Private Policy

Version: 1.0
Last updated: 03 Sep 2025
Applies to: Carpe Diem Glocal Co., Ltd. (“Glocaltrans”, “we/us/our”)

The objective of this policy is to protect customers’ personal data and project data during translation and content creation activities in a professional manner, in compliance with Decree 13/2023/ND-CP (PDPD) and relevant international standards (e.g. GDPR where applicable).

1) Scope & Legal Roles

• Scope: glocaltrans.org, our email/storage systems, and operations for translation, editing/LQA, localization, copywriting, subtitling, and related project workflows.
• Roles:
  • For client-supplied project files, we usually act as a Processor on behalf of the client (Controller).
  • For website/marketing data, we act as the Controller.
• Legal bases (illustrative): performance of contract or pre-contract steps; consent where required; compliance with law; legitimate interests (security, fraud prevention, service analytics).

2) Core Principles

• Data minimization — only what is necessary for defined purposes.
• Transparency — clear notices on purposes, retention, sharing.
• Security by design — least-privilege access, encryption, logging, backups.
• No training of public AI on client data — unless expressly authorized in writing under controlled conditions.
• Integrity & availability — periodic testing, incident response, disaster recovery.

3) Data We Process

• Contact data: name, company/title, email, phone, address.
• Project data: source files (DOCX, PDF, HTML, ZIP…), termbases, styleguides, brand voice notes, contextual references; may include third‑party personal data provided by the client.
• Website/tech data: IP address, browser type, cookies/analytics, form events.
• Billing/accounting: transaction details and invoices where applicable.
• Recruitment (if applicable): CVs, qualifications, domain expertise.

Sensitive data: If project files contain special categories (e.g., health, children’s data, criminal records), we follow the client’s documented instructions and implement additional safeguards.

4) Sources of Data

• Directly from clients via form/email/secure upload.
• From website users (cookies/analytics/support chat).
• From authorized partners (e.g., subcontractors with NDA/DPA).

5) Purposes of Use

• Service delivery: translation, editing, LQA, transcreation, localization, subtitling.
• Quality management: termbase/styleguide management, version control, MQM scoring, random QA checks.
• Support & aftercare: responses to requests; 7‑day warranty for minor fixes.
• Operations & security: logs, anti‑spam, backup, recovery testing.
• Accounting & compliance.
• Opt‑in marketing: resource downloads (templates), case studies, newsletters.

6) AI/ML & CAT Tools

• We do not upload client files to public AI models by default.
• We may use CAT/QA tools (e.g., Trados/memoQ/Xbench) and/or enterprise AI with contractual assurances (no training on client data; controlled retention) only with client consent or where the contract permits.
• Where feasible, we anonymize/pseudonymize/redact sensitive elements before any automated processing.

7) Sharing & International Transfers

We do not sell personal data. We share on a need‑to‑know basis with:

• Hosting & storage providers;
• Email & collaboration tools;
• CAT/QA platforms
• Accounting/payment services;
• Web analytics providers.

All vendors and/or subcontractors are required to sign a Non-Disclosure Agreement (NDA) and/or a Data Processing Agreement (DPA); access is granted strictly on the principle of least privilege. For cross-border data transfers, we apply appropriate safeguards (e.g., Standard Contractual Clauses/SCCs where applicable) and conduct impact assessments & provide notifications in accordance with the PDPD, as required by law.

8) Retention

• Project records: default 24 months from final delivery, unless the contract states otherwise or the client requests earlier deletion or longer retention.
• Termbases/Styleguides: retained until engagement ends or deletion is requested.
• System logs/analytics: 3–12 months depending on technical needs.
• Accounting records: retained per legal requirements.

9) Security Measures

• Organizational: role‑based access, mandatory NDAs, privacy/security training, onboarding/offboarding controls.
• Technical: encryption in transit/at rest; MFA; endpoint controls; backups; firewall/WAF; malware scanning; logging and alerting; periodic testing.
• Vendor governance: risk assessments, DPA/NDA, data‑location review.

10) Your Rights

Tùy khu vực pháp lý, bạn có thể thực hiện: quyền biết, đồng ý/thu hồi đồng ý, truy cập, sửa, xoá, hạn chế xử lý, phản đối, di chuyển dữ liệu, khiếu nại. Gửi yêu cầu qua kênh ở Mục 13; chúng tôi sẽ phản hồi trong thời hạn luật định. Khi yêu cầu liên quan tới dữ liệu dự án do khách hàng kiểm soát, chúng tôi sẽ phối hợp để hỗ trợ xử lý.

11) Children

We do not target children below the applicable age threshold. If project files include children’s data, we act under the client’s instructions and seek guardian consent when required.

12) Cookies and Analytics

• Essential cookies operate the site; analytics/marketing cookies run only with your consent.
• You can adjust preferences anytime via the Cookie Settings link in the footer.

13) Incidents & Breach Notification

• On detecting a breach, we activate incident response, contain, remediate, and log.
• Notice: In accordance with the PDPD, we will notify the competent authorities within the legally stipulated period and inform relevant parties when necessary. In our role as a Data Processor, we will immediately notify our clients so that they can fulfill their respective legal obligations.

14) Contact & Complaints

• Data Protection / Privacy: admin@glocaltrans.org
• Phone: +84 934 784 004
• Address: 187A Phan Dang Luu, Hoa Cuong, Da Nang, Vietnam

15) Changes to this Policy

We may update this Policy to reflect legal or operational changes. We will post the effective date on glocaltrans.org.