HUMMINGo Privacy Policy
CREVERSE Inc. ("Company," "we," "our," or "us") is a company incorporated in the Republic of Korea that operates HUMMINGo, an AI-powered educational evaluation platform ("Service") accessible at hummingo.ai and related domains (tch.hummingo.ai, stu.hummingo.ai).
We are committed to protecting your privacy and handling personal data in a transparent, lawful, and secure manner in accordance with applicable data protection laws worldwide, including but not limited to the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), the UK GDPR, the U.S. Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our Service.
1. Scope
This Privacy Policy applies to:
- Individual users (teachers, parents, students)
- Institutional users (schools, academies, organizations)
- Website visitors
- Subscription purchasers
- Any person whose personal data is processed through the Service
2. Information We Collect
A. Information You Provide (Account Registration)
When you create an account, we collect personal information necessary for user identification and service delivery. You have the right to refuse consent to the collection of personal information; however, refusal of required items will prevent account creation and use of the Service.
Refusal of optional items does not affect account creation or use of core services.
Required Items
| Registration Type | Data Collected | Purpose | Retention |
|---|---|---|---|
| Standard sign-up | Name, email address, password | Account creation, user identification, account recovery | Until account deletion |
| Social sign-up (Google) | SNS ID, email address | Account creation, user identification, account recovery | Until account deletion |
Optional Items
| Category | Data Collected | Purpose | Retention |
|---|---|---|---|
| Marketing | Email address | Event information, service updates, promotional communications | Until account deletion or withdrawal of consent |
B. Student Data (Educational Records)
When used by schools or teachers, we may process:
- Student name or identifier
- Student email (if applicable)
- Assignment submissions (text, image, audio, or video)
- AI-generated evaluations and feedback
- Performance analytics
Student data is processed strictly for educational purposes. We do not use student data for advertising, profiling, or any purpose unrelated to the educational services provided to the school or teacher.
C. Payment Information
Payment and subscription billing are processed by PCI-DSS compliant third-party payment processors. The specific processor depends on your region.
We do NOT store:
- Full credit card numbers
- CVV/CVC codes
- Card PIN numbers
Payment information is collected and processed directly by the payment processor under their own privacy policy. We may retain only:
- Transaction ID and payment reference number
- Subscription status
- Billing email
- Country of purchase
- Last four digits of card (if provided by the processor)
D. Automatically Collected Information
During use of the Service, the following information may be automatically generated and collected:
- IP address
- Device information and browser type
- MAC address
- Cookies and session identifiers
- Access timestamps
- Service usage logs and records
- Records of improper use (if any)
This information is used to improve service quality, optimize performance, and enhance the user experience.
E. How We Collect Information
- Directly from you: through our website, account registration forms, and service interfaces
- Automatically: through cookies, server logs, and analytics tools during your use of the Service
3. How We Use Information
We process personal data only for the following purposes:
1. Provide, operate, and maintain the Service
2. Verify user identity and prevent unauthorized or fraudulent use
3. Process subscriptions and payments
4. Generate AI-based evaluations and feedback on student submissions
5. Improve platform performance through statistical analysis
6. Respond to customer support inquiries
7. Manage billing records and resolve payment disputes
8. Comply with legal obligations
9. Send newsletters, feature announcements, promotions, and event information (only with prior marketing consent)
4. Automated Processing and AI Transparency
HUMMINGo uses artificial intelligence to:
- Analyze written and spoken student assignments
- Generate rubric-based evaluations with structured scores
- Provide personalized, automated feedback
AI evaluations are intended to support educators and do not replace professional academic judgment. Teachers retain full discretion over final grading decisions.
Under applicable data protection laws (including GDPR Article 22), you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Since AI evaluations in HUMMINGo are advisory tools used under teacher supervision — not final automated decisions — they generally do not constitute solely automated decision-making. However, if you believe automated processing has significantly affected you, you may contact us to request human review.
5. Legal Bases for Processing
The legal basis for processing your personal data depends on your location and the specific processing activity:
| Legal Basis | Examples |
|---|---|
| Performance of a contract | Providing the Service, managing your account, processing payments |
| Consent | Marketing communications, optional data collection, cookies (where required) |
| Legitimate interests | Improving service quality, preventing fraud, internal analytics |
| Legal obligation | Tax/accounting records, responding to lawful government requests |
| Vital interests | Protecting the safety of users in emergency situations |
| Public interest (education) | Processing student data for legitimate educational purposes |
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
6. Sharing and Disclosure of Information
We do NOT sell personal information. We do not provide personal information to third parties without your consent or as required by law.
We may share data with trusted service providers who process data on our behalf under strict contractual obligations:
| Service Provider | Purpose | Data Shared | Retention |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, data storage, and system infrastructure | Service usage records and collected personal data | Until account deletion or end of service agreement |
| Payment Processors (region-dependent) | Payment processing and subscription billing | Purchaser name, ID, order details, contact info, payment details | Until account deletion or as required by law |
All service providers are contractually obligated to safeguard personal data and process it only for the purposes specified. We may also disclose information when required by law, regulation, legal process, or governmental request.
7. International Data Transfers
CREVERSE Inc. is based in the Republic of Korea. Your personal data may be transferred to and processed in countries other than your own, including Korea and other jurisdictions where our service providers operate (e.g., Microsoft Azure data centers).
When transferring data internationally, we ensure appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers from the EU/EEA
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, for transfers from the UK
- Adequacy decisions recognized by applicable authorities
- Contractual commitments with service providers that meet equivalent data protection standards
You may request a copy of the applicable transfer safeguards by contacting us.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, or as required by applicable law.
A. General Retention
| Category | Retention Period |
|---|---|
| Account information | Until account deletion (with a 30-day grace period for organizational accounts, after which data is permanently and irreversibly deleted) |
| Payment and transaction records | Up to 5 years (as required by commercial and consumer protection laws) |
| Consumer complaints and dispute records | Up to 3 years |
| Identity verification records | Up to 6 months |
| Access/connection logs | Minimum 1 year (for incident response and security) |
B. Extended Retention
We may retain data beyond the standard period when:
- An investigation or legal proceeding related to law violations is ongoing
- Outstanding debts or obligations related to the Service remain unsettled
- Retention is required by applicable law or regulation
Student data associated with institutional accounts may be retained in accordance with agreements with the educational institution.
9. Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
A. Rights Available to All Users
- Access: View the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Withdrawal of Consent: Withdraw consent for optional processing (e.g., marketing) at any time
You may exercise these rights through your account settings, or by contacting us at the address listed in Section 16. If you request correction of your data, we will not use or provide the data until the correction is completed. If inaccurate data has already been provided to a third party, we will promptly notify the third party of the correction.
B. Additional Rights for EU/EEA and UK Residents (GDPR)
- Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Restriction of Processing: Request that we restrict processing in certain circumstances
- Right to Object: Object to processing based on legitimate interests, including profiling
- Automated Decision-Making: Right not to be subject to decisions based solely on automated processing (see Section 4)
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (e.g., the ICO in the UK, or your national DPA in the EU)
C. Additional Rights for California Residents (CCPA/CPRA)
- Right to Know: Request details about personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information
- Right to Limit Use of Sensitive Personal Information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
We do not sell or share personal information as defined under CCPA/CPRA.
D. Rights of Legal Representatives
Legal guardians or authorized representatives may exercise the above rights on behalf of users (including minors) by providing appropriate verification.
10. Children's Privacy
HUMMINGo is designed for educational use in schools and is used by students of various ages, including children.
A. COPPA Compliance (United States)
For users under 13 years of age in the United States:
- Personal information is collected only through a school or teacher account
- The school or teacher acts as the parent's authorized agent for consent under COPPA
- We do not knowingly collect personal information directly from children under 13 without proper authorization
- We do not use children's data for advertising or commercial purposes unrelated to the educational service
B. FERPA Compliance (United States)
For U.S. educational institutions:
- HUMMINGo acts as a "School Official" with a legitimate educational interest under FERPA
- We process student education records solely for the educational purposes authorized by the school
- We do not disclose student records without school authorization
- We do not use student education records for advertising or non-educational profiling
C. Age-Appropriate Processing (EU/UK and Other Jurisdictions)
In the EU/EEA and UK, where consent is the legal basis for processing, we rely on the educational institution to provide or obtain appropriate consent for students under the applicable age threshold (generally 13-16 years, depending on the member state). In all cases, student data is processed solely for educational purposes under the direction of the school or teacher.
Parents or legal guardians may contact us at privacy@hummingo.ai to review, correct, or request deletion of a child's data.
11. Cookies and Tracking Technologies
We use cookies to:
- Maintain secure login sessions (authentication)
- Store user preferences (e.g., language settings)
- Analyze site performance and usage patterns
We use only essential and functional cookies by default. Where required by law (e.g., under the EU ePrivacy Directive), we obtain your consent before placing non-essential cookies.
You may disable cookies through your browser settings, though this may affect the functionality of the Service.
12. Data Security
We implement technical, administrative, and physical measures to protect personal data from loss, theft, leakage, alteration, and damage, including:
Technical Measures
- Encryption of personal data in transit (TLS 1.2+) and at rest
- Security software with regular updates and monitoring
- Systems hosted in access-controlled environments with technical and physical monitoring
- Access log retention for a minimum of 1 year, with tamper-prevention safeguards
Administrative Measures
- Internal data protection management plan
- Role-based access controls with grant, modification, and revocation procedures
- Regular security reviews and audits
- Designated Data Protection Officer
Physical Measures
- Restricted physical access to data processing facilities
13. Data Deletion and Destruction
When personal data is no longer needed — whether due to expiration of the retention period, achievement of the processing purpose, or user request — we delete the data without delay.
Deletion Procedure
- Personal data eligible for deletion is identified and approved by our Data Protection Officer before destruction
Deletion Methods
- Electronic records: Deleted using methods that prevent recovery or reproduction
- Paper records: Shredded or incinerated
14. Subscriptions and Refunds
Subscriptions are billed on a recurring basis.
Users may cancel subscriptions through their account settings or the payment portal.
Refund eligibility is governed by our Refund Policy, available on our website.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be posted on our website with a revised effective date. For material changes, we will provide prominent notice (such as an in-service notification or email to registered users) before the changes take effect.
This Privacy Policy is effective as of March 16, 2026.
16. Contact Information
Data Protection Officer / Privacy Contact
| Company | CREVERSE Inc. |
|---|---|
| Name | Kwan Kim |
| Title | Head of AX Biz Division |
| Department | AX Development Team |
| Phone | +82-2-6420-8338 |
| contact@hummingo.ai |
You may contact us with any questions, complaints, or requests regarding the processing of your personal data. We will respond without undue delay.
Regulatory Bodies
If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority in your jurisdiction, including but not limited to:
- EU/EEA: Your national Data Protection Authority (list at edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Republic of Korea: Personal Information Protection Commission (PIPC) — pipc.go.kr
- United States: Federal Trade Commission (FTC) — ftc.gov