Legal
Privacy Policy
Updated: Mar. 16, 2026
Effective: Mar. 16, 2026
This Privacy Policy explains how Nexight Technology (HK) Limited ("we," "us," or "our"), headquartered in Hong Kong, collects, uses, stores, and protects your personal information when you use ojo.art ("Services").
This Policy complies with the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Information Protection Law of China (PIPL).
1. Information We Collect
1.1 Personal Information:
- Identity Data: Name, email address, phone number, billing address, company information;
- Account Credentials: Encrypted password hashes;
- Payment Information: Processed by Stripe; we do not store full credit card details;
- User Content: Text prompts, uploaded reference images, generated AI designs, project files, and communications with our support team.
1.2 Technical Data:
- Device Information: IP address, browser type, operating system, device identifiers;
- Usage Data: Feature interactions, Credit consumption, generation timestamps, error logs;
- Location Data: Derived from IP address to determine Data Region (Section 7).
1.3 Anonymized Data: Aggregated statistical data that cannot identify individuals.
2. How We Use Your Information
We process personal data for the following purposes:
- Service Provision: Generating AI designs, processing payments, managing accounts;
- AI Model Improvement: Training and fine-tuning our AI models using anonymized or de-identified Inputs and AI Output (see Section 5);
- Security: Fraud detection, abuse prevention, and protecting our infrastructure;
- Communication: Service updates, billing notifications, and support responses;
- Legal Compliance: Tax obligations, regulatory requirements, and dispute resolution.
Legal Bases (GDPR):
- Contract Performance: Necessary to fulfill our contract with you;
- Legitimate Interests: Security, fraud prevention, and service optimization;
- Consent: AI training participation (opt-out available) and marketing communications;
- Legal Obligation: Compliance with Hong Kong, EU, and Chinese data protection laws.
3. Data Regions and Cross-Border Transfers
3.1 Data Localization (Data Isolation). We maintain separate data infrastructure based on user location:
- China Mainland Users: Personal data is processed and stored on servers located within the People's Republic of China, operated by qualified local service providers;
- International Users (US, EU, others): Data is stored in AWS US East jurisdictions with adequate data protection standards.
3.2 No Unauthorized Transfers. We do not transfer personal data collected in China to overseas jurisdictions without ensuring compliance with PIPL requirements (security assessment, standard contract clauses, or certification).
3.3 International Transfers (GDPR). For EU users, data may be transferred to Hong Kong and other jurisdictions using Standard Contractual Clauses (SCCs) and adequacy decisions to ensure GDPR-compliant protection levels.
4. Third-Party Processors
We engage the following categories of processors:
- AI Processing: Google LLC (Gemini models): Processes text prompts and image generation requests. Subject to Google's Data Processing Terms.
- AI Processing: Anthropic PBC (Claude models): Processes complex design instructions and creative prompts. Subject to Anthropic's Commercial Terms of Service.
- Infrastructure: Cloud Storage Providers: Alibaba Cloud for China region; AWS for International region.
- Payment Processors: Stripe, Inc. (global).
- Customer Support: Zendesk.
All processors are bound by data processing agreements requiring appropriate safeguards and prohibition on using data for their independent purposes.
5. AI Training and Your Choices
5.1 Model Improvement Program. We use anonymized (de-identified) User Content to improve ojo.art's AI capabilities. This means: Personal identifiers (name, email, IP address) are removed before training use; Data is aggregated with millions of other samples to prevent individual identification; No third-party AI provider uses your data to train their general models (prohibited by our contracts with Google and Anthropic).
5.2 Opt-Out Rights. You have the right to exclude your data from future training:
- How to Opt-Out: Toggle "Model Improvement" to OFF in your Account Settings > Privacy, or email official@ojo.art.
- Effect: Opt-out applies prospectively. Data already used in trained models cannot be extracted retroactively.
5.3 High-Risk Data. We do not intentionally collect or process special category data (health, biometric, political opinions) for AI training. Do not upload such content.
6. Your Privacy Rights
Depending on your jurisdiction, you have rights to:
- 6.1 Access and Portability: Request a copy of your personal data in structured format;
- 6.2 Rectification: Correct inaccurate data;
- 6.3 Erasure ("Right to be Forgotten"): Delete your account and associated data, subject to legal retention periods;
- 6.4 Restriction: Limit processing in certain circumstances;
- 6.5 Objection: Object to processing based on legitimate interests;
- 6.6 Withdraw Consent: Opt-out of AI training or marketing at any time.
CCPA-Specific Rights (California Residents):
- Right to Know: Categories of personal information collected (Identifiers, Commercial Info, Internet Activity, Geolocation);
- Right to Delete: Request deletion of personal information, subject to exceptions;
- Right to Opt-Out of Sale: We do not sell personal information as defined by CCPA;
- Right to Non-Discrimination: No penalty for exercising privacy rights.
PIPL Rights (China Mainland Residents):
- Right to withdraw consent and request deletion;
- Right to request explanation of processing rules;
- Right to designate an agent to exercise rights on your behalf.
How to Exercise: Email official@ojo.art with "Privacy Rights Request" and your jurisdiction. We respond within 30 days (or shorter periods required by local law).
7. Data Retention and Security
7.1 Retention Periods:
- Active Accounts: Personal data retained for the duration of your account plus 90 days for backup restoration;
- Deleted Accounts: Identifiable data permanently deleted within 90 days of deletion request;
- Financial Records: Retained for 7 years per Hong Kong tax law requirements;
- Anonymized Data: Retained indefinitely for analytics and model improvement (non-identifiable).
7.2 Security Measures. We implement: TLS 1.3 encryption for data in transit; AES-256 encryption for data at rest; Access controls and audit logging; Regular security assessments.
Despite these measures, no internet transmission is 100% secure. Use the Services at your own risk.
8. Cookies and Tracking Technologies
We use essential cookies for authentication and service operation. We do not currently use tracking cookies for advertising purposes (No Google Analytics, No Facebook Pixel).
- Essential Cookies: Session management, login state, Credit balance display.
You may disable cookies in your browser, but this may impair functionality.
9. Children's Privacy
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover collection from a minor, we will promptly delete the information. Parents may contact official@ojo.art to report such cases.
10. Changes to This Policy
We may update this Privacy Policy to reflect legal or operational changes. Material changes will be notified via email or service notice 30 days prior to effectiveness. The "Last Updated" date indicates the current version.
11. Contact Information
Data Protection Officer/Privacy Contact:
Email: official@ojo.art
Address: Suite 6503, 65/F, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
Entity: Nexight Technology (HK) Limited
For Hong Kong-specific complaints, you may also contact the Office of the Privacy Commissioner for Personal Data (PCPD).