Privacy Policy
Effective: 2026-07-14 · Version: 2026-07-14
SayDraw (the “Service”) is a creative app for children. A child does not create a separate account. The guardian (legal representative) manages the account and child profiles and consents to the processing of personal information. This Policy explains how GREATEARTH CO., LTD. (“we,” “us,” or the “Company”) collects, uses, discloses, retains, and deletes information.
- Effective date: July 14, 2026
- Version: 2026-07-14
1. Controller and Contact
- Controller: GREATEARTH CO., LTD.
- Privacy inquiries and rights requests: [email protected]
- Company information: greatearth.studio.site
We provide the Company’s address and representative’s name without delay upon a request to [email protected], as required by applicable law.
This Policy applies to the Service’s apps, API, and guardian support features. Where Apple, Google, or another third party independently processes information for its own account or payment service, that third party’s policy also applies.
2. Core Principles
- The guardian owns the account and gives consent. A child uses the Service only through a profile under that account.
- A voice recording is sent through our server to OpenAI, an AI service provider in the United States, for speech-to-text conversion. It is not stored in our database or artwork storage.
- OpenAI receives the voice recording, recognized text, constrained drawing instruction, and generated image only as needed at each processing stage. Guardian and child account or profile identifiers are not included.
- Guardians are instructed not to let a child say a real name, school, address, contact detail, or other identifying information in a creative request. If such information is detected in the recognized text, or safety is uncertain, generation stops without further processing or storage.
- We do not use children’s data for advertising, behavioral tracking, data sales, or a public feed.
- We notify guardians and obtain renewed consent before making a material change to processing.
3. Information Processed, Collection Method, Purpose, and Retention
Guardian email, authentication-provider identifier, and authentication/session information
How collected and why used: Received from the authentication service when the guardian signs in with Apple, Google, or email. Used for account identity, sign-in, security, support, and linking payment status
Retention: Deleted with the SayDraw authentication account and sessions managed by Supabase. The guardian’s Apple ID or Google Account itself is not deleted. Transaction records subject to a legal retention duty follow the period below
Consent timestamp and Privacy Policy/Terms versions
How collected and why used: Recorded when the guardian presses the consent button. Used to verify valid consent and manage renewed consent
Retention: For the life of the account. Deleted with the account, except a record strictly necessary for a legal dispute may be segregated for the period permitted by applicable law
Child-profile nickname, preset avatar, and birth year
How collected and why used: Entered or selected by the guardian. Used to display the profile and apply age-appropriate safety settings
Retention: Deleted when the profile or account is deleted
Voice recording
How collected and why used: The app records the creative request in its private temporary area and sends it over an encrypted connection to our server. Our server sends the audio, without account or profile identifiers, to OpenAI Audio Transcriptions to convert it to text
Retention: Our server processes it only for the request and does not persist it in a database, application log, or artwork store. A server request-scoped temporary upload file is discarded after processing. A device temporary file is deleted or overwritten according to the app implementation and operating-system temporary-storage policy and may remain in the app-private area until the next recording or OS cleanup. OpenAI’s currently published endpoint table states: no model training, no abuse-monitoring retention, and no application-state retention. It is not used for speaker identification or a voiceprint
Recognized text
How collected and why used: Returned by OpenAI transcription to our server and app and shown on the confirmation screen. Used to screen for identifying and unsafe content, for safety moderation and child-appropriate interpretation through OpenAI Moderations and Chat Completions, to make the artwork, and to show creation history to the guardian
Retention: We do not store it if generation is blocked. If generation succeeds, it is kept with the creation and deleted when the creation, profile, or account is deleted. OpenAI currently states no retention for Moderations; Chat Completions content may be kept in abuse-monitoring logs for up to 30 days
Constrained generation instruction
How collected and why used: Created by our server by limiting the recognized text to a child-appropriate drawing instruction and sent to OpenAI Images. Used for image generation and safety checks
Retention: We keep it with the creation and delete it with the creation, profile, or account. It may be kept in OpenAI abuse-monitoring logs for up to 30 days
Generated images and line art, coloring results, album and favorite records
How collected and why used: Created when generation, coloring, and save features are used. Used to display, store, download, and delete the child’s work
Retention: Database records and private-storage objects are deleted when the guardian deletes the creation, profile, or account
Credit ledger, product and transaction identifiers, and receipt-verification results
How collected and why used: Collected when an Apple App Store or Google Play purchase is verified. Used to grant credits, prevent duplicate grants, and handle refunds and accounting
Retention: Generally seven years from the day after the filing deadline for the relevant fiscal year and up to ten years where tax law requires. Links to child content are removed on account deletion; records are deleted after the period expires
Guardian support messages and replies, inquiry category/language, and app version, OS, and device model shown to the guardian before submission
How collected and why used: Collected when the guardian sends a 1:1 support inquiry. Used to answer the inquiry and investigate errors
Retention: Deleted with the support thread when the account is deleted
APNs/FCM push token and notification metadata
How collected and why used: Collected only when the guardian enables notifications in the guardian area. Used only for support-reply and credit-grant notifications
Retention: Deleted when notifications are withdrawn, the token expires or is rejected, or the account is deleted
Operational and security logs
How collected and why used: Automatically generated during API use: request ID, processing stage/status, latency, retry count, and error type. Used for reliability, security, and safety auditing
Retention: We do not log voice, recognized text, prompts, images, or email. Logs are ordinarily deleted within 30 days. Minimal records may be kept longer only as necessary for a security incident or legal duty
Safety-decision records
How collected and why used: Only the pipeline stage, outcome, and reason code are recorded. Used to audit safety and verify blocks
Retention: Kept while the account or creation exists. On deletion, the account link is removed and the record is anonymized; source content is not retained
Do not enter or say a real name, school, address, contact detail, or other identifying information in a nickname or creative voice request. Because OpenAI transcribes the audio before text screening can occur, if personal information is detected after transcription we stop later OpenAI moderation, interpretation, and image-generation calls and do not store the request, but cannot reverse transcription that has already occurred. Whether voice or generated content is personal information under applicable law depends on its content and whether it can be linked with other information, so we treat it as protected user data regardless.
4. AI Processing and What OpenAI Receives
Artwork generation follows these steps:
- The app sends the voice recording to our server. Our server sends the audio file, without account or profile identifiers, to OpenAI Audio Transcriptions to convert it to text. Our server does not persist the original audio in a database, application log, or artwork store. The app uses an app-private temporary file for recording and upload, and that file may remain until the next recording or operating-system cleanup.
- Our server first screens the recognized text for identifying information. If it is detected or the result is uncertain, generation stops without another OpenAI call or storage by us.
- Text that passes that screen is sent to OpenAI Moderations for harmful-content screening and to OpenAI Chat Completions to turn it into a short, child-appropriate drawing instruction.
- The constrained instruction, with safety guardrails, is sent to OpenAI Images to generate an image.
- The generated image is sent to OpenAI Moderations for output safety review. Only a safe result is stored in our private storage.
OpenAI receives the voice recording, recognized text, constrained generation instruction, and generated image. We do not send OpenAI:
- guardian email or authentication identifier;
- child nickname, birth year, avatar, or profile ID; or
- support messages, push tokens, or payment and transaction information.
We do not enable OpenAI settings that share API data for model training. Under OpenAI’s published policy, API inputs and outputs are not used for model training unless the customer explicitly opts in. Zero Data Retention (ZDR) is not enabled. OpenAI’s currently published endpoint-specific terms state:
- Audio Transcriptions and Moderations: no abuse-monitoring retention and no application-state retention.
- Chat Completions and Images Generations: no application-state retention; inputs and outputs may be retained in abuse-monitoring logs for up to 30 days.
OpenAI may retain data longer where required by law or reasonably necessary to protect its services or a third party. We exclude guardian and child account or profile identifiers from OpenAI requests, instruct guardians not to let a child say identifying information in a creative request, and stop further AI processing and storage if such information is detected after transcription.
Safety screening is automated and fails closed: if a result is uncertain, no artwork is generated. It does not make a decision that produces legal or similarly significant effects for a child.
5. Service Providers and Disclosures
We entrust or transmit only the minimum information necessary to the following providers.
Supabase
Role: Guardian authentication and database
Information and location: Guardian authentication data, child profile, consent record, recognized text, constrained instruction, artwork metadata, credits, and support data. Primary database in the Tokyo region
Google Cloud
Role: API hosting, generation queue, operational logs, and Android notification infrastructure
Information and location: Information processed by the server; generation jobs containing a creation ID and recognized text; minimal operational logs; FCM token and notification metadata. Core server and queue in the Tokyo region
Cloudflare R2
Role: Private artwork storage
Information and location: Generated images, line art, and coloring results. Uses an APAC location hint, but no particular country or Japan-only storage is guaranteed. Voice is never stored
OpenAI
Role: Speech transcription, text and image safety screening, child-appropriate interpretation, and image generation
Information and location: Voice recording, recognized text, constrained generation instruction, and generated image. No account or profile identifier is sent. The recipient is in the United States; processing may occur in the United States or other permitted locations. Audio Transcriptions and Moderations currently have no retention; Chat Completions and Images Generations may be kept for abuse monitoring for up to 30 days
Apple
Role: Sign in with Apple, App Store purchase verification, and APNs notifications
Information and location: Guardian authentication and transaction identifiers, receipt-verification information, device push token, and content-free notification metadata
Google
Role: Google sign-in, Google Play purchase verification, and FCM notifications
Information and location: Guardian authentication and transaction identifiers, purchase-token verification information, device push token, and content-free notification metadata
We do not permit providers to use data outside the stated purposes, sell it, use it for advertising, or use it for unauthorized model training. Through contracts and technical controls, we require confidentiality, security, deletion assistance, and protection equal to or greater than this Policy, and we supervise providers on an ongoing basis. We do not send personal information to a provider if we cannot verify those protections. Before a new provider processes personal information or a provider’s scope materially changes, we update this Policy and the consent screen and obtain renewed consent where required.
We do not send personal information or a support-inquiry identifier linkable to a person to any unlisted third-party webhook or notification service. We will give prior notice and obtain any required consent before introducing one.
6. International Processing and Transfers
Some providers are headquartered outside Japan or may process information outside Japan. Before consenting, a guardian can review the provider, information transferred, purpose, country or region, and safeguards on the consent screen and in this Policy.
- United States: OpenAI, Supabase, Cloudflare, Google, and Apple entities may be located or involved in processing there. The United States is not designated by Japan as a jurisdiction with a protection level equivalent to the APPI. Federal, state, and sector-specific privacy laws apply, and lawful government access may occur.
- EU/EEA and United Kingdom: Where processing occurs there, the region’s data-protection laws and the provider’s contractual safeguards apply.
- Cloudflare R2 APAC storage: The exact storage country cannot be identified in advance because the service is distributed. We use private buckets, encryption in transit and at rest, short-lived signed URLs, restricted access, contractual safeguards, and ongoing review.
Where required by the APPI or another applicable law, we obtain prior guardian consent or use a contractual and supervisory framework that requires the foreign provider to continuously implement measures equivalent to those under the APPI. A guardian may request current information about providers and safeguards at [email protected].
7. Guardian Consent and Withdrawal
- After signing in, the guardian must review the information sent, recipient, purpose, retention conditions, this Policy, and the Terms on an adult-facing consent screen and actively press [Agree and continue].
- The server records the consent time and each document version. Before consent to the current versions, the Service does not allow child-profile creation, artwork generation, AI transfer, or payment.
- A material change increments the version, blocks the Service again, and requires renewed consent.
- A guardian may withdraw consent at any time by deleting the account in the guardian area or contacting [email protected]. We do not offer a separate dormant-account state. Withdrawal therefore stops future processing and deletes the account and child data. Transaction records that must be retained by law are disconnected from child content and kept only for the required period.
8. Guardian Rights and Deletion
A guardian may request notice of purpose, access or a copy, correction, suspension of use, suspension of third-party disclosure, or deletion of information concerning the guardian and child. Where applicable law grants additional rights, such as portability, restriction, or objection, those rights may also be exercised.
- Delete a child profile or creation: guardian area in the app
- Delete the whole account and withdraw consent: guardian area in the app or [email protected]
- Other rights requests and complaints: [email protected]
We request only information reasonably necessary to verify the requester’s identity and guardian authority. Account deletion removes app data, child profiles, recognized text, generation instructions, support threads, and private-storage artwork, and also deletes or revokes the SayDraw authentication account and active sessions managed by Supabase. It does not delete the guardian’s Apple ID or Google Account itself. If a step fails, the deletion request remains recorded and is retried until completion. A provider log that we cannot delete individually at once, such as OpenAI’s abuse-monitoring log, expires under that provider’s published retention period.
We ordinarily charge no fee for a rights request. If applicable law permits recovery of a reasonable actual cost in an exceptional case, we give advance notice of the amount and basis.
9. Security
We use encryption in transit, private storage, least-privilege access, server-only API keys, short-lived signed URLs, guardian-account access controls, log filtering, retryable deletion, and fail-closed generation. If a personal-data incident occurs, we make any report or notice required by applicable law to Japan’s Personal Information Protection Commission (PPC), affected guardians, and other relevant authorities.
No system can guarantee absolute security, but we continuously review safeguards appropriate to the sensitivity of children’s data.
10. No Advertising, Tracking, or Sale
The Service does not use third-party advertising SDKs, IDFA-based advertising, behavioral targeting of children, data-broker sales, public profiles, or a public feed. We do not use children’s data outside the account, creation, safety, payment, and support functions necessary to operate the Service.
11. Availability and Children’s Protection
Initial distribution is limited to the countries and regions we enable in the app stores. We do not offer the child-directed Service in the United States until controls required by U.S. law, including verifiable parental consent where applicable, are implemented. When offering the Service in another jurisdiction, mandatory local law prevails over this Policy and we implement any required guardian-consent and rights process before collection begins.
12. Changes and Contact
We announce changes and their effective date in the app or on the website. If there is a material change to the categories collected, purposes, third parties, international transfers, retention, or processing of children’s data, we stop the affected processing until the guardian consents to the new version.
Privacy inquiries and rights requests: [email protected]
Japan Personal Information Protection Commission: www.ppc.go.jp