Ballast

Privacy Policy

Effective date: July 15, 2026 · This English translation is provided for convenience; the Korean version is the authoritative document.

Ballast (the “Company”) processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act of Korea (PIPA) and related laws. In accordance with Article 30 of PIPA, the Company establishes and publishes this privacy policy to inform data subjects of the procedures and standards for processing personal information and to handle related grievances promptly.

This policy applies to the website and the AWS infrastructure diagnostics / FinOps cost optimization service Ballast (currently operated at ballast-landing.vercel.app, to be moved to ballast.cloud — the “Service”). The Service is currently in beta and provides read-only diagnostic reports for AWS accounts and a waitlist for launch notices.

1. Purposes of Processing

  1. Member registration and management — confirming intent to register, identification and authentication, maintaining membership, preventing misuse, notices, and grievance handling
  2. Service provision — connecting AWS accounts (read-only), automated resource discovery, cost/configuration analysis, and generating diagnostic reports
  3. Waitlist operation and launch notices — confirming registration, sending launch/beta invitations, prioritizing invites, and responding to inquiries
  4. Billing and settlement — settling fees for paid services (bank transfer) and issuing tax invoices
  5. Grievance handling — verifying identity, receiving and investigating inquiries, and notifying results
  6. Service improvement — analyzing service usage and improving quality, stability, and new features
  7. Marketing and information — (only with consent) sending news, feature updates, and newsletters

2. Items of Personal Information Processed

2-1. Processed without separate consent (legal bases under PIPA)

Processing activityLegal basisItems
Member servicesPIPA Art. 15(1)4 (performance of contract)(Required) email address, password / (Optional) name
Cloud account connectionPIPA Art. 15(1)4 (performance of contract)Connected AWS account identifiers (AWS account ID, IAM role ARN) and connection settings (External ID, etc.)
Billing and settlement (paid)PIPA Art. 15(1)4 (performance of contract)Business information for tax invoices (company name, business registration number, contact person’s name/phone/email), settlement records
Inquiries and supportPIPA Art. 15(1)4 (performance of contract)Name, email address, inquiry content
Automatically generated during usePIPA Art. 15(1)6 (legitimate interest — abuse prevention, stable operation)IP address, access timestamps and logs, usage records, device/browser info, cookies

2-2. Processed with consent

Processing activityLegal basisItems
Waitlist operation and launch noticesPIPA Art. 15(1)1 (consent)(Required) email address / (Optional) company, role, monthly cloud spend range, primary cloud, dedicated DevOps status
Marketing/newsletterPIPA Art. 15(1)1 (consent — optional)Email address

3. Children Under 14

The Service is not directed at children under 14, and the Company does not collect or process their personal information.

4. Retention Periods

  1. Member registration and management: until account deletion — or until the end of any pending investigation or outstanding claims/obligations
  2. Cloud account connection data: destroyed without delay upon disconnection or account deletion
  3. Billing and settlement: until settlement is complete, except records retained under the E-Commerce Act Enforcement Decree — contracts/withdrawals (5 years), payments/supply (5 years), consumer complaints/disputes (3 years), display/advertising (6 months)
  4. Waitlist data: until the purpose is fulfilled (launch notices and waitlist operation end) or upon deletion request
  5. Access logs: telecommunications logs kept for 3 months under the Protection of Communications Secrets Act Art. 15-2; access records for personal information processing systems kept for at least 1 year under the safeguards standards
  6. Marketing consent data: until consent withdrawal or account deletion

5. Destruction of Personal Information

When personal information is no longer needed (retention expiry, purpose fulfilled), it is destroyed without delay with the approval of the privacy officer. Data that must be retained under other laws is moved to a separate database or storage. Electronic files are destroyed irrecoverably.

6. Provision to Third Parties

The Company does not provide personal information to third parties, except with separate consent or where required by law (PIPA Arts. 17(1)2 and 18(2)).

7. Additional Use or Provision

The Company does not currently engage in ongoing additional use/provision of personal information without consent within a scope reasonably related to the original purpose. Should this change, the criteria under PIPA Arts. 15(3)/17(4) and Enforcement Decree Art. 14-2 will be published in this policy first.

8. Outsourcing of Processing

ProcessorOutsourced work
Vercel Inc. (USA)Website/service hosting and infrastructure operation
Neon, LLC (USA · a Databricks, Inc. company)Service database storage and management (member, connection, waitlist data)

Outsourcing contracts specify the prohibitions and safeguards required by PIPA Art. 26, and the Company supervises processors. Changes will be disclosed through this policy without delay.

9. Cross-Border Transfer

The Company transfers personal information abroad (outsourced processing/storage) as follows, disclosed under PIPA Art. 28-8. If you do not wish your data transferred abroad, you may request account deletion via email (kal6529@gmail.com), though this limits use of the Service.

RecipientsVercel Inc. (hosting · privacy@vercel.com) / Neon, LLC (database storage · privacy@databricks.com)
Items transferredAll items collected under Section 2
Country / timing / methodUnited States / at the time of service use / encrypted transmission and storage (TLS)
Purpose / retentionService hosting and database storage / same as the periods in Section 4

10. Safeguards

  1. Organizational: internal management plan, minimization of personnel handling personal information, access authorization management
  2. Technical: access control for processing systems; encryption of sensitive values such as cloud connection settings (TLS in transit, encryption at rest); one-way password hashing; retention and tamper-proofing of access logs; read-only, least-privilege cloud access only — no write permissions over user infrastructure
  3. Physical: physical access controls and disaster safeguards of the cloud infrastructure providers

11. Sensitive Information

The Company does not process sensitive information under PIPA Art. 23(1) and provides no feature that discloses it.

12. Pseudonymized Information

The Company does not currently process pseudonymized information under PIPA Arts. 28-2 and 28-3. If it does in the future, details will be added to this policy.

13. Cookies

The Company uses cookies only to the extent essential for providing the Service, such as keeping you signed in, and does not use advertising or tracking cookies. Usage analytics are collected cookie-free with a self-hosted tool (Umami) without identifying individuals. You may refuse cookies in your browser settings, though sign-in persistence may be limited.

14. Behavioral Information Collected by Third Parties

The Company does not allow third parties to collect behavioral information for targeted advertising. If this changes, the collectors, items, purposes, and opt-out methods will be disclosed in this policy.

15. Rights of Data Subjects

You may at any time request access, transmission, correction, deletion, suspension of processing, or withdrawal of consent by email (kal6529@gmail.com). The Company responds within 10 days (transmission requests: without delay). Rights may be exercised through a legal representative or authorized agent with a power of attorney. Requests may be limited under PIPA Arts. 35(4) and 37(2).

16. Automated Decisions

The Company does not make fully automated decisions with legal or similarly significant effects under PIPA Art. 37-2. Diagnostic reports and cost optimization recommendations are provided as reference information based on the cloud providers’ official analysis engines.

17. Privacy Officer

18. Domestic Agent

The Company has its address/place of business in Korea and is not subject to the domestic agent designation requirement under PIPA Art. 31-2. (Not applicable)

19. Remedies for Infringement

20. Voluntary Privacy Efforts

21. Changes to This Policy

This policy (v2) takes effect on July 15, 2026. This revision adds disclosures for processing that newly begins with the beta service (member registration, AWS account connection, diagnostic reports) and makes no unfavorable changes to the processing of existing data subjects (waitlist registrants), so it takes effect upon announcement. Future revisions are announced at least 7 days in advance (30 days for changes significantly affecting your rights). Previous versions:

← Back to main