Celon

Privacy

Privacy Policy

Celon Inc. (the “Company”) treats the personal information of its users as important in the course of providing AI model routing and related API and web services, and complies with the laws of the Republic of Korea, including the Personal Information Protection Act, as well as applicable United States and California privacy laws.

This Privacy Policy applies to the Celon website, dashboard, API, software, and the features and customer support services incidental to them (collectively, the “Service”) provided by the Company.

Through this Privacy Policy, the Company explains:

  • What personal information the Company collects and uses
  • How the Company processes the prompts you submit and the AI responses returned to you
  • What information is transmitted to external AI providers and cloud service providers
  • How long personal information is retained and how it is destroyed
  • What rights you may exercise

Published July 17, 2026 · Effective July 17, 2026

1. The Company’s Role and the Scope of This Policy

1.1 Information the Company processes as a controller

For the following information, the Company acts as the personal information controller or business that determines the purposes and means of processing.

  • Celon account and sign-in information
  • Organization, team, and member information
  • Payment and subscription information
  • Service usage and security logs
  • Customer support and inquiry information
  • Information generated directly by the Company for service operation, security, and the prevention of misuse

1.2 Customer content processed on behalf of a customer

For personal information contained in prompts, files, images, audio, system messages, and other content that an enterprise or organizational customer enters into the Service or transmits through the API, that customer is generally the controller or business, and the Company acts as a processor, service provider, or contractor handling personal information under the customer’s instructions.

In such cases, the following documents may also apply to the processing of that information.

  • The service agreement between the customer and the Company
  • A data processing agreement or personal information processing delegation agreement
  • The privacy policy the customer provides to its own end users
  • The model, provider, cache, and ZDR policies configured by the customer

Requests from end data subjects regarding personal information contained in customer content should, in principle, be submitted to the relevant customer. The Company supports the customer in handling such requests in accordance with applicable law and its agreement with the customer.

2. Categories of Personal Information Processed and Purposes of Use

The Company processes the minimum personal information necessary to provide the Service.

2.1 Account and authentication information

Categories processed

  • Email address
  • Name or display name
  • Profile image
  • User identifier from the authentication service
  • Sign-in session and authentication tokens
  • Password hash or social sign-in credentials
  • Account creation date and most recent sign-in time

Purposes of use

  • Registration and sign-in
  • User identification and verification
  • Maintaining account security
  • Account recovery and customer support
  • Essential service-related notices

Where the Company uses an external authentication service, the Company may not directly view or store passwords in plain text.

2.2 Organization, team, and member information

Categories processed

  • Organization and team names
  • Roles and permissions within an organization
  • Organization owner and member identifiers
  • Member names, email addresses, and profile images
  • Email addresses of invitees
  • Invitation tokens, creation dates, and expiry dates
  • Budget and policy settings per organization and team

Purposes of use

  • Creating and managing organizations and workspaces
  • Member invitations and permission management
  • Data isolation between organizations
  • Cost, budget, and usage management per organization
  • Applying security and governance policies

2.3 API and service configuration information

Categories processed

  • The identifier, name, prefix, and hash of a Celon API key
  • API key creation and deactivation times
  • Budgets per organization or API key
  • Allowed and blocked models and providers
  • Routing and fallback settings
  • Cache settings
  • Personal information masking settings
  • External AI provider API keys or credentials registered through the Company
  • Auto top-up and usage limit settings

Purposes of use

  • API authentication and access control
  • Connecting each customer to AI providers
  • Providing the BYOK feature
  • Model and provider routing
  • Preventing budget overruns
  • Applying security and privacy policies
  • Preventing API key misuse and abuse

The plain text of a Celon API key may be provided only once at creation; for authentication purposes the Company may retain only the hash of the API key and limited identifying information.

2.4 Service usage and technical information

Categories processed

  • IP address
  • Browser and device information
  • Operating system information
  • Cookies and session identifiers
  • Request and response timestamps
  • The API endpoint called
  • The requested model and the model that actually served it
  • The selected AI provider
  • Routing tier
  • Input and output token counts
  • Request latency
  • Success or failure status
  • Error type
  • Whether the cache was hit
  • Amount spent and estimated savings
  • Internal identifiers for the API key or organization
  • Anomalous requests and security detection results

Purposes of use

  • Providing the API and dashboard
  • Performing model routing and fallback
  • Usage measurement and cost calculation
  • Improving service performance and reliability
  • Incident analysis
  • Detecting security threats and abuse
  • Applying per-customer budgets and policies
  • Verifying disputes and billing history

The Company operates the usage ledger and general operational logs so that the content of prompts and AI responses is not recorded by default. The cache processing described in Section 4, security detection, and features you explicitly enable are exceptions.

2.5 Customer content and AI request data

Categories processed

  • User and system prompts
  • Conversation messages and context
  • Images and image URLs
  • Voice and audio files
  • Uploaded files and file metadata
  • Tool or function call information
  • Responses generated by AI providers
  • Image generation results
  • Speech transcription results
  • Embedding vectors
  • Hashes derived from requests
  • Model settings necessary to process a request

Purposes of use

  • Calling AI models and generating responses
  • Request difficulty classification and model routing
  • Multi-provider fallback
  • Masking personal information in prompts
  • Providing exact and semantic caching
  • Image generation and speech transcription
  • Performing features requested by the customer
  • Security and prompt injection detection

Depending on what a user or customer chooses to submit, customer content may include personal information, sensitive information, or information about third parties. The Company does not require sensitive personal information such as resident registration numbers or health information in order to provide the Service, and users should not submit sensitive information that is unnecessary for using the Service.

2.6 Payment and billing information

Categories processed

  • The name and email address of the purchaser or billing contact
  • Organization and account identifiers
  • Order number
  • Payment amount and currency
  • Payment and refund status
  • Payment date and time
  • Payment keys, customer keys, or payment tokens issued by the payment provider
  • Card brand and the last four digits of the card number
  • Auto top-up settings and top-up history
  • Information required to issue a tax invoice or receipt

Purposes of use

  • Subscription and prepaid credit payments
  • Auto top-up
  • Fee settlement and refunds
  • Handling payment errors
  • Accounting and tax processing
  • Preventing fraudulent payments
  • Customer inquiries and dispute handling

Full card numbers, card passwords, and CVCs are, in principle, handled directly by the payment gateway and are not stored by the Company.

2.7 Inquiry and customer support information

Categories processed

  • Name
  • Email address
  • Company or organization name
  • The content of your inquiry
  • Attachments
  • Support and response history
  • Account and request identifiers necessary to resolve the issue

Purposes of use

  • Receiving and responding to inquiries
  • Resolving incidents and errors
  • Contract and onboarding consultation
  • Dispute handling
  • Improving service quality

In accordance with applicable law, the Company processes personal information on one or more of the following bases.

  • Entering into a contract with you and providing the Service
  • Carrying out measures you have requested
  • Compliance with legal obligations
  • Your consent
  • The Company’s legitimate interests in service security, abuse prevention, and reliable operation
  • Protecting the life, body, or property interests of you or another person
  • Performing processing delegated by, or service provider duties for, a customer

Where processing requires consent, the Company informs you of the categories of personal information, the purposes, the retention period, and the consequences of refusing consent, and obtains your consent.

4. How AI Requests, External Providers, and the Cache Are Handled

4.1 The basic AI request flow

AI requests are generally processed in the following order.

  1. You send a request to the Celon API or web service.
  2. Celon selects an AI provider taking into account your settings, request difficulty, model availability, cost, latency, security policy, ZDR conditions, and other factors.
  3. If personal information masking is enabled, some of the detected personal information is masked.
  4. The request is forwarded to the selected external AI provider.
  5. Celon receives the response generated by that provider.
  6. Celon returns the response to you and records usage metadata.
  7. If the request meets the caching conditions, some information may be stored in the cache for up to 24 hours.

If the selected provider returns a timeout, a rate limit, a server error, or another failure, Celon may re-send the same request, or as much of it as necessary, to another provider you have allowed.

4.2 Policy on AI training

The Company does not use customer prompts, files, images, audio, AI responses, or other customer content for the following purposes.

  • Training the Company’s general-purpose AI models
  • Training external AI providers’ general-purpose models
  • Building datasets without the customer’s separate consent
  • Advertising or user profiling

The Company uses AI providers that apply API or enterprise terms under which customer data is not used for model training.

The Company does not use providers or endpoints that permit model training on customer content as general routing targets.

4.3 Provider logs and ZDR

Even where data is not used for AI training, some AI providers may retain request or response data for a limited period for the following purposes.

  • Detecting abuse and malicious use
  • Responding to security incidents
  • Analyzing service failures
  • Legal compliance
  • Customer support
  • Billing and usage verification

Because the scope and duration of retention differ by provider, full ZDR does not apply to every provider.

You may choose the following measures in your service settings.

  • Block specific models
  • Block specific providers
  • Disable the cache per request
  • Enable personal information masking

When you block a model or provider, it is excluded from routing. This may reduce the number of available models or change cost, speed, and availability.

4.4 Using BYOK

If you register your own AI provider API key by separate arrangement with the Company, the following conditions may also apply to those requests.

  • The agreement between you and that AI provider
  • The data retention settings of that provider account
  • The region you have selected
  • Your per-provider ZDR or training opt-out settings
  • That provider’s terms of service and privacy policy

The Company uses BYOK credentials solely to provide the AI calls and related features you have requested.

4.5 Personal information masking

Where you have enabled masking, the Company detects and masks personal information patterns: email addresses, Korean mobile phone numbers, resident registration number formats, payment card numbers, and Korean passport number formats. Masking is disabled by default and applies only once you explicitly enable it in your organization or API key policy.

Automated detection is not, however, a technology that identifies or removes all personal information perfectly. Contextual personal information, unstructured personal information, personal information contained in images or audio, and new forms of identifying information may go undetected.

You must not rely on the masking feature alone as a basis for transmitting unlimited sensitive or unnecessary personal information.

4.6 Cache processing

By default, the Company may apply caching for up to 24 hours to requests that meet the caching conditions.

The following information may be stored in the cache.

  • Responses generated by AI providers
  • SHA-256 hashes derived from requests
  • Embedding vectors for semantic similarity search
  • Model and request metadata necessary for cache processing

The key for the exact cache does not store the prompt text itself; a hash derived from the request content is used instead.

To provide the semantic cache, portions of the request text — such as part of the system prompt and the last user message — are sent to OpenAI to generate an embedding. This applies even when the request itself is routed to a different provider, so for requests where the semantic cache is active, part of the request text may also reach OpenAI. The resulting embedding vector is not the original text itself, but it is treated as derived data that may be associated with personal information.

You can disable caching through per-request options. Requests with caching disabled neither read from nor write to the response cache.

5. Retention and Use Periods

The Company retains personal information only for as long as necessary to achieve the purposes of processing, and destroys it without delay once those purposes are achieved.

Type of informationDefault retention period
Account and authentication informationUntil you withdraw your membership or the service agreement terminates
Organization, team, and member informationUntil the relevant organization or account is deleted
Organization invitation informationUntil the invitation is accepted or cancelled, or 7 days after creation
Celon API key informationUntil the API key is deleted or deactivated. Identifying information needed for usage verification may be retained together with usage records
BYOK credentialsUntil you delete them or your account or agreement terminates
Cached AI responses and embeddingsUp to 24 hours after creation
Customer content not subject to cachingProcessed transiently until the request completes. Not retained on an ongoing basis absent a separate feature or legal requirement
Usage, cost, and request metadataUp to 5 years from termination of the agreement or the date of the relevant transaction
Payment and transaction recordsThe period prescribed by applicable law, or up to 5 years from the transaction date
Customer inquiry and dispute recordsUp to 3 years from the date the inquiry closes
General access logsUp to 3 months from collection
Security and abuse response recordsUp to 1 year from collection or from closure of the incident
Records of privacy rights requests and identity verificationUp to 3 years from the date the request is completed

When an account or agreement terminates, personal information in active systems is deleted or de-identified without delay. Backup data that cannot technically be deleted immediately is deleted within at most 90 days in line with the backup rotation cycle, and is not used during that period for any purpose other than recovery.

5.1 Retention under applicable law

The Company may retain the following records for set periods in accordance with applicable law.

RecordRetention period
Records concerning contracts or withdrawal of subscription5 years
Records concerning payment and the supply of goods or services5 years
Records concerning consumer complaints or dispute resolution3 years
Records concerning labeling and advertising6 months
Transaction and supporting records under tax lawThe period prescribed by applicable law
Records required for legally mandated investigation, supervision, or dispute responseUntil the relevant proceeding concludes

Information retained under legal requirements is not used for any purpose other than that legal purpose.

6. Provision to Third Parties, and Sale or Sharing

The Company does not sell personal information.

The Company does not share personal information for cross-context behavioral advertising as defined under California law, and does not provide your personal information to advertising businesses.

As a rule, the Company does not provide personal information to third parties without your consent. The following are exceptions.

  • Where you have consented in advance
  • Where necessary to perform the service agreement
  • Where a processor performs services under a processing delegation arrangement
  • Where specifically provided for by law
  • Where there is a lawful and valid request from a court, investigative authority, or administrative agency
  • Where urgently necessary to protect the life, body, or property interests of you or another person
  • Where information is transferred in the course of a merger, business transfer, investment, or reorganization in compliance with legal requirements

Transmitting customer content to an external AI provider is generally treated as processing delegation, or as a disclosure to a service provider, for the purpose of providing the AI service you requested — it is not a sale or sharing for advertising purposes.

7. Processing Delegation and Subprocessors

The Company may use the following types of processors or subprocessors to provide the Service.

Delegated workProcessor or type of processorProcessing performed
Website and frontend hostingVercel and similarServing the website, handling traffic and errors
API server hostingRailway and similarProcessing API requests, server operation, and log management
Authentication and databaseSupabase and similarSign-in, user authentication, and storage of account, organization, and usage data
Cache infrastructureUpstash (Redis)Short-term caching of AI responses keyed by a request hash, and storage of embedding vectors
AI inferenceOpenAI, Anthropic, Google (Gemini API and Vertex AI), xAI, Perplexity, Upstage, DeepInfra, Novita AI, FriendliAI, Fireworks AI, Weights & BiasesText generation and inference for the model you select
Embedding generationOpenAIGenerating embedding vectors for the semantic cache
Monitoring and observabilityLangfuse or equivalent toolingAnalysis of operational metadata such as latency, model, token counts, and errors (request and response content is not transmitted)
Domestic paymentsToss PaymentsPayment authorization, auto top-up, refunds, and fraud detection
International paymentsPolar (subprocessor: Stripe)Providing the checkout page, payment authorization, subscriptions, and refunds

When entering into agreements with processors, the Company stipulates obligations including the prohibition of processing beyond the stated purpose, confidentiality, security safeguards, management of sub-delegation, incident notification, and destruction upon termination.

Whether a given AI provider or subprocessor is actually used depends on the model you select, your routing policy, BYOK settings, ZDR settings, and the operational state of the Service.

The table above reflects the processors and subprocessors actually in use as of the effective date of this Policy. When a processor that materially affects the processing of personal information is added or changed, the Company will amend this Policy or give notice through a service announcement.

8. Cross-Border Transfer of Personal Information

Because the Service uses AI providers and cloud infrastructure in multiple countries, personal information may be processed or stored outside the Republic of Korea.

8.1 Transfers to AI providers

ItemDetails
RecipientThe external AI or embedding provider selected for the request
ProvidersOpenAI, Anthropic, Google (Gemini API and Vertex AI), xAI, Perplexity, Upstage, DeepInfra, Novita AI, FriendliAI, Fireworks AI, Weights & Biases
Destination countriesThe United States and other countries in which each provider operates infrastructure. DeepInfra, Fireworks AI, and FriendliAI process in the United States. OpenAI, Anthropic, and Google (Gemini API and Vertex AI) do not limit processing to the United States; in particular, where Vertex AI processes depends on the region configured by the Company (default: global). Upstage, which is headquartered in the Republic of Korea, uses infrastructure in both the Republic of Korea and the United States
Items transferredPrompts, system messages, images, audio, files, model settings, request identifiers, and metadata necessary to process the request. For requests where the semantic cache applies, part of the system prompt and the last user message are also sent to OpenAI to generate an embedding
Purpose of transferAI response generation, embedding generation, image generation, speech transcription, and fallback on failure
Timing and methodTransmitted via API over an encrypted connection when you execute an AI request
Retention periodFor ZDR providers, per the applicable ZDR terms. Otherwise, the limited period under each provider’s enterprise or API data retention policy, or until the request completes
Use for trainingNot used to train general-purpose AI models
How to refuseConfigure model and provider blocking, disable the cache per request, or discontinue use of the Service
Effect of refusalSome models or features may be unavailable, or cost, speed, and availability may change

Which provider actually receives a request depends on the model you select and your routing settings; the Service’s model information shows which providers serve each model.

8.2 Transfers to cloud and payment services

RecipientDestination countryItems transferredPurposeRetention period
VercelThe United States and other regions selected by the CompanyIP, access information, web request informationServing the website and securityThe term of the agreement, or the provider’s limited log retention period
RailwayThe United States and other regions selected by the CompanyAPI request information, server logs, service operation informationAPI server operationThe term of the agreement, or the log retention period configured by the Company
SupabaseSingapore and other regions selected by the CompanyAccount, authentication, organization, settings, usage, and service dataAuthentication and database operationUntil the account or agreement terminates, or the statutory retention period
UpstashThe United States and other regions selected by the CompanyCached AI responses, hashes, embeddingsShort-term cachingUp to 24 hours
Polar (and its subprocessor Stripe)The United StatesEmail, order, payment, and refund informationInternational payments and subscription managementThe period under applicable law and the payment provider’s retention policy
Langfuse CloudIreland (default region) or the region selected by the CompanyOperational metadata such as model, token counts, latency, cost, and errors, excluding request contentService monitoringThe period configured by the Company, or until the agreement terminates

Where a cross-border transfer is necessary to perform the service agreement, the Company transfers information on a basis permitted by applicable law, and obtains your consent where separate consent is required.

You may contact support@celon.ai with questions about cross-border transfers, or to request that specific providers be blocked or to get help with these settings.

9. Destruction of Personal Information

When the retention period elapses or the purpose of processing is achieved, the Company destroys personal information as follows.

9.1 Electronic files

The Company uses secure deletion methods that make recovery or reconstruction difficult. Database records are deleted or de-identified, and methods appropriate to the system — such as destroying encryption keys or overwriting storage — may be applied.

9.2 Paper documents

Destroyed by shredding or incineration.

9.3 Backup data

Backup data is separated and protected, and deleted when the backup rotation cycle comes due. Information slated for deletion that remains in a backup is not reused for any purpose other than disaster recovery.

10. Your Rights and How to Exercise Them

In accordance with applicable law, you may exercise the following rights.

  • Confirm whether your personal information is processed
  • Access your personal information
  • Correct or supplement your personal information
  • Delete your personal information
  • Suspend the processing of your personal information
  • Withdraw consent
  • Close your account
  • Request an explanation of how your data is processed
  • Where applicable, request portability of, or a copy of, your personal information

You can exercise these rights by contacting support@celon.ai.

The Company may request additional information within a reasonable scope in order to verify the identity of the requester. Information received for identity verification is not used for any purpose other than handling the request.

In the following cases, the Company may restrict or refuse a request in whole or in part, to the extent permitted by law.

  • Where there is a legal obligation to retain the information
  • Where necessary to perform a contract or complete a transaction
  • Where necessary for security and abuse prevention
  • Where there is a risk of infringing the rights and safety of others
  • Where the identity of the requester cannot reasonably be verified
  • Where the request is repetitive or manifestly excessive
  • Where necessary to exercise or defend against legal claims

Where the Company processes third-party personal information sent to Celon by a customer, acting as that customer’s processor or service provider, the Company may direct the requester to that customer or support the handling of the request under the customer’s instructions.

11. Children’s Personal Information

The Service is intended for businesses, organizations, and developers, and is not offered to children under the age of 14.

The Company does not knowingly collect personal information from children under the age of 14 without the consent of a legal representative.

With respect to users in the United States, the Service is not directed to children under the age of 13, and the Company does not knowingly collect personal information from children for which parental consent is required under the U.S. Children’s Online Privacy Protection Act.

If the Company becomes aware that a child’s personal information has been collected without appropriate consent, it will take reasonable measures to delete that information without delay.

12. Cookies, Tracking Technologies, and Browser Signals

12.1 Essential cookies

The Company may use cookies or similar technologies for the following purposes.

  • Maintaining your signed-in state
  • Session security
  • Storing user preferences
  • Preventing abuse
  • Analyzing service errors
  • Basic service usage measurement

If you block essential cookies, sign-in, the dashboard, or some service features may not work properly.

12.2 Advertising and cross-site tracking

The Company does not provide cross-context behavioral advertising based on your personal information, and does not sell or share personal information for advertising purposes.

The Company does not operate the Service for the purpose of tracking your activity across other websites and services over time to build an advertising profile.

12.3 Do Not Track

There is currently no common industry technical standard for browser Do Not Track signals.

Because the Company does not track for cross-site behavioral advertising, a Do Not Track signal may not cause any separate change to how the Service processes personal information by default.

12.4 Global Privacy Control

If the Company becomes a business that sells or shares personal information under California law, it will treat a valid Global Privacy Control signal as a request to opt out of sale or sharing, to the extent required by law.

The Company does not currently sell personal information or share it for cross-context behavioral advertising.

13. Security Safeguards

The Company applies reasonable administrative, technical, and physical safeguards to prevent the loss, theft, leakage, forgery, alteration, or damage of personal information.

The principal safeguards are as follows.

  • Limiting access rights to those who need them for their work
  • Data access controls by organization, team, and permission level
  • Management of administrator rights and service accounts
  • Encryption in transit
  • Hashed storage of API keys and minimized exposure of plain text
  • Restricted access to credentials and secrets
  • The personal information masking feature
  • The ability to disable the cache
  • The ability to block models and providers
  • Restrictions on recording request and response content in general logs
  • Security logging and anomaly monitoring
  • Access controls on the database and cache
  • Backup and recovery procedures
  • Established security incident response procedures
  • Confidentiality obligations for employees and those performing work
  • Security requirements applied to processors and subprocessors

Because no transmission over the internet or method of electronic storage can guarantee absolute security, the Company continuously improves its safeguards in line with applicable law and the state of the art.

14. Responding to Privacy Incidents

If a privacy incident occurs, or the Company becomes aware that one may have occurred, the Company takes the following measures.

  • Identifying the cause and scope of the incident
  • Preventing further leakage and the spread of harm
  • Isolating and restoring the affected systems
  • Checking with processors and AI providers
  • Notifying affected users and customers
  • Reporting to supervisory authorities as required by law
  • Establishing measures to prevent recurrence

Where notification or reporting is required, the Company acts in accordance with the content and deadlines prescribed by law.

15. Additional Notice for California Users

This section applies to California residents to the extent the Company is subject to the California Consumer Privacy Act and its amendments.

15.1 Categories of personal information that may be collected in the preceding 12 months

Category under California lawExamplesCollectedDisclosed for a business purposeSold or shared
IdentifiersName, email, IP address, account ID, online identifiersYesMay be disclosed to service providersNo
Customer records informationAccount, contact, and billing contact informationYesMay be disclosed to authentication and payment providersNo
Commercial informationSubscriptions, payments, refunds, credits used, and transaction historyYesMay be disclosed to payment and accounting providersNo
Internet or electronic network activityAccess logs, API calls, browser, device, and service usage informationYesMay be disclosed to hosting and security providersNo
Approximate geolocationCountry or region inferred from an IP addressMay applyMay be disclosed to security and hosting providersNo
Professional or employment-related informationOrganization name, team, job function, or role within an organizationMay applyMay be disclosed to service operation processorsNo
Sensitive personal informationAccount sign-in credentials, payment tokens, the contents of messages and files, and sensitive information you submit directlyMay applyDisclosed on a limited basis to providers necessary to perform the requested serviceNo
InferencesModel preferences, usage patterns, or security risk signalsMay apply, on a limited basisMay be disclosed to service operation and security providersNo

Depending on what you submit, customer content may contain categories of personal information not listed in the table above.

15.2 Sources of personal information

The Company may collect personal information from the following sources.

  • You
  • The organization you belong to, or the customer that administers your account
  • Organization administrators or the person who invited you
  • Authentication service providers
  • Payment service providers
  • Your device and browser
  • Your use of the Celon API and web service
  • The AI providers you select
  • Security and abuse detection systems

15.3 Rights of California residents

Where applicable, California residents may exercise the following rights.

  • The right to know the categories and specific pieces of personal information collected
  • The right to know the sources of personal information
  • The right to know the business purposes for using personal information
  • The right to know the categories of businesses to which personal information was disclosed
  • The right to request deletion of personal information
  • The right to request correction of inaccurate personal information
  • The right to opt out of the sale or sharing of personal information
  • The right to request limits on the use and disclosure of sensitive personal information
  • The right to receive a copy of your personal information
  • The right not to be discriminated or retaliated against for exercising these rights

Because the Company does not sell personal information or share it for cross-context behavioral advertising, it does not currently carry out processing that would require a separate “Do Not Sell or Share My Personal Information” process.

The Company does not use sensitive personal information beyond what is reasonably necessary to provide the Service and maintain security, nor for the purpose of inferring characteristics about you.

15.4 How to submit a request and response timelines

California privacy rights requests may be submitted to support@celon.ai.

Please include the following in your request.

  • The requester’s name
  • Your Celon account email address
  • The type of right you wish to exercise
  • The account or organization information that needs to be verified
  • If an agent is making the request, information evidencing their authority

The Company handles requests within the period prescribed by applicable law after receiving them. Requests to know, access, delete, or correct that are subject to the CCPA are, in principle, answered within 45 days; where necessary, the Company will notify you of the reason and may extend by the period permitted by law.

15.5 Authorized agents

You may submit a request through an authorized agent.

The Company may request a signed power of attorney, direct confirmation from you, or other reasonable evidence in order to verify the agent’s identity and authority.

15.6 Non-discrimination

The Company will not impose the following disadvantages on you for exercising your privacy rights.

  • Denying you the Service
  • Charging unjustified additional fees
  • Degrading service quality
  • Retaliation or discrimination not permitted by law

Where deletion or restriction of processing means information essential to a feature is no longer available, that feature may be limited; this is not considered discrimination for exercising your rights.

15.7 Financial incentives

The Company does not currently operate any financial incentive program offering discounts or rewards in exchange for the collection, sale, or sharing of personal information.

15.8 California Shine the Light

The Company does not provide the personal information of California customers to third parties for those third parties’ direct marketing purposes.

16. Changes to This Privacy Policy

The Company may amend this Policy to reflect changes in law, service features, AI providers, subprocessors, or how personal information is processed.

The Company posts the amended Policy in the Service and indicates its effective date.

Where a change materially affects your rights or the processing of your personal information, the Company will give notice before it takes effect through one or more of the following methods.

  • A notice on the website or dashboard
  • An email to your account address
  • An in-service notification
  • A notice in the API or developer documentation

Changes requiring separate consent take effect only after consent is obtained in accordance with applicable law.

17. Privacy Contact

Inquiries regarding the processing of personal information, the exercise of your rights, privacy violations, or this Policy may be submitted to the following contact.

  • Privacy team: Celon Operations Team
  • Company name: Celon Inc.
  • Email: support@celon.ai

The Company strives to handle privacy-related inquiries and complaints promptly and in good faith.

Users in the Republic of Korea may also apply for counseling or dispute mediation regarding privacy violations with the following bodies.

  • Privacy Infringement Report Center: 118 (no area code)
  • Personal Information Dispute Mediation Committee: 1833-6972
  • Supreme Prosecutors’ Office: 1301 (no area code)
  • National Police Agency: 182 (no area code)