Effective Date: July 30, 2025

1. INTRODUCTION AND ACCEPTANCE

1.1 Welcome Message

Welcome to [ Creao AI ] ("the Company," "we," "us," or "our"). We are dedicated to providing innovative generative artificial intelligence (AI) services that cater to a wide range of user needs. Our core services include, but are not limited to,[ intelligent content generation, data analysis and processing, AI-driven consultation, and customized solution development (collectively, the "Services").] We strive to deliver efficient, secure, and high-quality services to enhance your experience and meet your diverse requirements in both personal and professional scenarios. Our commitment to user privacy and data protection is integral to our mission, and we continuously invest in advanced security technologies and privacy-enhancing measures to safeguard your information.

1.2 Legal Binding Nature

This Privacy Notice and Personal Information Protection Agreement ("Agreement") constitutes a legally binding contract between you ("User," "you," or "your") and the Company. By accessing, registering for, or using our Services, you acknowledge and agree that you have read, fully understood, and voluntarily accepted all the terms and conditions set forth in this Agreement. This Agreement governs the collection, use, storage, protection, disclosure, and other processing activities of your Personal Information (including Sensitive Personal Information, where applicable) in the context of your interaction with our Services.

1.3 Scope of Application

This Agreement applies to all aspects of your access to and use of our Services, including but not limited to our website (https://creao.ai/), mobile applications, application programming interfaces (APIs), and any other related platforms (collectively, the "Platform"). It covers all Personal Information you provide, generate, or that is collected in the course of your use of the Services, regardless of the device or method you use to access the Platform. This Agreement also applies to any beta or pre-release versions of our Services, as well as any future updates, modifications, or additions to the Services, unless explicitly stated otherwise in a separate agreement.

1.4 Special Reminder

Your privacy is of utmost importance to us, and we take the protection of your Personal Information seriously. PLEASE READ THIS AGREEMENT THOROUGHLY AND CAREFULLY BEFORE USING OUR SERVICES. This Agreement contains crucial information regarding your legal rights, remedies, and obligations.

By accessing, registering for, or using the Services, you confirm that you have read, understood, and agreed to be bound by all the terms and conditions of this Agreement. If you do not agree to any part of this Agreement, you must not access or use the Services. In such case, you may contact our customer support team to discuss alternative arrangements, if available, for accessing certain functionalities without agreeing to all terms. We reserve the right to modify or update this Agreement from time to time, and any changes will be posted on the Platform with a revised "Last Updated" date. Your continued use of the Services after the effective date of the updated Agreement constitutes your acceptance of the changes. 

We encourage you to periodically review this Agreement to stay informed about our privacy practices.

2. DEFINITIONS

2.1 Aggregate/Anonymous Information

"Aggregate/Anonymous Information" refers to information that does not identify and cannot reasonably be used to identify an individual User. It is created by aggregating or anonymizing Personal Information through processes that permanently remove the original identifiers. This type of information is stripped of any data that could link it back to a specific individual, such as names, identification numbers, or unique online identifiers. Aggregate/Anonymous Information is often used for statistical analysis, research, market trends assessment, and service improvement purposes, as it allows us to gain insights without compromising individual privacy.

2.2 AI Model Training

"AI Model Training" denotes the comprehensive process of using various types of data (which may include User Content and Usage Data) to develop, train, test, validate, improve, and fine-tune generative AI models, algorithms, and related systems. This process involves feeding data into the models to enable them to learn patterns, recognize relationships, make predictions, and generate relevant outputs. AI Model Training is essential for enhancing the performance, accuracy, reliability, and functionality of our AI services, allowing us to provide more intelligent and effective solutions to users.

2.3 Consent

"Consent" means any freely given, specific, informed, and unambiguous indication of your wishes. It is expressed through a clear affirmative action, such as checking a box, clicking an "accept" button, or providing explicit verbal or written confirmation, signifying your agreement to the processing of your Personal Information. Your Consent must be given voluntarily without any coercion, deception, or undue influence. We ensure that you are provided with sufficient information about the purpose, scope, and implications of the processing before you give your Consent, enabling you to make an informed decision. You have the right to withdraw your Consent at any time, subject to the provisions of this Agreement.

2.4 Content

"Content" encompasses two main categories:

1. "Input Content": This refers to all data, text, prompts, instructions, questions, documents, images, code snippets, audio files, video clips, or any other materials you provide, upload, submit, or generate as input to the Services. Input Content is the information you share with our AI models to obtain the desired outputs.

2. "Output Content": This denotes the corresponding data, text, images, code, analyses, reports, recommendations, or other materials generated and returned by the Services based on your Input Content. Output Content is the result of the AI models' processing of your Input Content, tailored to your specific requests and requirements.

2.5 Cookies and Similar Technologies

"Cookies and Similar Technologies" refer to small data files or tracking mechanisms placed on your device when you access the Platform. This includes, but is not limited to, cookies (small text files stored on your browser), pixel tags (invisible images embedded in web pages or emails), web beacons (small pieces of code that transmit information), local storage (data stored locally on your device), and other similar tracking technologies. These technologies help us recognize your device, remember your preferences, analyze your usage patterns, and enhance the functionality and personalization of the Services.

2.6 Personal Information (or Personal Data)

"Personal Information" (or "Personal Data") means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g., social security number, driver's license number), location data (e.g., IP address, geolocation coordinates), an online identifier (e.g., username, device ID), or to one or more factors specific to the physical (e.g., biometric data), physiological (e.g., health records), genetic, mental, economic, cultural, or social identity of that natural person. Examples of Personal Information include your full name, email address, phone number, postal address, payment details, browsing history, and user profiles.

2.7 Processing (or Process)

"Processing" (or "Process") means any operation or set of operations performed on Personal Information, whether or not by automated means. This includes, but is not limited to, collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment, combination, restriction, erasure, or destruction of Personal Information. Processing activities are carried out in accordance with the purposes specified in this Agreement and applicable data protection laws.

2.8 Profile

"Profile" means any form of automated processing of Personal Information to evaluate certain personal aspects relating to a natural person. In particular, it involves analyzing or predicting aspects concerning that person's preferences, behavior, interests, needs, location, or movements. Profiling may be used to personalize the Services, provide targeted recommendations, improve user experience, or for security and fraud prevention purposes. We ensure that profiling activities are conducted in compliance with applicable laws and do not result in unfair or discriminatory treatment.

2.9 Sensitive Personal Information

"Sensitive Personal Information" means a subset of Personal Information that, due to its nature, requires special protection under applicable law. This typically includes, but is not limited to: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person (e.g., fingerprint, facial recognition data); data concerning health (e.g., medical records, health status, diagnosis); data concerning a natural person's sex life or sexual orientation; precise geolocation data (e.g., location data that can identify a specific address or area within a small radius); financial account/payment data in combination with access credentials (e.g., bank account number with password, credit card details with security code); and the Personal Information of a known child (under the age specified by local law).

2.10 Services

"Services" has the meaning given in Section 1.1, referring to the innovative generative artificial intelligence services provided by the Company, including intelligent content generation, data analysis and processing, AI-driven consultation, customized solution development, and any other related services made available through the Platform.

2.11 Third Party

"Third Party" means any natural or legal person, public authority, agency, or body other than you, the Company, or a Company affiliate. Third Parties may include service providers, contractors, business partners, and other entities with whom we interact in the course of providing the Services. We only share your Personal Information with Third Parties in accordance with this Agreement and applicable law.

2.12 Usage Data

"Usage Data" means information collected automatically during your interaction with the Platform. This includes, but is not limited to, IP address, device identifiers (e.g., device model, unique device ID), browser type and version, operating system, referring URLs (the website you visited before accessing our Platform), access times and dates, pages viewed, duration of visits, the features and functions you use, the frequency and volume of your queries, response latency, error logs, and other diagnostic data. Usage Data helps us understand how users interact with the Services, identify areas for improvement, and ensure the smooth operation and security of the Platform.

2.13 User or You

"User" or "You" means any individual who accesses or uses the Services, including registered users who have created an account and unregistered users who access certain parts of the Platform without registration. By accessing or using the Services, you agree to be bound by the terms and conditions of this Agreement.

3. INFORMATION WE COLLECT AND HOW WE USE IT

This section provides a comprehensive and transparent overview of the categories of Personal Information (including Sensitive Personal Information, where applicable) that the Company may Process in the course of providing the Services, the specific purposes for which we Process such information, and the corresponding legal bases that legitimize our Processing activities under applicable data protection laws. Our practices are guided by the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. We are committed to collecting only the information necessary to fulfill the stated purposes and using it in a manner that respects your privacy rights.

3.1 Categories of Information We Collect

We collect information from three main sources: information you provide directly, information collected automatically through your interaction with the Platform, and information from third-party sources in certain limited circumstances. The scope of collection is proportionate and necessary to achieve the specified purposes outlined in Section 3.2. We do not collect information that is irrelevant to the provision of the Services or exceeds the scope required to fulfill the stated purposes. Our data collection practices are subject to regular privacy impact assessments (PIAs) and data protection audits to ensure compliance with our privacy-by-design and privacy-by-default principles. We implement data minimization techniques such as pseudonymization and anonymization where feasible to reduce privacy risks.

3.1.1 Information You Provide Directly

You voluntarily provide certain information to us when you interact with the Services. This information is essential for us to establish and maintain your account, provide the requested services, and communicate with you effectively. The types of information you may provide directly include, but are not limited to:

1. Account and Registration Information: When you create an account or register for the Services, we collect information necessary to establish and maintain your account. This includes your full name, a valid email address, a unique username you select, and a password of your choice. You may also choose to add a profile picture, date of birth, gender, or other identifying imagery to personalize your account. This information helps us verify your identity, secure your account, and provide you with a personalized user experience. We strongly recommend that you use a strong, unique password for your account and enable two-factor authentication (2FA) when available to enhance account security. We do not collect government-issued identification numbers (such as social security numbers) for general account registration purposes.

2. Commercial and Transactional Information: If you subscribe to or purchase any paid tier of the Services, we or our designated third-party payment processors collect billing details, payment card information (e.g., card number, expiration date, security code), billing address, and transaction history. We do not store full payment card details on our servers; such information is handled by PCI-DSS compliant payment processors to ensure the security of your payment information. This information is used to process your payments, fulfill your subscription or purchase, and maintain accurate financial records. For enterprise customers, we may also collect purchase order numbers, authorized signatory information, and billing contact details to facilitate corporate billing processes and account management.

3. User-Generated Content (Input and Output): This constitutes the core of your interaction with our generative AI. "Input Content" refers to all data, text, prompts, instructions, questions, documents, images, code snippets, audio files, video clips, or any other material you upload, submit, or otherwise provide as input to the Services. "Output Content" refers to the corresponding apps, text, images, code, analyses, reports, recommendations, or other materials generated and returned to you by the AI models based on your Input Content. Collectively, these are referred to as "User Content." User Content is used to provide the requested services, train and improve our AI models (in accordance with Section 3.2.2), and resolve any issues or disputes related to your use of the Services. We implement content filtering and moderation systems to prevent the submission of harmful, illegal, or policy-violating content. You retain ownership of your Input Content, subject to the license granted to us in our Terms of Service for the purposes of providing and improving the Services.

4. Communication and Correspondence: When you contact our customer support team, participate in user research surveys, provide feedback, report a problem, or otherwise communicate with us, we collect the content of your messages, your contact information (e.g., email address, phone number), and any attachments or screenshots you provide. This information is used to respond to your inquiries, address your concerns, improve the quality of our customer support, and gather insights to enhance the Services. We may record and analyze customer support calls for training, quality assurance, and service improvement purposes, with prior notification to you. All communication data is stored in secure, access-controlled systems and retained only for as long as necessary to fulfill the purposes described in this Agreement.

5. Voluntary Profile Information: You may elect to provide additional information to personalize your experience, such as your professional title, company affiliation, job role, areas of interest, industry, or a biographical description. This information helps us tailor the Services to your specific needs and preferences, provide relevant recommendations, and connect you with other users or resources that may be of interest to you. Profile information is visible only to you and authorized Company personnel unless you explicitly choose to share it publicly through community features or social sharing options. You can update or delete your profile information at any time through your account settings.

6. Preference and Consent Management Information: We collect and maintain records of your privacy preferences, consent choices, and opt-in/opt-out decisions regarding marketing communications, data processing activities, and third-party data sharing. This includes timestamps of when you provided or withdrew consent, the specific context of the consent, and the method through which consent was obtained (e.g., checkbox selection, preference center). These records are essential for demonstrating compliance with consent requirements under applicable data protection laws and for respecting your privacy choices.

3.1.2 Information Collected Automatically (Usage Data)

When you access or use the Services, we and our authorized service providers automatically collect certain technical and behavioral information about your device and interaction with the Platform. This Usage Data is essential for the operational delivery, security, and improvement of the Services. It allows us to understand how users engage with the Platform, identify potential issues, and optimize the performance and functionality of the Services. The types of Usage Data we collect include, but are not limited to:

1. Log and Device Data: We collect information such as your Internet Protocol (IP) address, browser type and version (e.g., Chrome, Firefox, Safari), device type and model (e.g., smartphone, tablet, laptop), operating system (e.g., iOS, Android, Windows), unique device identifiers (e.g., IMEI, MAC address), mobile network information (e.g., carrier name, signal strength), and the date, time, and duration of your access sessions. This information helps us identify the devices and browsers used to access the Services, troubleshoot technical issues, and ensure compatibility with different platforms.

2. Interaction and Activity Data: We collect data about your interactions with the Platform, including the features you use (e.g., content generation, data analysis), the pages or screens you view, the sequences of your actions (e.g., the order in which you navigate through the Platform), the frequency and volume of your queries, response latency (the time it takes for the Services to respond to your requests), and error logs (information about any errors or technical issues you encounter). This includes metadata associated with your User Content (e.g., prompt length, model version used, timestamp). This information helps us understand user behavior patterns, identify popular features, and optimize the user interface and user experience.

3. Cookies and Similar Technologies: As detailed in Section 4, we use cookies, web beacons, pixel tags, and local storage to collect information about your browsing activities across our Services and, where you have consented, to remember your preferences. This may include information about the referring URL (the website you came from), pages visited on our Platform, time spent on each page, the links you click, and your preferences (e.g., language settings, display preferences). This information helps us personalize your experience, and improve the functionality of the Platform. We categorize cookies based on their function (essential, performance, functionality, social media) and provide granular controls in our cookie preference center to allow you to manage your preferences for non-essential cookies.

4. Inferred Data: Through the analysis of the aforementioned Usage Data, we may derive or infer certain non-precise information about you. For example, we may infer your general geographic location (at the city or country level) based on your IP address, your primary language based on your browser settings or the language used in your Input Content, or your broad usage patterns (e.g., frequent use of certain features) to personalize default settings and provide more relevant recommendations. Inferred Data is used to enhance the user experience and does not identify you individually. We apply strict logical and statistical safeguards to ensure that inferred data cannot be reverse-engineered to reveal your identity. Inferred data is regularly reviewed and purged when no longer necessary for the stated purposes.

5. Security and Fraud Prevention Data: We automatically collect and analyze data patterns to detect and prevent security threats, fraud, and abuse of the Services. This includes monitoring for unusual login patterns, suspicious API call volumes, brute-force attack attempts, and other anomalous activities that may indicate malicious behavior. We use automated systems and machine learning algorithms to identify potential threats while minimizing false positives. This security data is processed separately from other Usage Data and is retained only as long as necessary for security purposes.

3.1.3 Information from Third Parties

In limited scenarios, we may receive information about you from third-party sources, always in compliance with applicable laws and contractual obligations. We only collect information from third parties if it is necessary to fulfill the purposes outlined in this Agreement and if we have a legitimate basis for doing so. The types of information we may receive from third parties include, but are not limited to:

1. Authentication Partners: If you choose to register or log in using a single sign-on service (e.g., Google, Microsoft, Apple), we may receive your name, email address, and profile identifier from that provider, as permitted by your privacy settings with them. This information is used to simplify the registration and login process, verify your identity, and create or link your account with our Platform. We only receive the minimum information necessary from authentication partners and do not access your social media contacts, posts, or other unrelated information without your explicit permission. You can manage the information shared with us through your privacy settings with the respective authentication provider.

2. Service and Integration Partners: If you connect third-party applications or services (e.g., cloud storage providers, productivity tools, project management software) to our Platform via our API or integration features, we may receive information as authorized by you through that connection. For example, if you integrate your cloud storage account with our Services, we may access the files and data you choose to share from that account to process them using our AI models. This information is used to provide the integrated services you request and enhance the functionality of our Platform.

3. Publicly Available Sources and Data Providers: For business-to-business services or to enhance our security and fraud prevention capabilities, we may obtain limited business contact information (e.g., company name, contact person, email address) or fraud risk indicators from legally permissible public sources (e.g., business directories, government databases) or specialized data providers. We ensure that the information obtained from these sources is accurate, relevant, and collected in accordance with the principles of data quality and legality. This information is used to verify the identity of business users, prevent fraud and unauthorized access, and improve the security of the Services.

3.2 Purposes and Legal Bases for Processing

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintain detailed records of processing activities (ROPA) as required by applicable laws. Our legal basis assessments are regularly reviewed and updated to reflect changes in our services, technology, and legal requirements. We Process your Personal Information only for specified, explicit, and legitimate purposes as described below. We rely on one or more of the following legal bases as required by applicable data protection regulations: (a) Your Consent; (b) Performance of a Contract with you (i.e., to provide the Services you request); (c) Compliance with a Legal Obligation; (d) Protection of Vital Interests; (e) Public Interest; or (f) our Legitimate Interests, provided that such interests are not overridden by your fundamental rights and freedoms. 

The specific legal basis for each primary processing purpose is indicated below. We ensure that our processing activities are proportionate to the stated purposes and do not exceed what is necessary to achieve those purposes.

3.2.1 To Provide, Operate, and Maintain the Services

We Process your Account Information, User Content, and necessary Usage Data to deliver the core contractual functionality of our generative AI Services. This is essential to fulfill our obligations under the contract we have with you when you access or use the Services. The specific activities include:

1. Creating, managing, and securing your user account to ensure that only authorized individuals can access your account and the Services.

2. Authenticating your identity for access to prevent unauthorized access and protect the security of your account and personal information.

3. Processing transactions and subscription payments to ensure that you can access the paid tiers of the Services you have subscribed to and that we receive payment for the services provided.

4. Executing your queries, generating Output Content from your Input Content, and delivering the results to you in a timely and accurate manner.

5. Providing technical and customer support, and responding to your inquiries to address any issues or concerns you may have and ensure a smooth user experience.

6. Communicating with you regarding service announcements, administrative messages, and updates essential to your account or the Services (e.g., changes to terms, security alerts) to keep you informed and ensure that you are aware of important developments related to the Services.

7. Implementing and maintaining data backup and disaster recovery systems to ensure service continuity and data integrity in case of technical failures or unforeseen events.

8. Conducting capacity planning and load balancing to optimize resource allocation and maintain optimal service performance during peak usage periods.

Primary Legal Basis: Performance of our Terms of Service/User Agreement with you. For certain ancillary administrative communications (e.g., notifying you of a scheduled maintenance), our Legitimate Interest in ensuring the stable and secure operation of the Services.

3.2.2 To Improve, Develop, and Train Our AI Models

This purpose is fundamental to the nature of our business as a generative AI company. Continuous improvement of our AI models is necessary to enhance their accuracy, reliability, safety, capabilities, and performance, which ultimately benefits all users by providing more effective and efficient services. To this end, we may Process:

1. User Content (Input and Output): This data is used to train, fine-tune, validate, and improve our underlying AI models and algorithms. This involves analyzing patterns in the data to help the models learn language structures, factual associations, reasoning, and creative generation. We implement robust technical and organizational measures designed to de-identify and aggregate this data prior to its use in training subsequent model versions, where feasible and appropriate. De-identification involves removing or altering personal identifiers such that the data can no longer be linked back to a specific individual. Aggregation involves combining data from multiple users to create a dataset that does not identify any individual user. By using de-identified and aggregated User Content, we can improve the performance of our AI models without compromising your privacy.

2. Usage Data: We analyze how features are used, where errors occur, and performance metrics to identify areas for improvement, optimize resource allocation, and develop new functionalities. For example, if we notice that a particular feature is rarely used or generates a high number of errors, we may investigate and make improvements to that feature. Usage Data also helps us understand user preferences and behavior, which allows us to tailor the Services to better meet user needs.

3. Research and Development (R&D): We conduct R&D activities to advance the field of AI, develop new models (e.g., more efficient architectures, specialized capabilities for specific industries or use cases), and create novel features that benefit all users. R&D activities may involve exploring new algorithms, testing new approaches to AI model training, and collaborating with academic institutions or research organizations. The results of our R&D efforts are used to enhance the existing Services and develop new services that provide greater value to users. Our R&D activities adhere to ethical AI principles and responsible innovation frameworks. We conduct algorithmic bias assessments, fairness evaluations, and safety testing to identify and mitigate potential harms before deploying new AI capabilities. We also participate in industry initiatives and share research findings (in de-identified form) to contribute to the broader AI community's understanding of privacy-preserving AI development.

Primary Legal Basis: Our Legitimate Interest in researching, developing, and improving our Services, products, and technologies, which benefits users through enhanced quality and innovation. In jurisdictions requiring a specific legal basis for using personal data to train AI, and where such use extends beyond what is strictly necessary for the direct service provision, we rely on your Consent, which you may withdraw at any time via your account settings (though withdrawal does not affect the lawfulness of processing prior to withdrawal). We do not use Sensitive Personal Information for AI Model Training. We provide granular consent options in our privacy settings that allow you to control whether your User Content is used for different types of model improvement activities (e.g., general model training, specialized model development, research publications). You can modify these settings at any time through your account dashboard.

3.2.3 To Ensure Safety, Security, and Integrity

We Process information to protect our Users, the Platform, and the public from harm, abuse, and illegal activity. This is essential to maintain a safe and secure environment for all users and to comply with our legal obligations related to cybersecurity and fraud prevention. The specific activities include:

1. Monitoring and analyzing activity to detect, prevent, investigate, and respond to security incidents (e.g., data breaches, hacking attempts), fraud (e.g., unauthorized transactions, identity theft), spam, malware, and other malicious activities. We use automated tools and manual reviews to monitor user activity and identify potential threats.

2. Enforcing our Terms of Service, Acceptable Use Policy, and other applicable policies, including preventing misuse of the Services (e.g., generating harmful content, attempting to bypass safety filters, unauthorized access to the Platform or other users' accounts). This may involve automated and manual review of User Content to ensure compliance with our policies.

3. Protecting the rights, property, or personal safety of the Company, our Users, or the public. For example, if we receive a report of a user generating harmful or illegal content, we may take action to remove the content and suspend or terminate the user's account to prevent further harm.

4. Conducting audits, vulnerability assessments, and penetration testing to maintain and enhance our security posture. These activities help us identify and address potential security vulnerabilities in the Platform and ensure that our security measures are effective.

5. Implementing and maintaining advanced threat detection systems that use behavioral analytics and machine learning to identify anomalous patterns indicative of security threats or policy violations.

6. Establishing and maintaining incident response plans and procedures to ensure rapid and effective response to security incidents, including data breach notification processes as required by applicable laws.

7. Conducting regular security awareness training for employees and contractors to ensure they understand and follow security best practices and procedures.

Primary Legal Basis: Our Legitimate Interest in protecting our business and users from harm and ensuring a secure environment. Compliance with Legal Obligations related to cybersecurity and fraud prevention (e.g., reporting data breaches to relevant authorities, cooperating with law enforcement investigations).

3.2.4 To Communicate with You

We use your contact information to send you different types of communications, as legally justified. The purpose of these communications is to keep you informed about the Services, provide you with relevant information and offers, and gather feedback to improve the Services. The types of communications include:

1. Service Communications: As mentioned in 3.2.1, these are essential messages related to your account and the Services' functioning. Examples include notifications about account activity (e.g., login from a new device), updates to the Services (e.g., new features, bug fixes), and information about scheduled maintenance. Service communications are mandatory and cannot be opted out of, as they contain important information about your account and the Services. However, you can choose your preferred communication channel (e.g., email, in-app notifications) for different types of service messages through your account preferences.

Legal Basis: Performance of Contract / Legitimate Interest.

b. Promotional/Marketing Communications: To inform you about new features, products, service tiers, events, or offers that may be of interest to you. These communications may

include emails, push notifications, or in-app messages about discounts, special

promotions, or new services. 

Legal Basis: Your prior Consent, which you can freely give or withhold and can withdraw at

any time using the "unsubscribe" link in emails or via account settings.

c. Surveys and Feedback Requests: To invite you to participate in user research, which helps us improve the Services. Participation in surveys is always voluntary, and your responses

are used anonymously to gather insights about user satisfaction, preferences, and areas for

improvement. We may offer incentives (such as service credits or gift cards) for

participation in certain research activities, with clear terms and conditions provided

separately. Survey responses are typically aggregated and analyzed in anonymized form,

though in some cases we may need to retain minimal identifying information to administer

incentives or follow up on specific feedback.

Legal Basis: Legitimate Interest in improving our Services / Consent.

3.2.5 To Comply with Legal and Regulatory Obligations

We may Process your Personal Information as necessary to comply with a wide range of legal obligations imposed on us by courts, law enforcement agencies, regulatory authorities, or other governmental bodies with valid jurisdiction. This ensures that we operate in accordance with the law and fulfill our legal responsibilities. We carefully review all legal requests to ensure they are valid, proportionate, and legally required before disclosing any Personal Information. Where permitted by law, we will notify you of such requests unless prohibited by court order or law enforcement directive. We maintain transparency reports that provide information about the number and types of legal requests we receive, subject to confidentiality restrictions. The specific activities include:

1. Responding to lawful requests such as subpoenas, court orders, or search warrants. If we receive a valid legal request for your Personal Information, we will disclose the information as required by law.

2. Fulfilling tax, accounting, and financial reporting requirements. We may need to retain and process your Personal Information to comply with tax laws, prepare financial statements, and meet other accounting obligations.

3. Cooperating with regulatory investigations or audits. Regulatory authorities may conduct investigations or audits of our business, and we may need to provide your Personal Information as part of this process.

4. Maintaining records as required by specific industry regulations. Depending on the nature of our business and the Services we provide, we may be required to maintain certain records for a specified period of time to comply with industry-specific regulations.

Primary Legal Basis: Compliance with a Legal Obligation. 

3.2.6 For Corporate Transactions (Legitimate Interests)

In the context of a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Information may be disclosed or transferred as part of the business assets. This is necessary to facilitate such corporate transactions, which are essential for business continuity and growth. We will require the receiving party to handle your information in accordance with this Agreement and applicable data protection laws. The receiving party will be obligated to maintain the same level of privacy protection as we do and to use your Personal Information only for the purposes specified in this Agreement. In the event of a corporate transaction, we will provide notice to affected users through prominent announcements on our Platform and, where required by law, through direct communication. You may have the right to opt out of certain data transfers in specific jurisdictions, as explained in Section 7.

Primary Legal Basis: Legitimate Interest in facilitating such corporate transactions which are essential for business continuity and growth.

3.2.7 Data Analytics and Business Intelligence

We Process aggregated and anonymized data to perform business analytics, market research, and competitive analysis. This helps us understand market trends, user demographics, and business performance metrics. These analytics activities are conducted on data that has been stripped of personally identifiable information and cannot be linked back to individual users. We use business intelligence tools and data visualization platforms to analyze usage patterns, feature adoption rates, and customer satisfaction metrics to inform strategic business decisions and resource allocation.

Primary Legal Basis: Legitimate Interest in understanding and improving our business operations, market position, and strategic planning through analysis of aggregated, non-personal data.

3.3 Special Provisions for Sensitive Personal Information

We recognize that Sensitive Personal Information warrants heightened protections due to its sensitive nature and the potential risks to your privacy and rights if it is mishandled. Our default position is one of strict limitation when it comes to the collection, use, and disclosure of Sensitive Personal Information. We implement enhanced security measures, access controls, and audit trails for any processing of Sensitive Personal Information. All employees and contractors who may handle Sensitive Personal Information receive specialized training on the proper handling of such data and the legal requirements governing its processing.

1. No Intentional Collection: Our Platform and Services are not designed to solicit, nor do we intentionally collect or Process, categories of information classified as "Sensitive Personal Information" under applicable law, unless such Processing is unexpectedly necessary for the provision of a Service explicitly requested by you (e.g., a health analysis tool that requires health data to provide personalized recommendations). Any such Processing would occur only with your explicit, prior, opt-in Consent and with additional safeguards to ensure the security and confidentiality of the information. We will clearly inform you about the specific purposes for which we need to collect and Process your Sensitive Personal Information, the legal basis for such Processing, and the measures we have in place to protect it.

2. Prohibited Input: You are contractually prohibited from submitting, and you represent and warrant that you will not submit, any Sensitive Personal Information as Input Content to the general-purpose Services. This includes, but is not limited to, health data (e.g., medical records, diagnosis, treatment plans), biometric data for identification (e.g., fingerprint, facial recognition data), precise geolocation data revealing your home address or other sensitive locations, financial account numbers with access codes (e.g., bank account number with password, credit card details with security code), and information revealing racial origin, political opinions, or sexual orientation in an identifiable context. If you submit any Sensitive Personal Information in violation of this provision, we shall not be liable for any consequences resulting from the disclosure or misuse of such information. We implement automated content scanning and filtering systems to detect and block submissions that appear to contain Sensitive Personal Information. However, these systems are not foolproof, and we rely primarily on user compliance with this prohibition. Users who repeatedly violate this provision may have their accounts suspended or terminated.

3. Handling of Inadvertent Collection: If we discover that we have inadvertently collected Sensitive Personal Information (e.g., through user error, such as a user mistakenly uploading a document containing health data to the general-purpose Services), we will take prompt action to either securely delete that information or, if deletion is not immediately possible (e.g., due to backup systems), to isolate and apply stringent access controls to it, pending deletion. We will not use inadvertently collected Sensitive Personal Information for any purpose, including AI Model Training, and will take all necessary steps to prevent further collection of such information. We may also notify you of the inadvertent collection and provide you with the option to have the information deleted.

4. Enhanced Legal Basis Requirement: Should a specific, consented Service require the Processing of Sensitive Personal Information, we will rely on your explicit, separate, and informed Consent as the primary legal basis, in addition to implementing the enhanced security measures mandated by Section 6. This Consent will be obtained separately from any other Consent you provide, and you will have the right to withdraw it at any time. We will also conduct a data protection impact assessment (DPIA) to evaluate the risks to your privacy and rights associated with the Processing of Sensitive Personal Information and implement appropriate measures to mitigate those risks.

4. COOKIES AND SIMILAR TECHNOLOGIES

4.1 Overview of Cookies and Similar Technologies

We use Cookies and Similar Technologies to enhance your experience when using our Services, remember your preferences, understand how you use our Platform, and personalize your interactions. Cookies and Similar Technologies are small data files or tracking mechanisms that are placed on your device when you access the Platform. They help us recognize your device, track your usage patterns, and provide you with a more tailored and efficient service. By using our Services, you acknowledge and agree to our use of Cookies and Similar Technologies as described in this section. It is important to note that Cookies and Similar Technologies are standard industry tools used by most websites and online services to improve functionality, analyze traffic, and personalize content. Our use of these technologies is designed to balance user experience with privacy considerations, and we provide you with meaningful choices and controls over their use.

4.2 Types and Purposes of Cookies and Similar Technologies

We use different types of Cookies and Similar Technologies for various purposes, each designed to enhance the functionality and performance of our Services. The types and their respective purposes are as follows:

1. Essential Cookies: These Cookies are necessary for the Platform to function properly. They enable basic features such as user authentication, account management, and access to protected areas of the Platform. Without these Cookies, the Services may not be able to provide the core functionality you request. Essential Cookies cannot be refused, as they are essential for the operation of the Services. Examples of essential Cookies include session cookies that maintain your login state during a browsing session, security cookies that help prevent cross-site request forgery (CSRF) attacks, and load-balancing cookies that distribute traffic across servers to ensure optimal performance. These Cookies are typically first-party cookies, meaning they are set by our domain and are not shared with third parties.

2. Performance/Analytics Cookies: These Cookies help us understand how visitors interact with the Platform. They collect information about the number of visitors to the Platform, the pages viewed, the time spent on each page, the source of traffic, and other usage statistics. This information is used to analyze trends, evaluate the effectiveness of our marketing campaigns, and identify areas for improvement in the Platform's design and functionality. The data collected by these Cookies is aggregated and anonymized, meaning it cannot be used to identify individual users. We use both first-party and third-party analytics cookies. First-party analytics cookies are set by us and provide insights into user behavior on our Platform. Third-party analytics cookies, such as those from Google Analytics, help us understand broader traffic patterns and user demographics. We configure these tools to respect user privacy by anonymizing IP addresses, limiting data retention periods, and disabling data sharing with other Google services unless explicitly authorized.

3. Functionality Cookies: These Cookies allow the Platform to remember choices you make, such as your language preference, display settings, or login credentials. They help personalize your experience by retaining your preferences across different sessions and devices. For example, if you set your preferred language to English, a functionality Cookie will remember this setting and display the Platform in English during your subsequent visits. Functionality Cookies also enable features like persistent shopping carts, customized layouts, and personalized recommendations based on your previous interactions. These Cookies may collect anonymized information about your preferences and usage patterns but do not track your browsing activity on other websites.

4. Social Media Cookies: These Cookies are set by social media platforms (such as Facebook, Twitter, LinkedIn) when you use social sharing features or interact with social media plugins on our Platform. They allow you to share content from our Platform directly to your social media accounts, log in using your social media credentials, or see content from our Platform in your social media feeds. Social media cookies may also be used by social media platforms to track your browsing activity across websites that integrate their features, for the purpose of content personalization. We do not control the setting of these cookies, and their use is governed by the privacy policies of the respective social media platforms.

4.3 Your Choices Regarding Cookies and Similar Technologies

Most web browsers allow you to control Cookies through their settings. You can set your browser to refuse all or some Cookies, or to alert you when websites set or access Cookies. The specific steps for managing Cookies vary depending on the browser you use. You can usually find these settings in the "Options" or "Preferences" menu of your browser.

Please note that disabling or deleting certain Cookies may impact the functionality of the Services. For example, disabling essential Cookies may prevent you from accessing certain features of the Platform or logging into your account. Disabling performance/analytics Cookies will not affect the functionality of the Services but will prevent us from collecting data about your usage patterns, which may limit our ability to improve the Platform.

In addition to managing Cookies through your browser settings, you may also have the option to opt out of certain types of Cookies through third-party tools or websites.

We may update our use of Cookies and Similar Technologies from time to time. If we make material changes to our Cookie policy, we will notify you by posting the updated policy on the Platform with a new "Last Updated" date. Your continued use of the Services after the effective date of the updated policy constitutes your acceptance of the changes.

4.4 Cookie Consent Management

We respect your right to control the use of Cookies and Similar Technologies on our Platform. When you first visit our Platform, or when we introduce new types of Cookies that require consent, we display a cookie banner or pop-up notification that provides clear information about our use of Cookies and requests your consent for non-essential Cookies. The consent mechanism allows you to:

1. Accept all Cookies: This allows us to set all categories of Cookies, including essential, performance, functionality, and social media Cookies.

2. Reject non-essential Cookies: This allows us to set only essential Cookies, which are necessary for the basic functioning of the Platform.

3. Customize your preferences: This allows you to choose which categories of non-essential Cookies you consent to. Our cookie preference center provides granular controls for each category of Cookies, along with clear descriptions of their purposes and impacts.

Your consent preferences are stored in a cookie on your device, so we can remember your choices on subsequent visits. You can change your cookie preferences at any time by accessing our cookie preference center, which is available through a link in the footer of our website or through your account settings (if logged in). Changes to your cookie preferences will take effect immediately, but please note that previously set Cookies may remain on your device until you clear them through your browser settings.

5. HOW WE SHARE AND DISCLOSE INFORMATION

We understand that the privacy of your Personal Information is crucial, and we are committed to sharing and disclosing your information only in accordance with this Agreement and applicable law. We do not sell, rent, or lease your Personal Information to third parties for marketing purposes without your explicit Consent. The circumstances in which we may share or disclose your information are as follows:

5.1 With Your Consent

We will share your Personal Information with third parties only when we have your explicit Consent to do so. Your Consent will be obtained in a clear and unambiguous manner, and you will be informed about the purpose of the disclosure, the identity of the third party, and the types of information to be shared. You may withdraw your Consent at any time, subject to the provisions of this Agreement, by contacting us through the designated channels. Withdrawal of Consent will not affect the lawfulness of any disclosure made prior to the withdrawal. We implement granular consent management systems that allow you to provide consent for specific types of data sharing with specific third parties for defined purposes. Your consent preferences are stored in our secure consent management database and can be reviewed, modified, or withdrawn at any time through your account privacy settings or by contacting our privacy team.

5.2 Service Providers and Processors

We engage trusted third-party companies and individuals ("Processors") to perform services on our behalf, such as hosting and server maintenance, data analysis, payment processing, customer service, email delivery, and marketing support. These Processors are contractually bound to protect your information and use it only for the purposes we specify. We carefully select our Processors based on their reputation, security practices, and compliance with applicable data protection laws. We also monitor their performance and ensure that they adhere to the terms of our agreement. Examples of services provided by Processors include:

1. Hosting and Server Maintenance: Third-party hosting providers store our data and maintain the servers that power our Platform. They have access to your Personal Information only to the extent necessary to perform their hosting and maintenance services. We use leading cloud service providers that implement state-of-the-art security measures, including physical security controls, network security, encryption, and access management. Our contracts with hosting providers include strict data protection clauses that require them to implement appropriate technical and organizational measures to protect your data, prohibit them from using your data for their own purposes, and mandate compliance with applicable data protection laws. However, as these providers operate their own infrastructure, we encourage you to review their privacy and security policies to understand how they protect data at the infrastructure level.

2. Data Analysis: We may engage data analysis firms to help us analyze user behavior, evaluate the effectiveness of our Services, and identify areas for improvement. These firms use the data we provide to generate reports and insights, which are used to enhance the Services. Before sharing data with analytics providers, we implement data minimization techniques. We require analytics providers to delete or return data upon completion of services and prohibit them from combining our data with data from other sources to identify individual users.

3. Payment Processing: As mentioned in Section 3.1.1, third-party payment processors handle the processing of subscription and transaction payments. They collect and process your payment information in accordance with industry standards and security protocols. We only work with payment processors that are certified as PCI-DSS (Payment Card Industry Data Security Standard) compliant and that use tokenization and encryption to protect payment card data. Our payment processors are prohibited from using your payment information for any purpose other than processing transactions on our behalf, and they are required to maintain appropriate security measures to protect your financial data.

4. Customer Service: We may outsource certain customer service functions to third-party service providers. These providers have access to your contact information and the content of your communications with customer support to respond to your inquiries and resolve your issues. Customer service providers are trained in data protection principles and are contractually obligated to maintain the confidentiality of your information. Access to customer data is restricted to authorized personnel on a need-to-know basis, and all customer interactions are logged and monitored for quality assurance and security purposes.

5. Additional Service Providers: We may also engage additional specialized service providers for functions such as fraud detection, cybersecurity monitoring, legal and compliance support, human resources management, and business intelligence. In all cases, we conduct due diligence on potential service providers, assess their data protection practices, and enter into data processing agreements (DPAs) that define their responsibilities and obligations regarding the protection of your Personal Information. Our DPAs include standard contractual clauses approved by data protection authorities where required for international data transfers.

5.3 For Legal Reasons

We may disclose your information if we believe it is reasonably necessary to:

1. Comply with a valid legal process, law, or regulation, such as a subpoena, court order, or search warrant.

2. Protect the safety, rights, or property of the Company, our Users, or the public. This may include disclosing information to prevent or investigate fraud, harassment, or other illegal activities.

3. Enforce our agreements and policies, including our Terms of Service, Acceptable Use Policy, and this Agreement. This may involve disclosing information to third parties to resolve disputes or take legal action against users who violate our policies.

4. Prevent fraud or abuse of the Services. For example, if we suspect that a user is using the Services to engage in fraudulent activity, we may disclose information to the relevant authorities or to the affected third parties.

In such cases, we will disclose only the information that is necessary to comply with the legal requirement or to protect the safety, rights, or property of the affected parties. We will also take reasonable steps to notify you of the disclosure, unless prohibited by law or court order.

5.4 Business Transfers

In connection with, or during negotiations of, any merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Information may be transferred as a business asset. This is a common practice in corporate transactions, and the receiving party will be obligated to honor the terms of this Agreement and applicable data protection laws. We will take reasonable steps to ensure that the receiving party is bound by confidentiality and data protection obligations and that your Personal Information is protected in accordance with this Agreement. If the transfer results in a change in the control of your Personal Information, we will notify you by posting a notice on the Platform or by sending you an email, and you will have the right to opt out of the transfer if permitted by law.

5.5 Aggregated or De-Identified Information

We may share Aggregate/Anonymous Information that cannot reasonably be used to identify you for research, marketing, analytics, or other purposes. Aggregated Information is data that has been combined with data from other users to form a dataset that does not identify any individual user. De-Identified Information is data from which all personal identifiers have been removed, such that it cannot be linked back to a specific individual. Examples of Aggregate/Anonymous Information include statistics about the number of users of the Services, the average time spent on the Platform, and the most popular features. Sharing this type of information helps us collaborate with third parties, conduct research, and improve the Services, while protecting your privacy.

5.6 Affiliates

We may share information with our parent company, subsidiaries, joint ventures, or other companies under common control (collectively, "Affiliates"). These Affiliates will be required to honor the terms of this Agreement and applicable data protection laws. Sharing information with Affiliates allows us to provide integrated services, streamline our operations, and enhance the user experience. For example, if you use a service provided by one of our Affiliates, we may share your information with that Affiliate to enable seamless access and provide consistent service. We have established binding corporate rules (BCRs) or intra-group data transfer agreements that govern the sharing of Personal Information among our Affiliates. These agreements ensure that all Affiliates adhere to consistent data protection standards and provide the same level of protection for your Personal Information regardless of which entity processes it. You can request information about our Affiliates and their data protection practices by contacting our privacy team.

5.7 Academic and Research Partnerships

We may collaborate with academic institutions, research organizations, and non-profit entities to advance the field of artificial intelligence and improve our Services. In such collaborations, we may share de-identified or aggregated data for research purposes under strict confidentiality and data protection agreements. Research partners are required to adhere to ethical research standards, implement appropriate security measures, and use the data only for the approved research purposes. We prohibit research partners from attempting to re-identify individuals from de-identified data and require them to publish research findings in a manner that protects individual privacy. All research collaborations undergo ethical review and approval processes before any data sharing occurs.

5.8 Public Forums and Community Features (Third-Party Discord Channel)

Our primary Platform does not host public forums, community discussion boards, or user-generated content galleries. However, we may maintain an official community channel on third-party platforms such as Discord to facilitate user discussions and support. Please note that any Discord server or channel we participate in is operated by Discord Inc. and is governed by Discord's own Terms of Service and Privacy Policy. When you choose to participate, share information, or communicate in these third-party community spaces, any Personal Information you voluntarily disclose becomes accessible to other participants in accordance with the platform's functionality and settings. We cannot control how other users on these third-party platforms may collect, read, or use information you choose to share there. We strongly encourage you to exercise caution and good judgment when deciding to disclose any Personal Information in such public or semi-public online forums. Your interactions and privacy within these third-party community platforms are managed through your account settings on those platforms (e.g., Discord's privacy settings), not through your account settings on our primary Platform. You are responsible for managing your content and privacy preferences directly within the respective third-party service.

6. DATA RETENTION AND SECURITY

6.1 Data Retention

We retain your Personal Information only for as long as is necessary to fulfill the purposes outlined in this Agreement, unless a longer retention period is required or permitted by law (e.g., for tax, accounting, or legal compliance). The criteria used to determine retention periods include:

1. The nature of the data: Different types of data may have different retention requirements. For example, account information may be retained for the duration of your account, while transaction records may be retained for a longer period to comply with tax and accounting laws.

2. The purpose for its collection: We retain data for as long as it is needed to achieve the purpose for which it was collected. For example, User Content used to provide a specific service will be retained for as long as necessary to deliver that service, and then deleted or anonymized.

3. Legal obligations: We may be required to retain certain data for a specified period of time to comply with applicable laws and regulations. For example, we may need to retain financial records for a certain number of years to comply with tax laws.

4. Operational needs: We may retain data for a reasonable period of time to meet operational needs, such as troubleshooting technical issues, resolving disputes, or providing customer support.

User Content used for AI Model Training may be retained in a de-identified or aggregated form indefinitely to maintain model performance. This is because de-identified and aggregated data is no longer linked to individual users and does not pose a risk to their privacy. However, if you withdraw your Consent for the use of your User Content for AI Model Training, we will cease using your data for this purpose, but we may not be able to remove the de-identified or aggregated data from previously trained models due to technical limitations.

When the retention period expires, we will take appropriate measures to securely delete or anonymize your Personal Information. We use secure deletion methods to ensure that the data cannot be recovered, and we verify that the deletion has been completed successfully.

6.2 Data Security

We implement and maintain appropriate technical and organizational security measures designed to protect your Personal Information from unauthorized access, alteration, disclosure, or destruction. These measures are designed to ensure the confidentiality, integrity, and availability of your data, and are proportionate to the risks associated with the processing of your Personal Information. The security measures we implement include, but are not limited to:

1. Encryption: We encrypt your Personal Information both in transit and at rest. In transit, we use secure communication protocols such as Transport Layer Security (TLS) to encrypt data as it is transmitted between your device and our servers. At rest, we use encryption technologies to protect data stored on our servers and other storage devices.

2. Access Controls: We implement strict access controls to ensure that only authorized personnel have access to your Personal Information. Access to data is granted on a need-to-know basis, and we use multi-factor authentication, strong passwords, and other access control mechanisms to prevent unauthorized access.

3. Security Monitoring: We monitor our systems and networks for potential security threats, such as unauthorized access attempts, malware, and data breaches. We use automated security tools and manual monitoring to detect and respond to security incidents in a timely manner.

4. Regular Security Assessments: We conduct regular security assessments, including vulnerability scans and penetration testing, to identify and address potential security vulnerabilities in our systems and processes. We also review and update our security measures on a regular basis to keep up with emerging threats and technologies.

5. Employee Training: We provide regular training to our employees on data protection and security best practices. Our employees are required to comply with our security policies and procedures, and we conduct background checks on new employees who will have access to sensitive data.

6. Third-Party Security: We require our service providers and Processors to implement appropriate security measures to protect the data we share with them. We conduct due diligence on our third-party partners to ensure that they have adequate security practices in place, and we monitor their compliance with our security requirements.

However, no method of transmission over the Internet or electronic storage is 100% secure. Despite our best efforts to protect your Personal Information, we cannot guarantee absolute security. There is always a risk that unauthorized third parties may find a way to bypass our security measures or that unforeseen events may cause data to be compromised. If a data breach occurs, we will take immediate action to mitigate the damage and notify you and the relevant authorities in accordance with applicable law.

6.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay, as required by applicable law. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

The notification will include the following information, as required by law:

1. A description of the nature of the breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records involved.

2. The name and contact details of our Data Protection Officer or other contact person who can provide further information.

3. A description of the likely consequences of the breach.

4. A description of the measures we have taken or propose to take to address the breach, including measures to mitigate the possible adverse effects.

If the breach is not likely to result in a high risk to your rights and freedoms, we may not be required to notify you directly, but we will still investigate the breach and take appropriate measures to prevent future breaches. We will also maintain records of all data breaches, including the details of the breach, the actions taken to address it, and the notifications sent.

In the event that a third-party service integrated with our Platform experiences a data breach that may affect your information, we will take reasonable steps to assess the impact on our users and provide appropriate notifications as required by law. However, our ability to respond to third-party breaches is limited by our access to information about the breach and our contractual relationship with the third party. We encourage you to enable security notifications in your account settings and to monitor announcements from third-party services you use in connection with our Platform.

6.4 Security Governance and Oversight

Our security program is overseen by a dedicated Security Governance Committee that includes senior leadership from engineering, operations, legal, and compliance functions. This committee meets quarterly to review security metrics, assess risks, approve security policies, and allocate resources for security initiatives. We maintain a risk register that tracks identified security risks with assigned ownership and mitigation plans. Our board of directors receives regular updates on our security posture and significant security incidents.

6.5 User Security Responsibilities

While we implement robust security measures, you also play an important role in protecting your account and Personal Information. We recommend that you:

1. Use strong, unique passwords for your account and enable two-factor authentication (2FA) where available.

2. Keep your login credentials confidential and avoid using public computers or unsecured Wi-Fi networks to access sensitive information.

3. Regularly review your account activity and report any suspicious behavior immediately.

4. Keep your devices and software updated with the latest security patches.

5. Be cautious of phishing attempts and never share your credentials in response to unsolicited requests.

We provide security guidance and tools in our help center and through security notifications. However, you are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.

7. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction, you may have the following rights regarding your Personal Information. We are committed to helping you exercise these rights and will respond to your requests in a timely and efficient manner. Our rights fulfillment processes are designed to be transparent, accessible, and compliant with applicable data protection laws. We provide multiple channels for submitting requests and maintain dedicated resources to process and respond to your inquiries within legally mandated timeframes. Below we detail each right, how you can exercise it, and any limitations or exceptions that may apply.

7.1 Right to Access and Portability

You have the right to request a copy of the Personal Information we hold about you. We will provide you with a clear and concise copy of your data in a structured, commonly used, and machine-readable format, where technically feasible. This allows you to easily transfer your data to another organization if you wish.

To exercise this right, you must submit a verifiable request to us via our designated privacy portal or by emailing [email protected]. We may need to verify your identity before fulfilling your request to ensure that the data is being provided to the correct person. The verification process may involve asking you to provide certain information that only you would know, such as your account details or answers to security questions. 

We will respond to your access request within 30 days of receipt, as required by most data protection laws, though this period may be extended by an additional 60 days for complex requests, in which case we will notify you of the extension and the reasons for the delay. There is no fee for making an access request, but we may charge a reasonable fee if your request is manifestly unfounded, excessive, or repetitive.

7.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete Personal Information we hold about you. If you believe that any of your Personal Information is incorrect or incomplete, you can submit a request to us to have it corrected. We will review your request and, if we agree that the information is inaccurate or incomplete, we will correct it promptly.

To exercise this right, you must submit a verifiable request to us, providing details of the information you believe is inaccurate or incomplete and the correct information. We may need to verify your identity and the accuracy of the information you provide before making the correction. 

We will respond to rectification requests within 30 days, and if we cannot act within that time, we will inform you of the delay and the reasons. In some cases, we may need to consult with third parties (such as data providers) to verify the accuracy of information, which may extend the response time. We will inform you of any such consultations where appropriate.

7.3 Right to Erasure 

You have the right to request deletion of your Personal Information, subject to certain exceptions (e.g., where we need to retain data for legal reasons or for the establishment, exercise, or defense of legal claims). If you wish to have your Personal Information deleted, you can submit a request to us. We will review your request and, if we determine that the data is no longer necessary for the purposes for which it was collected, that retention is not required by law, and that there are no other legitimate grounds for retaining the data, we will delete it promptly.

Please Note: Due to the nature of AI Model Training, it may not be technically feasible to retroactively remove the influence of your de-identified data from previously trained models. However, we will cease using your data for future model training and will delete any identifiable data we hold about you.

To exercise this right, you must submit a verifiable request to us. We may need to verify your identity and confirm that you are the owner of the data before processing your request.

We will respond to erasure requests within 30 days and inform you if any exceptions apply. If we cannot delete the data due to an exception, we will inform you of the specific legal basis for our decision. When we delete data, we will take reasonable steps to inform third parties who are processing the data on our behalf, unless this is impossible or involves disproportionate effort.

7.4 Right to Restrict Processing

You have the right to request that we temporarily or permanently stop Processing some or all of your Personal Information. This right may be exercised in the following circumstances:

1. If you contest the accuracy of your Personal Information, you can request that we restrict processing until the accuracy of the data is verified.

2. If the processing is unlawful, you can request that we restrict processing instead of deleting the data.

3. If we no longer need the data for the purposes for which it was collected, but you need it for the establishment, exercise, or defense of legal claims, you can request that we restrict processing.

4. If you have objected to processing based on our legitimate interests, you can request that we restrict processing until we have determined whether our legitimate interests override your rights and freedoms.

To exercise this right, you must submit a verifiable request to us, specifying the data you wish to have processing restricted and the reason for your request. We will review your request and, if we agree that the restriction is appropriate, we will implement it promptly.

7.5 Right to Object to Processing

You have the right to object to our Processing of your Personal Information based on our legitimate interests. We will review your objection and, if we determine that our legitimate interests do not override your rights and freedoms, we will cease processing your data. You also have an absolute right to object to Processing for direct marketing purposes. If you object to direct marketing, we will cease processing your data for this purpose immediately.

To exercise this right, you must submit a verifiable request to us, specifying the processing you object to and the reason for your objection. For direct marketing objections, you can also use the "unsubscribe" link in our marketing emails or update your preferences in your account settings.

We will respond to objections within 30 days. If we reject your objection, we will provide a clear explanation of our reasoning and inform you of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

7.6 Right to Withdraw Consent

Where we rely on your consent for Processing, you have the right to withdraw that consent at any time. This does not affect the lawfulness of Processing based on consent before its withdrawal. To withdraw your consent, you can update your preferences in your account settings or contact us via our designated privacy portal or email. We will process your request promptly and cease processing your data for the purposes for which you withdrew your consent. Withdrawing consent may affect your ability to use certain features of our Services that require the processing of Personal Information based on consent. We will inform you of any consequences of withdrawal at the time you make the request. Note that we may have other legal bases for processing your data (such as contract performance or legal obligation), so withdrawing consent may not lead to complete cessation of processing if another basis applies.

7.7 Right to Opt-Out of Sale/Sharing/Profiling

In certain jurisdictions, you may have the right to opt-out of the "sale" or "sharing" of your Personal Information, or to opt-out of automated decision-making/profiling that has legal or similarly significant effects. "Sale" or "sharing" refers to the disclosure of your Personal Information to third parties for valuable consideration. Automated decision-making/profiling refers to the use of automated processes to evaluate certain personal aspects of you and make decisions based on that evaluation.

To exercise this right, you can update your preferences in your account settings or contact us via our designated privacy portal or email. We will process your request promptly and cease the sale, sharing, or profiling of your data as requested.

We will honor opt-out requests for at least 12 months before asking you to reaffirm your choice. We will not discriminate against you for exercising your opt-out rights, meaning we will not deny you goods or services, charge you different prices, or provide a different level or quality of services, except where the difference is reasonably related to the value of your data. If you use an authorized agent to submit an opt-out request, we may require proof that the agent has been authorized to act on your behalf.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where you believe a violation of data protection laws has occurred. We encourage you to contact us first to resolve any concerns, but you have the right to directly approach the supervisory authority. We will cooperate with supervisory authorities in any investigation and will comply with their decisions.

7.9 Right to Non-Discrimination

You have the right not to be discriminated against for exercising any of your privacy rights. We will not deny, charge different prices for, or provide a different level of quality of our Services to you because you exercised your rights under this Agreement or applicable law. However, we may offer different tiers of Services with different features or pricing, and the value of your data may be considered in determining the price or service tier, as permitted by law. We will not retaliate against you for exercising your rights, including by terminating your account, unless your request is manifestly unfounded or excessive, or you have violated our Terms of Service.

7.10 How to Exercise Your Rights

To exercise any of these rights, please submit a verifiable request to us via our designated privacy portal or by emailing [email protected]. Your request should include sufficient detail to allow us to identify you and process your request, such as your full name, email address, and account username (if applicable). We may need to verify your identity before fulfilling your request to ensure that the data is being provided to the correct person. The verification process may involve asking you to provide certain information that only you would know, such as your account details, answers to security questions, or a copy of a government-issued ID.

We will respond to your request within the timeframe required by applicable law. If we are unable to fulfill your request, we will notify you of the reasons for our refusal and any rights you may have to appeal the decision.

8. INTERNATIONAL DATA TRANSFERS

8.1 Global Nature of Data Processing

We are a global company, and our Services are made available to users around the world. As a result, your Personal Information may be transferred to, stored, and Processed in countries other than your country of residence, where our servers or those of our Processors are located. These countries may have data protection laws that differ from those in your country. However, we are committed to ensuring that your Personal Information is protected to the same high standard regardless of where it is processed.

8.2 Legal Safeguards for International Transfers

We ensure that such transfers are made in compliance with applicable data protection laws. This may involve implementing one or more of the following safeguards:

1. Standard Contractual Clauses: We may use Standard Contractual Clauses (SCCs) approved by relevant data protection authorities. SCCs are pre-approved contractual clauses that set out the rights and obligations of the parties involved in the transfer of personal data, ensuring that the data is protected to the same standard as required by the original jurisdiction.

2. Adequacy Decisions: We may transfer data to countries that have been deemed to provide an adequate level of data protection by the relevant data protection authority. An adequacy decision means that the country's data protection laws are considered to be equivalent to those in the original jurisdiction, providing a sufficient level of protection for personal data.

3. Explicit Consent: In some cases, we may obtain your explicit consent for the transfer of your Personal Information to a country outside your jurisdiction. We will provide you with clear and comprehensive information about the transfer, including the country to which the data will be transferred, the reasons for the transfer, and the safeguards in place to protect your data. Consent for international transfers is obtained separately from other consents and includes specific information about the risks associated with the transfer (including the possibility that foreign governments may access the data under laws that do not provide equivalent protection to your home country). You may withdraw this consent at any time, but such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal and may impact your ability to use certain Services that rely on international data transfers.

4. Binding Corporate Rules: If we transfer data within our group of companies (Affiliates), we may use Binding Corporate Rules (BCRs) to ensure that the data is protected throughout the group. BCRs are internal rules that govern the transfer of personal data within a multinational company and are approved by the relevant data protection authority.

We regularly review our international data transfer practices to ensure that they continue to comply with applicable law and that the safeguards we have implemented are effective. If you have any questions about the international transfer of your Personal Information, please contact us via our designated privacy portal or email.

9. CHILDREN'S PRIVACY

9.1 Age Restriction

Our Services are not directed to individuals under the age of 16 (or a higher age as specified by local law). We do not knowingly collect Personal Information from children. This is because children may not have the necessary capacity to understand the risks associated with the collection and processing of their personal information, and we are committed to protecting the privacy of children.

9.2 Handling of Accidental Collection

If you are a parent or guardian and believe your child has provided us with Personal Information without your consent, please contact us immediately. We will take steps to verify your identity and the relationship between you and the child, and upon verification, we will delete the child's Personal Information from our systems. We will also take measures to prevent the child from accessing our Services in the future.

If we learn that we have collected Personal Information from a child without verification of parental consent, we will take steps to delete that information as soon as possible. We may also notify the relevant authorities if we believe that the collection of the child's information constitutes a violation of applicable law.

10. THIRD-PARTY LINKS AND SERVICES

10.1 Third-Party Links

The Services may contain links to third-party websites or services that are not owned or controlled by us. These links are provided for your convenience and to enhance your experience. However, we do not endorse or assume any responsibility for the privacy practices or content of these third-party websites or services. This Agreement does not apply to those third-party services, and we encourage you to review the privacy policies and terms of service of every third-party service you visit or use. Third-party links may appear in various contexts within our Platform, including but not limited to: (1) references in generated content that may include citations or sources; (2) integration directories showcasing compatible applications; (3) documentation and help resources; and (4) user-generated content that may include embedded links. We use automated systems to scan external links for known security threats, but we cannot guarantee the ongoing safety, accuracy, or relevance of linked content.

10.2 Third-Party Services

If you use third-party services in connection with our Services (e.g., integrating a third-party application with our Platform), your use of those services is subject to the third party's privacy policies and terms of service. We are not responsible for the collection, use, or disclosure of your Personal Information by these third parties, and we recommend that you carefully review their privacy policies before providing them with any personal information.

We do not have control over the content, functionality, or security of third-party websites or services, and we are not liable for any damages or losses arising from your use of these third-party services. If you have any questions or concerns about a third-party website or service, please contact the third party directly.

10.3 Changes to Third-Party Services

Third-party services may change their features, privacy practices, or terms of service without notice to us. Such changes may affect how your data is processed when using these services in connection with our Platform. We monitor significant changes to third-party services we formally recommend, but we cannot monitor all third-party services that may be used with our Platform. It is your responsibility to stay informed about changes to third-party services you use and to adjust your permissions and usage accordingly. We may remove or disable integrations with third-party services that no longer meet our standards for privacy, security, or functionality.

11. CHANGES TO THIS AGREEMENT

11.1 Right to Update

We may update this Agreement from time to time to reflect changes in our practices, technologies, legal requirements, or other reasons. We reserve the right to make changes to this Agreement at any time, but we will provide notice of material changes to give you an opportunity to review the updated terms.

11.2 Notice of Changes

We will provide notice of material changes by posting the updated Agreement on the Platform with a new "Last Updated" date. We may also notify you via email or through the Services, depending on the nature of the change. The notice will include a summary of the material changes and the effective date of the updated Agreement.

11.3 Acceptance of Changes

Your continued use of the Services after the effective date of the updated Agreement constitutes your acceptance of the changes. If you do not agree to the updated Agreement, you must stop using the Services and may close your account. We encourage you to review this Agreement periodically to stay informed about our privacy practices and any changes to the Agreement.

12. CONTACT US

12.1 Contact Information

If you have any questions, concerns, or complaints about this Agreement or our privacy practices, or if you wish to exercise your rights, please contact our Data Protection Officer/Privacy Team at:

Creao

Address:10080 N Wolfe Rd SW3 200, Cupertino, CA 95014

Email: [email protected]

12.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence or where you believe a violation has occurred. A supervisory authority is an independent public authority responsible for monitoring and enforcing data protection laws. We will cooperate with the supervisory authority in any investigation and will take all necessary steps to address the complaint.

We will respond to your inquiries and complaints in a timely and professional manner. We aim to resolve all issues to your satisfaction, and we will keep you informed of the progress of your inquiry or complaint throughout the process.