Privacy Policy

Effective Date: March 1, 2025

Last Modified: March 1, 2025

Privacy Policy

Thank you for using Ella. United Associates Inc. ("we" or "Company") respects your privacy and is committed to protecting your personal data as you ("you" or "User") use our Services. This Privacy Policy (this "Policy") describes how we collect, use, and handle your personal data when you use our platforms, websites, and services, including our AI Conversation Platform, Ella ("Services").

If you have any questions regarding this Policy or our privacy practices, please contact our Data Protection Department as listed in this Policy. It is crucial that you thoroughly read and understand the terms of this Policy, as it details your rights concerning your personal data under applicable data protection laws. Please note that this Policy should be read in conjunction with our Terms of Service as well as any other privacy notices we may issue in relation to specific occasions or services.

1. Collection and Use of Personal Data

Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data)

During your use of the Services or any interaction with us, we may collect and use the following types of personal data below:

Account details (such as user name, user ID, password, profile pictures, nickname, etc)

Contact information (such as email address, phone number, etc)

Basic personal information (such as name, age, gender, language, country of residence, etc)

Legal guardian information (such as name, age, contact information of the legal guardian)

Payment information (such as credit card details, bank details, etc)

Transactional information (such as details about payments made to and from you, other details of products and services you have purchased from us, etc.)

Usage information (such as information about how you use our Services, interests, preferences, feedback and survey responses, actions you take using your account, access history, record of unauthorized usages, text data, voice data etc.)

Technical information (internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device information, etc.)

Marketing and communication information (such as your communication preferences, and your preferences in receiving marketing from us, etc.)

2. Method of Personal Data Collection

We collect personal data from and about you through various methods, including:

2.1. Direct Interactions

You may provide personal data to us directly by filling out forms or communicating with us through our Services, by phone, email, or other channels. This typically occurs when you apply for our products or Services, create an account, subscribe to our updates or publications, request or consent to marketing communications, participate in competitions, events, promotions, or surveys, or when you provide feedback or contact us directly.

2.2. Automated Technologies and Cookies

As you interact with our Services, we may automatically collect technical data about your device, browsing actions, and usage patterns. This data is gathered through cookies, server logs, and other similar technologies. Cookies refer to small amounts of data that is sent by the server that operates the website or the Services on your browser, which may be stored on the hard disk of your computer. They are used to manage security measures, enhance and develop services, offer personalized Services and provide tailored advertisements through analyzing user access, such as the frequency and timing of access, identify patterns in the user's usage, track user activities, and access to security measures. You may set your browser to not accept cookies, but this may limit your ability to use the Services. We may also use third-party service providers that set cookies and similar technologies to promote our Services.

2.3. Third Parties or Publicly Available Sources

We may receive your personal data from third parties or publicly available sources.

3. Purposes of Collecting and Using Personal Data

We process your personal data as follows to facilitate your better use of our Services as follows:

3.1. Membership Registration and Management

To verify intent to register, identify and authenticate users, verify age, maintain and manage membership status, prevent unauthorized use of services, confirm parental or guardian consent for processing personal data of users under 14, and send notifications and other important communications.

3.2. Provision of Goods and Services

To deliver Services and products, provide standard and customized Services, send contracts and invoices, facilitate payment and billing, and collect debts as necessary.

3.3. Complaint Resolution

To verify the identity of users making complaints, confirm and address issues, communicate regarding investigation of issues, and notify users of results.

3.4. Marketing and Advertising

To deliver personalized advertisements, provide event information and promotional materials, and offer participation opportunities in promotional activities.

3.5. Service Improvement and Development

To enhance existing Services, develop new services, enhance AI performance, and create customized offerings based on user preferences and needs, develop Service related statistics.

4. Legal Basis for Processing Personal Data

We only collect and process your personal data when we have a lawful basis to do so. The specific legal basis depends on the context in which we process the personal data, including the Service you use and the nature of the personal data involved.

The legal bases we rely on for processing your personal data include:

4.1. Performance of a Contract

We process your personal data to fulfill our contractual obligations to you. This includes providing the Service, communicating with you regarding your use of the Service, and ensuring your compliance with our Terms of Service.

4.2. Legitimate Interests

We process your personal data when necessary for our legitimate interests or the legitimate interests of third parties, provided that such processing is not overridden by your data protection rights. This may include preventing fraud, securing our Services, protecting our legal rights, conducting market research, developing products, and for marketing purposes.

4.3. Compliance with Legal Obligations

We process your personal data to comply with applicable laws, regulations, court orders, or official requests from government or law enforcement authorities.

4.4. Consent

We process your personal data when you have provided your explicit consent, such as when you agree to receive marketing communications from us. You may withdraw your consent at any time by contacting us at our Data Protection Department.

If you wish to withdraw your consent or object to the processing of your personal data, please contact us at our Data Protection Department. If you feel your concerns have not been addressed adequately or believe we have violated applicable data protection laws, you may file a complaint with your local data protection supervisory authority.

5. Disclosure of Personal data

To provide the Services, we may share your personal data as discussed below. Please note that we will not sell your personal data to advertisers or other third parties.

5.1. Disclosure of Personal Data to a Third Party

We may engage certain third-party service providers (including, but not limited to, providers of customer support and IT services) to assist us in delivering, improving, protecting, and promoting our Services. These service providers may process your personal data on our behalf, but only to the extent necessary for the fulfillment of these business purposes. The processing of your personal data by these third parties is subject to strict contractual obligations to ensure compliance with applicable data protection laws.

More specifically, we may share your personal data with the third-party recipients listed below:

Third Party Recipient	Purpose
Amazon Web Services	- Provision of service operating environment via AWS<br>- Data Storage & Identity Verification
Google Cloud Platform	- Provision of service operating environment via GCP<br>- Data Storage and enhancement of real-time conversation experience
STRIPE	- Provision of electronic payment services
Google Play Services	- Ensuring device security and stability
OpenAI, L.L.C	- Enhancement of real-time conversation experience
Meta Platforms, Inc.	- Enhancement of real-time conversation experience
Sentry	- Automated error logging
RevenueCat	- Verification of App Store and Play Store transaction history and processing refunds
DeepL API	- Translation services
Mixpanel	- Automated user usage traction

5.2. Required Disclosure

We may disclose your personal data to third parties if we reasonably determine that such disclosure is necessary to:

Comply with any applicable law, regulation, legal process, or government request;

Protect the safety or life of any individual;

Prevent fraud or abuse of the Company's Services or protect our users;

Safeguard the rights, property, safety, or interests of the Company or our users; or

Perform a task carried out in the public interest.

6. Transfer of Your Personal Data Overseas

To provide you with the Services, we may store, process, and transmit your personal data in the Republic of Korea or other locations outside your country. Data may also be stored locally on the devices you use to access the Services. When we transfer your personal data outside, we will ensure that the transfer complies with applicable data protection laws by implementing appropriate safeguards such as those provided under the GDPR as follows or other legally recognized mechanisms.

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

Where we use certain service providers, we may use standard contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.

7. Measures to Protect Your Personal Data

Safeguarding your personal data is a top priority and a responsibility we take seriously. We are committed to ensuring the security of your personal data and regularly test for vulnerabilities in our Services. To prevent accidental loss, unauthorized access, use, alteration, or disclosure of your personal data, we employ robust security measures designed to protect your information at all times.

Our comprehensive security measures include:

7.1. Regular Internal Audits

To maintain the security of personal data, we conduct regular internal audits to evaluate and strengthen our data protection practices.

7.2. Minimization and Training of Data Handling Staff

We restrict access to personal data to designated employees only and limit the number of personnel involved in handling personal data. These individuals receive regular training on data protection and security.

7.3. Technical Safeguards Against Hacking and Viruses

To protect against data breaches from hacking or malware, we have installed security programs that are regularly updated and monitored. Systems are housed in secured zones with limited external access, protected through both technical and physical barriers to monitor and prevent unauthorized entry.

7.4. Data Encryption

User personal data, including passwords, is encrypted during storage, allowing only the user to access this information. For critical data, we use additional security measures such as file encryption, secure transmission, and file locking.

7.5. Access Logs and Tamper Prevention

Access logs to our data processing systems are retained for a minimum of one year (or two years for systems processing data of 50,000 or more subjects, unique identifiers, or sensitive data). We employ security functions to prevent tampering, theft, or loss of these records.

7.6. Access Restriction

We control access to databases containing personal data through permissions management, with processes in place to grant, modify, or revoke access as necessary. We also use intrusion prevention systems to block unauthorized external access.

7.7. Secure Storage of Physical Documents and Media

Documents and storage media containing personal data are stored in secure, locked locations with restricted access.

7.8. Controlled Physical Access

Physical locations housing personal data are secured, with entry control measures in place to prevent unauthorized access to storage facilities.

In addition to these measures, access to personal data is strictly limited to employees, agents, contractors, and third parties who have a legitimate business need to process it, and all are bound by confidentiality obligations. These individuals and entities are required to follow our instructions and are bound by strict confidentiality obligations.

In the event of a suspected data breach, we have established comprehensive procedures to promptly address and mitigate any risks. Where legally required, we will notify both you and the relevant regulatory authorities of any data breach that may impact your personal data.

8. Data Retention

We will retain your personal data only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including to comply with any legal, regulatory, tax, accounting, or reporting obligations. In certain circumstances, such as in the event of a complaint or where there is a reasonable expectation of litigation related to our relationship with you, we may retain your personal data for a longer period of time.

To determine the appropriate retention period, we take into account several factors, including the volume, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we are processing the data and whether those purposes can be achieved through other means, as well as any relevant legal, regulatory, tax, accounting, or other applicable requirements.

Subject to the foregoing, in principle, we will destruct your personal data without delay when (i) the purpose of collection and use has been achieved; (ii) you withdraw your account from the Service; (iii) the legal or management needs have been achieved; (iv) or receipt of your request for deletion.

9. Your Responsibility for Securing Personal Data

You are responsible for ensuring the security of your personal data. This includes choosing a sufficiently strong password and keeping your credentials, including your password, confidential at all times. You are also obligated to respect the privacy and personal data of others and must not infringe upon or misuse third-party personal data. Please avoid disclosing your personal data, such as your password, and refrain from actions that may harm or compromise the personal data or privacy of others.

While we employ rigorous security measures to protect your personal data, we will not be liable for any loss, unauthorized access, or misuse of your personal data that results from your own actions, such as failing to secure your account or sharing your password with others. It is your responsibility to safeguard your personal data and respect the privacy and security of others.

It is equally important that the personal data we hold about you is accurate and up to date. Please notify us promptly if any of your personal data changes during your use of our Services, to help us maintain the accuracy and integrity of the information. We will not be liable for any loss, unauthorized access, or misuse of your personal data that occurs as a result of your failure to promptly update your personal data.

10. Your Rights to Your Personal Data

You have control over your personal data and how it is collected, used, and shared by the Company. As a user of our Services, you may exercise the following rights concerning your personal data:

Right to access to personal data: You have the right to request access to the personal data we hold about you.

Right to deletion: You may request the deletion of personal data from your account or our databases.

Right to correction: You can manage your account, including editing your personal data at any time.

Right to restrict processing and objection: You may object to the processing of your personal data or request a temporary suspension or restriction of data processing.

Right to data portability: You may request the transfer of your personal data to another party.

Right to avoid automated decision-making: You may request to stop automated processing of personal data.

Right to withdraw consent: You may withdraw your consent to the processing of your personal data at any time. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal. However, withdrawing consent may limit our ability to provide certain Services to you. We will inform you if this is the case at the time of withdrawal.

To exercise any of the above rights, please contact us at our Data Protection Department. We will take appropriate action without undue delay. Note that we may deny your request if there is a legitimate reason prescribed by law.

11. Protection of Personal Data of Children

The Services provided by the Company are intended for general audiences, and we do not knowingly collect personal data from children under the age of 16 or the equivalent minimum age as defined by the laws of relevant jurisdictions. However, if we must collect personal data from children under the age of 16 (or the equivalent minimum age in the relevant jurisdiction) for unavoidable reasons, we will take additional steps to ensure the protection of that personal data, including:

Verification: We will make reasonable efforts to verify that the individuals are children of an age requiring parental or guardian consent, and that the person providing consent is authorized to do so.

Parental Consent: We will obtain verifiable consent from the parent or legal guardian before collecting personal data or providing services directly to children.

Parental Notification: We will provide parents or guardians with notice of this Policy, detailing the types of personal data collected, the purpose of collection, and any sharing of the data.

Parental Rights: We will grant parents or guardians the right to:
- Access their child's personal data;
- Request correction or deletion of their child's personal data;
- Request the suspension of processing their child's personal data;
- Withdraw their consent for the processing of their child's personal data.

Data Minimization: We will collect only the personal data necessary for the provision of our Services.

12. Region Specific Notices

Out of respect for your privacy, we have implemented additional measures to comply with the obligations and rights associated with the collection of personal data as dictated by the laws governing the regions of our users.

12.1. Disclosures for residents of the EU/EEA

If you are a resident of the European Union ("EU") or the European Economic Area ("EEA"), you have certain rights in relation to your personal data based on the GDPR that we comply with as part of our commitment to your privacy. Unless otherwise expressly stated, all terms in this section have the same meaning as defined in the GDPR.

Right to withdraw consent: You have the right to withdraw consent where you have previously given your consent to the processing of your personal data. To the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

Right to access: You have the right to learn if your personal data is being processed by us, obtain disclosure regarding certain aspects of the processing, and obtain a copy of your personal data undergoing processing.

Right to rectification: You have the right to verify the accuracy of your information and ask for it to be updated or corrected. You also have the right to request us to complete the personal data you believe is incomplete.

Right to object to the processing: You have the right to object to the processing of your information if the processing is carried out on a legal basis other than consent. Where personal data is processed for the public interest, in the exercise of an official authority vested in us, or for the purposes of the legitimate interests pursued by us, you may object to such processing by providing a ground related to your particular situation to justify the objection. You must know that, however, should your personal data be processed for direct marketing purposes, you can object to that processing at any time without providing any justification.

Right to restrict processing: You have the right, under certain circumstances, to restrict the processing of your personal data. These circumstances include: the accuracy of your personal data is contested by you and we must verify its accuracy; the processing is unlawful, but you oppose the erasure of your personal data and request the restriction of its use instead; we no longer need your personal data for the purposes of processing, but you require it to establish, exercise or defend your legal claims; you have objected to processing pending the verification of whether our legitimate grounds override your legitimate grounds. Where processing has been restricted, such personal data will be marked accordingly and, with the exception of storage, will be processed only with your consent or for the establishment, to exercise or defense of legal claims, for the protection of the rights of another natural, or legal person or for reasons of important public interest.

Right to delete: You have the right, under certain circumstances, to obtain the erasure of your personal data from us. These circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure such as where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, to exercise or defense of legal claims.

Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance from us, provided that such transmission does not adversely affect the rights and freedoms of others.

Right to complaint: You have the right to complain to a data protection authority about our collection and use of your personal data. If you are not satisfied with the outcome of your complaint directly with us, you have the right to lodge a complaint with your local data protection authority.

12.2. Disclosures for residents of the California

If you are a resident of California, you have certain rights and we aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data. This supplemental section, together with other relevant sections of the Policy, provides information about your rights and how to exercise them under the California Consumer Privacy Act and the California Privacy Rights Act (collectively, "CCPA"), and any and all regulations arising therefrom. Unless otherwise expressly stated, all terms in this section have the same meaning as defined in the CCPA.

Right to know and right to access: You have the right to request certain information we have collected about you. Once we receive and confirm a verifiable request from you, we will disclose to you, to the extent permitted by law:
- The categories of personal data we collected about you.
- The purposes the categories of personal data are collected or used for.
- The specific pieces of personal data we hold about you.
- The categories of sources from which Information about you is collected.
- The purposes for collecting, selling, or sharing your personal data.
You have the right to request that the personal data is delivered in a format that is both portable and easily usable, as long as it is technically possible to do so.

Right to correct: You have the right to request that we correct your inaccurate personal data taking into account the nature of the personal data and the purposes of the processing of the personal data.

Right to delete: You have the right to request deletion of your personal data.

Right to opt-out of the sale and sharing: You have the right to opt-out of the sale of your personal data which may include selling, disclosing, or transferring personal data to another business or a third-party for monetary or other valuable consideration.

Right to limit the use of your personal data, including any sensitive personal data: You have the right to restrict our use of your personal data and disclosure solely to what is essential for carrying out or delivering the Services or operating the Website in a manner reasonably anticipated by an average user, or for certain business objectives as specified by law. However, we do not use personal data for any purposes other than those legally permitted or beyond the scope of this Privacy Policy.

Right to non-discrimination: You have the right to not be discriminated against in the Services or quality of Services you receive from us for exercising your rights. We may not, and will not, treat you differently because of your data subject request activity, or charge different rates for goods or Services, or suggest that we would treat you differently because of your data subject request activity.

Shine the Light: California residents that have an established business relationship with us have the right to know how their personal data is disclosed to third parties for their direct marketing purposes under California's "Shine the Light" law, or the right to opt out of such practices.

To exercise any of your rights, simply contact us using the details below. After we receive and verify your request, we will process it to the extent possible within our capabilities.

13. Contact Information

If you have any questions about this Policy or our privacy practices, please contact our Data Protection Department in the following ways:

Attention: Daewon Lim
Email address: support@ella.school
Postal address: 14F Frontone, 122 Mapo-daero, Mapo-gu, Seoul, Korea 04213

If they cannot answer your question, you have the right to contact your local data protection supervisory authority.

14. Changes to the Privacy Policy

We reserve the right to revise this Policy from time to time. In the event of any changes, we will provide notice by posting the updated policy on our Services or through other appropriate means, such as email notifications or a pop-up screen requesting acceptance when you sign in.