Back

Privacy Policy

Double J Studio(hereinafter "Company"), the operator of the "Bloom Vocal" service (hereinafter "Service"), establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) of Korea to protect the personal information of data subjects and to handle related grievances promptly and smoothly.

1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes:

  1. Membership registration and management: Member identification, verification of intent to register, identity verification, prevention of fraudulent use
  2. AI voice coaching service: Voice recording analysis, AI coaching feedback generation, training curriculum provision, progress tracking
  3. Personalized training setup: Identification of user level and goals, vocal range measurement, personalized training plan creation
  4. Voice health management: Real-time symptom checks, risk assessment, health record management
  5. Service improvement: Usage statistics analysis, service quality enhancement
  6. Speech analysis service: Sentence and word pronunciation analysis, AI pronunciation evaluation and feedback
  7. AI vocal consultation service: AI answer generation for consultation inquiries, consultation conversation record management, personalized exercise recommendations
  8. Credit and subscription management: Credit balance management, subscription (Bloom Plus) billing and renewal management, top-up and deduction transaction records
  9. Referral program: Referral link generation and referral performance tracking

2. Items of Personal Information Processed

Personal information collection items and methods
CategoryItems CollectedCollection Method
Registration (required)Email, name, profile imageGoogle OAuth social login
Training profileAge range, experience level, training history, preferred genres, comfortable vocal range (low/high), passaggio awareness, training goals, weekly practice goal, preferred session duration, role model singers (optional)Direct input via in-service profile settings and vocal range measurement screens
Voice data (required)Voice recording files (MP3, M4A, WAV, WebM, OGG, FLAC)User upload
AI analysis resultsCoaching feedback, rubric scores, timestamped notesAutomatically generated by AI
Training recordsExercise logs, session records, progress metrics, milestonesAutomatically collected during service use
Voice health informationVoice health score, symptom recordsUser input and automatic assessment
Coaching session chat recordsConversation content exchanged between user and AI during coaching sessions (messages, roles, timestamps)Automatically collected during service use
Speech analysis dataAnalysis type, practice sentences, pronunciation category, scores, AI analysis resultsAutomatically generated by AI
AI consultation conversation recordsConsultation question and answer messages, entry context information (exercise code, scores, etc.), whether recommended exercises were viewedAutomatically collected during service use
Credit and transaction informationCredit balance, transaction history (type, amount, description)Automatically collected during service use
Referral informationReferral code, referral click count, referral signup countAutomatically collected during service use
Automatically collectedCookies, access logs, IP address, browser typeAutomatically collected during service use

3. Processing and Retention Period

The Company processes and retains personal information within the period prescribed by law or agreed upon with the data subject at the time of collection.

Personal information retention periods and legal basis
CategoryRetention PeriodBasis
Member account informationUntil membership withdrawalService agreement
Voice recording filesUntil membership withdrawal or individual deletion request (encrypted storage, accessible only by owner)Service provision
AI analysis results / training records / coaching session chat records / speech analysis results / AI consultation conversation recordsUntil membership withdrawalService provision
Voice health recordsUntil membership withdrawalService provision
Credit and transaction recordsUntil membership withdrawal (transaction records retained for 5 years per E-commerce Act)Service provision / E-commerce Act
Referral informationUntil membership withdrawalService provision
Access logs3 monthsProtection of Communications Secrets Act
E-commerce transaction records5 yearsAct on Consumer Protection in Electronic Commerce

4. Provision of Personal Information to Third Parties

In principle, the Company does not provide personal information to third parties. However, personal information may be provided in the following cases:

Personal information third-party provision details
RecipientPurposeItems ProvidedRetention Period
Google LLCMember authentication (OAuth)Email, name, profile imageUntil withdrawal or disconnection

5. Entrustment of Personal Information Processing

The Company entrusts personal information processing as follows for service provision:

Personal information processing entrustment details
TrusteeEntrusted Tasks
Google LLC (Gemini API)AI analysis of voice recordings, coaching feedback generation, speech analysis and evaluation, and AI vocal consultation answer generation (Gemini API). This is a separate engagement from member authentication (OAuth) and hosting (Cloud Run).
Supabase, Inc.Personal information database hosting and management (PostgreSQL cloud database)
Cloudflare, Inc.Voice recording file storage and management (R2 object storage with server-side encryption)
Polar Software Inc.Payment processing and Merchant of Record responsibilities (credit pack and subscription (Bloom Plus) sales, payment facilitation, global VAT/sales tax reporting and remittance, refund processing). Actual card payments are processed via Polar's underlying payment infrastructure, Stripe, Inc.
Google LLC (Google Cloud Platform)Application hosting and traffic processing (Google Cloud Run, container execution environment). This is a separate engagement from member authentication (OAuth).

The Company ensures that the trustee does not process personal information beyond the purpose of the entrusted tasks, and stipulates matters concerning personal information security management in the entrustment contract.

6. Cross-Border Transfer of Personal Information

The Company transfers personal information overseas as follows for service provision:

Personal information cross-border transfer details
RecipientCountryItems TransferredPurposeRetention Period
Google LLC (Gemini API)United StatesVoice recording files, AI consultation and coaching text dataAI voice analysis, coaching feedback generation, speech analysis and evaluation, AI consultation answer generationRetained for a limited period per Google's data retention policy after API processing, then destroyed (paid API data is not used for model training)
Google LLCUnited StatesEmail, name, profile imageMember authentication (OAuth)Until disconnection
Supabase, Inc.United StatesMember account data, training profile, AI analysis results, training records, coaching session chat records, speech analysis results, AI consultation conversation records, voice health records, credit transaction records, referral informationDatabase hosting and managementUntil membership withdrawal
Cloudflare, Inc.United StatesVoice recording filesVoice recording file storage and management (accessible only by the owner)Until membership withdrawal or individual deletion request
Polar Software Inc.United StatesEmail, name, payment-related information (card details handled directly by Stripe)Payment processing, Merchant of Record role, refund handling, global tax reportingUp to 7 years from transaction date (tax recordkeeping obligation)
Google LLC (Google Cloud Platform)United StatesAll personal information transmitted during service use (request and session data, IP address, cookies)Application hosting and traffic processing (Google Cloud Run)Until membership withdrawal (per-request data is ephemeral and cleared from memory after processing)

The Company takes protective measures in accordance with PIPA for cross-border transfers. Data subjects may refuse consent to cross-border transfers; however, refusal may limit the use of AI coaching services.

7. Destruction Procedures and Methods

  1. Destruction procedures: Personal information is destroyed without delay after the retention period expires or the processing purpose is achieved. If retention is required by law, the data is moved to a separate database and destroyed after the required period.
  2. Destruction methods: Electronic files are permanently deleted using methods that prevent recovery. Personal information printed on paper is shredded or incinerated.

8. Processing of Sensitive Information

The Company processes the following sensitive information:

Sensitive information items, purpose, and legal basis
Sensitive InformationPurposeLegal Basis
Voice recordings (may constitute biometric data)AI voice analysis and coaching feedbackSeparate consent from data subject
Voice health information (health-related data)Voice health management and risk assessmentSeparate consent from data subject

Separate consent is obtained for processing sensitive information, and data subjects may refuse such consent. However, refusal may limit the use of AI coaching analysis and voice health management services.

9. Automated Decision-Making

The Company uses AI to perform the following automated decisions:

Automated decision-making details and criteria
Automated DecisionCriteria and Procedures
AI voice analysis and coaching feedbackThe Google Gemini model analyzes voice recordings and generates feedback on breathing, pitch, tone, rhythm, and expression.
Training level assessment and curriculum recommendationBased on vocal range measurement results and profile information, the system determines beginner, intermediate, or advanced level and recommends a personalized curriculum.
Voice health risk assessmentBased on symptom information entered by the user, the system automatically evaluates risk level (none, low, medium, high, critical).

Data subjects may exercise the following rights regarding automated decisions:

  • Right to refuse automated decisions
  • Right to request an explanation of automated decisions
  • Right to request human intervention (review by a person) for automated decisions

To exercise these rights, please contact the Chief Privacy Officer listed below.

10. Rights and Obligations of Data Subjects

Data subjects may exercise the following personal information protection rights at any time:

  1. Request to access personal information
  2. Request to correct or delete personal information
  3. Request to suspend processing of personal information
  4. Request to withdraw consent
  5. Request to refuse automated decisions and request explanations

Rights may be exercised through the settings menu within the Service or via email. The Company shall take action without delay. When a data subject requests correction or deletion, the Company shall not use or provide the relevant personal information until the correction or deletion is completed.

For children under 14, legal representatives may request access, correction, deletion, or suspension of processing of the child's personal information.

11. Measures to Ensure Security of Personal Information

The Company takes the following measures to ensure the security of personal information:

  • Administrative measures: Establishment and implementation of internal management plans, minimization of personnel handling personal information, and training
  • Technical measures: Encryption (TLS for transmission, database encryption for storage), access control management, installation of security software
  • Physical measures: Access control for server rooms and data storage facilities

12. Cookies and Automatic Collection Devices

The Company uses cookies to store and retrieve user information.

  • Purpose of cookies: Maintaining login status, remembering language settings, analyzing service usage statistics
  • How to refuse cookies: Users can allow or block cookies through their web browser settings.
    • Chrome: Settings → Privacy and security → Cookies and other site data
    • Safari: Preferences → Privacy → Cookies and website data
    • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Note: Blocking cookies may restrict some services including login.

13. Chief Privacy Officer

The Company has designated the following Chief Privacy Officer to oversee personal information processing and handle data subject complaints and remedies:

Privacy Department

  • Name: Woojin Lee (이우진)
  • Email: doublejstudio21@gmail.com

Data subjects may contact the Chief Privacy Officer regarding any inquiries, complaints, or remedies related to personal information protection.

14. Remedies for Privacy Violations

Data subjects may apply for dispute resolution or consultation with the following organizations for remedies against privacy violations:

  • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
  • Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
  • Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
  • National Police Agency Cyber Bureau: 182 (ecrm.police.go.kr)

15. Changes to this Privacy Policy

This Privacy Policy may be amended in accordance with changes in laws and policies. Any amendments shall be announced through the Service notice board, and the amended policy shall take effect from the date of announcement.

Revision history:

  • Following infrastructure changes on May 14, 2026 (Supabase region migration and adoption of Google Cloud Run hosting), this Policy was amended effective May 18, 2026.
  • Amended on June 11, 2026: The entrustment, cross-border transfer, and automated decision-making sections were updated to reflect the change of AI analysis processor (OpenAI GPT-audio → Google Gemini API); processing purposes and items were added for the new AI vocal consultation service; and wording related to the discontinued onboarding process was tidied.

16. Effective Date

This Privacy Policy is effective as of June 11, 2026.