Privacy Policy

1. Introduction

1.1. This Privacy Policy (hereinafter referred to as "Policy") defines the procedures for collecting, using, storing, protecting, and deleting personal data of users of the vizardio.com service (hereinafter referred to as "Service").

1.2. The Data Controller is: 3 Krolika LLP, BIN 251240001464, address: 010000, Kazakhstan, Astana, Taras Shevchenko Street 4/1, unit 17 (hereinafter referred to as "Operator").

1.3. Contact email address: support@vizardio.com.

1.4. This Policy has been developed in accordance with the laws of the Republic of Kazakhstan, including the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and Their Protection," and is designed to comply with international data protection standards, including the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA).

1.5. By using the Service, the User confirms that they are at least 18 (eighteen) years of age. Persons under the age of 18 are not permitted to use the Service.

2. Data We Collect

2.1. For the Service to function, we collect and process the following categories of data:

2.1.1. Data Provided by the User:

• Email address — for registration, authorization, and account recovery;
• Username (login) — for identification within the system;
• Password — stored exclusively in encrypted (hashed) form.

2.1.2. Content Uploaded by the User:

• Photographs and images for processing or as references;
• Audio files for processing;
• Video files for processing;
• Text data (descriptions, wishes, generation instructions).

2.1.3. Automatically Generated Content:

• Songs and music;
• Images (portraits, greeting cards, invitations, logos, coats of arms, and other graphic materials);
• Poems;
• Texts (greetings, formal letters, marketing materials, and other text-based content);
• Videos;
• Chat history with AI assistants.

2.1.4. Technical Data:

• IP address — for anti-fraud and abuse prevention;
• Browser and device information (User-Agent, interface language, device type);
• User settings and preferences (language, theme, application settings);
• Anonymized Service usage statistics (via Yandex.Metrika in minimal configuration, without behavioral profiling — enabled only after the User's explicit consent, see Section 11);
• Technical logs (for security incident investigation).

2.1.5. Payment Information:

We DO NOT store payment data (card numbers, CVV, etc.). All payments are processed through third-party payment services certified to PCI DSS standards. We receive only confirmation of successful payment and a transaction identifier.

3. Purposes of Data Processing

3.1. The collected data is used exclusively for the following purposes:

• User registration and authentication;
• Ensuring account security;
• Providing Service functions (content generation);
• Processing payments and tracking energy points;
• Content moderation and violation prevention;
• Technical support and communication with Users;
• Improving Service quality (anonymized usage statistics);
• Compliance with legal requirements;
• Protecting the rights and legitimate interests of the Operator.

3.2. Transformation of Uploaded Images

Images uploaded by the User (including photographs of faces) are automatically transformed before processing: resized to a maximum of 1536 pixels on the longer side and re-encoded into JPEG format. After such transformation, the images do not contain biometric data in the sense of applicable data protection laws — extraction of unique biometric parameters for identification becomes technically impossible. Original images are not stored in either the database or object storage.

4. Legal Basis for Processing (GDPR)

4.1. For Users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary for the performance of a contract with you (providing Service functions);
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, preventing fraud, and ensuring security;
• Consent: Where you have given explicit consent for specific processing activities;
• Legal Obligation: Processing necessary for compliance with legal obligations.

5. Data Retention Periods

5.1. Account data (email, login, password): stored until the account is deleted by the User or by the Operator in accordance with the terms of use.

5.2. Inactive accounts: To implement the right to be forgotten, User accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data and content.

5.3. Uploaded content (photographs, audio, video for processing): stored for 7 (seven) calendar days for moderation and verification purposes, after which it is automatically deleted.

5.4. Generated content:

• For Users without Prime status: generated content is automatically deleted 2-4 months after creation;
• For Users with Prime status: content is stored until deleted by the User or until the Prime status expires (after which standard retention periods apply).

Upon deletion, content is marked as deleted (for recovery purposes) and completely removed after 7 (seven) calendar days.

5.5. AI assistant chat history:

• Only the last 100 (one hundred) messages with each AI assistant are stored;
• For Users without Prime status: message history is automatically deleted after 2-4 months;
• For Users with Prime status: message history is stored until account deletion or until the Prime status expires.

5.6. Technical logs and IP addresses: stored for 12 (twelve) months exclusively for anti-fraud and security incident investigation purposes. Marketing analytics is not built on this data.

5.7. Transaction data: stored for the period required by applicable law (at least 5 years) for accounting and tax purposes.

6. Data Protection

6.1. The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions.

6.2. Protection measures include:

• Password encryption using modern cryptographic algorithms;
• Use of secure connections (HTTPS/TLS);
• Restricted access to personal data;
• Regular data backups;
• System security monitoring.

6.3. Important Notice: Despite the protective measures taken, the Operator cannot guarantee absolute data security during transmission over the Internet. The User uses the Service at their own risk.

7. Data Transfer to Third Parties

7.1. The Operator does not sell personal data. Transfer to third parties occurs only in the following cases:

7.2. Technical Contractors

To operate the Service, technical contractors are engaged: cloud storage, hosting providers, infrastructure suppliers, AI providers for content generation. The specific list of contractors may change as the Service evolves.

Requests transmitted to AI services are anonymized: email addresses, usernames, and account identifiers are not included. AI providers receive only the minimum data necessary to perform generation (prompt text, transformed reference images — see Section 3.2).

7.3. Payment Gateways

Payments are processed through external payment gateways certified to the PCI DSS standard. The following data is transmitted to the payment gateway: payment amount, order identifier, and the User's email address (for receipt delivery). Payment details (card number, CVV, expiration date) are entered by the User directly in the payment gateway form; the Operator does not receive or store them.

7.4. Upon Request of Government Bodies

Upon a reasoned request of authorized government bodies in accordance with applicable law.

7.5. With the User's Consent

In other cases — only with the User's explicit consent.

7.6. All third parties receiving access to data are required to maintain confidentiality and use data exclusively to perform their functions.

7.7. International Data Transfers

Some technical contractors and AI providers may be located outside the European Economic Area. The legal basis for such international transfer is contract performance (Article 6(1)(b) GDPR) — the User's request for content generation. Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCC) approved by the European Commission.

8. Use of Data and AI Training

8.1. The Operator does not use content uploaded or generated by the User to train its own artificial intelligence models. The Operator does not develop or train its own AI models.

8.2. For content generation, the technical infrastructure of third-party AI providers is used under contractual arrangements. Requests are transmitted in anonymized form (see Section 7.2).

8.3. Third-party AI providers may use the data transmitted to them in accordance with their own privacy policies. The Operator ensures anonymization of data prior to transmission and pre-transformation of images (see Section 3.2), which precludes the possibility of User identification on the AI providers' side.

8.4. Internal analysis for Service improvement (usage metrics, fault detection) is conducted exclusively on anonymized aggregated data.

9. User Rights

9.1. The User has the right to:

• Access their personal data and receive a copy;
• Request correction or updating of inaccurate personal data;
• Request deletion of their personal data ("right to be forgotten");
• Restrict the processing of their personal data;
• Object to the processing of their personal data;
• Request data portability (receive data in a structured, commonly used format);
• Withdraw consent to data processing at any time;
• Delete their content through the Service interface;
• Delete their account (all associated content will also be deleted);
• Lodge a complaint with a supervisory authority.

9.2. Additional Rights for California Residents (CCPA):

If you are a California resident, you have the following additional rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you;
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions;
• Right to Opt-Out of Sale: We do not sell personal information. However, you have the right to opt out of any future sales;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, please contact us at support@vizardio.com.

9.3. To exercise your rights, the User may:

• Use the personal account functionality to manage data and content;
• Send a request to the email address support@vizardio.com.

9.4. Requirements for Requests:

To protect against unauthorized access to data, the request must be sent from the same email address that is registered with the User's account. This serves as identity verification of the requester.

The request must contain:

• Nature of the request (access, correction, deletion, withdrawal of consent, etc.);
• Account identifier (email address or username);
• Date of preparation.

9.5. Request processing time — 30 (thirty) calendar days from receipt of a properly formed request. Under GDPR — within one month (extendable by two further months for complex requests). Under CCPA — within 45 days (extendable by another 45 days where reasonably necessary).

10. Account and Data Deletion

10.1. The User may delete their account at any time through the personal account settings.

10.2. Upon account deletion:

• Personal data (email, login) is deleted;
• All generated content is deleted;
• AI assistant chat history is deleted;
• Transaction data is retained in accordance with legal requirements.

10.3. Automatic deletion of inactive accounts: Accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data.

10.4. Account deletion is irreversible. Recovery of deleted data is not possible.

11. Cookies and Similar Technologies

11.1. The Service uses two categories of cookies:

11.2. Necessary Cookies

Used for authentication, session maintenance, request forgery protection (CSRF), remembering the selected interface language, and application settings. The Service cannot function without them. Consent for their use is not required (legal basis — contract performance, Article 6(1)(b) GDPR).

11.3. Analytics Cookies

Yandex.Metrika in anonymized configuration is used: only counting of visits and page views to improve the Service. Extended features are disabled: WebVisor (recording user actions), clickmap (click heat-map), accurate dwell-time tracking, and behavioral profiling are not used. Analytics cookies are enabled only after the User's explicit consent.

11.4. Third-party analytics services (Google Analytics, Facebook Pixel, Hotjar, and similar) are not used by the Service.

11.5. Managing Consent

On the first visit, the User is shown a banner allowing them to allow or decline analytics cookies. The choice can be changed at any time via the "Cookie settings" section in the side menu of the Service. Cookies can also be disabled in browser settings.

12. Prohibited Content and Moderation

12.1. The Operator reserves the right to review uploaded content for violations of law and Service rules.

12.2. If prohibited content is discovered (including materials containing child sexual abuse material, hate speech, calls for violence), the Operator has the right to:

• Immediately block the User's account;
• Transfer information to law enforcement authorities;
• Retain necessary data for investigation.

13. Children's Privacy

13.1. The Service is not intended for persons under the age of 18. We do not knowingly collect personal data from children under 18.

13.2. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information as soon as possible.

13.3. If you believe that a child under 18 has provided us with personal data, please contact us at support@vizardio.com.

14. Do Not Track Signals

14.1. Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activities tracked. The Service does not currently respond to "Do Not Track" signals as there is no industry standard for handling such signals.

15. Changes to the Policy

15.1. The Operator reserves the right to make changes to this Policy at any time.

15.2. Changes take effect from the moment the new version of the Policy is published on the Service website.

15.3. The User undertakes to independently monitor changes in the Policy. Continued use of the Service after changes are made constitutes acceptance of the new version of the Policy.

15.4. For material changes, we will make reasonable efforts to notify you by email or through a prominent notice on the Service.

16. Governing Law and Jurisdiction

16.1. This Policy and any disputes arising from or relating to it shall be governed by the laws of the Republic of Kazakhstan.

16.2. Any disputes shall be subject to the exclusive jurisdiction of the courts located in Astana, Republic of Kazakhstan.

16.3. Notwithstanding the foregoing, if you are located in the European Economic Area, United Kingdom, or Switzerland, nothing in this Policy affects your statutory rights under applicable data protection laws.

17. Additional Disclosures

17.1. Categories of Personal Information Collected (CCPA Disclosure):

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (email address, username, IP address);
• Internet or other electronic network activity information (browsing history, interactions with the Service);
• Audio, electronic, visual, or similar information (uploaded content);
• Inferences drawn from the above (preferences, characteristics).

17.2. Sources of Personal Information:

• Directly from you when you provide it;
• Automatically when you use the Service;
• From third-party payment processors (transaction confirmation only).

17.3. Business or Commercial Purposes for Collection:

As described in Section 3 of this Policy.

17.4. Sale or Sharing of Personal Information:

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.