Privacy Policy
Article 1 (Purpose)
Flitto Inc. (hereinafter referred to as the “Company”) processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. Accordingly, pursuant to Article 30 of the 「Personal Information Protection Act」, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for processing and protecting personal information, and to ensure prompt and smooth resolution of related grievances.
※ Unless otherwise defined, terms used in this policy follow the definitions set forth in the ‘Terms of Service’.
Article 2 (Items of personal information processed, purpose, and retention period)
The Company collects the minimum necessary personal information as listed below to provide various services.
Use of personal information is deemed to be consented to upon membership registration. Failure to consent may make membership registration and smooth service use difficult.
Personal information is collected through information directly entered or linked by the user during the membership registration and service usage process.
Processing Items | Details | Purpose | Processing and Retention Period | Legal Basis |
|---|---|---|---|---|
Member Information | - Email Sign-up: Email address, Password, Nickname - Social Login: Email address, Profile name (provided by OAuth) | Membership Registration and Service Provision | Up to 10 days after withdrawal (re-login recovery possible), then permanently deleted | Personal Information Protection Act Article 15 Paragraph 1 Item 4 (Contract Performance) |
Subscription and Payment/Refund History | - Subscription Information: Subscription start date, cancellation date, renewal date, refund date, receipt PDF - Payment Information: Credit card details, payment amount, recurring payment/refund history - Custom Assistant Information: User-defined fields, job/purpose, dataset | Recurring Payment/Refund Processing | Up to 5 years after withdrawal (in compliance with laws and regulations) | Article 6 of the Enforcement Decree of the Electronic Commerce Act |
Conversation History | Voice recordings, transcribed text, translation drafts, and meeting summary notes generated during quick chats and online meetings | Service Provision and Service Quality Improvement | Permanently stored after anonymization, exclusively for members | Personal Information Protection Act Article 58-2 (Exceptions to Application) |
Custom Assistant Input and Storage Items
| Name, English name, field of use, keywords, custom material links (including keywords generated from URLs such as LinkedIn profiles/YouTube/websites), uploaded files | Applied to dataset creation and translation | Immediately destroyed upon withdrawal (LinkedIn: destroyed after 3 months) | Personal Information Protection Act Article 15 Paragraph 1 Item 1 (Consent of the Data Subject) |
Inquiry Details | Inquiry and customer service handling records, personal information provided by the inquirer (contact information, email address, etc.) | Handling user inquiries | Up to 2 years after withdrawal | Article 6, Paragraph 1, Item 4 of the Enforcement Decree of the Electronic Commerce Act |
Non-Member Guest Voice and Language Information | Voice and language information (no personally identifiable information is collected) | Providing services to non-members | Used for encrypted conversation transcription and translation, immediately destroyed upon conversation end | Personal Information Protection Act Article 15 Paragraph 1 Item 4 (Contract Performance) |
However, personal information will be processed and retained until the relevant reason or period ends in the following cases:
Member Service Operation
Until the conclusion of any ongoing investigation or inquiry due to violation of relevant laws and regulations
Until the settlement of any outstanding creditor-debtor relationship arising from website use
Service Provision and Payment Processing
Records related to contracts or withdrawal of subscription: 5 years (Article 6, Paragraph 1, Item 2 of the Enforcement Decree of the Consumer Protection Act in Electronic Commerce, etc.)
Records related to payment settlement and supply of goods, etc.: 5 years (Article 6, Paragraph 1, Item 3 of the Enforcement Decree of the Consumer Protection Act in Electronic Commerce, etc.)
Records related to consumer complaints or dispute resolution: 3 years (Article 6, Paragraph 1, Item 4 of the Enforcement Decree of the Consumer Protection Act in Electronic Commerce, etc.)
Records related to labeling and advertising: 6 months (Article 6, Paragraph 1, Item 1 of the Enforcement Decree of the Consumer Protection Act in Electronic Commerce, etc.)
Article 3 (Destruction of Personal Information)
The Company shall promptly destroy personal information when it is no longer necessary, such as upon expiration of the retention period or achievement of the processing purpose.
The procedures and methods for destroying personal information are as follows:
After 10 days following withdrawal, personal identification information (email, nickname, voice data identification information, etc.) is completely deleted from the database and backups.
Payment/subscription information is deleted after the legal retention period.
Voice and language information of non-member guests is deleted immediately upon conversation termination.
Electronic data is deleted in an unrecoverable manner; physical records are shredded.
Article 4 (Entrustment of Personal Information Processing and Cross-Border Transfer)
Pursuant to Article 26 (Restrictions on Processing Personal Information under Business Entrustment) and Article 28-8 (Cross-Border Transfer of Personal Information) of the Personal Information Protection Act, the Company entrusts the processing of personal information as follows to fulfill the service use agreement with the data subject and enhance convenience.
Entrusted Company | Content of Entrusted Tasks | Items Entrusted/Transferred | Country of Transfer / Timing and Method | Retention and Use Period | Security Measures |
|---|---|---|---|---|---|
Paddle, Inc. | Payment Processing | Payment information (credit card details, payment amount, recurring payment/refund history) | United States, EU / Remote transmission via encrypted communication network (SSL) each time the user uses the payment function | Up to 5 years after account termination | GDPR compliance, data encryption |
RevenueCat, Inc. | Payment Processing | Subscription Information (Subscription start date, cancellation date, renewal date, refund date, receipt PDF) | United States, EU / When a user registers, renews, or cancels a subscription, or when a payment transaction occurs, transmitted remotely via an encrypted network (SSL) | Up to 5 years after account termination | GDPR compliance, data encryption |
Amazon Web Services, Inc. | IT infrastructure operation for service provision, cloud server management, and data storage | Service usage records, membership registration information (email, etc.), log data, and device information | United States (however, actual data storage is located in the AWS Seoul Region) / Remote transmission via encrypted communication networks (HTTPS/TLS) at the time of service use | Until account deletion or termination of the outsourcing contract | Compliance with ISO 27001/27017/27018 and SOC 1/2/3 certifications, data encryption |
Zendesk, Inc. | Providing customer consultation responses, CS history management, and technical support services | Consultation inquiry details (inquiry content, attachments, etc.), email address, service usage records | USA, etc. / Remote transmission via encrypted communication network (SSL/TLS) at the time of consultation inquiry | Until account deletion or termination of the outsourcing contract | Compliance with SOC 2 Type II and ISO 27001 certification, data access control and encryption |
The company may exceptionally provide personal information to relevant authorities without the data subject's consent in the following cases.
Legal Basis: Article 18(2)(2) of the Personal Information Protection Act, Article 215 of the Criminal Procedure Act
Recipient: Competent police agency, public prosecutor's office
Items Provided: Information within the scope of the request
Article 5 (Matters Concerning the Collection, Use, and Refusal of Behavioral Information)
The Company directly collects and uses users' ‘behavioral information’ to provide optimized personalized services, benefits, and online tailored advertisements during the service usage process.
Advertising Business Operator Collecting and Processing Behavioral Information | Google (Analytics, Firebase) |
Items of Behavioral Information Collected | - Advertising Identifier: A randomly assigned ‘Device ID’ on the mobile device (referred to as AAID (Advertising ID) on Android OS and IDFA (Identifier for Advertisers) on iOS) |
Collection Method | Automatically collected and transmitted when the user launches and uses the app |
Purpose of Collection | - Providing personalized advertising based on user interests, |
Matters concerning retention, use, and disposal of behavioral information | Collected behavioral information is retained and used for up to 2 months from the collection date, depending on the settings of the service analysis solution. After this period, it is automatically deleted by the system. For details, please refer to the privacy policy (https://policies.google.com/privacy)and data retention guidelines (https://support.google.com/analytics/answer/7667196?hl=en&sjid=2278585397756242995-NC) of the advertising provider (Google). |
Advertising Business Operator Collecting and Processing Behavioral Information | Microsoft (Clarity.ms) |
Items of Behavioral Information Collected | How Users Interact with the Website |
Collection Method | Real-time automatic collection using cookies when users access and use the website |
Purpose of Collection | Improving usability and providing customized services to users |
Matters concerning retention, use, and disposal of behavioral information | The collected behavioral information is retained and used for the periods specified below for each type of information, depending on the settings of the service analytics solution. After the respective period expires, it is automatically destroyed by the system. For details, please refer to the data retention policy of the advertising provider (Microsoft) (https://learn.microsoft.com/en-us/clarity/setup-and-installation/data-retention). - Click Data: 13 months (Data viewable in the Clarity portal, URLs, user IDs, pointer movement distance, and other aggregated data per website page) |
The above behavioral information is automatically generated and collected based on cookies. Users have the option to manage cookies and can refuse cookie collection or delete collected cookies via their web browser or mobile device.
Blocking and deletion methods vary by platform as listed below, and may differ depending on the platform version.
Other web browsers not listed (e.g., Firefox, Opera, etc.) also provide cookie settings functionality.
Platform Type | Blocking Method (Path) |
|---|---|
Chrome | [Delete] Web browser settings > Privacy and security > Clear browsing data |
Edge | [Delete] Web browser settings > Cookies and site permissions > Manage and delete cookies and site data |
Safari | [Block] Settings > ‘Cross-site tracking prevention’ and 'Block all cookies' |
Android | [Block] Settings > Security & Privacy > Other Privacy Settings > Turn off ‘Android Personalized Services’ (Switch to Off) [Delete] Settings > Security & Privacy > Other Privacy Settings > Ads > Delete Advertising ID |
iOS | [Block] Settings > Privacy > Apple Advertising > Turn off ‘Personalized Ads’ switch |
c. When using a web browser (PC/Mobile), access the following path to use the service in an environment that does not allow cookie collection.
Platform Type | Blocking Method (Path) |
|---|---|
Chrome | Select the ‘⋮’ icon in the top-right corner of the web browser > New Incognito Window |
Edge | Select the ‘⋮’ icon in the top-right corner of the web browser > New InPrivate Window |
Chrome (Mobile Web) | Select the ‘⋮’ icon in the top-right corner of the mobile browser > New Incognito Tab |
Safari (Mobile Web) | Mobile device Settings > Safari > Advanced > ‘Block All Cookies’ |
Samsung Internet (Mobile Web) | Tap the ‘Tabs’ icon at the bottom of the mobile browser > Turn on Incognito Mode > Start |
Article 6 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the security of personal information.
Administrative Measures
Encryption: Personal information (including voice data and translation drafts) is transmitted via TLS (HTTPS), and passwords and payment information are stored in encrypted form. Voice and language information from non-member guests is encrypted and immediately destroyed after processing.
Physical Measures
Access Restriction: Database access is managed under the principle of least privilege. Onboarding data and conversation records are accessible only to backend developers, operations/CS teams, and the Personal Information Protection Officer.
Technical Measures
Security Monitoring: Regular security audits conducted at least once a year detect anomalies in payment/subscription/conversation events.
Article 7 (Rights, Obligations, and Exercise Methods of Data Subjects and Legal Representatives)
Data subjects may request the Company to access, correct, delete, suspend processing, or withdraw consent for their personal information (hereinafter “exercise rights”) when necessary. However, non-member guests cannot exercise these rights as their personally identifiable information is not collected.
The Company does not collect personal information from children under the age of 14.
Exercise of rights may be made to the Company through the Customer Center (ct.support@flitto.com) in accordance with Article 41(1) of the Enforcement Decree of the 「Personal Information Protection Act」. The Company must process the request within 10 days after the data subject exercises their rights and must provide reasons if the request is denied.
Rights may also be exercised through an agent, such as the data subject's legal representative or an authorized delegate. In such cases, a power of attorney in the format specified in [Appendix 11] of the “Notice on Personal Information Processing Methods” must be submitted.
The data subject's right to request access to personal information and suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
If other laws or regulations explicitly designate such personal information as subject to collection, deletion of that personal information cannot be requested.
The company verifies whether the person exercising the rights is the data subject themselves or a legitimate representative.
Article 8 (Compliance with Laws and Regulations)
The Company processes personal information in compliance with relevant laws and regulations, including the Korean Personal Information Protection Act, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
Article 9 (Changes to the Privacy Policy)
The contents of this policy shall be posted on the service screen or notified by other means, and shall take effect for all members who have agreed to this policy.
The Company may change the policy in compliance with relevant laws and regulations. When making changes, the Company must notify members via an in-service notice or email at least 7 days prior to the effective date. Changes unfavorable to members must be notified 30 days in advance.
After the Company notifies changes pursuant to this clause, if the user does not express refusal by the effective date, it shall be deemed that the user has consented to the changes. Refusal may be expressed through the Customer Center (ct.support@flitto.com).
In the case of unfavorable changes, the user may explicitly choose whether to consent. Service use may be restricted if consent is refused.
The amended terms shall be notified in accordance with Paragraph 1 and shall take effect from the effective date.
Article 10 (Chief Privacy Officer & Responsible Personnel)
The Company has designated a Personal Information Protection Officer as follows to oversee all matters related to personal information processing and to resolve inquiries from data subjects concerning personal information processing.
Chief Privacy Officer
Department: Personal Information Management Team
Name: Lee Jeong-su
Position: CEO
Contact: ct.support@flitto.comPersonal Information Protection Officer
Department: Personal Information Management Team
Officer: Kim Jin-gu
Contact: help@flitto.com
Data subjects may contact the Personal Information Protection Officer regarding all inquiries related to personal information protection arising from the use of the Company's services, including the receipt and processing of such inquiries and legal issues.
The company will respond to data subjects' inquiries within 3 to 5 business days.
Article 11 (Remedies for Infringement of Rights)
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, or similar bodies to seek redress for personal information infringements. For other reports or consultations regarding personal information infringement, please contact the following institutions:
Personal Information Dispute Mediation Committee: (Without an area code) 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Reporting Center: (Without an area code) 118 (privacy.kisa.or.kr)
National Police Agency: (Without an area code) 182 (http://ecrm.police.go.kr )
Announcement Date and Effective Date
Announcement Date: February 10, 2026
Effective Date: February 17, 2026
