Privacy Policy

Introduction

This Privacy Policy describes how NNT Inc. (주식회사 엔엔티) ("Company," "we," "us," or "our"), collects, uses, stores, shares, and otherwise processes your personal information when you access or use the GRYYD platform available at https://www.gryyd.ai (the "Services").

GRYYD is an AI-powered advertising creative generation platform that enables performance marketers and brands to create professional product advertisement images using AI image generation technology. The Services include product asset management, AI-based image generation and editing, creative performance analytics integrated with third-party advertising platforms (including Meta Ads and Google Ads), and related tools.

This Privacy Policy applies when you:

• Visit our website at https://www.gryyd.ai
• Register for and use the GRYYD platform
• Connect third-party advertising accounts (such as Meta or Google Ads) to the Services
• Contact us, subscribe to communications, or otherwise interact with us

If you do not agree with the practices described in this Privacy Policy, please do not use the Services.

This Privacy Policy is provided in English. If we publish translated versions in the future, the English version will remain the reference text unless a specific translated version is designated as controlling for a particular jurisdiction. Regardless of language, Korean residents retain all rights granted under the Personal Information Protection Act (개인정보보호법), including the right to have ambiguous terms interpreted in their favor under Korean consumer protection principles.

Summary of Key Points

This summary highlights key points from our Privacy Policy. For full details, please review the relevant sections below or use the table of contents.

• What information we collect: Account information (email, name, password), uploaded content (product images, prompts, generated outputs), usage data, technical information (IP address, device, cookies), payment information processed by our payment provider, and data from third-party advertising platforms you choose to connect.
• Why we process your information: To provide and improve the Services, process payments, generate AI outputs via Google Gemini and OpenAI, deliver advertising performance analytics, communicate with you, prevent fraud, and comply with legal obligations.
• Sensitive personal information: We do not intentionally collect or process sensitive personal information.
• Sharing with third parties: We share data with infrastructure providers (Google Cloud), AI providers (Google Gemini, OpenAI), payment processors, analytics providers, and advertising platforms you connect (Meta, Google Ads). We do not sell personal information.
• Your rights: Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to withdraw consent.
• AI training: We do not use your uploaded content, prompts, or generated outputs to train AI models. AI processing is performed via Google Vertex AI / the paid tier of the Google Gemini API, and the paid tier of the OpenAI API (including GPT Image 2) — under terms that prohibit these providers from using your data to train or improve their models. OpenAI may retain inputs and outputs for up to 30 days for abuse monitoring before automatic deletion.

1. Information We Collect

1.1 Information You Provide to Us

1.2 Information Collected Automatically

When you visit or use the Services, we automatically collect certain information through cookies, log files, and similar technologies:

• IP address and approximate location (country/region level, inferred from IP)
• Browser type, version, and language preferences
• Device type, operating system, and screen resolution
• Referring URLs and pages visited within the Services
• Date and time of access, session duration
• Click events, feature usage patterns, and other interaction data
• Cookie identifiers and similar tracking technology identifiers

1.3 Information from Third-Party Platforms

When you connect a third-party account to the Services, we receive information from that platform. See Section 4 for details on Meta and Google Ads integrations, and Section 6 for social login integrations.

1.4 Sensitive Personal Information

GRYYD is designed for product imagery (e.g., product photos, packaging, marketing assets). It is not intended for the processing of human faces, biometric identifiers, or other sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation.

What this means in practice

• We do not intentionally collect or process biometric data. We do not run facial recognition on your uploads, and we do not extract, generate, or store facial embeddings, face templates, or other biometric identifiers on our infrastructure.
• Product images you upload may incidentally include human faces (for example, a model wearing your product, a mannequin, or a person appearing in a reference image). When this occurs, we store and transmit the image as-is to fulfill your generation or editing request. We do not perform identity-level analysis on these faces, and we do not link incidentally-appearing faces to user accounts or profiles.
• AI processing of your uploads is performed by Google Gemini (via Google Vertex AI, paid tier) and/or OpenAI (paid API tier, including GPT Image 2). These providers are contractually prohibited from using your inputs or outputs to train their models. See Section 11 for details.

Your obligations when uploading content that contains human faces

You agree that you will not upload to the Services any image containing an identifiable human face unless at least one of the following is true:

1. The face depicted is your own;
2. You have obtained valid consent from each depicted person (or, where applicable, from their legal guardian) authorizing the use of their image with an AI image generation and editing service; or
3. The image is otherwise lawful for you to use under applicable law (for example, a clearly licensed stock image whose license permits AI-based modification).

You further agree that you will not use the Services to:

• Generate, edit, or composite images depicting public figures, politicians, celebrities, or deceased persons without lawful basis;
• Create sexual, defamatory, harassing, hateful, or otherwise unlawful content involving identifiable persons;
• Produce deepfakes or other content that could deceive viewers into believing a real person performed an action they did not perform.

No automated upload filtering at this time

We currently do not technically block the upload of images containing human faces. This is a deliberate design choice to support legitimate product imagery (which often features human models). It does not constitute permission to upload content in violation of the obligations above. You remain solely responsible for ensuring that every image you upload complies with this Privacy Policy, our Terms of Service, applicable privacy and biometric data laws (including the Korean Personal Information Protection Act, GDPR, and any applicable U.S. state biometric privacy laws), and the personality, publicity, and image rights of any persons depicted.

We reserve the right, at our sole discretion and without prior notice, to remove content, suspend or terminate accounts, and report unlawful activity to relevant authorities where we become aware of violations of these obligations. We may also introduce automated detection and blocking of unsupported content categories (such as identifiable human faces uploaded without lawful basis) in the future, and will update this Privacy Policy accordingly.

Reporting concerns or removal requests

If you believe an image of you (or of a person you legally represent) has been uploaded to or processed by the Services without proper authorization, please contact our Chief Privacy Officer at nnt.aistudio@metric-studio.com with sufficient information for us to identify the content. We will review and act on such requests promptly, typically within 30 days, in accordance with Section 12.

2. How We Process Your Information

We process your personal information for the following purposes:

2.1 Service Provision

• Creating and managing your account, workspaces, folders, and creatives
• Processing AI image generation and editing requests via Google Gemini API and/or OpenAI API (including GPT Image 2)
• Storing your uploaded assets, prompts, and generated outputs
• Delivering advertising performance analytics from connected platforms

2.2 Payments and Subscriptions

We use Lemon Squeezy as our Merchant of Record for all paid transactions. This means Lemon Squeezy is the seller of record for your subscription or credit pack purchase, handles payment processing on our behalf, and is responsible for tax compliance (including VAT, sales tax, and similar). When you make a purchase through the Services:

• Payment information (card number, CVV, full billing details) is collected and processed by Lemon Squeezy, not by GRYYD
• We receive only limited transaction information (e.g., transaction ID, amount, last 4 digits of card, billing country, subscription status)
• Applicable taxes (VAT, GST, US sales tax, and similar) are automatically calculated and displayed by Lemon Squeezy at checkout based on your billing location
• Lemon Squeezy issues invoices and receipts on behalf of NNT Inc., and delivers them to you automatically by email after each successful payment
• Your relationship with Lemon Squeezy for payment processing is additionally governed by their Privacy Policy and Data Processing Agreement

We process the limited transaction data we receive to:

• Manage your subscription, billing cycle, renewals, and cancellations
• Track credit balances and consumption
• Provide receipts and account history
• Handle refund and dispute requests

Refund requests: To request a refund, please email nnt.aistudio@metric-studio.com. We review each request, and if approved, the actual refund is executed through Lemon Squeezy and returned to your original payment method. Refund eligibility is governed by our Terms of Service and any applicable mandatory consumer protection laws (including, for South Korean consumers, the Act on Consumer Protection in Electronic Commerce).

2.3 Communication

• Responding to support inquiries
• Sending service-related notifications (account activity, payment confirmations, security alerts)
• Sending marketing communications (only with your explicit consent, where required by law)
• Notifying you of material changes to the Services or this Privacy Policy

2.4 Improvement and Analytics

• Analyzing aggregated usage patterns to improve the Services
• Diagnosing and resolving technical issues
• Conducting A/B testing and feature experiments
• Generating internal business analytics

2.5 Security and Fraud Prevention

• Detecting and preventing fraudulent activity, abuse, and unauthorized access
• Enforcing our Terms of Service
• Investigating suspected violations of our policies

2.6 Legal Compliance

• Complying with applicable laws and regulations (including tax, consumer protection, and data protection laws)
• Responding to lawful requests from public authorities
• Establishing, exercising, or defending legal claims

2.7 What We Do NOT Do

• We do not sell your personal information to third parties
• We do not access advertising accounts you have not explicitly connected
• We do not share your uploaded content or prompts with third parties beyond the subprocessors required to provide the Service (primarily Google Gemini and OpenAI for AI processing)
• We do not use your uploaded content, prompts, or generated outputs to train AI models. Our use of Google Gemini is performed through Google Vertex AI and the paid tier of the Gemini API, governed by the Google Cloud / Vertex AI data usage terms and the Gemini API Paid Services terms. Our use of OpenAI (including GPT Image 2) is performed through the paid tier of the OpenAI API, governed by the OpenAI API Data Usage Policies. Under these terms, neither Google nor OpenAI uses your inputs or outputs to train or improve their models. OpenAI may retain API inputs and outputs for up to 30 days solely for abuse monitoring (e.g., detection of policy violations), after which they are automatically deleted; OpenAI personnel access this data only when investigating suspected abuse.

3. Sharing with Third Parties

We share personal information with the following categories of recipients, all of which are bound by confidentiality and data protection obligations.

3.1 Subprocessors

3.2 Connected Advertising Platforms

When you connect Meta or Google Ads accounts, data flows between the Services and those platforms as described in Section 4.

3.3 Business Transfers

If we are involved in a merger, acquisition, financing, sale of assets, or bankruptcy proceeding, your personal information may be transferred as part of that transaction. We will notify you of such transfers via email or a prominent notice on the Services before your information becomes subject to a different privacy policy.

3.4 Legal Requirements

We may disclose your information if required by law, legal process, or governmental request, or to protect the rights, property, or safety of NNT Inc., our users, or others.

3.5 With Your Consent

We may share your information with other third parties when you have given us explicit consent to do so.

3.6 We Do Not Sell Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4. Third-Party Advertising Platform Integrations

The Services offer optional integrations with Meta Ads and Google Ads. These integrations are activated only when you explicitly connect your accounts and grant the required permissions.

4.1 Meta (Facebook/Instagram) Ads Integration

When you connect your Meta advertising account through the Services, we access and process the following data via the Meta Marketing API and related Meta APIs:

Data accessed

• Ad account information (account ID, name, currency, time zone, status)
• Business Manager and asset access information
• Campaign, ad set, and ad-level metadata (names, status, objectives, schedule)
• Ad creative assets (images, videos, copy) that you have uploaded to Meta
• Aggregated advertising performance metrics (impressions, clicks, spend, CTR, CPC, CPM, conversions, ROAS)
• Audience and targeting configuration metadata (we do not access individual end-user data)

Purpose

• To display creative performance analytics within your GRYYD workspace
• To enable AI-powered analysis of your advertising creatives (using Google Gemini and/or OpenAI)
• To generate dashboards, reports, and insights based on your ad performance

What we do not do

• We do not share your Meta advertising data with any third party other than the subprocessors listed in Section 3.1
• We do not access Meta accounts you have not explicitly connected
• We do not access end-user personal information from your Meta audiences
• We do not use Meta advertising data (including ad creatives, performance metrics, or account metadata) to train AI models. All AI-based analysis is performed through Google Vertex AI / the paid tier of the Gemini API, and the paid tier of the OpenAI API — all of which contractually prohibit the providers from using this data for model training.

Disconnection and deletion

You may disconnect your Meta account at any time via your GRYYD workspace settings. Upon disconnection, we will delete all Meta-derived data within 30 days, except where we are required to retain it for legal or accounting purposes.

Data Deletion Requests

You can request deletion of Meta-derived data through any of the following channels:

• In GRYYD: Disconnect your Meta account via your workspace settings. We will delete all Meta-derived data within 30 days, except where retention is required for legal or accounting purposes.
• In Facebook: Go to Facebook → Settings & Privacy → Settings → Apps and Websites → GRYYD → Remove. Meta will automatically notify our backend, and we will process the deletion within 30 days.
• By email: Contact our Chief Privacy Officer at nnt.aistudio@metric-studio.com. See Section 12 for our general privacy rights process.

For step-by-step instructions, please visit our Data Deletion Instructions page.

Compliance

Our use of Meta Platform data is governed by the Meta Platform Terms and Meta Developer Data Use Policy, in addition to this Privacy Policy.

4.2 Google Ads Integration

When you connect your Google Ads account, we access the following data via the Google Ads API:

Data accessed

• Account information (account ID, name, currency, time zone)
• Campaign, ad group, ad, and asset-level metadata
• Performance Max asset groups and asset-level data
• Ad creative assets (images, videos, headlines, descriptions)
• Aggregated performance metrics (impressions, clicks, spend, CTR, CPC, conversions)

Purpose, restrictions, and deletion practices are equivalent to those described for Meta in Section 4.1.

Compliance

Our use of Google Ads data is governed by the Google API Services User Data Policy and applicable Google Ads API terms.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate, analyze, and improve the Services. We use the following categories of cookies:

We use CookieYes with Google Consent Mode v2 to manage cookie consent. You can change your cookie preferences at any time via the cookie settings link in the website footer.

About our marketing pixels:

• Meta Pixel Execution: The Meta Pixel is integrated into gryyd.ai but remains strictly inactive until explicit marketing consent is granted via our cookie banner. Upon consent, limited data—including IP addresses, browser/device identifiers, and cookie IDs—may be shared with Meta for advertising measurement and attribution. If marketing cookies are declined, the Meta Pixel is completely blocked from loading.
• Google Consent Mode v2: Our Google Analytics 4 and Google Ads Conversion Tags operate strictly under Google Consent Mode v2. Accepting cookies allows these tags to process standard interaction data. If declined, cookie storage and access are entirely restricted. In such cases, the tags transmit only anonymous, cookieless signals, enabling aggregate modeling without individual tracking.
• Enhanced Conversions Policy: Google Ads Enhanced Conversions is fully deactivated. gryyd.ai does not transmit hashed email addresses, phone numbers, or any other personally identifiable information (PII) to Google.

Meta Pixel — Automatic Advanced Matching: enabled. When you grant marketing consent and interact with our website, the Meta Pixel automatically reads available customer information from the page — including email address, phone number, first and last name, gender, city / state / postal code / country, date of birth, and external user identifier — hashes this information cryptographically in your browser, and transmits the hashed values to Meta alongside the standard signals described above. Meta uses these hashed identifiers to attribute ad conversions to your account more accurately and to serve more relevant advertising. The hashing occurs in your browser before transmission, so plain-text personal information is not sent to Meta.

6. Social Logins

The Services support two authentication methods:

1. Email and password — You may register with an email address and password.
2. Sign in with Google — You may register or log in using your Google account through the standard Google OAuth flow.

Both authentication methods are powered by Firebase Authentication, a Google service. Your authentication data — including your email address, password (stored in hashed form by Firebase, never in plain text), display name, and authentication tokens — is processed and stored by Google through Firebase Authentication. Password reset and email verification emails are also delivered via Firebase. See Section 3.1 for Firebase's role as a subprocessor.

When you use Sign in with Google, we receive only the limited profile information necessary to create and authenticate your account:

• Your name (as provided by Google)
• Your email address
• Your profile picture (if available)
• A unique Google account identifier

We do not request, access, or store any additional Google data, including your Google contacts, calendar, Drive files, Gmail content, friends list, social graph, or address book. We do not offer or use Facebook/Meta Login, Apple Sign In, Kakao, Naver, or any other third-party authentication provider.

Your relationship with Google is governed by Google's Privacy Policy. We recommend reviewing it to understand how Google handles your authentication data.

7. International Data Transfers

NNT Inc. is based in the Republic of Korea, and our primary infrastructure — including databases and storage for user accounts, uploaded assets, and generated outputs — is hosted on Google Cloud Platform in the Seoul region (asia-northeast3), within the Republic of Korea.

Some of our subprocessors — including Google LLC (Vertex AI, Gemini API, Firebase Authentication, Google Analytics, Google Ads, Google Tag Manager), OpenAI, L.L.C., Meta Platforms, Inc., Lemon Squeezy (Merchant of Record: Sold through Link, LLC f/k/a Lemon Squeezy LLC), Mixpanel, Inc., Functional Software, Inc. (Sentry), Trampoline Software SRL (Formspark), and CookieYes Limited — process data outside the Republic of Korea (principally in the United States, the European Union, and the United Kingdom). A full list with country of processing is provided in Section 3.1 and, for Korean users, in Section 13.3. By using the Services, you acknowledge that your personal information may be transferred to and processed in countries that may have different data protection laws than your country of residence.

Data Processing Agreements (DPAs) are in place with each of our principal subprocessors, contractually binding them to process personal information only on our instructions and to maintain appropriate security measures. These DPAs become effective automatically upon acceptance of each subprocessor's service terms:

• Google Cloud Platform DPA
• OpenAI DPA
• Lemon Squeezy DPA
• Mixpanel DPA
• Meta Platforms Data Processing Terms

For users in the EEA, UK, or Switzerland, where applicable, transfers outside those regions are made under Standard Contractual Clauses (SCCs) incorporated through each subprocessor's DPA, or under adequacy decisions (e.g., the EU–US Data Privacy Framework for DPF-certified recipients).

You may request a copy of the safeguards we rely on by contacting our Chief Privacy Officer at nnt.aistudio@metric-studio.com.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

When the retention period expires or you request deletion, we will delete or anonymize your information, unless retention is required for legal, accounting, or fraud-prevention purposes.

9. Data Security

We take reasonable technical and organizational measures to protect your personal information. These measures include:

• Encryption in transit: All traffic between your browser and the Services is protected using industry-standard HTTPS / TLS encryption.
• Encryption at rest: Data stored in our Google Cloud Platform infrastructure (Seoul region, asia-northeast3) is encrypted at rest using Google-managed encryption keys, as provided by default by Google Cloud.
• Platform-level defenses: We rely on the infrastructure-level security controls provided by Google Cloud Platform, including network firewalls, DDoS protection, and regular platform security updates.
• Subprocessor due diligence: We select subprocessors that provide comparable or stronger safeguards (see Section 3.1).

We do not currently hold formal security certifications such as SOC 2 Type II or ISO/IEC 27001. We continue to review and improve our security posture over time.

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. You are responsible for keeping your own credentials (email, password) confidential and for notifying us promptly if you suspect unauthorized access to your account.

Data breach notification: If we become aware of a personal data breach that affects your personal information, we will notify you and, where required, the relevant supervisory authorities within the timelines required by applicable law (including, for EEA/UK users, within 72 hours where feasible under GDPR Article 33; for Korean users, without delay under PIPA §34).

10. Children's Privacy

The Services are not intended for users under the age of 18 (or under the age of 14 for users in South Korea, in accordance with the Personal Information Protection Act).

We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without verifiable parental consent, we will take steps to delete that information promptly.

If you believe we have collected information from a child, please contact our Chief Privacy Officer at nnt.aistudio@metric-studio.com.

11. AI and Automated Processing

The Services use artificial intelligence (AI) to generate and edit images based on your inputs. We currently use multiple AI providers in parallel, and the specific provider invoked depends on the feature you are using:

• Image generation, editing, reference-based composition, and inpainting: When you provide product assets and prompts, we send these to Google Gemini API (via Google Vertex AI) and/or to OpenAI (including GPT Image 2) to generate or modify advertisement images
• Creative analysis: When you connect advertising accounts, we use Google Gemini and/or OpenAI to analyze ad creatives and generate insights
• Output ownership: You retain ownership of the images you upload and the outputs generated for you, subject to the Terms of Service and applicable third-party model terms

Important notes:

• AI-generated outputs may contain inaccuracies; you are responsible for reviewing outputs before commercial use
• Google Gemini's processing is subject to Google's API terms; OpenAI's processing is subject to the OpenAI API Terms of Use and OpenAI Usage Policies
• No AI training on your data:
  • Google Gemini: We process your data through Google Vertex AI and the paid tier of the Google Gemini API. Under the applicable Google Cloud / Vertex AI terms and the Gemini API Paid Services terms, Google does not use your prompts, inputs, or generated outputs to train or improve its foundation models.
  • OpenAI: We process your data through the paid tier of the OpenAI API. Under the OpenAI API Data Usage Policies, OpenAI does not use API inputs or outputs to train its models. OpenAI may retain inputs and outputs for up to 30 days for the limited purpose of monitoring abuse and policy violations, after which they are automatically deleted; OpenAI personnel access this data only when investigating suspected abuse.
• Your data is used solely to generate responses for your specific request and is not used to develop, train, or improve foundation models.

12. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to access: Request a copy of the personal information we hold about you
• Right to rectification: Request correction of inaccurate or incomplete information
• Right to erasure ("right to be forgotten"): Request deletion of your personal information
• Right to restrict processing: Request limitation of how we process your information
• Right to data portability: Request your information in a structured, commonly used format
• Right to object: Object to processing based on legitimate interests
• Right not to be subject to automated decision-making: Including profiling that produces legal or similarly significant effects
• Right to withdraw consent: Where processing is based on consent

How to Exercise Your Rights

To exercise any of the rights listed above — including data access, data export, correction, account deletion, restriction, objection, or withdrawal of consent — please contact our Chief Privacy Officer at nnt.aistudio@metric-studio.com. GRYYD handles all such requests through this single email channel rather than through an in-app self-service interface.

When you submit a request, we will:

• Verify your identity using reasonable authentication steps (typically by confirming control of the email address associated with your account) before disclosing, exporting, or deleting any information
• Respond within 30 days of receiving a verifiable request, or within any shorter period required by applicable law (e.g., 45 days under CCPA, "without undue delay" under PIPA §35)
• Provide exported data in a commonly used machine-readable format (e.g., JSON or CSV) where the right to data portability applies

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

13. Region-Specific Provisions

13.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

GRYYD is operated from the Republic of Korea and offered globally in English. We do not currently localize or actively market the Services to the EEA, UK, or Switzerland — we provide no EU-language interfaces, no EUR-denominated pricing, and no EU-targeted marketing campaigns. However, residents of these regions may access and use the Services, and where they do, the General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Act on Data Protection (FADP) applies to our processing of their personal information as described below.

• Data Controller: NNT Inc. (주식회사 엔엔티), 13F, D&O Building, 2621 Nambusunhwan-ro, Gangnam-gu, Seoul 06267, Republic of Korea
• Privacy Contact (Chief Privacy Officer): Sungjoon Yoon — nnt.aistudio@metric-studio.com. NNT Inc. has not formally appointed a Data Protection Officer under Article 37 GDPR, as our processing activities do not meet the mandatory designation criteria. However, our Chief Privacy Officer (designated under Korean PIPA §31) serves as the primary point of contact for all privacy-related inquiries from EEA, UK, and Swiss users.
• EU Representative (Art. 27 GDPR): Consistent with the above, we have not appointed an EU representative under Article 27 GDPR at this time, on the basis that the Services are not specifically directed to data subjects in the EU. If we begin to actively offer the Services to EU data subjects (for example, by introducing EU-language interfaces, EUR-denominated pricing, or EU-targeted marketing), we will appoint an EU representative as required.

Legal bases for processing under GDPR Article 6:

• International transfers: See Section 7
• Right to lodge a complaint: With your local supervisory authority or the European Data Protection Board

13.2 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights:

• Right to know: What personal information we collect, use, disclose, and sell
• Right to delete: Request deletion of your personal information
• Right to correct: Request correction of inaccurate information
• Right to opt-out of sale or sharing: We do not sell your personal information. However, our cookie-based marketing pixels (Meta Pixel, Google Ads) may share identifiers, device/browser information, and internet activity with Meta and Google for cross-context behavioral advertising. You may opt out at any time via our cookie banner ("Reject" / cookie settings), which functions as our "Do Not Sell or Share My Personal Information" mechanism
• Right to limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide the Services
• Right to non-discrimination: We will not discriminate against you for exercising your rights

To exercise your California rights, contact us at nnt.aistudio@metric-studio.com. We will verify your request using reasonable authentication steps (such as confirming control of the email address associated with your account) before disclosing or deleting information. We will respond to verifiable requests within 45 days, or within any shorter period required by California law. You may also designate an authorized agent to submit a request on your behalf; we may require the agent to provide signed permission from you and may contact you directly to verify the request.

Categories of personal information collected and disclosed in the past 12 months:

We have not sold personal information in the past 12 months. We have shared identifiers, internet/device activity, and (where Automatic Advanced Matching applies) hashed contact identifiers with Meta and Google for cross-context behavioral advertising through cookie-based marketing pixels. California residents may opt out at any time as described above.

13.3 South Korea (PIPA / 개인정보보호법)

If you are a resident of the Republic of Korea, the Personal Information Protection Act (개인정보보호법, "PIPA") applies.

개인정보처리자(Personal Information Controller):

• 회사명: 주식회사 엔엔티 (NNT Inc.) — 서비스명: GRYYD
• 대표자: Cho Kevin Kyungsang (조경상)
• 주소: 서울특별시 강남구 남부순환로 2621 디앤오빌딩 13층 (06267)
• 사업자등록번호: 710-81-02050
• 통신판매업 신고번호: 2023-서울강남-02286
• 대표 연락처: nnt.aistudio@metric-studio.com / +82-70-8804-2605

개인정보보호책임자(Chief Privacy Officer, PIPA §31):

• 성명: Sungjoon Yoon (윤성준)
• 직책: Chief Privacy Officer
• 이메일: nnt.aistudio@metric-studio.com
• 소속: 주식회사 엔엔티

개인정보 관련 문의·열람·정정·삭제·처리정지·동의 철회 요청 및 권익침해에 관한 문의사항은 위 개인정보보호책임자에게 이메일로 연락해 주시기 바랍니다. 주식회사 엔엔티는 PIPA 제31조에 따라 개인정보보호책임자의 업무를 지원하며, 정보주체의 요청에 대해 관계 법령이 정한 기간 내에 성실히 응답합니다.

처리하는 개인정보 항목: Section 1 참조

처리 목적: Section 2 참조

보유 및 이용 기간: Section 8 참조

개인정보의 제3자 제공 및 처리위탁: GRYYD는 정보주체의 개인정보를 원칙적으로 제3자에게 제공하지 않으며, 서비스 제공에 필요한 범위에서 일부 업무를 국내외 전문 사업자에게 위탁하고 있습니다. 위탁 현황은 Section 3.1 (Subprocessors)에 전체 공개되어 있습니다.

개인정보의 국외 이전 (PIPA §28-8 공개): 주식회사 엔엔티는 아래와 같이 개인정보를 국외로 이전하고 있으며, 본 개인정보처리방침의 공개로써 개인정보 보호법 제28조의8 제1항 제3호(처리방침에 공개한 경우)에 따라 이전하고 있습니다. 정보주체는 서비스 가입 시 본 방침의 내용을 확인하고 동의한 것으로 간주되며, 개별 동의 절차 없이도 아래 범위 내에서 이전이 이루어집니다.

국외 이전에 관한 거부권: 정보주체는 국외 이전을 거부할 권리가 있습니다. 다만 위 이전은 서비스 제공을 위해 필요한 처리이므로, 거부 시 해당 기능(예: AI 생성, 광고 연동, 결제) 이용이 제한될 수 있습니다. 국외 이전 거부를 원하시는 경우 개인정보보호책임자(nnt.aistudio@metric-studio.com)에게 연락해 주시기 바랍니다.

이전받는 자의 개인정보 보호 수준: GRYYD는 위 수탁자들과 개인정보 처리 관련 계약(Data Processing Agreement) 또는 그에 준하는 약정을 체결하거나 수탁자의 표준 개인정보 보호 약관을 적용하여, PIPA가 요구하는 수준의 안전성 확보 조치가 이루어지도록 하고 있습니다.

정보주체의 권리:

• 개인정보 열람, 정정·삭제, 처리정지 요구
• 동의 철회
• 만 14세 미만 아동의 경우 법정대리인의 권리 행사

권리 행사 방법: nnt.aistudio@metric-studio.com 으로 이메일 요청 (개인정보보호책임자에게 직접 발송). GRYYD는 모든 정보주체 권리 행사 요청을 본 이메일 채널을 통해 일원화하여 접수·처리하며, 별도의 in-app 자가처리 UI는 제공하지 않습니다. 본인 확인 후 30일 이내(다른 법령에서 더 짧은 기간을 정하는 경우 그 기간 내)에 응답합니다.

개인정보의 안전성 확보 조치: 암호화, 접근통제, 접속기록 보관 등 (Section 9 참조)

자동으로 수집되는 개인정보(쿠키 등)와 거부 방법: Section 5 참조

권익침해 구제방법:

• 개인정보분쟁조정위원회: 1833-6972 (www.kopico.go.kr)
• 개인정보침해신고센터: 118 (privacy.kisa.or.kr)
• 대검찰청 사이버수사과: 1301 (www.spo.go.kr)
• 경찰청 사이버수사국: 182 (cyberbureau.police.go.kr)

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be indicated by a revised "Last updated" date at the top of this Privacy Policy.

If we make material changes, we will provide more prominent notice (such as via email or an in-app notification) before the changes take effect. We encourage you to review this Privacy Policy periodically.

15. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

NNT Inc. (주식회사 엔엔티)
13F, D&O Building, 2621 Nambusunhwan-ro, Gangnam-gu
Seoul 06267, Republic of Korea

Contact (all inquiries): Sungjoon Yoon, Chief Privacy Officer — nnt.aistudio@metric-studio.com

We handle all inquiries — including general support, privacy-related requests (access, correction, deletion, portability, objection, withdrawal of consent), refund requests, and complaints regarding the handling of your personal information — through this single email channel. We will respond within 30 days, or within any shorter period required by applicable law.