, please do not use the Service.
1. Data Controller
The data controller responsible for your personal information under this Policy is:
PopcornSAR Co., Ltd. Business Registration Number: 206-87-03697 Representative Director: Seungyueb Chae (채승엽) Registered Office: 2F Nobel Building, 16 Teheran-ro 78-gil, Gangnam-gu, Seoul, Republic of Korea Email: contact@popcornsar.com Website: https://autosar.io
Data Protection Officer (DPO): Name: Min-hyun Jun (전민현) — Team Lead, Sales & Business Operations Email: mhjun@popcornsar.com Phone: +82-10-8754-8758
For questions about this Policy or to exercise your rights, please contact us at contact@popcornsar.com or the DPO email above.
2. Information We Collect
We collect the following categories of personal information across all components of the Service (PAIO, PARA, and the website).
2.1 Information You Provide Directly
| Category | Items |
|---|---|
| Account Information | Name, company name, job title, country, and similar profile information you provide on signup or use. We do not store user passwords; authentication is performed via Google OAuth or email-based magic links (see Section 2.2). |
| Billing Information | Name, billing address, country, and tax/VAT identifier when relevant. Full payment card and bank account details are collected and processed by Paddle (international) or Toss Payments (Republic of Korea) and are not stored on our servers (see Section 5). |
| Communications | Information you provide when contacting support, submitting a refund request, or completing surveys. |
| Website Chatbot | Questions you submit, our responses, and timestamps recorded by the chatbot on our website. |
2.2 Information from Third-Party Authentication and Payment Providers
| Source | Items |
|---|---|
| Google OAuth (authentication provider) | Google Account ID, email address, display name, and profile image URL — provided by Google upon your authorization. |
| Payment processors (Paddle / Toss Payments) | Transaction confirmations, billing country, and partial card information for invoicing and fraud prevention. |
2.3 Information Automatically Collected by the PAIO Application
PAIO is installed locally on your device, but it communicates with our servers for license validation, automatic updates, and authentication. The following information is collected through that communication.
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Access Logs | IP address, access timestamp, request URL, HTTP method, response code, User-Agent | Service stability, blocking abnormal access, security-incident response | 14 days (nginx / reverse proxy layer) |
| Device Information | OS type and version, CPU architecture, device name (host name), application version | Auto-update build matching, license-seat management, fraud detection | Account lifetime |
| Device Identifiers | Machine ID (16-character SHA-256 hash of host name + OS + architecture + home directory), server-issued session ID (UUID) | License-seat (per-device) limits, multi-device management, identification of multiple devices on one account | Account lifetime |
| Account Identification | Google Account ID, email, display name, profile image URL, license tier, first / last application sign-in timestamps, account creation / modification timestamps | Member identification, authentication, prevention of unauthorized login | Account lifetime |
| Authentication Tokens | Token hash (SHA-256), issuing source (app / web / extension), issued / expires / last-used timestamps, revoked status | Session persistence, authorization checks | 30 days (auto-deleted on expiry) |
| Device Sessions | machine_id, session ID, device name, OS, application version, last verification time, revoked status | Multi-device management, seat enforcement, abnormal-access detection | Account lifetime or until session revocation |
| Usage History | Downloaded project / repository / tag / file name / file size / timestamp; auto-update check timestamps; license verification timestamps | License management, statistics, fraud prevention | Account lifetime |
| Security Events | Login failure counts, account-lockout expiry timestamps | Brute-force protection, security-incident response | Until security handling completes |
| License & Subscription | License tier (trial / standard / premium), trial start / expiry dates, subscription status, current billing-period start / end | Trial-expiry computation, paid conversion management, license-permission enforcement | Account lifetime |
| Temporary Authentication Data | Magic-link codes, Device Flow codes (for Google OAuth polling) | Authentication procedures | Until use or expiry (typically minutes) |
Payment-related data collection is set out separately in Section 2.6.
2.4 Information Automatically Collected on the Website (https://autosar.io)
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Access Logs | IP address, access timestamp, request URL, response code, data size, Referer, User-Agent | Service stability, blocking abnormal access, statistical analysis | 14 days (nginx logs) |
| Cookies | Login session (connect.sid), CSRF token, OAuth PKCE, language preference | Login persistence, security, user preferences | connect.sid: 24 hours; others vary by cookie (see Section 8) |
| Analytics (Google Analytics 4) | Page views, navigation paths, click and scroll events, device and resolution, country / city estimates | Usage statistics and UX improvement | Per Google's GA4 policy (typically 14 months) |
| Chatbot Activity | Question content, response content, input timestamps | Quality improvement and error analysis | Up to 1 year |
2.5 Information Automatically Collected by the PARA Service
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Access Logs | IP, URL, response code, Referer, User-Agent | Security-incident response, blocking abnormal access | 14 days (nginx logs) |
| Account Identification | Google Account ID, email, name, profile image, member tier, login records | Member identification, authentication, prevention of unauthorized login | Account lifetime |
| Authentication Tokens | Token hash, issuing source, expiry timestamp | Session persistence, authorization checks | 30 days |
| Device Information | machine_id, OS, application version, last verification time | Multi-device management, abnormal-access detection | Account lifetime |
| Usage History | Downloaded project / version / file name / size / timestamp | License management, statistics, fraud prevention | Account lifetime |
| Container Operation Logs | pull / push / delete / create operations | Usage tracing, security-incident response, license management | Account lifetime |
| Temporary Authentication Data | Magic-link codes, Device Flow codes, robot-account information | Authentication procedures | Until use or expiry |
2.6 Payment-Related Information Collected Automatically
When you make a payment through PAIO or our checkout page, the following data is collected automatically. Depending on the type of transaction, the data is processed either by PopcornSAR or by the relevant payment provider (Paddle / Toss Payments). PopcornSAR does not directly collect or store sensitive card credentials.
A. Payment Information Collected and Stored Directly by PopcornSAR
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Transaction Identifiers | Payment session ID (UUID), plan, billing cycle, amount and currency, PG provider (toss / paddle), billing email, PG transaction ID | Payment processing, transaction identification, refund handling | 5 years |
| Consent Records | Records of consent to the Terms of Service and to the collection and use of personal information, including timestamps | Proof of contract formation, dispute response | 5 years (Act on the Consumer Protection in Electronic Commerce) |
| Transaction Outcome | Payment success / failure, transaction number, card brand, masked card number (first 6 + last 4 digits only), encrypted recurring-payment token (billing key, AES-256-GCM), billing country and currency, VAT, receipt URL, payment history (success / failure / refund) | Subscription management, refund handling, tax-invoice issuance | 5 years (Korean Framework Act on National Taxes and Act on the Consumer Protection in Electronic Commerce) |
B. Information Collected and Processed by the Payment Provider (Toss Payments / Paddle)
The sensitive payment credentials you enter into the checkout window are collected and processed by the payment provider directly. PopcornSAR does not receive or store this information.
| Processor | Items | Purpose | Retention |
|---|---|---|---|
| Toss Payments Co., Ltd. (Korean transactions — sub-processor) | Card number, expiration date, CVC, billing address, 3DS authentication data, IP address, User-Agent, device / browser fingerprint | Payment processing, fraud detection (FDS), identity verification, tax-jurisdiction determination | Per Toss Payments policy and applicable laws (e.g. 5 years under Korea's Electronic Financial Transactions Act) |
| Paddle.com Market Limited (international transactions — Merchant of Record) | Card number, expiration date, CVC, billing address, 3DS authentication data, IP address, User-Agent, device / browser fingerprint | Payment processing, fraud detection (FDS), identity verification, tax-jurisdiction determination | Per Paddle policy and applicable laws |
C. Payment SDK Cookies
The Toss Payments and Paddle checkout SDKs loaded on our payment pages set their own cookies for session continuity and fraud detection (also discussed in Section 8).
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Payment SDK Cookies | Session and fingerprint cookies set by the Toss Payments / Paddle checkout SDKs | Payment-session continuity, fraud detection | Session through several months (per each PG's policy) |
No direct storage of card credentials by PopcornSAR. PopcornSAR does not collect or store full card numbers, CVC, expiration dates, or bank account numbers. These are entered by you directly into the payment provider's checkout window — a PCI-DSS-aligned separation of payment-credential handling.
2.7 Information Stored on Your Device and Not Transmitted to Us (PAIO Client)
The following data is stored by the PAIO client on your local device and is not transmitted to our servers:
- Cached machine ID
- Application preferences and workspace settings
- PAIO in-application chatbot conversation sessions
- License cache
- Authentication tokens (encrypted via OS keychain or equivalent)
- UI preferences (localStorage)
In addition, the content of project files (e.g. .arxml work files) that you create, edit, or generate within PAIO is not transmitted to our servers; we only record download history.
2.8 Information We Do NOT Collect (Stated for Clarity)
We do not intentionally collect or use any of the following:
- Third-party analytics or telemetry SDKs inside the PAIO client: Google Analytics, Sentry, Firebase, Mixpanel, etc., are NOT embedded in the PAIO client. (Note: GA4 IS used on the autosar.io website only — see Section 2.4.)
- Location data: GPS, Wi-Fi, or cell-tower-based location data is not collected.
- Hardware-level identifiers: MAC addresses, disk serial numbers, etc., are not collected. The "Machine ID" is a hash of OS attributes and is not a direct hardware identifier.
- OS permission-gated information: Microphone, camera, contacts, calendar, and similar OS-permission-gated data are not collected.
- User work-file contents: The contents of .arxml or other PAIO project files are never transmitted to our servers.
- Special-category (sensitive) personal information (health, beliefs, criminal-record data, biometric data, etc.).
- Personal information of children under 16 (or under 14 in the Republic of Korea).
3. How We Use Your Information
We process personal information for the following purposes:
| Purpose | Examples |
|---|---|
| Service provision | Creating and authenticating accounts; delivering PAIO functionality; handling Free Trials and paid Subscriptions |
| Billing and payments | Processing subscription fees, refunds, and invoices via Paddle (international) or Toss Payments (Republic of Korea) |
| Customer support | Responding to inquiries; troubleshooting issues; communicating service updates |
| Service improvement | Analyzing usage patterns; debugging; product analytics; quality assurance |
| Security and fraud prevention | Detecting unauthorized access, abuse, or fraud; maintaining system integrity |
| Marketing | Sending product announcements, updates, and newsletters by email to existing customers and members. We rely on the "soft opt-in" framework permitted under Article 50(2) of the Korean Act on Promotion of Information and Communications Network Utilization and Information Protection (for existing customers receiving information about similar products). Every marketing email contains clear unsubscribe instructions, and you may opt out at any time by replying to the email or following the unsubscribe link/instructions. |
| Legal compliance | Complying with tax, accounting, and other legal obligations; responding to lawful requests from authorities |
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): to provide the Service you requested and execute our contract with you.
- Legitimate interests (Art. 6(1)(f) GDPR): to operate, secure, and improve the Service, prevent fraud, and conduct internal analytics, balanced against your rights and freedoms.
- Consent (Art. 6(1)(a) GDPR): for optional cookies, marketing to non-customer individuals in the EEA/UK, and any other processing where consent is required. You may withdraw consent at any time. For marketing communications to existing customers about similar products, we rely on legitimate interests (Art. 6(1)(f) GDPR) under the "soft opt-in" approach, with an unsubscribe option in every email.
- Legal obligation (Art. 6(1)(c) GDPR): to comply with tax, accounting, and other legal duties.
5. How We Share Your Information
We do not sell your personal information. We share it only with the following categories of recipients, under appropriate contractual safeguards:
5.1 Service Providers (Sub-processors)
- Paddle.com Market Limited (Merchant of Record for international transactions) — payment processing, tax remittance, invoicing, fraud prevention. https://www.paddle.com/legal/privacy
- Toss Payments Co., Ltd. (Payment Gateway for Korean transactions) — payment processing for Korean Won transactions, fraud prevention. https://www.tosspayments.com/terms/privacy
- Amazon Web Services, Inc. (AWS) — cloud hosting and data storage for the Service.
- Google LLC — (i) Google OAuth: authentication for PAIO and PARA sign-in, (ii) Google Analytics 4: usage analytics for the autosar.io website only. https://policies.google.com/privacy
Note: Apart from the sub-processors listed above, we handle email delivery and customer support in-house and do not engage external sub-processors for those activities.
5.2 Affiliates
We may share information with PopcornSAR's affiliates and subsidiaries, subject to this Policy.
5.3 Legal and Safety Disclosures
We may disclose information when required by law, court order, or governmental request, or when we reasonably believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, financing, or sale of assets, personal information may be transferred to the relevant party, subject to confidentiality obligations.
6. International Data Transfers
PopcornSAR is headquartered in the Republic of Korea, and we use service providers located in various jurisdictions, including the European Economic Area, United Kingdom, United States, and Japan. When we transfer personal information across borders, we rely on appropriate safeguards, including:
- the European Commission's Standard Contractual Clauses (SCCs) for transfers from the EEA;
- adequacy decisions where applicable (the Republic of Korea was granted EU adequacy in December 2021);
- additional supplementary measures where required.
You may request a copy of the safeguards we apply by contacting contact@popcornsar.com.
7. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this Policy or as required by law. Detailed retention periods per data category are set out in the tables under Section 2; a summary is provided below.
| Category | Retention |
|---|---|
| Account information (Google OAuth profile, license & subscription, device info) | Duration of your Account; up to three (3) years after closure for fraud-prevention and dispute-handling purposes |
| Billing and tax records | Five (5) years under the Korean Framework Act on National Taxes and the Act on the Consumer Protection in Electronic Commerce |
| Authentication tokens | 30 days (auto-deleted on expiry) |
| Device sessions | Account lifetime or until session revocation |
| Temporary authentication data (magic-link codes, Device Flow codes) | Until use or expiry (typically minutes) |
| Access logs (nginx / reverse proxy) | 14 days |
| Website cookies (connect.sid, etc.) | connect.sid: 24 hours; others vary by cookie |
| Google Analytics 4 data | Per Google's GA4 retention policy (typically 14 months) |
| Website chatbot interactions | Up to 1 year |
| Support communications | Up to three (3) years after last contact |
| Marketing recipient list | Until opt-out or account closure |
After the applicable retention period, personal information is deleted, anonymized, or archived in compliance with this Policy.
8. Cookies and Tracking Technologies
We and our service providers use cookies and similar technologies to operate, secure, and analyze the Service. Categories include:
- Strictly necessary cookies — required for authentication, session management, and security (e.g. connect.sid, CSRF token, OAuth PKCE).
- Payment SDK cookies — set by the Toss Payments / Paddle checkout SDKs loaded on our payment pages, for payment-session continuity and fraud detection (FDS). These are required for the checkout to function (see Section 2.6).
- Functional cookies — remember preferences and settings.
- Analytics cookies — measure traffic and usage (used only with your consent where required by law).
- Marketing cookies — used only with your explicit consent.
You can manage cookies through your browser settings or, where available, through the cookie banner displayed when you first visit our website.
9. Your Rights
Depending on your location, you may have some or all of the following rights:
9.1 GDPR / UK GDPR Rights (EEA, UK, Switzerland)
- right of access;
- right to rectification;
- right to erasure ("right to be forgotten");
- right to restriction of processing;
- right to data portability;
- right to object, including to direct marketing and to processing based on legitimate interests;
- right not to be subject to a decision based solely on automated processing;
- right to withdraw consent at any time;
- right to lodge a complaint with your local supervisory authority.
9.2 PIPA Rights (Republic of Korea)
- right to be informed about processing;
- right to consent and to withdraw consent;
- right to confirm processing and request access;
- right to request correction, deletion, or suspension of processing;
- right to seek redress, including through the Personal Information Dispute Mediation Committee (privacy.go.kr) or the Korea Internet & Security Agency (privacy.kisa.or.kr).
9.3 APPI Rights (Japan)
- right to request disclosure, correction, addition, deletion, or suspension of use of retained personal data;
- right to be notified of the purpose of use;
- right to file a complaint with the Personal Information Protection Commission (PPC).
9.4 CCPA / CPRA Rights (California, USA)
- right to know what personal information is collected, used, disclosed;
- right to delete personal information;
- right to correct inaccurate information;
- right to opt out of sale or sharing of personal information (we do not sell personal information);
- right to limit use of sensitive personal information;
- right to non-discrimination for exercising your rights.
To exercise any of these rights, please contact contact@popcornsar.com. We will respond within the timeframes required by applicable law (typically within 30 days under GDPR, 45 days under CCPA, and 10 business days under PIPA).
10. Security
We implement reasonable technical and organizational measures to protect personal information from unauthorized access, alteration, disclosure, or destruction, including:
- encryption in transit (TLS 1.2+) and at rest where appropriate;
- role-based access controls and the principle of least privilege;
- regular security testing and patching;
- ongoing employee training on data protection.
No system is completely secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach that affects you, we will notify you and the relevant supervisory authority as required by applicable law.
11. Children's Privacy
The Service is not intended for and we do not knowingly collect personal information from children under the age of sixteen (16), or under fourteen (14) for users in the Republic of Korea. If we become aware that we have collected personal information from a child without the appropriate consent, we will delete it promptly. Parents or guardians who believe their child has provided personal information may contact us at contact@popcornsar.com.
12. Third-Party Links
The Service may contain links to third-party websites or services. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.
13. Automated Decision-Making
We do not use personal information for automated decision-making that produces legal or similarly significant effects without human involvement.
14. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you via email or through the Service at least fourteen (14) days before the changes take effect. The "Last Updated" date at the top of this Policy indicates when it was last revised.
15. Contact and Complaints
If you have questions, complaints, or wish to exercise any rights under this Policy, please contact us:
PopcornSAR Co., Ltd. Business Registration Number: 206-87-03697 Representative Director: Seungyueb Chae (채승엽) Registered Office: 2F Nobel Building, 16 Teheran-ro 78-gil, Gangnam-gu, Seoul, Republic of Korea Email: contact@popcornsar.com Website: https://autosar.io
Data Protection Officer (DPO) Name: Min-hyun Jun (전민현) — Team Lead, Sales & Business Operations Email: mhjun@popcornsar.com Phone: +82-10-8754-8758
Where applicable law grants you the right to lodge a complaint with a supervisory authority (for example, GDPR Article 77 for residents of the EEA or UK), you may exercise that right with the competent authority in your country of residence in addition to contacting us.
This Privacy Policy is made available in both English and Korean. In the event of any conflict between the two language versions, the English version shall prevail for users outside the Republic of Korea, and the Korean version shall prevail for users inside the Republic of Korea.