Privacy Policy
Effective: June 13, 2026 (originally effective: April 17, 2026)
AT HVAC & Refrigeration Co., Ltd. (the "Company") establishes and discloses the following Privacy Policy pursuant to Article 30 of the Personal Information Protection Act (PIPA) in order to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes. The processed personal information will not be used for purposes other than those below, and where the purpose of use changes, the Company will take necessary measures such as obtaining separate consent. a. Responding to technical inquiries and project consultations b. Receiving and replying to estimate requests c. Reviewing and responding to partnership and supply proposals
2. Personal Information Items Processed
The Company processes the following personal information items through the website inquiry form. - Required items: company name, contact name, email address, inquiry content - Automatically collected and stored: User-Agent, access date and time - Processed transiently for abuse prevention: access IP (hashed as a rate-limit key; not stored in the inquiry record)
3. Processing and Retention Period
The Company processes and retains personal information within the retention/use period required by law or consented to by the data subject at the time of collection. - Inquiry receipt and response: 3 years from the date of collection - Where separate retention is required by law: until the end of that period
4. Provision to Third Parties
The Company processes personal information only within the scope specified in Article 1 (Purpose of Processing), and does not process it beyond the original scope or provide it to third parties without the prior consent of the data subject.
5. Outsourcing of Personal Information Processing
For smooth processing, the Company outsources personal information processing as follows, and some of it is transferred overseas. a. Trustee: Google LLC (Firebase Authentication, Firestore) - Outsourced work: member authentication, inquiry data storage and management - Storage location: Google Cloud asia-northeast3 (Seoul, Republic of Korea) - Retention/use period: until membership withdrawal or termination of the outsourcing agreement b. Trustee: Resend, Inc. (USA) — overseas transfer of personal information - Outsourced work: sending notification emails to staff when an inquiry is received - Items transferred overseas: company name, contact name, email address, inquiry content - Country / processing location: USA (headquarters) / Tokyo region, Japan (send processing) - Time and method of transfer: transmitted over the network (HTTPS) at the moment the inquiry form is submitted - Retention/use period: destroyed without delay once the email-sending purpose is achieved (until termination of the outsourcing agreement) c. Trustees: Upstash, Inc. (USA) · Functional Software, Inc. (Sentry, USA) — ancillary processing - Outsourced work: anti-abuse rate limiting on the inquiry form (Upstash); service error/exception monitoring (Sentry) - Items transferred overseas: a one-way hash of the access IP (the raw IP is not transmitted) / operational error telemetry (no inquiry content or other PII) - Country: USA - Retention/use period: until each processing purpose is met (e.g. a 1-hour rate-limit window)
6. Rights of Data Subjects and How to Exercise Them
A data subject may exercise the following personal-information rights against the Company at any time. a. Right to access personal information b. Right to request correction of errors c. Right to request deletion d. Right to request suspension of processing Rights may be exercised in writing, by phone, or by email via the Company representative email (hwh011@daum.net) or phone (+82-10-9615-9506), and the Company will act without delay.
7. Procedure and Method of Destruction
The Company destroys personal information without delay when it becomes unnecessary — for example, upon expiry of the retention period or achievement of the processing purpose. - Destruction method: information in electronic form is permanently deleted using technical methods that prevent recovery or reproduction - Destruction timing: within 5 business days from the end of the retention period
8. Measures to Ensure Security
In accordance with Article 29 of PIPA, the Company takes the following technical, administrative, and physical measures to ensure security. - Administrative: administrator-account allowlist, principle of least-privilege access - Technical: end-to-end HTTPS encrypted transmission (HSTS), Content Security Policy, Firebase Security Rules-based access control, clickjacking / XSS / MIME-sniffing prevention headers - Physical: use of access-controlled facilities in the Google Cloud Seoul region
9. Cookies and Automatic Collection Devices
The Company uses cookies and browser storage via Firebase Authentication to maintain login state and for security. Users may refuse cookie storage by changing browser settings; in that case, some functions such as administrator login may be restricted.
10. Personal Information Protection Officer
The Company designates the Personal Information Protection Officer below to take overall responsibility for personal information processing and to handle data subjects’ complaints and damage relief. - Name: Hong Wan-hyung - Position: CEO - Email: hwh011@daum.net - Phone: +82-10-9615-9506
11. Remedies for Infringement of Rights
To obtain relief for infringement of personal information, data subjects may apply for dispute resolution or consultation to the following organizations. - Personal Information Dispute Mediation Committee: 1833-6972 · www.kopico.go.kr - Personal Information Infringement Report Center: 118 · privacy.kisa.or.kr - Supreme Prosecutors’ Office Cyber Investigation Division: 1301 · www.spo.go.kr - National Police Agency Cyber Investigation Bureau: 182 · ecrm.cyber.go.kr
12. Changes to This Privacy Policy
This Privacy Policy applies from its effective date. Any additions, deletions, or corrections arising from changes in laws or policy will be announced through the website from 7 days before the effective date of the changes.