Privacy Policy

1. Introduction

Coralo (the "Service") is a PWA dedicated to AI-powered color grading for underwater video and photography. This Privacy Policy describes how personal information is collected, used, stored, and shared when you use our Service available at https://www.coralo.app (the "Website").

Coralo is committed to protecting your privacy and complies with applicable data protection laws, including GDPR and the Korean Personal Information Protection Act (PIPA). This policy applies to all users of the Service.

2. Information We Collect

Information You Provide Directly

• Account information: email address, name (collected through Clerk authentication)
• Payment information: payments are processed through Lemon Squeezy (Merchant of Record). Coralo does NOT directly store credit card numbers or payment method details.
• Information you provide when contacting customer support

Information Collected Automatically

• Browser type, operating system, and device information
• IP address
• Usage logs and error tracking data
• Session cookies

Information We Do NOT Collect

Coralo's core color grading functionality processes all video and photo files locally in your browser using WebGL and WebAssembly. Your video files, photo files, and project data are NEVER uploaded to our servers or collected in any way.

3. How We Use Information

We use the collected information for the following purposes:

• Account creation and management
• Subscription and payment processing
• Service improvement and bug fixes
• Customer support
• Important notices including service changes and security alerts

4. Third-Party Services

Coralo uses the following third-party services to operate. Each service processes data according to its own privacy policy:

• Clerk — User authentication — Privacy Policy
• Supabase — Database — Privacy Policy
• Vercel — Hosting — Privacy Policy
• Lemon Squeezy — Payment processing (Merchant of Record) — Privacy Policy
• Cloudflare — CDN — Privacy Policy

5. Data Storage & Security

User data is stored encrypted in Supabase. All data transmission is encrypted via HTTPS. Passwords are hashed by Clerk, and Coralo never has access to plaintext passwords.

We implement industry-standard security measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

6. Cookies

Coralo uses the following types of cookies:

• Essential session cookies — Required to maintain your login state and for core service functionality. These cookies are essential and cannot be disabled.
• Analytics cookies (future) — May be used in the future to collect usage statistics for service improvement. We will notify you separately when introduced.

Coralo does not use advertising cookies.

7. Your Rights

You have the following rights regarding your personal information:

• Access and modify your personal information
• Request account deletion — when you delete your account, all associated data will be deleted
• Data portability — request a download of your personal data (GDPR)
• Restrict processing and object to processing

To exercise any of these rights, please contact us at support@coralo.app.

8. Data Retention

• Active accounts — Data is retained for as long as your account remains active.
• Deletion requests — All personal data will be deleted within 30 days of a deletion request.
• Payment records — Payment records are retained for 5 years as required by law.

9. Children's Privacy

Coralo does not provide services to children under the age of 14. If we become aware that personal information has been inadvertently collected from a child under 14, we will delete that information immediately. If you believe this has occurred, please contact us at support@coralo.app.

10. International Data Transfers

Coralo's service infrastructure is distributed across multiple regions:

• Vercel: hosted on servers located in the United States
• Supabase: Asia (Korea) region

For EU users, data transfers are conducted with appropriate safeguards as required by the GDPR. For users in South Korea, we comply with cross-border transfer requirements under the Personal Information Protection Act (PIPA).

11. Changes to This Privacy Policy

If this Privacy Policy is updated, we will notify you at least 30 days before the effective date via the email address associated with your account. For significant changes, we will also provide notice through the Service. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

12. Contact

If you have any questions about this Privacy Policy, please contact us:

• Email: support@coralo.app
• Data Protection Officer (DPO): Kim Dohyun
• Location: South Korea

13. Effective Date

This Privacy Policy is effective as of April 15, 2026.