Privacy Policy (Model Gateway)

1. Introduction

This Privacy Policy (“Policy”) describes how Diaflow Pte. Ltd. (“Diaflow,” “we,” “us,” or “our”), a company incorporated in the Republic of Singapore, collects, uses, stores, shares, and protects personal data in connection with the Diaflow Model Gateway (the “Service”), accessible at https://gateway.diaflow.io.

The Service provides Users with API-based access to artificial intelligence models supplied by BytePlus Pte. Ltd. (“BytePlus”). This Policy applies to all Users of the Service, including individuals and organizations accessing the Service through personal or team/business Accounts.

By creating an Account and using the Service, you acknowledge that you have read and understood this Policy and consent to the collection, use, and processing of your personal data as described herein.

2. Data Controller

The data controller responsible for the processing of your personal data under this Policy is:

Diaflow Pte. Ltd.

Singapore

Email: [email protected]

3. Personal Data We Collect

We collect and process the following categories of personal data in connection with your use of the Service:

3.1. Account Registration Data

When you create an Account through the Settings page, we collect the following information:

Email address | Your registered email | Account identification, authentication, communications
Name | Your display name or workspace name | Account identification
Company name | Your organization name (if applicable) | Workspace setup, billing
Reference ID | A unique identifier for your account/workspace | Account management, support
Use case type | Personal or Team/Business designation | Service configuration, analytics
Location | Country and city | Tax compliance, localization, regulatory obligations

3.2. API and Usage Data

When you use the Service, we automatically collect:

API Key metadata | Key name, creation date, last used date, and masked key identifiers (we do not store full API keys in plaintext after initial generation)
API request logs | Provider name, model name, timestamp, unit price, token quantity consumed, and total cost per request (as displayed in the History page)
Dashboard metrics | Total requests (all time), Credit Balance, total cost incurred, number of active API Keys
Billing data | Monthly usage amounts, Credit Balance, billing transaction history (invoice number, date, amount, payment status)

3.3. Input and Output Data

When you make API calls to the BytePlus Models (including through the model playground), we may process:

(a) Input data: Prompts, text, image URLs, and any other data you submit as part of an API request;

(b) Output data: Text, images, videos, audio, and any other content generated by the BytePlus Models in response to your requests; and

(c) Request parameters: Model selection, size specifications, duration settings, and other configuration parameters.

3.4. Payment Data

When you purchase Credits through the Billing page, our third-party payment processor collects payment information (such as credit card details or bank account information) on our behalf. Diaflow does not directly store or have access to your full payment card details. We retain only transaction records including invoice numbers, dates, amounts, and payment status.

3.5. Technical Data

We automatically collect technical data when you access the Service, including IP address, browser type and version, device type, operating system, referral URLs, access timestamps, and pages visited within the Service.

4. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

Providing and operating the Service | Account data, API data, input/output data | Performance of contract
Billing, invoicing, and credit management | Account data, billing data, payment data | Performance of contract
API Key authentication and access control | API Key metadata, account data | Performance of contract
Usage monitoring and rate limiting | API request logs, technical data | Legitimate interest
Service improvement and analytics | Usage data, technical data, dashboard metrics | Legitimate interest
Security and fraud prevention | Technical data, API Key metadata, request logs | Legitimate interest
Customer support and communications | Account data, usage data | Performance of contract / Legitimate interest
Legal and regulatory compliance | All categories as required | Legal obligation
Tax compliance and financial reporting | Location, billing data, account data | Legal obligation

5. Data Sharing and Third-Party Processing

We may share your personal data with the following categories of recipients:

5.1. BytePlus Pte. Ltd.

When you make API calls to BytePlus Models through the Service, your input data (prompts, images, parameters) is transmitted to BytePlus’s infrastructure for processing. BytePlus processes this data in accordance with its own privacy policy and data processing practices. Diaflow does not control how BytePlus processes, stores, or retains the input and output data once it is transmitted to BytePlus’s systems. Users are responsible for reviewing BytePlus’s privacy practices before submitting personal data through the Service.

5.2. Payment Processors

We use third-party payment processors to handle Credit purchases. These processors collect and process your payment information under their own privacy policies. We do not have access to or store your full payment card details.

5.3. Infrastructure and Hosting Providers

We use third-party cloud infrastructure providers to host and operate the Service. These providers process data on our behalf under data processing agreements that require them to protect your data in accordance with applicable law.

5.4. Professional Advisors

We may share personal data with our lawyers, accountants, auditors, and other professional advisors as necessary for the provision of their services.

We may disclose personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, safety, or property of Diaflow, our Users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms and Conditions.

5.6. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your data.

6. International Data Transfers

Diaflow is based in Singapore. Your personal data may be transferred to and processed in countries other than your country of residence, including Singapore and the countries where BytePlus operates its infrastructure. These countries may have data protection laws that differ from your jurisdiction.

Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we will implement appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.

By using the Service, you acknowledge and consent to the transfer of your personal data to Singapore and other jurisdictions as described in this Policy.

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations:

Account registration data | Duration of account plus 12 months after account deletion or termination
API request logs and usage history | 36 months from the date of the request, or longer if required for billing disputes or legal compliance
Billing and invoice records | 7 years from the date of the transaction (for tax and financial reporting obligations)
Input and output data | Transient processing only — not retained after the API response is delivered, unless required for abuse detection or legal compliance. Note: BytePlus may apply its own retention policies to data processed on its infrastructure.
Technical and log data | 12 months from the date of collection
Payment transaction records | 7 years from the date of the transaction

After the applicable retention period, personal data will be securely deleted or anonymized. Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

8. Data Security

We implement commercially reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

(a) Encryption of data in transit using TLS/SSL protocols;

(b) Secure storage of API Keys with masked display in the user interface (only partial key identifiers are shown after initial generation);

(c) Access controls and authentication mechanisms for Account access;

(d) Regular security assessments and monitoring of the Service infrastructure;

(e) Logical separation of User data across Accounts and Workspaces; and

(f) Incident response procedures for security breaches.

While we take reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.

9. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

9.1. Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to:

(a) Access: Request a copy of the personal data we hold about you;

(b) Rectification: Request correction of inaccurate or incomplete personal data;

(c) Erasure: Request deletion of your personal data, subject to legal retention requirements;

(d) Restriction: Request that we restrict the processing of your personal data;

(e) Portability: Receive your personal data in a structured, commonly used, machine-readable format;

(f) Objection: Object to the processing of your personal data based on legitimate interests; and

(g) Withdrawal of consent: Where processing is based on consent, withdraw your consent at any time.

You also have the right to lodge a complaint with your local supervisory authority.

9.2. Rights Under the PDPA (Singapore)

If you are located in Singapore, you have the right under the Personal Data Protection Act 2012 (PDPA) to: (a) request access to personal data we hold about you; (b) request correction of personal data that is inaccurate; and (c) withdraw consent to the collection, use, or disclosure of your personal data (subject to legal or contractual restrictions and reasonable notice).

9.3. Rights Under Other Jurisdictions

If you are located in another jurisdiction with applicable data protection laws (including but not limited to the California Consumer Privacy Act, Vietnam’s Decree on Personal Data Protection, or other regional frameworks), you may have additional rights. Please contact us at [email protected] to make a request under your applicable law.

9.4. Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected]. We will respond to your request within thirty (30) days or within the timeframe required by applicable law. We may request additional information to verify your identity before processing your request.

10. Cookies and Tracking Technologies

The Service may use cookies, local storage, and similar tracking technologies to maintain session state, authenticate Users, remember preferences, and analyze usage patterns. We use the following categories of cookies:

(a) Strictly necessary cookies: Required for the Service to function, including session management and authentication;

(b) Functional cookies: Used to remember your preferences and settings; and

(c) Analytics cookies: Used to collect aggregated information about how Users interact with the Service to help us improve it.

You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may impair the functionality of the Service.

11. Children’s Privacy

The Service is not directed to individuals under the age of eighteen (18) or the age of majority in their jurisdiction, whichever is greater. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

The Service may contain links to third-party websites or services, including BytePlus documentation and integration endpoints. This Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.

13. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated through the Service or via the email address associated with your Account. The “Effective Date” at the top of this Policy indicates when it was last updated. Your continued use of the Service after any changes constitutes your acceptance of the revised Policy.

14. Data Protection Officer

If you have any questions, concerns, or requests regarding this Policy or our data protection practices, you may contact our Data Protection Officer:

Data Protection Officer

Diaflow Pte. Ltd.

Email: [email protected]

15. Supplemental Notices

15.1. For Users in the European Economic Area

Where we rely on legitimate interest as a legal basis for processing, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time.

15.2. For Users in Singapore

We comply with the obligations under the Personal Data Protection Act 2012 (PDPA) of Singapore. For data-related complaints, you may also contact the Personal Data Protection Commission (PDPC) of Singapore.

15.3. For Users in California (USA)

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents may have additional rights including: the right to know what personal information is collected and how it is used; the right to delete personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising privacy rights. Diaflow does not sell your personal data. To exercise your rights, contact us at [email protected].


Contact Information

For privacy-related inquiries, please contact us at: [email protected]

Last updated