Please refer to the full text below for details.
- What we collect: Google account info, generation history, logs. We do NOT read browsing history or form input
- Training use: We never use your images or prompts to train our own AI
- Third parties: Stripe / Vercel / Google / OpenAI / FLUX, only as required for processing
- Your rights: Access, correct, delete, and export your data anytime
- Storage: Servers in Japan or the US. HTTPS-encrypted in transit
Basic Policy
Mimicit ("Service") recognizes the protection of users' personal information and privacy as an important responsibility, and manages personal information appropriately in compliance with the Act on the Protection of Personal Information and related laws.
As a small, indie-built service, we believe being explicit about "what we collect and what we don't" matters more than ever. This Privacy Policy explains the types of information we collect, our purposes for use, how we manage it, and your rights — written in plain language wherever possible.
This policy may be updated from time to time. We will notify you of important changes via an in-app banner or email to your registered address.
Information We Collect
We collect only the information necessary to operate the Service. We do not collect data "just in case."
[Account information]
· Email address (provided by your Google account)
· Name / display name (provided by your Google account)
· Profile image (provided by your Google account)
We use Google OAuth, so we never store your password.
[Service usage data]
· Prompt text you generate
· Source images (sent to our server for processing; not retained afterward)
· Generated result images (stored so you can review them in History, until you delete them)
· AI models and settings used (resolution, aspect ratio, etc.)
· Favorite status
[Access logs & technical information]
· IP address (retained up to 90 days for fraud prevention)
· Browser type and version
· Access timestamps and operation logs
· Chrome extension version
[Payment information]
· Payments for credit purchases are processed by Stripe. Sensitive card information (card numbers, CVC, etc.) is never sent to or stored on our servers.
· After purchase, we only receive the transaction ID, amount, and timestamp from Stripe.
[What we DON'T collect]
Even when technically possible, we do NOT collect:
· URLs or text of web pages you visit
· Form input (passwords, search queries, etc.)
· Cookies or localStorage from sites other than mimicit.app
· Account info from other websites
How We Use Information
We use collected information only for the following purposes:
(1) Providing, authenticating, and managing user accounts
(2) Executing AI prompt generation and image generation features
(3) Saving and displaying generation history
(4) Managing credit balances and processing purchases
(5) Responding to customer support requests
(6) Detecting and responding to fraudulent use and security incidents
(7) Creating anonymized statistical data to improve the Service and develop new features
(8) Confirming compliance with Terms of Service and this Policy
(9) Fulfilling legal obligations
We will never use your data beyond these purposes. No ad targeting, no selling to third parties, no repurposing for AI training data — period.
Third-Party Sharing & Processors
We do not share or disclose users' personal information to third parties except in the following cases:
(1) With the user's prior consent
(2) As required by law (e.g., lawful requests from courts, police, etc.)
(3) When necessary to protect someone's life, body, or property, and it is difficult to obtain consent
We may share data with the following service providers, who process it solely on our behalf and never for their own purposes:
· Vercel, Inc. (web app hosting & runtime) — USA
· Stripe, Inc. (payment processing) — USA
· Google LLC (Google OAuth, Gemini / Imagen API) — USA
· Black Forest Labs / fal.ai (FLUX model image generation) — Various
· OpenAI, LLC (GPT-Image generation) — USA
· Resend / SendGrid (transactional email like password reset) — USA
Data transfers to the above providers are governed by their respective privacy policies. All providers maintain enterprise-grade data protection (encryption, access control, SOC 2 or equivalent certifications).
If we add a new processor in the future, we will update this policy to reflect it.
Data Storage & Retention
User data is stored on servers in Japan or the United States (cloud providers). All data is encrypted both at rest and in transit.
[Retention periods]
· Account information: While the account is active, plus 90 days after deletion (for fraud prevention and accidental-deletion recovery)
· Generation history & images: While the account is active, until you delete them
· Favorites: While the account is active
· Access logs: Up to 90 days (including IP addresses)
· Payment records: As required by law (up to 7 years under Japanese tax record retention)
Following an account deletion request, we delete all data (except data required to be retained by law) within 30 days. For records we must retain by law, we minimize the personally identifying portion.
Data in backups is purged according to backup rotation (within 30 days at most).
Cookies & Local Storage
We use cookies and browser local storage for the following purposes only. We do NOT use third-party advertising or tracking cookies.
[Essential cookies / session cookies] We use session cookies set by NextAuth to maintain sign-in status. These are essential for the Service to function. They are set with `secure` (HTTPS-only), `httpOnly` (no JS access), and `SameSite=Lax`.
[Locale cookie] We save the selected display language as a cookie named `mimicit-locale`.
[Extension local storage] The Chrome extension stores authentication tokens, selected AI model, language settings, etc. in browser local storage (chrome.storage.local). These are automatically cleared by Chrome when the extension is uninstalled.
Disabling cookies will prevent you from signing in normally.
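The three cookie attributes named above are what a reviewer checks when confirming that a session cookie cannot leak over plain HTTP, be read by page scripts, or ride along on cross-site requests. The following is an added example, not code from the Mimicit service or from NextAuth: it parses a `Set-Cookie` header and reports which of those attributes are missing or weakened. The cookie names and token values are constructed placeholders.

```javascript
// Added example: audit a Set-Cookie header for the attributes a session
// cookie should carry (Secure, HttpOnly, SameSite not None).
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased;
// flag attributes such as HttpOnly are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  if (!nameValue) return { name: '', value: '', attrs: {} };
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return a list of findings for a session cookie; an empty list means the
// cookie matches the Secure + HttpOnly + SameSite=Lax description above.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.secure !== true) {
    findings.push('missing Secure: cookie may be sent over plain HTTP');
  }
  if (attrs.httponly !== true) {
    findings.push('missing HttpOnly: readable by page JavaScript');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push('missing SameSite: rely on an explicit Lax or Strict, not the browser default');
  } else if (sameSite === 'none') {
    findings.push('SameSite=None: cookie is attached to cross-site requests');
  }
  return findings;
}

// Constructed sample headers (placeholder cookie names and token values).
const HARDENED_COOKIE =
  '__Secure-session-token=<placeholder-token>; Path=/; HttpOnly; Secure; SameSite=Lax';
const WEAK_COOKIE = 'session-token=<placeholder-token>; Path=/; SameSite=None';

console.log(auditSessionCookie(HARDENED_COOKIE)); // []
console.log(auditSessionCookie(WEAK_COOKIE));     // three findings
```

Run it against the `Set-Cookie` headers returned by the sign-in endpoint (for example from browser developer tools) to confirm the deployed configuration matches the policy text; the `__Secure-` name prefix in the sample is a standard browser convention that additionally requires the Secure attribute, used here only as an illustration.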
Security
We take the following measures to safely manage personal information:
· Encrypted communication via HTTPS (TLS 1.2 or higher)
· Authentication via Google OAuth (we never store your password)
· Authentication and access control for database access (principle of least privilege)
· Database encryption at rest (AES-256)
· Regular security reviews and dependency updates
· Secure card information processing via Stripe (PCI DSS compliant)
· Server access log monitoring
However, internet communications cannot guarantee absolute security. If you discover a security concern or vulnerability, please report it via our Contact page. We greatly appreciate responsible disclosure.
Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13.
If we are notified that data from a child under 13 has been collected, we will delete it promptly upon receiving a request from a parent or guardian.
Users under 18 must obtain parental consent before using the Service.
Your Rights
You have the following rights regarding your personal information. We genuinely care about your ability to know and control how your data is used — it's one of our core principles.
(1) Access: Right to request disclosure of personal information we hold
(2) Correction / Addition / Deletion: Right to request correction of inaccurate information or addition/deletion of information
(3) Restriction / Erasure: Right to request restriction of use or erasure of personal information
(4) Data portability: Right to obtain data we hold in a machine-readable format (e.g., JSON)
(5) Withdrawal of consent: Right to withdraw previously given consent for the future
To exercise these rights, please contact us via our Contact page. We aim to respond within 2 weeks after verifying your identity, and at the latest within the period required by law.
You can also delete your account directly from the Profile page in the Dashboard. A history download (export) feature is planned for the future.
Note on Generative AI
The Service sends source images and prompts you input to AI model APIs (Google Gemini, OpenAI, Black Forest Labs, etc.).
Each AI model provider publicly states that data received via API is 'not used for further training of their AI models', but please review each provider's latest policy for the most accurate information.
We strongly recommend not including personal information, confidential business information, photos of other people, or similar sensitive content in source images or prompts. If accidentally sent, the data will be handled according to each provider's retention policy.
We make no warranties regarding the quality, appropriateness, or copyright cleanliness of generated images or prompts. AI output is just that — output. The decision to use it is yours.
Chrome Extension Data Handling
The Mimicit Chrome extension follows these principles for handling data, in accordance with Chrome Web Store policies. The same disclosures are also published on the Chrome Web Store listing.
[Content script scope] The content script runs on every website (matches: <all_urls>), but solely to let you pick any image you find as creative source material. The extension never reads page text, form inputs, browsing history, cookies, passwords, or any other page content.
[Image data handling] The content script collects only the URLs and basic metadata of <img> elements visible on the page and forwards them to the side panel UI. Image data stays on your device until you explicitly click "Generate"; only then is it sent to our server (mimicit.app).
[Remote code execution] The extension runs only the code shipped in its Chrome Web Store package. No JavaScript is fetched and executed from remote sources, in compliance with the Manifest V3 remote code policy.
[Permissions requested]
· storage: store the auth token and selected model
· activeTab: communicate with the active tab while the side panel is open
· contextMenus: provide a right-click menu entry
· sidePanel: host the main UI
· host_permissions: https://*.mimicit.app/* (API calls only)
[External messaging] The mimicit.app web app uses externally_connectable to notify the extension of "auth state changed" or "credits updated" events to keep the side panel in sync. Third-party sites cannot use this channel.
Changes to This Policy
We may revise this Policy as necessary. We will notify you of important changes via an in-app banner or email to your registered address in advance.
The revised Policy takes effect from the date it is posted on the website. The "Last updated" date at the top of this page reflects the latest revision.
Contact
Questions, requests, or complaints regarding personal information handling may be submitted via our Contact page.
We maintain a personal information protection officer and an appropriate management structure. We aim to respond within 3 business days.