Privacy Policy
Article 1 (Purpose)
Flitto Inc. (hereinafter referred to as the "Company") processes and manages personal information in compliance with the Personal Information Protection Act and other applicable laws to safeguard the rights and freedoms of data subjects. Pursuant to Article 30 of the Personal Information Protection Act, the Company hereby establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for the processing and protection of personal information, and to facilitate prompt and effective handling of related grievances.
Unless otherwise defined herein, terms used in this Privacy Policy shall have the meanings set forth in the Service Terms of Use.
Article 2 (Purpose and Scope of Personal Information Processing)
1. Purposes of Processing
Member identification and account management: User authentication, account merging, account termination.
Service provision: Provision of real-time translation, quick chat, online meetings, and custom assistant features.
Payment processing: Subscription payments, refunds, error handling.
Service quality improvement: Enhancement of translation quality through anonymized chat logs and meeting summaries.
Customer support: Response to inquiries and service improvement.
Verification of parental consent for child members: Collection and processing of legal guardian information for children under 14 years of age, in accordance with the Personal Information Protection Act, to verify guardian consent.
2. Items of Personal Information Processed
Member identification and account management:
Email registration: Email address, password, nickname.
Social login: Email address, profile name (provided via OAuth).
Service provision and payment processing:
Subscription information: Subscription start date, cancellation date, renewal date, refund date, receipt PDF.
Payment information: Credit card information, payment amount, recurring payment/refund history.
Custom assistant information: User-defined fields including domain, role/purpose, and dataset.
Service quality improvement and customer support:
Chat logs: Text, audio, draft translations, and meeting summaries from quick chat and online meetings (retained in anonymized form for translation quality improvement for members only).
Inquiry records: Email address, inquiry content, and customer service response history (retained for a certain period for service improvement purposes).
Non-member guest service provision:
When participating via a host invitation link, only voice and language information are collected through a simplified consent process (“I agree” click). Such information is encrypted, used for translation, and destroyed immediately after the conversation.
No personally identifiable information is collected.
Child member and legal guardian information:
Child: Email address, password, nickname, date of birth (to verify under-14 status).
Legal guardian: Name, mobile phone number or email address, authentication results (if verified through an authentication agency), and consent status.
3. Methods of Collection
Personal information is collected through direct input or linkage during registration and login.
For children under 14, guardian information is collected through the consent procedure in conjunction with the child’s input during registration.
Article 3 (Retention and Use Period of Personal Information)
The Company processes and retains personal information within the periods prescribed by law or the periods consented to by data subjects at the time of collection.
Member information: Retained for 10 days after withdrawal (account recovery possible upon re-login), then permanently deleted.
Recurring payment/refund history: Retained for 5 years after withdrawal (to comply with applicable laws).
User inquiry history: Retained for 2 years after withdrawal.
Custom assistant information:
Domain, role/title: Destroyed immediately upon withdrawal.
Dataset input fields (nickname, dataset name, company, department/team, position/title): Destroyed immediately upon withdrawal.
LinkedIn input information: Destroyed 3 months after withdrawal.
Materials submitted via website links and files: Retained in anonymized form indefinitely for service quality improvement purposes.
Chat logs, voice data, and meeting summaries of members: Retained in anonymized form indefinitely for service quality improvement purposes.
Voice and language information of non-member guests: Encrypted and destroyed immediately after conversation.
Notwithstanding the above, personal information may be processed and retained for the following reasons until the corresponding reason or period ends:
Member service operation:
While investigations or inquiries are ongoing due to violations of related laws, until the conclusion of such investigations or inquiries.
For outstanding claims or debts arising from website usage, until settlement of such claims or debts.
Service provision and payment processing:
Records relating to contracts or withdrawal of subscription: 5 years (in accordance with Article 6, Paragraph 1, Subparagraph 2 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce).
Records relating to payment or supply of goods: 5 years (Article 6, Paragraph 1, Subparagraph 3).
Records relating to consumer complaints or dispute resolution: 3 years (Article 6, Paragraph 1, Subparagraph 4).
Records relating to advertisements: 6 months (Article 6, Paragraph 1, Subparagraph 1).
Article 4 (Destruction of Personal Information)
1. The Company shall promptly destroy personal information when such information becomes unnecessary due to the expiration of the retention period or achievement of the processing purpose.
The procedures and methods for destruction are as follows:
Personal identifying information (e.g., email, nickname, voice data identifiers) shall be permanently deleted from databases and backups 10 days after account withdrawal.
Payment and subscription information shall be deleted after the legally prescribed retention period.
Voice and language information of non-member guests shall be deleted immediately upon the termination of the conversation.
Electronic data shall be deleted in a manner that prevents recovery, and physical records shall be shredded.
Article 5 (Provision of Personal Information to Third Parties)
The Company shall not provide personal information to third parties without the consent of the data subject.
The Company may provide personal information to the following entities to the minimum extent necessary, with the consent of the data subject, in accordance with Article 17, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act, for the purpose of smooth service provision:
Recipient: Paddle.com Inc.
Purpose of provision: Payment processing
Legal basis: Article 28-8, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act
Items provided: Payment information (credit card information, payment amount, recurring payment/refund history)
Retention period: Up to 5 years after account withdrawal
Recipient: RevenueCat, Inc.
Purpose of provision: Payment processing
Legal basis: Article 28-8, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act
Items provided: Subscription information (subscription start date, cancellation date, renewal date, refund date, receipt PDF)
Retention period: Up to 5 years after account withdrawal
Notwithstanding the above, the Company may provide personal information to relevant authorities without consent under exceptional circumstances:
Legal basis: Article 18, Paragraph 2, Subparagraph 2 of the Personal Information Protection Act; Article 215 of the Criminal Procedure Act
Recipients: Competent police and prosecution authorities
Items provided: Information within the requested scope
Article 6 (International Transfer of Personal Information)
1. The Company transfers personal information collected from data subjects internationally as follows:
Recipient: Paddle.com Inc. (3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA)
Items transferred: Payment information (credit card information, last 4 digits; payment amount; recurring payment/refund history)
Purpose of use: Payment processing
Transfer countries: United States, EU
Timing and method of transfer: Each time a user uses the payment function, via remote transmission over an encrypted network (SSL)
Legal basis: Article 28-8, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act
Retention period: Up to 5 years after account withdrawal
Security measures: GDPR compliance, data encryption
Recipient: RevenueCat, Inc. (1032 E Brandon Blvd #3003 Brandon, Florida, 33511, USA)
Items transferred: Subscription information (subscription start date, cancellation date, renewal date, refund date, receipt PDF)
Purpose of use: Payment processing
Transfer countries: United States, EU
Timing and method of transfer: Upon user subscription registration, renewal, cancellation, or occurrence of payment, via remote transmission over an encrypted network (SSL)
Legal basis: Article 28-8, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act
Retention period: Up to 5 years after account withdrawal
Security measures: GDPR compliance, data encryption
Data subjects have the right to refuse consent to international transfers. In such cases, the use of recurring payments and paid services may be restricted. If a data subject does not wish to allow international transfers, they may withdraw from the service through the service website or request account withdrawal via customer support (ct.support@flitto.com).
Article 7 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the security of personal information:
Administrative Measures
Encryption: Personal information, including voice data and draft translations, is transmitted over TLS (HTTPS). Passwords and payment information are stored in encrypted form. Voice and language information of non-member guests is encrypted and destroyed immediately.
Physical Measures
Access Restrictions: Database access is managed according to the principle of least privilege. Onboarding data and chat records are accessible only to backend developers, the operations/CS team, and the Personal Information Protection Officer.
Technical Measures
Security Monitoring: Regular security checks are conducted at least once annually to detect anomalies in payment, subscription, and chat events.
Article 8 (Rights and Obligations of Data Subjects and Legal Guardians and How to Exercise Them)
Data subjects may request access, correction, deletion, suspension of processing, or withdrawal of consent regarding their personal information (“Exercise of Rights”). Non-member guests cannot exercise these rights as no personally identifiable information is collected.
For children under 14, rights must be exercised by their legal guardians. Minors aged 14 or older may exercise their rights directly or through their legal guardians.
Rights may be exercised through the Company’s customer support (ct.support@flitto.com) in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act. The Company shall process requests within 10 days and provide reasons in case of refusal.
Rights may also be exercised through an authorized representative, in which case a power of attorney in the format specified in the "Notice on Methods of Processing Personal Information" [Appendix 11] must be submitted.
The right to access and suspend processing may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
If other laws require the collection of certain personal information, deletion requests for such information may not be granted.
The Company shall verify whether the requester is the data subject or a duly authorized representative.
Article 9 (Compliance with Laws)
The Company processes personal information in compliance with applicable laws, including the Korean Personal Information Protection Act, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) in the United States.
Article 10 (Changes to the Privacy Policy)
Changes to this Policy shall be notified via the service interface or other means and shall apply to all members who have agreed to this Policy.
The Company may change the Policy in compliance with applicable laws. Notice must be provided at least 7 days prior to enforcement, or at least 30 days in advance in the case of changes unfavorable to members, via in-service notice or email.
If a user does not express objection by the enforcement date, they shall be deemed to have agreed to the changes. Objections may be submitted via customer support (ct.support@flitto.com).
In the case of unfavorable changes, users may explicitly accept or refuse. Service access may be restricted if consent is refused.
The amended Policy becomes effective on the enforcement date specified in the notice.
Article 11 (Personal Information Protection Officer)
The Company designates the following Personal Information Protection Officer to oversee personal information processing and respond to inquiries from data subjects:
Officer: Lee Jungsoo
Contact: ct.support@flitto.com
Data subjects may submit inquiries or requests regarding the processing of personal information, legal issues, or other related matters to the Personal Information Protection Officer.
The Company will respond within 3–5 business days.
Article 12 (Remedies for Infringement of Rights)
Data subjects may seek remedies for personal information infringements through the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center, or other relevant authorities.
Personal Information Dispute Mediation Committee: 1833-6972 (http://www.kopico.go.kr )
Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
Police Agency: 182 (http://ecrm.police.go.kr )
Effective Date and Announcement Date
Announcement Date: October 2, 2025
Effective Date: October 14, 2025
