Privacy Policy
Operator: 주식회사 유마인솔루션 (Umine Solution Co., Ltd.)·Effective: August 25, 2025
Umine Solution (the “Company”) values the personal information of the users of the CrushOn Korean service (the “Service”) and complies with the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection. This Privacy Policy explains what personal information the Company collects, how it is used, to whom it may be provided or transferred, and how it is protected. For the terms that govern use of the Service, see our Terms of Service.
1. Purposes of Processing Personal Information
The Company processes personal information for the following purposes. Information collected for one purpose is not used for any other purpose without the data subject’s prior consent.
- A. Membership registration and management — confirming intent to register, identifying and authenticating members, maintaining and managing membership, preventing fraudulent use, providing notices, handling complaints and inquiries, and preserving records for dispute resolution.
- B. Provision of the Service — providing AI character chat, AI vocabulary learning, the community, online courses, and other features; processing learning progress; and providing customized content.
- C. AI-based features— transmitting a user’s messages to AI service providers to generate the responses of AI characters, and applying safety and moderation measures.
- D. Payment and settlement — processing payments for paid Points and course enrollments, billing, settlement, and refunds.
- E. Marketing and advertising (with consent) — providing information on events and benefits, developing new services, compiling usage statistics, and measuring service effectiveness.
2. Items of Personal Information Collected
A. Collected at sign-up (through the Google authentication provider)
- Required: email address, name (display name), profile image, and the authentication provider’s account identifier.
B. Provided by the user during use (optional)
- Korean-learning level, native language, learning goal, and a free-text learner note; date of birth (used to verify whether the user is an adult); and consent status for mature content.
C. Generated automatically while using the Service
- Conversation content with AI characters; vocabulary and course learning progress; community posts, comments, likes, and reviews; course enrollment and progress; Point balance and Point transaction records.
- Access IP address, cookies, device and browser information, access logs, and service usage records.
D. Collected for payment
- Records of payment and Point transactions, and payment-transaction identifiers. Payment-card details are collected and processed directly by the payment provider (Paddle) and are not stored by the Company.
The Company does not use a separately created login ID or password; authentication is handled by the Google provider, so the Company does not collect or store passwords.
3. Retention and Use Period; Destruction
- In principle, the Company destroys personal information without delay once the purpose of processing is achieved or the membership is withdrawn.
- Where retention is required under applicable law, the Company retains the information for the period required by that law:
- Records on contracts or withdrawal of subscription: 5 years (Act on Consumer Protection in Electronic Commerce);
- Records on payment and the supply of goods or services: 5 years (same Act);
- Records on consumer complaints or dispute resolution: 3 years (same Act);
- Records on the display and advertising of goods: 6 months (same Act);
- Records on access logs (service use): 3 months (Protection of Communications Secrets Act).
- Destruction procedure and method — Personal information whose retention period has elapsed or whose purpose has been achieved is destroyed within 5 days from the end of the retention period or the date it is recognized as unnecessary. Electronic files are deleted by technical means that prevent recovery, and any printed documents are shredded or incinerated.
4. Provision of Personal Information to Third Parties
The Company does not provide a data subject’s personal information to third parties, except where the data subject has consented or where required by applicable law.
5. Outsourcing of Personal Information Processing
To provide the Service, the Company outsources personal information processing as follows. In its outsourcing agreements, the Company specifies, in accordance with the Personal Information Protection Act, the prohibition of processing for purposes other than performing the outsourced work, technical and managerial safeguards, restrictions on re-outsourcing, supervision of the contractor, and liability for damages, and supervises whether the contractor processes personal information safely.
| Contractor | Outsourced work |
|---|---|
| Google LLC | User authentication (social sign-in) |
| Vercel Inc. | Application hosting and infrastructure operation |
| Neon Inc. | Database hosting (storage of service data) |
| Anthropic PBC | AI processing to generate AI character responses |
| Paddle.com Market Ltd. | Payment processing and settlement |
| Vimeo Inc. | Hosting and streaming of course videos |
Where the Company also uses other AI providers (such as OpenAI or Google) to generate or process AI features, those providers are treated as contractors on the same basis. Where the content or contractor of outsourcing changes, the Company discloses the change through this Privacy Policy without delay.
6. Overseas Transfer of Personal Information
To provide the Service, the Company transfers personal information overseas as follows. By using the Service, the data subject is informed of and consents to the transfers below. A data subject may refuse the transfer, in which case use of the relevant feature or the Service may be restricted.
| Recipient | Country | Items transferred | Purpose | Time and method of transfer | Retention / use period |
|---|---|---|---|---|---|
| Google LLC | United States | Email, name, profile image, account identifier | User authentication | At sign-in, via network | Until withdrawal or end of the contract |
| Vercel Inc. | United States | All information processed through the Service | Application hosting | At time of use, via network | Until withdrawal or end of the contract |
| Neon Inc. | United States | All service data stored in the database | Database hosting | At time of use, via network | Until withdrawal or end of the contract |
| Anthropic PBC | United States | User chat messages and related conversation context | Generation of AI character responses | At time of use, via network | Processed in real time; retention follows the provider’s policy |
| Paddle.com Market Ltd. | United Kingdom / United States | Payment and billing information, email | Payment processing and settlement | At time of payment, via network | Period required by applicable law |
| Vimeo Inc. | United States | Video-playback request information, access IP | Course-video streaming | At time of playback, via network | Follows the provider’s policy |
7. Rights and Obligations of Data Subjects and How to Exercise Them
- A data subject may at any time exercise the rights to request access to, correction of, deletion of, and suspension of processing of their personal information, and to withdraw consent.
- These rights may be exercised in writing, by email, or by similar means in accordance with the Enforcement Rules of the Personal Information Protection Act, and the Company responds without delay.
- Where correction or deletion is requested due to an error, the Company does not use or provide the relevant information until the correction or deletion is complete.
- These rights may also be exercised through a legal representative or an authorized agent, in which case a power of attorney must be submitted in the form prescribed by the Enforcement Rules of the Personal Information Protection Act.
8. Cookies and Other Automatic Collection Tools
- The Company uses “cookies” — small data files stored on the user’s device — to maintain sign-in sessions and to provide and improve the Service.
- A user may refuse cookies through browser settings; refusing cookies may make it difficult to use features that require sign-in.
- Microsoft Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data
- Google Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Cookies and website data
9. Measures to Ensure the Safety of Personal Information
Pursuant to Article 29 of the Personal Information Protection Act, the Company implements the following safeguards:
- Managerial measures — establishing and implementing an internal management plan, minimizing and training personnel who handle personal information, and conducting periodic internal checks.
- Technical measures — controlling access to the personal information processing system, encrypting data in transit (TLS) and encrypting sensitive items where applicable, installing and updating security software against hacking and malicious code, and storing and protecting access logs from forgery for at least 6 months.
- Authentication — sign-in is delegated to the Google authentication provider, and the Company does not store user passwords.
- Physical measures — controlling access to systems and storage media that hold personal information.
10. Personal Information of Children
The Service is, in principle, not intended for children under 14 years of age. A child under 14 may use the Service only with the consent of a legal representative, in accordance with applicable law. Mature content is provided only to users aged 18 or older following age verification.
11. Personal Information Protection Officer
The Company has designated the following Personal Information Protection Officer to take overall responsibility for personal information processing and to handle data subjects’ complaints and damage relief:
- Name: Son Ji-yoon
- Position: CEO
- Contact: +82-10-7228-7193
- Email: business@crushonkorean.com
12. Remedies for Infringement of Rights
A data subject may contact the following organizations for relief from infringement of personal information rights, to report violations, or for counseling:
- Personal Information Dispute Mediation Committee — kopico.go.kr, 1833-6972
- Personal Information Infringement Report Center (KISA) — privacy.kisa.or.kr, 118
- Supreme Prosecutors’ Office Cybercrime Investigation — spo.go.kr, 1301
- National Police Agency Cyber Bureau — ecrm.police.go.kr, 182
13. Changes to the Privacy Policy
This Privacy Policy takes effect on the effective date above. Any addition, deletion, or amendment arising from changes in law or policy is announced through a notice within the Service at least 7 days before the effective date of the change (at least 30 days in advance for changes to material matters such as the items collected or the purposes of use).
Supplementary Provisions
This Privacy Policy takes effect on August 25, 2025.