Privacy Policy
Bloom Vocal (hereinafter "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) of Korea to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes:
- Membership registration and management: Member identification, verification of intent to register, identity verification, prevention of fraudulent use
- AI voice coaching service: Voice recording analysis, AI coaching feedback generation, training curriculum provision, progress tracking
- AI onboarding and personalization: Identification of user level and goals, baseline voice assessment, personalized training plan creation
- Voice health management: Real-time symptom checks, risk assessment, health record management
- Service improvement: Usage statistics analysis, service quality enhancement
2. Items of Personal Information Processed
| Category | Items Collected | Collection Method |
|---|---|---|
| Registration (required) | Email, name, profile image | Google OAuth social login |
| Onboarding profile (required) | Age range, experience level, gender (optional), voice classification, training goals | Direct input via AI conversation |
| Voice data (required) | Voice recording files (MP3, M4A, WAV, WebM, OGG, FLAC) | User upload |
| AI analysis results | Coaching feedback, rubric scores, timestamped notes | Automatically generated by AI |
| Training records | Exercise logs, session records, progress metrics, milestones | Automatically collected during service use |
| Voice health information | Symptom records, risk assessment results | User input and automatic assessment |
| Automatically collected | Cookies, access logs, IP address, browser type | Automatically collected during service use |
3. Processing and Retention Period
The Company processes and retains personal information within the period prescribed by law or agreed upon with the data subject at the time of collection.
| Category | Retention Period | Basis |
|---|---|---|
| Member account information | Until membership withdrawal | Service agreement |
| Voice recording files | Deleted immediately after AI analysis (not stored on server) | Data minimization principle |
| AI analysis results / training records | Until membership withdrawal | Service provision |
| Voice health records | Until membership withdrawal | Service provision |
| Access logs | 3 months | Protection of Communications Secrets Act |
| E-commerce transaction records | 5 years | Act on Consumer Protection in Electronic Commerce |
4. Provision of Personal Information to Third Parties
In principle, the Company does not provide personal information to third parties. However, personal information may be provided in the following cases:
| Recipient | Purpose | Items Provided | Retention Period |
|---|---|---|---|
| Google LLC | Member authentication (OAuth) | Email, name, profile image | Until withdrawal or disconnection |
5. Entrustment of Personal Information Processing
The Company entrusts personal information processing as follows for service provision:
| Trustee | Entrusted Tasks |
|---|---|
| OpenAI, Inc. | AI analysis of voice recordings and coaching feedback generation (GPT-audio API) |
The Company ensures that the trustee does not process personal information beyond the purpose of the entrusted tasks, and stipulates matters concerning personal information security management in the entrustment contract.
6. Cross-Border Transfer of Personal Information
The Company transfers personal information overseas as follows for service provision:
| Recipient | Country | Items Transferred | Purpose | Retention Period |
|---|---|---|---|---|
| OpenAI, Inc. | United States | Voice recording files | AI voice analysis and coaching feedback | Deleted immediately after API processing |
| Google LLC | United States | Email, name, profile image | Member authentication (OAuth) | Until disconnection |
The Company takes protective measures in accordance with PIPA for cross-border transfers. Data subjects may refuse consent to cross-border transfers; however, refusal may limit the use of AI coaching services.
7. Destruction Procedures and Methods
- Destruction procedures: Personal information is destroyed without delay after the retention period expires or the processing purpose is achieved. If retention is required by law, the data is moved to a separate database and destroyed after the required period.
- Destruction methods: Electronic files are permanently deleted using methods that prevent recovery. Personal information printed on paper is shredded or incinerated.
8. Processing of Sensitive Information
The Company processes the following sensitive information:
| Sensitive Information | Purpose | Legal Basis |
|---|---|---|
| Voice recordings (may constitute biometric data) | AI voice analysis and coaching feedback | Separate consent from data subject |
| Voice health information (health-related data) | Voice health management and risk assessment | Separate consent from data subject |
Separate consent is obtained for processing sensitive information, and data subjects may refuse such consent. However, refusal may limit the use of AI coaching analysis and voice health management services.
9. Automated Decision-Making
The Company uses AI to perform the following automated decisions:
| Automated Decision | Criteria and Procedures |
|---|---|
| AI voice analysis and coaching feedback | The OpenAI GPT-audio model analyzes voice recordings and generates feedback on breathing, pitch, tone, rhythm, and expression. |
| Training level assessment and curriculum recommendation | Based on voice assessment results and profile information from onboarding, the system determines beginner, intermediate, or advanced level and recommends a personalized curriculum. |
| Voice health risk assessment | Based on symptom information entered by the user, the system automatically evaluates risk level (none, low, medium, high, critical). |
Data subjects may exercise the following rights regarding automated decisions:
- Right to refuse automated decisions
- Right to request an explanation of automated decisions
- Right to request human intervention (review by a person) for automated decisions
To exercise these rights, please contact the Chief Privacy Officer listed below.
10. Rights and Obligations of Data Subjects
Data subjects may exercise the following personal information protection rights at any time:
- Request to access personal information
- Request to correct or delete personal information
- Request to suspend processing of personal information
- Request to withdraw consent
- Request to refuse automated decisions and request explanations
Rights may be exercised through the settings menu within the Service or via email. The Company shall take action without delay. When a data subject requests correction or deletion, the Company shall not use or provide the relevant personal information until the correction or deletion is completed.
For children under 14, legal representatives may request access, correction, deletion, or suspension of processing of the child's personal information.
11. Measures to Ensure Security of Personal Information
The Company takes the following measures to ensure the security of personal information:
- Administrative measures: Establishment and implementation of internal management plans, minimization of personnel handling personal information, and training
- Technical measures: Encryption (TLS for transmission, database encryption for storage), access control management, installation of security software
- Physical measures: Access control for server rooms and data storage facilities
12. Cookies and Automatic Collection Devices
The Company uses cookies to store and retrieve user information.
- Purpose of cookies: Maintaining login status, remembering language settings, analyzing service usage statistics
- How to refuse cookies: Users can allow or block cookies through their web browser settings.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Cookies and website data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Note: Blocking cookies may restrict some services including login.
13. Chief Privacy Officer
The Company has designated the following Chief Privacy Officer to oversee personal information processing and handle data subject complaints and remedies:
Privacy Department
- Department: Privacy Department
- Email: doublejstudio21@gmail.com
Data subjects may contact the Chief Privacy Officer regarding any inquiries, complaints, or remedies related to personal information protection.
14. Remedies for Privacy Violations
Data subjects may apply for dispute resolution or consultation with the following organizations for remedies against privacy violations:
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
- National Police Agency Cyber Bureau: 182 (ecrm.police.go.kr)
15. Changes to this Privacy Policy
This Privacy Policy may be amended in accordance with changes in laws and policies. Any amendments shall be announced through the Service notice board, and the amended policy shall take effect from the date of announcement.
16. Effective Date
This Privacy Policy is effective as of March 1, 2026.