Privacy Policy
Last Updated: February 15, 2026
Callus Company Inc. ("Company") establishes and discloses this Privacy Policy in accordance with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other applicable laws, to protect users' personal information and promptly address related concerns.
1. Personal Information Collected and Collection Methods
1.1 Account Information (Required)
Users may register using email, Google, or Kakao authentication. The following information is collected upon registration:
- Name, email address, profile image
1.2 Academic and Consulting Information (Optional)
Information that users may optionally provide during use of the Service. Users may decline to provide this information and still register for and use the basic functions of the Service:
- Grades, GPA, and test scores (SAT, ACT, AP, etc.)
- Extracurricular activities, honors, and awards
- School information and academic history
- Profile details: date of birth, phone number, guardian information, nationality, visa status
1.3 AI-Generated Data
Information generated by the AI system based on user input during use of the Service. AI-generated data constitutes personal information of the user and is afforded the same protection:
- Analytical reports, roadmaps, strategy recommendations, to-do lists, milestones
1.4 Automatically Collected Information
The following information is automatically generated and collected during use of the Service:
- Pages visited, usage patterns, access timestamps
- Device information (device type, operating system, browser type)
- IP address, cookies, access logs
1.5 Payment Information
Payments are processed through the payment service provider Paddle. The Company does not directly collect or store sensitive payment information such as credit card numbers. The processing of payment information collected by Paddle is governed by Paddle's own privacy policy.
2. Purposes of Collection and Use
| Purpose | Data Collected | Legal Basis |
|---|---|---|
| Service provision and account management | Name, email, profile image | Performance of contract |
| AI analysis, roadmap, and strategy generation | Academic and profile data | Consent of data subject |
| Payment and subscription processing | Email, payment records (via Paddle) | Performance of contract |
| Service-related communications (notices, renewal alerts, etc.) | Performance of contract | |
| Marketing communications (optional consent) | Consent of data subject | |
| Service quality improvement and statistical analysis | Usage data, cookies | Legitimate interest |
| Legal compliance | Transaction records, access logs | Legal obligation |
3. Entrustment and Third-Party Provision of Personal Information
3.1 Processing Entrustment
The Company entrusts the processing of personal information to the following parties for the provision of the Service:
| Entrusted Party | Entrusted Tasks | Data Accessed | Entrustment Period |
|---|---|---|---|
| Supabase, Inc. | Database hosting and management | All user data | Until termination of entrustment contract |
| Vercel, Inc. | Application hosting | All request data | Until termination of entrustment contract |
| Anthropic, PBC | AI analysis and content generation | Academic and profile data | Until termination of entrustment contract |
| Cloudflare, Inc. | Edge request processing and security | Request data | Until termination of entrustment contract |
| Tavily, Inc. | AI web search | Search queries (may include academic context) | Until termination of entrustment contract |
| Upstash, Inc. | Session management | Session tokens | Until termination of entrustment contract |
| Paddle.com Market Ltd. | Payment processing | Payment-related information | Until termination of entrustment contract |
| Google LLC | Email delivery (Gmail SMTP) | Email address | Until termination of entrustment contract |
3.2 Third-Party Provision
The Company does not, in principle, provide users' personal information to third parties. Exceptions include:
- When the user has given prior consent
- When required by law enforcement or investigative authorities pursuant to applicable law
- When provided in a form that cannot identify specific individuals for the purposes of statistical compilation or academic research
3.3 Analytics and Marketing Services (Third-Party Provision)
The following service providers process data for their own purposes and therefore constitute third-party provision, which is provided through users' optional cookie consent:
| Recipient | Purpose | Data Provided | Retention Period |
|---|---|---|---|
| Google LLC (Analytics) | Usage analysis | Usage data, cookies | Per Google's policy |
| Google LLC (Ads) | Ad conversion tracking and remarketing | Usage data, cookies | Per Google's policy |
| Kakao Corp. (Kakao Pixel) | Usage analysis and marketing | Usage data, cookies | Per Kakao's policy |
| Danggeun Market Inc. (Karrot Pixel) | Usage analysis and marketing | Usage data, cookies | Per Danggeun's policy |
4. AI Data Processing
4.1 Processing Details
Users' academic and personal data is processed through the AI system (Anthropic Claude) to generate personalized analysis, roadmaps, strategy recommendations, and related content. The AI system receives users' academic data (grades, test scores, extracurricular activities, etc.) and generates university fit assessments, weakness diagnoses, and strategic directions through natural language inference. The final outputs are based on probabilistic AI inference and do not constitute definitive assessments.
This is a core function of SPRINT Program, and consent for this processing is obtained at the time of service registration. Users who do not wish to have their data processed by AI may withdraw consent by terminating the Service.
4.2 Limitations of AI Processing
- AI-generated content is informational reference material and does not substitute for professional admissions counseling.
- AI systems may generate information that appears factual but is incorrect (AI hallucination).
- The Company makes no warranties regarding the accuracy, completeness, or timeliness of AI-generated content.
4.3 Rights Regarding Automated Decision-Making
In accordance with Article 37-2 of the Personal Information Protection Act, users may refuse decisions based entirely on automated processing of personal information that significantly affect their rights or obligations, request an explanation of such decisions, and request human intervention. This right may be exercised by contacting contact@calluscompany.com.
4.4 Pseudonymization and Anonymization
In accordance with Article 28-2 of the Personal Information Protection Act, the Company may pseudonymize or anonymize personal information for the purposes of service quality improvement, AI model enhancement, statistical compilation, and scientific research. When processing pseudonymized information, the Company implements safety measures in accordance with Article 28-4 of the Personal Information Protection Act, including separate storage of pseudonymized data and additional identifying information, differentiated access rights, and maintenance of pseudonymized data processing records.
5. Cookies and Tracking
5.1 Types of Cookies
| Type | Purpose | Services Used | Required |
|---|---|---|---|
| Essential cookies | Login maintenance and service operation | NextAuth, Upstash Redis | Required |
| Analytics cookies | Understanding usage patterns | Google Analytics, Kakao Pixel, Karrot Pixel | Optional |
| Advertising cookies | Remarketing and conversion tracking | Google Ads | Optional |
5.2 Cookie Management
Users may refuse or delete cookies through their browser settings. However, refusing essential cookies may result in limitations to Service use. Optional cookies (analytics, advertising) may be configured through a separate consent mechanism upon accessing the Service.
6. Retention and Destruction of Personal Information
6.1 Retention Period
Users' personal information is retained while the account is active or as necessary to provide the Service.
6.2 Destruction Procedures and Methods
Upon account deletion or termination, the Company shall destroy the user's personal information within 30 days. Electronic files are deleted using overwrite and other technical methods that render recovery impossible; paper documents are shredded or incinerated.
6.3 Retention Under Applicable Law
The following information is retained for the prescribed period pursuant to applicable law and destroyed thereafter:
| Information Retained | Retention Period | Legal Basis |
|---|---|---|
| Records relating to contracts or withdrawal of offers | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records relating to payment and supply of goods/services | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records relating to consumer complaints or dispute resolution | 3 years | Act on Consumer Protection in Electronic Commerce |
| Records relating to labeling and advertising | 6 months | Act on Consumer Protection in Electronic Commerce |
| Access log records | 3 months | Protection of Communications Secrets Act |
6.4 Anonymized Data
Data that has been fully anonymized such that specific individuals cannot be identified is excluded from the scope of destruction and may be retained indefinitely.
7. Measures to Ensure the Security of Personal Information
The Company implements the following security measures:
- Administrative measures: Establishment and implementation of internal management plans, minimization of and training for personal information handlers
- Technical measures: Access control for personal information processing systems, access rights management, encryption of personal information, installation and updating of security software
- Physical measures: Access control for server rooms and data storage facilities
TLS encryption is applied for data transmission, and databases are managed through encrypted connections.
8. Protection of Minors' Personal Information
8.1 Children Under 14
When collecting personal information from children under the age of 14, the Company obtains consent from a legal guardian in accordance with Article 22 of the Personal Information Protection Act. Consent is verified by collecting the legal guardian's name and contact information from the child, and then confirming the consent via email or telephone with the legal guardian. Legal guardians may request access to, correction of, deletion of, or suspension of processing of the child's personal information.
8.2 Minors in General
Parents or legal guardians may create and manage accounts on behalf of minor children. Guardians managing a minor's account bear responsibility for the data submitted and the use of the Service. If the Company becomes aware that personal information of a minor has been collected without proper consent, the Company shall destroy such information without delay.
9. International Transfer of Personal Information
Users' personal information may be transferred overseas for the provision of the Service as follows:
| Recipient | Country | Data Transferred | Purpose | Transfer Method | Retention Period |
|---|---|---|---|---|---|
| Supabase, Inc. | United States | All user data | Database hosting | Transmission via encrypted network | Duration of service use |
| Vercel, Inc. | United States | All request data | Application hosting | Transmission via encrypted network | Deleted upon completion of processing |
| Anthropic, PBC | United States | Academic and profile data | AI analysis and content generation | Real-time transmission via API | Retained up to 30 days for safety monitoring, then deleted |
| Cloudflare, Inc. | United States | Request data | Edge processing and security | Transmission via encrypted network | Deleted upon completion of processing |
| Tavily, Inc. | United States | Search queries (may include academic context) | AI web search | Real-time transmission via API | Deleted upon completion of processing |
| Upstash, Inc. | United States | Session tokens | Session management | Transmission via encrypted network | Deleted upon session termination |
| Paddle.com Market Ltd. | United Kingdom | Payment-related information | Payment processing | Transmission via encrypted network | Per Paddle's policy |
| Google LLC | United States | Usage data, email | Analytics, advertising, email delivery | Transmission via encrypted network | Per Google's policy |
The Company implements protective measures in accordance with the Personal Information Protection Act when transferring personal information overseas, and manages and supervises the recipients through contracts and other means to ensure the safe processing of personal information.
10. Rights of Data Subjects and Methods of Exercise
10.1 Rights
Users may exercise the following rights:
- Request to access personal information
- Request to correct erroneous or incomplete information
- Request to delete personal information
- Request to suspend processing of personal information
- Request to transfer personal information in a portable format
- Withdraw consent for optional processing
- Refuse automated decision-making and request an explanation (see Section 4.3)
10.2 Methods of Exercise
- The above rights may be exercised in writing or by email to the department designated below for receiving and processing access requests.
- Department: Management Support Division
- Contact person: Juno Yu (CEO)
- Email: contact@calluscompany.com
- Phone: 02 6951 0200
- The Company shall process the request and notify the user of the outcome within 10 days of receipt.
- If processing is delayed for legitimate reasons, the Company shall notify the user of the reason and expected processing date.
- When exercising rights through an authorized representative, a power of attorney and a copy of the representative's identification must be submitted.
- Users may export their AI-generated content and personal data prior to account termination; data recovery is not possible after termination.
10.3 Rights of Legal Guardians
Legal guardians of children under 14 may request access to, correction of, deletion of, or suspension of processing of the child's personal information.
11. Personal Information Protection Officer
The Company designates the following Personal Information Protection Officer to oversee all matters relating to the processing of personal information and to address user complaints and remediate damages:
- Personal Information Protection Officer: Juno Yu (CEO)
- Department: Management Support Division
- Email: contact@calluscompany.com
- Phone: 02 6951 0200
12. Remedies for Rights Infringement
For reports or consultations regarding personal information infringement, please contact the following organizations:
- Personal Information Infringement Report Center (KISA): 118, privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: 1833-6972, kopico.go.kr
- Supreme Prosecutors' Office Cyber Investigation Division: 1301, spo.go.kr
- National Police Agency Cyber Bureau: 182, ecrm.police.go.kr
13. Changes to This Policy
This policy may be amended in accordance with changes to applicable law or Company policies. In the event of material changes, users shall be notified via email or in-service notice at least 7 days prior to the effective date. For changes that are disadvantageous to users, notice shall be provided at least 30 days prior, and users may terminate the Service prior to the effective date if they do not consent to the changes.
14. Contact Information
Callus Company Inc. CEOs: Juno Yu, Ryan Kim Business Registration: 615-86-18887 Mail-Order Business Registration: 2023-성남분당A-1178 Address: Songpa-gu Munjeong-dong 634, Garden Five Life 8F, L-8028, Seoul Email: contact@calluscompany.com Phone: 02 6951 0200