South Korea’s data protection authority has concluded that Chinese artificial intelligence startup DeepSeek collected personal information from local users and transferred it overseas without their permission.

The authority, the Personal Information Protection Commission, released its written findings on Thursday in connection with a privacy and security review of DeepSeek.

It follows DeepSeek’s removal of its chatbot application from South Korean app stores in February at the recommendation of PICP. The agency said DeepSeek had committed to cooperate on its concerns. 

During DeepSeek’s presence in South Korea, it transferred user data to several firms in China and the U.S. without obtaining the necessary consent from users or disclosing the practice, the PIPC said.

The agency highlighted a particular case in which DeepSeek transferred information from user-written AI prompts, as well as device, network, and app information, to a Chinese cloud service platform named Beijing Volcano Engine Technology Co.

While the PIPC identified Beijing Volcano Engine Technology Co. as “an affiliate” of TikTok-owner ByteDance, the information privacy watchdog noted in a statement that the cloud platform “is a separate legal entity and has no relation to ByteDance,” according to a Google translation.

According to PIPC, DeepSeek said it used Beijing Volcano Engine Technology’s services to improve the security and user experience of its app, but later blocked the transfer of AI prompt information from April 10.

DeepSeek and ByteDance did not immediately respond to inquiries from CNBC. 

The Hangzhou-based AI startup took the world by storm in January when it unveiled its R1 reasoning model, rivaling the performance of Western competitors despite the company’s claims that it was trained for relatively low costs and with less advanced hardware. 

However, the app’s rising popularity quickly triggered national security and data concerns outside China due to Beijing’s requirement for domestic firms to share data with the PRC. Cybersecurity experts have also flagged data vulnerabilities in the app and voiced concerns about the company’s privacy policy. 

PIPC on Thursday said it had issued a corrective recommendation to DeepSeek, which includes requests to immediately destroy AI prompt information transferred to the Chinese company in question and to set up legal protocols for transferring personal information overseas.

When the data protection authority announced the removal of DeepSeek from local app stores, it signaled that the app would become available again once the company implemented the necessary updates to comply with local data protection policy.

That investigation followed reports that some South Korean government agencies had banned employees from using DeepSeek on work devices. Other global government departments, including in Taiwan, Australia, and the U.S., have reportedly instituted similar bans.