Privacy Policy

Scope of This Privacy Policy

This Privacy Policy applies to information collected through:

• our website and related landing pages;
• our AI-powered creative tools, including text-to-video, image-to-video, video editing, video extension, image generation, and related features;
• user accounts, subscriptions, purchases, billing support, and customer service interactions;
• any other online service where this Privacy Policy is posted or referenced.

This Privacy Policy describes:

• what personal information we collect;
• how and why we use personal information;
• how we process AI input and output data;
• how we handle face-related images, videos, and biometric data;
• how automated systems make or support decisions about your content and account;
• how we share information;
• how long we retain information;
• how we protect information and respond to data breaches;
• your privacy rights under applicable laws, including the GDPR, UK GDPR, CCPA/CPRA, and other U.S. state privacy laws.

Data Controller and Representatives

For purposes of applicable data protection laws, the data controller responsible for your personal information is:

STARSEA INNOVATION LIMITED Address: Email: [email protected]

Information We Collect

We collect personal information that you provide directly to us, information collected automatically when you use the Service, and information generated through your use of our AI tools.

Information You Provide to Us

Depending on how you use the Service, you may provide:

• name;
• email address;
• country or region;
• account registration information, including login credentials;
• billing address and limited payment-related information;
• order, subscription, and transaction details;
• customer support messages, inquiries, feedback, or complaints;
• content that you upload, submit, generate, or edit through the Service.

We do not store full payment card numbers. Payments are processed by third-party payment processors under their own privacy and security policies.

Information Collected Automatically

When you visit or use the Service, we may automatically collect certain technical and usage information, including:

• IP address;
• device identifiers;
• browser type and version;
• operating system;
• device type;
• language settings;
• pages or screens viewed;
• referring and exit URLs;
• date and time of access;
• clicks, interactions, and usage patterns;
• features used, generation frequency, and diagnostic data;
• approximate location inferred from IP address (such as country or region);
• security and anti-fraud signals (such as risk scores, suspicious-traffic indicators, and device-environment signals).

We use this information to operate, secure, improve, and troubleshoot the Service, detect abuse or fraud, and understand how users interact with our products.

Cookies and Similar Technologies

We may use cookies, pixels, software development kits, analytics tools, and similar technologies to:

• operate essential website functions;
• remember user preferences;
• analyze traffic and usage;
• improve product performance;
• detect security risks or fraud;
• support marketing and advertising activities where permitted by law.

You may be able to manage cookies through your browser settings, our in-product cookie controls (where available), or applicable opt-out tools. Disabling certain cookies may affect the functionality of the Service.

Categories of Personal Information We Collect (CCPA/CPRA Notice at Collection)

For California residents, the following table summarizes the categories of personal information (as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, collectively the "CCPA/CPRA") that we may have collected in the preceding twelve (12) months, the sources from which we collect them, and the business or commercial purposes for which they are used.

Sources of personal information include: directly from you (when you sign up, upload content, contact support, or make a purchase); automatically from your device and browser when you use the Service; and from our service providers (such as payment processors confirming transaction status, security vendors, and fraud-prevention partners).

Categories of recipients include: service providers (hosting, cloud, analytics, customer support, security, fraud prevention); payment processors; legal, regulatory, or government authorities where required by law; and parties involved in business transfers (see Section 9).

Business and commercial purposes for which we use each category include: providing and operating the Service; processing payments and managing subscriptions; customer support; security, fraud prevention, and abuse detection; product improvement; legal and regulatory compliance; and marketing where permitted by law.

We retain each category of personal information for the periods described in Section 14 (Data Retention).

We do not knowingly collect personal information from children under 16. See Section 16 (Children's Privacy).

AI Input and Output Data

When you use Visiva's AI tools, we may process content you provide or generate, including:

• text prompts;
• uploaded images;
• uploaded videos;
• audio or other materials;
• AI-generated images, videos, or other outputs;
• editing history, generation history, and related technical records.

We process this information to:

• generate, edit, extend, enhance, or transform content as requested by you;
• provide, maintain, and improve the Service;
• troubleshoot technical issues;
• respond to support requests;
• enforce our Terms and content safety policies;
• detect abuse, fraud, or unlawful activity;
• comply with legal obligations or lawful requests.

You are responsible for ensuring that any content you upload or generate does not violate the privacy, intellectual property, publicity, or other rights of third parties. Retention periods for AI input and output data are described in Section 14.

Face-Related and Biometric Data

Some features of the Service allow you to upload, generate, edit, or transform images or videos that include a person's face, likeness, voice, image, or other identifiable visual attributes ("Face-Related Content"). This Section explains how we handle such content.

Purpose Limitation

We process Face-Related Content only as necessary to provide the AI generation, editing, enhancement, transformation, or related service that you request, and for related purposes such as content safety review, fraud and abuse prevention, troubleshooting, and legal compliance.

No Biometric Identification Profiles

We do not:

• use Face-Related Content to identify individuals across uploads or sessions;
• create persistent biometric templates, faceprints, or biometric identification profiles for the purpose of identifying or authenticating individuals;
• sell, license, or otherwise transfer face-related data or biometric data to third parties for advertising, identity verification, surveillance, or biometric recognition purposes;
• use Face-Related Content to train general-purpose facial-recognition models.

For the limited and necessary purpose of content safety, we may apply automated detection systems that determine whether an image or video contains a human face (face detection), or whether content matches signatures of previously prohibited material. Such detection signals are processed only for the safety, fraud-prevention, and compliance purposes described in this Privacy Policy and are not used to identify specific individuals.

User Authorization and Consent

You are responsible for ensuring that you have obtained all necessary rights, permissions, authorizations, and consents before uploading or generating content that includes another person's face, likeness, voice, image, or other personal attributes. Where required by applicable law, you must not upload images, videos, or other materials featuring another person unless you have obtained that person's lawful authorization or consent.

Retention of Face-Related Content

Unless a longer period is required or permitted by law, or you have stored the content in your account at your direction:

• uploaded source images and videos containing faces are retained for the period necessary to complete and deliver the requested generation, and are deleted or anonymized within a reasonable period thereafter, typically not exceeding 90 days;
• generated outputs containing faces are retained as part of your project or generation history for the period during which you maintain access to them, subject to your deletion controls and our overall retention schedule (Section 14);
• content flagged for safety review may be retained for a longer period as reasonably necessary to investigate, respond to, or document the relevant matter.

You may request deletion of Face-Related Content at any time by contacting [email protected] or using in-product deletion tools where available, subject to verification and applicable legal-retention obligations.

U.S. State Biometric Laws

Where the laws of U.S. states impose specific obligations on the collection and processing of biometric information - including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington biometric privacy statute, the Washington My Health My Data Act, and similar laws - we process Face-Related Content consistently with the limitations in this Section, do not sell biometric identifiers, and apply the retention principles described in Section 5.4.

Automated Decision-Making and Content Safety Systems

To protect users, third parties, payment partners, and the integrity of the Service, we use automated systems that scan, score, or restrict user prompts, uploads, generated outputs, transactions, and account activity. These systems include, without limitation:

• real-time content scanning and keyword detection;
• rules-based filters and risk scoring;
• detection of high-risk requests (such as those that may produce illegal content, deceptive deepfakes, or content involving minors);
• payment- and account-level fraud and abuse detection;
• automatic blocking, rate-limiting, watermarking, or queuing of requests;
• automated escalation of flagged content for human review.

These systems may produce decisions that affect you - for example, blocking a generation request, removing or restricting content, applying watermarks, declining or holding a transaction, applying fraud holds, or restricting account features.

Human Review

Where a decision produces a significant effect on you (for example, account suspension or termination, denial of a refund linked to alleged abuse, or sustained restriction of features), you may request human review by contacting [email protected]. We will, where reasonably feasible and consistent with our legal obligations, review the relevant decision with appropriately qualified personnel and inform you of the outcome.

GDPR Article 22

Where the GDPR applies, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where the decision is necessary for the performance of a contract with you, authorized by law, or based on your explicit consent. Where such automated decisions occur, you may request human intervention, express your point of view, and contest the decision.

How We Use Personal Information

We may use personal information for the following purposes:

• to provide, operate, and maintain the Service;
• to create and manage user accounts;
• to process purchases, subscriptions, renewals, cancellations, and refunds;
• to provide access to paid features, credits, or digital entitlements;
• to generate, edit, enhance, or transform content requested by users;
• to respond to customer support requests and inquiries;
• to send service-related notifications, including account, billing, security, and policy updates;
• to improve product functionality, performance, and user experience;
• to monitor, detect, and prevent fraud, abuse, security incidents, or unlawful activity;
• to enforce our Terms, content policies, and safety rules, including through the automated systems described in Section 6;
• to comply with applicable laws, regulations, court orders, or lawful requests;
• to send marketing communications where permitted by law or with your consent.

Legal Bases for Processing Under GDPR

Where the GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:

• Performance of a contract - to provide the Service, process payments, manage subscriptions, and deliver requested features.
• Consent - where you have provided consent, such as for certain marketing communications, optional cookies, or processing of certain face-related data.
• Legitimate interests - to improve our Service, protect platform security, prevent fraud, understand product usage, and enforce our policies, provided that these interests are not overridden by your rights and freedoms.
• Legal obligation - to comply with tax, accounting, consumer protection, data protection, payment, anti-money-laundering, and other legal obligations.

For special categories of personal data within the meaning of GDPR Article 9 (which may include biometric data where used to uniquely identify a person), we rely on your explicit consent or another applicable lawful condition under Article 9. As described in Section 5, we do not use Face-Related Content for identification purposes.

You may withdraw consent at any time where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Sharing of Information

We do not sell your personal information as that term is commonly understood, and we do not sell biometric identifiers.

We may share personal information only in limited circumstances, including:

Service providers. We may share information with trusted service providers that help us operate the Service, such as hosting providers; cloud infrastructure providers; payment processors; analytics providers; customer support tools; email delivery platforms; security vendors; and fraud-prevention partners. These providers are bound by contractual obligations to use personal information only for the purposes for which we engage them.

Payment processing. Payment information is processed by third-party payment processors. We may receive limited payment-related metadata, such as transaction ID, subscription status, plan type, amount, currency, and billing status.

Legal and compliance. We may disclose information where reasonably necessary to comply with applicable laws; regulations; legal processes; court orders; lawful government requests; or payment-network requirements.

Safety and enforcement. We may share information where necessary to protect the rights, safety, security, or integrity of Visiva, our users, third parties, payment partners, or the Service.

Business transfers. If we are involved in a merger, acquisition, financing, restructuring, sale of assets, or similar business transaction, personal information may be transferred as part of that transaction, subject to appropriate protections.

With your consent or direction. We may share information when you expressly request, authorize, or consent to such sharing.

Sale, Sharing, Targeted Advertising, and Sensitive Personal Information

No Sale; No Cross-Context Behavioral Advertising

Visiva does not sell your personal information for monetary consideration. We also do not engage in "sharing" of personal information for cross-context behavioral advertising (sometimes called "targeted advertising") as those terms are defined under the CCPA/CPRA and analogous U.S. state privacy laws. We do not knowingly sell, share, or use for targeted advertising the personal information of users under the age of 16.

Sensitive Personal Information

We process sensitive personal information (as defined under the CCPA/CPRA) only for purposes permitted under California Civil Code § 1798.121 and applicable regulations - namely, to provide the Service that you request, ensure security and integrity, prevent fraud, and perform other limited business purposes. We do not use sensitive personal information to infer characteristics about you or for purposes that would require offering a "Limit the Use of My Sensitive Personal Information" right.

Global Privacy Control (GPC)

Where technically feasible, we recognize and honor opt-out preference signals such as the Global Privacy Control (GPC). When we detect a GPC signal from your browser or device, we treat it as a valid request to opt out of the sale or sharing of personal information for the browser or device from which the signal is received, in accordance with applicable law.

How to Exercise Privacy Choices

You may submit privacy requests, including any opt-out, deletion, access, or correction request, by contacting [email protected]. A "Do Not Sell or Share My Personal Information" link is also made available on our website where required by applicable law.

California Privacy Rights

If you are a California resident, you may have certain rights under the CCPA/CPRA, subject to applicable limitations. These rights may include:

• the right to know what categories of personal information we collect, use, disclose, sell, or share (see the table in Section 3.4);
• the right to request access to specific pieces of personal information we hold about you;
• the right to request deletion of your personal information;
• the right to request correction of inaccurate personal information;
• the right to opt out of the sale or sharing of personal information, where applicable;
• the right to limit the use or disclosure of sensitive personal information, where applicable (see Section 10.2 regarding our limited processing);
• the right not to be discriminated against, or face retaliation, for exercising your privacy rights.

To exercise your California privacy rights, please contact us at: Email: [email protected] Subject line suggestion: California Privacy Request – Visiva

We may need to verify your identity before processing your request. You may also authorize an agent to submit a request on your behalf where permitted by law; we may require the agent to provide proof of authorization and may require you to verify your identity directly with us.

We will respond to verifiable requests within the time periods required by applicable law (generally within 45 days, with one possible 45-day extension where reasonably necessary).

Other U.S. State Privacy Rights

If you are a resident of a U.S. state with a comprehensive consumer privacy law - including, as in effect from time to time, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire, Minnesota (MCDPA), Maryland (MODPA), Rhode Island, and Indiana, among others - you may have rights similar to those described in Section 11, including (depending on your state):

• the right to confirm whether we process your personal data and to access that data;
• the right to correct inaccuracies;
• the right to delete personal data;
• the right to data portability;
• the right to opt out of targeted advertising, the sale of personal data, and certain types of profiling;
• the right not to face discrimination for exercising these rights;
• the right to appeal a denial of a privacy request.

To exercise your rights under any U.S. state privacy law, please contact [email protected]. If we deny your request, you may appeal by replying to our response. If your appeal is denied, you may contact your state's attorney general or applicable regulatory authority.

We do not engage in profiling that produces legal or similarly significant effects on you in the absence of your consent or another lawful basis. Our automated systems described in Section 6 are subject to human-review rights consistent with applicable state laws.

International Data Transfers

Your personal information may be processed in countries or regions other than where you live, including in Hong Kong, the United States, the European Economic Area, and other regions where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

Where required by applicable law, including for users in the European Economic Area, the United Kingdom, or Switzerland, we use appropriate safeguards for cross-border transfers, such as:

• Standard Contractual Clauses approved by the European Commission, and the UK International Data Transfer Addendum or UK International Data Transfer Agreement for transfers from the United Kingdom;
• contractual data protection obligations imposed on our service providers and recipients;
• supplementary technical and organizational security measures (such as encryption in transit and at rest);
• transfer impact assessments where required;
• other lawful transfer mechanisms recognized under applicable data protection laws.

You may request a copy of the relevant transfer mechanism by contacting [email protected], subject to redaction of confidential commercial terms.

Data Retention

We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy. The table below sets out our general retention principles for the main categories of data. Actual retention periods may vary based on applicable legal, tax, accounting, security, fraud-prevention, or dispute-resolution requirements.

When personal information is no longer needed, we will delete, anonymize, or otherwise process it in accordance with applicable law.

Data Security and Breach Notification

Security Measures

We use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, loss, misuse, or destruction. These measures may include:

• encryption in transit and, where appropriate, at rest;
• access controls and least-privilege permission management;
• secure infrastructure and network segmentation;
• firewalls, intrusion detection, and continuous monitoring;
• internal personnel training and confidentiality obligations;
• periodic security reviews and assessments;
• fraud and abuse detection systems.

However, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your information.

Breach Notification

In the event of a personal data breach, we will assess the breach in accordance with applicable law and will notify the relevant supervisory authorities and, where required, affected users without undue delay and within the timeframes prescribed by applicable law (for example, within 72 hours of becoming aware of a notifiable breach under the GDPR, where feasible). Notifications will include the information required by applicable law, such as the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

Children's Privacy

The Service is not directed to children and is not intended for use by anyone under the age of 13, or the minimum age required by the laws of the user's jurisdiction (whichever is higher).

We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child without appropriate authorization, we will take reasonable steps to delete such information.

If you believe that a child has provided us with personal information, please contact us at [email protected].

Your Privacy Rights

Depending on your jurisdiction - including if you are located in the European Economic Area, the United Kingdom, Switzerland, California, another U.S. state with a comprehensive privacy law, or any other region with applicable privacy laws - you may have certain rights regarding your personal information.

These rights may include:

• the right to be informed about how we process your personal information;
• the right to access personal information we hold about you;
• the right to correct inaccurate or incomplete information;
• the right to request deletion of your information;
• the right to restrict or object to certain processing;
• the right to data portability;
• the right to withdraw consent where processing is based on consent;
• the right to opt out of certain sales, sharing, targeted advertising, profiling, or marketing activities, where applicable;
• the right not to be subject to certain automated decision-making (see Section 6);
• the right to lodge a complaint with a data protection authority (such as your local supervisory authority in the EEA, the Information Commissioner's Office in the UK, or the relevant attorney general or regulator in your U.S. state).

To exercise your rights, please contact us at [email protected]. We may need to verify your identity before responding to your request, and we may decline requests in the limited circumstances permitted by applicable law.

Marketing Communications

Where permitted by law, we may send you marketing communications about Visiva products, features, offers, or updates.

You may opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting us at [email protected].

Even if you opt out of marketing communications, we may still send you non-marketing service messages, such as account, billing, security, legal, or transactional notices.

Third-Party Links and Services

The Service may contain links to third-party websites, services, platforms, payment providers, or integrations.

We do not control and are not responsible for the privacy practices, content, security, or policies of third parties. Your use of third-party services is governed by their own privacy policies and terms.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.

When we update this Privacy Policy, we will revise the "Updated Date" at the top of this page. Where required by law, we may provide additional notice or request your consent.

Your continued use of the Service after the updated Privacy Policy becomes effective means that you acknowledge the updated policy.

How to Contact Us

If you have any questions, requests, or concerns about this Privacy Policy or our privacy practices, please contact us at:

STARSEA INNOVATION LIMITED Address:

• General privacy inquiries and rights requests: [email protected]
• Customer support, billing, and account questions: [email protected]
• Copyright and DMCA notices: [email protected] (see our Copyright & DMCA Policy)

Subject line suggestion: Privacy Inquiry – Visiva