Privacy Policy
Effective January 1, 2025 | Last revised May 9, 2026
Fairium (“GenToon”, “we”, “us”, or “the Company”) provides the GenToon service (the “Service”) and is the controller of personal data processed through it. This Privacy Policy explains what personal data we collect, why and on what legal basis we process it, who we share it with, how long we keep it, how we transfer it internationally, and the rights you have over your data.
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. For users in California and other U.S. states with applicable privacy laws, the disclosures in the “Your U.S. State Privacy Rights” section apply. Country-specific provisions required under Korean law apply only to users in the Republic of Korea and are set out separately below. If you have any question about this Policy or wish to exercise your rights, contact us at service@gentoon.ai.
1. Categories of Personal Information Collected and Methods of Collection
A. Categories Collected
| Category | Required | Optional |
|---|---|---|
| Sign-up | Email, name (provided via OAuth for social login) | Profile image |
| Payment | Card brand, last four digits of card number (via Polar) | Billing details handled by our payment provider (card brand and last four digits via Polar). We do not store full card numbers. |
| Service usage | IP address, access logs, service usage records, device information (User-Agent) | Generated content, reference images, community nickname and bio |
| Customer support | Email, inquiry content | — |
B. Methods of Collection
- Direct input during sign-up and service use on the website
- Social login via Google or Kakao OAuth
- Automatic collection during payment processing via Polar
- Automatic generation and collection through cookies, logs, and similar technologies during service use
- Collection during customer inquiries via email or the Help page
2. Purposes of Processing Personal Information
- Member management. Identity verification, prevention of unauthorized use, complaint resolution, and delivery of notices
- Service provision. AI image and script generation, project storage, character management, and community operation
- Payment and billing. Subscription payments, credit purchases, refunds, and issuance of tax receipts and invoices
- Service improvement. Usage statistics analysis, error detection (Sentry), and service quality enhancement
- Marketing (optional). Event and benefit notifications (only with prior consent)
Legal Bases for Processing (EEA / UK Users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)). To create and maintain your account, provide AI generation, project storage, character management, the community, and to process payments, subscriptions, credit purchases, and refunds. Without this data we cannot provide the Service.
- Legitimate interests (Art. 6(1)(f)). To secure the Service against fraud and abuse, detect and fix errors, maintain access and audit logs, analyse aggregate usage to improve the Service, and to enforce our Terms. We balance these interests against your rights and you may object as described in the “Your Rights” section.
- Consent (Art. 6(1)(a)). For optional marketing communications and for non-essential analytics cookies (Google Analytics, Microsoft Clarity), where consent is required in your jurisdiction. You may withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)). To retain transaction and tax records and to respond to lawful requests, where mandatory law requires it.
We do not use your prompts, uploaded reference images, or generated outputs to train AI models, and we do not carry out automated decision-making that produces legal or similarly significant effects on you.
3. Retention and Use Periods
The Company destroys personal information without delay once the purpose of processing has been fulfilled. However, where retention is required by applicable law, the information shall be securely stored for the prescribed period before destruction.
| Data | Retention Period | Legal Basis |
|---|---|---|
| Member information | Until account deletion | User consent |
| Contract and payment records | 5 years | Contract and applicable tax/accounting law (varies by jurisdiction) |
| Consumer complaint and dispute resolution records | 3 years | Contract and applicable tax/accounting law (varies by jurisdiction) |
| Access logs | 3 months | Applicable telecommunications / records-retention law |
| Tax receipt and invoice issuance records | 5 years | Applicable tax law |
Where mandatory local law imposes a specific minimum retention period, we keep the relevant records for that period and no longer. Korea-specific statutory retention periods are set out in the Korean-language Policy for users in the Republic of Korea.
4. Provision of Personal Information to Third Parties
The Company does not provide personal information to third parties without the user's consent. However, the minimum necessary information is shared with the following parties for the purpose of providing the Service.
| Recipient | Purpose | Data Provided | Retention |
|---|---|---|---|
| Polar (Global) | Global subscription / credit payment processing and refunds | Payment information, purchase amount | 5 years after transaction completion |
| Polar Software Inc. (merchant of record) | Processes global subscription and credit-pack payments, refunds, and tax handling | Payment information, purchase amount | 5 years after transaction completion |
| Google LLC | Social login, AI image generation (Gemini API) | Email and profile (for login); generation prompts and reference images (for AI generation) | Until termination of service use |
| Kakao Corp. | Social login | Email, nickname, profile image (as provided by Kakao OAuth) | Until termination of service use |
Personal information may also be disclosed where required by law, such as upon presentation of a warrant by investigative authorities.
5. Entrustment of Personal Information Processing
The Company entrusts the processing of personal information to the following service providers for the purpose of operating the Service. In each entrustment agreement, the Company ensures the safe handling of personal information in accordance with applicable data protection laws.
| Processor | Entrusted Tasks |
|---|---|
| Supabase Inc. | Database hosting, user authentication, and file storage |
| Vercel Inc. | Web application hosting and CDN |
| Google Cloud (Gemini API) | AI image and text generation |
| Upstash Inc. | Distributed caching and rate limiting (Redis) |
| Functional Software Inc. (Sentry) | Error monitoring and performance tracking |
| Resend Inc. | Email delivery |
| Google LLC (Google Analytics / GA4) | Website usage analytics and service improvement |
| Microsoft Corporation (Clarity) | User behavior analytics (heatmaps and session replay) for service improvement |
🤖 AI Model Training Disclosure
GenToon does not use your prompts, uploaded reference images, or generated outputs to train any AI model. Generation is performed via the Google Gemini API; per Google's policy, paid API calls are not used for model training. We also do not build any internal training dataset from user content. Any future change to this policy will be notified in advance and require your explicit consent.
International Data Transfers
We operate globally and use trusted infrastructure and service providers located in various countries, including the United States. As a result, your personal data may be transferred to, stored in, and processed in countries other than the one where you live, including countries whose data-protection laws may differ from those of your home country.
Where we transfer personal data of EEA, UK, or Swiss users to a country that has not received an adequacy decision, we put appropriate safeguards in place, primarily the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with technical measures such as encryption in transit. The categories of recipients and the countries involved are listed in the table below. You may request a copy of the relevant transfer safeguards by contacting service@gentoon.ai.
| Recipient | Country | Data Transferred | Method |
|---|---|---|---|
| Supabase Inc. | United States (AWS ap-northeast-2 region) | Member information, project data, files | Network transmission |
| Vercel Inc. | United States (global edge network) | Service usage logs | Network transmission |
| Google LLC | United States | Prompts, reference images | Transmitted via API calls |
| Upstash Inc. | United States | User ID or IP address (hashed) | Transmitted via API calls |
| Sentry (Functional Software Inc.) | United States | Error logs, partial user ID | Automatic SDK transmission |
Your Rights
Depending on where you live, applicable data-protection law gives you rights over your personal data. Where the GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), subject to legal retention obligations.
- Restrict processing in certain circumstances.
- Object to processing based on our legitimate interests, and to object to direct marketing at any time.
- Data portability — receive the data you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
You can exercise most of these rights directly under Settings > My Account, or by emailing service@gentoon.ai. We will respond without undue delay and within one month of receiving your request; this period may be extended by up to two further months where the request is complex or numerous, in which case we will inform you. We do not charge a fee for a reasonable request, and we verify your identity using your account before acting on a request.
You also have the right to lodge a complaint with your local data-protection supervisory authority (for example, your national authority in the EEA, or the UK Information Commissioner's Office at ico.org.uk). We would, however, appreciate the chance to address your concern first. Additional rights for California and other U.S. state residents are set out in the “Your U.S. State Privacy Rights” section below.
8. Destruction of Personal Information
- Personal information shall be destroyed without delay once the retention period has expired or the processing purpose has been achieved.
- Electronic files: Permanently deleted using methods that prevent recovery.
- Paper documents: Shredded or incinerated.
- Upon account deletion, all projects, characters, generated images, and files stored in the Service are immediately deleted. Trashed projects are permanently deleted after the 30-day retention period has elapsed.
9. Use of Cookies
The Company uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie (Supabase Auth) | Maintaining login state | End of session |
| csrf_token | CSRF attack prevention | 1 hour |
| Language preference cookie | Retaining selected language preference | Session |
| Google Analytics (GA4) cookies | Service usage analytics and service improvement | Up to 2 years |
| Microsoft Clarity cookies | User behavior analytics (heatmaps and session replay) for service improvement | Up to 1 year |
By using the Service (signing up or logging in), you are deemed to have consented to this Privacy Policy, and the analytics cookies listed above will be collected automatically. You may refuse the storage of cookies through your web browser settings. However, blocking cookies may restrict your ability to use certain features, such as logging in.
10. Measures to Ensure the Security of Personal Information
The Company implements the following measures in accordance with applicable data protection laws:
- Access control. Access to personal information is restricted to the minimum number of authorized personnel, and administrator accounts are managed via UUID-based whitelisting.
- Encryption. Passwords are stored using one-way hashing, and payment card information is processed by Polar in compliance with PCI-DSS standards. All communications are encrypted using TLS (HTTPS).
- Security headers. Security headers including HSTS, CSP, and X-Frame-Options are applied to prevent web-based attacks.
- Access restrictions. CSRF tokens, API rate limiting, and IP-based anomalous access blocking are implemented.
- Monitoring. Real-time error detection and security event monitoring are performed through Sentry.
Children's Privacy
The Service is not directed to children. You must meet the minimum age required to use online services in your country: at least 13 years old in the United States, and at least the age of digital consent in your country in the EEA and the UK (16, unless your country sets a lower age of 13, 14, or 15). Where applicable law requires it, a parent or guardian must provide or authorise consent. If we learn that we have collected personal data from a child below the applicable age without the required consent, we will delete the account and the data without undue delay. If you believe a child has provided us with personal data, contact service@gentoon.ai.
How to Contact Us About Your Data
For any privacy question, to exercise your rights, or to raise a concern, contact our data-protection contact at service@gentoon.ai. We will route your request to the person responsible for data protection and respond within the timeframe set out in the “Your Rights” section.
GenToon does not currently maintain a permanent establishment in the EEA or the UK. If we are required to appoint a representative under Article 27 of the GDPR or UK GDPR, we will update this Policy with their details. In the meantime, EEA, UK, and Swiss users may direct all data-protection requests to service@gentoon.ai, which we monitor as our primary data-protection channel.
Lodging a Complaint
You have the right to lodge a complaint with the data-protection supervisory authority in your country or state of residence. For users in the EEA, this is your national Data Protection Authority; in the UK, the Information Commissioner's Office (ICO) at ico.org.uk; in California, the California Privacy Protection Agency or the California Attorney General. You may also contact us first at service@gentoon.ai and we will work to resolve your concern.
Your U.S. State Privacy Rights (California and Other States)
If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have the right to know what personal information we collect and how we use it, to access and delete your personal information, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of the “sale” or “sharing” of personal information and of targeted advertising.
We do not sell your personal information for money. We do not knowingly “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the CPRA, except that our use of analytics cookies (Google Analytics, Microsoft Clarity) may be considered “sharing” for cross-context behavioural advertising purposes under California law. You can opt out of these analytics cookies by emailing service@gentoon.ai, or through your browser's Global Privacy Control (GPC) signal, which we honour where required.
We do not sell or share the personal information of consumers we know to be under 16. We will not discriminate against you for exercising any of these rights. To exercise your U.S. state privacy rights, or to opt out, email service@gentoon.ai with the subject line “U.S. Privacy Request” (or “Do Not Sell or Share”); we will verify your request using your account before responding. You may use an authorized agent to submit a request on your behalf. We will respond within the time required by law (generally 45 days, extendable once where permitted).
14. Changes to This Policy
- This Privacy Policy may be amended due to changes in applicable laws, regulations, or internal policies of the Company.
- Any amendments will be announced within the Service at least 7 days prior to the effective date of the change.
- This Policy has been in effect since January 1, 2025. The revision dated May 9, 2026 takes effect on the same date.
15. Message Retention Policy
The Company applies different retention periods depending on the type of messages exchanged within the Service.
Chat with AI Characters
Conversations with AI characters are retained indefinitely until the user deletes them. To optimize storage, sessions with no activity for one year (365 days) are automatically archived, and messages with no activity for two years (730 days) are permanently deleted. Messages marked as favorites are excluded from automatic deletion and are retained until the user unmarks them.
Direct Messages Between Users (DMs)
Direct messages between users are permanently deleted 180 days after they are sent. Messages reported for violating the terms of service or flagged for moderation are retained separately until the report is resolved, or for the period required by applicable law for dispute resolution and legal compliance.
User-Initiated Deletion
When you delete a message, a conversation, or your account, the corresponding data is permanently deleted (hard delete), including backups, without delay. Payment and transaction records that accounting, tax, or dispute-resolution law requires us to retain are kept separately in accordance with Section 3 of this Policy.
Access Logs (AuditLog)
Access and security logs, including IP address, User-Agent, and timestamp, are retained for a limited period (up to one (1) year) to protect the Service, prevent fraud, and respond to legal requests, after which they are automatically deleted. Where the local law of your country imposes a specific log-retention period, we will apply that period to the relevant users.
Cooperation with Law Enforcement and Government Authorities
The Company is committed to protecting users' personal information; however, when a government authority submits a lawful request following due process, the Company will cooperate within the scope permitted by applicable law.
Legal Process
When an investigative authority, a court, or another competent government body requests data by presenting a valid warrant, a court order, a subpoena, or an equivalent legal instrument, we will disclose only the minimum information necessary and only to the extent required by applicable law. We do not respond to informal requests that are not supported by valid legal process.
User Notification
When we disclose user information to a government authority, we will make reasonable efforts to notify the affected user, to the extent permitted by applicable law. Notification may be delayed or withheld where a competent authority legally prohibits disclosure, or where notification could substantially obstruct an investigation or legal proceeding.
User Rights
You may request information about the disclosures we have made to government authorities, subject to applicable law. If you believe a disclosure was unlawful, you may pursue the remedies available under the data-protection law of your jurisdiction, including lodging a complaint with your supervisory authority. For related inquiries, contact us at service@gentoon.ai.