Privacy Policy

1. Introduction

1.1. This Privacy Policy (hereinafter referred to as "Policy") defines the procedures for collecting, using, storing, protecting, and deleting personal data of users of the homiwork.com service (hereinafter referred to as "Service").

1.2. The Data Controller is: 3 Krolika LLP, BIN 251240001464, address: 010000, Kazakhstan, Astana, Taras Shevchenko Street 4/1, unit 17 (hereinafter referred to as "Operator").

1.3. Contact email address: support@homiwork.com.

1.4. This Policy has been developed in accordance with the laws of the Republic of Kazakhstan, including the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and Their Protection," and is designed to comply with international data protection standards, including the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA).

1.5. By using the Service, the User confirms that they are at least 18 (eighteen) years of age. Persons under the age of 18 are not permitted to use the Service.

2. Data We Collect

2.1. For the Service to function, we collect and process the following categories of data:

2.1.1. Data Provided by the User:

• Email address — for registration, authorization, and account recovery;
• Username (login) — for identification within the system;
• Password — stored exclusively in encrypted (hashed) form.

2.1.2. Content Uploaded by the User:

• Photographs and images for processing or as references;
• Audio files for processing;
• Video files for processing;
• Text data (descriptions, wishes, generation instructions).

Images uploaded by the User are automatically transformed (resolution reduction, re-encoding) before being used by AI models. After such transformation, images do not contain biometric data — extracting unique biometric parameters for identification becomes impossible. Original images are not retained.

2.1.3. Automatically Generated Content:

• Songs and music;
• Images (portraits, greeting cards, invitations, logos, coats of arms, and other graphic materials);
• Poems;
• Texts (greetings, formal letters, marketing materials, and other text-based content);
• Videos;
• Chat history with AI assistants.

2.1.4. Technical Data:

• Hash of the network address (SHA-256 with a private salt) — used for abuse protection and rate-limiting. The hash is irreversible; the original IP address is not stored or transmitted;
• Browser and device information (general technical request headers);
• User settings and preferences;
• Service usage data (statistics, logs).

2.1.5. Payment Information:

We DO NOT store payment data (card numbers, CVV, etc.). All payments are processed through third-party payment services certified to PCI DSS standards. We receive only confirmation of successful payment and a transaction identifier.

2.1.6. Face Data and Uploaded Photos:

Our application allows Users to voluntarily upload photographs, which may contain faces, as visual references for AI-powered content generation features (AI portraits, photo animation, photo enhancement, and others).

We DO NOT perform facial recognition, biometric analysis, or extract any face geometry, depth maps, or faceprints from uploaded photographs. Uploaded photos are treated as general image files and are used solely as input for AI content generation.

Photos are forwarded to technical contractors exclusively for one-time execution of the generation requested by the User (see Section 7.2). Contractors do not retain, analyze, or use uploaded images for model training or any other purpose.

User-uploaded reference photos are automatically deleted from our servers within 7 (seven) calendar days. Users may also delete their generated content along with associated source photos at any time through the app interface.

We do not share uploaded photos or any derived data with advertisers, analytics providers, or any other third parties.

3. Purposes of Data Processing

3.1. The collected data is used exclusively for the following purposes:

• User registration and authentication;
• Ensuring account security;
• Providing Service functions (content generation);
• Processing payments and tracking energy points;
• Content moderation and violation prevention;
• Technical support and communication with Users;
• Improving Service quality and AI algorithms;
• Compliance with legal requirements;
• Protecting the rights and legitimate interests of the Operator.

4. Legal Basis for Processing (GDPR)

4.1. For Users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary for the performance of a contract with you (providing Service functions);
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, preventing fraud, and ensuring security;
• Consent: Where you have given explicit consent for specific processing activities;
• Legal Obligation: Processing necessary for compliance with legal obligations.

5. Data Retention Periods

5.1. Account data (email, login, password): stored until the account is deleted by the User or by the Operator in accordance with the terms of use.

5.2. Inactive accounts: To implement the right to be forgotten, User accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data and content.

5.3. Uploaded content (photographs, audio, video for processing): stored for 7 (seven) calendar days for moderation and verification purposes, after which it is automatically deleted.

5.4. Generated content:

• For Users without Prime status: generated content is automatically deleted 2-4 months after creation;
• For Users with Prime status: content is stored until deleted by the User or until the Prime status expires (after which standard retention periods apply).

Upon deletion, content is marked as deleted (for recovery purposes) and completely removed after 7 (seven) calendar days.

5.5. AI assistant chat history:

• Only the last 100 (one hundred) messages with each AI assistant are stored;
• For Users without Prime status: message history is automatically deleted after 2-4 months;
• For Users with Prime status: message history is stored until account deletion or until the Prime status expires.

5.6. Technical logs and hashes of network addresses: stored for 12 (twelve) months for security and incident investigation purposes. Original IP addresses are not stored.

5.7. Transaction data: stored for the period required by applicable law (at least 5 years) for accounting and tax purposes.

6. Data Protection

6.1. The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions.

6.2. Protection measures include:

• Password encryption using modern cryptographic algorithms;
• Use of secure connections (HTTPS/TLS);
• Restricted access to personal data;
• Regular data backups;
• System security monitoring.

6.3. Important Notice: Despite the protective measures taken, the Operator cannot guarantee absolute data security during transmission over the Internet. The User uses the Service at their own risk.

7. Data Transfer to Third Parties

7.1. The Operator does not sell personal data. Data is transferred to a limited set of third parties only in the following cases:

• Upon request of authorized government bodies in accordance with applicable law;
• To payment operators — for payment processing (only the amount, order identifier, and email; payment details are submitted by the User directly to the payment system and are not accessible to the Operator);
• To technical contractors — for infrastructure hosting, file storage, and processing of content generation requests.

7.2. Generation request processing. To perform the generation requested by the User (songs, poems, greetings, images, videos), text prompts and pre-transformed images are forwarded to technical contractors. Transmitted requests are anonymized: email, username, account identifier, and any other information that could identify the individual are not included. Each request is used solely for one-time delivery of the result.

7.3. All third parties receiving access to data are required to maintain confidentiality and use data exclusively to perform their functions.

7.4. International Data Transfers: Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection. Where required, we implement appropriate safeguards such as Standard Contractual Clauses approved by relevant authorities.

8. Use of Data for Generation

8.1. The Operator does not train or fine-tune its own AI models on User data. The Service uses technical infrastructure to perform the User-requested generation on a one-off basis (see Section 7.2).

8.2. Content uploaded by the User and generated content may be used by the Operator for:

• Internal Service purposes (testing, debugging, improving algorithms and generation parameters);
• Statistical analysis in anonymized form.

9. User Rights

9.1. The User has the right to:

• Access their personal data and receive a copy;
• Request correction or updating of inaccurate personal data;
• Request deletion of their personal data ("right to be forgotten");
• Restrict the processing of their personal data;
• Object to the processing of their personal data;
• Request data portability (receive data in a structured, commonly used format);
• Withdraw consent to data processing at any time;
• Delete their content through the Service interface;
• Delete their account (all associated content will also be deleted);
• Lodge a complaint with a supervisory authority.

9.2. Additional Rights for California Residents (CCPA):

If you are a California resident, you have the following additional rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you;
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions;
• Right to Opt-Out of Sale: We do not sell personal information. However, you have the right to opt out of any future sales;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, please contact us at support@homiwork.com.

9.3. To exercise your rights, the User may:

• Use the personal account functionality to manage data and content;
• Send a written request to the email address support@homiwork.com.

9.4. Request Requirements. Requests to exercise rights are sent by email to support@homiwork.com from the same address that is linked to the account — this serves as confirmation of the data subject's identity. The request must contain the substance of the matter and the date. The Operator may separately request additional information if necessary to identify the User.

9.5. Request processing time — 30 (thirty) calendar days from receipt, or within shorter timeframes where required by applicable law (e.g., 45 days under CCPA).

10. Account and Data Deletion

10.1. The User may delete their account at any time through the personal account settings.

10.2. Upon account deletion:

• Personal data (email, login) is deleted;
• All generated content is deleted;
• AI assistant chat history is deleted;
• Transaction data is retained in accordance with legal requirements.

10.3. Automatic deletion of inactive accounts: Accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data.

10.4. Account deletion is irreversible. Recovery of deleted data is not possible.

11. Cookies and Web Analytics

11.1. The Service uses essential cookies (for authentication and session maintenance) and the Yandex.Metrika counter (Yandex LLC, Russia) for visit counting. Metrika is configured in minimal mode: without click maps, outbound link tracking, accurate bounce tracking, or WebVisor.

11.2. Third-party analytics services (Google Analytics and similar) are not used.

11.3. The User may disable cookie usage in browser settings, but this may affect Service functionality.

12. Prohibited Content and Moderation

12.1. The Operator reserves the right to review uploaded content for violations of law and Service rules.

12.2. If prohibited content is discovered (including materials containing child sexual abuse material, hate speech, calls for violence), the Operator has the right to:

• Immediately block the User's account;
• Transfer information to law enforcement authorities;
• Retain necessary data for investigation.

13. Children's Privacy

13.1. The Service is not intended for persons under the age of 18. We do not knowingly collect personal data from children under 18.

13.2. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information as soon as possible.

13.3. If you believe that a child under 18 has provided us with personal data, please contact us at support@homiwork.com.

14. Do Not Track Signals

14.1. Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activities tracked. The Service does not currently respond to "Do Not Track" signals as there is no industry standard for handling such signals.

15. Changes to the Policy

15.1. The Operator reserves the right to make changes to this Policy at any time.

15.2. Changes take effect from the moment the new version of the Policy is published on the Service website.

15.3. The User undertakes to independently monitor changes in the Policy. Continued use of the Service after changes are made constitutes acceptance of the new version of the Policy.

15.4. For material changes, we will make reasonable efforts to notify you by email or through a prominent notice on the Service.

16. Governing Law and Jurisdiction

16.1. This Policy and any disputes arising from or relating to it shall be governed by the laws of the Republic of Kazakhstan.

16.2. Any disputes shall be subject to the exclusive jurisdiction of the courts located in Astana, Republic of Kazakhstan.

16.3. Notwithstanding the foregoing, if you are located in the European Economic Area, United Kingdom, or Switzerland, nothing in this Policy affects your statutory rights under applicable data protection laws.

17. Additional Disclosures

17.1. Categories of Personal Information Collected (CCPA Disclosure):

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (email address, username, SHA-256 hash of the network address);
• Internet or other electronic network activity information (browsing history, interactions with the Service);
• Audio, electronic, visual, or similar information (uploaded content);
• Inferences drawn from the above (preferences, characteristics).

17.2. Sources of Personal Information:

• Directly from you when you provide it;
• Automatically when you use the Service;
• From third-party payment processors (transaction confirmation only).

17.3. Business or Commercial Purposes for Collection:

As described in Section 3 of this Policy.

17.4. Sale or Sharing of Personal Information:

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.