Privacy Policy
Version: 1.0
Last updated: 03 Sep 2025
Applies to: Carpe Diem Glocal Co., Ltd. (“Glocaltrans”, “we/us/our”)
The objective of this policy is to protect customers’ personal data and project data during translation and content creation activities in a professional manner, in compliance with Decree 13/2023/ND-CP (PDPD) and relevant international standards (e.g. GDPR where applicable).
1) Scope & Legal Roles
- Scope: glocaltrans.org, our email/storage systems, and operations for translation, editing/LQA, localization, copywriting, subtitling, and related project workflows.
- Roles:
  - For client-supplied project files, we usually act as a Processor on behalf of the client (Controller).
  - For website/marketing data, we act as the Controller.
- Legal bases (illustrative): performance of contract or pre-contract steps; consent where required; compliance with law; legitimate interests (security, fraud prevention, service analytics).
2) Core Principles
- Data minimization — only what is necessary for defined purposes.
- Transparency — clear notices on purposes, retention, sharing.
- Security by design — least-privilege access, encryption, logging, backups.
- No training of public AI on client data — unless expressly authorized in writing under controlled conditions.
- Integrity & availability — periodic testing, incident response, disaster recovery.
3) Data We Process
- Contact data: name, company/title, email, phone, address.
- Project data: source files (DOCX, PDF, HTML, ZIP…), termbases, styleguides, brand voice notes, contextual references; may include third‑party personal data provided by the client.
- Website/tech data: IP address, browser type, cookies/analytics, form events.
- Billing/accounting: transaction details and invoices where applicable.
- Recruitment (if applicable): CVs, qualifications, domain expertise.
Sensitive data: If project files contain special categories (e.g., health, children’s data, criminal records), we follow the client’s documented instructions and implement additional safeguards.
4) Sources of Data
- Directly from clients via form/email/secure upload.
- From website users (cookies/analytics/support chat).
- From authorized partners (e.g., subcontractors with NDA/DPA).
5) Purposes of Use
- Service delivery: translation, editing, LQA, transcreation, localization, subtitling.
- Quality management: termbase/styleguide management, version control, MQM scoring, random QA checks.
- Support & aftercare: responses to requests; 7‑day warranty for minor fixes.
- Operations & security: logs, anti‑spam, backup, recovery testing.
- Accounting & compliance.
- Opt‑in marketing: resource downloads (templates), case studies, newsletters.
6) AI/ML & CAT Tools
- We do not upload client files to public AI models by default.
- We may use CAT/QA tools (e.g., Trados/memoQ/Xbench) and/or enterprise AI with contractual assurances (no training on client data; controlled retention) only with client consent or where the contract permits.
- Where feasible, we anonymize/pseudonymize/redact sensitive elements before any automated processing.
7) Sharing & International Transfers
We do not sell personal data. We share on a need‑to‑know basis with:
- Hosting & storage providers;
- Email & collaboration tools;
- CAT/QA platforms;
- Accounting/payment services;
- Web analytics providers.
All vendors and/or subcontractors are required to sign a Non-Disclosure Agreement (NDA) and/or a Data Processing Agreement (DPA); access is granted strictly on the principle of least privilege. For cross-border data transfers, we apply appropriate safeguards (e.g., Standard Contractual Clauses/SCCs where applicable) and conduct impact assessments & provide notifications in accordance with the PDPD, as required by law.
8) Retention
- Project records: default 24 months from final delivery, unless the contract states otherwise or the client requests earlier deletion or longer retention.
- Termbases/Styleguides: retained until engagement ends or deletion is requested.
- System logs/analytics: 3–12 months depending on technical needs.
- Accounting records: retained per legal requirements.
9) Security Measures
- Organizational: role‑based access, mandatory NDAs, privacy/security training, onboarding/offboarding controls.
- Technical: encryption in transit/at rest; MFA; endpoint controls; backups; firewall/WAF; malware scanning; logging and alerting; periodic testing.
- Vendor governance: risk assessments, DPA/NDA, data‑location review.
10) Your Rights
Depending on your jurisdiction, you may exercise the following rights: to be informed, to give or withdraw consent, to access, rectify, erase, restrict processing, object, data portability, and to lodge a complaint. Submit requests via the channel in Section 13; we will respond within the statutory time limit. Where a request concerns project data controlled by a client, we will coordinate with the client to assist in handling it.
11) Children
We do not target children below the applicable age threshold. If project files include children’s data, we act under the client’s instructions and seek guardian consent when required.
12) Cookies and Analytics
- Essential cookies operate the site; analytics/marketing cookies run only with your consent.
- You can adjust preferences anytime via the Cookie Settings link in the footer.
13) Incidents & Breach Notification
- On detecting a breach, we activate incident response, contain, remediate, and log.
- Notice: In accordance with the PDPD, we will notify the competent authorities within the legally stipulated period and inform relevant parties when necessary. In our role as a Data Processor, we will immediately notify our clients so that they can fulfill their respective legal obligations.
14) Contact & Complaints
- Data Protection / Privacy: admin@glocaltrans.org
- Phone: +84 934 784 004
- Address: 187A Phan Dang Luu, Hoa Cuong, Da Nang, Vietnam
15) Changes to this Policy
We may update this Policy to reflect legal or operational changes. We will post the effective date on glocaltrans.org.
FAQ:
Contact details; project files (source, termbases, styleguides, notes); website/technical data (IP, cookies/analytics); accounting records where applicable. Project content may include third-party personal data supplied by the client.
Contract fulfilment/quotations; quality management (MQM, termbase); 7-day aftercare; operations/security; accounting/compliance; opt-in marketing. Bases: contract, consent where required, legitimate interests, legal obligations.
For client-supplied project files: Processor. For website/marketing data: Controller.
Not by default. We may use CAT/QA or enterprise AI only with written authorization and safeguards; we favor anonymization/pseudonymization/redaction.
Minimal sharing with hosting/storage, email/collaboration, CAT/QA, accounting, analytics. A sub-processor is a contracted provider bound by NDA/DPA with least-privilege access.
Possible where infrastructure/tools require. We use appropriate safeguards (e.g., SCCs) and, where required, transfer impact assessments.
Project archives 24 months by default from final delivery; early deletion or long-term archiving available upon request.
Least-privilege access, NDAs, encryption in transit/at rest, MFA, endpoint protection, backups, WAF/anti-malware, logging/alerting, periodic testing.
Rights to be informed/access/rectify/erase/restrict/object/portability (as applicable). Contact admin@glocaltrans.org. For client-controlled data, we assist the client in responding.
We trigger incident response and notify without undue delay per applicable law (e.g., GDPR target: 72 hours to the authority). As Processor, we notify the client promptly.
Analytics/marketing cookies run only with consent; change preferences via the Cookie Settings link.
DPO/Privacy: admin@glocaltrans.org • Phone: +84 934 784 004 • Address: 187A Phan Dang Luu, Hoa Cuong, Da Nang, Vietnam