PRIVACY POLICY

Last Updated: 2026-4-17

TotalMedia Corporation, which is a part of a global corporate group (referred to as “Company”, “we”, “us”, or “our”), is committed to protecting and respecting your privacy. This Privacy Policy (the “Policy”) describes how we collect, store, use, and/or share (“process”) your personal data when you visit and use our services (“Services”) through our website (https://www.totalmedia.ai/), associated desktop and mobile applications (iOS, Android, Windows, Mac) and all related AI-powered platforms.

Our Services cover AI-powered graphic and text generation, online audio and video editing, AI video generation, AI design tools, AI color adjustment tools and other related features. Other products and services provided by us may operate under their own privacy policy tailored to their specific features and data processing practices. Please review those policies separately until their privacy practices are integrated with this Policy.

Summary of this Policy

This summary provides a concise overview. Please review the full Policy for complete details.

1.1 Similar technologies we may use include (all technologies comply with global data protection laws and will not collect your personal data without consent) :

• What data do we collect about you? When you use our Services, we may process personal data you provide (account details, User Content), data collected automatically (usage, device info), and data from third parties. We do not knowingly collect data from children under 16. See Section 1.

• Do we process any sensitive personal data?: Yes, for specific AI features (like AI avatar generation or voice cloning) we may process biometric data (e.g., facial geometry scans, voiceprints) only with your explicit consent. This data is deleted immediately after the specific generation task is complete. See Section 1.4, 1.5 and 11.

• How do we process your personal data?: We process your data to provide and improve our Services, communicate with you, ensure security, and comply with law. By default, we do not use your content for AI model training. Any such use requires your explicit opt-in consent. Where you have consented, we may use de-identified User Content to train and improve our AI models, which is in our legitimate interest. Our de-identification process adheres to industry standards, removing direct and indirect identifiers to ensure the data cannot be reasonably linked to an individual. You may opt-out of this use at any time by adjusting your preferences in your account settings (Account Center > Privacy Settings > AI Training Opt-out) or by contacting us using the details in Section 14. See Section 2.

• How do we share your personal data?: We share data only for specified purposes with affiliates, service providers (hosting, payment, support), legal authorities when required, or in a business transfer. We do not sell your personal information. See Section 4.

• How do we transfer your data globally?: We operate globally. When we transfer personal data from the EEA, UK, or Switzerland, we implement safeguards like Standard Contractual Clauses. See Section 6.

• How do we keep your personal data safe?: We use organizational and technical security measures. Data is retained only as long as necessary for the intended purpose. Biometric data is deleted immediately after use. See Section 5.

• What are your rights?: Depending on your location, you may have rights to access, correct, delete, or restrict processing of your data. You may request human review of automated decisions where required by law.

U.S. state residents (California, Virginia, Colorado, etc.) have additional rights under the CCPA/CPRA. See Section 8 and 9.

• How do we govern AI systems and protect enterprise customers?: Our AI systems are trained on licensed, lawful data and may produce inaccurate or biased outputs requiring your review. By default, we do not use your content for AI training; any such use requires your explicit opt-in consent, with enterprise data receiving additional segregation and contractual protections. We provide algorithmic transparency, human review rights for significant automated decisions, and maintain bias monitoring and EU AI Act compliance. Enterprise customers benefit from dedicated support, audit rights, and custom data residency options. See Section 11.

• Children's Privacy. Our Services are not for children under 16. We will delete any inadvertently collected data from minors. See Section 7.

Table of Contents

1. Personal Data We Collect

2. How We Use Your Data and the Legal Bases for These Uses

3. Cookies and Other Tracking Technologies

4. How We Share Your Personal Data

5. Data Security and Retention

6. International Transfers of Personal Data

7. Children

8. Your Privacy Rights

9. Additional U.S. State Disclosures (e.g., California, Virginia, Colorado)

10. Third Party Services

11. AI Governance and Enterprise Data Protection

12. Biometric Data Privacy Policy

13. Updates To This Policy

14. Contact Us

1. Personal Data We Collect

Depending on the relevant circumstances and applicable local laws and requirements across global jurisdictions, we collect various types of personal data to enable us to provide our Services to you.

1.1 Data You Provide to Us

• Account Information: Email address, username, password when you create an account. We automatically generate a unique, unified user ID for you, ensuring a consistent and streamlined user experience across our multiple Services.

• User Content: This is the core of our Service. We collect Inputs (images, text, audio, video, prompts, designs you upload or enter) and Outputs (the content generated or edited by our AI based on your Inputs) when you use our AI graphic text generation, audio/video editing and design tools. This may include information from your device's clipboard with your permission.

• Payment Information: In order to provide the paid Services you purchased, we will collect your email address, billing address, your business affiliation (company or organization name), type of Services you purchase, amount you pay to complete your order, Subscription ID and Subscription-related URLs (such as purchase confirmation page URL, subscription cancellation URL). Full payment card details are processed directly by our third-party payment processors and are not stored by us.

• Communications: Feedback on complaints, support inquiries, survey responses and other communications with our customer service. Refusing to provide such information will not affect your use of our Services.

1.2 Data Collected Automatically

• Usage Data: Information about your interaction with our Services (clicks, browsing, edits, feature usage, time spent, prompt patterns) that reveals your preferences, interests, or manner of use of the Services. This helps us understand user preferences and improve our AI models. We collect your usage data via cookies and similar technologies, see Section 3.

• Device and Technical Data: IP address, browser type, device identification information (such as IMEI, Android ID, OAID, IDFA), operating system, network connectivity status, device model, and language settings that may be associated with your device or browser.

1.3 Data from Third Parties

• Account Information: If you log in via a third-party service (e.g., Google, Apple, Facebook), we receive the corresponding account information you authorize, which may include your name, email address, and profile picture.

• Payment Information: From third-party payment processors (such as Google Pay, Apple Pay, Stripe, PayPal) to confirm transaction status, payment account ID and other related information for the completion of the transactions. The payment details such as credit card information you provide during the purchase process will be collected by these third-party services.

1.4 Biometric Data

For specific AI features you choose to use (e.g., AI avatar generation, voice cloning for video/audio content), we may process biometric data with your explicit, prior opt-in consent:

• Facial Geometry Scans: Extracted from your uploaded images/videos solely to generate or edit AI avatars, live portraits, or apply realistic visual filters.

• Voiceprints: Extracted from your uploaded audio solely for voice cloning and AI video/audio generation and speech recognition/translation features.

We process this data only with your explicit, prior consent and solely to provide the specific feature you requested. This data is deleted immediately after the generation task is complete (typically within 24 hours). We do not use biometric data for identification, recognition, marketing or any other purpose beyond the specific feature you requested. See the Biometric Data Privacy Policy (Section 12) for complete details.

1.5 Special Data Processed for AI Features

When you use our AI-powered features (e.g., AI graphic/text generation, video/audio editing, AI design, AI color adjustment), we process the following data only after obtaining your consent:

• Text prompts you enter;

• Images, videos, and audio files and design materials you upload;

• Reference materials you provide.

This data is sent to third-party AI service providers (such as OpenAI's Sora, Google's Gemini/Veo, Anthropic's Claude, Stability AI or other industry-leading models) solely to process your request and generate the Output. These providers act as our data processors under strict contractual terms that prohibit them from using your data for their own purposes or training their general models. We do not use your Inputs or Outputs to train or improve these third-party providers' general AI models unless you explicitly opt in.

1.6 Prohibited Data

We do NOT process the following information unless specified in the individual privacy policies of our specific Services:

• Personal health data (e.g., medical records or an individual's healthcare claim information);

• Government-issued ID numbers (e.g., driver's license numbers, Social Security Numbers);

• Personal financial data or financial account numbers (beyond the limited payment information in Section 1.1);

• Personal data of children under 16;

• Genetic data (excluding the biometric data specified in Section 1.4 and 12).

2. How We Use Your Data and the Legal Bases for These Uses

We only use your personal data when the applicable global and local laws allow us to. Our legal bases for collecting and using the personal data described in this Policy depend on the personal data we collect and the specific context in which we collect that information, complying with the GDPR (EU/EEA), CCPA/CPRA (California) and other regional privacy regulations.

| Purpose of Use | Categories of Data Used | Legal Basis (EEA/UK Users) | Primary Legal & User Right (US Users) |
| --- | --- | --- | --- |
| To provide and maintain the Service (e.g., processing requests, enabling generation, providing AI design/tool features, including all AI-powered features) | Account Information, User Content, Section 1.1, Biometric Data | Performance of a contract with you | Performance of a contract / Your use of the Service constitutes agreement to our Terms |
| To improve, secure and preserve our AI models (we do not use your content for AI training unless you provide explicit opt-in consent. When we do use de-identified data, we may upload it to train and enhance our algorithms.) | Usage Data, (un)identified, Device and Technical Data | Legitimate interest (to improve our services for all users, innovate, and enhance model accuracy, protect our legal rights and defend our rights) | Your explicit consent (opt-in required); You may opt out of such processing by adjusting your preferences in your account settings or contacting us as detailed in Section 14. We do not use your data for automated decision-making that produces legal or similarly significant effects without human intervention. |
| Our de-identification process addresses industry standards, removing direct and indirect identifiers to ensure the data cannot be identified. | User Content (Inputs and Outputs) and Usage Data | Sent to third-party AI service providers (such as OpenAI's Sora, Google's Gemini/Veo, Anthropic's Claude, Stability AI or other industry-leading models) solely to process your request and generate the Output. These providers act as our data processors under strict contractual terms that prohibit them from using the data for their own purposes or training their general models. | |
| To process payments and manage subscriptions for paid Services | Account Information, Payment Information | Performance of a contract with you | Performance of our contract with you and necessary for the transaction |
| To communicate with you for non-marketing purposes (service updates, support, push notifications, transaction notices) | Account Information, Communications, Device and Technical Data | Performance of a contract with you; Legitimate interests (for administrative communications) | Our legitimate business interests in conducting our relationship with you and performance of contract |
| To send you marketing communications (e.g., newsletters, new feature alerts, promotional offers) | Account Information, Communications, Device and Technical Data | Consent (explicit opt-in where required by law) | Your consent (for promotional emails/texts where required). You can opt-out at any time. State law may provide additional opt-out rights |
| To ensure security and prevent fraud/abuse (e.g., monitoring for unauthorized access, detecting misuse of Services, enforcing our Terms of Use) | Usage Data, Device and Technical Data, Account Information | Legitimate interests & Compliance with a legal obligation | Our legitimate business interests and necessary to protect our rights, property, and safety, and to comply with our legal obligations |
| To comply with legal obligations (e.g., responding to court orders, regulatory requests, cross-border data protection laws) | All relevant categories | Compliance with a legal obligation | Compliance with applicable U.S., state, and local laws and regulations, including COPPA for children's data |
| To respond to your inquiries, comments, feedback or questions about our Services | Account Information, Communications, Usage Data, Device and Technical Data | Performance of a contract with you; Legitimate interests | Performance of contract and our legitimate business interests in customer service |

Key Global Legal Basis Notes

• For jurisdictions where legitimate interest is not an available legal basis, we will engage in the relevant processing activities on a valid legal basis applicable in that jurisdiction (e.g., explicit consent).

• Consent Withdrawal: Where processing is based on your consent, withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

3. Cookies and Other Tracking Technologies

Cookies are small text files stored by your web browser when you use our websites and Services. You can control how we use cookies by configuring your Cookie Preferences at the bottom of our Website. Note that if you disable essential cookies entirely, our Services may not function properly.

We and our third-party partners (analytics, advertising, technology providers) may collect information about you via cookies and similar tracking technologies. The information collected may include unique identifiers, system information, IP address, web browser, device type, your system preferences, and the web pages that you visit and interact with.

3.1 Types of Cookies

We may use both session cookies (disappear after you close your browser) and persistent cookies (remain after you close your browser for subsequent visits). We or our third-party partners may place cookies for the following purposes:

• Function cookies: Essential for the core functionality of the site and related Services (e.g., account login, feature access). These cannot be disabled as the Services will not operate properly without them.

• Marketing cookies: Allow us and our partners to deliver ads that are more relevant to your interests for marketing purposes. Disabling these means you will still see ads, but they may not be tailored to your preferences.

• Measurement cookies: Used to analyze site/Services usage, helping us measure and improve performance, understand user preferences and enhance the information/features we provide to you.

4. How We Share Your Personal Data

We will only share your personal data for lawful, legitimate, necessary, specific, and explicit purposes, and we will only share the minimum personal data required to provide the Services. We require our partners and service providers, through binding contractual agreements, to retain your personal data only for the necessary period and to implement adequate security measures to protect data security.

We do not sell your personal information to any third party for commercial purposes, in accordance with global privacy regulations and U.S. state laws. We share data only with the following parties for specified purposes:

4.1 Affiliates and Corporate Partners

We disclose the categories of personal data described in Section 1 between and among our global affiliates (including our Chinese parent company) and related corporate entities, for legitimate business purposes and the operation of the global Services, in accordance with applicable cross-border data protection laws.

Any access to your personal data by our affiliates is restricted to what is necessary and minimal for the specified purpose, is governed by strict data protection agreements (including, where required, EU Standard Contractual Clauses and China's Standard Contract for Cross-border Transfer of Personal Information), and is subject to comprehensive access controls and audit logs.

4.2 Service Providers

We may share any personal data listed in Section 1 with third-party Service Providers who help us provide the Services or perform business functions on our behalf, including:

• Hosting and technology vendors (e.g., cloud service providers powering our global infrastructure);

• Support and customer service vendors (providing user support and after-sales services);

• Payment processors (e.g., Apple Pay, Google Pay, Stripe, PayPal) for transaction processing;

• AI technology partners (acting as data processors for AI feature processing);

• Analytics and marketing partners (for Service improvement and legitimate promotional activities).

4.3 Law Enforcement, Regulatory Authorities and Judicial Bodies

We disclose personal data if we are legally required to do so, or if we have a good faith belief that such disclosure is reasonably necessary to:

• Comply with a legal obligation, judicial process or official regulatory request;

• Enforce our terms, policies, and standards, including investigation of any potential violation thereof;

• Detect, prevent or otherwise address security, fraud or technical issues;

• Protect the rights, property or safety of us, our users, a third party or the public as required or permitted by applicable laws (including exchanging information with other companies and organizations for fraud protection).

Government Access: We only disclose data to government authorities when legally required by valid legal process. We minimize the scope of disclosure to what is strictly necessary and will notify users of such disclosure where permitted by law and not prohibited by the legal process itself.

4.4 Business Transfer Parties

If we are involved in a merger, acquisition, bankruptcy, reorganization, partnership, asset sale or other corporate transaction, we may disclose your personal data as part of that transaction. Should one of these events occur, we will make reasonable efforts to notify you before your personal data becomes subject to different privacy and security policies and practices, in accordance with applicable local laws.

5. Data Security and Retention

5.1 Data Security

We have implemented appropriate technical and organizational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or unauthorized processing, in accordance with global and local applicable laws (including GDPR, CCPA/CPRA). Such measures include encryption of data in transmission and storage (especially for biometric data and payment-related information).

Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and personal data by selecting and protecting your password appropriately and limiting access to your computer/device and browser by signing off after using our Services. If you have concerns that your account or personal data has been put at risk (e.g., password compromise), please contact us immediately using the details in Section 14.

While we use reasonable commercial efforts to protect your data, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. In the event of a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your data, we will notify you and the relevant regulatory authorities according to applicable local and cross-border laws.

5.2 Data Retention

We adhere to data minimization and retention limitation principles, and retain your personal data only as long as necessary for the intended purpose of collection, including to meet legal, financial, audit, or dispute resolution requirements across global jurisdictions. When assessing retention periods, we consider:

• The nature of the personal data and the activities involved;

• The duration of your use of our Services;

• Our legitimate business interests and global legal obligations.

If you deactivate/delete your account, delete personal data, or the retention period expires, we will delete or anonymize your personal data, except in the following cases:

• Compliance with legal requirements regarding data retention according to applicable global and local laws;

• Extension of the period for financial, audit, dispute resolution, or other legitimate business purposes.

Specific Retention Rules for Key Data Categories:

• Account Information: Retained until you delete your account (with mandatory deletion/anonymization after account deletion, except for legal retention requirements);

• Biometric Data: Retained only for the duration necessary to complete the specific AI generation or editing task you requested. The data is deleted immediately after the task is complete (typically within 24 hours), unless we are legally required to keep it for a different period under applicable global/local laws;

• User Content: Retained as long as your account is active to provide you access; de-identified User Content used for AI model improvement may be retained longer (permanently anonymized and not linked to your identity);

• Payment Information: Retained for the period required to complete transactions and comply with financial/tax laws (global and local);

• Usage Data & Device Data: Retained for a period necessary for analytics and Service improvement, after which it is anonymized or deleted;

• Communications/Feedback: Retained for the period necessary to resolve your inquiries/complaints, after which it is deleted or anonymized.

6. International Transfers of Personal Data

As a global service provider with a U.S. subsidiary and Chinese parent company, we use global cloud services to process and back up your Personal Data with data centers located in Singapore, the United States and the EU. Based on your geographic location, we will store your Personal Data in the nearest data center to ensure service efficiency:

• If you are within the European Economic Area (EEA)/UK/Switzerland: your Personal Data will be processed and stored on servers in the EU;

• If you are located in the U.S.: your Personal Data will be processed and stored within the U.S.;

• If you are located in Asia/Oceania/other regions: your Personal Data will be primarily processed and stored in Singapore (or other regional data centers as applicable).

We also rely on service providers and affiliates around the globe to support our global operations. Consequently, your personal data may be accessed by our global affiliates or transferred to third-party service providers and business partners in various jurisdictions, to fulfill the purposes set forth in this Policy.

6.1 Cross-Border Data Protection Safeguards

In the event of an international transfer of personal data (especially from the EEA/UK/Switzerland to jurisdictions not deemed to have an adequate level of data protection), we will provide an adequate level of protection for your personal data using various legally compliant means, including:

• Implementing the EU Standard Contractual Clauses (SCCs) between our affiliates and third-party service providers;

• Entering into data transfer agreements that comply with applicable cross-border data protection laws (e.g., GDPR, CCPA/CPRA, Asian/Oceanian privacy regulations);

• Using other lawful approaches that permit the cross-border transfer of personal data under applicable local and international laws.

6.2 Specific Cross-Border Transfer Scenarios

Consistent with our global operations, personal data may be transferred across borders for the following legitimate purposes (all with applicable security safeguards):

• Transfer of payment information to international payment processing companies to complete transactions;

• Temporary transfer of usage/device data to global analytics partners (e.g., Google Analytics) for Service improvement (most data is processed anonymously);

• Transfer of email/communication information to global email delivery service providers for sending service/marketing communications (with opt-out for marketing);

• Storage of personal data on global cloud server providers' infrastructure (Singapore, U.S., EU);

• Transfer of relevant data to global fraud monitoring and prevention providers to protect against security risks and fraud.

Access by Chinese Parent Company: Our Chinese parent company may access personal data solely for purposes of global technical support, infrastructure maintenance, and legal compliance. Such access is (1) limited to the minimum necessary data; (2) subject to SCCs with additional technical and organizational measures; (3) logged and audited quarterly; (4) compliant with PIPL security assessment requirements where applicable.

You can obtain more detailed information on the protection measures for cross-border data transfers by contacting us using the details in Section 14.

7. Children

Our Services are not intended for children under the age of 16 (or the applicable age threshold in your jurisdiction: 13 years for COPPA-covered U.S. users, 13-16 years for EU/EEA/UK users depending on Member State law, 14 years for South Korea, etc.) and we do not knowingly solicit, collect or process personal data from or market to children under 16 years of age, in compliance with global privacy regulations (including COPPA for U.S. users, GDPR Article 8 for EU users and other regional minor protection laws). If you do not meet the applicable age requirements, please do not use our Services.

• Age Verification: We may implement age verification measures before allowing access to certain AI features (especially biometric-related features) to prevent minor access.

• Inadvertent Collection: If we learn that personal data from users less than 16 years of age has been collected without proper parental/guardian consent, we will immediately deactivate the associated account and take reasonable measures to promptly delete such data from our global records.

• Parental Notification: If you become aware of any data we may have collected from children under age 16, please contact us immediately using the details in Section 14 for deletion.

For U.S. users subject to COPPA (Children's Online Privacy Protection Act), we comply with all COPPA requirements for children under 13, including verifiable parental consent for any limited data collection (where applicable) and parental rights to review/delete a child's personal data.

8. Your Privacy Rights

Subject to applicable global and local law (e.g., GDPR for EEA/UK, CCPA/CPRA for California, PDPL for Asia) and depending on where you reside, you may have the following rights regarding your personal data. If you have any requests relating to your personal data rights, please contact us using the details in Section 13. We will verify your identity before responding to your request, in accordance with applicable law.

8.1 Core Privacy Rights

• Data Access & Portability: The right to know what personal data we process about you (categories, purposes, third-party disclosures) and to access/obtain a copy of your personal data in a portable, machine-readable format.

• Data Correction: The right to request correction of inaccurate or incomplete personal data we retain about you.

• Data Deletion: The right to request deletion of your account and erasure of your personal data (subject to legal retention requirements). If some data cannot be deleted, we will inform you of the specific legal reasons.

• Withdrawal of Consent: The right to withdraw your consent for any processing activity based on your prior consent (does not affect the lawfulness of processing before withdrawal).

• Objection to Processing: The right to object to the processing of your personal data based on our legitimate interests (where there are grounds relating to your particular situation). We may have an overriding legitimate interest to continue processing, and will notify you if this is the case.

• Restriction of Processing: The right to request limitation of our processing of your personal data if (1) the processing is unlawful and you oppose erasure; (2) you need the data for legal claims; (3) the accuracy of the data is pending verification; (4) your objection to processing is pending verification.

• Lodge a Complaint: The right to submit a complaint to your local data protection authority if you consider that our processing of your personal data infringes applicable privacy laws.

Right to Human Review (Automated Decision-Making): You have the right to request human intervention in, or to contest decisions based solely on automated processing (including profiling) that produces legal or similarly significant effects concerning you. To request human review, explanation of the logic involved, or to contest an automated decision, please contact us using the details in Section 14 with subject line “Human Review Request – [Your Account ID]”.

8.2 Exercising Your Rights

When submitting a rights request, please specify the scope and legal basis of your request and provide the necessary information to verify your identity. We will respond to your request or complaint in a timely manner in accordance with applicable global and local laws (e.g., 30/45 days for U.S. state law requests, 1 month for GDPR requests).

9. Additional U.S. State Disclosures (e.g., California, Virginia, Colorado, Connecticut, Utah)

We collect personal data from and about U.S. users in the preceding 12 months as described in Section 1 of this Policy. We disclose personal data with third parties for business purposes in the preceding 12 months as set forth in the table below, in compliance with U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, UCPA, etc.) for California, Virginia, Colorado, Connecticut and Utah residents.

| Categories of Personal Data | Data Disclosed to Which Categories of Third Parties |
| --- | --- |
| Device and Technical Data, Usage Data | Growth analysis providers, advertising service providers, AI technology partners |
| Payment Information | Payment processors (Apple Pay, Google Pay, Stripe, PayPal) |
| Account Information, Communications/Feedback | Customer service vendors, cloud hosting providers |

9.1 Additional State Statutory Rights

For U.S. state residents covered by applicable state privacy laws, you have the following additional rights (in addition to the core rights in Section 8):

• Opt-out of Marketing Communications: We provide marketing information through in-app notifications, emails and website alerts. If you do not wish to receive these notifications, you can disable them in your device settings or click the opt-out link in all marketing emails.

• Opt-out of Sale/Sharing of Personal Data: As defined by relevant U.S. state laws, we may "share" your Device and Technical Data and Usage Data for cross-context behavioral advertising/targeted advertising purposes. To opt out of the sale or sharing of your personal data, navigate to the "Do Not Sell or Share My Personal Information" link at the bottom of our website, enable a browser-based opt-out preference signal like Global Privacy Control (GPC), or contact us using the details in Section 14.

• Limit the Use of Sensitive Personal Information: You have the right to request limitation of the use and disclosure of your sensitive personal information (e.g., biometric data). We only use sensitive personal information as necessary to provide the Service you requested (with your explicit consent) and for other permitted purposes under state law, and do not use it for inferring personal characteristics.

• Right to Appeal: You may appeal our refusal to take action on any privacy rights request by contacting us using the details in Section 14. We will review your appeal and provide a response in accordance with state law.

• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights under U.S. state law (e.g., denying Services, charging different fees, providing different service quality).

• Shine the Light Law (California): We do not disclose personal data to third parties for their direct marketing purposes, in compliance with California's Shine the Light Law.

9.2 Additional Rights Regarding Automated Decision-Making Technology (ADMT)

In compliance with the California Consumer Privacy Act (CCPA) as amended, and other applicable U.S. state laws, you have the right to request information about, and opt out of, our use of Automated Decision-Making Technology (ADMT) where it is used to make decisions that produce legal or similarly significant effects concerning you. To the extent we use ADMT for such purposes, you may request an explanation of the decision and an opportunity to contest it. Human review is available upon request. For more information or to exercise your ADMT rights, please contact us using the details in Section 14.

10. Third Party Services

Our Services may incorporate services and functions provided by third parties (e.g., social media logins, cloud storage, payment processing, AI technology partners). When you choose to enable such third-party services, we may share your information (as necessary to provide the feature) with such third-party services, including your text, images, audio/video and other relevant User Content.

Third-Party Services are not owned or controlled by us and may have their own privacy policies and data processing practices for the collection, use, and sharing of your personal information. We encourage you to review the permissions, privacy settings and privacy notices of these third-party services before using them, or contact the third-party provider directly for any questions about their data practices.

We are not responsible for the privacy practices or content of any third-party service, and your use of third-party services is at your own risk.

11. AI Governance and Enterprise Data Protection

This section establishes our commitments and practices regarding artificial intelligence governance, algorithmic accountability, and enhanced protections for enterprise customers. These provisions apply to all users of our AI-powered Services, with specific additional safeguards for enterprise and business customers as noted below.

11.1 AI Systems and Training Data

Our AI systems are trained on licensed, human-created, and lawfully obtained data from diverse sources, including publicly available information, licensed datasets, and synthetic data. We implement data provenance tracking and copyright compliance protocols to ensure lawful training data acquisition.

AI Output Reliability: The Services utilize generative AI, which is probabilistic and may produce inaccurate, biased, incomplete, or otherwise unsuitable Outputs. AI-generated content may reflect biases present in training data or produce "hallucinations" (factually incorrect information). You acknowledge that:

• All AI Outputs must be reviewed, verified, and where necessary, edited by you before use or publication;

• We do not guarantee the accuracy, completeness, reliability, or suitability of any AI-generated content for your specific purpose;

• You bear full responsibility for any decisions, actions, or publications based on AI Outputs;

• We recommend implementing human-in-the-loop review processes for high-stakes use cases (e.g., medical, legal, financial, or public-facing applications).

11.2 Customer Data and AI Training

Default Position: No Training: By default, we do not use your Inputs or Outputs for AI model training, improvement, or any other purpose beyond providing the specific Service you requested. Your content remains segregated and is not incorporated into our general AI training datasets unless you explicitly opt in.

Opt-in to AI Training: Where you have provided explicit, affirmative opt-in consent (through account settings or explicit agreement), we may use de-identified User Content to train and improve our proprietary AI models. Such use is governed by the following safeguards:

• De-identification Standards: We apply industry-standard techniques including anonymization, pseudonymization, removal of direct identifiers (e.g., email, user ID) and differential privacy measures to prevent re-identification.

• Purpose Limitation: De-identified data is used solely for model training and improvement, not for profiling, advertising, or any other commercial purpose.

• Enterprise Segregation: Enterprise customer data is lawfully and securely segregated from general user data pools, with additional access controls and contractual prohibitions on training use.

• Consent Withdrawal: You may withdraw your consent at any time via your Account ID (via Account Settings → AI Training Opt-out) by contacting us at support@totalmedia.ai. Withdrawal of consent does not affect the lawfulness of prior processing.

Third-Party AI Providers: We do not permit third-party AI service providers (e.g., OpenAI, Google, Anthropic) to use your Inputs or Outputs to train or improve their general AI models unless you explicitly opt in to such use. Our data processing agreements with these providers expressly prohibit such use.

11.3 Algorithmic Accountability and Human Oversight

For AI features that may significantly affect your rights or interests, we provide:

• Clear disclosure of AI involvement in generating Outputs;

• Information about the limitations and capabilities of our AI systems;

• Guidance on appropriate cases and known failure modes.

Human Review of Automated Decisions: Where our AI systems make decisions that produce legal effects or similarly significant effects concerning you (e.g., automated fraud/abuse detection, payment processing suspension), you have the right to:

• Request Human Review of the decision;

• Obtain an explanation of the logic involved, including the main factors considered;

• Contest the decision and present additional information for reconsideration.

To exercise these rights, contact us at support@totalmedia.ai with the subject line "Human Review Request – [Your Account ID]".

11.4 Enterprise and Business Customer Protections

Enterprise customers with separate commercial agreements receive enhanced data protection commitments including:

| Protection | Description |
| --- | --- |
| Data Segregation | Enterprise data is stored in logically segregated environments with access controls distinct from general user data. |
| Training Prohibitions | Contractual guarantees that enterprise content will not be used for AI model training without explicit, case-by-case written authorization. |
| Audit Rights | Annual right to request audit reports on our data handling practices and security controls. |
| Data Residency Options | Where available, option to specify geographic region for data storage and processing (EU, US, Asia). |
| Custom Retention | Flexible data retention periods aligned with enterprise compliance requirements, subject to legal minimums. |
| Dedicated Support | Priority privacy and security support channel with defined SLA response times. |

Business Associate Agreements: Where we process personal data on behalf of enterprise customers as a processor, we execute Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs) specifying:

• Permitted processing purposes and prohibitions;

• Subprocessor governance and notification requirements;

• Security measures and breach notification procedures;

• Audit and compliance verification rights;

• Data return and deletion obligations upon termination.

11.5 AI Risk Management and Compliance

We maintain an AI Governance Framework aligned with emerging global standards including:

• EU AI Act: Risk classification of AI systems; conformity assessments for high-risk AI; transparency obligations;

• NIST AI Risk Management Framework: Governance, mapping, measuring, and managing AI risks;

• ISO/IEC 42001: AI management system standards where applicable.

Prohibited AI Uses: You may not use our AI Services for:

• Automated decision-making in high-risk domains (credit, employment, housing, education) without appropriate human oversight and legal compliance;

• Generation of deceptive content (deepfakes) for fraudulent, defamatory, or electoral manipulation purposes;

• Development or improvement of competing AI models through systematic data extraction or model distillation;

• Any use prohibited by applicable law or our Terms of Service.

11.6 Bias Monitoring and Fairness

We implement ongoing monitoring for algorithmic bias in our AI systems, particularly for features that may affect representation or access. This includes:

• Regular testing of model outputs across demographic dimensions;

• User feedback mechanisms for reporting biased or unfair outputs;

• Model retraining and adjustment protocols when bias is detected.

Users are encouraged to report potentially biased outputs via Account Center > Feedback > AI Output Report or by emailing support@totalmedia.ai.

12. Biometric Data Privacy Policy

This section supplements the core Privacy Policy and sets forth specific rules for the processing of biometric data in connection with our AI Services, complying with global biometric data protection laws (including the Illinois BIPA, Texas CBBL, Washington SHB 1181 and EU GDPR). This Policy applies to biometric data processed for our direct users and does not apply to biometric data we process on behalf of our business customers (we process such data solely on the instructions of business customers, governed by separate agreements).

12.1 What is Biometric Data

Biometric data means unique biological characteristics that identify you, as defined by applicable global and local laws. For our Services, this includes voiceprints and scans of facial geometry extracted from your uploaded audio, images or videos. This does not include writing samples, written signatures, photographs, or physical descriptions (height, weight, hair color, eye color) that are not processed and used to identify you or provide AI features.

12.2 Collection and Use of Biometric Data

We may collect, generate, derive, store, and use your biometric data only to provide certain specific AI features of our Services you voluntarily request, including:

| Purpose | Description |
| --- | --- |
| To generate your voice model | We process the audio recordings of your voice that you provide to create a voice model for AI voice cloning and synthetic audio generation for your video/audio content. |
| To identify different persons | We process the audio recordings/voice data you provide to identify different speakers and support AI speech translation/editing features for your content. |
| To create avatars/visual features | We process the photos/videos you provide to generate facial geometry for creating AI avatars, live portraits and applying realistic visual filters to your content. |

We will always obtain your explicit, opt-in consent before collecting, deriving or generating any biometric data from or regarding you, in compliance with applicable biometric data privacy laws. We use biometric data solely for the specific feature you requested and do not use it for any other purpose (e.g., identification, surveillance, marketing).

12.3 Disclosure of Biometric Data

We may disclose your biometric data only as necessary to provide the specific AI Service you requested and do not share your biometric data with any third party for commercial purposes. We will not share, sell, or trade your biometric data to any third party unless:

• You direct us to do so via explicit written instruction;

• We have obtained your prior, explicit consent for the specific disclosure;

• The disclosure is made to perform our obligations under applicable global and local laws/regulations;

• The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction;

• The disclosure is made to protect against fraud, security threats or unauthorized access to our Services (limited, necessary disclosure only).

Any third party that processes biometric data on our behalf is bound by strict contractual terms to protect the data and use it only for the requested Service.

12.4 Retention and Destruction of Biometric Data

We adhere to strict biometric data retention limitations and only keep biometric data for the duration necessary to complete the specific AI generation or editing task you requested. The data is deleted immediately after the task is completed (typically within 24 hours), unless we are legally required to keep it for a different period under applicable global/local laws.

After the retention period expires or the requested AI feature is completed, we permanently destroy and delete all biometric data (including facial geometry scans and voiceprints) from our global systems and records. This permanent destruction is achieved through secure deletion mechanisms that overwrite the data, rendering it irrecoverable. The destruction process is confirmed and subject to internal audit to ensure compliance with this Policy and applicable law.

We DO NOT retain biometric data for AI model training, marketing or any other secondary purpose.

12.5 Security of Biometric Data

Biometric data is subject to our highest level of security protection. We implement industry-standard encryption measures for biometric data during transmission and storage (however brief) and restrict access to biometric data only to authorized personnel who need it to provide the requested AI feature. All personnel with access to biometric data are bound by strict confidentiality and data protection obligations.

13. Updates To This Policy

Our Services and global business operations may change from time to time, and we may update this Policy to reflect changes in our data processing practices, comply with new global/local privacy laws or regulatory requirements, or address new Service features (e.g., new AI tools). The "Last Updated" date at the top of this Policy will indicate the effective date of the revised version.

We recommend that you regularly check this Policy on our website to stay up to date with the latest changes. For substantial changes to this Policy (e.g., changes to biometric data processing, cross-border data transfer rules, user privacy rights, or new categories of personal data we collect), we will notify you in advance through appropriate means (e.g., pop-up notices on our website/app, push notifications, email alerts to your registered email address) in accordance with applicable global and local laws.

Your continued use of our Services after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree with the revised Policy, you should stop using our Services and delete your account.

14. Contact Us

For more information about your data subject rights, how we process your personal data, cross-border data transfers, or to exercise your privacy rights (access, correction, deletion, opt-out, etc.), please contact our Global Privacy Team using the following information:

General Privacy Inquiries (Global Users):

• Email: support@totalmedia.ai

We will review all your inquiries and requests promptly and respond in accordance with applicable global and local privacy laws. For identity verification purposes, we may request additional information from you to ensure that we are providing personal data access to the rightful owner.