LangTwo Privacy Policy

Effective Date: 2025-01-15Version: v1.0.0

1. Purpose and Legal Basis for Processing Personal Data

LangTwo (langtwo.com, hereinafter referred to as the “Company”) processes personal data only for the following purposes and legal bases in accordance with the Personal Information Protection Act and other applicable laws. If the purpose of processing changes, the Company will obtain separate consent in advance or use the data only within the scope permitted by law.

Category	Purpose of Processing	Legal Basis
Member Services	Member identification and authentication, provision and maintenance of AI-based language learning services, customer support	Performance of Contract
Payment/Settlement	Subscription payment and refund, issuance of tax invoices, PayPal payment processing	Performance of Contract
Marketing/Promotion	Notification of new features, personalized learning content recommendations	Consent of Data Subject
Service Improvement	Analysis of learning patterns, improvement of AI scenario quality, enhancement of usability	Legitimate Interest
Legal Compliance	Fraud detection, dispute resolution, response to regulatory requests	Legal Obligation

2. Items Collected and Methods of Collection

The Company collects personal data through the following items and methods.

2.1 Information Collected Directly

Category	Required Items	Optional Items
Membership Registration	Email (ID)	Password (only if social login is not used)
Social Login	Google account information (email, profile)	-
Payment	PayPal transaction approval number, payment information	Address for tax invoice receipt

2.2 Information Collected Automatically

Google Analytics 4 (GA4) Collected Items:

IP address (automatically anonymized in the EU), browser and OS information
Device information (mobile/desktop, screen resolution)
Approximate geographic location (country/city level)
Page views, session duration, bounce rate, referring websites

Amplitude Collected Items:

User behavior events (clicks, page views, feature usage)
Session data (connection and stay time), anonymized device ID
App version, OS version, user journey analytics data
Custom events (learning progress, Today Energy usage, etc.)

Learning Data Collected Items:

Scenario conversation messages (all AI–user interactions)
Learning session information (start/end time, progress)
AI evaluation and feedback data, translation practice results
Review questions and accuracy rate, daily learning goals and achievement
AI token usage (for cost management and service optimization)

3. Retention and Use Period

The Company retains personal data only for the period prescribed by law or agreed upon by the user, and destroys it without delay once the retention period expires.

Item	Retention Period	Legal Basis or Internal Policy
Basic Member Information	3 months after withdrawal	Prevention of re-registration misuse (internal)
Learning Data	1 year after withdrawal	Service quality improvement (internal)
Payment/Settlement Records	5 years	Article 6 of the E-Commerce Act
Display/Advertising Records	6 months	Article 6 of the E-Commerce Act
Electronic Financial Transaction Records	5 years	Electronic Financial Transactions Act
Logs/Access Records	3 months	Protection of Communications Secrets Act
Dormant Accounts	Stored separately after 1 year of inactivity → destroyed after 3 years	Compliance with PIPA Amendment (2023)
Fraudulent Transaction Records	5 years	Internal Policy

4. Provision to Third Parties and Outsourcing of Processing

4.1 Domestic Outsourcing

Entrusted Company	Entrusted Task	Retention Period
PayPal	Electronic payment processing, subscription management	Until termination of contract
TBD	SMS/KakaoTalk notification delivery	Deleted immediately after completion

All entrusted companies enter into written contracts in accordance with Article 26 of the Personal Information Protection Act and are regularly monitored and supervised.

4.2 Overseas Transfer

Google Analytics 4:

Recipient/Country: Google LLC / United States
Transferred Items: Cookie-based logs, access IP (anonymized), website usage patterns
Transfer Timing: Encrypted transmission via TLS during service use, stored in U.S. region
Legal Basis: Prior consent of data subject
Opt-out Method: Google Analytics Opt-out Add-on or browser cookie blocking

Amplitude:

Recipient/Country: Amplitude Inc. / United States
Transferred Items: Service usage records, event data, and other anonymized analytics information
Transfer Timing: Encrypted transmission via TLS during service use, stored in U.S. region
Legal Basis: Prior consent of data subject
Opt-out Method: Browser cookie blocking or discontinuation of service use

OpenAI:

Recipient/Country: OpenAI Inc. / United States
Transferred Items: Learning conversation content (excluding personally identifiable information), AI prompt data
Transfer Timing: API communication during AI feature use, processed in U.S. region
Legal Basis: Essential processing for service provision
Retention Period: Deleted immediately after processing (in compliance with OpenAI API policy)

If any changes occur in overseas transfer details, the Company will notify users via website notice and email.

5. Rights of Data Subjects

Users may exercise the following rights at any time.

5.1 List of Data Subject Rights

Request for access to and copies of personal data
Request for correction or deletion of errors or changes
Request for suspension of processing
Request for data portability – provided in a machine-readable format
Request for explanation or objection to automated decision-making (AI recommendations, personalized content, etc.)

5.2 Procedure for Exercising Rights

Request Method: Submit a request to admin@langtwo.comProcessing Period: Notification of results within 10 days of receiptFees: Free of charge in principle; however, a reasonable fee may be charged for manifestly unfounded or excessive requests

5.3 Additional Rights for EU Residents (GDPR Applicable)

Right to be Forgotten: Request complete deletion of personal data
Right to Restrict Processing: Request temporary suspension of processing under certain conditions
Right to Object: Object to processing based on legitimate interests

6. Collection of Cookies and Other Online Identifiers

6.1 Purpose of Cookie Use

Essential Cookies: Maintain login sessions, security, and core service functions
Analytics Cookies: Service improvement through GA4/Amplitude
Functional Cookies: Language settings, saving learning progress
Marketing Cookies: Personalized content delivery (for future advertising features)

6.2 Cookie Management

Opt-out Method: You may block or delete cookies in your browser settings (Tools ▶ Internet Options ▶ Privacy).Impact: Blocking cookies may limit certain personalized services.Consent Management: Cookie preferences can be managed by category in the “Cookie Settings” section at the bottom of the website.

7. Procedures and Methods for Data Destruction

7.1 Grounds for Destruction

Fulfillment of processing purpose, expiration of retention period, or user request

7.2 Destruction Procedure

Separate Storage: Transfer data subject to destruction to a separate database
Review Process: Verify appropriateness of destruction in accordance with internal policies and laws
Execution: Destroy immediately or after a designated retention period

7.3 Destruction Methods

Electronic Files: Permanently deleted using an unrecoverable method (AES-256)
Printed Materials: Shredded or incinerated
Cloud Storage: Permanently deleted in accordance with AWS secure deletion policy

8. Measures to Ensure Security of Personal Data

8.1 Technical Measures

Encryption during transmission and storage (TLS 1.3, AES-256)
Database access control and permission management
24×365 intrusion detection and log monitoring
Regular security updates and vulnerability assessments

8.2 Administrative Measures

Quarterly internal and external audits
Application of the principle of least privilege
Regular employee security training
Retention of access logs to personal data systems for 2 years

8.3 Physical Measures

Redundant server rooms and backup centers
Access control and CCTV installation
Compliance with AWS infrastructure security policies

8.4 Response to Data Breaches

In the event of a personal data breach or similar incident, the Company will notify the supervisory authority and affected data subjects within 24 hours.

9. Protection of Minors’ Personal Data

9.1 Age Restrictions

Currently, no age verification process (only email collected)
Use of the service by children under 13 is not recommended
A separate notice will be provided when an age verification system is introduced

9.2 Parental Rights

If it is confirmed that personal data of a child under 13 has been collected:

Data collected without parental consent will be deleted immediately
Parents may request access, correction, or deletion of their child’s personal data

10. Personal Data Protection Officer

10.1 Data Protection Officer

Name: Daehyun Nam
Position: CEO
Contact: admin@langtwo.com, +82-70-8983-4695
Address: 201-S38, 11-3 Eunchon-ro, Gwanak-gu, Seoul, Republic of Korea

10.2 Inquiries Regarding Personal Data

For inquiries, complaints, or remedies related to personal data processing, please contact the above representative.

10.3 Remedies for Infringement of Rights

If a dispute related to personal data is not resolved or if you require relief:

Personal Information Dispute Mediation Committee: privacy.go.kr, 1833-6972
Personal Information Protection Commission: privacy.go.kr, 02-2100-2820
Supreme Prosecutors’ Office: spo.go.kr, 1301
National Police Agency: cyberbureau.police.go.kr, 182

11. Policy Revision Procedure and Notification

11.1 Revision Procedure

In the event of significant changes such as purpose, items collected, retention period, or third-party provision:

Advance notice via website announcement at least 7 days prior to the change
Individual notification via email (for major changes)
Implementation of the revised policy and retention of previous versions

11.2 Version Management

Previous versions will be retained and accessible for 5 years
Version history can be checked on the website

12. Miscellaneous

12.1 Governing Law

This Privacy Policy is governed by the laws of the Republic of Korea. For overseas users, the data protection laws of their respective countries may also apply.

12.2 Language

The Korean version of this Policy is the original. In case of any discrepancies between the Korean version and translated versions, the Korean version shall prevail.

Effective Date: January 15, 2025Contact: admin@langtwo.comThis Privacy Policy will be regularly reviewed and improved to ensure the safe protection of users’ personal data.