PRIVACY POLICY

1. Categorization and Information We Collect

We process your information categorized as Basic Personal Data under applicable laws. We do not intentionally collect Sensitive Personal Data.

• Account Data: Unique User ID, email address, and display name provided via third-party authenticators (Apple, Google, or Facebook).
• Interaction Data: Text prompts you input into our AI systems and the resulting AI-generated responses.
• Payment Data: Transaction history and subscription status processed via RevenueCat. We do not store or process credit card numbers.
• Technical Data: IP address, device model, operating system version, and diagnostic/crash logs.

2. Legal Basis and Purpose of Processing

We process your data based on: Contractual Necessity (to provide the Service); User Consent (for marketing); Legitimate Interests (to improve AI logic and security); and Legal Obligation (tax and regulatory compliance). Processing ends when the purposes are fulfilled or the retention period expires.

3. Sensitive Data Disclaimer & User Responsibility

We do not knowingly collect "sensitive personal data". Users are strictly advised not to input sensitive personal information into the AI prompts. Any such data provided is done so at the user's own discretion. By providing such data, you acknowledge and accept all associated risks.

4. AI Processing & Third-Party Recipients

We share gameplay prompts with AI providers (specifically OpenAI, LLC). We utilize enterprise-grade APIs which ensure that your data is NOT used to train public AI models. We do not sell, rent, or trade your personal information.

5. International Data Transfers

By using the Service, you acknowledge and provide explicit consent for your personal data to be transferred to and processed in Vietnam and the United States. We comply with Article 25 of Decree 13/2023/ND-CP by maintaining Transfer Impact Assessment (TIA) records.

6. Data Retention

• Account Data: Duration of active account plus 30 days post-deletion.
• Interaction Data: Stored for two (2) years for service quality, then anonymized or deleted.
• Technical Logs: Deleted or anonymized after 90 days.

7. Children's Privacy

The Service is intended for users aged 13 and older. For users in the EEA/Vietnam under 16, we require verifiable parental/guardian consent. If we discover data collected from a child without proper consent, we will delete it within 72 hours.

8. Your Rights

In accordance with the GDPR and Decree 13/2023/ND-CP, you possess the following rights: Right to be informed, Access, Rectification, Erasure, Restriction of processing, Data Portability, Objection, and the Right to withdraw consent. To exercise these rights, contact contact@tanabtech.com. We respond within 30 days.

9. Data Security & Breach Notification

We implement industry-standard encryption (AES-256). In the event of a data breach, we will notify the Ministry of Public Security (A05) and affected users within the timeframe required by Decree 13 (72 hours after discovery).