Privacy Policy (Free Beta)

Announced: June 28, 2026

Effective: July 1, 2026

Sangjun Song (the "Operator") complies with the Korean Personal Information Protection Act (PIPA) and other applicable laws when operating the Sooda free beta. This Policy applies during the beta period from July 1 through September 30, 2026.

1. Personal Information Processed

Required at sign-up

  • Email address, one-way password hash, display name, English name (if entered), and time zone
  • Consent timestamps and document versions for the Terms, privacy processing, age 18 confirmation, international transfer, and Community Guidelines acknowledgement

Teacher applications

  • Introduction, languages, Korean native-speaker status, and profile photo (if uploaded)
  • Timestamp and document version of the Teacher Beta Participation Agreement

Generated through use

  • Booking counterpart, booking and lesson times, booking status, video-room identifiers, and connection records
  • Timestamp and document version of consent to share information with the booking counterpart

Generated or collected automatically

  • IP address, access and security logs, device/browser information, and essential authentication cookies/session data

Video lessons

  • Audio and video are used for real-time transmission. Sooda does not provide recording and the Operator does not record or store lesson content. The video provider may process technical connection and security logs.

The beta has no payment feature and does not collect card, bank-account, payment, or settlement information.

2. Purposes

  • Account registration, login, and identification
  • Teacher review, profile display, lesson booking/connection, and notification emails
  • Service operation, troubleshooting, security, and abuse prevention
  • Beta improvement, legal compliance, and dispute response

3. Retention

CategoryRetention period
Account, profile, and teacher-application dataUntil account deletion or within 30 days after the beta ends
Booking and consent recordsWithin 30 days after the beta ends. On account deletion, direct identifiers are promptly anonymized; pseudonymous identifiers needed for booking integrity and proof of consent remain until then
Access and security logsUntil the security purpose is met or for the period in each processor's published retention policy
Lesson audio/videoNot stored after real-time transmission

Where law requires retention or an actual dispute is pending, only necessary information is separately retained until the obligation or dispute ends and is then deleted. Because the beta has no paid transactions, payment and settlement records under e-commerce law are not created.

4. Information Shared with Other Users and Public Visitors

The following information is shared to connect 1:1 lessons:

RecipientPurposeItemsRecipient's use periodEffect of refusal
Booked teacherPrepare and conduct the lesson; identify the counterpartStudent display name, profile photo (if any), and time zoneFor the lesson and beta operation; the teacher must not separately retain it after the lesson purpose endsCannot book
Booking studentSelect, prepare, and conduct the lesson; identify the counterpartTeacher display name, profile photo (if any), and time zoneFor the lesson and beta operation; the student must not separately retain it after the lesson purpose endsCannot participate as a teacher
Service visitors, including non-membersIntroduce and select teachersTeacher display/English name, introduction, languages, native-speaker status, and profile photoUntil the profile is hidden/deleted or the beta endsCannot participate as a teacher

Separate consent for sharing student information is obtained on the booking screen. Teacher disclosure and public display are separately accepted in the Teacher Beta Participation Agreement. The Operator otherwise does not disclose personal information to third parties without consent unless specifically authorized by law.

5. Processing Vendors

ProcessorWorkMain data processedData storage/processing location
Supabase, Inc.Authentication, database, file storage, authentication emailAccount, profile, teacher application, booking and consent records, avatarStored in the Republic of Korea (Seoul, ap-northeast-2)
Vercel Inc.Web hosting, delivery, and securityIP, request/access logs, device/browser informationUnited States
Daily.co, Inc.Real-time videoUser identifier/display name, room metadata, real-time audio/video, connection logsUnited States
Plus Five Five, Inc. (Resend)Service notification emailRecipient email, name, booking time/link, message content and delivery recordsUnited States

The Operator manages vendors so they process data only within the outsourced purpose. The account, profile, booking, and consent data stored by Supabase resides in the Republic of Korea (Seoul) region, so the storage itself is not an international transfer. However, Supabase, Inc. (U.S.) may access it remotely from the U.S. for operation and support, and that access scope is also listed in Section 6. Vercel, Daily, and Resend process data in the U.S. and are transferred internationally under Section 6. There is no payment processor in the beta.

6. International Transfers

Based on separate consent under PIPA Article 28-8(1)(1), the Operator transfers data as follows. The data stored by Supabase resides in the Republic of Korea (Seoul) region, so the storage itself is not an international transfer; the Supabase row below covers only Supabase, Inc.'s operation/support remote access from the U.S.

Recipient/contactPurpose and itemsCountriesTiming/methodRetention
Supabase, Inc. · privacy@supabase.comRemote access for operation, incident response, and support / account, profile, teacher application, booking, consent, avatar (stored in Seoul, Korea)U.S. (data storage region: Seoul, Korea)Remote access when operation/support is neededOperator-controlled data deleted upon account deletion or within 30 days after beta closure; backups/security logs deleted on the processor's cycle
Vercel Inc. · privacy@vercel.comHosting/security / IP, request/access logs, device/browserUnited StatesEncrypted network transfer on accessUntil service/security purpose is met or under the processor's retention policy
Daily.co, Inc. · privacy@daily.coVideo connection / identifier, display name, room metadata, real-time audio/video, connection logsUnited StatesEncrypted real-time transfer when a room is created or joinedAudio/video is not recorded; room/connection data remains until purpose completion or under the processor's retention policy
Plus Five Five, Inc. (Resend) · privacy@resend.comNotification email / address, name, booking time/link, content, delivery recordUnited StatesEncrypted network transfer when sending a noticeUntil email-delivery purpose is met or under the processor's retention policy

These vendors may use subprocessors, whose locations are published by each: Supabase · Vercel · Daily · Resend.

You may refuse international-transfer consent. These providers are essential to registration, authentication, hosting, video, and notices, so refusal prevents sign-up and use. Before sign-up, refuse by leaving the box unchecked; afterward, request withdrawal or processing suspension at the email below. Withdrawal may end your use and does not affect lawful processing before withdrawal or data that law requires to be retained.

If a provider or material transfer detail changes, this Policy will be updated before the change and new consent will be obtained where required.

7. Your Rights

You may request access, correction, deletion, suspension, or withdrawal of consent. Profile updates and account deletion are available in My Account. Send other requests to kedu202606@gmail.com; the Operator will verify identity and respond without undue delay.

You can delete or block essential authentication cookies/session storage in your browser, but login and core features may stop working.

8. Age Restriction

Only users aged 18 or older may register and use the Service.

9. Beta Closure and Deletion

Within 30 days after the beta ends, the Operator will delete or irreversibly anonymize Operator-controlled accounts, profiles, bookings, avatars, and consent records. They will not automatically migrate to a full service. Processor backups and security logs may be deleted progressively under each processor's retention cycle while access remains restricted. Information strictly necessary for a legal retention duty or pending dispute is separately retained only as described in Section 3.

10. Security Measures

Measures include one-way password hashing, HTTPS, row-level security (RLS), least-privilege access, file type/size/path restrictions, and protection of consent records.

11. Privacy Officer

12. Changes

The effective date and changes will be posted in the Service. Material changes affecting user rights will be announced in advance, and renewed consent will be obtained where required by law.