goorm Inc. Privacy Policy
goorm Inc. (the "Company") complies with the Personal Information Protection Act and applicable laws and regulations to lawfully process and securely manage personal information for the protection of data subjects' freedoms and rights. Pursuant to Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for the processing and protection of personal information and to handle related complaints promptly and smoothly.
A separate privacy policy applies to the Arkain service. → Arkain Privacy Policy
Article 1 (Common Processing Status)

The Company processes personal information within the scope of the purposes set forth below, and where the purposes change, the Company takes necessary measures, including obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.

A. Personal information processed without the data subject's consent

The Company processes the following items of personal information without the data subject's consent.

Legal basisPurpose of processingItems processedRetention period
Article 15(1)2 of the Personal Information Protection Act / Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc.Records of contracts or withdrawal of offersConsumer identification information, contract/withdrawal records5 years
Records of payment and supply of goods, etc.Consumer identification information, payment/supply records5 years
Records of consumer complaints or dispute resolutionConsumer identification information, dispute resolution records3 years
Article 15(1)2 of the Personal Information Protection Act / Article 15-2 of the Protection of Communications Secrets ActRetention of communications confirmation dataService-use log records, access-tracing data3 months
Article 15(1)4 of the Personal Information Protection ActAccount creation and managementEmail address, password (encrypted storage), name, nickname, profile photo (optional), phone number (optional)Until membership withdrawal
Article 15(1)4 of the Personal Information Protection ActSocial login integration (Google, Kakao, Naver, GitHub, Bitbucket, Payco)Social account unique identifier (Provider User ID), email address, profile information (nickname/display name, profile photo)Until membership withdrawal
Article 15(1)4 of the Personal Information Protection ActIdentity verification and age verificationName, date of birth, gender, phone numberUntil completion of identity verification
Article 15(1)4 of the Personal Information Protection ActService provision and operation, notices and alertsService usage records (access date/time, access IP, usage history), device/browser information (OS/browser, User-Agent)Until membership withdrawal
Article 15(1)4 of the Personal Information Protection ActCustomer inquiries and complaint handlingEmail address, contact information, nickname/member information (if applicable), inquiry details, attachments, consultation/chat records3 years after completion of the inquiry
Article 15(1)4 and 15(1)6 of the Personal Information Protection ActPrevention of fraudulent useAccess IP, access date/time, device/browser information, User-Agent, cookie/session identifiers, records of fraudulent-use detection/blocking (suspension/sanction records), logs related to abnormal activity12 months from the date of membership withdrawal

B. Personal information processed with the data subject's consent

The Company processes the following items of personal information with the data subject's consent.

Legal basisPurpose of processingItems processedRetention period
Article 15(1)1 of the Personal Information Protection ActMarketing and promotionsEmail address, phone numberUntil consent is withdrawn or membership withdrawal, whichever comes first
Article 15(1)1 of the Personal Information Protection ActPersonalized recommendationsService usage records (view/click/course/learning/training history), interest/preference information (if configured), cookies/anonymous identifiers (where recommendations are provided on the web)Until consent is withdrawn or up to 1 year
Article 15(1)1 of the Personal Information Protection ActService improvement (security / incident response)Error/crash information, performance logs, network logs, access logs (IP/date and time), device/browser informationUntil consent is withdrawn or up to 1 year
Article 2 (Common Website Functions)

The Company processes personal information in connection with the following website functions.

1. Product inquiry function

This function receives, in a unified manner, inquiries regarding adoption and use of all goorm services (Exelearnce, Devth, education business/event operations, etc.).

A. Personal information processed without the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)4 of the Personal Information Protection ActReceipt and response to product adoption/use inquiries (including consultations, demos, quotes, and proposals)Name, company email address, contact information (phone number), company/institution name, company/institution type, selected service, company/institution size (optional), additional inquiry details (optional)3 years after completion of the inquiry
  • The company/institution type includes "elementary, middle, and high school," but only the institution contact person's information (adult) is collected, and students' personal information is not collected.
  • Contacts should not enter personally identifiable information that is not statistical information, such as sample student data.
  • Please do not enter resident registration numbers, health information, student personal information, or other sensitive information in the additional inquiry field.

B. Personal information processed with the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)1 of the Personal Information Protection Act / Article 50 of the Act on Promotion of Information and Communications Network Utilization and Information ProtectionSending marketing and promotional information (new products/services, updates, events/promotions, webinar/seminar invitations, case studies/reports, etc.)Company email address, contact information (phone number), name, company/institution nameUntil consent is withdrawn or an opt-out request is processed (sending records retained for 3 years for dispute resolution)
  • Even if you do not consent to receive marketing information, you will not be disadvantaged in submitting product inquiries or using the Services.
  • You may withdraw your consent to receive marketing information at any time via the unsubscribe link in the email or by contacting customer support (contact@goorm.io). Opt-out requests are reflected within 3 business days from the date of request.

2. Job application function

This function allows applicants to submit information through the website form to apply for goorm job postings.

Applicant information submitted through the website form is delivered to the Company's recruiting staff via Amazon Web Services, Inc. ("AWS") email delivery service (Amazon SES), and the information is stored in Amazon S3 located in the Korea region (Seoul, ap-northeast-2). Stored data is processed only within AWS infrastructure in Korea, and no cross-border transfer occurs.

A. Personal information processed without the data subject's consent
Legal basisPurpose of processingItems processedProcessing methodRetention period
Article 15(1)4 of the Personal Information Protection ActRecruitment screening and hiring process[Required] Name, email address, contact information (phone number), resume file (PDF) / [Optional] portfolio file (PDF), URLAWS SES (email notification) + Amazon S3 storage in the Korea region (Seoul)6 months after completion of the recruitment process

Entrustment notice:

Applicant information is entrusted to Amazon Web Services, Inc. (AWS) and stored/processed in Amazon S3 in the Korea region (Seoul), and no cross-border transfer occurs. Amazon Web Services, Inc. (AWS) is a processor under Article 26 of the Personal Information Protection Act. Applicant information is processed and stored only within Korea, and no transfer overseas occurs even when non-Korean nationals, including EEA residents, apply for jobs.

AWS Privacy Policy: https://aws.amazon.com/privacy/

Scope of processing and access rights:

Applicant information is received and viewed only by staff in the recruiting department via email.

The information is used only to the extent necessary for the recruitment process and is destroyed 6 months after completion of the recruitment process.

Applicant information is encrypted and stored in Amazon S3 in the Korea region (Seoul), and only designated recruiting staff have access rights.

B. Personal information processed with the data subject's consent

No additional consent-based personal information processing applies to the job application function.

Article 3 (Exelearnce - Online Education and Work Productivity Management)

Exelearnce is an integrated service combining the existing EDU (online education platform) and EXP (work productivity management, collaboration, points/rewards).

A. Personal information processed without the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)4 of the Personal Information Protection ActCourse registration and managementEmail address, nickname, phone number, course/product name, registration/cancellation history, course status, coupon/point usage historyUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection Act / Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc.Payment, settlement and refundOrder number, payment amount, payment method type, PG transaction number, payment approval number, payment date/time, payment status, (for refunds) refund account information (bank, account holder, account number)5 years
Article 15(1)4 of the Personal Information Protection ActContent provision (including streaming)Content usage records (view/play/download history), access records (IP/date and time), device/browser information, error/performance logsUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection ActLearning history managementProgress rate, attendance/completion status, quiz/assessment results, assignment submissions and submission logsUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection ActPrevention of fraudulent course use / fraudulent paymentAccess logs (IP/date and time), device/browser information, payment/refund history (order number, etc.), anomaly detection logs for abnormal transactions/abnormal course usage, sanction records12 months from the date of membership withdrawal
Article 15(1)4 of the Personal Information Protection ActOrganization/project collaboration featuresEmail address, nickname, organization/project participation information, work records, permission/role information, work/project activity history, communication records such as comments/mentions, attachment metadataUntil termination of the account/organization service contract
Article 15(1)4 of the Personal Information Protection ActCalculation of work productivity metrics (within the configured scope)Work/project execution data (work status, progress, completion, assigned/participation relationship), work processing event logs (creation/modification/completion history), work hours/time spent (if entered)Until termination of the service contract
Article 15(1)4 of the Personal Information Protection ActAccrual, deduction, and settlement of pointsPoint accrual/deduction history, records of reasons/basis, point balance and transaction/settlement identifiers (transaction ID), settlement history (time/status/approval/processing history), recipient identification information (account ID, email/nickname, organization ID)Until completion of settlement
Article 15(1)4 of the Personal Information Protection ActCustomer supportInquirer identification information (email, nickname, organization/project information if needed), inquiry details, consultation/handling history, attachmentsUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection ActAI goormee learning guide and learning plan supportNickname/email (account identifier), learning history (course history, progress rate, completion status), user input text (learning questions / request text)Until termination of the service contract
Article 15(1)4 of the Personal Information Protection ActLLM-based test executionEmail/account identifier, evaluation session identifier, user-input prompt (task response), AI response content (processing result), evaluation score/result/historyUntil membership withdrawal
  • When using AI goormee, the content entered by the user and learning context information are transmitted to OpenAI, L.L.C. and processed by the GPT-4o model (see Articles 9 and 10).
  • When using the LLM-based test, the content entered by the user is transmitted to OpenAI, L.L.C. (ChatGPT), Anthropic PBC (Claude), and Google LLC (Gemini) and used for LLM capability assessment (see Articles 9 and 10).

B. Personal information processed with the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)1 of the Personal Information Protection ActMarketing and promotionsEmail address, phone numberUntil consent is withdrawn or membership withdrawal
Article 15(1)1 of the Personal Information Protection ActPersonalized recommendationsService usage records (view/click/course/learning/training history), interest/preference information (if configured), cookies/anonymous identifiersUntil consent is withdrawn or up to 1 year
Article 15(1)1 of the Personal Information Protection ActService improvement (security / incident response)Error/crash information, performance logs, network logs, access logs (IP/date and time), device/browser informationUntil consent is withdrawn or up to 1 year
Article 15(1)1 of the Personal Information Protection ActOrganization/project collaboration features (additional information)Organization information (department, job role, position), name, profile photo, employee ID number where applicable for internal identificationUntil termination of the account/organization service contract
Article 15(1)1 of the Personal Information Protection ActProvision of rewards (mobile coupons / product delivery)Recipient information (name, contact information, address or mobile coupon delivery information), reward dispatch/delivery history (dispatch date/time, carrier/channel, tracking number or coupon dispatch identifier), receipt/use confirmation information (success/failure, redelivery history)Until completion of reward provision
Article 4 (LEVEL - Coding Training / Challenges / Level Assessment)
A. Personal information processed without the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)4 of the Personal Information Protection ActProblem solving / scoring, training, result generation (scores and levels)Email address, nickname, score, level, submitted code, solution logs, access records (IP/date and time), device/browser information, problem-solving metadataUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection ActChallenge operationEmail address, nickname, participation history, team/affiliation information, ranking, challenge results, and, where rewards exist, points/payment historyUntil membership withdrawal
Article 15(1)4 of the Personal Information Protection ActDetection of fraudulent conductAccess logs (IP/date and time), device/browser information, detection results based on submitted code/solution logs, sanction records12 months from the date of membership withdrawal

B. Personal information processed with the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)1 of the Personal Information Protection ActService quality improvementUsage records (visits/clicks/sessions), cookies/identifiers, error/performance logsUntil consent is withdrawn or up to 1 year
Article 15(1)1 of the Personal Information Protection ActPublic display of ranking/profileNickname, profile photo, score/level/ranking, public visibility settingsUntil visibility is turned off or membership withdrawal
Article 5 (Devth - Corporate/Institutional Recruitment Coding Test Inquiries)
A. Personal information processed without the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)4 of the Personal Information Protection ActManagement of corporate customer administrator accounts and contractsCompany name, contact person's name, company email, contact information, position/department (if applicable), contract/plan information, billing-related information5 years after contract termination
Article 15(1)4 of the Personal Information Protection ActCustomer supportCompany email, contact person's name, contact information, inquiry details, consultation/chat records, attachments3 years after completion of the inquiry
Article 15(1)4 of the Personal Information Protection ActLLM-based test executionEmail/account identifier, evaluation session identifier, user-input prompt (task response), AI response content (processing result), evaluation score/result/history5 years after contract termination
  • When using the LLM-based test, the content entered by the user is transmitted to OpenAI, L.L.C. (ChatGPT), Anthropic PBC (Claude), and Google LLC (Gemini) and used for LLM capability assessment (see Articles 9 and 10).

B. Personal information processed with the data subject's consent
Legal basisPurpose of processingItems processedRetention period
Article 15(1)1 of the Personal Information Protection Act / Article 50 of the Act on Promotion of Information and Communications Network Utilization and Information ProtectionSending marketing and promotional information (new products/services, updates, events/promotions, webinar/seminar invitations, case studies/reports, etc.)Company email, contact information (phone number), name, company/institution nameUntil consent is withdrawn or an opt-out request is processed (sending records retained for 3 years for dispute resolution)
  • For product adoption/use inquiries, please also refer to Article 2, Section 1 (Product inquiry function). Even if you do not consent to receive marketing information, you will not be disadvantaged in submitting product inquiries or using the Services.
Article 6 (Information Automatically Collected During Service Use)

The Company may automatically collect the following information for service operation, security and quality improvement purposes:

  • Access IP address, access date and time, service usage records, access logs, cookies
  • Records of fraudulent use, browser type, device information (OS/version, screen resolution, etc.), User-Agent
  • Error/crash information, performance logs, network information
※ Internet log records and access tracing data among communications confirmation data under Article 41 of the Enforcement Decree of the Protection of Communications Secrets Act are retained for 3 months (see Article 1).
Article 7 (Use of Cookies and Online Behavioral Information)
1. Cookie use

The Company may use cookies and similar technologies to maintain login sessions, configure the user environment, improve service quality, analyze statistics, and enhance security.

Examples of collectable items: cookies, access/use records (visits/clicks/sessions), IP address, User-Agent, OS/browser information, network/error/performance logs, anonymous user identifiers, etc.

TypePurposeRetention period
Essential cookiesLogin maintenance, session managementUntil the end of the session or for a short period
Functional cookiesSaving settingsUp to 1 year
Analytics cookies/SDKsUsage statistics and feature improvementUp to 1 year with consent

Users may refuse or delete cookie storage through browser/device settings, and blocking essential cookies may limit the use of some features such as login.


2. Online behavioral information collection

The Company may collect and process online behavioral information based on the data subject's consent, as follows:

Legal basisInformation collectedCollection methodPurpose of collectionRetention period
Article 15(1)1 of the Personal Information Protection ActOnline identifiers (cookie IDs, SDK/app instance IDs, advertising identifiers such as ADID/IDFA, anonymous user identifiers) / access and usage records (visit/click/view/session/search/conversion (purchase/application) events) / device/access information (IP, User-Agent, OS/browser information) / performance/security logs (error/network/performance logs)Automatically collected via cookies, SDKs, pixels/scripts, and logs during the user's use of the web/appPersonalized ads/benefits, interest-based content/feature recommendations, campaign performance measurement (conversion tracking), service usage statistics and quality improvement, security enhancement and detection of fraudulent useDestroyed immediately after retention until consent is withdrawn or up to 1 year, whichever comes first

Where online behavioral information is processed through third-party analytics tools, the Company provides prior notice and, where required by law, consent and opt-out methods.

Article 8 (Provision of Personal Information to Third Parties)

The Company does not provide personal information to third parties without the data subject's consent. However, it may provide personal information where there is a legal basis or where the data subject has consented.

ServiceRecipientPurposeItems providedRetention / use period
ExelearnceSimple payment service providerPayment processingPayment-related information (order number, amount, etc. minimum necessary information)Until completion of payment processing; statutory retention period applies where required by law
ExelearnceReward delivery partner (mobile coupon / shipping)Coupon issuance / deliveryRecipient information (name/contact/address)Until completion of reward provision; if there is a dispute such as misdelivery, redelivery, or refund, until the dispute is resolved
Article 9 (Entrustment of Personal Information Processing)

The Company may entrust personal information processing to external processors for smooth service provision, and where it does so, it implements contractual safeguards and management/supervision measures in accordance with Article 26 of the Personal Information Protection Act.

ProcessorApplicable servicesEntrusted tasks
Amazon Web Services, Inc. (AWS)CommonCloud infrastructure / storage / operation
MongoDB, Inc.CommonStorage and management of customer/member data
Channel Corporation (Channel Talk)CommonCustomer consultation / chat functions
NITsoft Co., Ltd. ("Munjaswa")CommonSending notifications / alerts (SMS)
Stevie Co., Ltd.CommonSending notifications / alerts (email)
OpenAI, L.L.C.Exelearnce (AI goormee, LLM-based test), Devth (LLM-based test)AI response generation
Anthropic PBCExelearnce (LLM-based test), Devth (LLM-based test)AI response generation
Google LLC (Gemini)Exelearnce (LLM-based test), Devth (LLM-based test)AI response generation
Microsoft CorporationAI-enabled servicesAI response generation / platform provision
Naver Pay Co., Ltd.ExelearncePayment processing (simple payments)
NHN Payco Co., Ltd.ExelearncePayment processing (card/mobile/simple payments)
Danal Co., Ltd.ExelearncePayment processing (card/mobile)
Toss Payments Co., Ltd.ExelearncePayment processing (card/mobile)
Coupang Corp.ExelearnceReward issuance / delivery
KT alpha Co., Ltd.ExelearnceReward issuance / delivery
Article 10 (Cross-Border Transfer of Personal Information)

The Company may transfer personal information overseas for the provision and operation of the Services, and in such cases, in accordance with Article 28-8 of the Personal Information Protection Act, it provides notice of the recipient, items transferred, purpose, country, time/method of transfer, retention period, and method of refusal, and obtains consent where required.

Recipient (contact)Destination countryTime / method of transferItems transferredPurposeRetention / use period
AWS (privacy@amazon.com)United States (Oregon), India (Mumbai), Germany (Frankfurt)Network transmission and storage during use of the ServicesService data / logs (may include personal information)Infrastructure operationUntil purpose is achieved or until service termination / user request
MongoDB, Inc. (privacy@mongodb.com)United StatesNetwork transmission and storage during use of the ServicesAccount / usage data (may include personal information)DB operationUntil purpose is achieved or until service termination / user request
OpenAI, L.L.C. (privacy@openai.com)United StatesAPI transmission when AI features are usedAI goormee: user input content and learning context / LLM-based test (Exelearnce, Devth): user-input prompts and task responsesAI model inference (response generation), LLM capability assessmentDestroyed after API processing is completed (subject to OpenAI service policy)
Anthropic PBC (privacy@anthropic.com)United StatesAPI transmission when AI features are usedLLM-based test (Exelearnce, Devth): user-input prompts and task responsesAI model inference (response generation), LLM capability assessmentDestroyed after API processing is completed (subject to Anthropic service policy)
Google LLC (privacy@google.com)United StatesAPI transmission when AI features are usedLLM-based test (Exelearnce, Devth): user-input prompts and task responsesAI model inference (response generation), LLM capability assessmentDestroyed after API processing is completed (subject to Google service policy)

If you do not wish your personal information to be transferred overseas, you may refuse to use the relevant function or restrict it via related settings. However, where cross-border transfer is essential for providing the Services, your use of the Services may be limited.

For personal information of data subjects subject to the GDPR (EEA, etc.) that is transferred overseas, the Company applies valid transfer mechanisms such as Standard Contractual Clauses (SCCs).

When processing personal information in connection with generative AI, the Company strengthens purpose specification, data minimization, safeguards, and governance with reference to guidelines issued by supervisory authorities including the Personal Information Protection Commission of Korea.

Article 11 (Pseudonymized Information)

The Company may process pseudonymized information for statistical purposes, service improvement, and quality enhancement pursuant to Article 28-2 of the Personal Information Protection Act.

CategoryDetails
PurposeService usage statistics, quality improvement, feature stabilization
ItemsUsage records (access/click/session, etc.), service usage behavior data (only where pseudonymized)
Retention periodUntil the purpose is achieved (for statistical purposes, up to 3 years, after which it is destroyed or re-pseudonymized)
SafeguardsSeparate storage of additional information, minimization of access rights, anti-reidentification measures
Article 12 (Destruction of Personal Information)
  • Where personal information becomes unnecessary due to expiration of the retention period or achievement of the processing purpose, the Company destroys it without delay.
  • Where continued retention is required by law, the relevant personal information is stored separately in a separate DB and is not used for purposes other than those permitted by law.

Destruction methods

  • Electronic files: permanently deleted in a manner that makes recovery or restoration impossible
  • Paper documents: shredded or incinerated
Article 13 (Security Measures to Protect Personal Information)

The Company implements the following protective measures in accordance with Article 29 of the Personal Information Protection Act, Article 30 of its Enforcement Decree, and the Personal Information Protection Commission's Notice on Security Measures for Personal Information:

  • Administrative measures: establishment and implementation of internal management plans, minimization of access rights, regular training, self-inspections, management/supervision of processors
  • Technical measures: access control / permission management, retention of access logs and prevention of tampering, encryption (in transit / at rest), security programs, vulnerability checks, intrusion prevention and detection
  • Physical measures: access control to server rooms / storage rooms, locking devices, separate storage of critical data
Article 14 (Rights and Obligations of Data Subjects and How to Exercise Them)
1. Rights of data subjects

Data subjects may exercise the following rights at any time:

  • Request access to personal information
  • Request correction where errors exist
  • Request deletion (may be limited where there are legitimate grounds such as statutory retention obligations)
  • Request suspension of processing
  • Withdraw consent (including consent to optional items)
  • Exercise rights under the Personal Information Protection Act, including the right to object to or request an explanation of automated decisions
2. How to exercise rights and contact points
  • Via in-service settings menu (where provided)
  • By written request, email, phone, or customer support

Contact

  • Address: 9F, PDC A-dong, 242 Pangyoro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
  • Phone: 031-600-8586
  • Email: contact@goorm.io

The Company will generally take action and notify the result within 10 days of receiving a request. However, the period may be extended within the limits permitted by law.

3. Exercising rights through a representative

A legal representative or authorized agent may exercise rights by submitting a power of attorney and supporting documents in accordance with Form No. 11 of the Enforcement Rule of the Personal Information Protection Act.

Article 15 (Personal Information of Children Under 14)

The Company, in principle, does not provide services to children under 14 years of age and does not intend to directly collect or use personal information of children under 14.

Whether children's information is collected
  • The Company, in principle, does not collect date of birth or other age-verification information during service provision.
  • Because the Company does not have a system that automatically and uniformly determines users' ages, it is difficult to identify a user's age in advance.
  • Although "elementary, middle, and high school" is included as a company/institution type in the product inquiry function, only institution contact information (adults) is collected, and students' personal information is not collected.
Service policy restrictions for children
  • The Services may be used by educational institutions (schools, etc.) and teachers who create and assign student accounts.
  • Where an educational institution or teacher provides students' personal information to the Company or causes the Company to process such information, the institution/teacher must secure a lawful basis for processing in accordance with applicable laws (including, where necessary, consent from a legal representative).
  • The Company may require this through contracts, terms of use, or operational guidelines.
Company obligations as a processor
  • Where an educational institution uses the Company's Services to create and manage student accounts, this constitutes entrustment of personal information processing, and the Company, as a processor, is subject to Article 26(8) and Article 22-2 of the Personal Information Protection Act. Accordingly, the provisions regarding the protection of children's personal information also apply to the Company.
  • The educational institution, as the personal information controller, must primarily obtain consent from the student (or legal representative) or otherwise secure a lawful basis for collecting and using children's personal information. The educational institution may also entrust consent collection to the Company.
  • If the educational institution entrusts student personal information to the Company without lawful consent, the Company may also bear responsibility as a processor. In such cases, the Company will request confirmation of the lawful basis from the educational institution and may restrict the relevant account if necessary.
Measures when children's information is detected
  • If the Company becomes aware, through inquiry, report, authority request, or internal verification, that a particular user is a child under 14 or that personal information of a child under 14 is being provided or processed, the Company may request confirmation of the lawful basis.
  • If confirmation is difficult or required measures are not taken, the Company will restrict use of the relevant account (suspension/blocking) and delete the relevant personal information (or separate it and destroy it later), or take other necessary measures.
Rights of legal representatives
  • Legal representatives may exercise rights such as access, correction, deletion, and suspension of processing with respect to the child's personal information.
  • The procedure for exercising rights follows Article 14 of this Privacy Policy.
  • For educational institution administrator accounts, confirmation via the educational institution may be required for smooth processing.
Article 16 (Personal Information Protection Officer and Complaint Handling)

The Company designates the following person(s) to oversee matters related to personal information processing and to handle inquiries, complaints, and requests for relief from data subjects.

Chief Privacy Officer (CPO)

ItemDetails
NameGwak Kyung-ju
PositionCPO (Chief Privacy Officer)
Emailcontact@goorm.io
Contact031-600-8586
Address9F, PDC A-dong, 242 Pangyoro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea

Personal Information Protection Department

ItemDetails
DepartmentCyber Security Team
Emailcontact@goorm.io
Contact031-600-8586
Address9F, PDC A-dong, 242 Pangyoro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
Article 17 (Remedies for Infringement of Rights)

Data subjects may seek consultation or dispute resolution from the following organizations in relation to personal information infringement:

  • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
  • Personal Information Infringement Report Center (Korea Internet & Security Agency): 118 (without area code) (privacy.kisa.or.kr)
  • Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr)
  • National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)