Privacy Policy

Effective date: 1 January 2026 · Amendment announced: 16 June 2026 · Amendment effective: 16 July 2026 (Version 3.0)

METIS, a non-commercial project operated by students in the Republic of Korea (the “Operator,” “we,” or “us”), establishes and discloses this Privacy Policy pursuant to Article 30 of the Personal Information Protection Act (the “PIPA”) to protect the personal information of data subjects and to handle related grievances promptly and smoothly. Where you access the Service from the European Economic Area, the United Kingdom, the United States, or another jurisdiction, the region-specific provisions of Article 19 also apply to you. This Policy forms an integral part of, and should be read together with, the Terms of Service and the Community Guidelines.

Article 1 (Definitions and Scope)

1. “Personal information” means information relating to a living individual that identifies, or can be combined with other information to identify, that individual; where the context requires, it includes “personal data” as defined under the GDPR and “personal information” as defined under the laws of California. 2. “Processing” means collection, generation, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, disclosure, and destruction of personal information. 3. This Policy applies to all personal information the Operator processes through the Service. The Operator is the personal-information controller (and, under the GDPR, the data controller) with respect to such information.

Article 2 (Personal Information We Collect and the Method of Collection)

The Operator collects the following categories of personal information. “Required” items are necessary to provide the relevant function; “optional” items are collected only if the Member chooses to provide them. Refusal to provide a required item may limit the corresponding service.

CategoryItems
Account and authentication(Required) email address, password (stored as a one-way hash), display name, date of birth (for age verification); (Optional) username, profile/avatar image, banner image, biography, affiliation, website, GitHub URL, location, preferred language
Identity verificationEmail one-time-password verification records; phone number in international (E.164) format and verification status, where phone verification is used; institutional (school) email, institution name, domain, and verification timestamp, where school verification is used
Strong authentication and securityTwo-factor authentication enrollment (time-based one-time-password factor, managed by our authentication processor); FIDO2/WebAuthn passkey credentials (public key, credential identifier, signature counter, authenticator identifier (AAGUID), transports, device type, backup status, friendly name, creation and last-used time); trusted-device records and a device-fingerprint identifier
Children and guardiansWhere the Member is under 14: the child's name, email, and date of birth; and the legal representative's (guardian's) name, relationship, email, the consent record, and the date, time, and IP address of consent verification
Author and academic profileAuthor real name, optional local-language name, contact email, research areas and interests, affiliation, career description, discipline, external links, and biography, where the Member creates an author profile; paper full text, abstract, authors, category, discipline, tags, DOI, and other metadata; research-ethics disclosures submitted on upload
Community and social activityCommunity posts and comments, paper comments and replies, likes, bookmarks, follows, notifications, and uploaded attachments and images
Learning activityLearning progress, streaks, quiz results, and achievements
Points and rewardsPoint balances and point-transaction history, including the reason and any reference to the related item
Paid services and billingSubscription status and period; a tokenized billing key or a subscription identifier issued by the payment-gateway or overseas payment provider (the Operator does not store full card numbers); and payment and refund records processed by the payment provider — collected only if and when paid services are offered
Reports, moderation, and complianceReport content and status; image-moderation results and logs; banned-word screening results; account status, including sanction records, ban reason, ban count, and violation points
Recommendation and analytics signalsInteraction events (such as paper views, read-progress, searches, author clicks, and 'not interested' signals), recommendation impressions, an interest profile, and content embeddings used for similarity search
Access and device logsAccess IP address, browser and device information, user-agent, service-use records, and activity logs generated automatically in the course of use, including for fraud prevention and security
InquiriesThe content of inquiries, the contact email, and the handling record
Consent recordsWhether the Terms and the Privacy Policy were agreed to, the agreement timestamps, the agreed version, and the sign-up user-agent

Method of collection: directly from the Member during registration, profile creation, verification, upload, payment, and inquiry; automatically through the operation of the Service (logs, cookies, and local storage); and from third-party identity providers (OAuth) and processors where the Member uses those features.

Article 3 (Purposes of Processing and Legal Bases)

The Operator processes personal information for the purposes below and does not use it beyond those purposes. Where the purpose changes, the Operator takes the measures required by Article 18 of the PIPA, such as obtaining separate consent.

PurposePrincipal itemsLegal basis
Registration, authentication, and account managementAccount, authentication, and verification dataPerformance of the service agreement; consent (PIPA Art. 15(1)); GDPR Art. 6(1)(b) contract
Guardian-consent verification for children under 14Child and guardian dataLegal obligation and consent (PIPA Art. 22-2); GDPR Art. 6(1)(c) and Art. 8
Operation of the paper archive and scholarly recordAuthor, paper, and metadataContract and legitimate interest in preserving the scholarly record; GDPR Art. 6(1)(b),(f); Art. 89 (research and archiving)
Community, learning, points, and recommendationsActivity, learning, points, and recommendation signalsContract and legitimate interest in providing and improving the Service; GDPR Art. 6(1)(b),(f)
Paid-service billing and refunds (only if and when paid services are offered)Billing and subscription dataPerformance of the paid contract and legal record-keeping; GDPR Art. 6(1)(b),(c)
Trust and safety, fraud prevention, and securityReport, moderation, sanction, access, and device dataLegal obligation and legitimate interest in keeping the Service safe; GDPR Art. 6(1)(c),(f)
Service notices and grievance handlingEmail, inquiry, and contact dataContract and legal obligation; GDPR Art. 6(1)(b),(c)
Optional marketing or newsletters, where offeredEmail and preference dataConsent (PIPA Art. 22; Network Act Art. 50); GDPR Art. 6(1)(a)

Where the Operator relies on consent, the Member may withdraw it at any time without affecting the lawfulness of prior processing. Where the Operator relies on a legitimate interest, the Member may object as described in Article 12.

Article 4 (Retention and Use Period)

The Operator retains and uses personal information for the period below, after which it destroys it without delay. Information that must be preserved under applicable law is moved to a separate database or storage and retained for the statutory period.

ItemRetention period
Account and profile informationUntil withdrawal of membership; destroyed after a grace period (in principle 14 days) following a withdrawal request, to allow recovery of an account deleted in error
Guardian-consent records (children under 14)Until withdrawal of consent or of membership; the consent record is retained for the minimum period necessary to evidence consent under the PIPA
Published papers and metadataRetained for the duration of publication to preserve the scholarly record; on withdrawal the account link is severed, while attribution may remain in accordance with scholarly practice and the selected license
Institutional (school) verificationUntil verification is revoked or membership is withdrawn
Records on contracts or withdrawal of subscription5 years (E-Commerce Act) (applies only while paid services are operated)
Records on payment and the supply of goods/services5 years (E-Commerce Act) (applies only while paid services are operated)
Records on consumer complaints or dispute resolution3 years (E-Commerce Act) (applies only while paid services are operated)
Records on display/advertising6 months (E-Commerce Act) (applies only while paid services are operated)
Service-access (log) recordsAt least 3 months (Protection of Communications Secrets Act); access, device, and security logs are in principle retained for up to 1 year for fraud prevention and security
Sanction and re-registration-restriction recordsRetained for the minimum period necessary to enforce sanctions and prevent re-registration abuse

Article 5 (Provision of Personal Information to Third Parties)

The Operator processes personal information only within the scope specified in Article 3, and provides it to a third party only where the data subject has given separate consent or where Article 17 or 18 of the PIPA applies (for example, a special provision of law, or a lawful request by an investigative agency following due process). The Operator does not sell personal information and does not provide it to third parties for their own marketing. Where the Operator is legally compelled to disclose information, it discloses only the minimum necessary and, where permitted by law, notifies the affected Member.

Article 6 (Entrustment of Processing / Sub-Processors)

The Operator entrusts the processing of personal information as set out below to provide the Service. Some processors are located outside the Republic of Korea; see Article 7. The Operator specifies, by contract, the prohibition of processing beyond the entrusted purpose, technical and managerial safeguards, restrictions on re-entrustment, supervision, and liability, and it supervises whether each processor handles personal information safely, in accordance with Article 26 of the PIPA.

ProcessorEntrusted taskLocation / notes
Supabase Inc. (on cloud infrastructure such as AWS)Database, authentication, file storage, and serverless function infrastructureUnited States and other regions
Cloudflare, Inc.Content delivery (CDN), serverless edge, and security/bot mitigationUnited States and other regions
PortOne (formerly IAMPORT) and PayPal Pte. Ltd.Payment processing for paid services (recurring and one-time)Republic of Korea; Singapore / United States · engaged only if and when paid services are offered
SMS / messaging providers (such as Twilio Inc.)Delivery of one-time passwords and security/service notifications by SMSUnited States and other regions
Sightengine SASAutomated moderation of uploaded images for nudity and unsafe contentFrance / European Union; a temporary signed image URL is shared
Federated-login providers (Google, Discord, GitHub, GitLab, X/Twitter)Optional single-sign-on authentication chosen by the MemberUnited States and other regions; identity data such as email and profile name is processed
Discord, Inc.Optional community-server verification and role linkingUnited States and other regions

The current list of processors may change as the Service evolves; the Operator updates this Policy and gives notice when it adds or replaces a processor that handles personal information.

Article 7 (International Transfer of Personal Information)

1. Because certain processors are located overseas, the Operator transfers personal information abroad as necessary to operate the Service. The items transferred are those described in Article 2 that are needed for the relevant processor's task; the country of transfer is the processor's location stated in Article 6; the time and method of transfer is electronic transmission through the network in the course of providing the Service; and the retention period at the transferee is the period necessary for the entrusted task or as required by law. 2. The Operator takes the protective measures required by Article 28-8 of the PIPA and, for transfers from the European Economic Area or the United Kingdom, relies on an appropriate safeguard such as the European Commission's Standard Contractual Clauses, together with supplementary measures where necessary. 3. A data subject who does not wish to have personal information transferred abroad may refuse; however, because the core infrastructure of the Service is provided by overseas processors, such refusal may mean the data subject cannot use the Service, in which case the data subject may withdraw membership.

Article 8 (Cookies, Local Storage, and Similar Technologies)

The Operator uses cookies and browser storage that are necessary to maintain login sessions and to remember settings. It does not currently use third-party cookies for behavioral advertising; if it introduces such cookies in the future, it will amend this Policy and establish a prior-consent procedure. A Member may refuse storage through browser settings, but some functions, such as login, may then be restricted.

Name / typePurpose
Authentication session (local storage, set by the authentication SDK)Keeps the Member signed in and refreshes the session
Device-fingerprint cookie and local-storage fallbackRecognizes a trusted device to support two-factor and anti-fraud checks; retained up to one year
Preference storage (language, theme, accent)Remembers the Member's language, theme, and interface preferences
Session storage (e.g., rate-limiting and view-deduplication)Temporarily prevents repeated failed-login attempts and duplicate view counting during a session

Article 9 (Automated Decision-Making and Profiling)

1. The Operator operates a recommendation system that analyzes a Member's interaction signals and an interest profile to suggest papers, authors, and content that may be relevant. This constitutes profiling but is not used to make a decision that produces legal effects concerning the Member or similarly significantly affects the Member. 2. The Operator also uses automated tools for safety, such as banned-word screening and automated image moderation; a Member may request human review of, and may object to, the result of such automated processing. 3. Under Article 37-2 of the PIPA and Articles 21–22 of the GDPR, the Member may refuse or request an explanation of a fully automated decision that significantly affects the Member, and may request human intervention; the Operator handles such requests in accordance with law.

Article 10 (Processing of the Personal Information of Children Under 14 and Minors)

1. For a child under 14, the Operator obtains the consent of a legal representative at registration and, to verify it, collects the legal representative's name, relationship, and email and conducts email verification; it uses the information collected to verify consent only for that purpose and destroys it after the minimum period needed for evidence. 2. A legal representative may request access to, correction or deletion of, or suspension of processing of, the child's personal information, and may withdraw consent. 3. For minors aged 14 and over, the Operator provides age-appropriate protections and handles reports concerning minors with the highest priority, as detailed in the Community Guidelines. 4. For users outside Korea, the Operator applies COPPA (United States, under 13) and the GDPR children's provisions (European Economic Area and United Kingdom) where applicable, and does not knowingly collect personal information from a child below the applicable age without verifiable parental consent.

Article 11 (Rights of Data Subjects and Legal Representatives, and How to Exercise Them)

1. A data subject may, at any time, exercise the rights to access, correct, delete, and suspend the processing of their personal information, and to withdraw consent. Depending on the data subject's region, additional rights apply, including the rights to restriction, to data portability, to object, and to lodge a complaint with a supervisory authority (GDPR), and the rights to know, to delete, to correct, to opt out of sale or sharing, and to non-discrimination (California). 2. Rights may be exercised through the in-service settings menu, the one-to-one inquiry, or a written or email request to the privacy officer; the Operator acts without delay and, in principle, within the period required by law (for example, within 10 days under the PIPA, or within one month under the GDPR, extendable as permitted). 3. The rights of a child under 14 may be exercised by the child's legal representative. A request may be made through an authorized agent, in which case a power of attorney in the form prescribed by the applicable notification must be submitted. 4. The right to access or to suspend processing may be limited under Articles 35(4) and 37(2) of the PIPA and corresponding provisions of other law; deletion may not be requested where another statute requires the information to be collected. The Operator verifies the identity of a requester to protect the account, and does not charge a fee except where a request is manifestly unfounded or excessive, as permitted by law.

Article 12 (Right to Object and to Withdraw Consent)

Where the Operator processes personal information on the basis of a legitimate interest, the data subject may object on grounds relating to their particular situation, and the Operator ceases such processing unless it demonstrates compelling legitimate grounds that override the data subject's interests or the processing is necessary to establish, exercise, or defend legal claims. Where processing is based on consent, the data subject may withdraw consent at any time; withdrawal may limit the related service.

Article 13 (Measures to Ensure the Security of Personal Information)

The Operator takes the following measures pursuant to Article 29 of the PIPA and applicable law. 1. Managerial measures: establishment and implementation of an internal management plan; minimization and training of personnel who handle personal information; and access-rights management. 2. Technical measures: one-way encryption of passwords; encryption of data in transit (TLS); row-level access control in the database; offering of two-factor authentication, passkeys, and CAPTCHA; retention of access logs; and measures to prevent intrusion. 3. Physical measures: reliance on the physical access controls of the cloud data centers operated by the Operator's processors, under contractual supervision.

Article 14 (Notification of a Personal-Information Breach)

If a breach of personal information occurs, the Operator notifies affected data subjects and the competent authority without delay, in accordance with the PIPA and the Network Act (in principle, notification to data subjects and, where applicable, to the Personal Information Protection Commission or the Korea Internet & Security Agency), and, where the GDPR applies, notifies the competent supervisory authority within 72 hours where feasible and the affected data subjects where there is a high risk. The notice describes the items affected, the time and circumstances, the measures taken, and how the data subject may minimize harm.

Article 15 (Procedure and Method of Destruction)

1. When personal information becomes unnecessary — because the retention period has elapsed or the purpose has been achieved — the Operator destroys it without delay. 2. Information that must be retained under law is moved to a separate database or storage and destroyed without delay after the statutory period. 3. Information in electronic form is deleted by a technical method that prevents recovery, and printed documents are shredded or incinerated.

Article 16 (Processing of Pseudonymized Information)

The Operator may pseudonymize collected personal information so that a specific individual cannot be identified, and use it for statistics, scientific research, and archiving in the public interest. In such case, the Operator prohibits re-identification, separates and securely stores the pseudonymized information, and does not process information that could be used to identify a specific individual.

Article 17 (Privacy Officer and Grievance Handling)

The Operator designates the privacy officer and grievance-handling contact below. A data subject may direct any inquiry, complaint, or request for remedy relating to personal information arising from use of the Service to this contact, and the Operator will respond without delay.

ItemDetails
Privacy officerMETIS Operations Lead (admin@metis.re.kr)
Grievance-handling channelIn-service one-to-one inquiry → category 'Account / Personal information'
EU/UK representative (where required)Designated where Article 27 of the GDPR applies; contact provided on request

Article 18 (Remedies for Infringement of Rights)

A data subject may contact the following bodies for reporting, consultation, or relief: the Personal Information Infringement Report Center (118, without area code); the Personal Information Dispute Mediation Committee (1833-6972); the Supreme Prosecutors' Office (1301); and the National Police Agency (182). A data subject who is harmed by a disposition or omission of the Operator in connection with a request under Articles 35 to 37 of the PIPA may seek an administrative appeal under the Administrative Appeals Act. A data subject in the European Economic Area or the United Kingdom may lodge a complaint with their local data-protection supervisory authority.

Article 19 (Region-Specific Provisions)

1. European Economic Area and United Kingdom (GDPR/UK GDPR): the Operator is the controller; the legal bases are those stated in Article 3; data subjects have the rights of access, rectification, erasure, restriction, portability, and objection, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority; international transfers rely on the safeguards in Article 7. 2. California (CCPA/CPRA): the Operator does not sell or share personal information as those terms are defined; California residents have the rights to know, delete, correct, opt out, and not be discriminated against for exercising their rights, exercisable as described in Article 11. 3. Other jurisdictions: where local data-protection law grants a data subject additional rights, the Operator honors those rights to the extent required by that law.

Article 20 (Changes to this Privacy Policy)

1. This Policy applies from 1 January 2026; the Version 3.0 revision was announced on 16 June 2026 and applies from 16 July 2026 (a 30-day advance-notice period). 2. Where the Policy is added to, deleted from, or corrected, the Operator announces the change at least 7 days before it takes effect (at least 30 days before, for a material change), and obtains separate consent where a change to the items or purposes of collection has a material effect on a Member's rights. 3. A previous version of this Policy is available through the customer inquiry.

Language and Prevailing Version

This Policy is provided in multiple languages. The English version is the drafting reference; the Korean version is the legally governing version for operation in the Republic of Korea. Where a translation conflicts with the Korean version, the Korean version prevails, except to the extent the mandatory law of a data subject's country of residence requires otherwise.