Privacy and Acceptable Use Policy

This Policy applies to HelloDay (hereinafter "we", "us", or "the Company") and governs our collection, storage, processing, sharing and other handling of personal data and user-generated content via our websites, mobile and desktop applications, APIs, embedded components and other services (collectively, "Services").

By accessing or using the Services you agree to the practices described herein, subject to applicable law (where explicit consent is required by law, consent will be requested separately).

For clarity, the terms used in this Policy are defined as follows:

• Personal Data / Personal Information: Any information that identifies or can be used to identify a natural person, either alone or in combination with other information (e.g., name, email, IP address, device identifiers, images).
• Sensitive Personal Data / Special Categories of Data: Data defined as sensitive under applicable law (e.g., race or ethnicity, religion, health, sexual orientation, biometric data). We will only collect/handle such data with explicit consent or where required/allowed by law.
• Controller: The legal entity that determines the purposes and means of processing personal data (in this Policy, typically HelloDay).
• Processor / Subprocessor: A third-party service provider that processes personal data on behalf of the Controller (e.g., cloud vendors, analytics providers).
• Processing: Any operation performed on personal data (collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, erasure, etc.).
• User Content: Content that users upload, create or submit to the Services (including text, images, audio, video, avatar materials, prompts).
• Generated Content / Model Outputs: Content produced by HelloDay's models or processing in response to user inputs (e.g., synthesized speech, generated video/audio, AI-generated text).
• Avatar / Character: A virtual image or persona created by a user or by the Service to represent or simulate a person or character (may include appearance, voice, gestures).
• Deepfake: AI/ML technologies used to synthesize, substitute, or alter real persons' faces, voices or other identifying characteristics in a way that makes content appear to be someone else.
• Anonymization / De-identification: Technical measures that irreversibly remove personal identifiers so the data can no longer be associated with an identifiable person.
• Data Subject: A natural person who is identified or identifiable from personal data.

Controller: HelloDay (insert full legal company name here).

Registered office / corporate information: 59 Fermont House, 15 Beaufort Square, London, NW9 4FF. AVATARAI UNITED KINGDOM LTD

Data Protection Officer (DPO) (if applicable): customer@helloday.ai

Privacy / Data Requests Contact: customer@helloday.ai

Please replace the above placeholders with the Company's actual legal and contact information and have legal counsel confirm DPO obligations under GDPR.

We collect personal data from users and other sources. Categories include:

We process personal data only for specific, legitimate purposes. The legal basis depends on the jurisdiction and context (GDPR legal bases included where applicable).

We treat user uploaded and generated content as follows:

1. Service necessity: To provide avatar creation, video/voice synthesis and preview features, the Service may process and temporarily or persistently store the content you upload or provide.
2. Model improvement: By default we may use de-identified or aggregated data for model improvement. If we intend to use identifiable or non-anonymized user content to train base models, we will make this explicit and obtain clear consent, and where feasible provide an opt-out.
3. User choice: We recommend offering users a clear "opt-out" for having their content used to train models (where technically feasible). Document the opt-out mechanism and its effects in account settings and this Policy.
4. Deepfakes & unauthorized likenesses: We prohibit and will actively restrict generation or distribution of realistic likenesses of third parties (particularly public figures and private individuals) without their explicit authorization. See Section 14 for details.

We do not sell personal data. We may share personal data with:

• Affiliates and subsidiaries for internal corporate purposes;
• Service providers / subprocessors (e.g., cloud hosting, CDN, analytics, payment processors, email providers) who are contractually bound to process data only on our instructions and maintain security safeguards;
• Business partners where you have authorized integrations;
• Legal / compliance recipients when required by law;
• Acquirers in case of corporate transactions (see Section 17).

We and our service providers use cookies, web beacons, pixel tags, local storage and other tracking technologies to:

• Maintain sessions and authentication;
• Store user preferences and settings;
• Conduct analytics and product optimization;
• Provide security and anti-fraud measures;
• Enable advertising and personalization (only with consent where required).

Users may manage cookies via browser settings and in-app preferences. For cookies requiring consent (e.g., advertising, analytics under certain laws), we will present a consent mechanism.

We implement reasonable technical and organizational measures including, where appropriate:

• TLS/HTTPS for data in transit;
• Encryption of sensitive data at rest;
• Role-based access controls and least privilege;
• Multi-factor authentication for administrative access;
• Regular security assessments, vulnerability management, penetration testing;
• Backups and disaster recovery processes;
• Logging and intrusion detection.

In the event of a data breach, we will activate our incident response plan, investigate scope/impact, contain and remediate vulnerabilities, notify affected users and supervisory authorities as required by law, and implement corrective measures to prevent recurrence.

In the event of a data breach, we will:

1. Activate our incident response plan and investigate scope/impact;
2. Contain and remediate vulnerabilities;
3. Notify affected users and supervisory authorities as required by law, providing details on affected data, likely consequences and mitigation steps;
4. Implement corrective measures to prevent recurrence.

In the event of a data breach, we will activate our incident response plan, investigate scope/impact, contain and remediate vulnerabilities, notify affected users and supervisory authorities as required by law, and implement corrective measures to prevent recurrence.

Our Services are not directed at children below the minimum age required by applicable law (commonly under 13 in the U.S., under 16 in certain EU countries). We do not knowingly collect personal data from children under the applicable age without parental consent. If we become aware that we have collected such data without consent, we will promptly delete it and take steps to terminate the account. Where we offer services for minors, we will obtain parental consent and implement additional safety measures.

• Right of access: Request a copy of personal data we hold;
• Right of rectification: Request correction of inaccurate or incomplete data;
• Right to erasure (“right to be forgotten”): Request deletion of personal data in certain circumstances;
• Right to restriction of processing: Request limitation of processing in defined scenarios;
• Right to data portability: Obtain data in a machine-readable format;
• Right to object: Object to processing based on legitimate interests, direct marketing, or profiling;
• Right to withdraw consent:Where processing is based on consent, withdraw it at any time;
• Right to lodge a complaint: with a supervisory authority.

• How to submit: Use account settings or send an email to customer@helloday.ai with a clear description of the request (see Appendix B for templates).
• Identity verification: We will verify the requester’s identity to protect data from unauthorized disclosure.
• Response timeline: We will respond within applicable statutory timelines (commonly 30 days) or notify you if an extension is necessary.
• Refusal:If we are legally permitted to refuse a request, we will explain the reasons and the available remedies (including lodging a complaint).

We may update this Policy from time to time to reflect legal, technical, or business changes. For material changes (e.g., new uses of personal data, change in data-sharing practices), we will provide prominent notice in the Service (in-app or email notification) and update the Effective Date at the top of the Policy. Continued use of the Services after notice constitutes acceptance of the updated Policy.

For privacy inquiries, data requests, or complaints:

• Privacy / Data Requests:customer@helloday.ai
• Data Protection Officer (where applicable): customer@helloday.ai
• General Support:customer@helloday.ai
• Company Address / Registration Details: 59 Fermont House, 15 Beaufort Square, London, NW9 4FF,AVATARAI UNITED KINGDOM LTD

If you remain unsatisfied with our handling of your request, you may lodge a complaint with your local supervisory authority (e.g., a Data Protection Authority in an EU Member State or other applicable regulator).

Note: These are illustrative examples. Adjust to your business and legal obligations.