Privacy
Privacy Policy
Celon Inc. (the “Company”) treats the personal information of its users as important in the course of providing AI model routing and related API and web services, and complies with the laws of the Republic of Korea, including the Personal Information Protection Act, as well as applicable United States and California privacy laws.
This Privacy Policy applies to the Celon website, dashboard, API, software, and the features and customer support services incidental to them (collectively, the “Service”) provided by the Company.
Through this Privacy Policy, the Company explains:
- What personal information the Company collects and uses
- How the Company processes the prompts you submit and the AI responses returned to you
- What information is transmitted to external AI providers and cloud service providers
- How long personal information is retained and how it is destroyed
- What rights you may exercise
Published July 17, 2026 · Effective July 17, 2026
1. The Company’s Role and the Scope of This Policy
1.1 Information the Company processes as a controller
For the following information, the Company acts as the personal information controller or business that determines the purposes and means of processing.
- Celon account and sign-in information
- Organization, team, and member information
- Payment and subscription information
- Service usage and security logs
- Customer support and inquiry information
- Information generated directly by the Company for service operation, security, and the prevention of misuse
1.2 Customer content processed on behalf of a customer
For personal information contained in prompts, files, images, audio, system messages, and other content that an enterprise or organizational customer enters into the Service or transmits through the API, that customer is generally the controller or business, and the Company acts as a processor, service provider, or contractor handling personal information under the customer’s instructions.
In such cases, the following documents may also apply to the processing of that information.
- The service agreement between the customer and the Company
- A data processing agreement or personal information processing delegation agreement
- The privacy policy the customer provides to its own end users
- The model, provider, cache, and ZDR policies configured by the customer
Requests from end data subjects regarding personal information contained in customer content should, in principle, be submitted to the relevant customer. The Company supports the customer in handling such requests in accordance with applicable law and its agreement with the customer.
2. Categories of Personal Information Processed and Purposes of Use
The Company processes the minimum personal information necessary to provide the Service.
2.1 Account and authentication information
Categories processed
- Email address
- Name or display name
- Profile image
- User identifier from the authentication service
- Sign-in session and authentication tokens
- Password hash or social sign-in credentials
- Account creation date and most recent sign-in time
Purposes of use
- Registration and sign-in
- User identification and verification
- Maintaining account security
- Account recovery and customer support
- Essential service-related notices
Where the Company uses an external authentication service, the Company may not directly view or store passwords in plain text.
2.2 Organization, team, and member information
Categories processed
- Organization and team names
- Roles and permissions within an organization
- Organization owner and member identifiers
- Member names, email addresses, and profile images
- Email addresses of invitees
- Invitation tokens, creation dates, and expiry dates
- Budget and policy settings per organization and team
Purposes of use
- Creating and managing organizations and workspaces
- Member invitations and permission management
- Data isolation between organizations
- Cost, budget, and usage management per organization
- Applying security and governance policies
2.3 API and service configuration information
Categories processed
- The identifier, name, prefix, and hash of a Celon API key
- API key creation and deactivation times
- Budgets per organization or API key
- Allowed and blocked models and providers
- Routing and fallback settings
- Cache settings
- Personal information masking settings
- External AI provider API keys or credentials registered through the Company
- Auto top-up and usage limit settings
Purposes of use
- API authentication and access control
- Connecting each customer to AI providers
- Providing the BYOK feature
- Model and provider routing
- Preventing budget overruns
- Applying security and privacy policies
- Preventing API key misuse and abuse
The plain text of a Celon API key may be provided only once at creation; for authentication purposes the Company may retain only the hash of the API key and limited identifying information.
2.4 Service usage and technical information
Categories processed
- IP address
- Browser and device information
- Operating system information
- Cookies and session identifiers
- Request and response timestamps
- The API endpoint called
- The requested model and the model that actually served it
- The selected AI provider
- Routing tier
- Input and output token counts
- Request latency
- Success or failure status
- Error type
- Whether the cache was hit
- Amount spent and estimated savings
- Internal identifiers for the API key or organization
- Anomalous requests and security detection results
Purposes of use
- Providing the API and dashboard
- Performing model routing and fallback
- Usage measurement and cost calculation
- Improving service performance and reliability
- Incident analysis
- Detecting security threats and abuse
- Applying per-customer budgets and policies
- Verifying disputes and billing history
The Company operates the usage ledger and general operational logs so that the content of prompts and AI responses is not recorded by default. The cache processing described in Section 4, security detection, and features you explicitly enable are exceptions.
2.5 Customer content and AI request data
Categories processed
- User and system prompts
- Conversation messages and context
- Images and image URLs
- Voice and audio files
- Uploaded files and file metadata
- Tool or function call information
- Responses generated by AI providers
- Image generation results
- Speech transcription results
- Embedding vectors
- Hashes derived from requests
- Model settings necessary to process a request
Purposes of use
- Calling AI models and generating responses
- Request difficulty classification and model routing
- Multi-provider fallback
- Masking personal information in prompts
- Providing exact and semantic caching
- Image generation and speech transcription
- Performing features requested by the customer
- Security and prompt injection detection
Depending on what a user or customer chooses to submit, customer content may include personal information, sensitive information, or information about third parties. The Company does not require sensitive personal information such as resident registration numbers or health information in order to provide the Service, and users should not submit sensitive information that is unnecessary for using the Service.
2.6 Payment and billing information
Categories processed
- The name and email address of the purchaser or billing contact
- Organization and account identifiers
- Order number
- Payment amount and currency
- Payment and refund status
- Payment date and time
- Payment keys, customer keys, or payment tokens issued by the payment provider
- Card brand and the last four digits of the card number
- Auto top-up settings and top-up history
- Information required to issue a tax invoice or receipt
Purposes of use
- Subscription and prepaid credit payments
- Auto top-up
- Fee settlement and refunds
- Handling payment errors
- Accounting and tax processing
- Preventing fraudulent payments
- Customer inquiries and dispute handling
Full card numbers, card passwords, and CVCs are, in principle, handled directly by the payment gateway and are not stored by the Company.
2.7 Inquiry and customer support information
Categories processed
- Name
- Email address
- Company or organization name
- The content of your inquiry
- Attachments
- Support and response history
- Account and request identifiers necessary to resolve the issue
Purposes of use
- Receiving and responding to inquiries
- Resolving incidents and errors
- Contract and onboarding consultation
- Dispute handling
- Improving service quality
3. Legal Bases for Processing
In accordance with applicable law, the Company processes personal information on one or more of the following bases.
- Entering into a contract with you and providing the Service
- Carrying out measures you have requested
- Compliance with legal obligations
- Your consent
- The Company’s legitimate interests in service security, abuse prevention, and reliable operation
- Protecting the life, body, or property interests of you or another person
- Performing processing delegated by, or service provider duties for, a customer
Where processing requires consent, the Company informs you of the categories of personal information, the purposes, the retention period, and the consequences of refusing consent, and obtains your consent.
4. How AI Requests, External Providers, and the Cache Are Handled
4.1 The basic AI request flow
AI requests are generally processed in the following order.
- You send a request to the Celon API or web service.
- Celon selects an AI provider taking into account your settings, request difficulty, model availability, cost, latency, security policy, ZDR conditions, and other factors.
- If personal information masking is enabled, some of the detected personal information is masked.
- The request is forwarded to the selected external AI provider.
- Celon receives the response generated by that provider.
- Celon returns the response to you and records usage metadata.
- If the request meets the caching conditions, some information may be stored in the cache for up to 24 hours.
If the selected provider returns a timeout, a rate limit, a server error, or another failure, Celon may re-send the same request, or as much of it as necessary, to another provider you have allowed.
4.2 Policy on AI training
The Company does not use customer prompts, files, images, audio, AI responses, or other customer content for the following purposes.
- Training the Company’s general-purpose AI models
- Training external AI providers’ general-purpose models
- Building datasets without the customer’s separate consent
- Advertising or user profiling
The Company uses AI providers that apply API or enterprise terms under which customer data is not used for model training.
The Company does not use providers or endpoints that permit model training on customer content as general routing targets.
4.3 Provider logs and ZDR
Even where data is not used for AI training, some AI providers may retain request or response data for a limited period for the following purposes.
- Detecting abuse and malicious use
- Responding to security incidents
- Analyzing service failures
- Legal compliance
- Customer support
- Billing and usage verification
Because the scope and duration of retention differ by provider, full ZDR does not apply to every provider.
You may choose the following measures in your service settings.
- Block specific models
- Block specific providers
- Disable the cache per request
- Enable personal information masking
When you block a model or provider, it is excluded from routing. This may reduce the number of available models or change cost, speed, and availability.
4.4 Using BYOK
If you register your own AI provider API key by separate arrangement with the Company, the following conditions may also apply to those requests.
- The agreement between you and that AI provider
- The data retention settings of that provider account
- The region you have selected
- Your per-provider ZDR or training opt-out settings
- That provider’s terms of service and privacy policy
The Company uses BYOK credentials solely to provide the AI calls and related features you have requested.
4.5 Personal information masking
Where you have enabled masking, the Company detects and masks personal information patterns: email addresses, Korean mobile phone numbers, resident registration number formats, payment card numbers, and Korean passport number formats. Masking is disabled by default and applies only once you explicitly enable it in your organization or API key policy.
Automated detection is not, however, a technology that identifies or removes all personal information perfectly. Contextual personal information, unstructured personal information, personal information contained in images or audio, and new forms of identifying information may go undetected.
You must not rely on the masking feature alone as a basis for transmitting unlimited sensitive or unnecessary personal information.
4.6 Cache processing
By default, the Company may apply caching for up to 24 hours to requests that meet the caching conditions.
The following information may be stored in the cache.
- Responses generated by AI providers
- SHA-256 hashes derived from requests
- Embedding vectors for semantic similarity search
- Model and request metadata necessary for cache processing
The key for the exact cache does not store the prompt text itself; a hash derived from the request content is used instead.
To provide the semantic cache, portions of the request text — such as part of the system prompt and the last user message — are sent to OpenAI to generate an embedding. This applies even when the request itself is routed to a different provider, so for requests where the semantic cache is active, part of the request text may also reach OpenAI. The resulting embedding vector is not the original text itself, but it is treated as derived data that may be associated with personal information.
You can disable caching through per-request options. Requests with caching disabled neither read from nor write to the response cache.
5. Retention and Use Periods
The Company retains personal information only for as long as necessary to achieve the purposes of processing, and destroys it without delay once those purposes are achieved.
| Type of information | Default retention period |
|---|---|
| Account and authentication information | Until you withdraw your membership or the service agreement terminates |
| Organization, team, and member information | Until the relevant organization or account is deleted |
| Organization invitation information | Until the invitation is accepted or cancelled, or 7 days after creation |
| Celon API key information | Until the API key is deleted or deactivated. Identifying information needed for usage verification may be retained together with usage records |
| BYOK credentials | Until you delete them or your account or agreement terminates |
| Cached AI responses and embeddings | Up to 24 hours after creation |
| Customer content not subject to caching | Processed transiently until the request completes. Not retained on an ongoing basis absent a separate feature or legal requirement |
| Usage, cost, and request metadata | Up to 5 years from termination of the agreement or the date of the relevant transaction |
| Payment and transaction records | The period prescribed by applicable law, or up to 5 years from the transaction date |
| Customer inquiry and dispute records | Up to 3 years from the date the inquiry closes |
| General access logs | Up to 3 months from collection |
| Security and abuse response records | Up to 1 year from collection or from closure of the incident |
| Records of privacy rights requests and identity verification | Up to 3 years from the date the request is completed |
When an account or agreement terminates, personal information in active systems is deleted or de-identified without delay. Backup data that cannot technically be deleted immediately is deleted within at most 90 days in line with the backup rotation cycle, and is not used during that period for any purpose other than recovery.
5.1 Retention under applicable law
The Company may retain the following records for set periods in accordance with applicable law.
| Record | Retention period |
|---|---|
| Records concerning contracts or withdrawal of subscription | 5 years |
| Records concerning payment and the supply of goods or services | 5 years |
| Records concerning consumer complaints or dispute resolution | 3 years |
| Records concerning labeling and advertising | 6 months |
| Transaction and supporting records under tax law | The period prescribed by applicable law |
| Records required for legally mandated investigation, supervision, or dispute response | Until the relevant proceeding concludes |
Information retained under legal requirements is not used for any purpose other than that legal purpose.
6. Provision to Third Parties, and Sale or Sharing
The Company does not sell personal information.
The Company does not share personal information for cross-context behavioral advertising as defined under California law, and does not provide your personal information to advertising businesses.
As a rule, the Company does not provide personal information to third parties without your consent. The following are exceptions.
- Where you have consented in advance
- Where necessary to perform the service agreement
- Where a processor performs services under a processing delegation arrangement
- Where specifically provided for by law
- Where there is a lawful and valid request from a court, investigative authority, or administrative agency
- Where urgently necessary to protect the life, body, or property interests of you or another person
- Where information is transferred in the course of a merger, business transfer, investment, or reorganization in compliance with legal requirements
Transmitting customer content to an external AI provider is generally treated as processing delegation, or as a disclosure to a service provider, for the purpose of providing the AI service you requested — it is not a sale or sharing for advertising purposes.
7. Processing Delegation and Subprocessors
The Company may use the following types of processors or subprocessors to provide the Service.
| Delegated work | Processor or type of processor | Processing performed |
|---|---|---|
| Website and frontend hosting | Vercel and similar | Serving the website, handling traffic and errors |
| API server hosting | Railway and similar | Processing API requests, server operation, and log management |
| Authentication and database | Supabase and similar | Sign-in, user authentication, and storage of account, organization, and usage data |
| Cache infrastructure | Upstash (Redis) | Short-term caching of AI responses keyed by a request hash, and storage of embedding vectors |
| AI inference | OpenAI, Anthropic, Google (Gemini API and Vertex AI), xAI, Perplexity, Upstage, DeepInfra, Novita AI, FriendliAI, Fireworks AI, Weights & Biases | Text generation and inference for the model you select |
| Embedding generation | OpenAI | Generating embedding vectors for the semantic cache |
| Monitoring and observability | Langfuse or equivalent tooling | Analysis of operational metadata such as latency, model, token counts, and errors (request and response content is not transmitted) |
| Domestic payments | Toss Payments | Payment authorization, auto top-up, refunds, and fraud detection |
| International payments | Polar (subprocessor: Stripe) | Providing the checkout page, payment authorization, subscriptions, and refunds |
When entering into agreements with processors, the Company stipulates obligations including the prohibition of processing beyond the stated purpose, confidentiality, security safeguards, management of sub-delegation, incident notification, and destruction upon termination.
Whether a given AI provider or subprocessor is actually used depends on the model you select, your routing policy, BYOK settings, ZDR settings, and the operational state of the Service.
The table above reflects the processors and subprocessors actually in use as of the effective date of this Policy. When a processor that materially affects the processing of personal information is added or changed, the Company will amend this Policy or give notice through a service announcement.
8. Cross-Border Transfer of Personal Information
Because the Service uses AI providers and cloud infrastructure in multiple countries, personal information may be processed or stored outside the Republic of Korea.
8.1 Transfers to AI providers
| Item | Details |
|---|---|
| Recipient | The external AI or embedding provider selected for the request |
| Providers | OpenAI, Anthropic, Google (Gemini API and Vertex AI), xAI, Perplexity, Upstage, DeepInfra, Novita AI, FriendliAI, Fireworks AI, Weights & Biases |
| Destination countries | The United States and other countries in which each provider operates infrastructure. DeepInfra, Fireworks AI, and FriendliAI process in the United States. OpenAI, Anthropic, and Google (Gemini API and Vertex AI) do not limit processing to the United States; in particular, where Vertex AI processes depends on the region configured by the Company (default: global). Upstage, which is headquartered in the Republic of Korea, uses infrastructure in both the Republic of Korea and the United States |
| Items transferred | Prompts, system messages, images, audio, files, model settings, request identifiers, and metadata necessary to process the request. For requests where the semantic cache applies, part of the system prompt and the last user message are also sent to OpenAI to generate an embedding |
| Purpose of transfer | AI response generation, embedding generation, image generation, speech transcription, and fallback on failure |
| Timing and method | Transmitted via API over an encrypted connection when you execute an AI request |
| Retention period | For ZDR providers, per the applicable ZDR terms. Otherwise, the limited period under each provider’s enterprise or API data retention policy, or until the request completes |
| Use for training | Not used to train general-purpose AI models |
| How to refuse | Configure model and provider blocking, disable the cache per request, or discontinue use of the Service |
| Effect of refusal | Some models or features may be unavailable, or cost, speed, and availability may change |
Which provider actually receives a request depends on the model you select and your routing settings; the Service’s model information shows which providers serve each model.
8.2 Transfers to cloud and payment services
| Recipient | Destination country | Items transferred | Purpose | Retention period |
|---|---|---|---|---|
| Vercel | The United States and other regions selected by the Company | IP, access information, web request information | Serving the website and security | The term of the agreement, or the provider’s limited log retention period |
| Railway | The United States and other regions selected by the Company | API request information, server logs, service operation information | API server operation | The term of the agreement, or the log retention period configured by the Company |
| Supabase | Singapore and other regions selected by the Company | Account, authentication, organization, settings, usage, and service data | Authentication and database operation | Until the account or agreement terminates, or the statutory retention period |
| Upstash | The United States and other regions selected by the Company | Cached AI responses, hashes, embeddings | Short-term caching | Up to 24 hours |
| Polar (and its subprocessor Stripe) | The United States | Email, order, payment, and refund information | International payments and subscription management | The period under applicable law and the payment provider’s retention policy |
| Langfuse Cloud | Ireland (default region) or the region selected by the Company | Operational metadata such as model, token counts, latency, cost, and errors, excluding request content | Service monitoring | The period configured by the Company, or until the agreement terminates |
Where a cross-border transfer is necessary to perform the service agreement, the Company transfers information on a basis permitted by applicable law, and obtains your consent where separate consent is required.
You may contact support@celon.ai with questions about cross-border transfers, or to request that specific providers be blocked or to get help with these settings.
9. Destruction of Personal Information
When the retention period elapses or the purpose of processing is achieved, the Company destroys personal information as follows.
9.1 Electronic files
The Company uses secure deletion methods that make recovery or reconstruction difficult. Database records are deleted or de-identified, and methods appropriate to the system — such as destroying encryption keys or overwriting storage — may be applied.
9.2 Paper documents
Destroyed by shredding or incineration.
9.3 Backup data
Backup data is separated and protected, and deleted when the backup rotation cycle comes due. Information slated for deletion that remains in a backup is not reused for any purpose other than disaster recovery.
10. Your Rights and How to Exercise Them
In accordance with applicable law, you may exercise the following rights.
- Confirm whether your personal information is processed
- Access your personal information
- Correct or supplement your personal information
- Delete your personal information
- Suspend the processing of your personal information
- Withdraw consent
- Close your account
- Request an explanation of how your data is processed
- Where applicable, request portability of, or a copy of, your personal information
You can exercise these rights by contacting support@celon.ai.
The Company may request additional information within a reasonable scope in order to verify the identity of the requester. Information received for identity verification is not used for any purpose other than handling the request.
In the following cases, the Company may restrict or refuse a request in whole or in part, to the extent permitted by law.
- Where there is a legal obligation to retain the information
- Where necessary to perform a contract or complete a transaction
- Where necessary for security and abuse prevention
- Where there is a risk of infringing the rights and safety of others
- Where the identity of the requester cannot reasonably be verified
- Where the request is repetitive or manifestly excessive
- Where necessary to exercise or defend against legal claims
Where the Company processes third-party personal information sent to Celon by a customer, acting as that customer’s processor or service provider, the Company may direct the requester to that customer or support the handling of the request under the customer’s instructions.
11. Children’s Personal Information
The Service is intended for businesses, organizations, and developers, and is not offered to children under the age of 14.
The Company does not knowingly collect personal information from children under the age of 14 without the consent of a legal representative.
With respect to users in the United States, the Service is not directed to children under the age of 13, and the Company does not knowingly collect personal information from children for which parental consent is required under the U.S. Children’s Online Privacy Protection Act.
If the Company becomes aware that a child’s personal information has been collected without appropriate consent, it will take reasonable measures to delete that information without delay.
12. Cookies, Tracking Technologies, and Browser Signals
12.1 Essential cookies
The Company may use cookies or similar technologies for the following purposes.
- Maintaining your signed-in state
- Session security
- Storing user preferences
- Preventing abuse
- Analyzing service errors
- Basic service usage measurement
If you block essential cookies, sign-in, the dashboard, or some service features may not work properly.
12.2 Advertising and cross-site tracking
The Company does not provide cross-context behavioral advertising based on your personal information, and does not sell or share personal information for advertising purposes.
The Company does not operate the Service for the purpose of tracking your activity across other websites and services over time to build an advertising profile.
12.3 Do Not Track
There is currently no common industry technical standard for browser Do Not Track signals.
Because the Company does not track for cross-site behavioral advertising, a Do Not Track signal may not cause any separate change to how the Service processes personal information by default.
12.4 Global Privacy Control
If the Company becomes a business that sells or shares personal information under California law, it will treat a valid Global Privacy Control signal as a request to opt out of sale or sharing, to the extent required by law.
The Company does not currently sell personal information or share it for cross-context behavioral advertising.
13. Security Safeguards
The Company applies reasonable administrative, technical, and physical safeguards to prevent the loss, theft, leakage, forgery, alteration, or damage of personal information.
The principal safeguards are as follows.
- Limiting access rights to those who need them for their work
- Data access controls by organization, team, and permission level
- Management of administrator rights and service accounts
- Encryption in transit
- Hashed storage of API keys and minimized exposure of plain text
- Restricted access to credentials and secrets
- The personal information masking feature
- The ability to disable the cache
- The ability to block models and providers
- Restrictions on recording request and response content in general logs
- Security logging and anomaly monitoring
- Access controls on the database and cache
- Backup and recovery procedures
- Established security incident response procedures
- Confidentiality obligations for employees and those performing work
- Security requirements applied to processors and subprocessors
Because no transmission over the internet or method of electronic storage can guarantee absolute security, the Company continuously improves its safeguards in line with applicable law and the state of the art.
14. Responding to Privacy Incidents
If a privacy incident occurs, or the Company becomes aware that one may have occurred, the Company takes the following measures.
- Identifying the cause and scope of the incident
- Preventing further leakage and the spread of harm
- Isolating and restoring the affected systems
- Checking with processors and AI providers
- Notifying affected users and customers
- Reporting to supervisory authorities as required by law
- Establishing measures to prevent recurrence
Where notification or reporting is required, the Company acts in accordance with the content and deadlines prescribed by law.
15. Additional Notice for California Users
This section applies to California residents to the extent the Company is subject to the California Consumer Privacy Act and its amendments.
15.1 Categories of personal information that may be collected in the preceding 12 months
| Category under California law | Examples | Collected | Disclosed for a business purpose | Sold or shared |
|---|---|---|---|---|
| Identifiers | Name, email, IP address, account ID, online identifiers | Yes | May be disclosed to service providers | No |
| Customer records information | Account, contact, and billing contact information | Yes | May be disclosed to authentication and payment providers | No |
| Commercial information | Subscriptions, payments, refunds, credits used, and transaction history | Yes | May be disclosed to payment and accounting providers | No |
| Internet or electronic network activity | Access logs, API calls, browser, device, and service usage information | Yes | May be disclosed to hosting and security providers | No |
| Approximate geolocation | Country or region inferred from an IP address | May apply | May be disclosed to security and hosting providers | No |
| Professional or employment-related information | Organization name, team, job function, or role within an organization | May apply | May be disclosed to service operation processors | No |
| Sensitive personal information | Account sign-in credentials, payment tokens, the contents of messages and files, and sensitive information you submit directly | May apply | Disclosed on a limited basis to providers necessary to perform the requested service | No |
| Inferences | Model preferences, usage patterns, or security risk signals | May apply, on a limited basis | May be disclosed to service operation and security providers | No |
Depending on what you submit, customer content may contain categories of personal information not listed in the table above.
15.2 Sources of personal information
The Company may collect personal information from the following sources.
- You
- The organization you belong to, or the customer that administers your account
- Organization administrators or the person who invited you
- Authentication service providers
- Payment service providers
- Your device and browser
- Your use of the Celon API and web service
- The AI providers you select
- Security and abuse detection systems
15.3 Rights of California residents
Where applicable, California residents may exercise the following rights.
- The right to know the categories and specific pieces of personal information collected
- The right to know the sources of personal information
- The right to know the business purposes for using personal information
- The right to know the categories of businesses to which personal information was disclosed
- The right to request deletion of personal information
- The right to request correction of inaccurate personal information
- The right to opt out of the sale or sharing of personal information
- The right to request limits on the use and disclosure of sensitive personal information
- The right to receive a copy of your personal information
- The right not to be discriminated or retaliated against for exercising these rights
Because the Company does not sell personal information or share it for cross-context behavioral advertising, it does not currently carry out processing that would require a separate “Do Not Sell or Share My Personal Information” process.
The Company does not use sensitive personal information beyond what is reasonably necessary to provide the Service and maintain security, nor for the purpose of inferring characteristics about you.
15.4 How to submit a request and response timelines
California privacy rights requests may be submitted to support@celon.ai.
Please include the following in your request.
- The requester’s name
- Your Celon account email address
- The type of right you wish to exercise
- The account or organization information that needs to be verified
- If an agent is making the request, information evidencing their authority
The Company handles requests within the period prescribed by applicable law after receiving them. Requests to know, access, delete, or correct that are subject to the CCPA are, in principle, answered within 45 days; where necessary, the Company will notify you of the reason and may extend by the period permitted by law.
15.5 Authorized agents
You may submit a request through an authorized agent.
The Company may request a signed power of attorney, direct confirmation from you, or other reasonable evidence in order to verify the agent’s identity and authority.
15.6 Non-discrimination
The Company will not impose the following disadvantages on you for exercising your privacy rights.
- Denying you the Service
- Charging unjustified additional fees
- Degrading service quality
- Retaliation or discrimination not permitted by law
Where deletion or restriction of processing means information essential to a feature is no longer available, that feature may be limited; this is not considered discrimination for exercising your rights.
15.7 Financial incentives
The Company does not currently operate any financial incentive program offering discounts or rewards in exchange for the collection, sale, or sharing of personal information.
15.8 California Shine the Light
The Company does not provide the personal information of California customers to third parties for those third parties’ direct marketing purposes.
16. Changes to This Privacy Policy
The Company may amend this Policy to reflect changes in law, service features, AI providers, subprocessors, or how personal information is processed.
The Company posts the amended Policy in the Service and indicates its effective date.
Where a change materially affects your rights or the processing of your personal information, the Company will give notice before it takes effect through one or more of the following methods.
- A notice on the website or dashboard
- An email to your account address
- An in-service notification
- A notice in the API or developer documentation
Changes requiring separate consent take effect only after consent is obtained in accordance with applicable law.
17. Privacy Contact
Inquiries regarding the processing of personal information, the exercise of your rights, privacy violations, or this Policy may be submitted to the following contact.
- Privacy team: Celon Operations Team
- Company name: Celon Inc.
- Email: support@celon.ai
The Company strives to handle privacy-related inquiries and complaints promptly and in good faith.
Users in the Republic of Korea may also apply for counseling or dispute mediation regarding privacy violations with the following bodies.
- Privacy Infringement Report Center: 118 (no area code)
- Personal Information Dispute Mediation Committee: 1833-6972
- Supreme Prosecutors’ Office: 1301 (no area code)
- National Police Agency: 182 (no area code)