Privacy Policy
Ballast (the “Company”) processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act of Korea (PIPA) and related laws. In accordance with Article 30 of PIPA, the Company establishes and publishes this privacy policy to inform data subjects of the procedures and standards for processing personal information and to handle related grievances promptly.
This policy applies to the website and the AWS infrastructure diagnostics / FinOps cost optimization service Ballast (currently operated at ballast-landing.vercel.app, to be moved to ballast.cloud — the “Service”). The Service is currently in beta and provides read-only diagnostic reports for AWS accounts and a waitlist for launch notices.
1. Purposes of Processing
- Member registration and management — confirming intent to register, identification and authentication, maintaining membership, preventing misuse, notices, and grievance handling
- Service provision — connecting AWS accounts (read-only), automated resource discovery, cost/configuration analysis, and generating diagnostic reports
- Waitlist operation and launch notices — confirming registration, sending launch/beta invitations, prioritizing invites, and responding to inquiries
- Billing and settlement — settling fees for paid services (bank transfer) and issuing tax invoices
- Grievance handling — verifying identity, receiving and investigating inquiries, and notifying results
- Service improvement — analyzing service usage and improving quality, stability, and new features
- Marketing and information — (only with consent) sending news, feature updates, and newsletters
2. Items of Personal Information Processed
2-1. Processed without separate consent (legal bases under PIPA)
| Processing activity | Legal basis | Items |
|---|---|---|
| Member services | PIPA Art. 15(1)4 (performance of contract) | (Required) email address, password / (Optional) name |
| Cloud account connection | PIPA Art. 15(1)4 (performance of contract) | Connected AWS account identifiers (AWS account ID, IAM role ARN) and connection settings (External ID, etc.) |
| Billing and settlement (paid) | PIPA Art. 15(1)4 (performance of contract) | Business information for tax invoices (company name, business registration number, contact person’s name/phone/email), settlement records |
| Inquiries and support | PIPA Art. 15(1)4 (performance of contract) | Name, email address, inquiry content |
| Automatically generated during use | PIPA Art. 15(1)6 (legitimate interest — abuse prevention, stable operation) | IP address, access timestamps and logs, usage records, device/browser info, cookies |
- Passwords are stored as one-way hashes; plaintext is never retained.
- The Company connects to cloud accounts with read-only, least-privilege access only. The current Service does not collect or hold write (execution) permissions that could modify your infrastructure.
- Payments are settled via bank transfer and tax invoices; the Company does not collect or store credit card details or other payment instrument data.
- Resource and cost metadata collected from connected accounts is mostly non-identifying infrastructure/billing information; where personal information is included, it is handled under this policy.
2-2. Processed with consent
| Processing activity | Legal basis | Items |
|---|---|---|
| Waitlist operation and launch notices | PIPA Art. 15(1)1 (consent) | (Required) email address / (Optional) company, role, monthly cloud spend range, primary cloud, dedicated DevOps status |
| Marketing/newsletter | PIPA Art. 15(1)1 (consent — optional) | Email address |
- Optional fields are not required for waitlist registration.
- Marketing consent can be withdrawn at any time and is not required to use the Service’s essential features.
3. Children Under 14
The Service is not directed at children under 14, and the Company does not collect or process their personal information.
4. Retention Periods
- Member registration and management: until account deletion — or until the end of any pending investigation or outstanding claims/obligations
- Cloud account connection data: destroyed without delay upon disconnection or account deletion
- Billing and settlement: until settlement is complete, except records retained under the E-Commerce Act Enforcement Decree — contracts/withdrawals (5 years), payments/supply (5 years), consumer complaints/disputes (3 years), display/advertising (6 months)
- Waitlist data: until the purpose is fulfilled (launch notices and waitlist operation end) or upon deletion request
- Access logs: telecommunications logs kept for 3 months under the Protection of Communications Secrets Act Art. 15-2; access records for personal information processing systems kept for at least 1 year under the safeguards standards
- Marketing consent data: until consent withdrawal or account deletion
5. Destruction of Personal Information
When personal information is no longer needed (retention expiry, purpose fulfilled), it is destroyed without delay with the approval of the privacy officer. Data that must be retained under other laws is moved to a separate database or storage. Electronic files are destroyed irrecoverably.
6. Provision to Third Parties
The Company does not provide personal information to third parties, except with separate consent or where required by law (PIPA Arts. 17(1)2 and 18(2)).
7. Additional Use or Provision
The Company does not currently engage in ongoing additional use/provision of personal information without consent within a scope reasonably related to the original purpose. Should this change, the criteria under PIPA Arts. 15(3)/17(4) and Enforcement Decree Art. 14-2 will be published in this policy first.
8. Outsourcing of Processing
| Processor | Outsourced work |
|---|---|
| Vercel Inc. (USA) | Website/service hosting and infrastructure operation |
| Neon, LLC (USA · a Databricks, Inc. company) | Service database storage and management (member, connection, waitlist data) |
- Usage analytics are performed with a self-hosted tool (Umami) operated directly by the Company — no separate analytics processor. Analytics data is processed on the infrastructure above.
- Inquiries and support are handled directly by the Company via email — no separate support or email-delivery processor.
Outsourcing contracts specify the prohibitions and safeguards required by PIPA Art. 26, and the Company supervises processors. Changes will be disclosed through this policy without delay.
9. Cross-Border Transfer
The Company transfers personal information abroad (outsourced processing/storage) as follows, disclosed under PIPA Art. 28-8. If you do not wish your data transferred abroad, you may request account deletion via email (kal6529@gmail.com), though this limits use of the Service.
| Recipients | Vercel Inc. (hosting · privacy@vercel.com) / Neon, LLC (database storage · privacy@databricks.com) |
|---|---|
| Items transferred | All items collected under Section 2 |
| Country / timing / method | United States / at the time of service use / encrypted transmission and storage (TLS) |
| Purpose / retention | Service hosting and database storage / same as the periods in Section 4 |
- Legal basis: PIPA Art. 28-8(1)3 (outsourced processing/storage necessary for contract performance).
- The Company plans to migrate its infrastructure to Korea (AWS Seoul region) and will revise this section upon completion.
10. Safeguards
- Organizational: internal management plan, minimization of personnel handling personal information, access authorization management
- Technical: access control for processing systems; encryption of sensitive values such as cloud connection settings (TLS in transit, encryption at rest); one-way password hashing; retention and tamper-proofing of access logs; read-only, least-privilege cloud access only — no write permissions over user infrastructure
- Physical: physical access controls and disaster safeguards of the cloud infrastructure providers
11. Sensitive Information
The Company does not process sensitive information under PIPA Art. 23(1) and provides no feature that discloses it.
12. Pseudonymized Information
The Company does not currently process pseudonymized information under PIPA Arts. 28-2 and 28-3. If it does in the future, details will be added to this policy.
13. Cookies
The Company uses cookies only to the extent essential for providing the Service, such as keeping you signed in, and does not use advertising or tracking cookies. Usage analytics are collected cookie-free with a self-hosted tool (Umami) without identifying individuals. You may refuse cookies in your browser settings, though sign-in persistence may be limited.
14. Behavioral Information Collected by Third Parties
The Company does not allow third parties to collect behavioral information for targeted advertising. If this changes, the collectors, items, purposes, and opt-out methods will be disclosed in this policy.
15. Rights of Data Subjects
You may at any time request access, transmission, correction, deletion, suspension of processing, or withdrawal of consent by email (kal6529@gmail.com). The Company responds within 10 days (transmission requests: without delay). Rights may be exercised through a legal representative or authorized agent with a power of attorney. Requests may be limited under PIPA Arts. 35(4) and 37(2).
16. Automated Decisions
The Company does not make fully automated decisions with legal or similarly significant effects under PIPA Art. 37-2. Diagnostic reports and cost optimization recommendations are provided as reference information based on the cloud providers’ official analysis engines.
17. Privacy Officer
- Name: Taeksoo Kim
- Title: Founder/CEO
- Contact: kal6529@gmail.com
18. Domestic Agent
The Company has its address/place of business in Korea and is not subject to the domestic agent designation requirement under PIPA Art. 31-2. (Not applicable)
19. Remedies for Infringement
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- KISA Privacy Report Center: 118 (privacy.kisa.or.kr)
- National Police Agency: 182 (ecrm.police.go.kr)
20. Voluntary Privacy Efforts
- Security by design: cloud connections use read-only, least-privilege access via temporary role assumption (AssumeRole) combined with an External ID — no long-lived access keys.
- No durable write credentials: the Company does not store credentials capable of modifying user infrastructure.
- The Company plans to pursue certifications such as ISMS-P.
21. Changes to This Policy
This policy (v2) takes effect on July 15, 2026. This revision adds disclosures for processing that newly begins with the beta service (member registration, AWS account connection, diagnostic reports) and makes no unfavorable changes to the processing of existing data subjects (waitlist registrants), so it takes effect upon announcement. Future revisions are announced at least 7 days in advance (30 days for changes significantly affecting your rights). Previous versions: