ShowRunway Privacy Policy

Effective Date: November 6, 2025

Data Controller: Baoding Guokai Technology Co., Ltd. (hereinafter referred to as "we", "us" or "our"), a legally established and validly existing enterprise under Chinese law, focusing on AI technology research and development and related application services.

Contact Address: Room 301, Unit 2, Building 4, Jinchang East District, Hengxiang North Street, Hepingli Sub-district Office, Lianchi District, Baoding, Hebei, 071000

Contact Email: uptonroncarteddybl@gmail.com (for handling all user inquiries, complaints, requests and objections related to personal information)

Data Protection Officer (DPO): Our company designates a full-time Data Protection Officer who is responsible for coordinating personal information protection work, supervising the implementation of this Privacy Policy, handling various user requests regarding personal information, and coordinating responses to data protection-related regulatory requirements. Users may communicate directly with the Data Protection Officer through the above-mentioned contact email, and the email subject should be marked as "Personal Information Request + Specific Matter" for quick response.

This Privacy Policy (hereinafter referred to as "this Policy") is formulated by us and applies to all users who use the ShowRunway mobile application (hereinafter referred to as "this Application"). This Application is an AI fashion show short video generation tool for users aged 18 and above. Its core function is to allow users to input text prompts and upload images, and AI will automatically generate model catwalk short videos, and provide relevant community interaction services. This Application has no registration or login functions. When users open the Application for the first time, they can use all functions of this Application free of charge after checking "I have carefully read and agree to the Privacy Policy and User Service Agreement"; if users do not agree to any terms of this Policy, they shall immediately stop downloading, installing and using this Application. If they have already downloaded it, they shall uninstall it in a timely manner, and we will not collect any user-related information.

This Policy details the specific rules for our collection, use, storage, sharing, transfer, deletion, protection and other related operations of personal information during the entire process of users using this Application, clarifies the personal information rights legally enjoyed by users, the ways to exercise their rights, as well as our responsibilities and obligations. By checking and agreeing to this Policy, users are deemed to have carefully read, fully understood and voluntarily accepted the constraints of all terms of this Policy, including but not limited to the scope of personal information collection, purpose of use, sharing rules and restrictions on user rights; if users do not agree to the modification or any terms of this Policy during use, they shall immediately stop using this Application.

We strictly follow the principles of "legality, legitimacy, necessity, transparency and minimization" in processing users' personal information, resolutely put an end to excessive collection and illegal use of user information, and at the same time strictly abide by relevant data protection laws and regulations in various regions around the world, including but not limited to the European Union's General Data Protection Regulation (GDPR), the United States' California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Consumer Data Protection Act (CDPA), Brazil's General Data Protection Law (LGPD), the United Arab Emirates' Federal Data Protection Law (FADP), Singapore's Personal Data Protection Act (PDPA), etc., to fully protect users' legitimate information rights and interests in different jurisdictions and ensure that all personal information processing activities comply with the regulatory requirements of the corresponding regions.

I. Scope of Application

This Policy applies to the entire process of users accessing, downloading, installing and using all functions and services of this Application, including but not limited to the following scenarios:

1. Using the core functions of this Application: inputting text prompts (such as "futuristic silver dress, Paris Fashion Week catwalk, spotlight effect"), uploading images (such as clothing images, scene images), and generating AI model catwalk short videos;

2. Using the community functions of this Application: browsing AI catwalk videos published by other users in the community, liking, commenting on and sharing videos, and publishing AI catwalk videos generated by themselves and related creative experiences;

3. Using the auxiliary functions of this Application: saving the generated short videos to the local device, sharing them to third-party social platforms (such as TikTok, Instagram), and recording voice feedback (such as suggestions or complaints about video effects and function experience);

4. Visiting relevant sections of this Application such as function descriptions, help centers, user feedback tools, and version update prompts;

5. The process of users communicating with our customer service and Data Protection Officer to consult personal information-related issues, submit requests or complaints.

This Policy only applies to our collection, use, storage and other processing activities of users' personal information, and does not apply to the information processing rules of any third-party platforms or third-party service providers (such as advertising service providers, cloud storage service providers, third-party sharing platforms). This Application may contain third-party links, plug-ins or service entrances. After users click to enter the third-party service page, their information processing activities shall be the sole responsibility of the third party. We shall not be liable for any third party's information processing activities, nor shall we participate in the third party's information collection and use.

II. Collection and Use of Personal Information

(I) Collection Principles

We strictly follow the "minimum necessity" principle in collecting users' personal information. We only collect the personal information necessary for users to use the services for the purpose of realizing the functions of this Application, improving service experience and ensuring the normal operation of the Application. We do not collect redundant information unrelated to the services, do not force bundled collection of personal information, and do not induce users to provide unnecessary personal information. All access involving sensitive permissions (camera, microphone, album, external storage, etc.) is enabled only after the user's active express authorization, and information collection is triggered only when the user uses the corresponding function. After the function is closed, collection is stopped immediately. Users can withdraw authorization at any time, and withdrawing authorization will not affect the normal use of other unrelated functions of this Application.

We will inform users of the purpose, scope and method of information collection in a clear manner, ensure that users fully understand and voluntarily provide relevant information, and will not collect users' personal information by means of fraud, concealment, etc.

(II) Types of Collected Information, Permission Description and Purpose of Use

The permissions required by this Application and the corresponding collected information are all necessary to realize core functions and improve user experience. There are no redundant permission requests. The detailed description of the collection, purpose of use, usage scenarios and management methods of each permission and information is as follows:

1. Camera Permission
       

 Collected Content: Only when the user actively clicks the "Take Picture" button and triggers the shooting operation, will we collect the photo and image information taken by the user through the camera (including images related to clothing, scenes, characters, etc.); when there is no shooting operation, the camera function will not be activated, and no camera-related data streams, image information or device camera parameters will be collected.

 Purpose of Use: To provide users with the convenience of "instant shooting and quick upload". The taken pictures will be used as the core material for AI fashion show short video generation, helping users realize personalized creative needs (such as taking pictures of their own clothes to generate exclusive catwalk videos); the taken pictures are only used for this video generation and not for any other purposes.

 Usage Scenarios: The user clicks "Upload Material" → selects "Take Picture", the camera is activated. After the user finishes shooting, the picture is automatically uploaded to the temporary cache area of this Application for AI model analysis and video generation. After the generation is completed, the pictures in the temporary cache area will be deleted or retained in accordance with the agreement of this Policy.

 Permission Management: Users can enable or disable the camera permission at any time in "Settings - Apps - ShowRunway - Permissions - Camera" of the device operating system (Android); after disabling the camera permission, users cannot use the "Take Picture" function, but can normally use the "Select Picture from Album" function and all other core functions (such as video generation, community browsing, etc.), which will not affect the overall user experience.

2. Album (Picture) Permission
        

 Collected Content: Only when the user actively clicks the "Select from Album" button and clearly selects one or several pictures, will we collect the picture information selected by the user; we will not actively access, scan or collect other unselected pictures, videos, files and other contents in the user's album, will not obtain full access to the album, and only obtain access to the "user-selected content".

 Purpose of Use: To provide users with the convenience of selecting creative materials from the local album. Users can select existing clothing pictures, scene pictures, model pictures, etc., and upload them to this Application for AI fashion show short video generation to meet users' diverse creative needs; the selected pictures are only used for this video generation and not for any other purposes.

 Usage Scenarios: The user clicks "Upload Material" → selects "Select from Album", the system jumps to the user's device album. After the user checks the pictures to be uploaded, the pictures are automatically uploaded to the temporary cache area of this Application for AI model analysis and video generation. After the generation is completed, the pictures in the temporary cache area will be deleted or retained in accordance with the agreement of this Policy.

 Permission Management: Users can enable or disable the album permission at any time in "Settings - Apps - ShowRunway - Permissions - Album" of the device operating system (Android); after disabling the album permission, users cannot use the "Select Picture from Album" function, but can normally use the "Take Picture" function and all other core functions, which will not affect the overall user experience.

3. Microphone Permission
        

 Collected Content: Only when the user actively clicks the "Voice Feedback" button and triggers the recording operation, will we collect the voice audio information recorded by the user (including the user's suggestions, complaints, evaluations, etc. on the application functions, video effects and user experience); when there is no recording operation, the microphone function will not be activated, and no microphone-related audio data streams or device microphone parameters will be collected.

 Purpose of Use: To provide users with a convenient feedback channel. Users can quickly report problems encountered during use, optimization suggestions for functions, evaluations of video effects, etc. through voice. We will optimize product functions, improve service quality and solve problems encountered by users by analyzing the voice feedback content; the recorded voice is only used for user feedback processing, not for other purposes such as voice recognition and personalized recommendation, and will not be shared with any third party.

 Usage Scenarios: The user clicks "My - Feedback and Help - Voice Feedback", the microphone is activated, the user starts recording voice, clicks "Submit" after recording, and the voice file is automatically uploaded to our server for processing by relevant staff; after the feedback is processed, the voice file will be deleted in accordance with the agreement of this Policy.

 Permission Management: Users can enable or disable the microphone permission at any time in "Settings - Apps - ShowRunway - Permissions - Microphone" of the device operating system (Android); after disabling the microphone permission, users cannot use the "Voice Feedback" function, but can submit requests through text feedback, which will not affect the normal use of all other core functions.

4. External Storage Permission
        

 Collected Content: Only two types of information are collected: first, the AI catwalk short videos and creative materials (such as uploaded pictures, generated video thumbnails) generated after the user actively clicks "Save Video" and "Save Picture" are saved to the designated folder (ShowRunway exclusive folder) of the user's device external storage; second, the necessary cache files generated during the operation of this Application (such as temporary data during video generation, application interface cache, picture thumbnail cache, etc.) are used to improve the application running speed and loading efficiency. We will not access, modify or delete any other files or data (such as the user's private photos, videos, documents, etc.) in the user's device external storage except the exclusive folder of this Application.

 Purpose of Use: To realize the function of users saving the generated AI catwalk short videos and creative materials to the local, facilitating users to view and share them at any time; at the same time, by caching necessary data, reducing application loading time, improving video generation speed and overall use fluency, and optimizing user experience.

 Usage Scenarios: After the user generates an AI catwalk video, clicks the "Save" button, and the video is automatically saved to the ShowRunway folder of the device's external storage; when the user browses community videos and application interfaces, the system automatically generates temporary caches to improve loading speed; when the user clears the application cache, they can manually delete this part of the cache files without affecting the saved videos and materials.

 Permission Management: Users can enable or disable the external storage permission at any time in "Settings - Apps - ShowRunway - Permissions - Storage" of the device operating system (Android); after disabling the external storage permission, users cannot save the generated videos and materials to the local, and the application cannot generate caches, which may cause the application loading speed to slow down, but will not affect the normal use of core functions such as video generation, community browsing and voice feedback.

5. Application Information Reading Permission
        

 Collected Content: Including but not limited to the user's device model (such as Samsung Galaxy S23, Google Pixel 8), operating system version (such as Android 14), version number of this Application (such as v1.0.0), unique device identifier (such as Android ID, used to identify the user's device and ensure the normal operation of the application on different devices), network access method and type (such as Wi-Fi, 4G, 5G), network status, device screen resolution, device language settings and other non-identifiable device information.

 Purpose of Use: First, to ensure the normal operation of this Application in different devices and different system environments, troubleshoot faults such as application crashes, freezes and inability to generate videos, and fix compatibility issues (such as optimizing the video generation function for specific device models); second, to count application usage data (such as the proportion of users of each device type, system version distribution) to provide data support for product iteration and function optimization; third, to identify abnormal device behaviors (such as malicious traffic brushing, malicious content generation) to ensure the security of the application ecosystem and protect the legitimate rights and interests of all users.

 Usage Scenarios: When the user opens this Application, the system automatically reads the above device information for application startup detection; during the operation of the application, the network status is read in real time to ensure the stability of functions such as video generation and community browsing; when the application fails, the device information and fault logs are automatically recorded to facilitate our technical personnel to troubleshoot and repair.

 Permission Management: This permission is a necessary permission for the normal operation of the application. After the user opens the application, it is authorized by default without separate checking; if the user disables this permission, it may cause the application to fail to start and run normally and be unable to use core functions.

6. Advertising Identifier Permission

 Collected Content: The advertising identifier of the user's device (such as Android Advertising ID, referred to as AAID), which is generated by the device operating system to identify the device and is not directly associated with the user's personal identity information.

 Purpose of Use: To provide users with personalized advertising recommendations. According to the user's application usage habits (such as the type of generated videos, browsed community content), push advertisements related to fashion and AI creation to improve advertising relevance and avoid pushing irrelevant advertisements; at the same time, count data such as the number of advertising impressions and clicks, optimize advertising placement strategies, improve advertising effects, and provide us with reasonable sources of income to continuously optimize product functions and provide free services.

 Usage Scenarios: After the user opens this Application, the advertising module automatically reads the device advertising identifier, and pushes personalized advertisements combined with the user's application usage behavior; when the user clicks on the advertisement, the system records the advertisement click data for advertising effect statistics.

 Permission Management: Users can disable the advertising identifier (i.e., enable "Limit Ad Tracking") in "Settings - Privacy - Ads" of the device operating system; after disabling, we will not be able to obtain the advertising identifier, and can only display general advertisements to users (not pushed based on user usage habits), which will not affect the normal use of core functions of this Application (video generation, community browsing, etc.) nor the user's personal information security.

(III) Collection and Use of Non-Personal Information

To optimize product services and improve user experience, we will collect non-identifiable usage behavior data. Such data cannot identify the user's identity alone or in combination with other information, and belongs to non-personal information, including but not limited to:

 Application Usage Behavior Data: The usage frequency of each function of this Application (such as the number of video generations, the number of album uploads, the number of voice feedbacks), the preference for the type of video generation content (such as fashion dresses, street trends, futuristic styles), the browsing duration of community content, the behavior data of likes/comments/shares, application startup time, usage duration, etc.;

 Function Operation Data: Video generation success rate, generation time-consuming, cache size, number of advertising impressions, number of advertising clicks, etc.;

 Non-Identifiable Device Data: The approximate geographic location of the device (only accurate to the city level, no specific latitude and longitude collected), device time zone, network type, etc.

We may analyze, integrate and desensitize such non-personal information for product iteration (such as optimizing AI generation algorithms according to user preferences), service optimization (such as adjusting function layout according to usage frequency), advertising placement effect analysis, etc., without obtaining additional user authorization, and will not associate such data with user personal information. We have the right to use the desensitized non-personal information for commercial cooperation (such as providing advertising effect statistics to advertising partners), but such data does not contain any information that can identify the user's identity.

III. Storage of Personal Information

(I) Storage Methods and Security Guarantees

We adopt industry-standard technical measures and security protection systems to ensure the storage security of users' personal information, prevent risks such as information leakage, tampering, loss, unauthorized access, copying and use. The specific measures are as follows:

 Encrypted Storage: The user's personal information (such as uploaded pictures, recorded voices, device information) is transmitted to our server using end-to-end encryption technology (such as SSL/TLS encryption) to ensure that the data is not stolen or tampered with during transmission; the personal information stored in the server is encrypted using the AES-256 encryption algorithm, which can only be accessed by authorized staff, and access requires multiple identity verifications (such as account password, dynamic verification code).

 Secure Storage Environment: Our servers and cloud storage nodes are all deployed in globally compliant data centers, which meet the requirements of relevant laws and regulations such as GDPR and LGPD for the data storage environment. The data centers are equipped with professional security protection equipment (such as firewalls, intrusion detection systems), establish a sound security management system, and conduct regular security inspections and vulnerability repairs to prevent servers from being attacked and invaded.

 Access Control: Establish a strict personal information access permission management system, clarify the access permissions of staff. Only authorized technical personnel, customer service personnel and Data Protection Officers can access users' personal information within the scope of performing their job duties, and all access behaviors will be recorded throughout the process (including access time, access personnel, access content, operation behaviors) to facilitate subsequent auditing and tracing; staff are strictly prohibited from accessing, copying, spreading or disclosing users' personal information without permission, and violations will be severely punished (including but not limited to dismissal and pursuit of legal liability).

 Cache Management: Temporary data such as pictures uploaded by users and recorded voices are only stored in the application's temporary cache area. After the generation is completed or the feedback is submitted, they will be deleted in a timely manner in accordance with the agreement of this Policy; users can manually clear the application cache and delete all temporarily stored data.

(II) Storage Period

We follow the principle of "minimizing storage period" and only store users' personal information for the period necessary to achieve the purpose of collection. After the storage period expires, it will be automatically deleted or anonymized. The specific storage periods are as follows:

 Taken/Uploaded Pictures: After the user completes the AI video generation, if the user does not actively save the picture, our server and the application's temporary cache area will automatically delete the picture within 7 natural days; if the user actively saves the picture, the picture will only be saved to the user's device local (ShowRunway exclusive folder in external storage), and our server will not retain the picture, only temporarily cache it during the video generation process, and delete it immediately after the generation is completed.

 Recorded Voice Feedback: After the user submits the voice feedback, our staff will complete the feedback processing within 15 working days. After the processing is completed, the voice file will be automatically deleted within 7 natural days; if the feedback is not processed, the maximum storage period will not exceed 30 natural days, and it will be deleted immediately after the processing is completed.

 Device Information and Advertising Identifier: During the period when the user continues to use this Application, we will retain such information to ensure the normal operation of the application and optimize services; if the user does not use this Application for 12 consecutive months (i.e., no application startup or function usage records within 12 months), we will automatically delete all device information, advertising identifiers and related cache data of the user, except as required by laws and regulations.

 Videos and Materials Saved by Users: The videos and materials actively saved by users to the local device are managed by the users themselves. We do not store such content, nor are we responsible for the backup and recovery of such content. Users can delete or back up them by themselves.

 Non-Personal Information: We will retain the desensitized non-personal information indefinitely for product analysis, function optimization, advertising effect statistics, etc. Such information cannot identify the user's identity and does not involve the user's privacy security.

If it is necessary to retain users' personal information in accordance with legal requirements or the mandatory requirements of judicial or administrative organs, we will retain it within the statutory retention period. After the retention period expires, it will be deleted or anonymized immediately.

(III) Storage Region

Our servers and cloud storage nodes are mainly located in globally compliant data centers, including but not limited to Singapore, the United States, EU member states (such as Ireland), Brazil and other regions. Users' personal information may be transmitted to regions outside the user's country/region for storage. We will ensure that such cross-border data transmission complies with the requirements of data protection laws and regulations in the corresponding regions, and take the following measures to ensure the security of cross-border data transmission:

 For EU (GDPR) users: We will store users' personal information through data centers in countries/regions recognized by the European Commission as having "adequacy decisions", or sign EU Standard Contractual Clauses (SCCs) with third parties receiving the data to ensure that cross-border data transmission complies with the requirements of GDPR;

 For Brazilian (LGPD) users: We will ensure that cross-border data transmission is approved by the Brazilian Data Protection Authority (ANPD), or sign a data processing agreement that meets the requirements of LGPD with third parties receiving the data;

 For users in other regions: We will follow the relevant regulations on cross-border data transmission in that region, take measures such as data encryption and signing cross-border data transmission agreements to ensure the security of users' personal information during cross-border transmission, and will not transmit users' personal information to countries/regions that have not obtained compliant qualifications.

By agreeing to this Policy, users are deemed to agree that we will transmit their personal information to compliant data centers outside the user's country/region for storage and processing, and we will always ensure the security of such data.

IV. Sharing and Transfer of Personal Information

(I) Sharing Principles

We strictly follow the principles of "minimum necessity, express consent, and legality and compliance", and will not arbitrarily share or transfer users' personal information to any third party, unless it falls into one of the following situations. In addition, we will take necessary security measures to ensure the security of users' personal information and limit the scope of information use by third parties:

1. With the user's express written consent: Under the condition of the user's explicit authorization, share the personal information specified by the user with a third party, and the scope of sharing is limited to the content authorized by the user. The third party shall not use the user's information beyond the authorized scope; the user can withdraw the authorization at any time. After the authorization is withdrawn, we will immediately stop sharing the user's information with the third party.

2. Necessary for realizing the functions of this Application: Share personal information with our legally compliant third-party service providers, and such third parties can only use the user's information within the scope of providing services for us, and shall not use the information for any other purposes or share it with any other third parties. Such third-party service providers include but are not limited to:

 Cloud Storage Service Providers: Used to store temporary data such as pictures uploaded by users and recorded voices to ensure data storage security;

 AI Technology Service Providers: Used to provide technical support such as AI model analysis and video generation, and only obtain creative materials such as pictures and text prompts uploaded by users to complete the video generation function;

 Advertising Service Providers: Used to provide advertising placement services, and only obtain the user's device advertising identifier and non-personal information (such as usage behavior data) to push personalized advertisements, and do not obtain the user's identity information, uploaded pictures and other sensitive content;

 Customer Service Providers: Used to assist us in handling user feedback and complaints, and only obtain the user's feedback content and necessary device information to solve user problems.

We have signed strict data processing agreements with all cooperating third-party service providers, clarifying the rights and obligations of both parties, requiring third parties to strictly abide by relevant laws and regulations and the requirements of this Policy, take necessary security measures to protect users' personal information, and regularly audit the information processing behaviors of third parties. If a third party has illegal processing of user information, we will immediately terminate the cooperation and pursue its legal liability.

3. Compliance with legal provisions: Provide users' personal information to relevant authorities in accordance with applicable laws and regulations and the mandatory requirements of judicial or administrative organs (such as court subpoenas, administrative organ instructions). Before providing information, we will try our best to verify the legality of the relevant authorities and the rationality of the requirements, and only provide the necessary information that meets the requirements, without providing additional irrelevant information.

4. Protection of legitimate rights and interests: Share personal information within a reasonable and necessary scope to protect the legitimate rights and interests of us, users or third parties, for example: responding to security incidents such as network attacks and data leaks to protect the security of the application ecosystem; handling infringement disputes between users (such as content published by users infringing on the intellectual property rights of others) and providing necessary information for rights protection; preventing malicious behaviors of users (such as malicious traffic brushing, malicious generation of illegal content) to ensure the normal use rights and interests of other users.

5. Enterprise Merger, Division, Acquisition: If we undergo changes such as enterprise merger, division, acquisition, asset transfer, etc., the user's personal information will be transferred to the subject after the change as part of the enterprise assets. The subject after the change will continue to perform the information protection obligations agreed in this Policy. If the subject after the change is unable to perform the obligations, we will notify the user in advance and take necessary measures to ensure the security of the user's information.

(II) Prohibition of Data "Selling" and User Choice Right

We explicitly prohibit the sale, transaction, lease and other forms of commercial circulation of users' personal information, and will not use users' personal information as commodities for transaction in any way. At the same time, in accordance with the requirements of laws and regulations such as CCPA, CPRA and VCDPA, users have the right to choose not to allow their personal data to be shared by us for commercial purposes (i.e., "refuse data sharing").

If the user wishes to refuse the non-essential sharing of their personal data (excluding the sharing necessary for realizing the functions of this Application, such as sharing creative materials with AI technology service providers), they may send a written request to our contact email (uptonroncarteddybl@gmail.com) specified in this Policy. The request shall clearly include the following information: the user's device identification information (such as Android ID), the specific request (such as "refuse personal data to be shared for commercial purposes"), and the contact email. We will complete the processing within 15 working days after receiving the request, stop the relevant non-essential sharing, and report the processing result to the user, at no charge for the processing.

After the user exercises this right, it will not affect the normal use of the core functions of this Application, but will only affect the push of personalized advertisements (only general advertisements will be displayed), and will not affect the user's creation, community interaction and other functions.

(III) Methods to Opt Out of Data Sharing/Selling

If the user later wishes to withdraw the previously authorized sharing of personal data, or requests to opt out of any form of non-essential data circulation (including commercial purpose sharing, third-party service sharing, etc.), they may submit a request through the following methods:

 Send a written request to our contact email: uptonroncarteddybl@gmail.com. The request shall clearly include: the user's device identification information (such as Android ID), the specific request (such as "withdraw personal data sharing authorization", "opt out of data selling/sharing"), and the contact email, so that we can accurately identify the user's identity and process the request quickly;

 If the user wishes to withdraw the sharing authorization to a specific third party, they may clearly specify the name of the third party in the request. We will immediately stop sharing the user's personal information with the third party and require the third party to delete the obtained user information (except as required by laws and regulations).

After receiving the user's request, we will complete the review and processing within 15 working days, terminate the relevant data sharing operations, delete the relevant shared data (except as required by laws and regulations), and send the processing result email to the user; if the user's request does not comply with the requirements of laws and regulations or the agreement of this Policy, we will explain the reasons to the user in the email and provide a reasonable solution.

V. Users' Personal Information Rights

We fully respect and protect users' personal information rights in various jurisdictions around the world, and in strict accordance with the requirements of relevant data protection laws and regulations such as GDPR, CCPA, CPRA, VCDPA, LGPD and FADP, provide users with convenient channels for exercising their rights. Users can exercise the following rights free of charge. We do not charge any fees, nor will we discriminate against users (such as increasing service prices, reducing service quality, restricting function use, etc.) because users exercise their rights.

(I) General Rights (Applicable to Users in All Regions)

1. Right of Access: Users have the right to request us to provide details of all personal information held about them at any time, including but not limited to: the type of information collected, collection time, purpose of use, storage period, sharing object, purpose of sharing, storage region, etc.; if users need to obtain a copy of personal information, we will provide it to users in a structured, common and machine-readable format (such as CSV, PDF) for users to save and use.

2. Right of Correction: If users find that the personal information stored by us is inaccurate, incomplete or outdated (such as incorrect device information), they have the right to request us to correct and supplement it; after receiving the request, we will verify the accuracy of the information within 15 working days. If the inaccuracy is confirmed, we will correct and supplement it immediately and report the processing result to the user.

3. Right to Erasure: Users have the right to request us to delete all or part of the personal information held about them at any time, including but not limited to uploaded pictures, recorded voices, device information, etc.; after receiving the request, we will immediately stop the collection, use and sharing of such information, complete the deletion operation within 15 working days (except as required by laws and regulations), and report the processing result to the user; after deletion, the relevant information cannot be recovered.

4. Right to Withdraw Authorization: Users have the right to withdraw the authorization for each permission of this Application in the device operating system at any time (such as camera, microphone, album, etc.). After withdrawing the authorization, we will immediately stop the collection and use of relevant information; users can also request to withdraw the information sharing authorization through the contact email. After withdrawing the authorization, we will immediately stop sharing the user's information with third parties and require third parties to delete the obtained user information (except as required by laws and regulations).

5. Right to Know: Users have the right to consult us about relevant issues of personal information processing at any time (such as the scope of information collection, purpose of use, sharing rules, etc.). We will reply in a timely and truthful manner within 15 working days, provide detailed explanations, and ensure that users fully understand the processing of their own personal information.

6. Right to Complaint: If users believe that our personal information processing behavior has infringed their legitimate rights and interests, or violated the agreement of this Policy and the requirements of relevant laws and regulations, they have the right to complain to the data protection regulatory authority in the user's country/region. We will actively cooperate with the investigation and processing of the regulatory authority, truthfully provide relevant information, rectify illegal behaviors in a timely manner, and protect the legitimate rights and interests of users.

(II) Additional Rights for Users in Specific Regions

According to the data protection laws and regulations in different regions, in addition to the above general rights, users in specific regions also enjoy the following additional rights:

1. EU (GDPR) Users:

 Right to Data Portability: Users have the right to request us to transmit their personal information to other data controllers designated by the user (such as other AI creation applications) in a structured, common and machine-readable format. We will complete the data transmission within 30 working days after receiving the request to ensure the integrity and availability of the data;

 Right to Restriction of Processing: Users have the right to request us to restrict the processing of their personal information (such as suspending information sharing, suspending use). If users believe that the personal information is inaccurate, the processing behavior is illegal, or we no longer need the information but the user wishes to retain it, they can exercise this right; after receiving the request, we will immediately restrict the processing of relevant information until the user revokes the restriction or the problem is solved;

 Right to Object: Users have the right to object to our personal information processing behavior based on legitimate interests (such as for product optimization, personalized advertising push). After receiving the objection request, we will immediately stop the relevant processing behavior, unless we can prove that there are legitimate interests that take precedence over the user's rights and interests, or the processing behavior is necessary to perform legal obligations;

 Right to Claim Damages: If our personal information processing behavior violates the provisions of GDPR and causes damage to the user, the user has the right to request us to bear liability for damages.

2. California (CCPA/CPRA) Users in the United States:

 Right to Non-Discrimination: If users exercise their personal information rights (such as access, deletion, refusal of data sharing), we shall not discriminate against users, including but not limited to increasing service prices, reducing service quality, restricting function use, refusing to provide services, etc.;

 Right to Refuse Automated Decision-Making: Users have the right to refuse the personalized recommendations, advertising pushes, etc. made by us based on automated decisions (such as AI algorithms). After refusal, we will stop the relevant automated decisions and only provide general services;

 Right to Know About Data Disclosure: Users have the right to request us to disclose the situation of sharing personal information to third parties in the past 12 months (including the name of the third party, the type of shared information, the purpose of sharing). We will provide such information to users in a clear and easy-to-understand manner;

 Right to Withdraw Consent: Users have the right to withdraw their consent to personal information processing at any time, and the effect of withdrawing consent retroacts to the time when the consent is given. We will delete the personal information collected based on the consent (except as required by laws and regulations).

3. Brazilian (LGPD) Users:

 Right to Anonymization: Users have the right to request us to anonymize their personal information. After processing, the data cannot identify the user's identity. We will complete the anonymization processing within 15 working days after receiving the request and report the result to the user;

 Right to Withdraw Consent: Users have the right to withdraw their consent to personal information processing at any time. After withdrawing consent, we will immediately stop the collection, use and sharing of relevant information, delete the personal information collected based on the consent (except as required by laws and regulations), and the effect of withdrawing consent retroacts to the time when the consent is given;

 Right to Notification of Data Breach: If a user's personal information is leaked and may cause serious impact on the user's rights and interests, we will notify the user by email, application pop-up, etc. within 72 hours after discovering the leak, and inform the type of leaked information, the scope of impact and remedial measures;

 Right to Judicial Remedy: If users believe that our personal information processing behavior violates the provisions of LGPD, they have the right to complain to the Brazilian Data Protection Authority (ANPD) or file a lawsuit with the court to claim damages.

4. UAE (FADP) Users:

 Right to Obtain Data Copies: Users have the right to request us to provide free copies of their personal information. We will provide them in a structured and common format free of charge;

 Right to Request Explanation: Users have the right to request us to provide a detailed explanation of the rules, methods, purposes, storage periods, etc. of personal information processing. We will reply in a clear and easy-to-understand manner to ensure that users fully understand;

 Priority Processing Right for Data Correction/Deletion: For users' requests for personal information correction and deletion, we will complete the processing within 10 working days, which is 5 working days shorter than the general processing period, to ensure the rapid realization of users' rights.

5. Users in Other Regions: If the laws and regulations in the user's region stipulate other personal information rights, we will, strictly in accordance with the requirements of local laws, protect users' exercise of relevant rights and provide corresponding service support.

(III) Methods and Notes for Exercising Rights

Users can submit requests to exercise the above personal information rights through the following methods:

1. Send a written request to our contact email: uptonroncarteddybl@gmail.com. The email subject should be marked as "Exercise of Personal Information Rights + Specific Matter" (such as "Request for Access to Personal Information", "Request for Deletion of Personal Information");

2. The request shall clearly include the following information so that we can accurately identify the user's identity and process the request quickly:

 The user's device identification information (such as Android ID, which can be queried in "Settings - About Phone - Status Information" of the device);

 Specific request (clearly state access, correction, deletion, withdrawal of authorization, etc.);

 Contact email (consistent with the email sending the request);

 If the request involves specific information (such as a certain uploaded picture, a certain voice feedback), please provide the approximate time and content description of the relevant information so that we can locate it quickly.

After receiving the user's request, we will conduct identity verification (verify device identification information, contact email, etc.). After verification, we will process it within the following time limits:

 General requests (access, correction, deletion, withdrawal of authorization, etc.): Complete processing and feedback within 15 working days;

 Requests from EU (GDPR) users: Complete processing within 1 month. If the situation is complex, it can be extended by 1 month, but the user must be notified in advance and the reason for the extension explained;

 Correction and deletion requests from UAE (FADP) users: Complete processing within 10 working days.

Notes:

 If the user's request does not comply with the requirements of laws and regulations or the agreement of this Policy (such as requesting to delete information required to be retained by laws and regulations), we will explain the reasons to the user and provide a reasonable solution;

 The request submitted by the user must be true and effective. If the user provides inaccurate or incomplete information, resulting in us being unable to identify the user's identity or process the request, we will notify the user to supplement the relevant information;

 After the user exercises their rights, if it affects the use of some functions of this Application (such as being unable to take pictures after withdrawing the camera permission), we will clearly inform the user in the feedback, and the user can decide whether to re-authorize by themselves.

VI. Personal Information Protection Measures

We attach great importance to the security of users' personal information, incorporate personal information protection into the entire process of product research and development and operation, establish a sound personal information protection system, and take various measures such as technology, management and systems to comprehensively ensure the security of personal information and prevent risks such as information leakage, tampering, loss, unauthorized access, copying and use. The specific measures are as follows:

(I) Technical Protection Measures

 Encryption Technology: Adopt multiple encryption technologies such as end-to-end encryption, transmission encryption and storage encryption to encrypt users' personal information (such as uploaded pictures, recorded voices, device information) throughout the process to ensure that the data is not stolen or tampered with during transmission, storage and use;

 Access Control: Establish a strict access control system, conduct hierarchical management of staff's access permissions. Only authorized personnel can access users' personal information. Access requires multiple identity verifications (such as account password, dynamic verification code, fingerprint verification), and all access behaviors are recorded throughout the process to facilitate auditing and tracing;

 Security Detection and Vulnerability Repair: Regularly conduct security detection on our servers and applications, use professional security detection tools to investigate risks such as security vulnerabilities and malicious codes; after discovering vulnerabilities, immediately organize technical personnel to repair them to ensure the security of applications and servers;

 Data Desensitization: Desensitize users' personal information and hide sensitive information (such as some characters of the unique device identifier) to ensure that even if the information is leaked, the user's identity cannot be identified;

 Emergency Response Mechanism: Establish an emergency response plan for personal information security, formulate detailed disposal processes for security incidents such as data leakage, network attacks and equipment failures, clarify the responsibilities of each department, and ensure that security incidents can be responded to and disposed of quickly to minimize the impact on users.

(II) Management Protection Measures

 Management System: Establish a sound management system for personal information processing, including operation specifications for each link such as information collection, use, storage, sharing and deletion, clarify the responsibilities and obligations of staff, and ensure that personal information processing behaviors are legal and standardized;

 Personnel Training: Regularly train our staff (including technical personnel, customer service personnel, Data Protection Officers) on personal information protection, popularize data protection laws and regulations and security protection knowledge, improve staff's awareness of information protection, and strictly prohibit staff from accessing, copying or disclosing users' personal information without permission;

 Audit and Supervision: Establish an audit mechanism for personal information processing, regularly audit personal information processing behaviors, check for illegal processing behaviors, and timely discover and rectify problems; the Data Protection Officer is responsible for supervising the audit process to ensure the authenticity and effectiveness of the audit results;

 Third-Party Supervision: Conduct strict qualification review on cooperating third-party service providers, sign strict data processing agreements, regularly supervise and audit the information processing behaviors of third parties. If a third party has violations, immediately terminate the cooperation and pursue its legal liability.

(III) Handling of Security Incidents

If a security incident such as personal information leakage, tampering or loss occurs, we will handle it in strict accordance with the following processes:

1. Immediately activate the emergency response plan, organize relevant personnel such as technical personnel and Data Protection Officers to investigate the cause and scope of the security incident, take remedial measures (such as closing the leakage port, deleting the leaked data, repairing security vulnerabilities) to prevent the damage from expanding;

2. Within 72 hours after discovering the security incident, inform the affected users of the incident (including the type of leaked information and the scope of impact), remedial measures, contact information, etc. through application pop-ups, contact emails, etc. to ensure that users are informed in a timely manner;

3. Report the security incident to the data protection regulatory authority in the user's country/region in accordance with the requirements of relevant laws and regulations, submit an incident handling report, and actively cooperate with the investigation and handling of the regulatory authority;

4. Conduct a comprehensive review of the security incident, analyze the cause of the incident, improve security protection measures to avoid similar incidents from happening again; at the same time, report the incident handling result to the user and accept the user's supervision.

VII. Legal Basis for Data Processing

All of our processing of users’ personal information is based on the following legitimate legal bases, in compliance with relevant data protection laws and regulations worldwide, to ensure that all personal information processing activities are lawful and compliant:

1. Explicit Consent of the User: We process users’ personal information for the core functions of this Application (including but not limited to video generation, voice feedback, album upload, etc.) based on the user’s explicit authorization for various permissions and consent to this Agreement. This is a legitimate basis under laws and regulations including GDPR, LGPD, and FADP. Users may withdraw their consent at any time, and we will immediately cease the relevant information processing upon withdrawal of consent.

2. Necessity for the Performance of a Contract: We process users’ personal information to perform the User Service Agreement between us and users, and to provide the agreed services (such as AI video generation, community interaction, etc.). This is a legitimate basis under laws and regulations including GDPR, CCPA, and VCDPA, to ensure that users can properly use all functions of this Application.

3. Legitimate Interests of Us: We process users’ non-personal information and necessary personal information (such as device information, usage behavior data) to optimize service experience, conduct product iteration, provide personalized recommendations, and safeguard the security of the application ecosystem. Such legitimate interests do not exceed users’ reasonable expectations, do not infringe upon users’ legitimate rights and interests, and cannot be achieved through other means. This is a legitimate basis under laws and regulations including GDPR.

4. Compliance with Legal Obligations: We process users’ personal information to comply with applicable laws and regulations or mandatory requirements issued by judicial or administrative authorities (such as court summons, administrative orders). This is a legitimate basis under data protection laws and regulations in all jurisdictions. We will provide information strictly in accordance with relevant requirements and will not provide any irrelevant information.

5. Necessity to Protect Legitimate Rights and Interests: We process users’ personal information within a reasonably necessary scope to protect the legitimate rights and interests of us, users, or third parties (such as responding to cyberattacks, handling infringements, preventing malicious activities). This is a legitimate basis under laws and regulations including GDPR and LGPD, to ensure that the legitimate rights and interests of all parties are protected.

VIII. Third-Party Services

To improve service quality and provide convenient functions, this Application may contain links, plug-ins, or service entrances provided by third parties, including but not limited to:

 Advertising Services: We integrate third-party advertising providers (such as Google Ads) to deliver advertisements. Advertising providers may collect users’ advertising identifiers and non-personal information. Their information processing activities are governed by their own privacy policies.

 Sharing Functions: We integrate third-party social platforms (such as TikTok, Instagram) to allow users to share generated videos to such platforms. During sharing, third-party platforms may collect users’ sharing behavior data, which is governed by their own privacy policies.

 Cloud Storage Services: We integrate third-party cloud storage providers (such as Amazon S3) to store temporary data uploaded by users. The information processing activities of cloud storage providers are governed by their own privacy policies.

 Customer Service: We integrate third-party customer service providers to assist in handling user feedback and complaints. Customer service providers may collect users’ feedback and necessary device information, which is governed by their own privacy policies.

We integrate the above third-party services solely for the convenience of providing services. We do not control or interfere with third parties’ information processing activities, nor do we collect or store any information generated when users use third-party services. When using third-party services, users should carefully read the third parties’ privacy policies and choose whether to use such services voluntarily. Refusing to use a third-party service will not affect the normal use of the core functions of this Application.

We have signed strict data processing agreements with all cooperating third-party service providers, requiring them to strictly comply with applicable laws and regulations and take necessary security measures to protect users’ personal information. If a third party processes user information in violation of regulations, we will immediately terminate the cooperation and pursue its legal liability, but we shall not bear any joint liability.

IX. Amendment and Update of the Agreement

1. We reserve the right to amend and update this Agreement under the following circumstances:

 Updates or revisions of relevant laws and regulations (such as amendments to GDPR, CCPA, etc.);

 Iteration and upgrade of this Application’s functions (e.g., new functions leading to changes in the scope of information collection and purposes of use);

 Changes in data protection regulatory requirements;

 Improvement of user information protection, optimization of agreement terms, and protection of users’ legitimate rights and interests.

2. After amending this Agreement, we will notify users of the changes through the following prominent channels:

 Posting an amendment announcement on the homepage, settings page, login pop-up (if any), and other prominent positions of this Application, specifying the amended content and effective date;

 For material amendments (including but not limited to changes in the scope of personal information collection, purposes of use, sharing methods, or adjustments to user rights), we will provide a mandatory pop-up notice to require users to re-read and confirm their consent. The revised Agreement shall only take effect for users upon confirmation. If users do not agree to the revised Agreement, they shall immediately stop using this Application.

3. The revised Agreement shall take effect 7 days from the date of notice. If users continue to use this Application after the revised Agreement takes effect, it shall be deemed that users have accepted the revised Agreement. If users do not agree to the revised Agreement, they shall immediately stop using this Application, and we will no longer process their personal information (except for retention required by laws and regulations).

4. We will retain previous versions of this Agreement. Users may view historical versions and check amendment records via the path: Settings – Privacy Policy in this Application.

X. Disclaimer

1. We have adopted reasonable and necessary measures to protect users’ personal information. However, we shall not be liable for compensation if personal information is leaked, altered, or lost due to inherent risks of Internet technologies, equipment failures, cyberattacks, natural disasters, or other force majeure events, but we will actively take remedial measures.

2. We shall not be liable for any leakage of personal information caused by users’ own faults (such as device theft, password disclosure, unauthorized authorization to third parties to access this Application).

3. We shall not be liable for providing users’ personal information in accordance with laws and regulations or mandatory requirements of judicial or administrative authorities.

4. We shall not be liable for any infringement in connection with the collection, analysis, and use of non-personal information.

XI. Dispute Resolution

1. Any dispute arising out of or in connection with this Agreement shall first be resolved through friendly negotiation between both parties.

2. If negotiation fails, either party may submit the dispute to the people’s court with jurisdiction at the domicile of our company.

3. During the dispute resolution period, other provisions of this Agreement shall remain in effect.

XII. General Provisions

1. This Agreement is a supplementary agreement to the ShowRunway User Service Agreement and has the same legal effect. In case of any inconsistency between the two, this Agreement shall prevail.

2. If any provision of this Agreement is deemed invalid, revocable, or unenforceable, it shall not affect the validity of the remaining provisions.

3. Failure or delay in exercising any right under this Agreement shall not constitute a waiver of such right.

Baoding Guokai Technology Co., Ltd.

March 18, 2026