personaX Privacy Policy

English Reference Version - v1.2 Draft
Effective Date: 8 June 2026

The Thai version is the legally binding and controlling version.

1. Introduction and Data Controller

TENSOR ART HK LIMITED ("personaX", "we", "us", or "our", CR No. 77289411, BR No. 77289411, RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG) operates the personaX mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect Personal Data in connection with the Service, including under the Personal Data Protection Act B.E. 2562 ("PDPA") of the Kingdom of Thailand.

By using the Service, you acknowledge this Privacy Policy. This Policy applies together with our Terms of Service. Where specific processing requires consent, we will request it separately.

Data Protection Contact: personax@echo.tech

Thailand Local Representative: If a local representative is required under applicable PDPA rules, we will publish the representative's details in this Policy. Until then, privacy inquiries may be sent to personax@echo.tech.

2. Data We Collect, Why, and Legal Basis

The table below summarises the Personal Data we may collect, how it is collected, why we use it, and the legal basis under the PDPA.

Data collected How / when Purpose Legal basis (PDPA)
Email address, hashed password You provide at registration or login Account creation, authentication, account security Contract (s.24(3))
Display name, avatar, bio, profile preferences You provide or edit in the Service Profile and community features; personalization Contract (s.24(3))
Account identifiers, including user ID and session identifiers Created or assigned when you register or use the Service Account operation; authentication; support; fraud prevention; enforcement Contract (s.24(3)) / Legitimate interest (s.24(5))
User Content, including OCs, generated images or videos, generation history, posts, comments, profile content, uploaded or reference images You create, upload, generate, or post Core Service features; public display where you choose to publish; moderation; safety review; responding to reports Contract (s.24(3)) / Legitimate interest (s.24(5))
Reports, feedback, appeals, safety actions, and moderation notes When you report content or users, send feedback, appeal decisions, or when we review safety issues Content and user moderation; enforcing Terms; preventing abuse; responding to appeals, user requests, and legal requests Legitimate interest (s.24(5)) / Legal obligation (s.24(6))
AI prompts, reference images, AI chatbot messages, AI-generated outputs, and related metadata You input to or receive from AI features Sending to AI model infrastructure or providers to generate outputs; operating AI chatbot features; abuse detection; safety review; responding to in-App reports or flags Contract (s.24(3)) / Legitimate interest (s.24(5))
Device model, OS version, app version, language, timezone, device identifiers, Android ID or similar device IDs, push registration identifiers Automatically collected when you use the Service or enable notifications Service operation; analytics; crash reporting; fraud prevention; notification delivery; account and device security Legitimate interest (s.24(5)) / Consent where required (s.24(1))
IP address, carrier, network status, connection type Automatically collected when you use the Service Security; fraud prevention; service routing; abuse detection; analytics Legitimate interest (s.24(5))
Feature usage, actions, session data, event logs, error logs, crash logs Automatically collected through the App and SDKs Service improvement; analytics; troubleshooting; crash reporting; fraud prevention; safety Legitimate interest (s.24(5))
Advertising identifiers such as Android Advertising ID or Apple IDFA, if enabled and available Collected by the App or SDKs subject to device settings and platform permissions Analytics, attribution, fraud prevention, or advertising only if such features are enabled and disclosed in the App and platform data safety forms Consent (s.24(1)) / Legitimate interest (s.24(5)), as applicable
Camera, photo picker, media, file, or storage access Only when you initiate an upload, capture, generation, editing, or media-related feature and grant relevant permissions Uploading or creating images, videos, or other media for Service features Contract (s.24(3)) / Consent where required (s.24(1))
Push notification token When you grant notification permission or enable notifications Delivering App notifications, service messages, and alerts Consent (s.24(1))
Email, push token, and marketing preferences Registration, settings, or consent flows Product updates and promotional messages where permitted Consent (s.24(1))
Support communications When you contact us by email, forms, social media pages, customer support tools, or other support channels Customer support; troubleshooting; responding to rights requests Contract (s.24(3)) / Legitimate interest (s.24(5))
Data required for legal compliance As required by applicable law or lawful requests Compliance with Thai law, platform rules, tax law, law enforcement requests, court orders, dispute handling Legal obligation (s.24(6)) / Legitimate interest (s.24(5))

We do not intentionally collect biometric data, health data, financial account numbers, national ID numbers, or PDPA s.26 sensitive data unless you voluntarily include such information in User Content, prompts, messages, or support communications. Please do not submit sensitive information to the Service unless it is necessary.

Where we rely on consent, you may withdraw consent at any time through in-App settings where available or by contacting personax@echo.tech. Withdrawal does not affect processing that occurred before withdrawal.

3. App Permissions and Platform Disclosures

The App may request platform permissions depending on your device, operating system, SDK behavior, and features you use. These may include camera, photo picker or media access, notifications, network status, and storage or file access. Some third-party SDKs may also declare permissions in the Android package for compatibility.

We only use runtime permissions when needed for a feature you choose to use or for Service operation, security, analytics, crash reporting, push notification delivery, or fraud prevention. If a permission is not needed for the Service, we aim to remove it or keep it inactive.

Platform permission prompts, Google Play Data safety disclosures, and this Policy should be read together. If we introduce new permission-based features, we will update this Policy and applicable platform disclosures.

4. How AI Features Process Your Data

Self-hosted open-source models. We operate certain AI models on our own or affiliated infrastructure, including infrastructure located in Mainland China. Your prompts, reference images, and related inputs may be sent to these servers to generate outputs. We deploy open-source and community models, including models from or used by our affiliated service TensorArt. We do not use your content to train or fine-tune personaX or TensorArt models without your separate explicit consent.

Third-party AI providers. Some features may use third-party AI models or infrastructure:

Provider Purpose Location Training / use policy
Google Gemini API Image generation, AI chatbot features, text processing, safety or content processing Google-operated infrastructure, including the United States and other jurisdictions where Google processes API requests Subject to Google's applicable API terms and data processing terms
ByteDance / Volcengine Doubao or Seedream APIs Image generation and image editing Volcengine-operated infrastructure, including Mainland China and other jurisdictions where Volcengine processes API requests Subject to Volcengine's applicable API, privacy, and data security terms
Alibaba Cloud / Qwen APIs AI chatbot features, image or text processing, model inference Alibaba Cloud / Qwen-operated infrastructure, including Mainland China, Singapore, and other jurisdictions where Alibaba Cloud or Qwen processes API requests Subject to Alibaba Cloud / Qwen applicable terms for the API route used

If AI-generated images, videos, OC generation results, generation history items, or AI chatbot responses are offensive, unlawful, unsafe, or otherwise objectionable, you may report or flag them through in-App reporting or feedback tools. We use reports to review specific outputs, enforce our Terms, improve safety controls, and meet platform policy requirements.

We will not sell your AI inputs or outputs to third parties. We will not use them to train personaX or TensorArt-owned models without your explicit consent, except to the extent necessary to operate, secure, moderate, debug, and improve the Service in accordance with this Policy.

5. Third-Party Providers, SDKs, Affiliates, and Data Transfers

We use service providers and SDKs to operate the Service. Depending on the App version and enabled features, these may include:

Provider / SDK category Example providers or SDKs Purpose
Cloud hosting, storage, and content delivery TensorArt affiliated infrastructure, Alibaba Cloud / OSS, other cloud or CDN providers Hosting, media storage, delivery, AI inference, file upload and download
AI model providers Google Gemini, Volcengine / Doubao / Seedream, Alibaba Cloud / Qwen AI generation, chatbot, image editing, text or safety processing
Analytics, event tracking, and diagnostics Sensors Analytics, UBT or internal analytics tools Usage analytics, event tracking, service improvement, fraud prevention
Crash reporting and stability Firebase services, Bugly, platform diagnostics tools Crash reporting, troubleshooting, performance and stability analysis
Push notifications Firebase Cloud Messaging, EngageLab Push token management and notification delivery
Payment, app linking, and platform integrations Google Play, Alipay, WeChat SDK, Huawei services where applicable Payments, app-to-app interactions, login or platform services where enabled
Customer support and communications Email systems, customer support tools, social media pages, forms Support, rights requests, account deletion requests, user communications

These providers may process Personal Data only for the purposes described in this Policy and according to applicable agreements, platform rules, or provider terms. Some providers may act as independent controllers for data processed through their own services, such as social media pages or payment platforms.

TensorArt affiliate. personaX and TensorArt are operated under the same corporate entity, TENSOR ART HK LIMITED. We may share data within this entity for shared infrastructure, AI inference, fraud prevention, safety, moderation, support, and aggregated analytics. We do not share individual User Content between personaX and TensorArt for unrelated marketing purposes without your separate consent.

Cross-border transfers. Your data may be transferred to or processed in: (i) Hong Kong SAR; (ii) Mainland China; (iii) the United States; (iv) Singapore; and (v) other jurisdictions where our cloud, AI, analytics, crash reporting, notification, email, support, and infrastructure providers operate. Where required by applicable law, we rely on contractual safeguards, technical measures such as encryption and access controls, and other lawful transfer mechanisms.

Legal disclosures. We may disclose Personal Data without consent where permitted or required by law, including to comply with court orders, regulator requests, law enforcement requests, platform policy enforcement, Thai Computer Crime Act obligations, tax or accounting obligations, to enforce our Terms, to protect safety, to prevent fraud or abuse, or in a corporate transaction where the acquirer agrees to appropriate privacy commitments.

6. Data Retention

Data Retention period
Account data, including email and hashed password Account lifetime + up to 90 days after deletion, unless longer retention is required by law, security, fraud prevention, or dispute handling
Public User Content, including posts, comments, OCs, and public generated content Account lifetime; removed from public display on deletion where applicable; backups purged within a reasonable period, generally up to 90 days
AI prompts, AI chatbot conversations, generated outputs, generation history, and related metadata Account lifetime or until you delete them where deletion is available; certain logs may be retained up to 90 days for abuse detection, safety review, security, and troubleshooting; longer if legally required
Login, device, analytics, event, crash, and security logs Generally 6-12 months, unless longer retention is needed for security, abuse prevention, legal compliance, or dispute handling
Reports, feedback, appeals, safety actions, and moderation records Up to 2 years; longer if needed for serious abuse, legal compliance, dispute handling, or safety protection
Payment or transaction records, if payment features are introduced As required by tax, accounting, platform, and payment rules, generally up to 5 years or longer where legally required
Suspended or terminated account data Up to 90 days for appeal and enforcement review; then deleted or anonymized unless longer retention is required

7. Your Rights and Account Deletion

You have the right to access, rectify, erase, restrict, object to, and port your Personal Data; withdraw consent at any time; and lodge a complaint with the PDPC (https://www.pdpc.or.th / pdpc@mdes.go.th).

You can exercise certain rights directly in the App, including account deletion where available, data access where available, and marketing opt-out where available.

You may also request account deletion and associated data deletion outside the App through our account deletion request page:

personaX Account Deletion Request

For other privacy requests, contact personax@echo.tech. We respond within 30 days unless a different period is required or permitted by applicable law. Identity verification may be required before we fulfill a request.

When you request account deletion, we delete or anonymize your account and associated data, subject to data we must retain for legal compliance, security, fraud prevention, dispute handling, accounting, platform enforcement, or other legitimate reasons disclosed in this Policy.

8. Security, Children, Marketing, and Tracking

Security. We use technical and organizational measures designed to protect Personal Data, including encryption in transit where supported, hashed password storage, access controls, monitoring, and incident response procedures. AI chatbot conversations, prompts, posts, comments, and generated content are not end-to-end encrypted. Please do not share sensitive information such as ID numbers, bank details, passwords, health information, or other highly sensitive data in prompts, chats, posts, comments, or uploads.

If a high-risk personal data breach occurs, we will notify affected users and applicable regulators where required by law, including PDPA s.37(4) where applicable.

Children. The Service is not intended for children under 13 or under the minimum age required in their country or region. If a user is under 18, they must have permission from a parent or legal guardian to use the Service. We do not knowingly collect Personal Data from anyone below the applicable minimum age. If we discover such data, we will delete it and terminate the account where required. Contact personax@echo.tech if you believe a child below the applicable minimum age has shared data with us.

Marketing. We send promotional emails and push notifications only with consent where required. You can opt out through in-App settings where available, email unsubscribe links where provided, device notification settings, or personax@echo.tech. Transactional messages such as security alerts, Terms updates, support replies, and service notices may continue.

Tracking and Data Safety consistency. We use device identifiers, user IDs, system version, device model, usage events, SDK-based analytics, crash logs, and security logs for session management, preference memory, service improvement, crash reporting, fraud prevention, safety, and platform compliance. We do not currently serve third-party advertising. If advertising is introduced, we will update this Policy, in-App disclosures, and applicable platform data safety declarations, and obtain consent where required.

9. Changes, Language, and Contact

Changes. We may update this Policy from time to time. Material changes will be notified by email, in-App notice, push notification, or other appropriate method at least 14 days before taking effect where required by law. Continued use of the Service after the effective date means you acknowledge the updated Policy.

Language. This Policy is available in Thai and English. The Thai version is the legally binding and controlling version.

Company: TENSOR ART HK LIMITED
Company Registration No.: 77289411
Business Registration No.: 77289411
Registered Address: RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG
All Inquiries (Support / Legal / PDPA): personax@echo.tech
PDPC (regulator): https://www.pdpc.or.th | pdpc@mdes.go.th

-- End of Privacy Policy --