Privacy Policy

Elicova (hereinafter "the Company"), a sole proprietorship in the Republic of Korea, is committed to protecting Members' personal information in compliance with the Personal Information Protection Act of Korea and other applicable laws. This Privacy Policy describes how the Company collects, uses, stores, and disposes of personal information when Members use the Mathiter website (mathiter.com), web and mobile applications, the Mathiter Tutoring service, and all related products and services (collectively, the "Service").

1.1 Information You Provide

• Account information (required): Email address, password (stored encrypted), name/nickname, grade or learning stage, optional profile image.
• Parent account information (Mathiter Tutoring): Parent's name, mobile number, email, and relationship to the student.
• Payment information: Billing key issued by our payment processor (Toss Payments), last 4 digits of card, card issuer. The Company does not store full card numbers, CVC, or expiration dates.
• Learning data: Diagnostic test results, problem-solving history, learning progress, AI coaching interactions, notes, and weak-topic analysis.
• Mathiter Tutoring enrollment process data: Consultation notes, learning goals, session schedules, parent reports.
• Communications: Customer support messages, feedback, survey responses.

1.2 Information Collected Automatically

• Device/access information: IP address, device type, OS, browser, language settings, access time and duration.
• Usage data: Pages visited, features used, click and navigation paths, learning session statistics.
• Cookies and similar technologies: See Section 7 for details.

1.3 Information from Third-Party Authentication

If you sign up or log in through Google, Apple, or similar services, we may receive basic profile information (name, email) from those services.

The Company uses the information collected for the following purposes:

• Service delivery: Member authentication, payment processing, learning content delivery, 1:1 video session operation, parent dashboard display.
• Personalized learning: Curriculum recommendation based on diagnostic results, AI coaching, weak-topic analysis.
• Billing and settlement: Post-cycle automatic charging, recurring subscription renewal, refund processing, cash receipt issuance.
• Customer support: Inquiry responses, payment-failure and refund notifications, service-change announcements.
• Service improvement: De-identified, aggregated learning-pattern analysis to improve content and features.
• Legal compliance: Monthly tutoring fee reporting under Korean law, tax record keeping, dispute resolution.

Important: The Company does not use Member personal learning data or AI interaction data to train third-party AI models.

The Company retains personal information until the collection/use purpose is fulfilled or the Member terminates the account, except as noted below.

3.1 General Retention

• While the account is active: Account information, learning data, and payment information are retained in an active state.
• Upon account termination: Identifying information is deleted immediately, except items with statutory retention periods (separately stored and disposed of upon expiration).

3.2 Learning Data Retention After SaaS Downgrade

When a paid subscription is downgraded to free tier due to payment failure or other reasons, learning data is processed as follows:

• Day 7 ~ Day 37 (30 days): Data retained as-is, accessible within free-tier limits.
• Day 37: Data enters dormant state with "90 days remaining for recovery" notice.
• Day 67: "60 days remaining for recovery" notice.
• Day 97: "30 days remaining for recovery" final warning.
• Day 127: Backup permanently deleted. Re-subscription cannot restore data.

Members may re-subscribe before Day 127 to instantly restore all learning data.

3.3 Statutory Retention

• Act on Consumer Protection in Electronic Commerce: Contract / withdrawal / payment / delivery records — 5 years. Customer complaint and dispute records — 3 years.
• Electronic Financial Transactions Act: Payment-related records — 5 years.
• Framework Act on National Taxes: Transaction ledgers and supporting documents — 5 years.
• Act on Private Teaching Institutes: Tutoring fee reporting records (as required by the regional Education Office).
• Protection of Communications Secrets Act: Login records — 3 months.

The Company does not sell, rent, or provide Member personal information to third parties, except in the following cases:

• Member's prior consent.
• Required by law: Valid warrants, investigation cooperation requests, court orders, etc.
• Parent dashboard: For Mathiter Tutoring or linked parent-student accounts, learning progress data (scores, study time, weak areas) is displayed in the connected parent account. This is part of normal Service operation and is not deemed a third-party disclosure.
• Business transfer: In a merger, acquisition, or asset transfer, information may be transferred to the successor under the condition that this Policy continues to apply.

The Company entrusts the following processing tasks to external providers, each contractually bound by data protection obligations.

Some processors are based abroad, resulting in cross-border data transfer. See Section 8 for details.

For Members under the age of 14, the Company obtains consent from a legal representative (parent or guardian) at registration. If the Company becomes aware that it has collected personal information of a child under 14 without legal representative consent, the Company will promptly delete such information.

Legal representatives may request access, correction, or deletion of their child's personal information at any time via support@mathiter.com.

The Company uses the following types of cookies and similar technologies:

• Essential cookies: Required for authentication, session, security, and core service operation.
• Analytics cookies: Used to analyze usage patterns for service improvement.
• Preference cookies: Remember Member settings such as language and theme.

Members may decline cookies through browser settings, but blocking essential cookies may render parts of the Service unusable.

Because some of the Company's infrastructure (Google Cloud, Vercel, etc.) is hosted outside Korea, Member personal information may be transferred abroad. Details are as follows:

• Items transferred: All Member service usage data.
• Recipients: Google LLC (United States), Vercel Inc. (United States).
• Country of transfer: United States.
• Transfer method: Network transmission (encrypted).
• Retention period: Per Section 3 of this Policy.

Members may decline cross-border transfer, but doing so will prevent use of the Service.

As a data subject, you may exercise the following rights with respect to the Company:

• Right of access: Request to view personal information held by the Company about you.
• Right to correction/deletion: Request correction or deletion of inaccurate or incomplete data.
• Right to suspend processing: Request temporary suspension of data processing.
• Right to withdraw consent: Withdraw consent for collection, use, or provision of personal information.
• Right to data portability: Receive your personal information in a machine-readable format.

To exercise these rights, please contact our customer support at support@mathiter.com. The Company will process requests without undue delay after identity verification.

You may also report concerns to the Personal Information Protection Commission of Korea (privacy.go.kr) or the Korea Internet & Security Agency's Privacy Infringement Reporting Center (privacy.kisa.or.kr, dial 118).

The Company implements the following measures to protect Member personal information:

• Administrative: Minimization of personal-information handlers, access privilege management, regular security training.
• Technical: One-way password hashing (bcrypt), payment information tokenization (billing keys), TLS 1.2+ encryption in transit, database access control, regular backups.
• Physical: Data center physical security compliance by processors (Google Cloud, Vercel, etc.).

Please direct privacy-related inquiries or complaints to the officer above. The Company will respond without undue delay (within 7 business days).

The Company may update this Privacy Policy from time to time. Material changes will be announced via in-Service notice and email to registered Members at least 7 days in advance (or at least 30 days in advance for changes adverse to Members), with the "Effective Date" updated accordingly.