Privacy policy

Last updated: 19 05 2025

1 Introduction

1.1 Company & Scope

ChimerAI Pte. Ltd., a company incorporated in Singapore with its registered office at [office address] (“ChimerAI”, “we”, “us”, or “our”), operates a cloud-based AI fashion-design software platform, associated websites, mobile applications, APIs, and any related features or communications (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect personal data of all individuals (“you”) who access or use the Services anywhere in the world.

1.2 Agreement to Policy

By creating an account, accessing, or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your personal data as described herein. If you disagree with any part of this Policy, please do not use the Services.

1.3 Relation to Other Terms

This Privacy Policy is incorporated by reference into our Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service or applicable product-specific terms. A separate Cookie Policy may further describe our use of cookies and similar technologies.

1.4 Definitions

“Personal data” (or “personal information”) means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on personal data, whether automated or not, such as collection, storage, use, disclosure, or erasure.

Anonymous or de-identified data that cannot reasonably identify an individual is not personal data under this Policy.

1.5 Legal Compliance

ChimerAI complies with Singapore’s Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other relevant laws. Depending on your jurisdiction, additional rights or disclosures may apply (see Section 10).

2 Information We Collect

We collect information in three primary ways: (i) directly from you, (ii) automatically from your device and usage, and (iii) from third-party sources.

2.1 Information You Provide Directly

2.2 Information We Collect Automatically

2.3 Information from Third Parties

· Third-Party Login Providers - basic profile data (e.g. name, email, avatar) shared according to your OAuth consent screen.

· Connected Services - if you connect Google Drive, Dropbox, or similar, we access files only as authorised to import images or save outputs.

· Business Partners & Resellers - contact details or subscription status if you purchase through an authorised reseller.

· Publicly Available Sources - open company websites or social media, used for designer verification where relevant.

We do not buy marketing lists, nor do we ingest public imagery for AI-training in a way that is linked back to an identifiable individual without consent.

3 How We Use Your Information

We process personal data only for specific, explicit, and legitimate purposes, and we do not further process data in a manner incompatible with those purposes.

Purpose

Typical Data Used

Lawful Basis*

Providing & Operating the Services

Account credentials, profile data, User Content, device identifiers

Contract performance (PDPA §13 & GDPR Art 6-1-b)

Personalising Experience

Usage logs, search history, saved preferences

Legitimate interests / consent

Generating & Delivering AI Designs

Prompts, uploaded images, model parameters

Contract performance

Service Improvement & R&D

Aggregated usage metrics, error logs, (for Free-tier: de-identified User Content)

Legitimate interests; content ownership terms

Communications • transactional (receipts, security alerts) • marketing (newsletters, feature updates)

Name, email, subscription tier

Contract performance; consent (opt-in for marketing)

Customer Support

Support tickets, chat logs, diagnostic data

Legitimate interests

Payments & Accounting

Billing details, payment tokens, tax IDs

Contract performance; legal obligation

Enforcing Terms / Security & Fraud Prevention

IP address, behavioural logs, reported content

Legitimate interests; legal obligation

Analytics & Research

Cookie IDs, aggregated design statistics

Legitimate interests

Legal Compliance

Any data necessary to respond to lawful requests

Legal obligation

* Under the PDPA, we rely principally on deemed consent by contractual necessity; under the GDPR, specific lawful bases are indicated.

AI-Model Training We may use Free-tier User Content—after irreversibly de-identifying it—to improve our algorithms. Paid-tier content is excluded from training unless you give explicit opt-in consent.

4 How We Disclose or Share Your Information

We do not sell personal data. We disclose it only as described below:

4.1 Service Providers

Trusted vendors under written agreements that require confidentiality and data-protection safeguards, including:

· Infrastructure & Hosting - cloud IaaS platforms (e.g. AWS, Google Cloud)

· AI Compute - GPU providers where models are executed

· Payments - Stripe, PayPal, or regional payment gateways

· Email & Messaging - transactional email senders, in-app chat engines

· Analytics & Crash Reporting - Google Analytics, Sentry, etc.

Each receives only the minimum data necessary for their task.

4.2 Business Partners & Other Users

· Public profiles and design listings you choose to publish are visible to all site visitors.

· If you initiate collaboration, selected profile or contact data will be shared with the counterparties only as you direct.

· Showcased success stories or testimonials are shared only with prior consent.

4.3 Legal & Regulatory Compliance

We may disclose personal data when we reasonably believe it is required to:

· comply with applicable law, court order, or lawful request;

· enforce our Terms, investigate violations, or protect the rights, safety, or property of ChimerAI, our users, or the public;

· detect, prevent, or address security or fraud issues.

Where legally permissible, we will notify you before disclosing your data.

4.4 Corporate Transactions

In the event of a merger, acquisition, spin-off, reorganisation, insolvency, or asset sale, personal data may be transferred to the successor entity subject to this Policy (or an equivalent policy). We will provide prior notice of any material change in control or use.

4.5 With Your Consent

We share personal data for any other purpose only after obtaining your explicit consent. You may withdraw that consent at any time.

4.6 Aggregated / Anonymised Data

We may publish or share anonymised trend reports (e.g., “42 % of designers favour sustainable fabrics”) or model-performance metrics that cannot reasonably identify any individual.

5 International Data Transfers

We are headquartered in Singapore but rely on a global cloud infrastructure. Consequently, your personal data may be transferred to, stored in, or processed within jurisdictions other than your own, including (but not limited to) Singapore, the United States, the European Union, and other countries where our service-provider data centres are located.

· Adequate protection. We will take appropriate safeguards to ensure your personal data receives a level of protection that is substantially comparable to that required under this Policy and applicable law.

· EEA/UK/Swiss users. When we transfer personal data outside the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (or the UK Addendum) and, where needed, supplementary measures (encryption at rest and in transit, access controls, etc.).

· Singapore users. By providing personal data, you consent under the PDPA to its transfer overseas. We will ensure that overseas recipients are bound by legally enforceable obligations to protect the data to standards comparable to the PDPA.

· Other regions. By accessing the Services from any location, you consent to the transfer and processing of your information in Singapore and any other country in which we or our subprocessors operate, understanding that local laws may differ.

6 Data Security

We maintain a comprehensive information-security programme designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

· Technical controls - TLS/HTTPS encryption in transit, AES-256 or equivalent encryption at rest, network firewalls, intrusion-detection monitoring, vulnerability scanning, and least-privilege API keys.

· Organisational controls - role-based staff access, background checks for employees with elevated privileges, mandatory security and privacy training, and incident-response playbooks.

· Testing & audits - regular penetration tests and third-party security assessments.

No absolute guarantee. Despite our efforts, no transmission or storage system is completely secure. You are responsible for safeguarding your password, enabling multi-factor authentication where available, and promptly notifying us at security@chimerai.com of any suspected account compromise.

If we discover a personal-data breach that is likely to result in significant harm or risk to you, we will notify affected users and, where required, regulators without undue delay.

7 Data Retention

Data Category

Typical Retention Period

Rationale

Account Data (profile, credentials)

While account is active plus 90 days after deletion request

Provide grace period for reactivation; allow user to retrieve assets.

Billing & Transaction Records

7 years

Statutory tax and audit obligations.

Support Tickets & Communications

Up to 3 years from closure

Resolve follow-up queries; improve support quality.

Usage Logs & Security Logs

12 months rolling

Debugging, fraud prevention, security investigations.

Free-tier User Content (owned by ChimerAI)

Retained indefinitely or until no longer commercially relevant

Improve Services; portfolio showcases.

Paid-tier User Content

Until user deletes it or terminates account; backups expire in ≤ 90 days

Honour user ownership; system backups.

· Account deletion. When you delete your account (or request erasure), we will permanently delete or anonymise personal data within 90 days, except where retention is (i) legally required, (ii) necessary to resolve disputes or enforce agreements, or (iii) technically stored in encrypted backups that will be purged on a routine cycle.

· Inactive accounts. Accounts with no sign-in activity for 24 months may be flagged as inactive; we will e-mail advance notice and, if no response, delete or anonymise personal data associated with that account.

· Residual anonymous data. We may retain aggregated, de-identified data (which cannot identify you) for analytics or service improvement.

8 Your Rights & Choices

We respect your control over your personal data. Depending on your jurisdiction, you may exercise some or all of the rights below.

Right

What it Means

How to Exercise

Access

Obtain confirmation whether we hold personal data about you and receive a copy.

Use Account → Privacy → Download My Data or e-mail privacy@chimerai.com.

Correction / Rectification

Request that inaccurate or incomplete data be corrected.

Update fields in Account Settings or e-mail support.

Erasure (“Right to be Forgotten”)

Ask us to delete personal data we hold about you.

Click Delete Account in settings or contact us. Some data (e.g., invoices) may be retained where legally required.

Withdraw Consent

Revoke consent for optional processing (e.g., marketing e-mail, AI-training opt-in).

Use unsubscribe links, toggle opt-in switches, or e-mail us.

Marketing Opt-out

Stop receiving promotional e-mails. Transactional messages will still be sent.

Click Unsubscribe at the bottom of any marketing e-mail.

Do-Not-Sell/Share (CCPA/CPRA)

California residents may direct us not to “sell” or “share” personal data for cross-context advertising.

Submit request via Privacy Portal. We currently do not sell personal data for monetary consideration.

Restriction / Objection

(GDPR) Restrict or object to processing based on legitimate interests.

E-mail privacy@chimerai.com explaining the grounds.

Data Portability

Receive your data in a structured, machine-readable format and/or request transmission to another controller.

Use Download My Data or contact support.

Automated Decision-Making

Request human review of any solely automated decision that produces legal or similarly significant effects (none presently applied).

Contact support if you believe this applies.

Verification & response time. We may request additional information to verify your identity and will respond within 30 days (or the statutory period) free of charge, unless requests are manifestly unfounded or excessive.

Impact of refusal. If you decline to provide—or request deletion of—information necessary to deliver the Services (e-mail address, authentication credentials, payment data for paid plans), we may be unable to maintain your account or certain features.

9 Children’s Privacy

Our Services are not directed to children under 13 years of age (or the minimum age of digital consent in your country). We do not knowingly collect personal data from children under that age.

· If you are under 13, do not create an account or submit any personal data.

· If you are a parent or guardian and believe your child has provided personal data, please contact privacy@chimerai.com; we will promptly delete it.

· Users aged 13-17 should use the Services only with parental or guardian supervision where required by local law, consistent with the eligibility section of our Terms of Service.

10 Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, technology, or our practices.

· Notice of changes. If we make material changes, we will notify you by e-mail (sent to the address in your account) and/or by posting a prominent notice in the Service before the change takes effect.

· Effective date. The “Last Updated” date at the top of this document indicates when revisions become binding.

· Review. We encourage you to review this Policy periodically. Continued use of the Services after the effective date signifies acceptance of the updated Policy. If you do not agree to the changes, you should discontinue use of the Services and may request deletion of your data as described above.

11 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data-handling practices, please reach out at any time:

Purpose

Contact Method

General privacy enquiries / rights requests

privacy@chimerai.com

Data Protection Officer (Singapore PDPA)

DPO — ChimerAI Pte. Ltd.[Office Address]Singapore XXXXXX

EU/UK Representative (GDPR Art 27)

[Representative Name][Representative Company & Address]privacy-eu@chimerai.com

Postal correspondence

ChimerAI Pte. Ltd.[Office Address]Singapore XXXXXX

We aim to acknowledge all verified privacy requests within 72 hours and close them within the statutory period (usually 30 days).

12 Additional Notices for Specific Jurisdictions

12.1 Singapore (PDPA)

· We collect, use, and disclose personal data in line with the Personal Data Protection Act 2012 and its advisory guidelines.

· Singapore residents may contact our Data Protection Officer (details above) for access or correction requests under Part V of the PDPA or to withdraw consent at any time.

12.2 EEA / UK (GDPR)

· Legal bases. Our principal bases are:

o Contract (Art 6-1-b) – operating your account, generating designs, billing;

o Legitimate Interests (Art 6-1-f) – service improvement, fraud prevention, internal analytics, except where overridden by your interests;

o Consent (Art 6-1-a) – marketing e-mails, optional cookies, Paid-tier training opt-in;

o Legal Obligation (Art 6-1-c) – tax, accounting, lawful disclosure requests.

· Supervisory authority. You have the right to lodge a complaint with your local Data Protection Authority or with the lead authority in Singapore (Personal Data Protection Commission) regarding our cross-border processing.

12.3 California (CCPA / CPRA)

· Categories collected. We collect the personal-information categories listed in Cal. Civ. Code §1798.140 (o)(1) (identifiers, commercial information, internet activity, etc.) for the purposes described in Sections 3 and 4.

· No sale for money. We do not sell personal information for monetary consideration. We may “share” limited usage data with analytics providers; California residents may opt out via the “Do Not Sell/Share My Personal Info” link in the footer or by e-mailing privacy@chimerai.com.

· CCPA rights. California users can exercise the rights to know, delete, correct, and opt-out without discrimination. A toll-free request line is available at +1-888-XXX-XXXX.

12.4 Other Regions

Where local laws (e.g., Australia Privacy Act 1988, Brazil LGPD, Canada PIPEDA) grant additional rights, we will honour them. You may contact us to clarify any region-specific concern.

13 Cookie Notice (Overview)

We use cookies and similar technologies to:

· keep you signed in and maintain session security;

· remember language or theme preferences;

· measure site performance and diagnose errors; and

· analyse anonymised usage patterns to improve features.

Consent & control. Visitors in the EEA/UK and other consent jurisdictions will see a cookie-consent banner allowing acceptance of optional analytics cookies. You can also manage cookies through your browser settings, but disabling essential cookies may impair core functionality (e.g., inability to stay logged in).

We do not serve behavioural advertising or third-party ad-tracking cookies. A detailed cookie table is available at https://chimerai.com/cookies.