개인정보 처리방침

VOLI Privacy Policy

Last updated: May 14, 2026

This Privacy Policy explains how waveDeck Corp. (the "Company", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the VOLI service ("Service"). If you are a resident of the Republic of Korea, please refer to the Korean Privacy Policy at https://voli.ai/terms/privacy.

1. Who We Are (Data Controller)

The Company is the Data Controller with respect to the personal information processed under this Policy. Legal Name: waveDeck Corp. (주식회사 웨이브덱). Address: 18F, 122 Mapo-daero, Mapo-gu, Seoul, 04117, South Korea. Privacy Contact: contact@wavedeck.ai. Phone: +82-70-7954-4511. Privacy Officer: Haegab Jeong, CEO. For EU/EEA users, an EU Representative may be designated as required by GDPR Article 27. If you are located in the EU/EEA and wish to contact our EU Representative, please email contact@wavedeck.ai for current contact information.

Category	Purpose	Items Collected	Collection Type
Account Information	Account creation and management	Name, email address	Required
Social Login Credentials	Social login and authentication	Social account identifier, email, name, and gender from Naver/Kakao	Required when using social login
Payment Information	Payment processing	Payment identifier, transaction records. Credit card numbers and similar sensitive data are handled by payment processors and not retained by us.	Required when making payment
Billing Information	Tax invoice and receipt issuance	Business registration number, business name, representative name, business address	Required when requested
Service Inputs	TTS, STS, and Custom Voice service provision	TTS input text, STS input audio, Custom Voice creation prompts	Required
Custom Voice Voice Samples	Custom Voice creation through upload or recording	Voice sample audio files, biometric information	Required with separate consent
Customer Support Communications	Customer support and inquiry handling	Email content, attachments	Required when contacting support
Marketing Preferences	Marketing and newsletter communications	Email subscription consent	Optional

Information collected automatically
We may automatically collect device information, usage data, network information, cookies and similar technologies, and mobile advertising identifiers such as IDFA and AAID.

Information we generate
We may generate voice embeddings, user generated files, and service logs during your use of the Service.

2. What Personal Information We Collect

We collect personal information directly from you, automatically through your use of the Service, and from third-party sources such as social login providers and payment processors.

1. Information you provide directly, such as account information, billing information, service inputs, voice samples, customer support communications, and marketing preferences.
2. Information collected automatically, such as device information, usage data, network information, cookies, analytics identifiers, and advertising identifiers.
3. Information received from third-party sources, such as Google, Naver, Kakao, PayPal, Port One, and NICE Payments.
4. Information generated by us, such as voice embeddings, user generated audio files, and service logs.

3. Special Category: Biometric Information

We process biometric information, specifically voice biometric data, in connection with the Custom Voice feature when you create a Custom Voice through the Voice Sample Upload or Voice Recording method.

3.1 What Qualifies as Biometric Information
Biometric information includes voice sample data you upload or record for Custom Voice creation and voice embedding data generated by our system from your voice samples.

3.2 Why We Process Biometric Information

• To create your Custom Voice model
• To provide the Custom Voice service to you
• To manage your Custom Voice slots

3.3 Legal Basis for Processing
For EU/EEA users, we process biometric information based on your explicit consent under GDPR Article 9(2)(a). For users in other jurisdictions, we process biometric information based on your explicit, separate consent obtained at the time of Custom Voice creation.

3.4 Retention

• Biometric information is retained only while you maintain the corresponding Custom Voice slot.
• Upon termination of your paid plan, downgrade to a plan with fewer slots, or deletion of the Custom Voice, biometric information is immediately and irreversibly deleted.

3.5 Deletion Method

• Biometric information is deleted using technical measures that prevent recovery.
• Deletion may include permanent deletion, encryption key destruction, or other irreversible technical safeguards.

3.6 No Sharing or Sale

• We do not share or sell biometric information with third parties.
• Where we use processors such as cloud infrastructure providers, we apply technical measures that prevent processors from independently identifying individuals from such information.

3.7 Exclusion from AI Training
Biometric information is excluded from AI model training. We do not use your Custom Voice biometric data to train our AI models.

3.8 Prompt Design Method and California Sensitive Personal Information
Custom Voice created through the Prompt Design method does not involve voice sample collection and therefore does not result in biometric information processing. For California residents, biometric information may also constitute sensitive personal information under the CPRA. You have the right to limit our use of sensitive personal information by contacting us.

4. How We Use Personal Information

We use personal information for the purposes described below. Each purpose is associated with a specific legal basis under GDPR for EEA/UK users and applicable legal grounds under other laws.

4.1 Purposes and Legal Bases

Purpose	Legal Basis
Account creation and management	Performance of contract
Age verification and minor protection	Legal obligation
Service provision including TTS, STS, and Voice Cloning	Performance of contract
Custom Voice creation through Upload or Record method	Explicit consent
Custom Voice creation through Prompt Design method	Performance of contract
Payment processing	Performance of contract
Customer support	Performance of contract or legitimate interest
Service security, fraud prevention, and duplicate account prevention	Legitimate interest
AI model training and improvement, subject to opt-out and exclusions	Legitimate interest with opt-out right
Service analytics and behavioral data	Consent for non-essential analytics; legitimate interest for essential analytics
Marketing communications	Consent, withdrawable at any time
Legal compliance	Legal obligation

4.2 Retention Periods
We retain personal information only as long as necessary for the purposes described in this Policy, or as required by applicable law.

Category	Retention Period	Notes
Account information	Until account deletion	Includes name, email, phone, and related account data
Social login credentials	Until account deletion	Applies to Google, Naver, and Kakao login data
TTS/STS usage records and payment records	Until account deletion	Subject to legal retention obligations
User Generated Files	1 year from creation	Automatically deleted thereafter
Custom Voice biometric data	Until slot deletion, plan termination, or downgrade	Then immediate and irreversible deletion
1:1 inquiries	Until account deletion	Includes inquiry content and attachments
Marketing consent	Until consent withdrawal or account deletion	Whichever occurs first

4.3 Inactive Users and Account Deletion

• If you do not use the Service for 1 year, we may move your personal information to separate storage with advance notice or delete it after advance notice.
• You may opt to extend this period up to a maximum of 3 years.
• We provide at least 30 days' advance notice before any separation or deletion action.
• Upon account deletion, we delete all personal information immediately, except information required by law and hashed identifiers retained for fraud prevention for 30 days.

5. AI Model Training Use

We may use certain data for AI voice model training, refinement, and performance improvement, subject to exclusions and opt-out rights.

Processor	Function	Categories Processed
Amazon Web Services, Inc.	Cloud infrastructure and Amazon SES email delivery	All personal information collected under this Policy
Korea Port One Co., Ltd. (포트원)	Domestic payment processing for Korean transactions	Payment information
NICE Payments Co., Ltd.	Domestic payment processing for Korean transactions	Payment information
PayPal Holdings, Inc.	International payment processing	International payment identifiers and transaction records
Google LLC	Google social login and Google Analytics 4	Social account ID, email, access logs, device info
Naver Corporation	Naver social login	Social account ID, email, name, gender
Kakao Corporation	Kakao social login	Social account ID, email, name, gender
Amplitude, Inc.	Service behavioral analytics	Access logs, usage behavior, device info
Hotjar Ltd.	Service behavioral analytics including heatmaps and session recordings	Access logs, usage behavior, device info
Tally Forms BV	1:1 inquiry and customer support form	Email, inquiry content, attachments

Processors are bound by data processing agreements requiring compliance with applicable data protection laws.

6. International Data Transfers

The Service is operated from the Republic of Korea. Personal information you provide will be transferred to and processed in Korea. Depending on the processor used, additional international transfers may occur as follows.

Destination	Processor	Transfer Timing and Method	Categories Transferred	Purpose	Retention Period
United States	Amazon Web Services, Inc.	Automatic transfer during Service use	All categories	Cloud infrastructure and email delivery	Until processor agreement termination
United States	Google LLC	Automatic transfer during Service use	Social login data, analytics data	Social login authentication and analytics	Until processor agreement termination
United States	PayPal Holdings, Inc.	Automatic transfer during international payment	Payment data	International payment processing	Payment processing period and legal retention period
United States	Amplitude, Inc.	Automatic transfer during Service use	Analytics data	Service behavioral analytics	Until processor agreement termination
Malta (EU)	Hotjar Ltd.	Automatic transfer during Service use	Analytics data	Behavioral analytics including heatmaps and session recordings	Until processor agreement termination
Belgium (EU)	Tally Forms BV	Automatic transfer when submitting a 1:1 inquiry	Customer support data	1:1 inquiry and customer support form	Until processor agreement termination

6.1 EU/EEA/UK Transfers
For transfers from the EU/EEA or UK to non-adequate jurisdictions, we rely on Standard Contractual Clauses approved by the European Commission and equivalent UK transfer mechanisms.

6.2 APPI Transfers and Transfer Safeguards

• For transfers of personal information of Japanese residents outside Japan, we comply with the requirements of APPI Article 28.
• You may obtain a copy of the relevant transfer safeguards by contacting us at contact@wavedeck.ai.

6.3 Your Rights Regarding Transfers
You may contact us to request information about applicable safeguards for international transfers.

7. Retention and Deletion

We delete personal information when it is no longer necessary for the purposes described in this Policy, unless retention is required by applicable law.

7.1 Deletion Procedure
After the purpose of processing has been achieved, personal information is deleted or separately stored for the period required by internal policies or applicable law.

7.2 Deletion Method

• Electronic files are deleted using technical methods that prevent restoration.
• Paper documents are shredded or incinerated.
• Biometric information, including Custom Voice samples and embeddings, is permanently deleted using irreversible technical measures.

7.3 Deletion Timing

Data Type	Deletion Timing
Account information	Immediately upon account deletion, except hashed identifiers retained for 30 days for fraud prevention
User Generated Files	Automatically deleted 1 year after creation
Custom Voice data	Immediately upon slot deletion, plan termination, or downgrade
Records retained by law	Immediately after the legally required retention period expires
Marketing consent	Immediately upon consent withdrawal or account deletion
Inactive user information	Handled according to the dormant account policy

8. AI Model Training Use

We may use certain data for AI voice model training, refinement, and performance improvement.

8.1 Categories Used

• TTS input text data
• TTS and STS generated audio outputs after pseudonymization or de-identification
• Service usage statistics

8.2 Categories Excluded
The following data is never used for AI training:

• Custom Voice voice sample data, which is biometric information
• Custom Voice voice embedding data, regardless of creation method
• Content for which you have explicitly opted out

8.3 Principles
We follow these principles when using data for AI training:

• Personal identifiers are removed or pseudonymized before training.
• Raw data is not provided to external third parties for training.
• Technical and organizational safeguards are applied to training infrastructure.
• Training outputs are managed to prevent embedding of individual user identifiers.

8.4 Opt-Out Right
You may opt out of AI training use at any time by contacting us at contact@wavedeck.ai or through the 1:1 customer support form. Data collected after your opt-out will not be used for training. We will work to develop a self-service opt-out path and will publish it in this Policy when available.

8.5 Legal Basis
AI model training and improvement is based on legitimate interest for EEA/UK users, subject to opt-out rights and exclusions.

9. Automated Decision-Making

9.1 Current Operation
The Company does not currently operate any fully automated decision-making systems that produce legal effects or similarly significant effects on you.

9.2 If Implemented in the Future
If we implement automated decision-making in the future, such as AI-based content moderation or automated account restrictions, we will update this Policy to include:

• The categories and procedures of such decisions
• The main criteria and information used
• Your right to object, request human review, and obtain meaningful information about the logic involved

10. Behavioral Data

10.1 Collection and Use
We collect and use behavioral data for service improvement, product development, and analytics, including:

• Service access patterns and navigation
• Time and frequency of use
• Click, search, and content generation behavior
• Device identifiers and advertising identifiers

This is processed through our analytics processors, including Google Analytics 4, Amplitude, and Hotjar.

10.2 No Sale or Sharing with Third Parties
We do not currently sell or share your behavioral data with third-party advertising partners such as Meta/Facebook or Google Ads. If we change this in the future, we will obtain prior consent and update this Policy.

10.3 Your Right to Opt Out
You may opt out of behavioral data collection by:

• Browser: Disable or delete cookies through your browser settings
• iOS: Settings → Privacy & Security → Tracking → toggle off "Allow Apps to Request to Track"
• Android: Settings → Google → Ads → Reset or Delete advertising ID
• Google Analytics: Install the Google Analytics Opt-Out Browser Add-on
• Direct Request: Email contact@wavedeck.ai

10.4 Effect of Opting Out
Opting out of behavioral data collection does not affect account creation or core Service use, but may limit personalization.

11. Your Rights

Depending on your jurisdiction, you have certain rights regarding your personal information. We honor all valid requests and respond within applicable legal timeframes.

11.1 Rights Available to All Users

• Access: Obtain a copy of your personal information
• Correction: Correct inaccurate or incomplete information
• Deletion: Request deletion of your personal information
• Restriction: Restrict the processing of your personal information
• Objection: Object to processing based on our legitimate interests
• Consent Withdrawal: Withdraw consent at any time without affecting prior processing
• Opt-out of AI Training: Request that your data not be used for AI training
• Account Termination: Delete your account at any time

11.2 Additional Regional Rights and How to Exercise
Depending on your region, you may have additional rights under GDPR, CCPA/CPRA, APPI, or other applicable laws.

• EU/EEA/UK users may request data portability, object to automated decision-making, and lodge a complaint with a supervisory authority.
• California users may exercise the right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination.
• Japanese users may request disclosure, correction, suspension of use, and notice of source under APPI.
• To exercise your rights, email contact@wavedeck.ai or submit a 1:1 inquiry through the Service.

We will verify your identity before processing your request.
We aim to respond within 10 business days for general requests, 30 days for GDPR requests, and 45 days for CCPA requests, subject to legally permitted extensions.

11.3 No Fee

• We do not charge a fee for processing your requests.
• Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request as permitted by law.

11.4 User Responsibility
You are responsible for keeping your information accurate and for not infringing upon the rights of others when using the Service.

12. Security

We implement administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction.

12.1 Administrative Safeguards

• Internal privacy management plan
• Regular employee privacy training
• Minimization of personnel with access to personal information
• Regular oversight of processors

12.2 Technical Safeguards

• Access control and permission management
• One-way encryption of passwords
• Encryption of sensitive data in transit and at rest
• Separate storage and additional encryption of biometric information, including Custom Voice data
• Security software with regular updates
• Access logging and tamper detection

12.3 Physical Safeguards and Breach Notification

• Restricted physical access to servers and data storage facilities
• Use of certified data centers, including AWS-certified facilities
• In the event of a personal data breach affecting your rights and freedoms, we will notify you and applicable authorities within timeframes required by applicable law.

13. Cookies and Similar Technologies

13.1 Use of Cookies
We use cookies and similar technologies to maintain login sessions, analyze Service usage, improve features, strengthen security, and collect behavioral analytics data.

13.2 Types of Cookies

• Strictly Necessary: Login session and security, no consent required
• Functional: User preferences, consent where applicable
• Analytics: Service improvement through GA4, Amplitude, and Hotjar
• Advertising/Targeting: Currently not used

13.3 Cookie Consent and Management
For EU/EEA users, we obtain cookie consent through a cookie banner. You may withdraw or modify your consent at any time. For other users, you may manage cookies through your browser settings:

• Chrome: Settings → Privacy and Security → Cookies and other site data
• Safari: Preferences → Privacy → Manage Website Data
• Edge: Settings → Cookies and site permissions
• Firefox: Preferences → Privacy & Security → Cookies and Site Data

Disabling cookies may limit certain Service features.

14. Children's Privacy

14.1 Minimum Age
We do not knowingly collect personal information from children under the minimum age applicable in their country of residence, generally 14 in Korea, 16 or local equivalent in the EEA/UK, 13 in the United States under COPPA, and as required by APPI in Japan.

14.2 Age Self-Certification at Registration
At registration, users are required to self-certify that they meet the applicable minimum age requirement by checking a confirmation checkbox. By checking this box, the user represents and warrants that they meet the applicable minimum age requirement.

14.3 False Representation by Underage Users
If a child below the applicable minimum age registers for the Service by falsely representing their age, the legal responsibility for such false representation lies with the child and/or their parent or legal guardian. The Company shall not bear responsibility for violations of applicable child protection laws caused by such false representation.

14.4 Discovery of Underage Users
If the Company becomes aware, or has reasonable grounds to suspect, that a user is below the applicable minimum age, the Company will immediately:

• Terminate the user's membership and service access
• Delete all personal information collected from the user
• Notify the user's parent or legal guardian where appropriate

14.5 Parental Consent for Minors
For users between the minimum age and the local age of majority, parental or guardian consent may be required under applicable law. Where required, the Company will obtain such consent through appropriate procedures.

14.6 Custom Voice Creation by Minors
For Custom Voice creation by minors, which involves biometric information, the Company applies additional parental consent confirmation procedures.

14.7 Parent and Guardian Rights
Parents and guardians may exercise privacy rights on behalf of their minor children by contacting us at contact@wavedeck.ai.

15. Region-Specific Provisions and Contact

If you have questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us.

15.1 Privacy Officer

• Privacy Officer: Haegab Jeong, CEO
• Email: contact@wavedeck.ai
• Phone: +82-70-7954-4511
• Address: 18F, 122 Mapo-daero, Mapo-gu, Seoul, 04117, South Korea

15.2 Department

• Department: waveDeck CX Team
• Contact: contact@wavedeck.ai

15.3 Unresolved Concerns
For unresolved concerns, you may also contact:

• EU/EEA/UK: Your local data protection authority
• California: California Privacy Protection Agency (https://cppa.ca.gov)
• Japan: Personal Information Protection Commission (https://www.ppc.go.jp)
• Korea: Personal Information Protection Commission (https://www.pipc.go.kr) / KISA Personal Information Infringement Report Center (privacy.kisa.or.kr)

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified in advance.

Standard Changes: We will post the updated Policy at least 7 days before the effective date.
Material Changes: For changes that materially affect your rights, such as new categories of personal information, new purposes of processing, or new processors handling sensitive data, we will provide at least 30 days' advance notice and notify you by email or in-Service notification.
If you do not agree with the changes, you may delete your account before the effective date.

Effective Date

This Privacy Policy takes effect on May 21, 2026.
Last updated: May 14, 2026.

Previous Policy