Privacy Policy

The Company collects the following personal information for service provision: 1. Required Collection Items a. Upon registration: Email address, name (Google account name when using Google OAuth) b. During service use: Service usage records, credit usage history, payment records 2. Optional Collection Items a. Early access application: Production experience level 3. Automatically Collected Items a. IP address, cookies, visit date/time, service usage records b. Device information (OS, browser type and version, screen resolution) c. Access logs 4. Collection Methods a. Website registration (email/password or Google OAuth) b. Automatic generation and collection during service use

The Company uses collected personal information for the following purposes: 1. Service Provision and Account Management - Member identification and authentication, service provision, account management 2. Credit Payment and Billing Processing - Credit purchase, usage history management, refund processing 3. Service Improvement and Analysis - Service usage statistics analysis, new service development, existing service improvement 4. Customer Support - Responding to user inquiries, processing complaints, delivering announcements 5. Marketing and Advertising (with consent) - New feature announcements, event information, promotional notifications 6. Legal Compliance - Fulfilling obligations under applicable laws, dispute resolution

The Company destroys personal information without delay after the purposes of collection and use have been achieved. However, information that must be preserved under applicable laws shall be retained as follows: 1. Records related to contracts or withdrawal of subscriptions - Legal basis: Act on Consumer Protection in Electronic Commerce - Retention period: 5 years 2. Records related to payment and supply of goods - Legal basis: Act on Consumer Protection in Electronic Commerce - Retention period: 5 years 3. Records related to consumer complaints or dispute resolution - Legal basis: Act on Consumer Protection in Electronic Commerce - Retention period: 3 years 4. Access log records - Legal basis: Protection of Communications Secrets Act - Retention period: 3 months 5. Personal information upon membership withdrawal - Retained for 30 days after withdrawal, then destroyed (for preventing re-registration abuse and fraudulent use)

The Company does not, in principle, provide users' personal information to third parties. However, exceptions apply in the following cases: 1. When the user has given prior consent 2. When required by law or when requested by investigative agencies in accordance with legally prescribed procedures and methods 3. When necessary for statistical compilation, academic research, or market research, provided in a form that cannot identify specific individuals Note: When using AI image/video generation features, users' prompts and reference images are transmitted to AI model providers (fal.ai, Google Cloud). This is processed as service usage data, not personal information. Users' personally identifiable information such as email and name is not transmitted to AI model providers.

The Company delegates personal information processing as follows for service provision: 1. Cloud Hosting and Data Storage - Delegates: Supabase Inc. (database), Vercel Inc. (frontend hosting), Railway Corp. (backend hosting) - Delegated tasks: Service infrastructure operation and data storage 2. AI Service Provision - Delegates: fal.ai (AI image/video generation), Google Cloud (Vertex AI - AI image/video generation) - Delegated tasks: AI image and video generation processing - Transmitted information: Prompts, reference images (no personally identifiable information) 3. Payment Processing - Delegate: Lemon Squeezy (payment processing) - Delegated tasks: Credit purchase payment processing The Company requires necessary provisions to ensure safe management of personal information in delegation contracts.

1. The Company destroys personal information without delay when it is no longer needed, such as when the retention period has expired or the processing purpose has been achieved. 2. When personal information must continue to be preserved under other laws despite the expiration of the consented retention period or achievement of the processing purpose, the information shall be transferred to a separate database (DB) or stored in a different location. 3. Methods of personal information destruction are as follows: a. Personal information stored in electronic file format shall be securely deleted so that records cannot be reproduced. b. Personal information printed on paper shall be destroyed by shredding or incineration.

1. Users may exercise the following personal information protection rights against the Company at any time: a. Request to access personal information b. Request to correct errors c. Request for deletion d. Request to suspend processing e. Request to withdraw consent 2. Rights under Paragraph 1 may be exercised by emailing contact@cutflow.so, and the Company shall take action without delay. 3. When a user requests correction or deletion of personal information errors, the Company shall not use or provide such personal information until the correction or deletion is completed. 4. The Company shall process user requests within 10 business days and notify the user of the results. 5. For children under 14, legal guardians may request access, correction/deletion, and suspension of processing of the child's personal information.

1. The Company uses cookies to provide personalized services to users. 2. Cookies are used for the following purposes: a. Authentication session maintenance: Maintaining login status b. Language settings: Storing user language preferences c. Service analysis: Service improvement through usage pattern analysis 3. Users have the choice regarding cookie installation. Through web browser option settings, users may allow all cookies, go through confirmation each time a cookie is stored, or refuse all cookie storage. 4. However, refusing cookie storage may cause difficulties in using some services that require login.

The Company takes the following measures to protect users' personal information: 1. Technical Measures a. Encryption of personal information: User passwords are encrypted for storage and management, and only the user can view and modify personal information. b. SSL/TLS encryption: SSL/TLS is used for secure transmission of personal information over networks. c. Protection against hacking: Security programs are installed and regularly updated/inspected to prevent leakage or damage of users' personal information due to hacking or viruses. d. Database encryption: Databases containing personal information are encrypted and managed. 2. Administrative Measures a. Minimization and training of personnel handling personal information: Staff who process personal information are minimized and trained accordingly. b. Access rights management: Differentiated access rights to personal information are granted, and access records are maintained. c. Regular security inspections: Internal management plans are established and implemented, with regular self-audits conducted.

The Company designates a Personal Information Protection Officer as follows to oversee personal information processing and handle user complaints and damage relief: Personal Information Protection Officer - Company: Monad Labs - Email: contact@cutflow.so Users may direct all inquiries, complaints, and damage relief matters related to personal information protection arising from service use to the Personal Information Protection Officer. The Company shall respond and process user inquiries without delay. For reporting or consulting on personal information infringement, users may contact the following organizations: - Personal Information Infringement Report Center (privacy.kisa.or.kr / dial 118) - Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / dial 1301) - National Police Agency Cyber Bureau (ecrm.police.go.kr / dial 182)

1. The Company obtains consent from legal guardians when collecting personal information of children under 14. 2. Legal guardians of children under 14 may request access, correction/deletion, and suspension of processing of their child's personal information, and the Company shall take necessary action without delay. 3. The Company collects only the minimum necessary information when collecting personal information of children under 14 in accordance with Article 22 of the Personal Information Protection Act.

1. When users use AI features within the Service, their prompts and reference images are transmitted to and processed by AI model providers (fal.ai, Google Cloud). 2. Images and videos generated through AI models are stored in the user's account and are accessible only by the user. 3. Character reference images uploaded by users are used only for processing that user's AI generation requests and are not used for other users' requests. 4. The Company does not use users' prompts, reference images, or AI-generated content for AI model training. 5. Data processing policies of AI model providers are subject to the respective providers' terms of service and privacy policies.

The Company may process user information outside Korea for service provision as follows: 1. Cloud Infrastructure - Transfer recipients: Supabase Inc., Vercel Inc., Railway Corp. - Transfer country: United States - Transfer purpose: Service hosting and data storage - Transfer items: Data necessary for service use - Safeguards: Encrypted transmission, access control, compliance with respective security certifications 2. AI Service Processing - Transfer recipients: fal.ai, Google Cloud - Transfer country: United States - Transfer purpose: AI image and video generation processing - Transfer items: Prompts, reference images (no personally identifiable information) - Safeguards: Encrypted transmission, input data not retained after generation completion 3. Payment Processing - Transfer recipient: Lemon Squeezy - Transfer country: United States - Transfer purpose: Payment processing - Transfer items: Payment-related information - Safeguards: PCI DSS certification compliance

1. This Privacy Policy may be changed in accordance with applicable laws and the Company's internal policies. 2. When changing the Privacy Policy, the Company shall post the changes on the service notice board at least 7 days in advance. However, for significant changes to user rights, individual notice shall be provided at least 30 days in advance via email. 3. The amended Privacy Policy shall take effect 7 days after posting.

This Privacy Policy shall take effect from March 1, 2026.