Privacy Policy
How BubbleBridge handles personal information.
Effective date: April 27, 2026
Last updated: April 27, 2026
The BubbleBridge operator (the "Company", "we", "us", or "our") protects users' personal information while providing BubbleBridge (the "Service") and complies with Korea's Personal Information Protection Act and other privacy laws that may apply in regions where the Service is provided.
This Policy is a common privacy standard for users in Korea and users outside Korea. Depending on where you live, where you use the Service, whether the Company targets your country, and whether paid services are offered, additional notices, consents, or rights procedures under GDPR, UK GDPR, CCPA/CPRA, or other local laws may apply.
1. Privacy Principles
The Company operates the Service under the following principles.
- Uploaded images, OCR results, and translation results are used only for temporary processing to provide the Service.
- Original images, OCR text, and translation results are not stored after processing is complete.
- Uploaded content and processing results are not used for AI training, model improvement, dataset creation, or quality-improvement datasets.
- Service logs are designed not to include content text such as original images, file names, OCR text, translations, or prompts.
- When external AI, OCR, or translation APIs are used, only the minimum necessary data is transmitted.
- Personal information is processed only to the minimum extent necessary for stated purposes and is deleted without delay after those purposes are achieved.
- The Company does not sell personal information and, as a principle, does not sell or share personal information for targeted advertising or cross-context behavioral advertising.
2. Personal Information We Process
The Company currently processes the following personal information.
2.1 Required Information
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Account and authentication | Email, login identifier, authentication-token verification information, Terms and Privacy Policy consent timestamps | User identification, login, consent record management | Until account deletion or service termination. Records needed for dispute response may be kept for 3 years |
| Image translation request | Uploaded image, text extracted from the image, translation result, target language | OCR and translation result delivery | Not stored after request processing is complete |
| Usage metadata | User identifier, permission or plan, daily request count, success and failure counts | Request limit management, abuse prevention, service operation | Until account deletion or service termination. De-identified statistics may be retained |
| Service logs | IP address, User-Agent, request time, error code, processing time | Security, incident response, service stabilization, abuse prevention | Up to 30 days |
| Customer inquiries | Email address, inquiry content, attachments, response history | Support and dispute response | 3 years after the inquiry is closed |
Uploaded images, OCR text, and translation results may themselves be personal information or may contain personal information, so they are processed only temporarily during request handling. The Company does not intentionally collect sensitive information, government-issued identifiers, full payment card numbers, health information, or other information unnecessary to provide the Service.
2.2 Optional Information
| Category | Items | Purpose | Retention |
|---|---|---|---|
| Marketing consent | Email, opt-in and withdrawal history | Service news or update notices | Until consent is withdrawn |
| Paid features | Payment identifier, payment status, product name, amount, refund history | Payment processing, refunds, accounting evidence | Period required by applicable law |
The Service is currently provided for free, and the Company does not directly collect or store complete payment information such as full payment card numbers. If paid features are provided, a payment processor handles payment information, and the Company processes only the minimum payment metadata needed for payment confirmation and refunds.
3. Purposes and Legal Bases
The Company processes personal information for the following purposes.
- Providing image OCR and translation results
- User identification, login, and consent-record management
- Service incident diagnosis, security incident response, and abuse prevention
- Customer inquiry handling
- Payment, refund, tax, and accounting processing if paid services are provided
- Legal compliance and dispute response
- Service news, updates, or marketing notices if the user consents
For users subject to GDPR, UK GDPR, or similar laws, the legal bases are as follows.
| Purpose | Legal basis |
|---|---|
| OCR and translation result delivery, account login | Performance of a contract or steps before entering into a contract |
| Security, incident response, abuse prevention | Legitimate interests of the Company or a third party |
| Payment, tax, accounting, legal requests | Compliance with legal obligations |
| Marketing notices, optional cookies, optional notifications | User consent |
When the Company relies on legitimate interests, it limits processing scope and retention so that users' rights and freedoms are not unduly affected.
4. Retention and Use Period
- The Company deletes personal information without delay after the processing purpose is achieved.
- Uploaded images, OCR text, and translation results are not stored after request processing is complete.
- Account information and usage metadata are retained until account deletion or service termination. Information needed for dispute response, abuse prevention, or legal compliance may be kept until the relevant purpose is achieved.
- Security and incident-response logs are retained for up to 30 days and then deleted. If needed for a security incident investigation or legal dispute, they may be retained until that reason ends.
- Customer inquiry records are retained for 3 years after the inquiry is closed and then deleted.
- Information that must be preserved by law is retained for the period required by that law.
- If a user withdraws consent or requests account deletion, the Company deletes or de-identifies the information except where legal retention is required.
5. Deletion Procedures and Methods
- Personal information is deleted without delay after its retention period expires or its processing purpose is achieved.
- Electronic files are securely deleted so that recovery or reproduction is difficult.
- Paper documents are shredded or incinerated.
- Uploaded images and Processing Results are not stored in server storage as a default principle. If temporary memory or temporary files are created, they are deleted after request processing is complete.
6. Third-Party Disclosure and No Sale
The Company does not provide users' personal information to third parties as a default principle. Exceptions are:
- The user has given prior consent.
- Disclosure is based on law or a lawful request from an investigative authority, court, or administrative agency.
- Disclosure is urgently necessary to protect life, body, or property.
The Company does not sell users' personal information for money. As a principle, the Company also does not provide personal information for targeted advertising in a way that may constitute "sale" or "sharing" under CCPA/CPRA or similar U.S. state privacy laws. If advertising, retargeting, data broker provision, or cross-service tracking is introduced later, the Company will provide separate notice, consent, or opt-out procedures.
7. Processors
The Company uses the following External Processors to provide the Service.
| Processor | Work | Information processed or transferred | Retention |
|---|---|---|---|
| Google Cloud Platform | Server hosting, network, database, security, log processing | Account metadata, usage metadata, service logs, temporary processing data during requests | Until processing purpose is achieved or the processing agreement ends |
| Google Cloud Vision API | Image text recognition | Uploaded image or image portion | The Company does not store it after request processing; provider policy applies |
| Google Cloud Translation API | Translation result generation | OCR text, translation request information, target language | The Company does not store it after request processing; provider policy applies |
| Google Vertex AI | Context-aware AI translation result generation | OCR text, speech-bubble location information, translation request information, target language | The Company does not store it after request processing; provider policy applies |
| Google Identity Services or managed auth provider | Login and authentication | Email, login identifier, authentication-token verification information | Until account maintenance or authentication purpose is achieved |
| Google Analytics | Service usage analytics | Page visit information, device and browser information, cookie or similar identifier | Analytics settings and provider policy apply |
Google Analytics is used only if a measurement ID is configured for the Service and the user allows analytics cookies. When using External Processors, the Company sets necessary safeguards through contracts or equivalent measures, including processing purpose, security measures, subcontracting restrictions, confidentiality, and deletion or return after processing ends.
8. International Transfers
When external AI, OCR, translation, cloud, authentication, or analytics services are used, personal information or Uploaded Content may be transferred outside the user's country.
| Recipient | Country | Items | Purpose | Timing and method | Retention |
|---|---|---|---|---|---|
| Google LLC and Google Cloud affiliates | United States, Korea, and countries where Google infrastructure is located | Account metadata, usage metadata, service logs, uploaded image or image portion, OCR text, translation request information | Cloud hosting, authentication, OCR, translation, security, incident response, usage analytics | Transmitted through encrypted communication when the Service is used | Until processing purpose is achieved or under provider policy |
If GDPR, UK GDPR, or similar laws apply to an international transfer, the Company will prepare transfer bases and safeguards required by law, such as adequacy decisions, standard contractual clauses, transfer impact assessments, and supplementary measures.
9. Cookies and Similar Technologies
The Company may use cookies, localStorage, sessionStorage, or similar technologies for service stabilization, security, login state, language settings, and usage analytics.
- Required storage technologies: used for login, security, request processing, language settings, and other functions needed to provide the Service.
- Analytics cookies: tools such as Google Analytics are loaded only if the user allows them, and the consent choice is stored in the browser's localStorage.
- Marketing cookies: the Company currently does not use cookies for targeted advertising or retargeting. If introduced later, prior notice and required consent or opt-out procedures will be provided.
- Users can reject or delete cookies through browser settings. However, rejecting required storage technologies may limit use of the Service.
10. Data Subject and Representative Rights
Users may request access, correction, deletion, suspension of processing, and withdrawal of consent.
- Request email: bubblebridge.contact@gmail.com
- Response period: within the period required by law
The Company may verify whether the requester is the user or a lawful representative. Deletion or suspension may be limited for information that must be retained by law or is needed for security incident investigation, rights exercise, or defense.
Depending on applicable law, users outside Korea may have additional rights.
- EEA, United Kingdom, Switzerland, and similar regions: right to be informed, access, correction, deletion, restriction of processing, data portability, objection, withdrawal of consent, rights regarding automated decision-making and profiling, and the right to complain to a supervisory authority
- California and certain other U.S. states: right to know categories of personal information collected, used, and disclosed; right to delete; right to correct; right to opt out of sale or sharing; right to limit use of sensitive personal information; and right not to be discriminated against for exercising rights
- Other countries or regions: rights recognized by applicable privacy laws
Even if the Company does not sell personal information or share it for targeted advertising, the Company will disclose the relevant facts and rights procedures where required by applicable law.
If the Company processes personal information of children under 14, it will prepare separate parental consent and rights procedures. If the Service is provided to users outside Korea, age thresholds for children or minors may be higher by region, and the Company will reflect the relevant age limit and guardian consent procedure in the Service.
11. Security Measures
The Company takes the following measures to protect personal information.
- Encryption in transit
- Access minimization and access-right management
- No storage of Uploaded Content and deletion of temporary processing data
- Log masking or blocking so content text is not included in logs
- Security event and error log review
- Secure management of External Processor access keys and API keys
- Prior review of External Processor security levels and data-processing terms
- Incident notification and response procedures under applicable law
12. Privacy Contact
- Privacy officer: BubbleBridge privacy contact
- Email: bubblebridge.contact@gmail.com
- Phone: email support only
- International privacy contact email: bubblebridge.contact@gmail.com
- EU/UK representative or DPO: not currently appointed
Users may contact the Company about privacy inquiries, complaints, or remedies through the contact information above.
Addendum: This Privacy Policy takes effect on April 27, 2026.