Privacy Policy
Bloom Vocal (hereinafter "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) of Korea to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes:
- Membership registration and management: Member identification, verification of intent to register, identity verification, prevention of fraudulent use
- AI voice coaching service: Voice recording analysis, AI coaching feedback generation, training curriculum provision, progress tracking
- AI onboarding and personalization: Identification of user level and goals, baseline voice assessment, personalized training plan creation
- Voice health management: Real-time symptom checks, risk assessment, health record management
- Service improvement: Usage statistics analysis, service quality enhancement
- Speech analysis service: Sentence and word pronunciation analysis, AI pronunciation evaluation and feedback
- Credit management: Credit balance management, top-up and deduction transaction records
- Referral program: Referral link generation and referral performance tracking
2. Items of Personal Information Processed
| Category | Items Collected | Collection Method |
|---|---|---|
| Registration (required) | Email, name, profile image | Google OAuth social login |
| Onboarding profile (required) | Age range, experience level, training history, preferred genres, comfortable vocal range (low/high), passaggio awareness, training goals, weekly practice goal, preferred session duration, role model singers (optional) | Direct input via onboarding interface |
| Voice data (required) | Voice recording files (MP3, M4A, WAV, WebM, OGG, FLAC) | User upload |
| AI analysis results | Coaching feedback, rubric scores, timestamped notes | Automatically generated by AI |
| Training records | Exercise logs, session records, progress metrics, milestones | Automatically collected during service use |
| Voice health information | Voice health score, symptom records | User input and automatic assessment |
| Coaching session chat records | Conversation content exchanged between user and AI during coaching sessions (messages, roles, timestamps) | Automatically collected during service use |
| Speech analysis data | Analysis type, practice sentences, pronunciation category, scores, AI analysis results | Automatically generated by AI |
| Credit and transaction information | Credit balance, transaction history (type, amount, description) | Automatically collected during service use |
| Referral information | Referral code, referral click count, referral signup count | Automatically collected during service use |
| Automatically collected | Cookies, access logs, IP address, browser type | Automatically collected during service use |
3. Processing and Retention Period
The Company processes and retains personal information within the period prescribed by law or agreed upon with the data subject at the time of collection.
| Category | Retention Period | Basis |
|---|---|---|
| Member account information | Until membership withdrawal | Service agreement |
| Voice recording files | Deleted immediately after AI analysis (not stored on server) | Data minimization principle |
| AI analysis results / training records / coaching session chat records / speech analysis results | Until membership withdrawal | Service provision |
| Voice health records | Until membership withdrawal | Service provision |
| Credit and transaction records | Until membership withdrawal (transaction records retained for 5 years per E-commerce Act) | Service provision / E-commerce Act |
| Referral information | Until membership withdrawal | Service provision |
| Access logs | 3 months | Protection of Communications Secrets Act |
| E-commerce transaction records | 5 years | Act on Consumer Protection in Electronic Commerce |
4. Provision of Personal Information to Third Parties
In principle, the Company does not provide personal information to third parties. However, personal information may be provided in the following cases:
| Recipient | Purpose | Items Provided | Retention Period |
|---|---|---|---|
| Google LLC | Member authentication (OAuth) | Email, name, profile image | Until withdrawal or disconnection |
5. Entrustment of Personal Information Processing
The Company entrusts personal information processing as follows for service provision:
| Trustee | Entrusted Tasks |
|---|---|
| OpenAI, Inc. | AI analysis of voice recordings, coaching feedback generation, and speech analysis and evaluation (GPT-audio API) |
| Supabase, Inc. | Personal information database hosting and management (PostgreSQL cloud database) |
The Company ensures that the trustee does not process personal information beyond the purpose of the entrusted tasks, and stipulates matters concerning personal information security management in the entrustment contract.
6. Cross-Border Transfer of Personal Information
The Company transfers personal information overseas as follows for service provision:
| Recipient | Country | Items Transferred | Purpose | Retention Period |
|---|---|---|---|---|
| OpenAI, Inc. | United States | Voice recording files | AI voice analysis, coaching feedback, and speech analysis and evaluation | Deleted immediately after API processing |
| Google LLC | United States | Email, name, profile image | Member authentication (OAuth) | Until disconnection |
| Supabase, Inc. | United States | Member account data, onboarding profile, AI analysis results, training records, coaching session chat records, speech analysis results, voice health records, credit transaction records, referral information | Database hosting and management | Until membership withdrawal |
The Company takes protective measures in accordance with PIPA for cross-border transfers. Data subjects may refuse consent to cross-border transfers; however, refusal may limit the use of AI coaching services.
7. Destruction Procedures and Methods
- Destruction procedures: Personal information is destroyed without delay after the retention period expires or the processing purpose is achieved. If retention is required by law, the data is moved to a separate database and destroyed after the required period.
- Destruction methods: Electronic files are permanently deleted using methods that prevent recovery. Personal information printed on paper is shredded or incinerated.
8. Processing of Sensitive Information
The Company processes the following sensitive information:
| Sensitive Information | Purpose | Legal Basis |
|---|---|---|
| Voice recordings (may constitute biometric data) | AI voice analysis and coaching feedback | Separate consent from data subject |
| Voice health information (health-related data) | Voice health management and risk assessment | Separate consent from data subject |
Separate consent is obtained for processing sensitive information, and data subjects may refuse such consent. However, refusal may limit the use of AI coaching analysis and voice health management services.
9. Automated Decision-Making
The Company uses AI to perform the following automated decisions:
| Automated Decision | Criteria and Procedures |
|---|---|
| AI voice analysis and coaching feedback | The OpenAI GPT-audio model analyzes voice recordings and generates feedback on breathing, pitch, tone, rhythm, and expression. |
| Training level assessment and curriculum recommendation | Based on voice assessment results and profile information from onboarding, the system determines beginner, intermediate, or advanced level and recommends a personalized curriculum. |
| Voice health risk assessment | Based on symptom information entered by the user, the system automatically evaluates risk level (none, low, medium, high, critical). |
Data subjects may exercise the following rights regarding automated decisions:
- Right to refuse automated decisions
- Right to request an explanation of automated decisions
- Right to request human intervention (review by a person) for automated decisions
To exercise these rights, please contact the Chief Privacy Officer listed below.
10. Rights and Obligations of Data Subjects
Data subjects may exercise the following personal information protection rights at any time:
- Request to access personal information
- Request to correct or delete personal information
- Request to suspend processing of personal information
- Request to withdraw consent
- Request to refuse automated decisions and request explanations
Rights may be exercised through the settings menu within the Service or via email. The Company shall take action without delay. When a data subject requests correction or deletion, the Company shall not use or provide the relevant personal information until the correction or deletion is completed.
For children under 14, legal representatives may request access, correction, deletion, or suspension of processing of the child's personal information.
11. Measures to Ensure Security of Personal Information
The Company takes the following measures to ensure the security of personal information:
- Administrative measures: Establishment and implementation of internal management plans, minimization of personnel handling personal information, and training
- Technical measures: Encryption (TLS for transmission, database encryption for storage), access control management, installation of security software
- Physical measures: Access control for server rooms and data storage facilities
12. Cookies and Automatic Collection Devices
The Company uses cookies to store and retrieve user information.
- Purpose of cookies: Maintaining login status, remembering language settings, analyzing service usage statistics
- How to refuse cookies: Users can allow or block cookies through their web browser settings.
  - Chrome: Settings → Privacy and security → Cookies and other site data
  - Safari: Preferences → Privacy → Cookies and website data
  - Firefox: Settings → Privacy & Security → Cookies and Site Data
- Note: Blocking cookies may restrict some services including login.
13. Chief Privacy Officer
The Company has designated the following Chief Privacy Officer to oversee personal information processing and handle data subject complaints and remedies:
Privacy Department
- Department: Privacy Department
- Email: doublejstudio21@gmail.com
Data subjects may contact the Chief Privacy Officer regarding any inquiries, complaints, or remedies related to personal information protection.
14. Remedies for Privacy Violations
Data subjects may apply for dispute resolution or consultation with the following organizations for remedies against privacy violations:
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
- National Police Agency Cyber Bureau: 182 (ecrm.police.go.kr)
15. Changes to this Privacy Policy
This Privacy Policy may be amended in accordance with changes in laws and policies. Any amendments shall be announced through the Service notice board, and the amended policy shall take effect from the date of announcement.
16. Effective Date
This Privacy Policy is effective as of March 3, 2026.