Privacy Policy

Silmaril Technologies Inc. (the "Company"), in accordance with the Personal Information Protection Act, has established the following privacy policy to protect the personal information and rights of its users and to efficiently address any concerns related to personal information.

Article 1 (Purposes of Processing Personal Information)

The Company processes personal information for the purposes below. Personal information is not used for purposes other than those listed, and if the purpose changes, the Company will take necessary measures such as obtaining separate consent.

1. Membership Registration and Management

   Confirming intent to register, identifying and authenticating users under the membership service, maintaining and managing membership, preventing fraudulent use, and providing various notices.

2. Service Provision

   Providing AI-based learning-assistance services, problem recognition and analysis, learning statistics, incorrect-answer notebook management, and personalized learning content.

3. Service Improvement and Development

   Developing new services, improving existing services, and analyzing user statistics.

Article 2 (Processing and Retention Period of Personal Information)

1. The Company processes and retains personal information within the retention and use period specified by law or the period agreed to by the data subject at the time of collection.
2. The processing and retention periods for each purpose are as follows:
   • Membership registration and management: until withdrawal of membership
   • Service provision: until completion of service delivery and settlement of payment
3. Information retained under applicable laws:
   • Records of contracts or withdrawal of subscriptions: 5 years (Act on Consumer Protection in Electronic Commerce)
   • Records of payment and supply of goods: 5 years (Act on Consumer Protection in Electronic Commerce)
   • Records of consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce)
   • Service-use records, access logs, and access IP: 3 months (Protection of Communications Secrets Act)

Article 3 (Items of Personal Information Processed)

The Company processes the following items of personal information.

1. Items collected at sign-up
   • Required: email address, password, name (nickname)
   • Optional: profile photo
2. Items collected via social login
   • Google: email, name, profile photo
   • Kakao: email, nickname, profile photo
3. Items collected automatically during service use
   • Service-use records, access logs, cookies, access IP information, device information (OS and browser type)
4. Items collected through the learning service
   • Uploaded problem images, learning records, incorrect-answer records, and learning statistics

Article 4 (Provision of Personal Information to Third Parties)

The Company processes the data subject's personal information only within the scope specified in Article 1 and provides personal information to third parties only in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as the data subject's consent or specific provisions of law. The Company does not currently provide users' personal information to third parties.

Article 5 (Entrustment of Personal Information Processing)

The Company entrusts personal information processing as follows for smooth operations:

• Supabase (authentication and database operations)
• Google Cloud / OpenAI (AI analysis services)

When entering into entrustment contracts, the Company supervises whether the entrusted party processes personal information securely in accordance with Article 26 of the Personal Information Protection Act.

Article 6 (Destruction of Personal Information)

When personal information becomes unnecessary due to the expiration of its retention period or the achievement of its purpose, the Company destroys it without delay.

• Procedure: After the purpose is achieved, the data is transferred to a separate database and stored for a set period in accordance with internal policy and applicable laws before being destroyed.
• Method: Electronic files are destroyed using technical methods that prevent recovery of the records.

Article 7 (Rights, Obligations, and Exercise Methods of Data Subjects)

Data subjects may exercise the following rights against the Company at any time:

• Request to access personal information
• Request for correction in case of errors
• Request for deletion
• Request to suspend processing

These rights may be exercised in writing, by email, or similar means, and the Company will respond without delay.

Article 8 (Measures to Ensure the Security of Personal Information)

To ensure the security of personal information, the Company takes the following measures:

1. Administrative measures: establishing and implementing an internal management plan; regular employee training.
2. Technical measures: access-rights management, installation of access-control systems, encryption, and installation of security software.
3. Physical measures: access control to server rooms and document-storage areas.

Article 9 (Personal Information Protection Officer)

The Company has designated the following person as the Personal Information Protection Officer, who takes overall responsibility for personal information processing and handles user complaints and damage relief.

Article 10 (Changes to the Privacy Policy)

This privacy policy takes effect on February 1, 2026. There is no prior privacy policy (initial version).

Article 11 (Remedies for Rights Infringement)

Data subjects may apply for dispute resolution or consultation with the following organizations to obtain relief from personal information infringement: