Privacy Notice
Last updated: 29 May 2026
DAMSORA is operated from the Republic of Korea. This notice explains how we collect, use, share, and protect your personal data. Our processing is primarily governed by the Korean Personal Information Protection Act (PIPA). Region-specific notices for Japanese consumers appear at the end of this document.
1. Who We Are
Service Operator: DAMSORA
Representatives: Junhwi Nam, Sehyun Park
Business Address: [to be updated upon business registration]
Privacy Contact: privacy@damsora.com
Under Article 30-3 of the amended Korean PIPA (effective 11 September 2026), our representatives are designated as the ultimate parties responsible for personal information protection.
2. Data We Collect and Why
| Data | Purpose | Required? |
|---|---|---|
| Name, email, date of birth, password | Account creation and authentication | Required |
| Google account ID, email | Social login (OAuth) | Required if using Google sign-in |
| Payment records (Paddle-handled; no card data stored by us) | Subscription billing and refunds | Required for paid plans |
| Session records, reviews, learning notes, time-zone | Core service delivery | Auto-generated by service use |
| IP address, browser type, access logs | Security, abuse prevention, statutory log keeping | Auto-collected |
| Analytics data (anonymised) | Service improvement | Optional (consent-based) |
| Marketing preferences | Promotional communications | Optional (consent-based) |
Video Session Quality Metadata (Service improvement & dispute resolution)
We collect the following metadata to analyse video call quality, ensure accurate session completion / incompletion judgements, and provide objective evidence in the event of a dispute. This metadata does not include the audio or video content of the call itself.
- Join / leave timestamps and counts
- Co-presence duration (time both participants were in the session together)
- Disconnect and reconnect counts
- Average RTT (Round-Trip Time, network latency)
- Packet loss rate
- Media device (camera / microphone) error messages
- Audio / video active time
3. Data Retention and Deletion
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, date of birth) | 30 days after account deletion, then deleted | Service contract |
| Payment & session records | 5 years after account deletion, then anonymised | Korean E-Commerce Act §6 |
| Support inquiries | 3 years after account deletion, then deleted | Consumer dispute resolution |
| Video call connection logs | 3 years after account deletion, then anonymised | Dispute defence (PIPA §15(1)(4)) |
| Community posts & comments | Author anonymised 3 years after deletion; content retained | Service operation |
| Access logs (IP, browser) | 3 months | Korean Communications Privacy Act |
| Video session media | Deleted at session end | Contract performance |
| Session event log (session_events) | 6 months, then anonymised | Statistics & quality analysis, dispute resolution |
| Session participation summary (session_participants) | 1 year, then anonymised | No-show pattern detection, analytics |
Paddle payment identifiers (transaction ID, subscription ID) are deleted from our database 5 years after account deletion. Records held by Paddle itself are subject to Paddle's own privacy policy.
Deletion procedure and method
Personal data whose retention period has expired is automatically purged from the database row (or the identifier column is replaced with random values for anonymisation) via a scheduled batch job. Records that must be retained under applicable law (e.g. payment and withdrawal records) are moved to a separate retention area and deleted once the statutory period ends. Database backups are rotated and discarded within 30 days; any paper printouts are shredded or incinerated.
4. Sharing, Processors and International Transfers
We do not sell or rent your personal data. We do share data with the following processors strictly to operate the service. Because our infrastructure is global, your data may be processed outside your country of residence. Transfers are protected by data processing agreements with each provider and (where applicable) standard contractual clauses or equivalent safeguards.
| Processor | Country | Purpose | Data Transferred |
|---|---|---|---|
| Supabase, Inc. | USA | Database & authentication | Account data, service records |
| Paddle.com Market Ltd. | United Kingdom | Payment processing as Merchant of Record | Email, billing address, payment records |
| Resend, Inc. | USA | Transactional email delivery | Email, name |
| Vercel, Inc. | USA | Service hosting and edge delivery | IP address, request logs |
| Google LLC | USA | Social login (OAuth) and analytics | Email, Google ID, anonymised usage |
| LiveKit, Inc. | USA | Video call infrastructure | Real-time audio/video stream |
If you do not consent to these transfers, the service may be unavailable to you. For questions about international transfers, email privacy@damsora.com.
5. Your Rights
You can exercise the following rights with respect to your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data (also available directly on My Page).
- Erasure — request deletion of your account and associated data.
- Restriction — ask us to suspend processing of your data.
- Data portability — receive your data in a structured, machine-readable format (JSON/CSV). This corresponds to the right to data transfer under Korean PIPA §35-2.
- Withdraw consent — at any time for processing based on consent (e.g. marketing). Withdrawal does not affect prior processing.
- Account closure — via My Page → Account Settings.
To exercise any right, email privacy@damsora.com. We respond within 10 days where required by Korean law, and within 30 days at the latest. You may also contact the Korea Internet & Security Agency (KISA) at privacy.kisa.or.kr (call 118 from within Korea) or your local data protection authority if you wish to lodge a complaint.
5-bis. Automated Decisions and Your Rights
Pursuant to Article 37-2 of the Korean Personal Information Protection Act, we operate the following automated decisions and guarantee you the rights to refuse, demand explanation, and request human review.
1. Automated decisions in operation
- Session completion / incompletion judgement — When a session ends, a LiveKit webhook measures the time during which both participants' cameras were simultaneously active (camera overlap). If the overlap reaches 80% of the scheduled session length, the session is judged completed and the partner receives compensation. If the overlap falls below 80% or no join events were recorded, the session is judged incomplete: the learner's credit is refunded and no compensation is paid to the partner.
- 24-hour auto-finalisation — If no dispute is raised within 24 hours after a session ends, a scheduled job (cron) automatically finalises the judgement above.
- Automated no-show classification — If one party fails to join within 5 minutes of the scheduled start time, or if neither party has any join record, the session is automatically classified as a no-show based on a cross-reference of multiple sources (LiveKit webhooks, client-side telemetry, and an administrative cron job).
- Automatic credit refund / forfeiture — Based on the automated judgements above, the learner's credit is automatically refunded or kept in a forfeited state, and the partner's compensation is either paid out or withheld.
2. Your rights
- Right to refuse — refuse the application of the automated decision where it has a significant impact on your rights or obligations.
- Right to explanation — request an explanation of the criteria (e.g. the 80% overlap threshold) and the procedure used.
- Right to human intervention — request manual review by our staff.
3. How to exercise these rights
Within 24 hours of the session end, email privacy@damsora.com stating the session ID and the reason. Our staff will review the LiveKit logs and session records manually within 10 days and notify you of the outcome. Unless there is a justified reason, we will not apply the automated decision or will correct it accordingly.
6. Security Measures
- Password hashing with bcrypt (handled by Supabase Auth)
- Encryption in transit via HTTPS/TLS
- Database access control via Row Level Security (RLS); administrative service-role keys are isolated
- Card information is never stored on our servers — payment data is handled solely by Paddle
7. Cookies
We use essential cookies for login sessions and, with your consent, analytics cookies (Google Analytics). For details and how to manage your preferences (including how to opt out of behavioural tracking and reset advertising identifiers), see our Cookie Policy.
8. Children
Our service is not directed to persons under 16. We verify date of birth at sign-up and block under-16 registration. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
9. Changes to This Notice
We may update this notice to reflect changes in law or our services. Material changes will be communicated at least 30 days in advance via in-app notice or email. The latest version is always available at this page.
10. Notice for Users in Japan (日本のお客様向け)
Pursuant to the Japanese Act on the Protection of Personal Information (個人情報保護法) and the Act on Specified Commercial Transactions (特定商取引法), DAMSORA — operating from the Republic of Korea — provides the following disclosures to Japanese consumers:
- The service operator and contact information are as set out in Section 1 above.
- Payments are processed by Paddle.com Market Ltd. (UK) as Merchant of Record, including tax handling for Japanese consumption tax (消費税).
- Subscription terms, cancellation, and refund conditions are set out in the Terms of Service.
- For privacy inquiries, contact privacy@damsora.com.
日本のお客様からの個人情報に関するお問い合わせは、上記アドレスまで英語または韓国語でご連絡ください。
11. Contact
Data Protection Contact: Sehyun Park
Email: privacy@damsora.com