1. Information We Collect

• Account & Contact: Name, email, password (hashed), country or region; if using Google Sign-In, minimal profile data needed for authentication.
• Usage & Device: IP address, device or browser information, access logs, Cookies or similar technologies, in-app actions.
• AI Interaction Data: User Input (ideas, prompts) and AI-generated Outputs.
• Billing: Subscription status, plan, transaction identifiers via Stripe (we do not store raw card numbers).

2. Purposes of Processing

We process data to: (a) provide and operate the Service; (b) authenticate users and secure the Service; (c) analyze usage and improve features; (d) process payments and invoices; (e) communicate important notices; (f) prevent fraud and abuse; and (g) comply with laws.

3. Legal Bases (GDPR)

Where the GDPR applies, our legal bases include contract performance, legitimate interests (security and quality improvement), consent (for example, analytics or advertising cookies where required), and legal obligations.

4. Cookies and Analytics

We use Cookies and similar technologies for essential operations and, with consent where required, for analytics such as Google Analytics. You can manage preferences in your browser or via our consent banner. IP anonymization and opt-out options are supported where applicable.

5. Sub-processors and Third Parties

We use trusted providers to operate the Service, including Supabase (data and auth), Vercel (hosting), Stripe (payments), Anthropic API / OpenAI API (AI processing), Google Analytics (analytics), Resend (email), and Google Cloud Platform (infrastructure). We will maintain a Sub-processor List and provide notice of material changes via the Service or email.

6. International Data Transfers

Your data may be processed outside your country. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses. A copy or description of safeguards is available upon request.

7. Data Retention

• Account data: deleted within ninety days after account deletion, unless retention is required by law.
• Billing and tax records: retained up to seven years (or as required by applicable law).
• Security and audit logs: retained up to twelve months.
• Projects or Outputs: deletable by users; upon account deletion we remove them within ninety days.

8. Model Training Policy

By default, we do not use your User Input or Outputs to train model parameters. We may retain minimal logs for security, troubleshooting, or quality evaluation. If we later wish to use data for training, we will first obtain explicit consent.

9. Sharing and Disclosure

We do not sell personal information. We disclose information to sub-processors under contract, to authorities when legally required, in emergencies to protect rights, property, or safety, and in connection with corporate transactions subject to safeguards.

10. CCPA/CPRA Disclosures (California)

We do not "sell" or "share" personal information as defined by the CCPA or CPRA. California residents have the right to know, delete, correct, and to limit use of sensitive data, subject to verification. An authorized agent may act on your behalf with proper authorization and identity verification.

11. Your Rights

Subject to applicable law, you may request access, rectification, deletion, restriction, objection, and data portability. We will respond within the time limits required by law (for example, GDPR one month, CCPA forty-five days, extendable). We will verify your identity via your registered email or other reasonable means.

12. Children’s Privacy

The Service is not intended for children under thirteen, or a higher age where applicable. We do not knowingly collect personal information from children without parental consent.

13. Security

We implement appropriate technical and organizational measures, including access controls, encryption in transit, and monitoring. No method is one hundred percent secure, but we work to protect your data against unauthorized access and disclosure.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via the Service or email. Continued use after the effective date constitutes acceptance.

15. Contact Us

16. Governing Law, Venue, and Language

This Policy is governed by the laws of Japan.

Disputes shall be brought exclusively in the Tokyo District Court. In the event of inconsistencies, the Japanese version prevails over translations.