Privacy Policy
Effective January 1, 2025 | Last revised May 9, 2026
Fairium (“GenToon”, “we”, “us”, or “the Company”) provides the GenToon service (the “Service”) and is the controller of personal data processed through it. This Privacy Policy explains what personal data we collect, why and on what legal basis we process it, who we share it with, how long we keep it, how we transfer it internationally, and the rights you have over your data.
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. For users in California and other U.S. states with applicable privacy laws, the disclosures in the “Your U.S. State Privacy Rights” section apply. Country-specific provisions required under Korean law apply only to users in the Republic of Korea and are set out separately below. If you have any question about this Policy or wish to exercise your rights, contact us at service@gentoon.ai.
1. Categories of Personal Information Collected and Methods of Collection
A. Categories Collected
| Category | Required | Optional |
|---|---|---|
| Sign-up | Email, name (provided via OAuth for social login) | Profile image |
| Payment | Card brand, last four digits of card number (via Polar) | Billing details handled by our payment provider (card brand and last four digits via Polar). We do not store full card numbers. |
| Service usage | IP address, access logs, service usage records, device information (User-Agent) | Generated content, reference images, community nickname and bio |
| Customer support | Email, inquiry content | — |
B. Methods of Collection
- Direct input during sign-up and service use on the website
- Social login via Google or Kakao OAuth
- Automatic collection during payment processing via Polar
- Automatic generation and collection through cookies, logs, and similar technologies during service use
- Collection during customer inquiries via email or the Help page
2. Purposes of Processing Personal Information
- Member management. Identity verification, prevention of unauthorized use, complaint resolution, and delivery of notices
- Service provision. AI image and script generation, project storage, character management, and community operation
- Payment and billing. Subscription payments, credit purchases, refunds, and issuance of tax receipts and invoices
- Service improvement. Usage statistics analysis, error detection (Sentry), and service quality enhancement
- Marketing (optional). Event and benefit notifications (only with prior consent)
Legal Bases for Processing (EEA / UK Users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)). To create and maintain your account, provide AI generation, project storage, character management, the community, and to process payments, subscriptions, credit purchases, and refunds. Without this data we cannot provide the Service.
- Legitimate interests (Art. 6(1)(f)). To secure the Service against fraud and abuse, detect and fix errors, maintain access and audit logs, analyse aggregate usage to improve the Service, and to enforce our Terms. We balance these interests against your rights and you may object as described in the “Your Rights” section.
- Consent (Art. 6(1)(a)). For optional marketing communications and for non-essential analytics cookies (Google Analytics, Microsoft Clarity), where consent is required in your jurisdiction. You may withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)). To retain transaction and tax records and to respond to lawful requests, where mandatory law requires it.
We do not use your prompts, uploaded reference images, or generated outputs to train AI models, and we do not carry out automated decision-making that produces legal or similarly significant effects on you.
3. Retention and Use Periods
The Company destroys personal information without delay once the purpose of processing has been fulfilled. However, where retention is required by applicable law, the information shall be securely stored for the prescribed period before destruction.
| Data | Retention Period | Legal Basis |
|---|---|---|
| Member information | Until account deletion | User consent |
| Contract and payment records | 5 years | Contract and applicable tax/accounting law (varies by jurisdiction) |
| Consumer complaint and dispute resolution records | 3 years | Contract and applicable tax/accounting law (varies by jurisdiction) |
| Access logs | 3 months | Applicable telecommunications / records-retention law |
| Tax receipt and invoice issuance records | 5 years | Applicable tax law |
Where mandatory local law imposes a specific minimum retention period, we keep the relevant records for that period and no longer. Korea-specific statutory retention periods are set out in the Korean-language Policy for users in the Republic of Korea.
4. Provision of Personal Information to Third Parties
The Company does not provide personal information to third parties without the user's consent. However, the minimum necessary information is shared with the following parties for the purpose of providing the Service.
| Recipient | Purpose | Data Provided | Retention |
|---|---|---|---|
| Polar (Global) | Global subscription / credit payment processing and refunds | Payment information, purchase amount | 5 years after transaction completion |
| Polar Software Inc. (merchant of record) | Processes global subscription and credit-pack payments, refunds, and tax handling | Payment information, purchase amount | 5 years after transaction completion |
| Google LLC | Social login, AI image generation (Gemini API) | Email and profile (for login); generation prompts and reference images (for AI generation) | Until termination of service use |
| Kakao Corp. | Social login | Email, nickname, profile image (as provided by Kakao OAuth) | Until termination of service use |
Personal information may also be disclosed where required by law, such as upon presentation of a warrant by investigative authorities.
5. Entrustment of Personal Information Processing
The Company entrusts the processing of personal information to the following service providers for the purpose of operating the Service. In each entrustment agreement, the Company ensures the safe handling of personal information in accordance with applicable data protection laws.
| Processor | Entrusted Tasks |
|---|---|
| Supabase Inc. | Database hosting, user authentication, and file storage |
| Vercel Inc. | Web application hosting and CDN |
| Google Cloud (Gemini API) | AI image and text generation |
| Upstash Inc. | Distributed caching and rate limiting (Redis) |
| Functional Software Inc. (Sentry) | Error monitoring and performance tracking |
| Resend Inc. | Email delivery |
| Google LLC (Google Analytics / GA4) | Website usage analytics and service improvement |
| Microsoft Corporation (Clarity) | User behavior analytics (heatmaps and session replay) for service improvement |
🤖 AI Model Training Disclosure
GenToon does not use your prompts, uploaded reference images, or generated outputs to train any AI model. Generation is performed via the Google Gemini API; per Google's policy, paid API calls are not used for model training. We also do not build any internal training dataset from user content. Any future change to this policy will be notified in advance and require your explicit consent.
International Data Transfers
We operate globally and use trusted infrastructure and service providers located in various countries, including the United States. As a result, your personal data may be transferred to, stored in, and processed in countries other than the one where you live, including countries whose data-protection laws may differ from those of your home country.
Where we transfer personal data of EEA, UK, or Swiss users to a country that has not received an adequacy decision, we put appropriate safeguards in place, primarily the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with technical measures such as encryption in transit. The categories of recipients and the countries involved are listed in the table below. You may request a copy of the relevant transfer safeguards by contacting service@gentoon.ai.
| Recipient | Country | Data Transferred | Method |
|---|---|---|---|
| Supabase Inc. | United States (AWS ap-northeast-2 region) | Member information, project data, files | Network transmission |
| Vercel Inc. | United States (global edge network) | Service usage logs | Network transmission |
| Google LLC | United States | Prompts, reference images | Transmitted via API calls |
| Upstash Inc. | United States | User ID or IP address (hashed) | Transmitted via API calls |
| Sentry (Functional Software Inc.) | United States | Error logs, partial user ID | Automatic SDK transmission |
Your Rights
Depending on where you live, applicable data-protection law gives you rights over your personal data. Where the GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), subject to legal retention obligations.
- Restrict processing in certain circumstances.
- Object to processing based on our legitimate interests, and to object to direct marketing at any time.
- Data portability — receive the data you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
You can exercise most of these rights directly under Settings > My Account, or by emailing service@gentoon.ai. We will respond without undue delay and within one month of receiving your request; this period may be extended by up to two further months where the request is complex or numerous, in which case we will inform you. We do not charge a fee for a reasonable request, and we verify your identity using your account before acting on a request.
You also have the right to lodge a complaint with your local data-protection supervisory authority (for example, your national authority in the EEA, or the UK Information Commissioner's Office at ico.org.uk). We would, however, appreciate the chance to address your concern first. Additional rights for California and other U.S. state residents are set out in the “Your U.S. State Privacy Rights” section below.
8. Destruction of Personal Information
- Personal information shall be destroyed without delay once the retention period has expired or the processing purpose has been achieved.
- Electronic files: Permanently deleted using methods that prevent recovery.
- Paper documents: Shredded or incinerated.
- Upon account deletion, all projects, characters, generated images, and files stored in the Service are immediately deleted. Trashed projects are permanently deleted after the 30-day retention period has elapsed.
9. Use of Cookies
The Company uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie (Supabase Auth) | Maintaining login state | End of session |
| csrf_token | CSRF attack prevention | 1 hour |
| Language preference cookie | Retaining selected language preference | Session |
| Google Analytics (GA4) cookies | Service usage analytics and service improvement | Up to 2 years |
| Microsoft Clarity cookies | User behavior analytics (heatmaps and session replay) for service improvement | Up to 1 year |
By using the Service (signing up or logging in), you are deemed to have consented to this Privacy Policy, and the analytics cookies listed above will be collected automatically. You may refuse the storage of cookies through your web browser settings. However, blocking cookies may restrict your ability to use certain features, such as logging in.
10. Measures to Ensure the Security of Personal Information
The Company implements the following measures in accordance with applicable data protection laws:
- Access control. Access to personal information is restricted to the minimum number of authorized personnel, and administrator accounts are managed via UUID-based whitelisting.
- Encryption. Passwords are stored using one-way hashing, and payment card information is processed by Polar in compliance with PCI-DSS standards. All communications are encrypted using TLS (HTTPS).
- Security headers. Security headers including HSTS, CSP, and X-Frame-Options are applied to prevent web-based attacks.
- Access restrictions. CSRF tokens, API rate limiting, and IP-based anomalous access blocking are implemented.
- Monitoring. Real-time error detection and security event monitoring are performed through Sentry.
Children's Privacy
The Service is not directed to children. You must meet the minimum age required to use online services in your country: at least 13 years old in the United States, and at least the age of digital consent in your country in the EEA and the UK (16, unless your country sets a lower age of 13, 14, or 15). Where applicable law requires it, a parent or guardian must provide or authorise consent. If we learn that we have collected personal data from a child below the applicable age without the required consent, we will delete the account and the data without undue delay. If you believe a child has provided us with personal data, contact service@gentoon.ai.
How to Contact Us About Your Data
For any privacy question, to exercise your rights, or to raise a concern, contact our data-protection contact at service@gentoon.ai. We will route your request to the person responsible for data protection and respond within the timeframe set out in the “Your Rights” section.
GenToon does not currently maintain a permanent establishment in the EEA or the UK. If we are required to appoint a representative under Article 27 of the GDPR or UK GDPR, we will update this Policy with their details. In the meantime, EEA, UK, and Swiss users may direct all data-protection requests to service@gentoon.ai, which we monitor as our primary data-protection channel.
Lodging a Complaint
You have the right to lodge a complaint with the data-protection supervisory authority in your country or state of residence. For users in the EEA, this is your national Data Protection Authority; in the UK, the Information Commissioner's Office (ICO) at ico.org.uk; in California, the California Privacy Protection Agency or the California Attorney General. You may also contact us first at service@gentoon.ai and we will work to resolve your concern.
Your U.S. State Privacy Rights (California and Other States)
If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have the right to know what personal information we collect and how we use it, to access and delete your personal information, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of the “sale” or “sharing” of personal information and of targeted advertising.
We do not sell your personal information for money. We do not knowingly “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the CPRA, except that our use of analytics cookies (Google Analytics, Microsoft Clarity) may be considered “sharing” for cross-context behavioural advertising purposes under California law. You can opt out of these analytics cookies by emailing service@gentoon.ai, or through your browser's Global Privacy Control (GPC) signal, which we honour where required.
We do not sell or share the personal information of consumers we know to be under 16. We will not discriminate against you for exercising any of these rights. To exercise your U.S. state privacy rights, or to opt out, email service@gentoon.ai with the subject line “U.S. Privacy Request” (or “Do Not Sell or Share”); we will verify your request using your account before responding. You may use an authorized agent to submit a request on your behalf. We will respond within the time required by law (generally 45 days, extendable once where permitted).
14. Changes to This Policy
- This Privacy Policy may be amended due to changes in applicable laws, regulations, or internal policies of the Company.
- Any amendments will be announced within the Service at least 7 days prior to the effective date of the change.
- This Policy has been in effect since January 1, 2025. The revision dated May 9, 2026 takes effect on the same date.
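15. Message Retention Policy
The Company applies different retention periods depending on the type of message a user sends within the Service.
AI Character Conversations
Conversation records with AI characters are retained permanently until the user deletes them. To maintain storage efficiency, conversations that have not been accessed for more than one year (365 days) are automatically moved to the archive, and messages that have not been accessed for more than two years (730 days) are automatically and permanently deleted. Messages that the user has marked as frequently used (favorited) are excluded from automatic deletion and are retained until the user removes the mark.
Direct Messages Between Users (DM)
Direct messages between users are automatically and permanently deleted 180 days after they are sent. However, messages that have been reported or placed under review for violating the Terms of Service are retained separately until the dispute is resolved, or for the period required by applicable laws and regulations.
User-Initiated Deletion
When a user deletes a message, conversation, or account, the related data (including backups) is immediately and permanently deleted (hard delete). Payment and transaction records that must be retained under accounting, tax, or dispute-resolution laws and regulations are retained separately in accordance with Section 3 of this Policy.
Access Records (AuditLog)
Access and security logs (including IP address, User-Agent, and timestamp) are retained for a limited period (up to one (1) year) to protect the Service, prevent fraud, and respond to lawful requests, after which they are automatically deleted. If the local law of your country prescribes a specific log retention period, we will apply that period to the relevant users.
Cooperation with Law Enforcement and Government Authorities
The Company is committed to protecting users' personal data; however, where a government authority makes a lawful request through due process, the Company will cooperate to the extent permitted by applicable laws and regulations.
Legal Process
When an investigative authority, court, or other competent government authority presents a valid search warrant, court order, subpoena, or equivalent legal document requesting data, we disclose only the minimum necessary information to the extent required by applicable law. We do not respond to informal requests that are not accompanied by valid legal process.
User Notice
When we disclose user information to a government authority, we will make reasonable efforts to notify affected users to the extent permitted by applicable law. Notice may be delayed or withheld where a competent authority lawfully prohibits disclosure, or where notice could materially impede an investigation or legal proceeding.
User Rights
To the extent provided by applicable law, you may request information about disclosures we have made to government authorities. If you believe a disclosure was unlawful, you may seek the remedies available under the data-protection law of your jurisdiction, including lodging a complaint with your supervisory authority. Please send related inquiries to service@gentoon.ai.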