Speak freely while Tiro captures every detail.
Privacy Policy
Effective Date: August 24, 2025
Last Revised: August 24, 2025
ThePlato Co., Ltd. ("Company") respects the freedom and rights of users and complies with the Personal Information Protection Act of Korea and all other applicable data protection laws. We are committed to processing personal information in a transparent and secure manner. In accordance with Article 30 of the Personal Information Protection Act, the Company has established this Privacy Policy to inform users (data subjects) of how their personal information is handled and to address any related grievances promptly and effectively.
I. Purpose of Collection, Items Collected, and Retention Period of Personal Information
The Company collects and uses the minimum personal information necessary to provide the Service, and does not use personal data for purposes beyond those stated. If the purposes for processing personal information change, the Company will obtain the user's consent in advance as required by Article 18 of the Personal Information Protection Act.
1. Personal Information Collected with User Consent
The Company processes the following personal information based on user consent:
Purpose of Collection | Items Collected | Retention and Use Period | Legal Basis |
---|---|---|---|
Account registration and Service use | Required: Email address, SNS account integration (Apple/Google), name, contact information; Optional: User ID, password, date of birth, gender, profile photo | Until membership withdrawal or as required by applicable law | Personal Information Protection Act Article 15(1)(1) |
Service usage records management | Access logs, access IP, service usage and suspension records, cookies | 3 months (Communications Privacy Protection Act) or until membership withdrawal | Personal Information Protection Act Article 15(1)(1) |
Device information-based optimization | MAC address, browser information, device model, OS, advertising ID, etc. | Until membership withdrawal | Personal Information Protection Act Article 15(1)(1) |
External service integration (optional) | Google Calendar events, Notion documents, Slack messages, Confluence information, etc. | Until integration is removed or membership withdrawal | Personal Information Protection Act Article 15(1)(1) |
Important Notice Regarding Sensitive Content: During service provision, the Company may process content containing sensitive information such as voice recordings, video, and system sound that users directly upload or input.
The Company does not use such information for AI training, model improvement, marketing, or any other secondary purposes whatsoever. Except when specifically requested by users through customer service, the Company does not manually review or access such files.
Additionally, voice data is immediately and irreversibly destroyed after processing, and all conversation records and related content are encrypted with AES-256 using individual keys for each user.
Users are responsible for obtaining necessary consent in accordance with relevant laws when uploading files or using recording features that contain sensitive information such as others' voices or meeting content.
2. Information Retained as Required by Law
Data Type | Retention Period | Legal Basis |
---|---|---|
Contract, cancellation, payment, and goods supply records | 5 years | Act on Consumer Protection in Electronic Commerce, etc. |
Consumer complaint and dispute resolution records | 3 years | Same as above |
Advertisement and labeling records | 6 months | Same as above |
Access logs (IP, etc.) | 3 months | Communications Privacy Protection Act Article 15-2 |
II. Provision of Personal Information to Third Parties
The Company does not provide personal information to third parties in principle. However, exceptions may be made in the following cases:
- When separate consent from the data subject has been obtained
- When provision is required by law
- When there is imminent danger to the life, body, or property of the data subject or third parties
The Company does not currently provide personal information to third parties. Should provision become necessary in the future, the Company will notify data subjects in advance and obtain consent.
III. Outsourcing of Personal Information Processing
The Company outsources personal information processing tasks to external parties for service provision.
Entrusted Processor | Outsourced Task |
---|---|
Google LLC | Statistical analysis (Google Analytics, Firebase) |
PostHog | Statistical analysis |
Appsflyer | User acquisition channel analysis |
AssemblyAI, Inc. | Service operation support |
OpenAI OpCo, LLC | Service operation support |
Stripe, Inc. | Payment service provision |
Amazon Web Services, Inc. | Server operation and storage, encryption key management (KMS) |
Chequer, Inc. (QueryPie) | Database access auditing and log management |
When contracting with processors, the Company clearly specifies management and supervision of processors, restrictions on re-outsourcing, and technical protection measure obligations in accordance with Article 26 of the Personal Information Protection Act, and periodically inspects whether processors handle personal information securely.
IV. International Transfer of Personal Information
The Company transfers personal information overseas as follows for service operation:
Processor | Country | Transfer Time and Method | Contact | Items | Purpose | Retention Period |
---|---|---|---|---|---|---|
Amazon Web Services, Inc. | United States | Server transmission during service use | aws-korea-privacy@amazon.com | Email, device info, logs, call data, etc. | Server operation and storage | Until entrustment contract termination |
Google LLC | United States | Automatic transmission via server | googlekrsupport@google.com | Email, device info, logs, etc. | Server operation and storage | Until entrustment contract termination |
AssemblyAI, Inc. | United States | Automatic transmission via server | support@assemblyai.com | Voice and video data | Service provision | Until entrustment contract termination |
OpenAI OpCo, LLC | United States | Automatic transmission via server | privacy@openai.com | Voice and video data | Service provision | Until entrustment contract termination |
If you do not wish your personal information to be transferred internationally, you may disconnect external service integrations or withdraw membership.
V. Personal Information Destruction Procedures and Methods
The Company destroys information without delay when the personal information retention period expires or processing purposes are achieved.
- Electronic files: Deletion using technically irreversible methods (e.g., permanent database deletion and overwriting)
- Paper documents: Shredding or incineration
Information requiring separate retention under relevant laws is stored separately and securely from other information. Additionally, upon user request or withdrawal, related data (notes, paragraphs, context, audio, etc.) is immediately and irreversibly deleted, and logs are retained for at least one year before destruction.
VI. Rights and Obligations of Data Subjects and Legal Representatives and Exercise Methods
Data subjects may exercise the following rights at any time:
- Request for personal information access
- Request for correction in case of errors
- Request for deletion
- Request for processing suspension
These rights may be exercised through the [My Information] menu on the website, or through written communication or email.
The Company does not collect personal information from children under 14 years of age and does not operate date of birth verification or legal representative consent procedures; service use is therefore restricted for those under 14. If registration by a child under 14 is confirmed, the account will be immediately deleted.
VII. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices
The Company may operate automatic collection devices including cookies for service provision.
- Collection items: Service usage records, access logs, device information, etc.
- Collection purpose: Customized service provision, security maintenance, statistical analysis, etc.
Data subjects may refuse or delete cookie storage through web browser settings.
VIII. Collection, Use, and Rejection of Behavioral Information
The Company does not collect behavioral information for customized advertising or user behavior-based analysis.
Should the Company collect behavioral information in the future, collection items, usage purposes, retention periods, rejection methods, etc., will be separately notified through this policy.
IX. Personal Information Protection Officer and Grievance Processing Department
The Company designates a Personal Information Protection Officer to oversee personal information-related tasks.
- Name: SangChul Kim
- Email: hello@theplato.io
For personal information inquiries, rights exercise requests, grievance processing, etc., please contact the above address and we will process your request without delay.
X. Security Measures
The Company implements the following technical, administrative, and physical measures to protect personal information:
- Encryption: Personal information is stored and transmitted using AES-256 algorithms. SSO integration is supported for secure access control. For email/password accounts, passwords are protected with secure hash algorithms (SHA-512 with salt).
- Access Control and Authentication: Role-based access control (RBAC) is applied to adhere to the principle of least privilege. Administrator access is restricted with MFA (Multi-Factor Authentication), and all external database access is audited through the DB auditing solution QueryPie. Secure authentication is required for administrator system access, with login attempt limits and session timeouts applied.
- Log Management and Monitoring: All access and change logs are recorded and analyzed through CloudTrail and GuardDuty and retained for at least one year. Abnormal activities are detected and responded to in real time. Logs can be transmitted to a customer's SIEM (Splunk) upon request and are provided through API documentation.
- Data Retention and Masking: Sensitive information such as conversation records and documented content is classified as highest sensitivity and stored in fully encrypted form. When displayed, it is masked to minimize unnecessary exposure. It is automatically destroyed when the retention period expires, and data is classified by sensitivity (high, medium, low) with appropriate controls applied.
XI. Obligation to Notify and Policy Changes
This Privacy Policy may be revised due to changes in laws or service content. When changes occur, advance notice will be provided at least 7 days before revision.
- Notice method: Notification through website or email
- For important changes: At least 30 days advance notice
Notice Date: August 17, 2025
Effective Date: August 24, 2025