Privacy Policy
Last updated: May 21, 2026
HeyJames Inc. (the "Company") complies with the Personal Information Protection Act (PIPA), the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other applicable Korean laws regarding the protection of personal information. This Privacy Policy applies to the heyjames service operated by the Company (including https://heyjames.ai).
1. Personal Information Collected and Methods of Collection
A. Items Collected
At sign-up (required):
- Email address, password (stored as a one-way hash), name
When using social login (Google):
- Email, name, profile image URL, social provider identifiers (provider, uid)
When paying for courses, membership, consulting, or sprint:
- Payment authorization result, card brand, masked card number (e.g., 1234-****-****-1234), payment identifiers (orderId, paymentKey), and billing key for membership recurring payments. Full card numbers, CVC, and passwords are not stored by the Company and are processed by Toss Payments.
When using AI chatbot and AI features:
- Text entered by the user (questions/prompts), session identifiers, and response output. Conversation content is transmitted to external AI APIs (Anthropic, OpenAI) to generate responses.
When contacting support or applying for 1:1 consulting:
- Name, email, phone (optional), inquiry content, pre-consulting Q&A responses (qa_history), and business idea description (for sprint applications)
When applying as a sub-merchant (/toss):
- Business name, business registration number, contact name, contact email, contact phone, website URL, monthly transaction volume, payment methods
When completing the post-signup survey (optional):
- Age range, current status/role, experience level, technical background, learning goals, income preferences, pain points, referral source
Automatically collected during service use:
- IP address, User-Agent (browser/OS), cookies and visitor identifiers, visit timestamps, pages visited, referrer, service usage records, and records related to fraud or abuse
B. Methods of Collection
- Direct input by the user during sign-up, payment, inquiries, and other service usage
- Automated collection via cookies, server logs, and similar tools
2. Purposes of Collection and Use
The Company uses collected personal information for the following purposes.
A. Performance of the Service Contract
- Course access, members-only content delivery, consulting booking and meeting link delivery, sprint program operation
- Payment processing, issuance of receipts/tax invoices, refund processing
- Learning progress tracking, enrollment and completion management, reviews and practice submissions
- Generating AI chatbot responses, automated comment bot responses, and consulting briefs
B. Member Management
- Identity verification for membership service use
- Prevention of fraudulent or unauthorized use
- Verifying age 14+ eligibility and registration intent
- Handling customer inquiries, retaining records for dispute resolution, delivering notices
- Managing points, coupons, and referral codes
C. Marketing and Statistics (with separate consent)
- Delivering announcements about new services, events, and promotions via email or notifications
- Analyzing service usage statistics, developing and improving new features
- Personalized recommendations of courses and content
3. Retention and Use Periods
In principle, the Company destroys personal information without delay once the collection and use purpose has been fulfilled. The following information is retained for the specified periods.
A. Retention under Company Internal Policy
- Member account information: until withdrawal (destroyed upon withdrawal)
- AI chatbot conversation logs: up to 6 months (for service quality and abuse prevention)
- Fraud-prevention records: 1 year
B. Retention under Applicable Laws
- Records on contract or withdrawal: 5 years (E-Commerce Act)
- Records on payment and supply of goods: 5 years (E-Commerce Act)
- Records on consumer complaints or disputes: 3 years (E-Commerce Act)
- Records on advertising and labeling: 6 months (E-Commerce Act)
- Website visit logs (IP, etc.): 3 months (Protection of Communications Secrets Act)
4. Destruction Procedures and Methods
When the retention period expires or processing purpose is fulfilled and the information is no longer needed, the Company destroys it without delay.
A. Destruction Procedure
User-entered information is transferred to a separate database (or physical storage for paper records) after the purpose is fulfilled and is destroyed after the retention period or immediately, in accordance with internal policies and applicable laws.
B. Destruction Methods
- Electronic files are deleted via technical methods that prevent reproduction (soft delete followed by permanent deletion, column anonymization).
- Printed personal information is shredded or incinerated.
5. Provision of Personal Information to Third Parties
The Company does not provide users' personal information to third parties in principle. The following are exceptions.
- When the user has given prior consent
- When required by law or upon request from investigative agencies following lawful procedures
- When provided in an anonymized form (e.g., statistics, research, market analysis) that does not allow identification of individuals
6. Outsourced Processing of Personal Information
The Company outsources certain personal information processing as listed below, and ensures safe management of personal information through contractual provisions in accordance with applicable laws.
| Processor | Outsourced Task | Items Outsourced |
|---|---|---|
| Toss Payments | Approving/canceling card and easy-payment transactions, issuing/using billing keys for recurring payments, tax invoices | Payment data, order identifiers, masked card numbers, payment amounts |
| Resend (Resend, Inc.) | Transactional emails (sign-up confirmation, password reset, payment/refund/operational notices) | Email address, name, identifiers contained in email body |
| Anthropic (Anthropic, PBC) | AI chatbot responses, automated comments, AI-generated consulting briefs | User-input questions/prompts, conversation context |
| OpenAI (OpenAI, OpCo, LLC) | Generating embeddings of course/membership content for search and recommendation | Course/content text (no direct personal information), user search queries |
| Google LLC | Google social login (OAuth), registering consulting meeting schedules via Google Calendar | Email, name, profile image, schedule information (title/time) |
| Gumlet (Gumlet Inc.) | Hosting, streaming, and processing course video content | Course video files, viewer IP and device information (temporary) |
7. Cross-Border Transfer of Personal Information
To provide the Service, the Company transfers certain personal information abroad as listed below. By signing up and using the Service, users are deemed to have consented to such transfers.
| Recipient | Country | Items / Purpose | Time, Method, and Retention |
|---|---|---|---|
| Resend, Inc. | United States | Email address, name, email body / Sending transactional emails | Transmitted via network at time of email sending / Delivery logs retained up to 30 days |
| Anthropic, PBC | United States | AI input text (questions/prompts) / Generating AI responses | Transmitted at time of API call / Not used for training per Anthropic API policy; short-term retention for abuse monitoring (up to 30 days) |
| OpenAI, OpCo, LLC | United States | Content/search query text / Generating embeddings | Transmitted at time of API call / Not used for training under OpenAI's default policy; short-term retention (up to 30 days) |
| Google LLC | United States | Google account identifiers, email, calendar event information / Social login and schedule registration | Transmitted at time of login/event creation / Retained per Google's policies |
| Gumlet Inc. | Singapore/India (with global CDN) | Course video files, viewer device info / Video hosting and streaming | Transmitted at upload/streaming / Retained during the course operation period |
Users may refuse cross-border transfers, but in that case the features provided by the relevant processors (e.g., social login, AI chatbot, video streaming) cannot be used. Send refusal requests to james@heyjames.ai.
8. Rights of the Data Subject and How to Exercise Them
Users may exercise the following rights regarding their personal information at any time.
- Right to access and rectify: My Page > Edit Profile, or contact james@heyjames.ai
- Right to suspend processing: Submit a request via customer support; the Company will respond within 10 days unless legally restricted
- Right to withdraw (account deletion): Submit a withdrawal request via My Page or customer support
- Remedies for rights infringement: See Section 14 of this Policy
When exercising these rights, the Company verifies the identity of the user or their authorized agent. For users under 14, the legal guardian may exercise these rights; however, this Service does not allow sign-up by anyone under 14.
9. Cookies and Automatic Collection Devices
The Company uses 'cookies' and similar technologies to provide personalized services. Cookies are small text files sent by the website to the user's browser and stored on the user's device.
A. Purposes of Cookies
- Maintaining login state (session cookies)
- Analyzing visit frequency and navigation paths
- Identifying user interests to recommend courses and content
B. How to Refuse Cookies
Users may refuse cookie storage through their browser settings (e.g., Chrome > Settings > Privacy and security > Cookies and other site data). Refusing cookies may affect certain service features such as maintaining login.
10. Measures to Ensure the Safety of Personal Information
The Company implements the following technical, administrative, and physical measures to prevent loss, theft, leakage, alteration, or destruction of users' personal information.
- Administrative: Minimizing personnel who handle personal information, conducting regular internal training, and separating access permissions
- Technical: One-way encryption (bcrypt) of passwords; payment data processed by the PG (with only masked values retained); HTTPS (TLS) applied across all channels
- Access Control: Granting access only to authorized personnel, retaining operational access logs, operating intrusion prevention systems
- Backup and Recovery: Regular database backups, prompt recovery in case of incidents
- Physical: Operating infrastructure (cloud data centers) with access controls and security facilities
11. Privacy Officer
The Company designates the following Privacy Officer to be responsible for personal information processing and to handle related complaints and remedies.
12. Personal Information of Children Under 14
The Company does not allow sign-up by children under the age of 14 and does not collect their personal information. If it is found that a child under 14 has signed up without parental consent, the Company will promptly delete the account and related information.
13. Changes to this Privacy Policy
This Privacy Policy is effective from the date stated, and any changes due to legal or policy reasons will be announced via in-service notice or email at least 7 days before the effective date (at least 30 days in advance for material changes).
14. Remedies for Rights Infringement
For reporting or consultation regarding personal information infringement, please contact the following Korean agencies.
- Personal Information Infringement Report Center (KISA): 118 / privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
- Supreme Prosecutors' Office Cyber Investigation Division: 1301
- National Police Agency Cyber Bureau: 182 / ecrm.police.go.kr
This Privacy Policy is effective from May 21, 2026.
Business Information and Contact
Company: HeyJames Inc.
CEO: Sunghoon Lee
Business Reg. No.: 362-81-00644
Mail-Order License: 2024-Seoul Dongjak-0832
Address: 2803, 43 Boramae-ro 5-gil, Dongjak-gu, Seoul, Republic of Korea
Phone: +82-10-9391-6522
Email: james@heyjames.ai