Data Processing Agreement (DPA)

Last updated: 1 December 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between LanterNode Inc. (“Processor”, “we”, “us”) and you, the customer (“Controller”, “you”). It governs our processing of personal data on your behalf when you use Fluentade, our language-learning SaaS platform.

This DPA ensures compliance with the Personal Information Protection Act (PIPA) of the Republic of Korea and incorporates internationally recognized data-processing principles.


1. Definitions

For clarity and legal precision, the following terms apply:

1.1 Controller

The natural or legal person who determines the purposes and means of processing personal data. That is you.

1.2 Processor

The entity that processes personal data on behalf of the Controller. That is LanterNode Inc.

1.3 Subprocessor

A third-party service provider engaged by the Processor to assist in delivering infrastructure or operational services.

1.4 Personal Data / Processing

As defined under PIPA, including any collection, storage, transmission, use, recording, or deletion of identifiable information.

1.5 Fluentade

The SaaS platform operated by LanterNode that enables teachers, students, and organizations to manage lessons and learning activities.


2. Scope and Subject Matter of Processing

We process personal data solely to provide, maintain, and improve the Fluentade service in accordance with this DPA and your documented instructions.

2.1 Types of Personal Data

Data processed may include:

  • Account data: name, email, encrypted password, language preferences
  • Learning data: assignments, progress, feedback, vocabulary metrics
  • Audio data: recordings and transcripts generated during lessons
  • User-generated content: uploaded materials, study notes, attachments
  • Technical data: IP address, device details, browser type, session metadata
  • Payment metadata: PayPal transaction references, domestic bank transfer confirmations

We do not process full payment card numbers.

2.2 Categories of Data Subjects

  • Students
  • Teachers
  • Administrative staff
  • Authorized organizational users

2.3 Purpose of Processing

We process personal data exclusively to:

  • Operate Fluentade’s core functionality
  • Facilitate teacher–student interactions
  • Provide AI-enabled educational tools
  • Perform internal diagnostics, security monitoring, and backups
  • Comply with legal, accounting, and regulatory obligations

We will never use your data for advertising, profiling, resale, or unrelated commercial activity.


3. AI-Specific Processing Commitments (Strict Policy)

To address advanced data-protection risks involving AI:

3.1 No Training on Customer Data

Personal data, content, recordings, or any materials processed within your Fluentade environment are never used to train or fine-tune any AI models—ours or third parties’.

3.2 Purpose-Limited AI Processing

AI features operate only for the specific educational function requested (e.g., pronunciation analysis, feedback generation).

Data is not retained or reused for any secondary AI purpose.

3.3 Ownership and Use Restrictions

  • You retain full ownership of all personal and educational data.
  • We do not sell, license, or disclose your data to unrelated third parties.
  • Subprocessors are contractually prohibited from using your data for their own purposes.

3.4 Tenant-Isolated AI Infrastructure

Data is processed in secure environments with strict isolation controls to prevent cross-tenant access or leakage.


4. Data Retention

We retain data only for as long as necessary for the underlying purpose or as required by law:

  • Account and learning data: retained while the account is active
  • Audio recordings: retained for 24 months by default unless the Controller sets a shorter retention period
  • User-generated content: retained until deleted by the Controller
  • Payment records: retained for the statutorily required period (typically 5 years)

Upon termination or request, we will delete or anonymize data unless retention is legally required.


5. Subprocessors

We may engage subprocessors for hosting, storage, backups, email delivery, monitoring, or similar infrastructure needs.

5.1 Subprocessor Requirements

We ensure each subprocessor:

  • Operates under a written contract with equivalent data-protection obligations
  • Implements appropriate security measures
  • May not use your data for independent purposes

5.2 Subprocessor List

A current list of subprocessors is available upon request.

5.3 Changes to Subprocessors

Where legally required, we will notify customers prior to onboarding new subprocessors.

You may object to a new subprocessor if you have a reasonable, documented basis relating to data protection.


6. International Data Transfers

Data may be transferred outside Korea depending on infrastructure, user region, or third-party payment processors (e.g., PayPal).

We ensure:

  • Encrypted and secure transmission
  • Use of internationally recognized contractual safeguards
  • Engagement only with vendors with strong compliance records


7. Security Measures

We implement comprehensive technical and organizational measures, including:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Isolation of customer environments
  • Strict role-based access controls
  • Regular vulnerability scanning and security patching
  • Continuous monitoring and automated threat detection
  • Encrypted backups to prevent data loss

Documentation of specific controls is available upon request.


8. Roles & Responsibilities

8.1 Controller Responsibilities

You agree to:

  • Ensure lawful basis for collecting and processing users’ personal data
  • Provide required notices or obtain consent (especially for minors or audio recordings)
  • Manage deletion requests from your users
  • Keep your administrator credentials secure
  • Ensure data you upload does not violate applicable laws

8.2 Processor Responsibilities

We agree to:

  • Process personal data solely according to your documented instructions
  • Maintain confidentiality and enforce employee access controls
  • Assist with data subject rights requests
  • Support compliance with security and privacy obligations
  • Notify you of data breaches without undue delay
  • Ensure all subprocessors meet equivalent data-protection standards


9. Data Subject Requests

If a student, teacher, or administrative user contacts us directly to:

  • Access their data
  • Request correction or deletion
  • Exercise other statutory rights

we will:

  • Promptly notify you
  • Act only on your documented instructions unless legally required to do otherwise


10. Data Breach Notification

If we detect a personal-data breach affecting your users, we will:

  • Notify you without undue delay
  • Provide information about the nature, scope, and impact of the breach
  • Cooperate with you to meet obligations under PIPA or other applicable laws
  • Support remediation efforts and corrective action


11. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Korea.

Unless otherwise agreed in writing, disputes shall be resolved exclusively by the competent courts of Seoul, subject to mandatory consumer-protection law.


12. Contact Information

For questions regarding this DPA or data-protection matters: info@lanternode.com