Basic Policy
Mimicit ("Service") recognizes the protection of users' personal information and privacy as an important responsibility, and manages personal information appropriately in compliance with the Act on the Protection of Personal Information and related laws.
This Privacy Policy explains the types of information we collect, our purposes for use, how we manage it, and your rights.
This policy may be updated from time to time. We will notify you of important changes on our website.
Information We Collect
We collect the following information:
[Account information] · Email address (provided by your Google account) · Name / display name (provided by your Google account) · Profile image (provided by your Google account)
[Service usage data] · Prompt text you generate · Source images (sent to our server for processing; not retained afterward) · Generated result images (stored for a period so you can view and save them) · AI models and settings used
[Access logs & technical information] · IP address · Browser type and version · Access timestamps and operation logs · Chrome extension version
[Payment information] · Payments for credit purchases are processed by Stripe. Sensitive card information is never stored on our servers.
How We Use Information
We use collected information only for the following purposes:
(1) Providing, authenticating, and managing user accounts (2) Executing AI prompt generation and image generation features (3) Saving and displaying generation history (4) Managing credit balances (5) Responding to customer support requests (6) Detecting and responding to fraudulent use and security incidents (7) Creating anonymized statistical data to improve the Service and develop new features (8) Confirming compliance with Terms of Service and this Policy (9) Fulfilling legal obligations
Sharing with Third Parties
We do not share or disclose users' personal information to third parties except in the following cases:
(1) With the user's prior consent (2) As required by law (e.g., lawful requests from courts, police, etc.) (3) When necessary to protect someone's life, body, or property, and it is difficult to obtain consent
We may share data with the following service providers, who process it solely on our behalf:
· Vercel, Inc. (web app hosting & runtime) — USA · Stripe, Inc. (payment processing) — USA · Google LLC (Google OAuth, Gemini / Imagen API) — USA · Black Forest Labs / fal.ai (FLUX model image generation) — Various · OpenAI, LLC (GPT-Image generation) — USA
Data transfers to the above providers are governed by their respective privacy policies.
Data Storage & Retention
User data is stored on servers in Japan or the United States.
[Retention periods] · Account information: For the duration the account is active, plus 90 days after deletion (for fraud prevention) · Generation history & images: For the duration the account is active · Access logs: Up to 90 days · Payment records: As required by law (up to 7 years)
Following an account deletion request, we delete data (except data required to be retained by law) within 30 days.
Cookies & Local Storage
We use cookies and browser local storage for the following purposes:
[Essential cookies / session cookies] We use session cookies set by NextAuth to maintain sign-in status. These are essential for the Service to function.
[Extension local storage] The Chrome extension stores authentication tokens, language settings, and other data in the extension's own storage area (chrome.storage.local). This storage is separate from a website's localStorage and cannot be read by the web pages you visit.
Disabling cookies will prevent you from signing in to the Service normally.
Security
We take the following measures to safely manage personal information:
· Encrypted communication via HTTPS (TLS 1.2 or higher) · Authentication via Google OAuth (we never store your password) · Authentication and access control for database access · Regular security reviews and updates · Secure card information processing via Stripe (PCI DSS compliant)
However, internet communications cannot guarantee complete security. If you discover a security concern, please report it via our Contact page.
Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13.
If we discover that data from a child under 13 has been collected, we will delete it promptly.
Your Rights
You have the following rights regarding your personal information:
(1) Access: Right to request disclosure of personal information we hold (2) Correction / Addition / Deletion: Right to request correction of inaccurate information or addition/deletion of information (3) Restriction / Erasure: Right to request restriction of use or erasure of personal information (4) Data portability: Right to obtain data we hold in a machine-readable format
To exercise these rights, please contact us via our Contact page. We will respond within the period required by law after verifying your identity.
You can also directly delete your account from the Profile page in the Dashboard.
Note on Generative AI
The Service sends source images and prompts you input to AI model APIs (Google Gemini, OpenAI, Black Forest Labs, etc.).
Please also review each AI model provider's privacy and data use policies separately. We strongly recommend not including personal or confidential information in source images or prompts.
We make no warranties regarding the quality or appropriateness of generated images or prompts.
Chrome Extension Data Handling
The Mimicit Chrome extension follows these principles for handling data, in accordance with Chrome Web Store policies:
[Content script scope] The content script runs on every website (matches: <all_urls>), but solely to let you pick any image you find as creative source material. The extension never reads page text, form inputs, browsing history, cookies, passwords, or any other page content.
[Image data handling] The content script collects only the URLs and basic metadata of <img> elements visible on the page and forwards them to the side panel UI. Image data stays on your device until you explicitly click "Generate"; only then is it sent to our server (mimicit.app).
[Remote code execution] The extension runs only the code shipped in its Chrome Web Store package. No JavaScript is fetched and executed from remote sources, in compliance with the Manifest V3 remote code policy.
[Permissions requested] · storage: store the auth token and selected model · activeTab: communicate with the active tab while the side panel is open · contextMenus: provide a right-click menu entry · sidePanel: host the main UI · host_permissions: https://*.mimicit.app/* (API calls only)
[External messaging] The mimicit.app web app uses externally_connectable to notify the extension of "auth state changed" or "credits updated" events to keep the side panel in sync. Chrome delivers such messages only from origins listed in the extension's externally_connectable allowlist, so third-party sites cannot use this channel.
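As an added illustration of how an externally_connectable channel is kept closed to third-party sites, the following is example code written for this page; it is not Mimicit's own extension code. The manifest fragment, the event names "auth-state-changed" and "credits-updated", the origin pattern, and the returned action shape are all assumptions modelled on the description above. It shows the two layers a practitioner would expect: the manifest allowlist that stops Chrome from delivering messages from other origins at all, and an in-code origin and message-type check so that a later widening of the allowlist, or a page that merely looks like the app, still cannot drive the extension.

```javascript
// Added example, not Mimicit's code. Assumed manifest.json fragment: Chrome only
// fires runtime.onMessageExternal for pages whose URL matches one of these
// patterns; a site not listed here cannot even open the channel.
const MANIFEST_FRAGMENT = {
  externally_connectable: { matches: ["https://*.mimicit.app/*"] },
};

// Defence in depth: re-check the sender origin in code instead of trusting the
// manifest alone. Matches https://mimicit.app and its subdomains, nothing else
// (assumed pattern).
const TRUSTED_ORIGIN = /^https:\/\/([a-z0-9-]+\.)*mimicit\.app$/i;

// The only event types the side panel knows how to handle (assumed names).
const ALLOWED_EVENTS = new Set(["auth-state-changed", "credits-updated"]);

// Returns true only for a sender whose origin is the app's own origin.
// sender.origin is set by Chrome for web-page senders; fall back to deriving it
// from sender.url. sender.id is not used: web pages carry no extension id.
function isTrustedSender(sender) {
  let origin = sender && sender.origin;
  if (!origin && sender && sender.url) {
    try {
      origin = new URL(sender.url).origin;
    } catch (e) {
      return false; // unparsable URL: treat as untrusted
    }
  }
  return typeof origin === "string" && TRUSTED_ORIGIN.test(origin);
}

// Decides what the extension should do with an external message. Returns an
// action object, or null when the message must be dropped. Kept as a pure
// function so it can be tested without a browser.
function handleExternalMessage(message, sender) {
  if (!isTrustedSender(sender)) return null;
  if (!message || typeof message !== "object") return null;
  if (!ALLOWED_EVENTS.has(message.type)) return null;
  // The message is only a signal: the extension re-fetches session or credit
  // state from the API with its own token rather than trusting any payload
  // (such as a credit balance) supplied by the page.
  return {
    refresh: message.type === "auth-state-changed" ? "session" : "credits",
  };
}

// Wire the listener up only when running inside the extension's service
// worker; under Node (or in a test) the chrome global is absent.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const action = handleExternalMessage(message, sender);
    sendResponse(action ? { ok: true, ...action } : { ok: false });
  });
}
```

The manifest allowlist is the real gate; the in-code check costs nothing and turns a future configuration mistake into a dropped message rather than a control channel for arbitrary sites. Ignoring the payload and re-fetching state from the API keeps a compromised or spoofed page from, for example, claiming an inflated credit balance.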
Changes to This Policy
We may revise this Policy as necessary. We will notify you of important changes via the Service or by email in advance.
The revised Policy takes effect from the date it is posted on the website.
Contact
Questions, requests, or complaints regarding personal information handling may be submitted via our Contact page.
We maintain a personal information protection officer and appropriate management structure.