threatmesh.info (hereinafter the "Site") establishes and discloses this Privacy Policy in accordance with relevant laws, such as the "Personal Information Protection Act," to protect the personal information of data subjects and to promptly and smoothly handle related grievances.

Article 1 (Personal Information Collected and Purpose of Use)

The "Site" collects the minimum amount of personal information necessary for the following purposes. The personal information being processed will not be used for purposes other than the following, and necessary measures, such as obtaining separate consent, will be implemented if the purpose of use changes.

1. Membership Registration and Management
   • Items Collected (Required): Email Address, Password (hashed).
   • Purpose: Member identification, service provision, delivery of notices, Customer Support (CS), prevention of fraudulent use.
2. Service Provision and Operation (CTI, ASM, Dark Web)
   • Items Collected (Required): ASM Configuration Data (e.g., user-submitted domains, IP addresses for scanning).
   • Purpose: Provision of core "Service" functions (ASM scanning), management of user-configured assets.
3. Information Automatically Generated and Collected During Service Use
   • Items Collected: IP Address, Cookies, Service usage logs (access times, etc.), API request logs.
   • Purpose: Prevention of fraudulent use, monitoring of service misuse and abnormal access (e.g., service attacks), service quality improvement, and statistical analysis.
4. Information Collected for Service Operation (Threat Intelligence)
   • (Note: This is data the service collects, not user personal info, but is listed for transparency)
   • Items Collected: CTI Data (IoCs from sensors/OSINT), Dark Web Data (from crawlers), ASM Scan Results (vulnerabilities, ports, etc.).
   • Purpose: To provide the core CTI, Dark Web Monitoring, and ASM services to users; for security research (if anonymized/aggregated).

Article 2 (Processing and Retention Period of Personal Information)

1. The "Site" processes and retains personal information within the period of retention and use specified by law or agreed upon by the data subject at the time of collection.
2. Membership and Management Information: Until the time of membership withdrawal.
3. Service Provision (ASM Configs, Logs): Destroyed without delay upon membership withdrawal (or when deleted by the user).
4. However, information related to the following reasons will be retained until the end of the specified period:
   • If an investigation or inquiry is in progress due to a violation of relevant laws, until the said investigation is concluded.
   • To restrict re-registration and manage account suspension due to violations of the Terms of Service (such as Prohibited Conduct in Article 5), records of misuse and identifying information (hashed identifiers) may be retained for [e.g., 1 year] after withdrawal before being destroyed.

Article 3 (Provision of Personal Information to Third Parties)

The "Site" processes the data subject's personal information only within the scope specified in Article 1. Personal information is provided to third parties only in cases falling under relevant laws, such as with the data subject's separate consent or special provisions in the law.

(Note: The "Site" does not sell or rent user personal information. Aggregated, anonymized threat statistics are not personal information.)

Article 4 (Entrustment of Personal Information Processing)