This Privacy Policy (the "Policy") sets out in detail how DrawiiAI (the "Company", "we", "us" or "our") collects, uses, stores, transfers, and protects the personal information of users ("Users", "you" or "your") who access and use our AI image generation and editing platform (the "Platform"). We recognize that privacy protection is a fundamental and inalienable right of every User, and we are firmly committed to safeguarding the confidentiality, integrity, and availability of your personal information throughout your interaction with our services. This Policy is formulated in strict compliance with applicable global privacy laws and regulations, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Hong Kong Personal Data (Privacy) Ordinance (PDPO), as well as other relevant local regulatory requirements. By accessing, browsing, or using the Platform in any manner, you acknowledge that you have carefully read, fully understood, and unconditionally agreed to the terms of this Policy, including our collection, use, and processing of your personal information as described herein. If you do not agree to any provisions of this Policy, please cease using the Platform immediately.

Personal Information: As defined under applicable laws: (i) Under GDPR, means any information relating to an identified or identifiable natural person ("Data Subject"), where such a person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person; (ii) Under CCPA/CPRA, means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to names, contact details, IP addresses, and usage records; (iii) Under PDPO, means any recorded information relating directly or indirectly to a living individual, from which the individual's identity can be practically determined either from that information alone or from that information together with other information that is in the possession of, or is likely to come into the possession of, the person who holds the information, and which is in a form that is accessible and processable. For the specific purposes of this AI image Platform, Personal Information includes but is not limited to your contact details, account credentials, usage data, and any content you upload or generate through the Platform.

Sensitive Personal Information: Under GDPR, includes special categories of personal data that require enhanced protection, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed solely to identify a natural person, health data, and data concerning sex life or sexual orientation. Under CCPA/CPRA, includes personal information revealing racial or ethnic origin, religious or philosophical beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, or genetic data. Under PDPO, includes data that relates to a person's race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual life, and such data is subject to stricter processing restrictions. Given the nature of our AI image services, we specifically note that images containing Sensitive Personal Information (e.g., facial biometrics, health-related content) fall under this definition.

Processing: Under GDPR, means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Under PDPO, includes the collection, holding, processing, or use of personal data, and covers both automated and non-automated processing activities related to personal information on the Platform.

Data Controller/Processor: Under GDPR, a Data Controller is the person who, alone or jointly with others, determines the purposes and means of the processing of personal data; a Data Processor is a person who processes personal data on behalf of the Data Controller and is subject to the Data Controller's instructions. Under PDPO, a Data User is a person who alone or jointly with others controls the collection, holding, processing, or use of personal data, and bears primary responsibility for complying with PDPO's requirements. For the Platform, DrawiiAI acts as the Data Controller/Data User, while our third-party service providers act as Data Processors.

Cookies: Small text files stored on your device (computer, mobile phone, tablet, or other internet-connected devices) when you access the Platform. Cookies are designed to identify your device, track your usage patterns on the Platform, and store your preferences to enhance your user experience. They may be set by us (first-party Cookies) or by third-party service providers (third-party Cookies) for analytical, functional, or marketing purposes.

We collect personal information from you in the following categories, depending on your level of interaction with the Platform (e.g., browsing without an account, creating an account, or using premium services). We adhere to the principle of data minimization, collecting only the information necessary to provide our services and fulfill the purposes outlined in this Policy.

When you create an account on the Platform, we may collect your full name, email address, password (which is immediately hashed using industry-standard encryption to ensure it is not stored in plain text), phone number (optional, for account verification and security purposes), and billing information (including credit card details, billing address, and payment method) if you subscribe to our premium services. This information is necessary to create and manage your account, verify your identity, process payments, and provide personalized services, as required by PDPO’s first Data Protection Principle (DPP) which mandates lawful, fair, and transparent collection of personal data for legitimate purposes only.

We automatically collect non-identifiable and identifiable usage data about your interaction with the Platform through our servers, analytics tools, and other technical means. This data includes your IP address, device type, operating system and version, browser type and settings, access time and duration, pages visited within the Platform, prompts entered for AI image generation (including text descriptions and parameters), editing actions taken (e.g., filters applied, adjustments made), content interactions (e.g., images saved, shared, or deleted), and error logs. This data helps us optimize the Platform’s performance, enhance AI algorithm accuracy, troubleshoot technical issues, and personalize your user experience, all in compliance with GDPR’s requirement to collect only necessary and proportionate data.

Any content you upload to the Platform (e.g., reference images, logos, brand assets, or other visual materials) or generate using our AI tools may be temporarily or permanently collected, but only to the extent necessary to provide the requested service. For example, uploaded reference images are processed to align with your generation prompts, and generated images are stored in your account for your access. We do not use such content for any other purposes (including AI model training, marketing, or third-party sharing) without your explicit, written consent, in line with CCPA’s prohibition on unauthorized collection, use, or disclosure of consumer information.

We do not intentionally collect, process, or store Sensitive Personal Information unless it is strictly necessary for providing the requested service and you have given your explicit, informed consent (as required by GDPR Article 9 and PDPO’s restrictions on processing sensitive data). If you upload or generate content containing Sensitive Personal Information (e.g., images of individuals’ faces, health-related visuals, or content revealing racial/ethnic origin), you warrant and represent that you have obtained all necessary consents from the relevant individuals and that the collection, processing, and storage of such content comply with applicable global privacy laws. We reserve the right to restrict access to or remove such content if we reasonably suspect it violates this Policy or applicable laws.

We collect your personal information for the following legitimate, specific, and transparent purposes, in strict compliance with the principle of purpose limitation under GDPR, CCPA, and PDPO. We will not extend the use of your personal information beyond the purposes stated herein without your prior consent, except as required by law.

To send you important updates, including changes to this Policy, service announcements (e.g., scheduled maintenance, feature updates), and (with your explicit consent) targeted marketing communications about our products, services, promotions, or partner offers that may be of interest to you.

We use your personal information only in accordance with this Policy, applicable laws, and with your consent (where required). We strictly prohibit the use of your personal information for purposes incompatible with the collection purposes, except as mandated by a court order, regulatory request, or other legal obligation. Specifically, our use of your information includes the following:

Your account information is used to authenticate your access to the Platform, manage your subscription status (e.g., activating premium features, renewing or canceling subscriptions), and communicate with you about account-related matters (e.g., password reset, account verification, security alerts).

Usage data is analyzed in aggregate (non-identifiable form) to improve our AI algorithms’ ability to generate high-quality, relevant images, enhance tool functionality (e.g., optimizing prompt interpretation, adding new editing features), and personalize your experience by recommending settings or templates based on your usage history.

User-generated content is processed solely to deliver the requested AI image services. For example, uploaded reference images are used to guide the AI generation process, and generated images are stored in your account for your exclusive access and management. We will not share, disclose, or use such content for training our AI models, marketing, or any other purpose without your explicit written consent, in full compliance with GDPR’s data subject rights and CCPA’s disclosure and consent requirements.

We may use your contact information (primarily your email address) to send service-related communications that are essential to your use of the Platform (e.g., account verification, password reset instructions, service outage notifications) and marketing materials only if you have opted in to receive such communications. You may unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in the email or adjusting your account settings, and we will process your request promptly.

We store your personal information on secure servers located in jurisdictions that comply with applicable privacy laws, including the EU/EEA, the United States, and Hong Kong. We implement industry-leading security measures to protect your information from unauthorized access, disclosure, alteration, or destruction, including end-to-end encryption (both at rest and in transit), role-based access controls (ensuring only authorized personnel can access personal data), firewalls, intrusion detection and prevention systems, and regular security audits and vulnerability assessments. These measures are consistent with PDPO’s requirement to take all practicable steps to ensure the security of personal data and prevent data breaches.

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law, after which it will be securely deleted or anonymized. Specifically: (i) Account information is retained for the duration of your account existence plus 7 years, in compliance with PDPO’s record-keeping requirements and CCPA’s mandate to retain consumer information for a reasonable period; (ii) Usage data is retained in identifiable form for 12 months, after which it is anonymized (irreversibly stripped of all identifying information) and may be retained indefinitely for analytical purposes to improve our services; (iii) User-generated content is retained for as long as it is stored in your account or as necessary to provide the service, and will be permanently deleted upon your explicit request, account termination, or when it is no longer needed for service delivery, in line with GDPR’s right to erasure ("right to be forgotten").

We may transmit your personal information to our affiliated entities (e.g., parent company, subsidiaries, or sister companies) or trusted third-party service providers (as described in Section 10) for the limited purposes outlined in this Policy. All data transmissions are secured using robust encryption protocols (e.g., SSL/TLS 1.3) to ensure the confidentiality and integrity of your information during transfer, and we only transmit data to parties that meet our strict security and compliance standards.

For cross-border data transfers (i.e., transfers of personal information to jurisdictions outside the EU/EEA, California, or Hong Kong), we comply with all applicable legal requirements: (i) Transfers to countries outside the EU/EEA comply with GDPR Article 46, including using European Commission-approved Standard Contractual Clauses (SCCs), relying on adequacy decisions (e.g., for transfers to the United States under the EU-U.S. Data Privacy Framework), or implementing other appropriate safeguards; (ii) Transfers involving California residents comply with CCPA’s requirements for clear disclosure of cross-border transfers and ensuring that the receiving party protects personal information consistent with CCPA standards; (iii) Transfers from or to Hong Kong comply with PDPO, including ensuring the receiving party provides a level of protection no less than that required by PDPO, obtaining your explicit consent where necessary, and maintaining records of all cross-border transfers.

We use Cookies and similar technologies (e.g., web beacons, local storage, session storage, and pixel tags) to enhance your experience on the Platform, optimize service performance, and deliver personalized content. These technologies work by collecting and storing information about your device and usage patterns, and they play a critical role in ensuring the Platform functions as intended. Specifically, these technologies help us: (i) Remember your account preferences (e.g., language settings, default editing tools) and login status, so you do not need to re-enter information on subsequent visits; (ii) Track usage patterns to identify areas for improvement, such as optimizing page load times or refining AI features based on user behavior; (iii) Deliver personalized content and advertisements (only with your explicit consent) that align with your interests; (iv) Ensure the security of the Platform by detecting unusual usage patterns and preventing unauthorized access.

We distinguish between three types of Cookies to ensure transparency and compliance with GDPR and CCPA: (i) Essential Cookies: Necessary for the Platform to function properly, such as those enabling account authentication and basic navigation. These Cookies cannot be disabled, as disabling them would prevent you from using core features of the Platform. (ii) Analytical Cookies: Used to analyze usage data (in aggregate form) and improve the Platform’s performance and user experience. These Cookies are non-essential but help us enhance our services. (iii) Marketing Cookies: Used to deliver targeted advertisements, track the effectiveness of marketing campaigns, and share usage data with third-party advertisers. These Cookies are non-essential and require your explicit consent before being placed on your device.

You can manage your Cookie preferences through your browser settings, where you can block, delete, or disable non-essential Cookies. However, disabling Essential Cookies may affect the functionality of the Platform, and disabling Analytical or Marketing Cookies may result in a less personalized user experience. In compliance with GDPR and CCPA, we display a prominent Cookie consent banner on your first visit to the Platform, allowing you to select which categories of non-essential Cookies you wish to enable or disable. You can update your Cookie preferences at any time by accessing the "Cookie Settings" page in your account or via the link provided in the footer of the Platform.

Right to Access: You may request access to the personal information we hold about you, including detailed records of how it is collected, used, stored, and shared. We will provide you with a clear, concise copy of your personal information free of charge, unless the request is excessive or repetitive (in which case we may charge a reasonable fee) (GDPR Article 15; CCPA § 1798.100; PDPO DPP 6).

Right to Correction: You may request correction of any inaccurate or incomplete personal information we hold about you. If we agree that the information is inaccurate or incomplete, we will update it promptly and notify you of the correction. If we disagree, we will provide you with a written explanation of our decision (GDPR Article 16; CCPA § 1798.106; PDPO DPP 4).

Right to Erasure ("Right to Be Forgotten"): You may request deletion of your personal information if it is no longer necessary for the purposes for which it was collected, your consent (if the processing is based on consent) is withdrawn, the processing is unlawful, or you object to the processing and there are no overriding legitimate interests. We will securely delete your information unless we are required by law to retain it (GDPR Article 17; CCPA § 1798.105; PDPO DPP 5).

Right to Restriction of Processing: You may request restriction of processing if you dispute the accuracy of your personal information (until we verify its accuracy), the processing is unlawful (but you do not want the information deleted), the information is no longer needed for our purposes but is needed for legal claims, or you have objected to processing (pending a decision on whether our legitimate interests override your rights) (GDPR Article 18).

Right to Data Portability: You may request a copy of your personal information in a structured, machine-readable, and commonly used format (e.g., CSV, JSON) that allows you to transfer the data to another data controller. We will also, where technically feasible, assist in transferring your information directly to another controller at your request (GDPR Article 20).

Right to Withdraw Consent: If we process your personal information based on your consent, you may withdraw consent at any time, free of charge, and without penalty. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. We will process your withdrawal request promptly and cease processing your information for the purposes for which consent was given (GDPR Article 7; PDPO).

Right to Opt-Out of Sale/Sharing: Under CCPA/CPRA, California residents have the right to opt out of the sale or sharing of their personal information with third parties for marketing purposes. We will honor your opt-out request immediately and will not sell or share your information thereafter, unless you later opt back in (CCPA § 1798.120).

Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. This includes refusing to provide you with services, charging you higher fees, or offering you different terms of service solely because you have requested access to, corrected, or deleted your personal information (CCPA § 1798.125; GDPR Article 21).

To exercise these rights, please contact us using the details provided in Section 17. We may require you to provide reasonable verification of your identity (e.g., a copy of your government-issued ID, confirmation of your email address or phone number) to process your request, as this helps us protect against unauthorized access to your personal information and ensure that we fulfill requests only for the data subject. We will respond to your request within the time frame required by applicable law (e.g., 1 month under GDPR, 45 days under CCPA, with possible extensions if necessary) and will keep you updated on the progress of your request.

We respect your privacy and do not sell, rent, or lease your personal information to third parties for marketing purposes without your explicit, written consent, except as permitted by law (e.g., in connection with a business transaction or to comply with legal obligations). We may share your personal information with the following categories of third parties, but only for the limited purposes outlined in this Policy and subject to strict contractual safeguards:

Service Providers: Third-party vendors and partners who provide essential services on our behalf to support the Platform’s operations. This includes payment processors (to handle subscription payments securely), cloud storage providers (to store your personal information and user-generated content), customer support tools (to manage your inquiries and feedback), analytics services (to analyze usage data and improve our services), and security providers (to detect and prevent fraud). These service providers are bound by legally enforceable contracts that require them to protect your personal information, process it only in accordance with our instructions, and comply with applicable privacy laws, in full compliance with GDPR Article 28 (which governs Data Processors), CCPA, and PDPO’s requirements for data processors.

Affiliated Entities: Our parent company, subsidiaries, or sister companies, but only for legitimate business purposes (e.g., centralized data management, cross-functional service improvement, or compliance with internal policies) and in compliance with applicable privacy laws. We ensure that all affiliated entities adhere to the same privacy standards outlined in this Policy.

Legal and Regulatory Authorities: We may disclose your personal information if we are required to do so by law, court order, subpoena, or regulatory request (e.g., from a data protection authority, law enforcement agency, or tax authority). We may also disclose your information to protect our legal rights, property, or the safety of our users, employees, or the public, such as in cases of suspected fraud, cyberattacks, or violations of our Terms of Service.

With Your Consent: We may share your personal information with other third parties (e.g., marketing partners, creative platforms) if you have given your explicit, informed consent to do so. We will clearly inform you of the purpose of the sharing and the identity of the third party before obtaining your consent, and you may withdraw your consent at any time.

We share your personal information with third parties only for the following legitimate, proportionate reasons, in strict compliance with the principle of proportionality under GDPR, CCPA, and PDPO. We never share your information for purposes that are unrelated to our core business operations or that would undermine your privacy rights.

To fulfill the core functions of the Platform, as we rely on trusted third-party service providers to deliver services that we cannot effectively provide independently. For example, payment processors handle the secure processing of credit card transactions, cloud storage providers ensure your user-generated content is stored safely and accessible, and customer support tools enable us to respond to your inquiries promptly.

To enhance the security and performance of the Platform, including detecting and preventing fraudulent activities (via third-party fraud detection services), monitoring for unauthorized access (via cybersecurity providers), and conducting regular security audits (via independent auditors) to identify and address vulnerabilities.

To comply with legal obligations, including responding to lawful requests from regulatory authorities, court orders, or subpoenas. In such cases, we disclose only the minimum amount of information necessary to comply with the request, and we take steps to verify the legitimacy of the request before disclosing any data.

To protect the rights, property, or safety of DrawiiAI, our users, or the public. This includes disclosing information to law enforcement agencies in cases of suspected illegal activities (e.g., generating harmful or infringing content), or to third parties in connection with a legal claim or dispute where such disclosure is necessary to defend our interests.

In the event that DrawiiAI is acquired by, merged with, or sold to another entity, or if all or a portion of our assets (including user data) are transferred to a third party as part of a business transaction (e.g., a merger, acquisition, or bankruptcy proceeding), your personal information may be transferred to the acquiring or receiving entity as part of the transaction. This type of transfer is a standard business practice and is necessary to ensure the continuity of our services.

In such cases, we will take all necessary steps to protect your privacy and comply with applicable laws: (i) Notify you of the transfer in advance (at least 30 days before the transfer takes effect) via email (if you have an account) and a prominent notice on the Platform, as required by GDPR, CCPA, and PDPO; (ii) Ensure the acquiring entity enters into a legally binding agreement to uphold the terms of this Policy and applicable privacy laws, including maintaining the same level of security and data protection standards; (iii) Take all necessary technical and organizational measures to protect the confidentiality and security of your information during the transfer. If the acquiring entity intends to use your personal information for purposes other than those disclosed in this Policy, they will obtain your explicit consent before doing so, and you will have the right to opt out of such additional uses.

When using the Platform, you agree to comply with applicable privacy laws and refrain from engaging in any activities that infringe upon the privacy rights of others or violate the terms of this Policy. These prohibitions are designed to protect both the privacy of other users and the integrity of our services. Prohibited activities include, but are not limited to:

Uploading, generating, or sharing content that contains another person’s personal information (including Sensitive Personal Information) without their explicit, informed consent, in violation of GDPR, CCPA, and PDPO. This includes generating images of individuals without their consent, uploading photos of others without permission, or sharing content that reveals others’ private information.

We reserve the right to suspend or terminate your account immediately if you engage in any of these prohibited activities, without prior notice. We may also remove any infringing content, retain relevant information to investigate the violation, and report such activities to relevant legal authorities (e.g., data protection authorities, law enforcement agencies) if we reasonably believe the activity constitutes a criminal offense or poses a risk to others.

EU General Data Protection Regulation (GDPR): Applies to all Users residing in the EU/EEA or whose personal information is processed in connection with the offering of services to EU/EEA residents. We adhere to GDPR’s core principles, including lawful, fair, and transparent processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. We also comply with GDPR’s requirements for data subject rights, cross-border data transfers, data breach notifications (notifying the relevant Data Protection Authority and affected Users within 72 hours of discovering a breach), and conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities (e.g., AI model training involving personal data).

California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA): Applies to California residents and governs the collection, use, disclosure, and sale of their personal information. We comply with CCPA/CPRA’s requirements for clear disclosure of personal information collection and use practices, consumer rights (including the right to access, correct, delete, and opt out of sale/sharing of personal information), non-discrimination for exercising rights, and maintaining detailed records of data processing activities. We also comply with CPRA’s enhanced protections for Sensitive Personal Information, including requiring explicit consent for processing such data.

Hong Kong Personal Data (Privacy) Ordinance (PDPO): Applies to Users residing in Hong Kong or whose personal information is collected, held, processed, or used in Hong Kong. We adhere to PDPO’s six Data Protection Principles (DPPs), which govern the lawful collection, accuracy, retention, use, security, and access to personal data. We also respect the data subject rights granted under PDPO, including the right to access and correct personal data, and ensure compliance with PDPO’s requirements for data security, cross-border transfers, and notification of data breaches to the Office of the Privacy Commissioner for Personal Data (PCPD) when necessary.

We also comply with other applicable local privacy laws and regulations in the jurisdictions where we operate, including but not limited to Brazil’s Lei Geral de Proteção de Dados (LGPD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia’s Privacy Act 1988. This ensures that our processing of personal information meets the highest legal standards, regardless of your location.

We take special care to protect the privacy of minors and comply with global laws governing the collection of personal information from children. We do not intentionally collect, process, or store personal information from minors under the age of 16 (or the applicable age of majority in your jurisdiction) without the explicit, informed consent of a parent or legal guardian. If you are a minor under 16, you may not create an account or use the Platform without parental/guardian consent, and we reserve the right to terminate any account believed to be held by a minor without proper consent.

In compliance with GDPR (which requires parental/guardian consent for processing children’s data under 16), CCPA (which provides additional protections for minors, including restricting the sale of their personal information), and PDPO (which mandates special safeguards for children’s data), we will: (i) Verify parental/guardian consent before collecting any personal information from minors, such as requiring the parent/guardian to provide their contact information and confirm consent in writing; (ii) Delete any personal information collected from a minor without proper consent promptly upon notification, and take steps to ensure the data is permanently removed from our systems and third-party service providers; (iii) Ensure that minors’ personal information is protected with enhanced security measures, including restricting access to such data and anonymizing it where possible.

If you are a parent or legal guardian and believe we have collected personal information from your child without your consent, please contact us immediately using the details in Section 17. We will investigate the matter promptly, delete the information if confirmed, and provide you with a written update on the actions taken.

We may update or revise this Policy from time to time to reflect changes in applicable laws and regulations (e.g., new amendments to GDPR, CCPA, or PDPO), advancements in technology, changes to our business practices, or feedback from our users. We will ensure that any updates are transparent and do not expand our processing of personal information beyond what is permitted by law or your consent.

When we make material changes to the Policy (e.g., changes to how we collect, use, or share your personal information, or changes to your privacy rights), we will: (i) Post the updated Policy on the Platform with a revised "Last Updated" date prominently displayed at the top; (ii) Notify you via email (if you have an account) or through a prominent notice on the Platform’s homepage, at least 7 days before the changes take effect (as required by GDPR, CCPA, and PDPO); (iii) Obtain your explicit consent if the changes expand our collection or use of your personal information beyond the original purposes outlined in the previous version of the Policy. Non-material changes (e.g., minor clarifications or grammatical edits) will be posted on the Platform without prior notification but will still be effective immediately upon posting.

Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically (we recommend checking every 6 months) to stay informed about how we protect your privacy. You can access the latest version of the Policy at any time via the link in the footer of the Platform.

If you have any questions, concerns, or requests regarding this policy, your personal information, privacy rights, or potential data breaches, please contact our customer service representative. Our team is committed to promptly resolving your inquiries and ensuring compliance with applicable privacy laws.