# Privacy Policy **Last Updated**: May 1, 2026 **Effective Date**: May 1, 2026 Xross Road Inc. (a Delaware corporation; "we," "us," or "the Company") places great importance on protecting the Personal Information of the users (each, a "User" or "you") of its AI creation platform "TokiMake" (the "Service"), and hereby establishes this Privacy Policy (this "Policy"). This Policy applies to Users located in the United States. By reading this Policy, you can understand what Personal Information we collect and how we use, disclose, and protect it. Your use of the Service constitutes your consent to this Policy. > **IMPORTANT**: Residents of California have additional rights under the California Consumer Privacy Act (CCPA, as amended by the CPRA), as set forth in **Article 13** of this Policy. Residents of Virginia, Colorado, Connecticut, Utah, and other states that afford special rights under state law should review **Articles 14 and 15** of this Policy. *** ### Article 1 (Business Information) | Item | Details | | -------------- | ------------------------------------------------------ | | Business Name | Xross Road Inc. (a Delaware corporation) | | Address | 838 Walker Road Suite 21-2, Dover, Delaware 19904, USA | | Representative | Yosuke Utsumi | | Contact | | *** ### Article 2 (Personal Information We Collect) In providing the Service, we collect the following information. #### 2.1 Account Information * Email address * Username (display name) * Password (stored in hashed form) * Profile information (where optionally provided) * Record of confirmation that you are 18 years of age or older (the date and time of the checkbox confirmation) #### 2.2 Payment Information * Purchase history and transaction history * Subscription contract information * Billing address (including state and ZIP code) * We do not retain credit card information. Payment processing is performed by our designated payment provider, and card information is managed on the side of such provider. #### 2.3 Usage Data * Image generation history, prompt history, and negative prompt history * Vertical-scroll manga (webtoon) generation history * Generation parameters (model used, setting values, etc.) * Credit consumption and balance history * Operation logs (feature usage) * Public content and content you transmit to the Service (including Playground posts) #### 2.4 Device and Log Information * IP address * Browser type, version, and language settings * Operating system information * Date and time of access * Cookie information and similar technologies #### 2.5 Communication Information * The content of your inquiries to customer support * Email correspondence #### 2.6 Moderation-Related Information * The content of reports and report history * Rating determination results and determination history * History of enforcement actions (warnings, removals, feature restrictions, suspensions, etc.) * Records of appeals #### 2.7 Information Relating to the Adult Content Feature * Usage settings for the adult (R-18) feature (whether opted in) * Consent logs (records of consent to the Terms of Service and this Policy, age verification, and R-18 feature opt-in, including version, timestamp, and IP address) * Viewing and generation history of adult content *** ### Article 3 (Categories of Personal Information Collected — CCPA/CPRA Compliance) In accordance with the California Consumer Privacy Act (CCPA, as amended by the CPRA, Cal. Civ. Code §§ 1798.100 et seq.), we disclose the categories of Personal Information collected over the preceding 12 months as follows. | CCPA Category | Examples of Information Collected | Source of Collection | | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------- | | A. Identifiers | Name, email address, account ID, IP address | Directly (from you); automatically collected | | B. Personal records (Cal. Civ. Code §1798.80(e)) | Billing address, payment information | Directly (from you); payment provider | | C. Characteristics of protected classifications | Age (confirmation of being 18 or older only; we do not collect gender, race, religion, disability, marital status, etc.) | Directly (from you) | | D. Commercial information | Purchase history, subscription information | Directly (from you); payment provider | | E. Biometric information | Not collected | — | | F. Internet or other electronic network activity information | Browsing history, search history, operation logs on the Service | Automatically collected | | G. Geolocation data | Approximate regional information inferred from the IP address | Automatically collected | | H. Audio and visual information | Not collected | — | | I. Professional or employment-related information | Not collected | — | | J. Education information | Not collected | — | | K. Inferences | Inferences regarding your preferences and interests | Automatically collected and analyzed | | L. Sensitive Personal Information (CPRA) | Not collected (SSN, precise geolocation, race, health information, etc.) | — | *** ### Article 4 (Purposes of Use of Personal Information) We use the Personal Information we collect for the following purposes (the "business and commercial purposes" referred to under the CCPA/CPRA). 1. To provide, operate, improve, and promote the Service (including advertising and publicity, pursuant to Article 8 of the Terms of Service) 2. To manage and authenticate User accounts 3. To process payments and manage billing (including automatic subscription renewals) 4. To grant, consume, and manage the expiration of credits 5. To respond to customer support 6. To analyze usage and improve service quality 7. To prevent unauthorized use and ensure security 8. To conduct content moderation (by automated systems and human review) 9. To operate reporting, enforcement, and appeals processes 10. To verify age and determine eligibility requirements for the adult content feature 11. To respond as required by law (including subpoenas, court orders, and reports to NCMEC and others; see Article 5.6) 12. To provide notices of important announcements and changes to the Service (including pre-renewal notices under the California Automatic Renewal Law (ARL), AB2863) 13. For marketing communications (providing an opt-out mechanism in accordance with the CAN-SPAM Act) 14. **To develop, train, improve the quality of, evaluate, improve, develop new features for, and conduct research and development on AI models** — We use any and all content and information that you provide to us by generating, posting, publishing, transmitting, inputting, or by any other means through the Service (including prompts, images, text, source works, generation parameters, operation logs, feedback, ratings, comments, etc.) for purposes including use, reproduction, modification, adaptation, analysis, creation of derivative works, and provision to third parties as training data, under the **comprehensive (irrevocable) consent** pursuant to Article 8, Paragraph 3 of the Terms of Service. 15. To respond to requests for the removal of non-consensual intimate images under the TAKE IT DOWN Act, the PROTECT Act, and other federal and state laws, and to report to NCMEC. *** ### Article 5 (Disclosure and Sharing of Personal Information) We disclose or share your Personal Information with third parties only in the following cases. #### 5.1 Service Providers (Subcontractors) To the extent necessary to operate the Service, we entrust data processing to the following businesses. | Service Provider | Purpose | Information Provided | Country | | ------------------------------- | ------------------------------- | --------------------------------- | -------------------- | | Our designated payment provider | Payment processing | Payment-related information | United States | | Google LLC (Google Analytics) | Access analytics | Usage data and device information | United States | | Amazon Web Services, Inc. | Infrastructure and data storage | All data (stored encrypted) | Japan (Tokyo region) | | Cloudflare, Inc. | Content delivery and security | IP address, access information | United States | #### 5.2 As Required by Law We may disclose Personal Information in the following cases. * In response to a subpoena, court order, or legitimate request from a law enforcement authority * To comply with a legal obligation * To protect the rights, property, or safety of the Company, Users, or third parties * For emergency response (to ensure the safety of life or body) #### 5.3 With Your Consent We may provide it only where we have obtained your prior consent. #### 5.4 Disclosure in Connection with a Business Transfer In connection with a merger, acquisition, business transfer, corporate reorganization, corporate rehabilitation, or the like, we may disclose Personal Information as part of the business assets. In such cases, we will provide prior notice in accordance with applicable law (including notice obligations under state laws such as the CCPA/CPRA). #### 5.5 De-identified or Aggregate Information We may use and disclose, without restriction, de-identified information or aggregate information that has been processed so that individuals cannot be identified. #### 5.6 Disclosure to Investigative and Child Protection Authorities In the course of moderation operations under Article 14 of the Terms of Service, we may voluntarily provide your registration information, posted content, access logs, and other necessary information to investigative authorities, child protection organizations, and the like in any of the following cases. 1. Where we discover content depicting the sexual exploitation or sexual abuse of children (including real, photographic, or photorealistic depictions) — reporting to NCMEC (the National Center for Missing & Exploited Children) is mandatory under **18 U.S.C. § 2258A**. 2. Where we discover a deepfake of a real person, or other intimate image without the subject's consent (application of the **TAKE IT DOWN Act**, etc., is anticipated). 3. Where we discover content that is highly likely to violate the PROTECT Act, child pornography laws, or other federal or state laws. 4. Where we discover conduct that poses a risk of serious harm to the life, body, or property of the Company or a third party. 5. Where we receive a disclosure request based on law, such as a subpoena, court order, or inquiry relating to an investigation. 6. Where we receive a request for the removal of a non-consensual intimate image (NCII) under the TAKE IT DOWN Act and determine that disclosure of the poster's information is required by law. Recipients of such reports include NCMEC, the FBI, other federal and state investigative authorities, and the [Internet Hotline Center](https://www.internethotline.jp/) in Japan, among others. *** ### Article 6 (Sale or Sharing of Personal Information — "Do Not Sell or Share My Personal Information") **We do not provide your Personal Information to third parties in any manner constituting a "sale" or "sharing" as defined under the CCPA/CPRA.** Specifically: * We do not sell Personal Information for monetary consideration. * We do not share Personal Information for the purpose of cross-context behavioral advertising. California residents have the right to opt out, in the manner set forth in Article 13 of this Policy, in the event that we engage in such a sale or sharing in the future. *** ### Article 7 (Data Retention) #### 7.1 Storage Location Your Personal Information is stored on the servers of Amazon Web Services (Tokyo region). As a Delaware corporation, we implement appropriate safeguards with respect to international data transfers (see Article 12). #### 7.2 Retention Periods | Data Type | Retention Period | | ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | | Account information | One year after account deletion (for recovery and disclosure-request response) | | Payment and transaction history | The retention period required by U.S. federal tax law and other laws (up to 7 years) | | Credit balance and consumption history | 90 days after the expiration of each credit | | Consent logs (records of consent to the Terms, R-18 feature opt-in, etc.) | 7 years after withdrawal | | Moderation history and enforcement records | 3 years from the action | | Report records | 3 years from receipt | | DMCA notice records (existing) | 3 years from receipt | | Data incorporated into AI model training | During the period the model is provided (after withdrawal, separation or deletion may be difficult due to technical constraints) | | Usage data (generation history, prompts, etc.) | Deleted within 90 days after account deletion | | Device information and logs | One year from collection | #### 7.3 Security To protect Personal Information, we implement the following technical and organizational measures. * AES-256 encryption at rest * TLS encryption in transit * Access controls and management of audit logs * Privacy training for employees * Periodic security audits However, transmission over the Internet and methods of online storage are not 100% secure, and we cannot guarantee absolute protection. *** ### Article 8 (General Rights of Users) All Users, regardless of their state of residence, have the following rights. Where additional rights are afforded under state law, please refer to Articles 13 through 15 of this Policy. 1. **Right of Access**: To request disclosure of your Personal Information that we retain. 2. **Right to Correct**: To request correction where the content of your Personal Information is inaccurate. 3. **Right to Delete**: To request deletion of your Personal Information (except where a retention obligation exists under law). 4. **Opt-Out of Marketing Communications**: To stop receiving marketing emails under the CAN-SPAM Act (every commercial email includes an unsubscribe link). #### Relationship to Use for AI Model Training Pursuant to Article 8, Paragraph 3 of the Terms of Service, the use of data obtained through the Service for AI model training is premised on **comprehensive (irrevocable) consent**. * **An opt-out request against the use for AI model training itself cannot, in principle, be accepted.** * However, with respect to the **portions constituting Personal Information** contained in the usage data, we will respond to requests for deletion or cessation of use within the scope of applicable laws (the CCPA/CPRA, the Act on the Protection of Personal Information, etc.). * With respect to data already incorporated into AI model training, **separation or deletion may not be possible due to technical constraints.** * In such a case, we will take measures to cease the use of such data for new training, and will arrange for its use to terminate upon the discontinuation of the provision of such model. We will endeavor to protect Users' rights to the greatest extent technically reasonable. #### Procedures for Exercising Rights * **Contact**: (please indicate "Privacy Request" in the subject line) * **Identity verification**: Identity is verified by contact from your registered email address or by account authentication. * **Response deadline**: We will respond within a reasonable period after receiving the request. Where a specific deadline is prescribed by state law, we will comply with such deadline (for residents of CA/VA/CO/CT, see Articles 13 through 14). * **Fees**: No fee is charged for the exercise of rights. *** ### Article 9 (Automated Decision-Making) In content moderation under Article 14 of the Terms of Service, we make determinations using automated systems (rating determinations, filtering, automated removal, etc.). * Determinations by automated systems are made on the basis of the **objective content** of the content, and the poster's subjective intent is not taken into account. * Automated systems do not guarantee 100% accuracy, and false positives and oversights may occur. * If you object to the result of a determination made by an automated system, you may request human review by our moderation team through the appeals procedure set forth in the Community Guidelines. *** ### Article 10 (Response to Data Breaches) In the event of a leak, loss, damage, or other incident involving Personal Information (a "Data Breach"), we will take the following measures in accordance with applicable law. 1. **Reporting as required by law**: We will report to the competent authorities in accordance with applicable federal, state, and international laws (the data breach notification laws of the various U.S. states, applicable laws such as HIPAA, Article 26 of the Act on the Protection of Personal Information, etc.). 2. **Notification to individuals**: We will notify affected individuals within the period prescribed by applicable law (where Cal. Civ. Code §1798.82, etc., applies, in accordance with such provisions). 3. **Implementation of recurrence-prevention measures**: We will investigate the cause and implement technical and organizational measures to prevent recurrence. *** ### Article 11 (Cookies and Tracking Technologies) We use cookies and similar tracking technologies to provide and improve the Service. #### 11.1 Types of Cookies Used | Type | Purpose | Provider | | -------------------------- | ----------------------------------------------- | ------------------------------ | | Strictly necessary cookies | Maintaining login state; security | The Company (first party) | | Functional cookies | Saving language settings and User preferences | The Company (first party) | | Analytics cookies | Analyzing usage; improving the Service | Google LLC (third party) | | Performance cookies | Measuring site performance; optimizing delivery | Cloudflare, Inc. (third party) | #### 11.2 Managing Cookies * You can disable cookies in your browser settings (some features may become unavailable). * You can opt out of Google Analytics at . * **Global Privacy Control (GPC) signal**: We honor the GPC signal transmitted by your browser as a manifestation of your intent to opt out of the "sale or sharing" of Personal Information under the CCPA/CPRA. *** ### Article 12 (International Data Transfers) As a Delaware corporation, some of our data is transferred and processed internationally as follows. * **United States**: Entrustment of data processing to the payment provider, Google, Cloudflare, etc. * **Japan**: Data storage at Amazon Web Services (Tokyo region). These transfers are carried out in accordance with applicable laws (U.S. federal law, state law, and the laws of the country in which the service provider is located). We confirm that appropriate data protection measures (encryption, access restrictions, etc.) are in place at the transfer destinations. *** ### Article 13 (Rights of California Residents) **California residents** have the following additional rights under the California Consumer Privacy Act (CCPA, as amended by the CPRA, Cal. Civ. Code §§ 1798.100 et seq.). #### 13.1 Right to Know The right to request the following information regarding the Personal Information that we have collected, used, and disclosed over the preceding 12 months: * The categories of Personal Information collected (see Article 3) * The categories of sources from which it was collected * The business or commercial purpose for collecting or disclosing it * The categories of third parties with whom Personal Information was shared * The specific pieces of Personal Information collected #### 13.2 Right to Delete The right to request deletion of your Personal Information that we retain (except where an exception under CCPA §1798.105 applies). #### 13.3 Right to Correct (CPRA) The right to request correction of inaccurate Personal Information. #### 13.4 Right to Opt-Out of Sale or Sharing We do not sell or share Personal Information (see Article 6). Should such handling occur in the future, California residents have the right to opt out. #### 13.5 Right to Limit Use of Sensitive Personal Information (CPRA) We do not collect Sensitive Personal Information (see Article 3, Item L). Should such collection occur in the future, you have the right to request a limitation on its use. #### 13.6 Right to Non-Discrimination The right not to be subjected to discriminatory treatment in the quality or price of, or otherwise in connection with, the Service for exercising the rights described above. #### 13.7 No Financial Incentives We do not offer any financial incentive (discounts, benefits, etc.) in exchange for consent to the provision or retention of Personal Information, an opt-out, or the like. #### 13.8 How to Exercise Your Rights * **Contact**: (subject line "CCPA Request") * **Response deadline**: We respond within 45 days of receipt (extendable by an additional 45 days). * **Identity verification**: Contact from your registered email address, plus account authentication. * **Requests by an authorized agent**: A request submitted through an authorized agent is also permitted (proof of authority is required). #### 13.9 Shine the Light Law (Cal. Civ. Code §1798.83) As stated in Article 6, we do not share Personal Information for the direct marketing purposes of third parties. Accordingly, there is nothing to disclose under the Shine the Light law. *** ### Article 14 (Rights of Virginia, Colorado, and Connecticut Residents) Residents of **Virginia** (the Virginia Consumer Data Protection Act, VCDPA, Va. Code §59.1-575 et seq.), **Colorado** (the Colorado Privacy Act, CPA), and **Connecticut** (the Connecticut Data Privacy Act, CTDPA) have the following rights. 1. **Right of Access**: The right to confirm and to access the processing of personal data. 2. **Right to Correct**: The right to request correction of inaccurate personal data. 3. **Right to Delete**: The right to request deletion of personal data. 4. **Right to Data Portability**: The right to obtain personal data in a structured format. 5. **Right to Opt Out of Processing**: * To opt out of processing for targeted advertising * To opt out of the sale of personal data * To opt out of profiling (involving significant decisions) 6. **Right to Appeal**: The right to use an internal appeals process with respect to our decisions. #### How to Exercise Your Rights * **Contact**: (subject line "State Privacy Request") * **Response deadline**: Within 45 days (extendable by an additional 45 days). * **Appeals**: If you are dissatisfied with our response, you may appeal to the office of your state Attorney General. *** ### Article 15 (Rights of Utah and Other State Residents) Residents of **Utah** (the Utah Consumer Privacy Act, UCPA) and of other states that afford special rights under state law likewise have similar privacy rights in accordance with the law of such state. For details, please contact . *** ### Article 16 (Privacy of Minors and Children) **The Service is intended for persons 18 years of age or older.** (See Article 4.2 of the Terms of Service.) 1. **Use by persons under 18**: If we discover that a person under 18 years of age is using the Service, we will promptly suspend the account and delete the Personal Information. 2. **Age requirement for the adult (R-18) feature**: The adult (R-18) feature is available only to members 18 years of age or older (see Article 13 of the Terms of Service). If we discover the use of the adult feature by a User under 18, we will immediately suspend the account and delete the related data. 3. **COPPA (federal law) compliance**: In particular, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and the implementing rule of the Federal Trade Commission (FTC) (16 C.F.R. Part 312, including the amended version effective June 23, 2025), we do not knowingly collect the personal information of children under 13 years of age. If you believe that we have collected the personal information of a child under 13, the parent or guardian may contact . 4. **Mandatory reporting of child sexual exploitation content**: If we discover content depicting the sexual exploitation or sexual abuse of children (including real, photographic, or photorealistic depictions), we will report to NCMEC (the National Center for Missing & Exploited Children) under **18 U.S.C. § 2258A** (see Article 5.6). *** ### Article 17 (Changes to This Policy) We may change this Policy due to amendments to laws, changes to the content of the Service, or other circumstances. * **Minor changes**: We will give notice by posting on the Service, and such changes take effect 30 days after posting. * **Material changes**: We will give notice by transmission to your registered email address and by posting on the Service, at least 30 days before the effective date. By continuing to use the Service on or after the effective date of the revised Policy, you are deemed to have consented to the revised Policy. *** ### Article 18 (Contact) For inquiries regarding this Policy, the exercise of privacy rights, or other opinions or complaints, please contact us at: * **Email**: * **Business**: Xross Road Inc. (a Delaware corporation) * **Representative**: Yosuke Utsumi * **Address**: 838 Walker Road Suite 21-2, Dover, Delaware 19904, USA *** ### Article 19 (Governing Law and Jurisdiction) 1. This Policy is governed by the laws of the State of Delaware, USA (excluding its conflict-of-laws principles). 2. Disputes relating to this Policy shall be resolved in accordance with Article 20 (Dispute Resolution, Arbitration, and Class Action Waiver) and Article 21 (Governing Law and Jurisdiction) of the Terms of Service. 3. **Special provision for California residents**: For compliance with California Senate Bill 940 (effective January 1, 2025), the special provision of Article 21, Paragraph 5 of the Terms of Service applies to California residents. *** **Effective Date**: May 1, 2026 --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.tokimake.app/privacy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.