Privacy Policy

1. Introduction

ENPITS ("we," "us," or "our") is a business automation service operated by Kangin Jeong, based in Gangnam-gu, Seoul 06164, Republic of Korea. We provide done-for-you AI automation services (custom n8n workflows) primarily to business-to-business (B2B) clients located in the United States.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit our website at https://enpits.co.kr, use our services, or otherwise interact with us. By using our website or services, you acknowledge that you have read and understood this policy.

We are committed to protecting your privacy and complying with applicable data protection laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR), the CAN-SPAM Act, the Children's Online Privacy Protection Act (COPPA), the FTC Act Section 5, and applicable state consumer protection laws.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide to us, including:

• Contact information: Your name, email address, and company name, submitted through Tally intake forms or direct email correspondence.
• Business requirements: Descriptions of your workflow needs, automation goals, ideal customer profile (ICP) data, sales processes, and other operational details necessary to build and maintain your automation systems.
• Payment information: Billing details processed through Lemon Squeezy (our merchant of record). We do not store your full credit card number, CVV, or other sensitive payment data on our servers. Lemon Squeezy handles all payment processing in accordance with PCI-DSS standards.
• Communication records: Emails and messages exchanged between you and ENPITS through email or Slack.

2.2 Information Collected Through Your Workflows

When we build and operate automation workflows on your behalf, those workflows may process data that you provide or that is generated during workflow execution, including:

• Lead and prospect data (names, email addresses, company information, publicly available business data)
• Email content generated by AI models for outreach campaigns
• CRM data, sales pipeline information, and workflow execution logs
• Any other data you configure your workflows to process

You are the data controller for any personal data processed through your workflows. ENPITS acts as a data processor on your behalf for this data.

2.3 Information Collected Automatically

Our website collects minimal technical data. We do not use tracking cookies, analytics pixels, or behavioral advertising tools. The only automatically collected data may include:

• Server access logs (IP address, browser type, referring URL, pages visited, timestamp) maintained by our hosting provider for security purposes
• Data collected by third-party services embedded on our site (such as Google Fonts, which may log IP addresses per Google's privacy policy)

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: To build, deploy, monitor, and maintain your custom AI automation workflows.
• Communication: To respond to your inquiries, provide project updates, and deliver service-related notifications.
• Payment processing: To bill you for services through Lemon Squeezy and maintain billing records.
• Service improvement: To improve our workflow architecture, templates, and service offerings based on aggregated, non-identifiable patterns.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.
• Security: To detect, prevent, and respond to security incidents, fraud, and abuse.

We do not sell your personal information. We do not use your personal information for targeted advertising. We do not share your personal information with third parties for their own marketing purposes.

4. How We Use Artificial Intelligence

Our automation services rely on third-party AI models to process data within your workflows. You should understand how this works:

4.1 AI Models Used

• OpenAI (GPT-4.1 and successors): Used for lead research, email composition, data analysis, and workflow orchestration. Data sent to OpenAI is processed according to OpenAI's Privacy Policy and their data usage policies for API customers. As of the date of this policy, OpenAI does not use API customer data to train their models.
• Anthropic (Claude): Used for content generation, outreach email drafting, and quality assurance. Data sent to Anthropic is processed according to Anthropic's Privacy Policy. As of the date of this policy, Anthropic does not use API customer data to train their models.

4.2 What Data Is Sent to AI Models

Depending on your workflow configuration, the following data may be sent to AI providers for processing:

• Lead and prospect names, company names, and publicly available business information
• Email content (drafts and templates)
• Business context you provide (ICP descriptions, value propositions, product details)
• Workflow execution data necessary for AI-powered decision-making within your automations

4.3 AI Limitations

AI-generated content may contain inaccuracies, and AI model behavior may change over time as providers update their models. We implement quality assurance checks in our workflows, but we cannot guarantee the accuracy, completeness, or appropriateness of all AI-generated outputs. See our Terms of Service for important disclaimers regarding AI output.

5. Third-Party Services

We use the following third-party services to operate our business. Each service has its own privacy policy governing how it handles data:

6. Automated Outreach Emails (CAN-SPAM Compliance)

As part of our service, we build and operate automated email outreach systems on behalf of our clients. These emails are sent from our clients' email domains and accounts, not from ENPITS directly. However, we ensure every automated outreach system we build complies with the CAN-SPAM Act:

• Every automated email includes accurate sender identification (the client's name and business)
• Every automated email includes a valid physical mailing address
• Every automated email includes a clear and conspicuous unsubscribe mechanism that is honored within 10 business days
• Subject lines accurately reflect the content of the message
• Commercial messages are clearly identified as such where required

If you receive an automated email from one of our clients' systems and wish to unsubscribe, please use the unsubscribe link in the email. If you have difficulty unsubscribing, you may contact us at support@enpits.co.kr and we will process your removal within 10 business days.

7. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

7.1 Your Rights

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions (such as completing a transaction, detecting security incidents, or complying with legal obligations).
• Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. However, you may still exercise this right by contacting us.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide our services.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

7.2 How to Exercise Your Rights

To exercise any of your California privacy rights, you may:

• Email us at support@enpits.co.kr with the subject line "CCPA Request"
• Specify which right you wish to exercise and provide sufficient information for us to verify your identity

We will respond to verifiable consumer requests within 45 days. If we need more time (up to an additional 45 days), we will notify you in writing. We will not charge you a fee for making a request unless it is excessive or repetitive.

7.3 Categories of Personal Information Collected (Past 12 Months)

• Identifiers: Name, email address, company name, IP address
• Commercial information: Services purchased, payment history
• Internet or network activity: Server access logs
• Professional or employment information: Company name, job title (when provided)

We have not sold or shared (for cross-context behavioral advertising) any personal information in the preceding 12 months.

8. European Economic Area (EEA) and UK Privacy Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional provisions apply to you.

8.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Performance of a contract: Processing necessary to deliver the services you have requested.
• Legitimate interests: Processing necessary for our legitimate business interests (such as improving our services and maintaining security), where those interests are not overridden by your rights.
• Consent: Where you have given us specific consent to process your data for a particular purpose. You may withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws.

8.2 Your Rights Under GDPR

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data under certain circumstances.
• Right to restriction of processing: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, commonly used format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.
• Right to lodge a complaint: File a complaint with your local data protection authority.

8.3 Data Controller

For purposes of the GDPR, the data controller is:

Kangin Jeong / ENPITS
Gangnam-gu, Seoul 06164, Republic of Korea
support@enpits.co.kr

To exercise any GDPR rights, email us at support@enpits.co.kr with the subject line "GDPR Request." We will respond within 30 days.

9. Cookie Policy

Our website uses minimal cookies and tracking technologies.

• Essential cookies: We may use strictly necessary cookies for basic website functionality (such as remembering form state). These do not require consent under GDPR.
• Analytics cookies: We do not currently use analytics cookies or tracking pixels.
• Advertising cookies: We do not use advertising or retargeting cookies.
• Third-party cookies: Third-party services embedded on our site (such as Google Fonts) may set their own cookies. We recommend reviewing the privacy policies of these services.

Because we do not use non-essential cookies, we do not currently display a cookie consent banner. If we add analytics or marketing cookies in the future, we will update this policy and implement appropriate consent mechanisms before doing so.

10. Data Retention and Deletion

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy:

• Active client data: Retained for the duration of our service relationship plus 12 months after termination, to allow for any follow-up questions, disputes, or reactivation.
• Payment records: Retained for 7 years after the transaction to comply with tax and accounting obligations.
• Communication records: Retained for 3 years after the last interaction, or longer if required for legal purposes.
• Server logs: Automatically deleted after 90 days.
• Workflow execution data: Retained on our servers for the duration of your service. Upon termination, workflow execution data is deleted within 30 days unless you request an export.

To request deletion of your data, email us at support@enpits.co.kr with the subject line "Data Deletion Request." We will process your request within 30 days, subject to any legal retention obligations.

11. International Data Transfers

ENPITS is based in the Republic of Korea and serves clients primarily in the United States. Your data may be transferred to and processed in multiple jurisdictions:

• Republic of Korea: Where ENPITS is headquartered and where administrative operations are conducted.
• Germany: Where our primary server infrastructure is hosted (Hetzner Cloud, Falkenstein data center).
• United States: Where certain third-party service providers (OpenAI, Anthropic, Lemon Squeezy, Slack, Google) may process data.

For transfers of personal data from the EEA/UK, we rely on the following safeguards:

• The European Commission's adequacy decision for the Republic of Korea (adopted December 2021)
• The EU-US Data Privacy Framework for transfers to certified US companies
• Standard Contractual Clauses (SCCs) where other mechanisms are not available

South Korea has been recognized by the European Commission as providing an adequate level of data protection, facilitating lawful transfers between the EEA and Korea.

12. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your personal information, including:

• Encryption in transit (TLS/SSL) for all data transmitted to and from our servers
• SSH key-based authentication for server access (no password authentication)
• Encrypted credential storage for all API keys and service integrations
• Automated error monitoring and alerting for all production workflows
• Regular security updates to our server infrastructure

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.

13. Children's Privacy (COPPA)

Our services are designed for businesses and business professionals. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 16. Our website and services are not directed at children under 16.

If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@enpits.co.kr.

14. Do Not Track Signals

Our website does not currently respond to "Do Not Track" (DNT) browser signals because we do not engage in the type of tracking that DNT is designed to prevent. We do not track visitors across third-party websites for advertising purposes.

15. Links to Third-Party Websites

Our website may contain links to third-party websites or services that are not operated by us. We have no control over the content, privacy policies, or practices of any third-party website. We encourage you to review the privacy policy of every website you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify active clients by email at least 30 days before the changes take effect
• Post the updated policy on our website

Your continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.