Privacy Policy
Effective Date: 2026-04-21
Version: 1.0
Theta One AI ("Theta One", "we", "us") respects your privacy. This Privacy Policy explains what personal data we collect through the Theta One API Console and related API services (together, the "Service"), how we use and share it, and the rights you have.
This Policy applies to:
- Account personal data we collect from developers and organizational users who sign up to use the Service (we are the controller); and
- End-user data (e.g., audio submitted by our customers' applications) which we process on behalf of our customers (we are the processor).
Sections specific to the EU/EEA/UK, California, and Korea appear at the end.
1. Data We Collect
1.1 Account data (we are the controller)
| Category | Examples | Source |
|---|---|---|
| Identity | Email, username, account type, affiliation (company name), phone number | You, at sign-up |
| Authentication | Password hash, email-verification tokens, OAuth identifiers (if social login is used) | You / identity provider |
| Billing | Last four digits of payment method, billing name and address, VAT ID, invoice history | Payment processor, you |
| Service usage | API-key metadata, call counts, timestamps, error codes, IP address of calls | The Service |
| Support | Messages you send to support@thetaone.co, survey responses | You |
| Consent records | Which notices and policies you accepted, version, timestamp, IP, user agent, jurisdiction | The Service |
1.2 End-user data submitted via the API (we are the processor)
When you or your application calls our API, we receive:
- Audio (.wav or .mp3) — may contain the voice of the speaker, including minors if your application involves children;
- Text / reference text submitted with pronunciation requests;
- Request metadata — timestamps, API key used, IP address.
We process this data solely to return the requested result and to operate the Service, under the Terms of Service and any Data Processing Addendum.
1.3 Cookies and similar technologies
See the separate Cookie Policy.
2. How We Use Personal Data
We use personal data for the following purposes, with the legal bases shown in parentheses for EU/UK users:
- Provide the Service — create accounts, authenticate you, issue and validate API keys, return API results (contract, Art. 6(1)(b) GDPR).
- Billing and taxes — charge fees, issue invoices, comply with tax and accounting obligations (contract and legal obligation, Art. 6(1)(b)(c)).
- Security and fraud prevention — detect abuse, rate-limit keys, investigate incidents, maintain audit logs (legitimate interests, Art. 6(1)(f); and legal obligation).
- Service operations and improvement — monitor reliability, fix bugs, capacity-plan. We do not use audio or text submitted via the API to train our models except under an opt-in contractual arrangement (see Section 4).
- Communications — respond to support requests, send service notices (contract); send marketing only with your explicit opt-in consent (consent, Art. 6(1)(a)).
- Legal compliance — comply with applicable law, enforce our Terms, and defend legal claims (legal obligation; legitimate interests).
3. Sharing and Sub-Processors
We do not sell personal data. We share data only as follows:
- Sub-processors. Infrastructure, authentication, email delivery, and payments providers that process data on our behalf under written contracts. The current list, including location and purpose, is published at Sub-Processors.
- Professional advisors. Lawyers, auditors, and accountants, under confidentiality.
- Legal and safety. When required by law, lawful process, or to protect rights, safety, or property.
- Business transfer. In connection with a merger, acquisition, reorganization, or sale of assets, subject to this Policy.
4. Model Training
By default, Theta One does not use audio or text submitted via the API to train or fine-tune machine-learning models. Any model-training use of Customer Data requires a separate, written, opt-in arrangement with the account holder and is not enabled by signing up.
5. Cross-Border Data Transfers
Theta One is headquartered in the Republic of Korea. To operate the Service we transfer personal data outside Korea to infrastructure providers located primarily in the United States and, for some services, the European Union.
Safeguards we rely on:
- For transfers from Korea: consent and the PIPA cross-border transfer disclosures summarized in Section 11 (Korea) and Sub-Processors.
- For transfers from the EU/EEA/UK to third countries: the European Commission's Standard Contractual Clauses (and the UK IDTA/Addendum, where applicable), plus supplementary technical measures (TLS 1.2+ in transit, encryption at rest).
- For transfers from Switzerland: the Swiss-equivalent SCCs.
Where the EU Data Privacy Framework applies to a specific sub-processor, we rely on its certification as an additional safeguard.
6. Retention
| Data | Retention |
|---|---|
| API request audio and text | Processed in memory and discarded after the response is returned. Short-lived debug logs (up to 24 hours) may reference request metadata but not payload content. |
| Account data | For the life of your account, plus up to three (3) years after account closure to comply with Korean commercial and tax law. |
| Billing records | Five (5) years under the Korean Framework Act on National Taxes, or longer where required. |
| Consent records | For the life of the account plus five (5) years, to evidence consent under PIPA and GDPR. |
| Security / access logs | Up to twelve (12) months, then deleted or anonymized. |
| Support communications | Up to three (3) years after resolution. |
When the retention period ends, we delete or irreversibly anonymize the data, unless we are legally required to keep it longer.
7. Security
We maintain administrative, technical, and physical safeguards designed to protect personal data, including:
- Transport encryption (TLS 1.2 or higher) and encryption at rest for stored data;
- Access controls (role-based access, least-privilege, MFA for employee consoles);
- Audit logging and monitoring;
- Secret scanning and rotation policies for credentials and API keys;
- Periodic vulnerability review of infrastructure.
No system is completely secure. If we learn of a data breach affecting your personal data, we will notify you and, where required, regulators, within the timelines required by law.
8. Your Rights
Subject to local law, you may:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your data ("right to erasure");
- Restrict or object to certain processing;
- Receive your data in a portable format;
- Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing);
- Lodge a complaint with a supervisory authority (see Sections 9–11).
To exercise a right, use the Settings → Privacy page in the Console, or email privacy@thetaone.co. We will respond within the timelines required by applicable law (generally 10–30 days). We may need to verify your identity before acting on a request.
9. EU / EEA / UK Users (GDPR)
- Controller: Theta One AI, contact above.
- EU Representative (Art. 27 GDPR): To be appointed. Until appointed, please contact privacy@thetaone.co.
- Legal bases: as listed in Section 2.
- International transfers: as described in Section 5.
- Supervisory authority: you have the right to lodge a complaint with your local data protection authority. In the UK, that is the Information Commissioner's Office (ICO).
- Automated decision-making: we do not make decisions with legal or similarly significant effects about you based solely on automated processing.
10. California Residents (CCPA / CPRA)
We provide this section for California residents under the California Consumer Privacy Act as amended by the CPRA.
- Categories of personal information collected in the last 12 months: identifiers (email, username, IP), commercial information (billing), internet activity (API usage logs), audio recordings (only where submitted via the API), and inferences (limited, for abuse detection).
- Sources: you, your devices, our sub-processors.
- Business purposes: as listed in Section 2.
- Sale or sharing of personal information: We do not sell or "share" (as defined by the CPRA) personal information.
- Sensitive personal information: we do not use sensitive PI for purposes other than those permitted by CPRA § 7027 without notice.
- Your rights: know, delete, correct, portability, limit use of sensitive PI, opt out of sale/share, and non-discrimination. Submit requests to privacy@thetaone.co or via the Console.
- Authorized agents: you may use an authorized agent; we will verify the agent and the underlying consumer request.
11. Korean Users (PIPA)
In accordance with the Personal Information Protection Act (PIPA) and related laws, Theta One discloses the following.
11.1 Items, purposes, retention
| Item | Purpose | Retention |
|---|---|---|
| Email, password (hashed), username | Account creation and authentication | Life of account + 3 years |
| Account type, affiliation, phone | Service provision, support | Life of account + 3 years |
| Payment method info (tokenized) | Billing | Until card is removed or 5 years, whichever is longer (tax law) |
| API usage logs, IP | Service operation, abuse prevention | 12 months |
| Consent records | Evidence of lawful consent | Life of account + 5 years |
| Marketing consent (optional) | Marketing emails, product updates | Until withdrawn |
11.2 Cross-border transfers (국외이전)
Because core infrastructure is hosted outside Korea, the following transfers occur. By creating an account, you consent to these transfers in accordance with PIPA Article 28-8.
| Recipient | Country | Purpose | Items | Retention | Transfer method |
|---|---|---|---|---|---|
| Supabase, Inc. | United States | Auth, database, storage | Account data, consent records | Same as retention above | Encrypted network (TLS) |
| Amazon Web Services | United States | Compute, object storage | API request metadata, short-lived logs | Up to 12 months | Encrypted network (TLS) |
| Stripe, Inc. | United States | Payment processing | Billing information | Per Stripe's policy | Encrypted network (TLS) |
The authoritative, up-to-date list is published at Sub-Processors. The data-protection laws of these countries may differ from Korea's. You have the right to refuse cross-border transfer; however, if you refuse, we may be unable to provide the Service.
11.3 Children
The Service is intended for users aged nineteen (19) and older. We do not knowingly collect personal data directly from users under 14. If you believe a minor has registered a Theta One account, contact privacy@thetaone.co and we will delete the account.
11.4 Rights under PIPA
You may request access, correction, deletion, suspension of processing, and portability under PIPA Articles 35–37. You may also lodge a complaint with the Personal Information Protection Commission (PIPC) (privacy.go.kr) or the Korea Internet & Security Agency (KISA) (118).
11.5 Chief Privacy Officer (CPO)
- Name: To be designated
- Email: privacy@thetaone.co
- Phone: To be designated
12. Children
Theta One does not knowingly collect personal data directly from children under nineteen (19) years of age. If your application uses the Service to process audio from minors, you are the controller of that data and must obtain the consents required by applicable law (e.g., PIPA, COPPA, GDPR Art. 8).
13. Do Not Track
Our Service does not respond to "Do Not Track" signals, as no industry standard has been finalized. We honor the Global Privacy Control (GPC) signal for opt-out-of-sale/share requests for California residents.
14. Changes to This Policy
If we make a material change, we will notify the account holder by email at least thirty (30) days before it takes effect (or the minimum longer period required by law) and request re-consent where required. Non-material changes will be posted here with an updated "Effective Date".
15. Contact
Theta One AI
Privacy inquiries: privacy@thetaone.co
General support: support@thetaone.co
Postal address: To be added.