Docs
Privacy Policy
Scope of Personal Information Collection and Use
iisacc.com (the “Website”) does not provide account creation, login, subscriptions, comments, or messaging. Mere access to and viewing of the Website does not result in the Operator creating a named user profile, and ordinary use is not conditioned on providing a name, email address, postal address, or telephone number. If the Vincent direct-purchase flow is enabled, the Website maintains a limited transaction-entitlement record so that payment confirmation, revocation, expiry, download limits, version access, and installer integrity can be enforced. That record contains the payment provider name, provider transaction and any applicable captured-payment identifiers, transaction currency, total and post-credit grand total, a random entitlement identifier, token expiry, download-link count and timestamps, revocation state, and the applicable retention deadline. It does not contain payment-card or payment-account credentials.
Limited Aggregate Web Analytics
The Website does not use Google Analytics, Google Tag Manager, advertising pixels, behavioral advertising or analytics services, or custom analytics events. The current Website shell does not load a site analytics client.
Color Workbench at /Solutions/ColorWorkbench and color.app.iisacc.com, Vincent checkout completion at and below /Store/Vincent/Checkout, Paddle transaction links at and below /Store/Vincent/Paddle, and private downloads at and below /Store/Vincent/Download are not tracked as analytics page views or analytics events by the Website.
The Website does not deploy cookies or similar technologies for behavioral tracking, and the Operator does not maintain a user-identification scheme based on local storage or IndexedDB for tracking. Browser storage used by a local-first solution for the user’s own solution data, such as a Color Workbench palette, is not used for analytics and is not transmitted to the Operator. When a purchaser explicitly starts Vincent checkout, the server sets a separate random HttpOnly, SameSite checkout-security cookie for that checkout for up to seven days. Independent cookies keep purchases opened in parallel tabs distinguishable and are used only to bind each Paddle transaction to the browser that started it. A browser already presenting 12 valid active checkout cookies cannot start another checkout, although requests already in flight may finish. Successful browser reconciliation deletes the matching cookie only; webhook-first issuance leaves that cookie until browser reconciliation or expiry. The server also temporarily records each state’s SHA-256 hash, Product and Price IDs, catalog currency and base amount, timestamps, and an HMAC-pseudonymized requester network address. These fields limit automated checkout-state creation and prove that the server issued the state; the raw network address is not stored. Paddle.js may use checkout storage, cookies, device and network information, and related security signals as necessary to display the payment form, authenticate payment, prevent fraud, calculate tax, and complete the transaction under Paddle’s own notices. When an order access link is opened, its fragment token is removed from the address bar. An active token is exchanged for a separate HttpOnly, SameSite Strict download-access cookie; a valid revoked, expired, or limit-reached token displays its read-only status without being stored. The active-token cookie contains the signed order token, is scoped to /Store/Vincent/Download, expires with the entitlement or after 30 days at the latest, and can be deleted with the page’s “Forget access” action. The iisacc checkout-security and download-access cookies are not used for analytics or advertising.
Third-Party Services and Payment Processing
Where the Website offers paid solutions, Paddle acts as the merchant of record and processes payment credentials, billing details, payment authentication, tax calculation, receipts, customer credit, refunds, and chargebacks in Paddle Checkout. The Website receives a client-side completion notice for user experience only; entitlement issuance requires a completed Paddle transaction verified through Paddle’s server API or a signed transaction.completed webhook. The Vincent entitlement record deliberately persists only the Paddle transaction, any applicable captured-payment, customer, price, currency, total, post-credit grand total, and webhook-event identifiers together with the limited delivery fields described above. It does not persist card numbers, payment-account passwords, postal addresses, or the Paddle customer profile. AWS hosts the Website and server routes and processes the private installer objects, checkout-state and requester-pseudonym records, entitlement records, payment-event identifiers, revocation records, and download-event timestamps on the Operator’s behalf through AWS Amplify, Amazon Aurora PostgreSQL, Amazon S3, AWS Secrets Manager, and EventBridge Scheduler. A private S3 object is disclosed only through a short-lived presigned URL after the entitlement and release checks pass.
Information Voluntarily Provided by Users
The Website does not request personal information as a condition of use. However, a user may voluntarily provide information via explicit contact channels (e.g., email) when submitting inquiries, bug reports, or refund requests. In such cases, the Operator processes the voluntarily provided information solely for the purpose of responding to the request and resolving the issue. The Operator retains such information only for the period necessary to complete the request and, unless retention is required by applicable law, deletes or anonymizes it without undue delay after the purpose has been fulfilled. The Operator does not use voluntarily provided information for marketing, resale, or disclosure to third parties beyond its original purpose.
Retention Period and Deletion of Personal Information
Checkout-state and requester-pseudonym records carry a 30-day retention deadline whether or not payment completes. Vincent order, payment-confirmation, and supply records carry a five-year retention deadline from creation so the Operator can maintain transaction evidence and purchaser access within the period applicable to contract, payment, and supply records. Complaint or dispute material may be retained for the period required to resolve the matter and for any mandatory legal period. After the applicable deadline and any legal hold end, the records are deleted or anonymized. Download-event records contain only entitlement ID, release ID, and timestamp and follow the parent entitlement’s lifecycle. Voluntarily provided support information is retained only as long as necessary to complete the request unless a mandatory retention obligation applies. The Operator does not retain a separate user-level analytics history.
User Rights
Users, as data subjects, may have statutory rights under applicable data protection laws, including rights relating to access, correction, deletion, or restriction of processing. A purchaser should provide the Paddle transaction or payment identifier and sufficient proof of the requester’s relationship to the transaction so that the Operator can locate the limited entitlement record without disclosing another purchaser’s information. Deletion or restriction may be limited where transaction preservation, dispute handling, fraud prevention, or another mandatory legal obligation applies.
Inquiries and Handling Principles
The Operator handles privacy-related inquiries in accordance with this Privacy Policy and applicable law. Any communications regarding privacy matters shall be submitted through the contact method posted on the Website, and the Operator will respond within a reasonable period where a response is necessary. The Operator will not disclose an entitlement or transaction record unless the request can be reasonably matched to the relevant purchaser.
Legal Compliance and Policy Updates
The Operator complies with applicable data protection laws, including the Personal Information Protection Act of the Republic of Korea, to the extent relevant to the Website’s operating model. This Privacy Policy is intended to describe, in definitive terms, the scope and limits of personal information processing based on the Website’s actual operation. If laws change or the Website’s functions or processing practices change, this Privacy Policy may be amended. Any material additions, deletions, or modifications will be announced on the Website prior to taking effect within a reasonable notice period. This Privacy Policy is effective as of July 12, 2026.