Privacy Policy

VAILO.AI PRIVACY POLICY Effective Date: March 9, 2026 1. Introduction Vailo.ai (“Vailo”, “we”, “us” or “our”) offers an AI-powered creative studio that enables users to generate AI images and AI videos using generative models. This Privacy Policy describes how Vailo processes personal information that we collect through our digital properties that link to this Privacy Policy, including our website (vailo.ai) and related services (collectively, the “Service”), as well as our marketing activities and other activities described in this Privacy Policy. Vailo may provide additional or supplemental privacy policies to individuals for specific products or services at the time we collect personal information. NOTICE TO EUROPEAN USERS: Please see Section 13 (International Data Transfers) and the Notice to European Users provisions for additional information for individuals located in the European Economic Area or United Kingdom. 2. Information We Collect 2.1 Information You Provide Personal information you may provide to us through the Service or otherwise includes: • Contact data: your name, email address, billing and mailing addresses. • Profile data: username and password for your account, biographical details, and preferences. • Payment data: information needed to complete transactions, including payment card information or bank account number. Payment data is collected and stored by our payment processor Stripe, not by Vailo directly. • Communications data: the contents of your messages when you contact us through the Service or otherwise. • User-shared multimedia data: images, videos, and files that you upload to and process through the Service, as well as associated metadata. • Query and prompt data: text prompts, commands, descriptions, parameters, model selections, and other inputs you provide when using the Service to generate content. • Feedback data: information regarding your experiences with the Service. YOU SHOULD NOT PROVIDE US WITH ANY CONFIDENTIAL, SENSITIVE, OR UNLICENSED PROPRIETARY INFORMATION THROUGH THE SERVICE. 2.2 Third-Party Sources We may combine personal information we receive from you with information we obtain from other sources, including public sources, service providers, and third-party services (such as Google) that you use to log into or link to your Service account. Our use and disclosure of information received from Google’s APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. 2.3 Automatic Data Collection We, our service providers, and our business partners may automatically collect information about you, your device, and your interaction with the Service, including: • Device data: operating system, browser type, screen resolution, IP address, unique identifiers, language settings, and general location information such as city or country. • Online activity data: pages or screens viewed, time spent, navigation paths, access times, and whether you have opened our emails or clicked links. • Location data: when you authorize the Service to access your device’s location. 3. How We Use Information We may use your personal information for the following purposes: 3.1 Service Delivery and Operations To provide, operate, and maintain the Service, including processing your Inputs through AI models, generating and storing Outputs, managing your account and credits, establishing your user profile, and providing customer support. 3.2 Service Improvement and Analytics To analyze usage patterns, identify technical issues, monitor performance, and improve the reliability, functionality, and user experience of the Service. This may include using aggregated and anonymized usage data, prompt data, and generation metadata to understand how the Service is used and to improve our platform. 3.3 Safety and Compliance To detect, prevent, and address fraud, abuse, security incidents, and violations of our Terms of Service; to comply with applicable laws, legal processes, and governmental requests; and to protect the rights, safety, and property of Vailo, our users, and the public. 3.4 Communications To send you service-related notices, security alerts, account notifications, and updates. With your consent where required by law, we may also send you promotional communications, which you can opt out of at any time. 3.5 Aggregated Data We may create aggregated, de-identified, or anonymized data from the information we collect. This data is no longer associated with you and may be used for any lawful business purpose, including analytics, research, and service improvement. 4. User Uploaded Content When you upload reference images or other files to the Service, this content is processed solely to deliver the AI generation functionality you request. • Processing: Your uploaded images are transmitted to our AI inference provider (Fal.ai) and our cloud infrastructure (Google Cloud Platform) for processing. These providers handle your content only to perform the requested generation tasks. • No Model Training: We do not use your uploaded images to train, fine-tune, or improve any AI models. • Storage: Uploaded images may be stored on our servers to enable the generation process and to allow you to access your generation history. You may delete your uploaded content through your account settings. • Sensitive Content: Do not upload images containing sensitive personal information (such as government IDs, medical records, or financial documents) or images of individuals without their consent. 5. AI Generation Data 5.1 Prompts and Parameters We store the text prompts, model selections, and generation parameters you use when creating content. This data is used to deliver the Service, display your generation history, and improve the platform experience. 5.2 Generated Outputs Outputs are stored in your account so you can access, download, and manage your creations. Outputs remain stored while your account is active, unless you choose to delete them. 5.3 Third-Party Model Processing When you generate content, your Inputs are transmitted to third-party AI model providers through our inference infrastructure (Fal.ai). These providers process your data solely to generate Outputs and are contractually obligated to handle your data in accordance with applicable data protection standards. 6. Third-Party Providers We share information with the following categories of third-party providers to operate the Service: 6.1 AI Inference — Fal.ai Your Inputs (text prompts and reference images) and generation parameters are transmitted to Fal.ai for processing through generative AI models. Fal.ai processes this data solely to generate and return Outputs to Vailo. 6.2 Cloud Infrastructure — Google Cloud Platform We use Google Cloud Platform for data storage, computing, hosting, and infrastructure services. Your account data, User Content, Inputs, and Outputs are stored and processed on Google Cloud servers under our instructions and data processing agreements. 6.3 Payment Processing — Stripe Payment transactions are processed by Stripe, Inc. Stripe collects and processes your payment information directly. Vailo does not store your full payment card details. Stripe’s handling of your data is governed by Stripe’s Privacy Policy (stripe.com/privacy) and Terms of Service (stripe.com/legal). 6.4 Other Service Providers We may use additional third-party providers for analytics, email delivery, customer support, fraud prevention, and other operational purposes. These providers are granted access only to information they need to perform their functions and are contractually required to protect your data. 6.5 Legal and Safety Disclosures We may disclose your information to law enforcement, government authorities, or other third parties if required by law or legal process, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect rights or safety, detect or prevent fraud, or enforce our Terms of Service. 6.6 Business Transfers In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control. 7. Payments All payment transactions are processed securely through Stripe. From Stripe, we receive limited information necessary to manage your subscription, including transaction confirmations, the last four digits of your payment method, card type, billing country, and subscription status. We do not receive or store your full card number, CVV, or complete billing details. We retain billing and transaction records for as long as your account is active and for a reasonable period thereafter to comply with legal, tax, and accounting obligations. 8. Cookies and Analytics 8.1 Technologies Used Vailo uses cookies and similar tracking technologies (such as pixels, web beacons, and local storage) to operate the Service, remember your preferences, maintain your session, and analyze how the Service is used. Both Vailo and third-party service providers may set cookies via the Service. 8.2 Types of Cookies • Essential Cookies: Required for the Service to function properly, including authentication, session, and security cookies. • Analytics Cookies: Help us understand how users interact with the Service and how to improve the platform. • Advertising Cookies: May be used to deliver relevant advertisements on third-party platforms and measure marketing effectiveness. 8.3 Cookie Management You can control or disable non-essential cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service. We currently do not respond to Do Not Track signals. However, we honor Global Privacy Control (GPC) signals where required by applicable law. 9. Data Storage and Security 9.1 Data Storage Your data is stored on servers operated by Google Cloud Platform. We may use servers in multiple regions to deliver the Service efficiently. 9.2 Security Measures We employ technical, organizational, and physical safeguards designed to protect personal information, including encryption of data in transit and at rest, access controls, regular security assessments, and incident response procedures. 9.3 No Absolute Security Security risk is inherent in all internet and information technologies. We cannot guarantee the absolute security of your personal information. You are responsible for maintaining the security of your account credentials. 9.4 Security Incidents In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law. 10. Data Retention 10.1 Active Accounts We retain personal information for as long as your account is active and as necessary to provide the Service, satisfy legal, accounting, or reporting requirements, establish or defend legal claims, or prevent fraud. 10.2 After Account Closure Anything you remove from your account may remain on our active servers for 30 days, and copies may be held in backups for up to an additional 90 days before being permanently deleted. If you cancel your account, your content will become immediately inaccessible and should be purged from our systems in full within 90 days. These retention periods may be extended if required for legal purposes such as litigation holds, law enforcement requests, or tax audits. 10.3 Anonymized Data When we no longer require the personal information we have collected about you, we may delete it, anonymize it, aggregate it, or isolate it from further processing. Aggregated and anonymized data may be retained indefinitely for analytics and improvement purposes. 11. User Rights Depending on your location and applicable law, you may have the following rights regarding your personal information: 11.1 Access and Update You may review and update certain account information by logging into your account. You may request a copy of the personal information we hold about you. 11.2 Deletion You may request deletion of your personal information. You can delete certain content through your account. To request account closure, contact us at privacy@vailo.ai or support@vailo.ai. Please note the retention periods described in Section 10. 11.3 Portability You may request a copy of your personal information in a structured, commonly used, machine-readable format. 11.4 Opt-Out of Communications You may opt out of marketing-related emails by following the unsubscribe instructions in those communications or by contacting us. You may continue to receive service-related and non-marketing communications. 11.5 UAE Residents (PDPL) Vailo AI LLC-FZ is incorporated in the Meydan Free Zone, Dubai, United Arab Emirates, and is subject to the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) and its implementing regulations. Under the PDPL, you have the right to: • Access your personal data held by us and obtain a copy. • Correction of inaccurate or incomplete personal data. • Deletion or destruction of personal data that is no longer necessary for the purpose for which it was collected. • Restriction of processing in certain circumstances as provided by the PDPL. • Object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes. • Portability of your personal data to another controller in a structured, commonly used format. • Withdraw consent where processing is based on your consent, without affecting the lawfulness of processing prior to withdrawal. We process personal data under the PDPL on the following legal bases: performance of a contract with you, your consent, our legitimate interests, and compliance with applicable UAE laws and regulations. If you wish to exercise any of these rights, contact us at privacy@vailo.ai. We will respond within the timeframes prescribed by the PDPL and its implementing regulations. 11.6 European Residents (GDPR) If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent local laws, including the rights of access, rectification, erasure, restriction, portability, and objection. Our legal bases for processing include contractual necessity, legitimate interests, consent, and compliance with law. You have the right to lodge a complaint with your local data protection supervisory authority. 11.7 California Residents (CCPA/CPRA) If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know, delete, and opt out of the sale or sharing of personal information, and the right to non-discrimination. Vailo does not sell personal information for monetary consideration. We may share certain identifiers with advertising partners, which may constitute “sharing” under the CCPA. Contact privacy@vailo.ai to exercise your rights. 11.8 Exercising Your Rights To exercise any of these rights, contact us at privacy@vailo.ai. We will respond within 30 days or the applicable timeframe required by law. We may need to verify your identity before processing certain requests. 12. Children’s Privacy The Service is not intended for use by anyone under 13 years of age. Users between 13 and 18 may only use the Service with the consent and supervision of a parent or legal guardian. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@vailo.ai. If we learn that we have collected personal information from a child under 13 without verified parental consent, we will comply with applicable legal requirements to delete the information. In jurisdictions where the minimum age for data processing consent is higher than 13, we comply with the applicable local age requirement. 13. International Data Transfers Vailo AI LLC-FZ is incorporated in the Meydan Free Zone, Dubai, United Arab Emirates. We use service providers that operate in various countries, including the United States. Your personal information may be transferred to countries where privacy laws may differ from those in your jurisdiction. 13.1 UAE Cross-Border Transfers Where personal data is transferred outside the UAE, we comply with the cross-border data transfer requirements of the UAE PDPL (Federal Decree-Law No. 45 of 2021) and its implementing regulations. We ensure that adequate safeguards are in place to protect your personal data, including contractual data processing agreements with our service providers that require them to protect your data to standards consistent with the PDPL. 13.2 European Data Transfers For transfers of personal data from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on appropriate legal mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK Information Commissioner’s Office. We may also rely on adequacy decisions, including under the EU-U.S. Data Privacy Framework where applicable. 13.3 Your Acknowledgment By using the Service, you acknowledge and consent to the transfer of your information to the United Arab Emirates, the United States, and other jurisdictions as described in this Privacy Policy. If you do not consent to such transfers, you should not use the Service. 14. Updates to Policy We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the date of this Privacy Policy and posting it on the Service or by other appropriate means. Any modifications will be effective upon posting. Your continued use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the updated policy. 15. Contact Information If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us: Vailo AI LLC-FZ Meydan Grandstand, Meydan Free Zone, Dubai, United Arab Emirates Email: privacy@vailo.ai Support: support@vailo.ai For data protection inquiries or to exercise your privacy rights, please email privacy@vailo.ai with the subject line “Privacy Request.” If you are located in the EEA or UK and have concerns about our data processing that we have not adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority.