Privacy Policy

This Privacy Policy ("Policy") governs the collection, use, storage, disclosure, and protection of personal information of users ("You", "User") who access or use our website (https://playyy.ai/) and related services (collectively, the "Services"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), Switzerland, and the UK; the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) for users in California; the Personal Data Protection Act (PDPA) of Singapore; and other relevant local regulations.

Nothing in this Policy limits your rights under applicable local laws. Where there is a conflict, mandatory local law will prevail.

By using the Services, you acknowledge that you have read, understood, and agreed to the collection and processing of your personal information as described in this Policy. If you do not agree with this Policy, please do not use the Services.

We collect information from you through multiple channels, which is categorized as follows:

We use the collected information for the following legitimate purposes:

1. Provide, operate, and maintain the Services (e.g., account management, Content storage, template retrieval, technical support for AI image editing).
2. Improve, personalize, and expand the Services (e.g., analyzing usage patterns and template preferences to optimize features, developing new AI editing tools and template categories, providing personalized template recommendations).
3. Train and enhance our AI models ONLY IF you provide your explicit consent (we do NOT use your User-Generated Content for AI model training by default); user-generated Content will not be used for model training without prior authorization.
4. Content moderation and security filtering: To comply with applicable laws, platform policies, and prevent abuse (e.g., detecting illegal, harmful, or infringing Content).
5. Quality and abuse detection: To identify and prevent spam, bulk scraping of templates, or improper use of the Services.
6. Communicate with you: Send service updates, technical notices, marketing communications (you can opt out at any time), and respond to your inquiries. For marketing communications (e.g., email campaigns), we will obtain your consent where required by law and provide a clear opt-out mechanism.
7. Process transactions: Facilitate payment processing, issue invoices, and manage subscription plans (once available).
8. Ensure security and prevent fraud: Detect and address security threats, technical issues, illegal activities, and unauthorized access to your account.
9. Comply with legal obligations: Respond to legal requests, enforce our Terms of Use, and comply with applicable laws and regulations.

For users in the EEA, Switzerland, and the UK, we process your personal information based on the following legal bases:

• Performance of a contract: To provide the Services you requested.
• Compliance with legal obligations: To meet statutory requirements (e.g., tax, anti-fraud).
• Legitimate interests: To operate and improve the Services, protect user safety, and prevent abuse (without overriding your rights).
• Consent: For activities such as marketing communications or model training (we do NOT use your personal information/UGC for AI model training by default, you may withdraw consent at any time).

Personalization and recommendations may involve profiling based on your usage. You may object to such processing where it is based on legitimate interests by contacting us at support@adastralab.ai.

We will not sell, rent, or lease your personal information to third parties for commercial purposes without your consent. We may share your information in the following circumstances:

1. Third-Party Service Providers: With vendors or partners who assist us in providing the Services, including:

• Cloud hosting and CDN providers;
• Payment processors;
• Analytics providers;
• Customer support tools;
• Email communication providers;
• Fraud prevention and security monitoring services.

We only share the minimum necessary information with the above third parties for the specified business purposes, and the specific corresponding relationships are: (1) Cloud hosting/CDN providers: share device information and UGC Content for service deployment and content storage; (2) Payment processors: share payment information and basic account information for transaction processing; (3) Analytics providers: share anonymized usage data and template usage data for service optimization; (4) Customer support tools: share contact information and support conversation content for handling user inquiries; (5) Email communication providers: share email address for sending service notices and marketing communications (where consent is obtained); (6) Fraud prevention and security monitoring services: share device fingerprint, login logs and usage data for fraud detection and account security.

These third parties are bound by confidentiality agreements and data processing agreements (DPAs), and may only use your information to perform assigned tasks. We require processors to provide appropriate safeguards and process data only on our instructions.

1. Legal Requirements: To comply with applicable laws, regulations, legal processes, or governmental requests (e.g., subpoenas, court orders).
2. Business Transfers: In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of the business assets to the acquiring party.
3. Security and Safety: To protect our rights, property, or safety, as well as the rights, safety, or well-being of users or the public (e.g., addressing fraud, harassment, or illegal activities).
4. With Your Consent: To share information with third parties at your explicit request or direction.

• Storage Location: We may store and process personal data in Singapore and other countries where we or our service providers operate data centers. The exact storage location may vary depending on your region and the services used.
• Cross-Border Transfers: Where we transfer personal data from the EEA/UK/Switzerland to countries not deemed adequate, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) (2021 version) and, where applicable, supplementary measures and transfer impact assessments. Where available, we may rely on the EU-U.S. Data Privacy Framework for certified recipients.

We generally retain your information for as long as it is necessary to serve the purpose(s) for which such information was collected, including to provide you with the Services. However, there are occasions where we are likely to keep this information longer in accordance with our legal obligations or where it is necessary for the establishment, exercise, or defense of legal claims.

We specify the reference maximum retention period of various types of data under normal circumstances in the following table, and all data retention shall not exceed the reasonable and necessary scope required for the business purpose:

Note: The above are the reference maximum retention periods under normal circumstances. We may extend the retention period only to the extent necessary to comply with applicable legal obligations or to establish, exercise, or defend legal claims. All retained data shall be limited to the scope of the aforementioned purposes and shall not be used for any other unrelated business. After the retention period expires, we will perform irreversible anonymization or permanent deletion of the data, and the anonymized data will not be used to identify individual users.

After you have terminated your use of our Services, we may store your information in an aggregated and anonymized format. Notwithstanding the foregoing, we may also retain any information as reasonably necessary to comply with our legal obligations, to allow us to resolve and litigate disputes, and to enforce our agreements.

We will regularly review the retention period of personal information, and delete or anonymize the personal information that is no longer necessary for business purposes and compliance with laws in a timely manner.

We implement technical, administrative, and physical security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction:

• Encryption: Data at rest is encrypted using AES-256; data in transit is protected via TLS 1.2+.
• Access Control: Role-based access control (RBAC) restricts system access to authorized personnel only.
• Security Program: We maintain a security program aligned with industry standards (e.g., NIST Cybersecurity Framework). Additional details may be provided under non-disclosure agreement (NDA) upon request.
• Incident Response: We maintain an incident response plan aligned with ISO/IEC 27035 guidelines; prompt notification of data breaches if they pose a risk to your rights.

Note: No internet service is 100% secure. We cannot guarantee absolute security, but we continuously improve our security measures to mitigate risks.

The Services may contain links to third-party websites or services (e.g., social media platforms, analytics tools). We are not responsible for the privacy policies, terms of use, or practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

The Services are not intended for individuals under the age of 13. If you are in the EEA/UK and under the age at which you can lawfully consent to data processing in your country (typically 13–16), you must have parental or guardian consent to use the Services. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor without parental/guardian consent, we will promptly delete such information. If you believe a minor has provided us with personal information, please contact us at support@adastralab.ai.

We may update this Policy from time to time. We will notify you of material changes by:

• Posting the updated Policy on the Services with a revised "Last Updated" date.
• Sending a notification to your registered email address or via the Services.

Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the changes. We recommend reviewing this Policy periodically.

If you have any questions, concerns, or requests regarding this Policy or our data practices, please contact us at:

• Email: support@adastralab.ai
• Data Protection Officer (DPO) (Singapore PDPA Requirement): Email: support@adastralab.ai