
Privacy Policy

Effective Date: April 6, 2026

Melaka Corp (주식회사 멜라카) ("Melaka", "we", "our", or "us") operates the Gendia AI platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

1. Data We Collect

Information you provide:

We collect information you provide directly, including your email address, username, display name, encrypted (hashed) password, profile image, prompts and uploads, and any communications you send to us (such as support requests).

Payment information is processed securely by third-party providers (such as TossPayments or Creem.io), and we do not store full card details.

Information collected automatically:

When you use the Service, we automatically collect certain technical and usage information, such as your browser type, device and operating system, pages visited, features used, generation activity, timestamps, IP address, and approximate location (country/city).

We also collect limited security-related information (such as session identifiers and login activity) to help protect your account and prevent unauthorized access.

Information from third parties:

If you sign in through third-party services, we may receive basic profile information such as your email address, name, and profile image (e.g., Google OAuth), or institutional identity information (e.g., university SSO). Payment providers may also share transaction status and billing information necessary to process your subscription.

2. How We Use Your Data

  • Service delivery, authentication, and billing
  • Communication (verification, password reset, billing notifications)
  • Product improvement (usage analysis)
  • AI training (mandatory)
  • Safety (abuse/fraud detection)
  • Legal compliance

4. Data Sharing

We do not sell personal data.

Category | Data Shared
Cloud Storage | Generated images, videos, audio files; application data and assets
AI Processing | Text prompts and uploaded images/videos used as inputs. Only data necessary for the requested feature is transmitted.
Payment Processing | Billing name, billing address, payment amounts, transaction status. Full card numbers are never stored by Melaka.
Email Delivery | Your email address and the content of emails sent to you
Authentication | Authentication tokens; email, name, and profile photo if you use social login
Database | Account details, generation history, settings, and preferences. Encrypted at rest.
Analytics | Anonymized usage events, page views, and feature interactions. No personally identifiable information.
Legal & Compliance | Personal data may be disclosed to law enforcement or regulatory authorities when required by applicable law.

4.1 Mergers and Acquisitions

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or part of our assets or shares, your personal data may be transferred to or shared with the acquiring entity or its advisors as part of that transaction. We will notify you in advance of any such transfer where practicable, and will ensure that the receiving party handles your personal data in a manner consistent with this Privacy Policy. If the receiving party intends to use your data in a materially different way, we will provide you with appropriate notice and, where required by law, obtain your consent.

4.2 Outsourcing of Personal Data Processing

In accordance with Article 26 of the Personal Information Protection Act (PIPA), we outsource personal data processing tasks as follows:

Processor | Outsourced Task
TossPayments | Payment processing
Creem.io | International payment processing
Amazon Web Services (AWS) | Data storage
Third-party AI content generation providers | AI content generation processing
Resend | Authentication and notification email delivery

In our outsourcing agreements, we expressly stipulate the prohibition on processing for purposes other than the outsourced task, required protection measures, restrictions on sub-outsourcing, and management and supervision obligations.

5. Data Storage and Security

We implement industry-standard technical and organizational measures to protect your data, including encryption in transit and at rest, secure authentication practices, and access controls designed to prevent unauthorized access, disclosure, or misuse.

5.1 Data Breach Notification

In the event of a personal data breach, Melaka will:

  • Notify the relevant supervisory authority (PIPC for Korean users; lead EU DPA for European users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and PIPA Article 34;
  • Notify affected users directly without undue delay where the breach is likely to result in a high risk to their rights and freedoms, including information on the nature of the breach, the data affected, likely consequences, and steps taken or proposed to address it;
  • Maintain an internal record of all data breaches, their effects, and remedial actions taken.

We have implemented technical and organizational procedures to detect, investigate, and respond to data breaches in a timely manner.

5.2 Specific Safety Measures

In accordance with Article 29 of the Personal Information Protection Act (PIPA), we implement the following measures:

1) Technical Measures

  • Encrypted storage of user passwords and SSL encryption for the transmission of personal data
  • Operation of firewalls and intrusion detection systems (IDS) to prevent hacking and unauthorized access
  • High-level security maintenance and regular backups of servers that hold personal data

2) Administrative Measures

  • Minimization of access privileges to personal data (limited to personnel responsible for personal data processing)
  • Regular personal data protection training and execution of security pledges by employees upon hire
  • Personal data processing agreements with outsourced providers and regular audits of those providers

In the event of a data breach caused by internal administrator error or technical incident, we will promptly notify affected users and take appropriate remedial measures.

6. Data Retention

Retention periods are determined based on the purpose of data collection, applicable legal obligations, and the principle of data minimisation under PIPA Article 21 and GDPR Article 5(1)(e).

Data Type | Retention Period | Legal Basis
Account profile data | While account is active. Deleted after 90-day post-cancellation window unless legal obligation requires longer retention. | PIPA Article 21
Generated content | While account is active (full access); 90 days post-cancellation (read-only); then permanently deleted. | Service delivery; PIPA data minimisation
Usage & generation logs | 12 months from collection, then anonymized or deleted. | PIPA legitimate interest
Payment & billing records | 5 years from transaction date. | Framework Act on National Taxes, Article 85-3; Act on the Consumer Protection in Electronic Commerce, Article 6
Consumer dispute records | 3 years from close of matter. | Act on the Consumer Protection in Electronic Commerce, Article 6
Login & access logs | 3 months. | Protection of Communications Secrets Act
Sessions & CSRF tokens | 7 days (sliding); cleared on logout. | Security
AI training data | Anonymized prompts and outputs may be retained indefinitely for model improvement. | PIPA Article 58-2 (anonymized data exemption)

7. Cross-Border Transfers

To provide the Service, your personal data may be transferred to and processed in countries outside the Republic of Korea, including the United States and countries within the European Economic Area. These countries may have different data protection laws than Korea.

  • EU users: Transfers are protected by Standard Contractual Clauses approved by the European Commission or other appropriate safeguards under GDPR Chapter V.
  • Korean users: Cross-border transfers comply with PIPA Article 17. We ensure that recipient countries or organizations provide an equivalent level of data protection, or we execute the necessary contractual safeguards before transferring your data.
  • All users: We only transfer personal data to third-party service providers that are contractually bound to protect it in accordance with applicable data protection law and this Privacy Policy.

8. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you, as defined under GDPR Article 22. All content moderation decisions that may result in account suspension or termination involve human review at the final stage. Our AI Services generate content outputs at your direction and do not autonomously make decisions that materially affect your legal rights, financial situation, or access to services.

9. Your Rights

All users:

Access, correction, deletion, portability, opt-out of marketing.

EU (GDPR):

Right to restrict/object to processing, withdraw consent, lodge a complaint with a Data Protection Authority.

Korean (PIPA):

Access, correction, suspension, deletion, complaint to PIPC.

To exercise your rights: email [email protected]. Response within 30 days.

10. Cookies

We use cookies and similar technologies to operate the Service. For full details of which cookies we use and how to manage them, see our Cookie Policy.

11. AI Training

Mandatory: worldwide royalty-free license for prompts and outputs. Processed in aggregate; not publicly exposed; not sold. Third-party AI providers have their own data retention policies.

12. Children's Privacy

In accordance with this Section 12, the Service is not directed to users under the age of 13 as a general rule, and any account discovered to belong to such a user will be deleted without prior notice. However, in accordance with Korean law (Article 22-2 of the Personal Information Protection Act), Korean users aged 13 and over but under 14 may use the Service only where verifiable consent has been obtained from a legal guardian, and a separate process is provided for that purpose. As the Service is primarily intended for adolescents aged 14 and over and adults, direct use by children under 14 is limited.

The Service has the following age requirements, which are consistent with the eligibility terms in our Terms of Service:

  • Under 13: The Service is not intended for users under 13. If we become aware that a user under 13 has registered, the account will be deleted without notice.
  • Ages 13–17 (Free Plan only): Users aged 13–17 may only access the free plan with the express consent of a parent or legal guardian. Korean users under 14 require verifiable parental consent in accordance with PIPA Article 22-2.
  • Ages 18+ required for paid plans: Paid subscriptions require users to be at least 18 years old.

Parents and guardians are responsible for supervising minors' use of the Service and for ensuring compliance with these age requirements. By permitting a minor to use the Service, the parent or guardian accepts these Terms on the minor's behalf and assumes full responsibility for their activity. If you believe a minor has registered without appropriate consent, please contact [email protected] and we will promptly investigate and delete the account if confirmed.

13. Changes

Updates posted with a new effective date. Significant changes will be communicated via email or in-app notification. Renewed consent will be requested where required by law.

14. Privacy Officer and Contact

In accordance with Article 31 of the Personal Information Protection Act (PIPA), we have designated a Chief Privacy Officer.

Chief Privacy Officer (CPO)

  • Name: Kim Tae-hyun (CEO)
  • Department: Management Support Team
  • Email: [email protected]
  • Phone: 070-4774-5462

Privacy Officer

  • Name: Fatih
  • Department: Service Development Team
  • Email: [email protected]
  • Phone: 070-4760-2214

Data Controller

You may also report personal data infringements or seek consultation through the following Korean authorities:

  • Personal Information Infringement Report Center: 118 / privacy.kisa.or.kr
  • Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
  • Cyber Crime Investigation Unit, Supreme Prosecutors' Office: 02-3480-3573 / www.spo.go.kr

Last Updated: April 6, 2026

© 2026 Melaka Corp. All rights reserved.