1. DEFINITIONS

• Personal data means any information relating to an identified or identifiable natural person. The identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this Privacy Policy, the Company is the controller of your personal data.
• A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.
• Processing is any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• A data subject means you as an identified or identifiable natural person whose personal data is processed by the controller/processor.
• A user refers to you as a natural person authorized to use the HypnoPixels Services.
• A Website visitor refers to you as a natural person who accesses the Website.
• Encryption is a security protection measure for personal data. As a form of cryptography, it is a process whereby personal data gets turned into an encoded and unintelligible version using encryption algorithms and an encryption key, and whereby a decryption key or code enables users to decode it again.
• Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.

2. PERSONAL DATA COLLECTION AND USE

The purpose of processing your personal data by the Company is as follows (hereinafter referred to as the “Purpose”):

1. Your intention to access and use the HypnoPixels Services;

2. The performance of a contract to which you are a party, your identification and billing;

3. Provision of customer care service and assistance;

4. Analysis of your use of the HypnoPixels Services to understand better how the HypnoPixels Services are being used so we can improve the HypnoPixels Services, analyze your experience, and engage and retain users.

We may also use your personal data to:

a) Improve your browsing experience by personalizing the HypnoPixels Services;

b) Send information to you by email regarding registration status, password verification, and payment confirmation;

c) Send you communications relating to your use of the HypnoPixels Services;

d) Provide our partners with statistical information about our users by secured channels under data processing agreements (DPA);

e) Send you marketing and promotional materials and messages.

3. SCOPE AND CATEGORIES OF PERSONAL DATA, LAWFUL BASIS FOR PERSONAL DATA PROCESSING AND DATA SUBJECT CATEGORIES

We strive to comply with data privacy regulations and follow data minimization principles.

We do not authorize the use of your personal data by any third party (only under exceptional conditions as described under “Legal Matters” below). We operate and maintain a variety of online security measures to safeguard and keep your personal information private and secure.

When you make purchases, you may have to fill in the user’s information, which should contain your personal data, such as email and your name.

Based upon the personal data you provide us when registering for an account on the Website, we may send you a welcoming email to verify your login and password. You may enter your account on our Website using your login and password. All your activity in your account is password-protected, and you should keep and take all necessary measures to protect the secrecy of your password.

We can also communicate with you in response to your inquiries regarding any information or services you request.

Based on your separate consent, we may send you marketing emails. You can always opt-out (unsubscribe) from any communication via your account, App or our support (except operational and/or non-marketing notifications such as payment acceptance, payment notification, necessary updates notification, refund issue, etc.).

Face Data Collection & Storage

We define “Face Data” as any information about faces in the images and videos you upload, including data that estimates the location, geometry, and shape of facial features. We collect this data solely to power our inApp realtime face swap and avatar generation features. Once you upload an image or video, we retain Face Data on our servers for no longer than three (3) days; if you choose to save the generated content within the App, only that saved content is kept, and all underlying Face Data is deleted immediately. We do not sell Face Data, share it for marketing purposes, or use it for any other purpose beyond content generation and display.

To deliver the face swap functionality, your facial images are transmitted securely (via TLS) to our thirdparty providers - Replicate and AWS - who process the data in real time and must delete all Face Data immediately upon completion of that processing (typically within one hour). Both intransit and at rest, all Face Data and images are encrypted in accordance with industry best practices. For more information on how these providers handle and protect your data, please see their privacy policies: Replicate: https://replicate.com/privacy, AWS: https://aws.amazon.com/privacy/.

Payment information

We have implemented all necessary measures and standards in the area of payment security for the HypnoPixels Services. We cooperate with different payment service providers, and before our cooperation, we check them according to our policies regarding the availability of licenses and other permits for payment transactions. Within a payment execution, you may provide the following information to the payment service provider: (i) credit/debit card number; (ii) the expiration date of your credit/debit card; (iii) your full name; (iv) your email. This information might be partly collected and stored by us and the corresponding payment service provider.

Data that we collect automatically

We also collect and store information that is generated automatically as you navigate through the HypnoPixels Services to enhance your experience by using tracking technologies such as Cookies, Log Files and Pixel tags.

As you navigate our Website, information that we automatically collect is information in “log files” about your device’s connection to the Internet, length of time spent on the Website, and the pages accessed during each visit to the Website. We use this information to analyze trends, administer the Website, track user movement on the Website, and gather broad statistical information for aggregate use.

Our Website uses cookies

Cookies are text files that are stored in a computer system via an Internet browser. Cookies are small files that your web browser places on your hard drive for record-keeping purposes. By showing how and when visitors use the Website, cookies help us track user trends and patterns. They also prevent you from having to re-enter your preferences on certain areas of the Website where you have entered preference information before. Cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.

Through the use of cookies, we can provide you with more user-friendly services that would not be possible without cookie settings. By means of cookies, the information and offers on our Website can be optimized.

You may, at any time, prevent the setting of cookies through our Website by means of a corresponding setting of the Internet browser used and permanently deny the setting of cookies.

Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If you deactivate the cookies settings in the Internet browser, the Website functions may not be entirely usable.

If you do not wish to receive cookies, you may be able to refuse them by adjusting your browser settings to reject cookies. If you do so, we may be unable to offer you some of our functionalities, services or support. If you have previously visited our Website, you may also have to delete any existing cookies from your browser.

Also, we may use Pixel tags (single-pixel image files, also known as transparent GIFs, clear GIFs or web beacons) to access cookies and to count users who visit the Website or open our HTML-formatted email messages.

4. ENCRYPTED DATA

We have put in place security hardware, software and network scanning procedures designed to safeguard and secure the information (including personal data) under our control and follow generally accepted industry standards. We work with third-party service providers and vendors that use encryption and authentication to maintain the confidentiality of your personal data. If stored, we store your personal data on systems behind firewalls that are only accessible to limited personnel who are under data processing agreements.

We store the personal data of all our users in an encrypted way. We use asymmetric public-private key cryptosystem RSA with a key size of 4096 bit (further RSA) and symmetric-key algorithm AES with a key size of 256 bit (further AES).

Asymmetric public-private key cryptosystem RSA (key size is 4096 bit) use a public encryption key and private decryption key. The public encryption key is stored in a database (DB) in an open way. The private decryption key is stored in DB encrypted using AES 256 using a key which consists of the user’s password and secret key. It cannot be decrypted without the user’s password and secret key.

The user credentials (subject to the Website functionality), such as the user’s login, are stored in DB. The user’s password is not stored. We store only the hash of the password. We generate a public-private key pair for cryptosystem RSA during the user’s sign-up. This public-private key pair is unique for each user. The key pair is stored in DB encrypted format using AES 256.

Throughout the Website login process we use the user’s password and login form to decrypt the user’s original private key.

We get open data from devices using the encrypted https protocol. We immediately start the encryption process of the data on the server in the RAM without storing it on the server’s disks. We encrypt data using RSA using the user’s public encryption key. The encrypted data is saved to our servers.

Throughout the decryption process we get the user’s decrypted private key. We decrypt the user’s text data using the user’s original private decryption key. We show this information to the user.

5. LEGAL MATTERS

We consider your use of the HypnoPixels Services to be private. However, we may disclose your personal data in order to:

1. Comply with the laws, regulations and orders;

2. Fulfil our legitimate interest, including to conduct and facilitate investigations of potential fraudulent activities;

3. Protect the rights, property, or safety of our Company, our employees, customers or the public;

4. Provide the features of the HypnoPixels Services properly.

In the event of a change of control of the HypnoPixels Services (such as asset transfers through a merger, sale, assignment or liquidation of the business entity or any of its properties, assets or equity) or, in the event of a direct or indirect sale of any of publishing properties and/or its website(s)in our possession will be transferred to the new owner/successor. You will be notified of any such transaction and have the ability to exercise your legal rights under the applicable data protection legislation. You may always change or delete your personal data or opt-out by contacting us as provided below, or if the acquirer posts a new Privacy Policy with new contact information, you may change or delete your personal data or opt-out by following any new instructions that are posted.

We may use certain trusted third-party service providers to help us provide, improve, and protect the HypnoPixels Services. These third-party service providers will access your information only to perform services for the Company in compliance with this Privacy Policy and under the respective agreements. For example, payment processors process your personal data in order to facilitate payment operations. Other third-party service providers may process your personal data for purposes such as delivering email communications, providing customer support, and preventing fraudulent transactions.

The Company may share IP addresses used to access the HypnoPixels Services with designated third-party service providers for the sole purpose of preventing and detecting fraud. The Company may also use services and technologies provided by other companies to assist the Company in understanding how you use the HypnoPixels Services. As a result, information about how you use the HypnoPixels Services may be available to these other companies to the extent that their technology collects such information for the HypnoPixels or for purposes of delivering relevant online or mobile advertising to you.

Except as specifically noted in this Privacy Policy, the Company does not sell, exchange, transfer, or give personal data to any other companies.

Please note that we do our best to moderate the setting of the AI model not to include any inappropriate or harmful content. However, it is your sole responsibility to upload images, videos, and other content that is not unlawful, libelous, defamatory, obscene, pornographic, indecent, lewd, suggestive, harassing, threatening, invasive of privacy or publicity rights, abusive, inflammatory, fraudulent, or can be otherwise interpreted as harmful content. Please contact us at support@hypnopixels.com if you find any content to be offensive.

Data breach situations

We will notify the respective data protection authority within 72 hours after we become aware of the data breach and report the following information:

• The nature of the data breach.
• The name and contact details of our responsible person from whom more information can be obtained.
• The possible consequences of the data breach.
• The measures taken or proposed by us to address the data breach.

If the data breach may lead to a violation of your rights and freedoms or has a high risk of this, we shall immediately inform you of the fact of the data breach and report the following information:

• The nature of the data breach in clear and simple language.
• The name and contact details of the responsible person from whom more information can be obtained.
• The possible consequences of breaching the security of personal data.
• The measures taken or proposed by us to address the data breach.
• Useful tips and know-how that can help you in reducing the risks of the data breach.

We do not have to send the notification to you if any of the following conditions are met:

• We have implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, in particular, those that leave the personal data inaccessible to any person who is not authorized to access it, such as encryption;
• We have taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or
• It would involve a disproportionate effort to communicate with every data subject concerned. In such a case, there shall instead be public communication or similar measures whereby the data subjects are informed equally effectively.

If we apply one of the exemptions, we document the circumstances, reason for not informing, and actions taken to meet one of the exemptions.

6. WHERE DATA SUBJECT’S PERSONAL DATA IS STORED

Your personal data is usually stored on the servers in Germany, the Netherlands and the EU multi-regional. We have adopted all necessary security measures for the protection of your personal data according to the best practices of security, protection, and confidentiality.

If we transfer your personal data to third-party service providers, we will compel each third-party service provider to adopt necessary security measures for the protection of your personal data according to the respective data protection agreement.

7. YOUR RIGHTS AS A DATA SUBJECT

The right to access.

You have the right to request an explanation of the personal data we process about you. Also, you can request a copy of your personal data undergoing processing.

The right to data portability.

You have the right to receive the personal data concerning you which you provided to us. You can make a request to transmit this data directly to another data controller in a structured, commonly used and machine-readable format. We will transmit your data directly to another controller in cases where it is technically feasible.

The right to restrict processing.

You have the right to request that we temporarily or permanently stop processing all or some of your personal data.

The right to rectification.

You have the right to request to rectify/correct any inaccurate data about you.

The right to erasure.

You have the right to be forgotten which means that we will delete all personal data that you have provided to us. We may retain certain information as required by law and for legitimate business purposes permitted by law.

The right to object processing.

You can, at any time, object to the processing of your personal data on grounds relating to your particular situation. You have the right to object to your personal data being processed for direct marketing purposes.

The right to lodge complaints.

You have the right to lodge complaints in relation to the data processing activities we carry out with the competent data protection authorities.

The right not to be subject to automated decision-making.

You have the right not to be subject to a decision based solely on automated decision-making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

The right to right of confirmation.

You have the right to obtain confirmation from the controller as to whether or not personal data is being processed.

The right to withdraw consent.

You have the right to withdraw their consent to the processing of personal data at any time if se use this legal ground for processing.

If you want to exercise any of the aforementioned rights, please contact us at any time via email at support@hypnopixels.com.

8. CHILDREN’S PRIVACY

The provision of the HypnoPixels Services is generally not aimed at children and is not intended for use by children.

We do not knowingly collect information from children and minors. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide information without their permission.

The HypnoPixels Services is not directed to, nor do we knowingly collect personal data from children under the age of 13. If we obtain actual knowledge (including via email support@hypnopixels.com) that we have collected personal data from a child, we will comply with industry guidelines and applicable laws and will promptly delete it unless we are legally obligated to retain such data.

9. DATA RETENTION

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After the expiration of that period, we routinely and securely delete or destroy it as long as it is no longer necessary to achieve the purposes of processing or as long as this is granted by the laws or regulations to which the Company is subject.

10. MISCELLANEOUS

We may modify this Privacy Policy at any time and post any changes to this Privacy Policy on the Website or in the App, so please review it frequently. We indicate the date of the current version of this Privacy Policy above so you know when it was last updated.

Changes to this Privacy Policy may not affect the personal data we have previously collected from you or after such changes.

If you object to the changes, please contact us as provided below.

This Privacy Policy is governed by and construed with the laws of Estonia.

Any claim or dispute which might arise out of or in connection with this Privacy Policy shall be settled in accordance with provisions of Terms of Use.

If you object to the changes, have any questions or propositions, please get in touch with us by email: support@hypnopixels.com.