1. Purpose

Mirage AI (hereinafter "Company") establishes and discloses this Privacy Policy in accordance with the Personal Information Protection Act of the Republic of Korea, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international privacy laws to protect the personal information of data subjects and to promptly and smoothly handle related grievances.

2. Personal Information Collected

The Company collects the following personal information to provide services:

3. Purpose of Collection and Use

The Company uses collected personal information for the following purposes:

• Service Provision: AI conversations (text and voice), image generation, credit system operation, subscription services
• Member Management: Membership services, identity verification, prevention of fraudulent use, age verification
• Personalized Services: AI conversation personalization, preference-based recommendations, improved context understanding through AI memory
• Payment Processing: Credit purchases, subscription billing, settlements, refund processing
• Creator Support: Revenue settlement, affiliate program management, statistics provision
• Marketing: Event information and promotional content (with prior consent only)
• Service Improvement: New service development, service quality enhancement, statistical analysis
• Customer Support: Inquiry handling, complaint resolution, notices delivery
• Legal Compliance: Fulfilling legal obligations

4. Legal Basis for Processing

The Company processes personal information based on the following legal grounds:

• Contract Performance: When necessary for entering into and performing service agreements
• Consent: When the data subject has consented to processing
• Legal Obligation: When processing is necessary for legal compliance
• Legitimate Interests: When necessary for the legitimate interests of the Company or third parties (within limits that do not override data subject rights)

5. AI Service Data Processing

The Company processes data for AI-based services as follows:

6. Retention and Use Period

The Company processes and retains personal information within the retention period required by law or agreed upon during collection:

• Member Information: Until membership withdrawal (destroyed within 30 days after withdrawal, except where legally required)
• Payment Records: 5 years per E-Commerce Act
• Access Logs: 3 months per Communications Privacy Protection Act
• AI Conversation Records: Deleted upon membership withdrawal or user request
• AI Memory Data: Deleted upon membership withdrawal or user request
• Generated Images: Deleted upon membership withdrawal or user request
• Consumer Complaints/Disputes: 3 years per E-Commerce Act

7. Third-Party Disclosure

The Company does not disclose personal information to third parties except in the following cases:

• When the data subject has provided prior consent
• When required by law
• When necessary for service provision (payment processing, AI services, etc.)

8. Data Subject Rights

Data subjects may exercise the following rights at any time:

• Request access to personal information
• Request correction of errors
• Request deletion ("Right to be Forgotten")
• Request processing suspension
• Data portability (request data transfer)
• Right to object to automated decision-making
• Request to view and delete AI conversation memory
• Request deletion of generated images
• Withdraw consent for marketing purposes

Rights can be exercised through in-service settings or by emailing privacy@mirage.ai.kr. The Company will process requests promptly, and if additional time is needed, will provide results within one month.

9. International Data Transfers

The Company may transfer personal information to other countries for service provision. In such cases, the Company ensures:

• Transfers to countries with adequacy decisions under GDPR Article 45 or application of Standard Contractual Clauses (SCCs)
• Equivalent level of protection as this Privacy Policy for transferred data
• Information about transfer countries and protective measures upon data subject request

10. EU/EEA Residents' Rights (GDPR)

EU or EEA residents have the following additional rights under GDPR:

• Right of Access (Art. 15): Request access to personal data and processing information
• Right to Rectification (Art. 16): Request correction of inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of personal data under certain conditions
• Right to Restriction (Art. 18): Request restriction of processing under certain conditions
• Right to Data Portability (Art. 20): Request receipt and transfer of data in structured, machine-readable format
• Right to Object (Art. 21): Object to processing for certain purposes
• Rights Related to Automated Decisions (Art. 22): Right not to be subject to automated decision-making including profiling

EU/EEA residents have the right to lodge complaints with their local data protection authority.

11. California Residents' Rights (CCPA/CPRA)

California residents have the following rights under CCPA and CPRA:

• Right to Know: Request information about categories and purposes of personal information collected, used, shared, or sold
• Right to Delete: Request deletion of personal information (with certain exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Refuse sale or sharing of personal information
• Right to Limit Sensitive Information: Request limitation on use and disclosure of sensitive personal information
• Right to Non-Discrimination: Right not to be discriminated against for exercising privacy rights

Sale/Sharing of Personal Information: The Company does not sell users' personal information for monetary consideration.

12. Other Regional Rights

13. Cookies and Tracking Technologies

The Company uses cookies and similar technologies for service provision and improvement:

• Essential Cookies: Required for service operation (e.g., maintaining login status)
• Functional Cookies: Store user settings and preferences
• Analytics Cookies: Analyze service usage patterns for improvement

Users can refuse cookie acceptance through browser settings. However, refusing essential cookies may limit service use.

14. Security Measures

The Company takes the following measures to ensure personal information security:

• Encryption of personal information (passwords, payment data)
• Transmission encryption (TLS/SSL)
• Storage encryption
• Technical countermeasures against hacking (firewalls, intrusion detection systems)
• Access restriction and authorization management
• Minimizing personnel handling personal information and regular training
• Regular security audits and vulnerability assessments
• Personal information processing and access log management

15. Children's Personal Information

Our services are intended for users aged 19 and older. The Company does not intentionally collect personal information from users under 19. If we become aware that a user under 19 has provided personal information, we will immediately delete such information and terminate the account.

16. Data Protection Officer

The Company has designated a Data Protection Officer responsible for overseeing personal information processing and handling data subject complaints and remedies:

17. Policy Changes

This Privacy Policy is effective from December 10, 2025. Changes will be announced through notices at least 7 days before implementation. Significant changes will be individually notified via email at least 30 days in advance.

18. Remedies

Data subjects may contact the following organizations for dispute resolution or consultation regarding personal information infringement:

Supplementary Provisions

1. This Privacy Policy is effective from December 10, 2025.
2. The previous Privacy Policy effective from January 1, 2025 is replaced by this Policy.