Privacy Policy — PromptWise

ZeroTen Media Inc. ("Company," "we," "us," or "our")
Effective Date: May 11, 2026

At a glance. This Privacy Policy describes how we collect, use, share, and protect personal information when you use our AI image, video, and audio generation services (the "Services"). Key points: we do not use your Inputs or Outputs to train AI models; we offer biometric-sensitive features only outside Illinois and Texas; we operate from the United States and serve users globally with EU/UK GDPR overlay protections; and we publish a complete list of our sub-processors and Third-Party AI Model providers.

1. Scope and Application

This Privacy Policy applies to personal information we collect through the Services, including our website, mobile and desktop applications, and APIs. It does not cover personal information processed by third parties whose services or websites you may access through links from the Services; those parties have their own privacy practices.

For our enterprise customers using the Services under a Master Services Agreement or Data Processing Addendum ("DPA"), the DPA governs our processing of personal information that the customer submits as a controller, and this Privacy Policy applies to personal information we process as an independent controller (such as account-administration data and security telemetry).

2. Definitions

"Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable natural person.
"Inputs" means text prompts, images, videos, audio files, voice samples, and other content you submit to the Services.
"Outputs" means the synthetic media (images, video, audio) generated by the Services in response to your Inputs.
"Third-Party AI Model" means an AI model hosted, operated, or made available by a third-party provider that we integrate with the Services.
"Sub-Processors" means third parties we engage to process personal information on our behalf, listed in our Sub-Processors and Model Providers list.

3. Personal Information We Collect

3.1 Information You Provide

Category	Examples	Source
Account Information	Name, email, password (hashed), profile picture, organization, billing address, telephone	You
Payment Information	Card number, billing address, transaction history (processed by our payment processor — we do not store full card numbers)	You / Payment processor
Inputs	Text prompts, uploaded images, uploaded video, uploaded audio, uploaded voice samples	You
Outputs	AI-generated images, video, audio	Generated by the Service
Communications	Support requests, feedback, survey responses	You
Identity-Verification Documents	Where required for biometric-feature access or for our enterprise / Earn / monetization programs: government ID, proof of address (limited collection, see §11)	You

3.2 Information We Collect Automatically

Category	Examples
Device and Connection Data	IP address, device type, operating system, browser, language, time zone
Usage Data	Pages and features visited, prompts submitted (in hashed form for security), generations performed, timestamps
Cookies and Similar Technologies	Strictly necessary cookies, performance cookies, and (with consent) analytics cookies — see our Cookie Policy
Security and Abuse Telemetry	Login attempts, suspected automated activity, fingerprint hashes, abuse-detection signals

3.3 Information from Third Parties

We may receive information from: identity providers (when you sign in via Google/Apple/Microsoft); payment processors (transaction confirmations); fraud-prevention services; analytics providers; and content-safety vendors (e.g., hash-match results from PhotoDNA / NCMEC / StopNCII).

3.4 Categories of Personal Information We Generally Do NOT Collect

We do not knowingly collect personal information from children under 13. We do not deliberately collect government identification numbers (other than as listed in §3.1 for specific verification purposes). Inputs may incidentally contain "sensitive" or "special" categories of personal information; please see Section 11 (Biometric and Likeness Data) and Section 12 (Sensitive Information).

4. How We Use Personal Information

We use personal information for the following purposes, with the corresponding lawful basis under EU/UK GDPR shown in brackets where applicable:

Purpose	Examples	GDPR Lawful Basis
Provide and operate the Services	Authenticate you; route Inputs to AI models; deliver Outputs; bill you	Contract performance (Art. 6(1)(b))
Improve and secure the Services	Detect abuse, fraud, and spam; protect against attacks; performance monitoring	Legitimate interests (Art. 6(1)(f))
Communicate with you	Service announcements, support responses, security alerts	Contract performance / legitimate interests
Marketing (with consent where required)	Email newsletters, in-product promotions you've opted into	Consent (Art. 6(1)(a)) where required, otherwise legitimate interests
Comply with law	Respond to lawful requests; mandatory CSAM reporting under 18 U.S.C. § 2258A; tax and accounting; sanctions screening	Legal obligation (Art. 6(1)(c))
Defend our legal rights	Investigate disputes; enforce the Agreement; defend claims	Legitimate interests / legal obligation
Aggregated and de-identified analysis	Capacity planning, trend analysis (no individual identification)	Legitimate interests

4.1 We Do Not Use Your Inputs or Outputs to Train AI Models

We do not use your Inputs or Outputs to train, fine-tune, or otherwise improve our AI models or any Third-Party AI Models, except where you expressly opt in. This commitment extends to our Sub-Processors and Third-Party AI Model providers, who are contractually prohibited from using customer Inputs or Outputs for model training.

We may use aggregated, de-identified data derived from Service operation (such as performance metrics, abuse-detection signals, and category-level usage statistics) to operate, secure, and improve the Services. This aggregated data does not identify you or your specific Inputs or Outputs.

4.2 We Do Not Sell Personal Information

We do not sell personal information for monetary consideration. For California consumers, please see Section 14 for additional rights, including in respect of "sharing" of personal information for cross-context behavioral advertising.

5. How We Share Personal Information

5.1 Sub-Processors and Service Providers

We engage Sub-Processors to provide infrastructure, payments, analytics, customer support, security, and other services. Each Sub-Processor is bound by a written agreement requiring confidentiality, security, and use of personal information only for the contracted purpose. Our complete current list of Sub-Processors and Third-Party AI Model providers is published at [TBD]. We update the list when we add or change Sub-Processors and provide notice of material changes.

5.2 Third-Party AI Model Providers

When you use a feature that relies on a Third-Party AI Model, your Inputs and the resulting Outputs are transmitted to that provider for processing. We contractually prohibit our Third-Party AI Model providers from using your Inputs or Outputs to train their models, except where the provider's terms expressly permit such use and we identify those features in the Service interface so that you can decline.

5.3 Legal and Safety Disclosures

We may disclose personal information to:

Law enforcement, regulators, courts, or other competent authorities in response to lawful process or where we believe in good faith that disclosure is necessary to comply with law, prevent imminent harm, or investigate suspected illegal activity;
The National Center for Missing & Exploited Children (NCMEC) CyberTipline as required by 18 U.S.C. § 2258A in respect of any CSAM detected on our Services;
Federal and state authorities as required by law, including in response to lawful subpoenas, search warrants, court orders, or national-security letters.

5.4 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor entity. We will notify you of any such transfer that materially affects the privacy of your personal information.

5.5 With Your Consent

We may share personal information with other parties with your express consent or at your direction.

6. International Data Transfers

We are headquartered in the United States, and personal information we collect may be transferred to and processed in the United States and other countries where we or our Sub-Processors operate. The data-protection laws in these countries may differ from those in your country.

6.1 EU / UK / Switzerland

For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries, we rely on:

Standard Contractual Clauses approved by the European Commission (and the UK Addendum / IDTA where applicable) for transfers to non-adequate countries;
EU-U.S. Data Privacy Framework, the UK Extension thereto, and the Swiss-U.S. Data Privacy Framework where applicable to specific Sub-Processors;
Adequacy decisions where the destination country has been recognized as providing adequate protection.

A list of our cross-border transfer mechanisms by Sub-Processor is available on request to privacy@promptwise.com.

7. Data Retention

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

Category	Retention Period
Account information	Active period + 90 days post-deletion (extended for legal hold)
Inputs and Outputs (consumer)	As you direct via account controls; default 30 days post-deletion request
Inputs and Outputs (enterprise)	As specified in the DPA / customer agreement
Hashed prompt records (security and abuse detection)	Up to 12 months
Billing and tax records	7 years (US tax-record retention requirement)
Sanctions / KYC records	5 years post-relationship-end
Security incident logs	Up to 24 months
CSAM / NCII / safety incident records	As required by 18 U.S.C. § 2258A and applicable safety-cooperation obligations
Backup copies	Up to 90 days from last update
Aggregated and de-identified data	Indefinitely (no longer personal information)

When retention ends, we will delete or de-identify personal information using reasonable methods.

8. Your Rights

8.1 Rights Available to All Users

Through your account settings, you can: (a) review and update your account information; (b) download your Inputs and Outputs; (c) delete specific Inputs, Outputs, or your entire account; and (d) manage marketing communication preferences.

8.2 Additional Rights Under EU / UK / Swiss Law

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR / UK GDPR / FADP:

Access — confirmation of whether we process your personal information and a copy of it;
Rectification — correction of inaccurate or incomplete personal information;
Erasure ("right to be forgotten") — deletion in specified circumstances;
Restriction of processing — limiting how we use personal information;
Data portability — receiving your personal information in a structured, machine-readable format;
Objection — objecting to processing based on legitimate interests, including for direct marketing;
Withdrawing consent — at any time without affecting prior lawful processing;
Not being subject to fully automated decisions producing legal or similarly significant effects (Article 22);
Lodging a complaint with your supervisory authority.

8.3 Note on Erasure Requests

You may delete your Inputs, Outputs, and account at any time. We will erase identifiable personal information within the periods stated in Section 7. Please note that aggregated and de-identified data already incorporated into security-analytics systems cannot be reconstituted to identify you and is not subject to erasure.

8.4 Verification

We will verify the identity of any person submitting a rights request (typically by confirming control of the account email or, for enterprise accounts, through a verified channel). We may decline manifestly unfounded or excessive requests, or charge a reasonable fee.

8.5 Authorized Agents

You may use an authorized agent to submit a rights request on your behalf. We will require proof of authorization and may verify the request directly with you.

8.6 How to Exercise Your Rights

Submit rights requests at privacy@promptwise.com or through the in-product privacy console. We will respond within the time required by applicable law (one month under GDPR, extendable by two further months for complex requests; 45 days under CCPA, extendable to 90 days).

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Our security program includes encryption in transit (TLS 1.2+) and at rest, access controls, multi-factor authentication for our personnel, vulnerability management, security monitoring, employee training, and regular third-party audits.

No security program is perfect. If we become aware of a personal-data breach affecting your personal information, we will notify you and applicable supervisory authorities as required by law.

9.1 Reporting a Vulnerability

Security researchers may report vulnerabilities through our coordinated-disclosure program at security@promptwise.com.

10. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected personal information from a child under 13, please contact privacy@promptwise.com and we will delete it. Users between 13 and the age of majority in their jurisdiction may use the Services only with parental consent and supervision, as described in our Terms of Service.

11. Biometric and Likeness Data

This section is critically important. Please read it carefully if you use any feature that processes facial or vocal characteristics.

11.1 What We Treat as Sensitive

Inputs that depict the face, voice, or other distinctive personal characteristics of a real person may, depending on jurisdiction, constitute "biometric data," "biometric identifiers," "biometric information," or "special categories of personal data" under laws including:

The Illinois Biometric Information Privacy Act (BIPA);
The Texas Capture or Use of Biometric Identifier Act (CUBI);
The Washington biometric statute;
The EU/UK GDPR Article 9;
The California CPRA;
Other state and national laws.

11.2 Geographic Availability

Features that process facial or vocal characteristics — including face-driven character generation, face swap, voice cloning, lip-sync, and avatar features — are not available to residents of Illinois or Texas, and may be restricted or unavailable in other jurisdictions. By enabling or using any such feature, you represent that you are not a resident of Illinois or Texas.

11.3 No Self-Classification

We do not determine or represent whether any specific Input or Output constitutes biometric data, a biometric identifier, biometric information, a "scan of face geometry," or any other regulated category under any specific law. Classification varies by jurisdiction and is your responsibility.

11.4 No Identification

We do not use your Inputs to identify you or any other individual based on biometric characteristics. You may not use the Services to identify any individual based on biometric characteristics.

11.5 Single-Subject Restriction

For features that generate or modify content depicting a specific individual (such as personal-avatar generators), you may upload only media depicting yourself.

11.6 Consent for Third-Party Subjects

If your Inputs contain media depicting any person other than yourself, you must have obtained verifiable, informed, written consent from that person to upload, process, and use the media as you do, in accordance with our Media Upload Agreement.

11.7 Retention of Media Containing Personal Characteristics

You may delete media containing personal characteristics through your account settings. We will remove the media from active processing systems within 30 days of your request, subject to limited retention as required for legal hold, fraud prevention, and security investigation. Where applicable law (such as BIPA § 15(a)) requires destruction within a defined period, we will comply with that requirement.

11.8 No Training on Biometric Inputs

We do not use Inputs containing facial or vocal characteristics, or Outputs derived from such Inputs, to train AI models — neither ours nor those of any Third-Party AI Model provider — under any circumstances.

12. Sensitive Information More Generally

You should not provide us with Inputs containing health information protected by HIPAA (in the absence of a Business Associate Agreement, which we do not generally enter into for the Services), genetic information, financial-account credentials, government identification numbers, sexual-orientation or sexual-life information, religious or political-belief information, trade-union membership information, or other categories of "sensitive personal information" or "special categories of personal data" defined under applicable law.

If you do provide such information, you are solely responsible for any consequences, and we will treat the information in accordance with applicable law and our security program.

13. Cookies and Similar Technologies

We use cookies and similar technologies to operate, secure, and improve the Services. Categories include:

Strictly necessary — for authentication, security, and basic functionality;
Performance and analytics — to understand how the Services are used;
Functionality — to remember preferences;
Marketing — only with your consent in jurisdictions requiring it.

You can manage non-essential cookies through our cookie consent manager (available in EU/UK/select US jurisdictions) and your browser settings. Disabling some cookies may degrade functionality.

We respect Global Privacy Control (GPC) signals as a valid opt-out of "sale" and "sharing" for California consumers.

14. United States State Privacy Rights

14.1 California (CCPA / CPRA)

California consumers have the rights described in Section 8.2 (with terminology adapted as below) and the following additional rights:

Right to Know what personal information we have collected, used, disclosed, and sold or shared;
Right to Delete personal information we hold;
Right to Correct inaccurate personal information;
Right to Opt-Out of "sale" and "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information for monetary consideration. Where "sharing" applies (such as through certain advertising cookies), you may opt out via our cookie banner or by sending a Global Privacy Control signal;
Right to Limit Use of Sensitive Personal Information to specified business purposes;
Right against Retaliation for exercising any of these rights.

To submit a California rights request: privacy@promptwise.com. We will not discriminate against you for exercising your rights.

14.2 Other US States

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Florida (limited), Delaware, New Jersey, New Hampshire, Minnesota, Maryland, or another state with a comprehensive privacy law, you have rights similar to those described in Section 8.2 and 14.1, including rights of access, correction, deletion, portability, and opt-out of targeted advertising and profiling. Submit requests at privacy@promptwise.com.

14.3 Nevada

Nevada residents may direct us not to make certain "sales" of covered information by emailing privacy@promptwise.com. We do not currently engage in such sales.

15. Automated Decision-Making

We do not use solely automated processing to make decisions producing legal or similarly significant effects on you. Generation of Outputs in response to your Inputs is the operation of the Service itself, not an automated decision about you within the meaning of Article 22 of the GDPR. You may not use the Services for fully automated decision-making affecting any individual's legal rights or access to essential services or benefits.

16. EU AI Act Disclosures

Where we deploy or distribute AI systems within the EU, we comply with applicable obligations of Regulation (EU) 2024/1689 (the "EU AI Act"). In particular:

We mark Outputs as AI-generated using machine-readable provenance signals (including C2PA metadata where supported), as required by Article 50;
We do not use the Services for any practice prohibited by Article 5 (including subliminal manipulation, exploitation of vulnerabilities, social scoring, and real-time biometric identification in publicly accessible spaces);
For Third-Party AI Model providers that qualify as general-purpose AI providers, we receive transparency information from the provider as required and pass it through to enterprise customers on request.

17. EU Digital Services Act

For users in the EU, our notice-and-action mechanism, statement-of-reasons procedure, trusted-flagger intake, internal complaint-handling system, transparency reporting, and out-of-court dispute settlement options are described in our DSA Compliance Notice [TBD]. You may report illegal content through report@promptwise.com or the in-product report mechanism. Our point of contact for EU authorities is [TBD].

18. Trust & Safety: Mandatory Reporting

We cooperate with the National Center for Missing & Exploited Children (NCMEC) CyberTipline pursuant to 18 U.S.C. § 2258A. We use industry-standard image-hashing tools (including PhotoDNA) and operate processes for non-consensual intimate imagery removal under the federal Take It Down Act, with a 48-hour SLA from a verified report. Our designated child-safety contact is trust@promptwise.com. Our full Trust & Safety Policy is at [TBD].

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email or by prominent in-Service notice at least 14 days before they take effect. The "Last Updated" date at the top of this Policy reflects the most recent version. Continued use after the effective date constitutes acceptance of the updated Policy.

20. Contact Us

For privacy-related questions or to submit a rights request:

Email: privacy@promptwise.com
Mail: ZeroTen Media Inc., Attn: Privacy, 1007 N Orange Street, 4th Floor, Wilmington, Delaware 19801, USA
Data Protection Officer (where applicable): [TBD]
EU Representative under GDPR Article 27 (where applicable): [TBD]
UK Representative under UK GDPR Article 27 (where applicable): [TBD]

You also have the right to lodge a complaint with your data-protection supervisory authority.

Appendix A — Sub-Processors and Third-Party AI Model Providers

A complete current list, including the purpose of processing, location, and applicable transfer mechanism for each, is published at [TBD]. We update this list when we add or change Sub-Processors and provide notice of material changes.

This Privacy Policy has been drafted to reflect best-practice protections identified across leading AI generation platforms and current US/EU/UK privacy law as of May 11, 2026. It should be reviewed and adapted by qualified legal counsel before use. Square-bracketed placeholders must be completed.