Flux AI Asia — collection, use, retention, and protection of personal information.
This page publishes the CRAISEE Privacy Policy in full. The numbered articles below are the authoritative text.
1. General Provisions (Purpose and Scope)
This Privacy Policy applies to CRAISEE and related services provided by Flux AI Asia (the "Company"), including web/app services and chat-based AI, image/video, and audio features (collectively, the "Service"). It sets forth matters relating to the collection, use, retention, entrustment, provision, cross-border transfer, and safeguarding of personal information. The Company complies with the Personal Information Protection Act and other applicable laws and regulations.
2. Categories of Personal Information Processed and Methods of Collection
2.1 Sign-up and Account
Required: email address, password (hashed), display name (nickname)
Optional: profile information such as job role and interests (only if voluntarily provided)
2.2 Generated Content and Logs Collected Through Use of the Service
Conversations / prompts / uploads / outputs: text, images, audio, and video to the extent the user uses such features
Usage / device information: access date and time, usage records, IP address, cookie/SDK ID, browser/OS/device identifiers, label status
Payments (for paid services): payment method token, transaction ID, amount / time / status, receipt / tax invoice information where required
Logs: model / preset identifiers, timestamps, internal job IDs, success / failure codes, display / labeling status
2.3 Methods of Collection
Information entered directly by users (e.g. sign-up, inquiries, uploads)
Information automatically generated and collected in the course of using the Service (e.g. logs, cookies/SDKs)
Minimum necessary information collected through integrations with processors/subcontractors (e.g. cloud, payments, notifications, analytics, models)
2.4 Safety Review and Content Filtering
To ensure service safety, comply with applicable laws, prevent abuse, and block prohibited content, the Company may use automated safety review systems or trusted third-party safety screening tools to analyze prompts, text, images, audio, video, and related metadata that users input, upload, or generate.
In this process, the Company may inspect, restrict, block, delete, or make private user inputs, uploaded assets, and generated outputs to the extent necessary to prevent the generation or distribution of sexually explicit, nude, sexually suggestive, or other content that may violate Company policies or applicable laws.
During the safety review process, prompts, uploaded assets, generated outputs, and related metadata may be transmitted in encrypted form to domestic or overseas processors or safety screening services, and the Company will manage such processing so that only the minimum necessary information is handled.
3. Purposes of Processing and Legal Bases
The Company processes personal information for the following purposes and legal bases to the extent permitted by applicable law, including for the provision, maintenance, improvement, and enhancement of the Service.
Performance of Contract
User registration and identity verification, login and account management, provision of paid services, payment and settlement, operation of generative features, customer support, delivery of notices, service operations, and incident response
Compliance with Legal Obligations
Retention of transaction records, dispute handling, reporting, and tax obligations under applicable laws relating to e-commerce, consumer protection, telecommunications secrecy, taxation, and accounting
Processing for attachment/pass-through and application/verification of provenance/content credential metadata (including C2PA-compatible metadata), labeling, and notice obligations to the extent required by law
Legitimate Interests of the Company
Service security, prevention of abuse, error analysis, quality improvement, and service stability, provided that such processing is limited to what is necessary and does not unduly infringe the rights and interests of data subjects
Safety Assurance and Prevention of Prohibited Content
To ensure service safety, prevent the generation and distribution of sexually explicit, nude, sexually suggestive, or other content that violates Company policies or applicable laws, maintain system integrity, detect abuse, and comply with law, the Company may review, analyze, and process user inputs, uploaded assets, generated outputs, and related logs.
Consent of the Data Subject
Optional profile information, participation in events or surveys, optional analytics, receipt of marketing information, processing of sensitive information, or third-party provision / overseas transfer where separate consent is required
4. Retention and Destruction
Principle: Personal information is destroyed without delay once the purpose of processing has been achieved or the applicable retention period has expired.
Statutory Retention Periods
Records of contracts / cancellation of subscription: 5 years
Records of payment and supply of services: 5 years
Consumer complaints / dispute resolution records: 3 years
Advertising / display records: 6 months
Telecommunications confirmation data (e.g. access logs): 3 months
Aggregated data for statistics/reporting: retained long-term after removal of personal identifiers and de-identification
Method of Destruction: Electronic files are deleted using methods that make recovery impossible. Printed materials are destroyed by shredding, incineration, or equivalent means.
5. Provision of Personal Information to Third Parties
As a rule, the Company does not provide personal information to external third parties. However, exceptions may apply in any of the following cases:
Where the data subject has given prior separate consent
Where required by law or unavoidable for compliance with legal obligations
Where necessary to protect the urgent life, body, or property interests of the data subject or a third party
Where otherwise permitted under applicable law
Where the Company provides personal information to a third party, it will disclose or separately notify the recipient, purpose, items provided, and retention/use period through the Service or another appropriate notice.
6. Entrustment of Processing
To ensure the smooth operation of the Service, the Company may entrust certain tasks as set out below and will supervise entrusted parties in accordance with applicable law. Such access is limited to the extent necessary to perform the entrusted tasks. During entrusted processing, content and the related provenance/content credential metadata may be stored and processed together.
Hosted infrastructure / processors
Hosting / serverless / edge CDN / WAF / DDoS — Vercel Inc. / United States / global edge (main operation: iad1)
Static and dynamic asset delivery, API routing, request metadata (IP, headers, etc.), edge cache and security processing
Retention: until termination of entrustment (cache retained short-term according to TTL)
Policy: vercel.com/security
Edge security / DDoS — Cloudflare, Inc. / United States / global
Request metadata (IP, headers, etc.), DDoS/WAF processing
Retention: until termination of entrustment (security logs retained according to settings)
Policy: cloudflare.com/trust-hub
Database management — MongoDB, Inc. (Atlas) / United States (currently us-east-1)
Application DB (account profile, usage metadata, generation history metadata, etc.), backups
Retention: until termination of entrustment, backups retained for 7 days
Policy: mongodb.com/cloud/trust
Authentication / session management — Clerk, Inc. / United States / multi-region
Email, display name and other authentication identifiers, session/token metadata
Retention: until account deletion or termination of entrustment
Policy: clerk.com/security
Payment / recurring billing — Armitage Labs OÜ / Estonia / global
Payment tokens, transaction IDs, amount/status, billing records
Retention: statutory retention period
Policy: creem.io/#support
Asset storage / delivery — Cloudinary Ltd. / United States / global POPs
Uploaded/generated assets (image/video/audio), delivery, transformation metadata
Retention: until deletion or termination of entrustment
Policy: cloudinary.com/trust
Object storage — Amazon Web Services, Inc. (S3) / Seoul / global (depending on settings)
Asset storage/delivery, access logs
Retention: until deletion or termination of entrustment
Policy: aws.amazon.com/compliance
Error monitoring — Sentry (Functional Software, Inc.) / United States / EU (depending on settings)
Error events / stack traces (PII excluded in principle), diagnostic metadata
Retention: according to organization settings
Policy: sentry.io/security
Product analytics (first-party) — Vercel Analytics / United States / global
Aggregated traffic/performance metrics (no direct personal identifiers collected)
Retention: according to settings
Policy: vercel.com/analytics
Optional product analytics — PostHog, Inc. / EU region available
De-identified product analytics (opt-out available)
Retention: according to settings
Policy: posthog.com/security
AI model processing (inference) — OpenAI, Anthropic, Google, Microsoft Azure, Replicate, Groq, Cohere, Mistral, xAI, Fireworks, Cerebras, Perplexity, ElevenLabs, FAL.ai, DeepInfra, etc. / United States, Europe, and other regions depending on provider
Temporary processing of prompts, outputs, and generation parameters (in principle not stored, or retained only briefly according to provider policy)
Retention: immediately after processing or according to provider policy
Policies: each provider's policy page (e.g. openai.com/policies)
7. Overseas Transfer of Personal Information
The Company may transfer personal information overseas to the extent necessary to provide the Service. In accordance with applicable law, the Company will disclose or separately notify: (1) items transferred, (2) country, (3) timing and method, (4) recipient/contact information, (5) purpose and retention/use period, and (6) how to refuse and any disadvantages of refusal.
Content exported or shared may include provenance/content credential metadata, and both the content and such metadata may be transmitted, stored, and processed on overseas infrastructure.
Data subjects may withdraw consent to overseas transfer within the scope permitted by applicable law. In such case, use of features that necessarily require overseas storage/processing (e.g. payments, certain AI generation features) may be restricted. Methods of withdrawal and the affected features will be explained within the Service.
Main overseas transfer items
Hosting / serverless / edge CDN / WAF / DDoS: request metadata, static/dynamic assets, edge cache data
Edge security / DDoS: request metadata, security events
Database management: application DB
Authentication / session: authentication identifiers, session/token metadata
Payment / recurring billing: payment tokens, transaction IDs, amount/status
Asset storage / delivery: uploaded/generated assets and transfer metadata
Object storage: asset files and access logs
Error monitoring: error events / stacks
Product analytics: aggregated or de-identified usage data
AI inference: prompts, outputs, parameters where necessary
Transfers are made via TLS-encrypted transmission during use of the Service and are retained according to the relevant processor or provider policy. Refusal may result in degraded or unavailable features, as applicable.
8. Cookies, SDKs, and Behavioral Information
Required cookies: cookies necessary for authentication, session maintenance, and security are essential to provide the Service.
Analytics: the Company may operate first-party analytics based on server logs that do not directly identify individuals and provides opt-out measures.
Advertising/profiling: used only with consent and subject to separate notice and consent where required.
The Company may use essential cookies and optional cookies or similar technologies for service improvement. Users may refuse optional cookies through browser settings, device settings, or the privacy settings menu within the Service. Blocking essential cookies may limit functions such as login persistence and security authentication.
9. Sensitive Information and Children
The Company does not, in principle, request processing of sensitive information. Users must not input or upload their own or a third party's sensitive information, resident registration numbers, or other information requiring special protection under applicable law. Where such input is identified, the Company may take necessary measures such as deletion, making the content private, or restricting use, in order to ensure service safety and legal compliance.
The Service is not available to children under the age of 14. If the Company becomes aware that personal information of a child under 14 has been collected, it may promptly delete such information or restrict the relevant account.
10. Processing of Pseudonymized Information
The Company may pseudonymize information for purposes such as quality improvement and statistics, and will implement safeguards such as separate storage of additional information, separation of access rights, and prohibition of re-identification.
11. Rights of Data Subjects and How to Exercise Them (DSR)
Rights: access, correction, deletion, suspension of processing, data portability, and withdrawal of consent
Method: through the /profile page or by email at support@craisee.com
Procedure: the Company will process requests within the statutory period after identity verification and will notify users if a request cannot be fulfilled
Where necessary for integrity, safety, or legal compliance, the Company may refuse requests to delete or alter labels or provenance metadata and will explain the reason.
12. Safeguards
The Company implements the following measures to prevent personal information from being lost, stolen, leaked, altered, or damaged:
Administrative: internal management plans, least-privilege principle, regular training
Technical: encryption at rest and in transit, access controls, vulnerability checks, anti-malware/security software, protection against log tampering
Physical: access control for server rooms and records storage areas
13. Third-Party Sites and Services
If users access third-party services linked or embedded in the Service (such as payment, hosting, analytics, or model providers), the privacy policy of the relevant third party may apply.
14. Incident Response and Notice
In the event of a personal data breach or similar incident, the Company will promptly conduct an impact assessment and take damage mitigation measures, and will report to the relevant authorities without delay where required by law.
15. Privacy Officer and Contact Information
Privacy Officer: Seunghyun Han
Email: support@craisee.com / Phone: +82-2-6242-6502
Dispute / complaint relief:
Korean Personal Information Infringement Report Center: 118
Korean Personal Information Dispute Mediation Committee: 1833-6972
Korean National Police Agency: 182
16. Notice and Changes
This Policy applies from its effective date. Any additions, deletions, or corrections will be announced on the website or by similar means. Material changes may be individually notified or require consent by email or in-app notice.
If there are other privacy-related notices, summaries, translations, or foreign-language documents with the same or similar titles, this Privacy Policy shall prevail with respect to the CRAISEE service provided by Flux AI Asia.
Previous versions of the Privacy Policy and revision history will be retained for at least five years and made available to users.
Public notice date: 2026-04-17
Effective date: 2026-04-17