Privacy Policy

Article 1 (General)

HEY JAMES Inc. (the "Company") values users' personal data and complies with relevant laws including the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and the Protection of Communications Secrets Act. This Privacy Policy describes the personal data collected through the Fingr service — which includes AI video creation, AI app creation, and related features (the "Service") — operated by the Company, including the items collected, purposes of collection, retention periods, and user rights.

Article 2 (Items collected & methods)

1. At sign-up (required)

• Name, email address, password (stored as a BCrypt hash)
• Sign-up time IP address, browser identification (User-Agent), language preference
• ※ The IP address and User-Agent collected at sign-up are used and analyzed to block abuse — multiple sign-ups from the same IP, bot sign-ups, disposable email domains, etc.

2. Google social login (required)

• Email, name, profile image URL, Google unique identifier (UID)
• Sign-up time IP address and User-Agent

3. At payment (required)

• Korean-language users: card issuer, last 4 digits of card number, billing key (auto-billing authentication), payment key, order ID
• English-language users: customer identifier and payment identifier issued by the payment processor (Lemon Squeezy)
• ※ The full card number is not stored by the Company; it is handled by Toss Payments or Lemon Squeezy.

4. AI video creation

• Project title, topic, target audience, script, slide data, subtitles
• Voice cloning (optional): voice sample audio file, voice profile metadata (name, gender, language)

5. AI app creation

• App idea text, follow-up Q&A, attached files (images, documents, etc.)
• Natural-language edit request text
• Source code, database, logs, and asset files of the generated app
• For production mode: activation timestamps and renewal history
• For custom domain connection: the domain name entered by the user, SSL certificate issuance status

6. Beta service sign-up

• Email address (required), the slug indicating which beta service was applied for
• Optional fields: contact number, time spent on the relevant workflow, pain points, expectations, desired features, role
• UTM parameters (utm_source / utm_medium / utm_campaign / utm_content), referer, IP address, User-Agent
• ※ Beta sign-up data is collected for evaluating launch viability, requesting interviews, and inviting pilot users; it is not disclosed outside the Company.

7. While using the Service (auto-collected)

• Access IP address, browser information, Service usage records
• AI API usage logs (service name, model, token count, estimated cost)
• External traffic statistics on generated apps (IP, User-Agent — used to identify bot traffic and compute auto-suspension timers)

Methods of collection

Sign-up form, Google OAuth, payment processor SDKs (Toss Payments / Lemon Squeezy), file upload, beta sign-up form, automatic collection during Service use.

Article 3 (Purposes of collection & use)

• Member management: sign-up / withdrawal processing, identity verification, email verification, language preference
• Service provision — video: AI video creation features, TTS generation, voice cloning
• Service provision — app: automatic AI app generation, natural-language edits, app hosting, production mode, custom domain connection and SSL certificate issuance
• Payment & subscription management: credit top-ups, subscription renewal, refund handling, production-mode renewal and auto-demotion
• Service safety & abuse prevention: detecting multiple sign-ups from the same IP, blocking bot sign-ups, matching disposable email domains, preventing fraud, detecting unauthorized access
• Beta service validation: evaluating launch viability, requesting interviews, inviting pilot users
• Service improvement: usage analytics, AI API cost management, app traffic pattern analysis (separated from personally identifiable information)
• Customer support: handling inquiries, dispute resolution
• Legal compliance: retention of records under the e-Commerce Act

Article 4 (Retention & use period)

Article 5 (Provision to third parties)

The Company does not provide personal data to third parties without the user's consent, except where required by law. The following information is shared with third parties as necessary to provide the Service.

* For voice cloning at MiniMax, the uploaded voice data may be retained on MiniMax's servers in order to generate the voice_id.

Article 6 (Cross-border transfer of personal data)

To provide the Service, users' personal data is transferred across borders as follows.

If a user does not consent to cross-border transfer, AI script generation, TTS narration, voice cloning, AI image generation, AI app creation and editing, English-language payment processing, and custom-domain SSL issuance may be unavailable.

Article 7 (Processing entrustment)

The Company entrusts the processing of personal data to the following parties to provide the Service smoothly.

The entrustment contracts specify compliance with relevant privacy laws, confidentiality, restrictions on sub-entrustment, and damages in the event of incidents.

Article 8 (User rights & how to exercise them)

Users may exercise the following rights:

1. Right of access: view the personal data the Company holds about them.
2. Right to correct or delete: request correction or deletion of inaccurate personal data.
3. Right to suspend processing: request that processing of personal data be suspended.
4. Right to withdraw consent: withdraw consent to the collection or use of personal data.

How to exercise

• Personal data can be viewed, edited, and deleted directly on the profile page.
• Account deletion (withdrawal) can be processed on the profile page.
• Requests can also be made by email to james@heyjames.ai.
• A legal representative or duly authorized agent may exercise these rights (proxy required).

Requests are processed within 10 days. The relevant data is not used or provided until correction or deletion is complete.

Article 9 (Destruction procedures)

1. Trigger: when the retention period expires, the processing purpose is achieved, or the user withdraws.
2. Method:
   • Electronic files: permanently deleted in an unrecoverable manner
   • Paper documents: shredded or incinerated
3. On withdrawal:
   • Destroyed immediately: name, email, password, OAuth info, billing key, voice profiles, sign-up time IP / User-Agent
   • Destroyed after 30 days: video projects, generated video content, generated app workspaces (source code, database, logs)
   • Statutory retention: payment records (5 years), access logs (3 months) — kept separately
4. On automatic app deletion: Apps that are automatically deleted 7 days after auto-suspension under Terms Article 10 have their workspace (source code, database, logs) permanently deleted in an unrecoverable manner.

Article 10 (Cookies & sessions)

1. Session cookies: session cookies are used to keep users signed in.
2. CSRF protection: security tokens are used to prevent cross-site request forgery.
3. The main Service screens do not currently use third-party tracking cookies or analytics tools (e.g., Google Analytics). However, beta-service landing pages may collect referral information through URL parameters (UTM) for ad-campaign tracking.
4. Users may refuse or delete cookies in their browser settings. Refusing cookies may, however, restrict use of features that require sign-in.

Article 11 (Protective measures)

Administrative

• Minimization of personnel handling personal data
• Regular employee training
• Internal management plan and execution

Technical

• Passwords stored as BCrypt hashes
• HTTPS (SSL/TLS) for communication
• Role-based access control
• Access-log retention with tamper protection
• Isolation between generated apps (memory, CPU, disk, and process separation) to prevent information leakage
• Installation and updating of security software

Physical

• Data-center access controls

Article 12 (Information about automated decisions)

The Service makes the following automated decisions:

• Automatic credit deduction: credits are deducted automatically based on AI API costs (covering video creation, app creation, and natural-language edits).
• Credit expiry: credits past their validity period are forfeited automatically.
• Subscription auto-renewal: subscriptions are auto-charged on the registered payment method when they expire.
• App auto-suspension: generated apps are auto-suspended after a period of inactivity (Terms Article 10).
• App auto-deletion: if an app stays suspended past the threshold, its workspace is permanently deleted automatically (Terms Article 10). Apps owned by suspended users are permanently deleted 30 days after suspension.
• Production-mode auto-demotion: if credits are insufficient at renewal, the app is automatically demoted to development mode (Terms Article 11).
• Automatic abuse blocking: sign-up time IP, User-Agent, and email domain are analyzed; same-IP multiple sign-ups, bot sign-ups, and disposable-domain matches result in an automatic temporary suspension and a request for operator review.

Users may request an explanation of, or object to, an automated decision. If automatically suspended for suspected abuse, the user may dispute the decision by emailing james@heyjames.ai; an operator will review the request and either lift the block or provide reasoning. AI content generation is performed only at the user's direct request.

Article 13 (Personal data of children under 14)

1. The Company does not collect personal data from children under 14, and does not allow them to sign up.
2. If the Company learns that personal data of a child under 14 has been collected, that data is destroyed immediately.
3. Legal representatives may request access, correction or deletion, or suspension of processing for the child's personal data.

Article 14 (Privacy officer)

The Company designates the following privacy officer to protect users' personal data and to handle related complaints.

Users may direct any privacy-related inquiries, complaints, or remediation requests to the officer above.

Article 15 (Remedies for infringement)

Users may request remediation, consultation, or other relief for personal-data infringement at the following bodies.

Article 16 (Changes to this policy)

1. Any changes to this Policy will be announced within the Service at least 7 days before the effective date.
2. For changes that materially disadvantage users, notice will be given at least 30 days in advance, with individual notice by email.

Supplementary provisions

1. This Privacy Policy takes effect on April 30, 2026.
2. The previous Privacy Policy (effective April 4, 2026) is replaced by this Policy. The principal scope of this revision is the addition of items collected, purposes of use, cross-border transfers, and automated decisions related to the AI app creation feature; the explicit listing of the English-language payment processor (Lemon Squeezy) and the SSL certificate authority (Let's Encrypt); and information on beta-service sign-up handling.