Erasa Privacy Policy

1. Introduction

Erasa provides comprehensive digital content protection services worldwide, including breach monitoring, reverse image matching, impersonation detection, search engine listing removal, and assistance with taking down unauthorized content. Our mission is to empower users to protect their digital content while upholding the highest standards of privacy and data security principles.

This Privacy Policy applies to all visitors, registered users, and individuals who use the Services (hereinafter referred to as "you"), regardless of your country or region of residence. It describes how we collect and process personal information (defined as any information relating to an identified or identifiable individual), including data related to your account, device, and any content you voluntarily upload to the platform. By accessing or using the Services, you confirm that you have read, understood, and agree to the practices described in this Policy.

For users accessing the Services from regions with specific data protection laws, such as the European Economic Area (EEA), the United Kingdom, California, or Brazil, we have implemented additional safeguards to ensure compliance with local requirements. If regional laws impose more stringent obligations, such requirements shall take precedence.

2. Details of Data Processing

We collect and process personal information only for legitimate, necessary purposes consistent with the Services we provide. We adhere to the principles of "data minimization" (collecting only the information needed) and "purpose limitation" (using data only for the stated purposes), which are required by global privacy regulations. Below is a detailed description of our data processing activities:

2.1 Account Creation and Eligibility Verification

When creating an Erasa account, we need to verify your registration eligibility and establish your user profile. This processing is necessary to fulfill the contract between you and us (i.e., providing the Services you request). Specifically, we use your information to:

• Verify that you meet the minimum age requirement for registering as an Erasa user (13 years old, or higher as required by your jurisdiction) and have the legal capacity to enter into agreements.

• Create and manage your account, login credentials, and user settings.

• Authenticate your identity during the login process to prevent unauthorized account access.

• Send important account-related information, such as password resets, subscription updates, or security alerts.

2.2 Provision and Improvement of Services

The core purpose of collecting personal information is to provide and enhance the Services you use. This processing is necessary to fulfill our contractual obligations to you and to pursue our legitimate interests in providing high-quality, secure Services. We use your personal information to:

• Provide the specific Services you request, including breach detection, content monitoring, reverse image search, and removal assistance.

• Process payments and manage service subscriptions, including issuing invoices, billing cycles, and payment confirmations (in collaboration with our payment processors).

• Respond promptly to your requests, feedback, or customer support inquiries. This includes resolving technical issues, addressing account problems, and answering questions about the Services.

• Improve Service performance, stability, and user experience by analyzing usage patterns, identifying areas for improvement, and testing new features.

• Personalize your experience by adjusting Service features according to your preferences (e.g., saving your search criteria or notification settings).

2.3 Device-Level Access (Requiring Your Explicit Permission)

Certain features of the Services require temporary access to content on your device. We will only request such access when performing specific functions explicitly requested by you, and we will always obtain your prior consent before accessing any device content. This processing is based on your consent, which you can withdraw at any time through your device settings. Examples of device-level access include:

• Accessing images, photos, or screenshots you wish to upload for breach detection or reverse image search.

• Accessing files needed for similarity searches (e.g., documents or media files you suspect have been shared without authorization).

• Accessing device storage (only if explicitly authorized by you) to temporarily store processed data or save report results to your device.

We will never access or collect device content beyond what is necessary to perform the explicitly requested action. After the action is completed, all temporary access to device content will be revoked, and no residual data will be retained unless you choose to save it.

2.4 Information You Provide Directly

We collect information that you voluntarily provide to us when using the Services. This includes information you submit during account registration, when using Service features, or when contacting our support team. This processing is based on your consent or is necessary to fulfill our contractual obligations. Categories of information you may provide directly include:

2.4.1 Contact and Account Information

When registering an account or updating your profile, you may provide contact information such as your full name, email address, phone number, and mailing address (if required for billing or service delivery). You also create account credentials, including a username and password, and can set preferences such as notification frequency or language.

2.4.2 Uploaded Content

A key feature of the Services is the ability to upload content for monitoring or protection. Such content may include:

• Images or videos you voluntarily upload to check for unauthorized distribution online.

• Screenshots or samples of content you suspect has been breached or misused.

• Documents required for impersonation or misuse reports (e.g., copies of fake profiles or unauthorized posts).

2.5 Automatically Collected Information

When you access or use the Services, we may automatically collect certain information about your device, usage, and interactions with the platform. This processing is based on our legitimate interests in maintaining the security, performance, and functionality of the Services and improving the user experience. Automatically collected information includes:

• Device identifiers and hardware information: Unique identifiers associated with your device (e.g., IMEI, MAC address), device model, operating system version, and hardware specifications.

• Network and technical information: Your IP address, browser type and version, internet service provider (ISP), and system configuration (e.g., screen resolution, language settings).

• Usage data: Information about how you interact with the Services, such as page views, search queries, navigation paths, time spent on each feature, and the order in which features are used.

• Interaction data: Detailed information about your interactions with specific elements of the Services, such as clicks, taps, or form submissions.

• Approximate location: Country or region inferred from your IP address (we do not collect precise location data such as GPS coordinates unless you explicitly provide it).

We use this automatically collected data for the following purposes:

• Security monitoring and fraud prevention, including detecting and blocking unauthorized access attempts, suspicious activities, or potential vulnerabilities.

• Diagnosing technical issues and improving the performance and stability of the Services (e.g., identifying features that cause errors or slowness).

• Analyzing user behavior to understand how the Services are used, identify trends, and drive data-informed improvements to the user experience.

• Personalizing content and features (e.g., showing you relevant help articles or updates based on your usage patterns).

You can control the collection of certain automatically collected information by adjusting your browser settings (e.g., disabling cookies), but this may affect the availability of certain features of the Services.

3. Data Collected During Content Monitoring ("Data Scraping")

To provide breach detection, impersonation detection, or content monitoring services (excluding the image/portrait reverse image search described in Section 4), Erasa and its authorized third-party service providers may conduct limited data scraping of publicly available online sources. This processing is based on our legitimate interest in providing the Services you request and complies with applicable laws and website terms of service. The data scraping activities of us and our third-party service providers include:

• Indexing publicly available URLs from websites, social media platforms, forums, and other online services that allow scraping.

• Extracting publicly accessible thumbnails or preview images associated with these URLs.

• Analyzing page titles, metadata, or cached copies of publicly available content to determine if it matches the content you uploaded.

• Scanning text descriptions, tags, or public links to identify potential unauthorized use of your content.

• Detecting instances of unauthorized appearance of the images or content you uploaded.

Important Limitations on Data Scraping: We and our third-party service providers strictly adhere to the following rules when scraping data:

• We do not bypass paywalls, login requirements, or other access controls that restrict access to non-public content.

• We do not access private accounts, password-protected pages, or non-publicly available content.

• We do not collect non-publicly available personal data, such as private messages, contact information, or other sensitive data.

• We do not use scraped data for purposes unrelated to providing the Services (e.g., marketing or data resale).

All data collected during scanning is used solely for: (1) detecting unauthorized content that matches the materials you uploaded; (2) generating detailed reports for you; (3) providing content removal assistance upon request. After the monitoring period ends or you delete your account, Erasa and its third-party service providers will securely delete all scraped data related to your content.

4. Image/Face Reverse Search: Processing, Third-Party Authorization, and Regional Restrictions

The reverse image search feature for images containing your portrait is a special feature of the Services, subject to additional privacy safeguards and regional restrictions. This section outlines the processing of this feature, your authorization to third-party service providers, and applicable regional restrictions.

4.1 Feature-Specific Processing Details

When you use the reverse image search feature for images containing your portrait, we implement strict processing protocols to protect your privacy:

• Non-Biometric Processing: All processing for this feature is non-biometric and is solely used to compare the visual similarity between the image you uploaded and online sources. Erasa does not perform facial recognition, identify individuals, or determine personal identities from uploaded images.

• No Extraction of Biometric Data: We do not extract or store biometric identifiers, facial geometry, or similar biometric data from images uploaded for this feature. Only visual features necessary for similarity comparison are processed, and these features are discarded immediately after analysis is completed.

• Temporary Storage: Uploaded images used for reverse image search are automatically deleted within 24-48 hours after analysis is completed. If you choose to save the search results, only the report (not the original uploaded image) is stored in your account.

• Prohibited Uses: We will never use images uploaded for this feature to train artificial intelligence (AI) models, create internal datasets, build recognition systems, or for law enforcement/monitoring purposes (unless required by law and legally permitted).

4.2 Third-Party Service Provider Authorization

Erasa does not directly conduct data scraping or processing for the image/portrait reverse image search feature. Instead, this feature is provided by authorized third-party service providers with expertise in visual similarity analysis. By using this feature, you explicitly authorize Erasa to engage Third-Party Service Providers to perform the following functions on your behalf:

• Temporarily process the images you upload to conduct visual similarity searches across publicly available online sources.

• Generate search results indicating potential matches for the images you uploaded.

• Transmit the search results to Erasa for delivery to your account in the form of a report.

All Third-Party Service Providers are contractually obligated to adhere to the same privacy standards as Erasa, including:

• Data minimization and non-retention of uploaded images after processing.

• Prohibition on using your data for AI training, dataset creation, or unrelated purposes.

• Implementation of industry-standard security measures to protect your information.

• Compliance with applicable data protection laws and regulations.

4.3 Regional Restrictions for This Feature

Due to varying regional regulations on image processing and biometric data, the image/portrait reverse image search feature may be restricted, constrained, or unavailable in certain jurisdictions. These jurisdictions include but are not limited to:

• Countries in the European Economic Area (EEA) due to restrictions under the General Data Protection Regulation (GDPR) on certain types of image processing.

• The United Kingdom, pursuant to UK GDPR.

• Belgium and Luxembourg, which have implemented strict regulations on facial recognition and image analysis.

• Specific U.S. states, including Illinois (Biometric Information Privacy Act, BIPA), Texas (Capture or Use of Biometric Identifiers Act), and Washington (Biometric Information Privacy Act).

• Other regions with restrictive laws on non-biometric image similarity analysis of portrait-related content.

If this feature is restricted in your region, it will be automatically disabled in your account. You agree not to use VPNs, proxy servers, or other methods to bypass these regional restrictions. Attempting to circumvent such restrictions may result in account suspension or termination.

5. Disclosure or Sharing of Personal Information

Erasa values your privacy and will not share your personal information with third parties except as described in this section. We only disclose personal information when necessary to provide the Services, comply with legal obligations, or protect our legitimate interests. The following are circumstances in which we may share your information:

5.1 Group Companies and Affiliates

We may share your personal information with affiliated companies (e.g., parent companies, subsidiaries, or sister companies) to provide the Services, offer support, and maintain security features. All affiliated companies are bound by this Privacy Policy and strict confidentiality obligations, and may only use your information for the same purposes as Erasa.

5.2 Third-Party Service Providers

We engage authorized third-party service providers to assist in operating the Services, performing business functions, or providing support. These third-party service providers are carefully selected and contractually obligated to protect your personal information. Examples of third-party service providers include:

• Secure cloud storage providers (for storing your account information and report results).

• Payment processing providers (for processing subscription payments and billing).

• Customer support platforms (for managing and responding to your support inquiries).

• Security and analytics providers (for monitoring fraud and improving the Services).

Obligations of Third-Party Service Providers: All third-party service providers are contractually required to:

• Adhere to the principle of data minimization, processing only the minimum amount of data necessary.

• Comply with binding contractual confidentiality obligations and implement appropriate security measures.

• Allow Erasa to audit their data processing activities to ensure compliance.

We do not permit third-party service providers to retain, use, or disclose your personal information for any purposes beyond the scope of their collaboration with Erasa.

5.3 Legal and Regulatory Authorities

We may disclose your personal information if required by law, regulation, or valid legal order (such as a court order, subpoena, or search warrant). We may also disclose information to law enforcement or regulatory authorities if we reasonably believe such disclosure is necessary to: (1) comply with applicable legal obligations; (2) enforce our Terms of Service or other agreements; (3) prevent or investigate fraud; (4) protect the security, rights, or property of Erasa, our users, or the public; or (5) respond to emergencies.

In such cases, we will only disclose the minimum amount of information necessary to comply with the request and will take reasonable steps to verify the legality of the request before disclosing any data.

5.4 Sale of Personal Information

Erasa does not sell your personal information to third parties for marketing or commercial purposes, and will never do so without obtaining your explicit consent. This includes not selling your contact information, account data, or uploaded content to advertisers, data brokers, or other entities.

6. Retention of Personal Information

We retain your personal information only for the period necessary to provide the Services you request or as required by applicable law. This is referred to as the "retention period." After the retention period expires, we will securely delete or anonymize your personal information to ensure it is no longer associated with you. Our retention practices are as follows:

6.1 Retention of Uploaded Images

Uploaded images (including those used for reverse image search) are automatically deleted within 24-48 hours after analysis is completed. If you explicitly choose to save the report, only the report (which may include thumbnails of matching content but not the original uploaded image) is stored in your account. Saved reports will be retained for the duration of your account's active status or until you delete the report.

6.2 Retention of Account Information

Your account information (such as contact details, username, and preferences) is retained for the duration of your account's active status. If you terminate your account, we will delete your account information within 30 days, unless法律 requires retention for a longer period. We may retain certain limited information (such as transaction records) for tax, accounting, or legal compliance purposes, but such information will be anonymized where possible.

6.3 Retention of Automatically Collected Data

Automatically collected data (such as device information, usage data, and interaction data) is retained for up to 12 months from the date of collection. After this period, the data will be securely deleted or anonymized (e.g., removing identifiers that can be associated with you) and used for aggregated analysis to improve the Services.

6.4 Retention of Scraped Data During Monitoring

Data collected during content monitoring (such as URLs, thumbnails, and metadata) is retained only for the duration of your active monitoring request. If you cancel the monitoring service or delete your account, all scraped data related to your content will be securely deleted within 7 days.

6.5 Secure Deletion Practices

When personal information is no longer needed, we securely delete it using industry-standard methods, including overwriting data on physical storage devices and permanently deleting data in cloud storage systems. Anonymized data that cannot be associated with any individual may be retained indefinitely for analytical purposes.

7. Your Rights Regarding Personal Information

Depending on your country or region of residence, you may have certain rights regarding personal information under applicable data protection laws. We are committed to helping you exercise these rights promptly and effectively. Below is an overview of the rights you may have, along with information on how to exercise them:

7.1 Key Rights Under Global Privacy Laws

• Right of Access: You have the right to request access to the personal information we hold about you, including details on how it is collected, used, and shared.

• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.

• Right to Erasure ("Right to be Forgotten"): You have the right to request that we delete your personal information, subject to certain exceptions (e.g., if we are required by law to retain it).

• Right to Restriction of Processing: In certain circumstances (e.g., if you dispute the accuracy of the data), you have the right to request that we restrict the processing of your personal information.

• Right to Object to Processing: You have the right to object to the processing of your personal information for certain purposes, such as direct marketing or based on our legitimate interests.

• Right to Withdraw Consent: If we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

• Right to Data Portability: You have the right to request that we provide you with a copy of your personal information in a structured, machine-readable format, or to transmit it directly to another data controller if technically feasible.

7.2 Region-Specific Rights

For users residing in specific regions, additional rights may apply:

• Users in the European Economic Area and the United Kingdom: Your rights are governed by the General Data Protection Regulation (GDPR) and UK GDPR, respectively. We only process your personal information if we have a lawful basis (e.g., consent, contractual necessity, or legitimate interest).

• Users in California: Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), you have the right to opt out of the sale of personal information (though we do not sell your information), request disclosure of the categories of personal information we collect and share, and request deletion of your personal information. You also have the right not to be discriminated against for exercising your rights under CCPA/CPRA.

• Users in Brazil: Under Brazil's General Data Protection Law (LGPD), you have rights similar to those under GDPR, including the right to access, correct, and delete your personal information, as well as the right to withdraw consent and file complaints with Brazil's data protection authority (ANPD).

7.3 How to Exercise Your Rights

To exercise any of the above rights, please submit a request through the official support channel on our website. You can find the support form by logging into your account and navigating to the "Help" or "Privacy" section. When submitting a request, please provide sufficient details to allow us to verify your identity (e.g., your registered email address, account username) and understand the nature of your request.

We will respond to your request within 30 days of receipt. If we need more time to process your request (up to an additional 30 days), we will notify you of the delay and the reason for it. We will not charge a fee for processing your request unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.

8. Minors

Erasa does not intentionally collect or process personal information from individuals under the age of 18 ("the age of majority" in most jurisdictions). Our Services are not directed at minors. If you are under 18, you may not use the Services or provide any personal information to us without the explicit consent and supervision of a parent or legal guardian.

If we discover that we have collected personal information from a minor without parental consent, we will immediately take steps to delete that information from our systems. If you are a parent or legal guardian and believe your child has provided personal information to us without your consent, please contact us through our support form to request deletion of that information.

9. Security Measures

We implement industry-standard technical and organizational security measures to protect your personal information from unauthorized access, use, disclosure, modification, or destruction. While no system is 100% secure, we strive to maintain the highest possible level of security. Our security measures include:

• Encrypted Transmission: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.3, the latest and most secure encryption protocol.

• Access Controls: We only grant access to personal information to employees, contractors, and third-party service providers who need it to perform their job functions. Access rights are based on the "need-to-know" principle and are protected by strong authentication measures (e.g., multi-factor authentication, complex passwords).

• Segmented Storage Environment: Personal information is stored in a segmented, secure environment with restricted network access. Cloud storage providers are selected based on their strong security practices and compliance with global standards (e.g., ISO 27001, SOC 2).

• Security Logging and Monitoring: We maintain security logs of system activities and regularly monitor these logs to detect suspicious behavior or unauthorized access attempts. We also use intrusion detection and prevention systems to identify and block potential threats.

• Data Minimization and De-identification: We only collect and store the minimum amount of personal information necessary to provide the Services, and de-identify or anonymize data where possible.

• Regular Security Audits and Updates: We conduct regular security audits and vulnerability assessments to identify and address potential weaknesses. Our systems and software are regularly updated with security patches to protect against known threats.

Your Role in Security: You also play an important role in protecting your personal information. Please keep your account password confidential and do not share it with others. If you suspect that your account has been compromised or your personal information has been accessed without authorization, please notify us immediately through our support channel.

Please note that despite all reasonable steps we take to protect your information, transmitting data over the Internet inherently involves risks, and we cannot guarantee the absolute security of your information during transmission.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, the Services, or applicable laws and regulations. When we make changes to the Policy, we will:

• Update the "Last Updated" date at the top of this page to indicate when the changes were made.

• Notify registered users of material changes at least 7 days (or as required by law) before the changes take effect, via email, in-app notification, or a prominent notice on our website.

• Provide a summary of the key changes to help you understand how they affect your privacy rights.

Continuing to use the Services after the updated Privacy Policy takes effect constitutes your confirmation that you have read, understood, and agreed to the revised terms. If you do not agree to the changes, you may terminate your account and stop using the Services at any time.

We encourage you to review this Privacy Policy regularly to stay informed about our data practices.

11. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or your personal information, please contact contact us by email at: [email protected].