Article 1 (Purpose of Processing and Use of Personal Information)

The Company processes and uses the personal information it collects only for the purposes set forth below and does not use it for any other purpose. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent, in accordance with applicable laws including the Personal Information Protection Act.

• Membership Registration and Management
  • Confirmation of intent to register, identification and authentication of the individual, and identity verification
  • Maintenance and management of membership status
  • Prevention of unauthorized or improper use of the services
  • Response to customer inquiries, and delivery of various notices, notifications, and announcements
  • Handling grievances and complaints
• Handling Civil Complaints
  • Verification of the complainant’s identity
  • Contacting, notifying, and informing the complainant of the results for confirmation of the complaint and fact-finding
  • Restriction of service use, prevention of unauthorized use, and sanctions against members who violate laws or the Terms of Service
  • Prevention of conduct that interferes with the smooth operation of the services and protection of users
• Provision of Goods or Services
  • Provision of services and content
  • Provision of core services such as AI-based English speaking proficiency assessment
  • Analysis of responses, generation of assessment results, and provision of feedback using artificial intelligence and large language models (LLMs)
  • Identity verification, purchase processing, and payment/settlement for paid services
• Operation, Maintenance, and Improvement of Services
  • Response to service failures
  • Analysis of service usage records and access frequency
  • Preparation and analysis of service usage statistics
  • Maintenance and management of functions, including error checking
  • Research and development to improve AI analysis engines
  • Development of new services and improvement of existing features
• Marketing and Advertising
  • Provision of event and promotional information, and offering opportunities to participate
  • Provision of services and display of advertisements based on demographic characteristics
  • Verification of service effectiveness
  • Processing personal information for statistical purposes related to members’ use of the services

Article 2 (Items of Personal Information Collected and Methods of Collection)

In order to provide better services, the Company collects and uses the following personal information according to member type, and obtains users’ consent at the time of collection.

• ① Items Collected from Individual Members

  Membership Registration and Management

  • Required: Login ID (email address), name, password, mobile phone number, access IP information, access logs, service usage records
    Optional: Date of birth

  Provision of AI English Assessment Services

  • Required: Voice response information (voice files for AI analysis, such as test response recordings)
    (※ Collected voice data and text conversion results are analyzed and assessed using artificial intelligence (AI) and large language models (LLMs), and are processed for score generation and feedback provision.)

  Provision of Goods or Services (Payment-Related)

  • Required: Login ID (email address), name, date of birth, transaction identification information for payment and refund processing (such as payment approval number, transaction number, payment amount, payment date/time), service usage records
    (※ Payments by individual members are processed through an external payment gateway provider (PG), and payment method information such as card numbers and bank account numbers is not stored, managed, or retained in the Company’s systems.)

  Handling Civil Complaints

  • Required: Login ID (email address), name, mobile phone number, service usage records

  Marketing and Advertising

  • Optional (with consent): Login ID (email address), name, date of birth, access IP information, cookies, access logs, service usage records

• ② Items Collected from Corporate Members

  Membership Registration and Management

  • Required: Login ID (email address), name, password, mobile phone number, company name, employee ID number, access IP information, access logs, service usage records
    Optional: Date of birth, department

  Provision of AI English Assessment Services

  • Required: Voice response information (voice files for AI analysis, such as test response recordings)
    (※ Collected voice data and text conversion results are analyzed and assessed using artificial intelligence (AI) and large language models (LLMs), and are processed for score generation and feedback provision.)

  Provision of Goods or Services

  • Required: Company name, contract type and contract information, contact person’s name, contact person’s email (ID), mobile phone number, service usage records
    (※ For corporate members, payment and settlement are processed at the corporate level, and payment method information such as card numbers and bank account numbers is not stored, managed, or retained in the Company’s systems.)

  Handling Civil Complaints

  • Required: Login ID (email address), name, mobile phone number, company name, service usage records

  Marketing and Advertising

  • Optional (with consent): Login ID (email address), name, date of birth, company name, department, access IP information, cookies, access logs, service usage records

• ③ Automatically Collected Items for Service Operation and Failure Response

  • IP address, visit date and time, cookies, service usage records, error logs, browser information, etc.
    (Generated and stored automatically during service use, or collected after securely converting device-specific information)
    

    Some of the automatically collected information may be processed in accordance with “Article 9 Behavioral Information.”

• ④ Methods of Collecting Personal Information

  Direct input by users during membership registration and service use (including SNS integration; only the minimum necessary SNS account information is collected as required)

  Automatically stored during service use (such as test response recordings)

  During 1:1 inquiries and customer support consultations (webpage, email, phone, etc.)

• ⑤ Right to Refuse Consent and Notice of Disadvantages

  Users have the right to refuse consent to the collection and use of personal information. However, if consent to required items is refused, membership registration and use of the services may be restricted. Refusal to consent to optional items (such as marketing) will not affect basic use of the services.

Article 3 (Period of Processing and Retention of Personal Information)

The Company processes and retains personal information within the retention and use period prescribed by law or within the scope of the user’s consent. The retention periods for each category are as follows.

• Personal Information Related to Membership Registration and Management
  • Retention period: From the date of consent to the collection and use of personal information until the date of membership withdrawal request (destroyed within 3 days after withdrawal request)
  • Basis for retention: Internal company policy
  • Exception (for service improvement purposes): Test results, test dates, and similar data for test design, improvement, and analysis may be retained solely for service quality improvement and statistical analysis purposes.
• Personal Information Related to Handling Civil Complaints
  • Retention period: 3 years from the date of consent to the collection and use of personal information
  • Basis for retention: Applicable laws (records of consumer complaints or dispute resolution: 3 years)
• Personal Information Related to the Provision of Goods or Services (Payment by Individual Members)
  • Retention period: 5 years from the date of consent to the collection and use of personal information
  • Basis for retention: Applicable laws (records of contracts or withdrawal of offers: 5 years, records of payment and supply of goods: 5 years)


• Personal Information for Marketing and Advertising
  • Retention period: From the date of consent to the collection and use of personal information until membership withdrawal (destroyed within 3 days after withdrawal request)
  • Basis for retention: Internal company policy

  The Company does not use users’ personal information without authorization as separate AI training data and processes such information only within the scope of service provision and quality improvement.

Article 4 (Procedures and Methods for Destruction of Personal Information)

In principle, the Company destroys personal information without delay once the purpose of collection and use has been achieved or the retention and use period has expired. The procedures and methods of destruction are as follows.

• Destruction Procedure
  • Information entered by users for membership registration and similar purposes is transferred to a separate database after the purpose is achieved (or to a separate document file in the case of paper records) and then destroyed after being retained for a period in accordance with internal policies and other applicable laws. Such personal information will not be used for any purpose other than as required by law.
• Method of Destruction
  • Personal information printed on paper is destroyed by shredding or incineration, and personal information stored in electronic file format is deleted using technical methods that prevent the records from being restored.
  • Upon membership withdrawal, information related to SNS account login and posts is deleted. SNS unlinking may be done on each SNS account settings page.

Article 5 (Provision of Personal Information to Third Parties)

The Company uses members’ personal information only within the scope disclosed in this Privacy Policy and does not use it beyond such scope or provide it to any third party, company, or institution.
However, the following cases are exceptions.

Where, prior to collection or provision of information, the Company informs the user of the recipient, the items of personal information to be provided, the purpose of provision, and the retention/use period, and obtains separate consent (if consent is not given, no additional information will be provided); or where there is a special provision in applicable law or it is unavoidable for compliance with a legal obligation

Article 6 (Entrustment of Personal Information Processing)

The Company may entrust the processing of personal information to external professional service providers for the performance of service use agreements and similar purposes, and when entering into an entrustment contract, the Company stipulates necessary matters to ensure that personal information is managed safely in accordance with applicable laws and thoroughly supervises such matters.

1. Domestic Personal Information Processing Entrustees and Entrusted Work

2. Overseas Personal Information Processing Entrustees and Entrusted Work

For the provision of AI analysis and assessment services, the Company may entrust the processing of personal information, including voice and text data, to external professional service providers or AI analysis service providers. In such case, the Company will disclose the entrusted party, entrusted work, retention period, and other required matters in this Policy in accordance with applicable laws.

Timing and method of transfer: If a user enters and sends personal information in the chat window, or uses LLM-linked features such as summarization and analysis based on voice input (STT) results, the information is transferred through network transmission.

Contact for information management officer: [privacy@openai.com]

Article 7 (Matters Regarding the Installation/Operation of Automatic Personal Information Collection Devices and Refusal Thereof)

The Company operates “cookies” that store and retrieve users’ information from time to time. Cookies are very small text files sent by the server used to operate the website to the user’s browser and stored on the user’s computer hard drive. The Company uses cookies for the following purposes.

• Purpose of Using Cookies
  • To provide personalized services by analyzing the access frequency or visit time of members and non-members, identifying the level of test participation and number of visits, etc.
• How to Refuse Cookie Settings
  • Users have the right to choose whether to allow the installation of cookies. Accordingly, users may allow all cookies, require confirmation whenever a cookie is saved, or refuse the storage of all cookies by setting options in their web browser.
• Example of Settings Method (for Internet Explorer)
  • Tools at the top of the web browser > Internet Options > Privacy. However, if the installation of cookies is refused, some services requiring login may be difficult to use.

Article 8 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures to ensure the security of personal information.

• Establishment and Implementation of Internal Management Plans
  • The Company has established and implemented internal management plans for the safe processing of personal information.
• Minimization and Training of Employees Handling Personal Information
  • The Company designates employees who handle personal information and limits such handling to the minimum necessary personnel, thereby implementing measures to manage personal information.
• Restriction of Access to Personal Information
  • The Company takes necessary measures to control access to personal information by granting, changing, and revoking access rights to database systems that process personal information, and controls unauthorized external access by using an intrusion prevention system.
• Retention of Access Records and Prevention of Tampering/Forgery
  • The Company retains and manages records of access to personal information processing systems for at least 1 year. However, in cases where personal information of 50,000 or more data subjects is additionally stored, or unique identifying information or sensitive information is processed, such records are retained and managed for at least 2 years. The Company also uses security functions to prevent access records from being tampered with, forged, stolen, or lost.
• Encryption of Personal Information
  • Users’ personal information, including passwords, is stored and managed in encrypted form so that only the individual user can know it, and important data is protected by additional security features such as encryption of files and transmitted data or the use of file-locking functions.
• Technical Measures Against Hacking and Similar Risks
  • To prevent leakage or damage of personal information caused by hacking or computer viruses, the Company installs security programs, regularly updates and checks them, and installs systems in areas with controlled external access while technically and physically monitoring and blocking access.
• Access Control for Unauthorized Persons
  • The Company maintains separate physical storage locations for personal information and establishes and operates access control procedures for such locations.
• Use of Locking Devices for Document Security
  • Documents and auxiliary storage media containing personal information are kept in secure locations equipped with locking devices.