Effective Date: 2025-12-26

Last Updated: 2025-12-26

AI AVATAR (“Company,” “we,” “our,” or “us”) operates the mobile application AI AVATAR (AIA) and related websites, software, and online services (collectively, the “Services”). This Privacy Policy explains how and why we collect, use, disclose, transfer, and safeguard personal information when you use the Services, and describes your legal rights under applicable privacy and data protection laws.

By accessing or using the Services, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please uninstall the application and discontinue use.

1. Scope and Applicability

This Privacy Policy applies to all users worldwide who download, install, register for, or otherwise use the Services. It governs information collected through: the AI AVATAR (AIA) mobile application, official websites operated by us, customer support channels, promotional campaigns, and social media integrations (where enabled by you).

This Privacy Policy does not apply to information collected offline, information related to employees/contractors/job applicants, or information processed by third-party platforms beyond our control.

2. Definitions

For purposes of this Policy:

• “Personal Information” (also “personal data”) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) to an individual.
• “Sensitive Personal Information” means categories of personal information subject to enhanced protection requirements under applicable laws. This may include biometric data (e.g., facial embeddings), precise geolocation, and other sensitive categories depending on jurisdiction.

Information We Collect

We collect information in three ways: (a) information you provide directly, (b) information collected automatically, and (c) information from third parties.

3.a. Information You Provide Directly

Depending on the features you use, you may provide:

Ordinary (non-sensitive) personal information

• Account & profile: name/display name, email, phone number (if provided), date of birth/age declaration (for age gating), country/region, password (if applicable), and account preferences.
• Communications: messages to customer support, survey responses, and feedback.
• Avatar content (non-biometric): avatar name, avatar image outputs you save, prompts/instructions you type, and content you choose to upload (e.g., images) for generating avatar content.
• Payment and transaction records: purchases, subscription status, transaction identifiers, and entitlement status. (Payment card details are processed by the app store or payment provider, not stored by us.)

Sensitive personal information

• Audio/voice data: voice recordings you upload or record; voice characteristics necessary to generate requested voice features.
• Video data: videos you upload or record (may include face/voice), used to generate avatar video outputs.
• Facial data / biometric-derived data (“Face Data”): face images you upload/record, facial landmarks/key points, and face embeddings used to generate or animate your AI avatar. We do not use face data to identify you outside the app, and we do not use face data for ads/marketing or unrelated profiling.

3.b. Information Collected Automatically

When you use the Services, we may automatically collect:

• Device & app information: device model, OS version, app version, language, time zone, network type, and performance data (including crash logs).
• Identifiers: device identifiers and advertising identifiers where permitted (e.g., IDFA/GAID) and similar SDK identifiers.
• Log and security data: IP address, approximate location inferred from IP, timestamps, and events relevant to service integrity/security.
• Usage analytics: feature usage, session frequency/duration, screens viewed, and in-app interactions used to improve stability and user experience.

Precise geolocation is collected only if you explicitly enable it in your device settings, and we do not share precise location with third parties unless necessary to provide the Service or required by law.

3.c. Information from Third Parties

We may receive information from:

• Authentication providers: if you sign in using Apple/Google/Facebook (as available), we may receive basic profile data as permitted by you and the provider.
• App marketplaces: Apple App Store / Google Play may provide purchase verification information needed to confirm entitlements.
• Analytics/advertising partners: aggregated or event-level insights where legally permitted.

3.d. AI-generated and derived data

To operate AI features, we may generate and store:

• Avatar outputs: generated avatar images/videos, animation parameters, rendering artifacts.
• Derived/feature data: embeddings or feature vectors derived from your media (e.g., face/voice) used inside the Service to deliver avatar features.
• Safety and quality signals: content moderation results, abuse/fraud signals, and model quality metrics.

We use these data only for the purposes described in Section 4.

4. Purposes of Processing

We process personal information for the following purposes and legal bases (where GDPR/UK GDPR applies). For Vietnam (Decree 13) and other jurisdictions, we process personal data based on consent and other grounds permitted by law, and we provide the mapping below for transparency.

• 1. To provide, operate, and maintain the Services (core functionality).

  Data used: account data, device data, required avatar content.

  Legal basis: performance of a contract (service delivery).

• 2. To generate and deliver AI avatar features you request (image/video/voice/avatar creation).

  Data used: uploaded images, avatar images, audio/voice recordings, videos, Face Data, derived/AI-generated data.

  Legal basis: performance of a contract; consent/explicit consent where required for sensitive/biometric processing.

• 3. To personalize your experience (settings, recommendations, feature tuning).

  Data used: usage analytics, preferences, device data, AI-derived personalization signals.

  Legal basis: legitimate interests (improving user experience) and/or contract; consent where required by local law.

• 4. To process payments, verify entitlements, and manage subscriptions/refunds.

  Data used: transaction identifiers, purchase records, subscription status.

  Legal basis: contract; legal obligation (accounting/tax) where applicable.

• 5. To communicate important notices (security alerts, technical updates, policy/terms changes).

  Data used: account contact info, device tokens for push notification (if enabled).

  Legal basis: contract; legitimate interests (service communications).

• 6. To conduct analytics to improve the Services and AI algorithms (clear scope).

  We analyze aggregated usage patterns (e.g., which features crash, latency, which avatar steps fail) to improve app stability and AI output quality.

  Data used: performance logs, crash data, usage analytics, aggregated/de-identified AI quality metrics.

  Legal basis: legitimate interests (service improvement). If local law requires consent for certain analytics identifiers, we rely on consent.

• 7. To prevent, detect, and investigate fraud, unauthorized use, and security incidents.

  Data used: logs, device identifiers, security events, abuse signals.

  Legal basis: legitimate interests (security).

• 8. Marketing and promotional activities (only where consent is obtained or permitted by law).

  Data used: email/push token, marketing preferences, limited attribution data.

  Legal basis: consent (opt-in where required). You can withdraw consent at any time (Section 10).

• 9. To comply with legal obligations and respond to lawful requests.

  Data used: data required to comply with law, court orders, or regulator/law enforcement requests.

  Legal basis: legal obligation.

5. User Media, Voice, Face Data, and Avatar Outputs

• You may create or upload audio, voice recordings, images, and videos to generate avatar outputs within the Services. These remain associated with your account and are not made public by us unless you choose to export/share them.
• When you export/share content to external platforms (e.g., social media), those platforms’ privacy policies apply.
• Face Data: We collect Face Data only to create and animate your AI avatar, apply effects, improve performance (in anonymized/aggregated form where feasible), and maintain safety/prevent misuse. We do not use face data for ads, marketing, or unrelated profiling.
• No sale of Face Data: We never sell your face data or share it with advertisers.

6. Advertising and Monetization

At present, monetization of the Services is primarily through in-app purchases and/or subscriptions. Payment details are processed by app marketplaces or payment providers and not stored directly by the Company.

If we enable targeted advertising in the future, where required by law we will obtain your prior consent before activating targeted advertising features. You can manage ad preferences by limiting ad tracking, resetting advertising identifiers, or withdrawing consent through device settings or in-app privacy settings (where available).

7. Sharing and Disclosure

We do not sell personal information.

We may share personal information with the following categories of recipients, subject to appropriate safeguards such as data processing agreements, confidentiality obligations, and access controls:

• 1. Affiliates / group entities (if applicable): for internal operations and administration.
• 2. Service providers (processors): cloud hosting, storage, AI inference infrastructure, analytics, crash reporting, customer support, communications (email/SMS), and payment verification.
• 3. Payment services / marketplaces: Apple App Store, Google Play, and/or other payment provider(s) for purchase verification and subscription management.
• 4. Advertising/attribution partners (if enabled): only the minimum identifiers/events required for attribution and measurement, and not Face Data.
• 5. Legal authorities: when required by law, court order, or regulator request.
• 6. Corporate transactions: in merger/acquisition/reorganization or sale of assets.

Face Data sharing rule: We only share Face Data with service providers who help process/store it securely and with legal authorities if required by law.

8. Minors / Children’s Data

The Services are not intended for children under 13 years old without verified parental/guardian consent, depending on jurisdiction.

Age verification: We implement age-gating during onboarding and may request additional verification where required.

Vietnam (Decree 13): We obtain consent in the manner required for children’s data and apply enhanced safeguards.

United States (COPPA): For children under 13, we require verifiable parental consent before collecting personal information.

If we learn we have collected children’s data without required consent, we will delete it promptly and restrict/terminate access as appropriate.

9. International Data Transfers

The Company may store and process personal data in Japan, Singapore, or other jurisdictions where we and our service providers operate.

Where personal data is transferred internationally, we implement appropriate safeguards consistent with applicable laws, including GDPR Article 46 safeguards such as Standard Contractual Clauses (SCCs) where applicable.

Your rights: Where applicable, you may object to certain processing (including some transfers). If the transfer is necessary to provide core Services, we may be unable to continue providing some features if you object.

10. Your Rights and How to Exercise Them

Depending on your location, you may have rights such as access, correction, deletion, restriction, objection, portability, and withdrawal of consent.

How to submit a request

Submit requests by email: [email protected] and include: your account identifier (email / user ID), the specific right you want to exercise, the data category/feature involved (e.g., “Face Data deletion”), approximate dates, and information needed to verify identity (we may request reasonable verification to protect your account).

Response timeframes

• GDPR: without undue delay and generally within 1 month, with possible extension by 2 months for complex requests.
• Vietnam (Decree 13): certain requests such as restriction and objection must be acted on within 72 hours (unless otherwise provided by law).

Where processing is based on consent (e.g., marketing, optional identifiers), you can withdraw consent at any time through: in-app privacy settings (if available), device settings (e.g., ad tracking limits), and/or contacting us at [email protected].

Withdrawal does not affect the lawfulness of processing before withdrawal.

11. Security, Data Protection by Design, and DPIA / Impact Assessments

We employ technical and organizational measures designed to protect personal data against unauthorized access, destruction, loss, alteration, or disclosure. These measures include encryption in transit, access controls, secure hosting arrangements, and periodic security reviews.

Data protection by design: We apply privacy and security controls during feature design and development, including role-based access, data minimization, and logging.

Impact assessments: Before deploying new AI features that may introduce higher privacy risks, we conduct and document data protection impact assessments (DPIA) or equivalent assessments where required, and implement additional safeguards.

No system is 100% secure; you are responsible for safeguarding your account credentials and device access.

12. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing and improving our services, maintaining security, complying with legal obligations, resolving disputes, enforcing agreements, and ensuring business continuity.

Retention periods vary depending on the nature of the data, how it is used, applicable legal or regulatory requirements, and operational needs. Where appropriate, we retain data in aggregated, anonymized, or de-identified form to minimize privacy impact.

Certain information may be retained beyond account closure where required or permitted by law, or where reasonably necessary for legitimate business purposes, subject to appropriate safeguards.

13. Third-Party Services

The Services may contain links to or integrations with third-party websites, platforms, or applications (e.g., social media, app stores). We are not responsible for third-party privacy practices. Please review their policies before interacting or sharing data.

Google APIs (if used): Our use and transfer of information received from Google APIs will follow Google API Services User Data Policy. If you connect to YouTube, we may store only your YouTube channel link in your profile and do not share that YouTube data with third-party AI platforms.

14. Amendments

We may update this Privacy Policy periodically. Material changes will be communicated through reasonable means such as in-app notifications, email (if available), or prominent posting. The revised version is effective as of the date indicated above. Continued use of the Services constitutes acceptance of the updated Policy.

14A. Legal Bases for Processing (GDPR / UK GDPR and related frameworks)

Where applicable, we rely on:

• Consent (e.g., marketing; optional identifiers; sensitive processing where required)
• Contractual necessity (to provide the Services you request, including avatar generation and subscriptions)
• Legal obligation (compliance with laws, lawful requests)
• Legitimate interests (security, fraud prevention, service quality improvement)

You may have the right to object to processing based on legitimate interests (Section 10).

15. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of Japan. Mandatory consumer and data protection laws of your country/region of residence will also apply where required.

16. Contact Information and Complaints

If you have questions, concerns, or requests related to this Privacy Policy or the processing of your personal information, please contact [email protected]

Complaints to authorities:

• EEA/UK: you may lodge a complaint with your local supervisory authority (DPA).
• Vietnam: Decree 13 assigns state management/authority functions to the Ministry of Public Security (Department A05) regarding personal data protection oversight.