Privacy Policy
Last updated: April 4, 2026
Article 1 (General)
HEY JAMES Inc. (the "Company") values users' personal data and complies with relevant laws including the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and the Protection of Communications Secrets Act. This Privacy Policy describes the personal data collected through the Fingr service (the "Service") operated by the Company — the items collected, purposes of collection, retention periods, and user rights.
Article 2 (Items collected & methods)
1. At sign-up (required)
- Name, email address, password (stored as a BCrypt hash)
2. Google social login (required)
- Email, name, profile image URL, Google unique identifier (UID)
3. At payment (required)
- Card issuer, last 4 digits of card number, billing key (auto-billing authentication)
- Payment key, order ID
- ※ The full card number is not stored by the Company; it is handled by Toss Payments.
4. Voice cloning (optional)
- Voice sample audio file
- Voice profile metadata (name, gender, language)
5. While using the Service (auto-collected)
- Access IP address, browser information, Service usage records
- AI API usage logs (service name, model, token count, estimated cost)
6. Project data
- Project title, topic, target audience, script, slide data, subtitles
Methods of collection
Sign-up form, Google OAuth, Toss Payments SDK, file upload, automatic collection during Service use.
Article 3 (Purposes of collection & use)
- Member management: sign-up / withdrawal processing, identity verification, email verification
- Service provision: AI video creation features, TTS generation, voice cloning
- Payment & subscription management: credit top-ups, subscription renewal, refund handling
- Service improvement: usage analytics, API cost management
- Customer support: handling inquiries, dispute resolution
- Legal compliance: retention of records under the e-Commerce Act
- Service safety: abuse prevention, detection of unauthorized access
Article 4 (Retention & use period)
| Item | Retention | Basis |
|---|---|---|
| Member info (name, email, etc.) | Until withdrawal | Personal Information Protection Act, Art. 21 |
| Payment / transaction records | 5 years | e-Commerce Act, Art. 6 |
| Contract / withdrawal records | 5 years | e-Commerce Act, Art. 6 |
| Consumer complaint / dispute records | 3 years | e-Commerce Act, Art. 6 |
| Access logs (IP, browser) | 3 months | Communications Secrets Act, Art. 15-2 |
| Projects / generated content | 30 days after withdrawal | Internal policy |
| Voice cloning data | Immediately upon profile deletion or withdrawal | Internal policy |
Article 5 (Provision to third parties)
The Company does not provide personal data to third parties without the user's consent, except as required by law. To provide the Service, information is shared with the following parties:
| Recipient | Items | Purpose | Retention |
|---|---|---|---|
| Anthropic (USA) | Script text, topic, conditions | AI script / slide generation | Immediately after API processing |
| MiniMax (China) | Narration text, voice sample files | TTS generation, voice cloning | Immediately after API processing* |
| FAL.ai (USA) | Image generation prompt | B-roll image generation | Immediately after API processing |
| Toss Payments (Korea) | Name, email, card information | Payment processing | Per Toss Payments' policy |
| Google (USA) | OAuth authentication info | Social login | Per Google's policy |
* For voice cloning, voice data uploaded to MiniMax may be retained on MiniMax servers for the purpose of generating a voice_id.
Article 6 (Cross-border transfer of personal data)
To provide the Service, users' personal data is transferred overseas as follows:
| Recipient | Country | Items | Purpose | Method |
|---|---|---|---|---|
| Anthropic, LLC | USA | Text data (scripts, etc.) | AI script generation | API transfer (HTTPS) |
| MiniMax Technology Co., Ltd. | China | Text, voice files | TTS / voice cloning | API transfer (HTTPS) |
| FAL.ai, Inc. | USA | Image generation prompt | AI image generation | API transfer (HTTPS) |
| Google LLC | USA | OAuth authentication info | Social login | OAuth protocol |
Notice regarding MiniMax (China)
When using voice cloning and TTS features, users' text and voice data are transferred to MiniMax servers located in China. China is subject to the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). The Company protects data through HTTPS-encrypted transmission, and processing is governed by MiniMax's data processing policy.
If a user does not consent to the cross-border transfer, the use of AI script generation, TTS narration, voice cloning, and AI image generation features may be restricted.
Article 7 (Processing entrustment)
To smoothly provide the Service, the Company entrusts processing of personal data as follows:
| Processor | Entrusted task |
|---|---|
| Toss Payments Co., Ltd. | Payment processing and billing key management |
| Cloud service providers | Data storage and server operation |
Entrustment contracts include compliance with personal data protection laws, confidentiality, restrictions on sub-entrustment, and damages for incidents.
Article 8 (User rights & how to exercise them)
Users may exercise the following rights:
- Right to access: view personal data the Company holds about you.
- Right to correction / deletion: request correction or deletion of inaccurate personal data.
- Right to suspend processing: request that processing of personal data be suspended.
- Right to withdraw consent: withdraw consent to the collection and use of personal data.
How to exercise
- You can view, edit, and delete personal data directly from the profile page.
- Account deletion (withdrawal) can be processed from the profile page.
- You can also request via email (james@heyjames.ai).
- A legal representative or an authorized agent may exercise these rights (a power of attorney is required).
Requests are processed within 10 days, and the relevant data is not used or provided until correction / deletion is complete.
Article 9 (Destruction procedures)
- When destroyed: when the retention period elapses, the processing purpose is achieved, or the user withdraws.
- How destroyed:
- Electronic files: permanently deleted in a non-recoverable manner.
- Paper documents: shredded or incinerated.
- Handling on withdrawal:
- Destroyed immediately: name, email, password, OAuth info, billing key, voice profile.
- Destroyed after 30 days: projects, generated content.
- Statutory retention: payment records (5 years), access logs (3 months) — stored separately.
Article 10 (Cookies & sessions)
- Session cookies: used to keep you logged in.
- CSRF protection: security tokens are used to prevent cross-site request forgery.
- Third-party tracking cookies and analytics tools (e.g., Google Analytics) are not used at this time.
- You can refuse or delete cookies in your browser settings. Note that refusing cookies may restrict access to features that require login.
Article 11 (Protective measures)
Administrative measures
- Minimization of staff who handle personal data
- Regular staff training
- Establishing and operating an internal management plan
Technical measures
- Passwords stored using BCrypt encryption
- HTTPS (SSL / TLS) encrypted communication
- Role-based access control
- Retention of access logs and prevention of tampering
- Installation and updating of security software
Physical measures
- Data center access control
Article 12 (Information about automated decisions)
The following automated decisions are made within the Service:
- Automatic credit deduction: credits are automatically deducted in line with the cost of AI API calls.
- Automatic credit expiry: credits past their validity period are automatically forfeited.
- Subscription auto-renewal: when a subscription expires, the registered payment method is automatically charged.
Users may request an explanation of, or object to, an automated decision. AI content generation only runs in response to a user's explicit request.
Article 13 (Personal data of children under 14)
- The Company does not collect personal data from children under 14, and does not allow membership for children under 14.
- If the Company becomes aware that personal data of a child under 14 has been collected, it will destroy the data immediately.
- A legal representative may request access, correction / deletion, or suspension of processing of a child's personal data.
Article 14 (Privacy officer)
The Company has designated the following privacy officer for the protection of users' personal data and the handling of related complaints:
| Name | Sunghoon Lee |
| Title | CEO |
| Contact | james@heyjames.ai |
For all personal data inquiries, complaints, and remedy requests arising from use of the Service, users may contact the privacy officer above.
Article 15 (Remedies for infringement)
For relief and consultation regarding personal data infringement, users may apply to the following bodies:
| Body | Phone | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 | www.kopico.go.kr |
| Privacy Infringement Report Center (KISA) | 118 | privacy.kisa.or.kr |
| Supreme Prosecutors' Office Cyber Investigation Division | 1301 | www.spo.go.kr |
| National Police Agency Cyber Bureau | 182 | ecrm.cyber.go.kr |
Article 16 (Changes to this policy)
- If this policy changes, notice will be posted within the Service at least 7 days before the effective date.
- For material changes unfavorable to users, notice will be given at least 30 days in advance and individually by email.
Supplementary provisions
- This Privacy Policy takes effect on April 4, 2026.
- The previous Privacy Policy (effective April 1, 2026) is replaced by this policy.
For questions related to personal data, please contact james@heyjames.ai.