Privacy Policy
Last Updated: May 1, 2026 | Effective Date: May 1, 2026
Xross Road Inc., a Delaware corporation (“Company,” “we,” “us,” or “our”), takes the protection of personal information seriously and has established this Privacy Policy (this “Policy”) for users (“you” or “User”) of the AI vertical-scroll comic creation platform “HANASEE” (the “Service”). This Policy applies to U.S. users of the Service.
This Policy explains what personal information we collect, how we use, disclose, and protect it. Your use of the Service constitutes your agreement to this Policy.
IMPORTANT: California residents have additional rights under the California Consumer Privacy Act (as amended by the CPRA), as set forth in Section 11 of this Policy. Residents of Virginia, Colorado, Connecticut, Utah, and other states whose laws confer specific privacy rights should review Sections 12 and 13.
Section 1. Company Information
| Item | Details |
| Company Name | Xross Road Inc. (a Delaware corporation) |
| Address | 838 Walker Road Suite 21-2, Dover, Delaware 19904, USA |
| Representative | Yosuke Utsumi |
| Contact | inquiry@hanasee.com |
Section 2. Personal Information We Collect
In providing the Service, we collect the following information.
2.1 Account Information
- Email address
- Username (display name)
- Password (stored as a hash)
- Profile information (if you choose to provide it)
- Confirmation that you are at least 18 years old (timestamp of the checkbox confirmation)
2.2 Payment Information
- Purchase and transaction history
- Subscription details
- Billing address (including state and ZIP code)
- Credit card numbers are not stored by us. Payment processing is handled by Stripe, Inc., and card data is held by Stripe.
2.3 Usage Data
- Vertical-scroll comic generation history
- Credit consumption and balance history
- Activity logs (how you use Service features)
- Public content and content you submit to the Service
2.4 Device and Log Information
- IP address
- Browser type, version, and language settings
- Operating system information
- Access dates and times
- Cookies and similar technologies
2.5 Communications
- Customer support inquiries
- Email correspondence
2.6 Google Account Information
When users choose to sign in to HANASEE using Google Sign-In, we may collect and use certain information associated with the user’s Google account, including the user’s name, email address, profile image, and Google account identifier.
We use this information solely for the purposes of user authentication, account creation, account management, login session management, fraud prevention, security, and providing the HANASEE service.
We do not use Google account information for advertising purposes. We do not sell Google user data to third parties. We do not share Google user data with third parties except where necessary to provide, secure, or maintain the Service, or where required by law.
Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Section 3. CCPA/CPRA Categories of Personal Information Collected
Under the California Consumer Privacy Act (as amended by the CPRA, Cal. Civ. Code §§ 1798.100 et seq.), we disclose the categories of personal information we have collected in the past 12 months as follows.
| CCPA Category | Examples of Information Collected | Sources |
| A. Identifiers | Name, email address, Account ID, IP address | Directly from you; automatic collection |
| B. Customer records (Cal. Civ. Code §1798.80(e)) | Billing address, payment information | Directly from you; Stripe |
| C. Characteristics of protected classifications | Age (only confirmation that you are 18+; gender, race, religion, disability, marital status, etc. are not collected) | Directly from you |
| D. Commercial information | Purchase history, subscription information | Directly from you; Stripe |
| E. Biometric information | Not collected | — |
| F. Internet activity information | Browsing history, search history, activity logs on the Service | Automatic collection |
| G. Geolocation data | Approximate region inferred from IP address | Automatic collection |
| H. Audio / visual information | Not collected | — |
| I. Professional / employment information | Not collected | — |
| J. Education information | Not collected | — |
| K. Inferences | Inferences about your preferences and interests | Automatic collection and analysis |
| L. Sensitive Personal Information (CPRA) | Not collected (no SSN, precise geolocation, race, health information, etc.) | — |
Section 4. How We Use Personal Information
We use the personal information we collect for the following purposes (the “business and commercial purposes” under the CCPA/CPRA):
- Providing, operating, improving, and promoting the Service (including advertising and marketing, under Section 8 of the Terms of Service)
- Managing and authenticating user accounts
- Processing payments and managing billing (including subscription auto-renewal)
- Granting, consuming, and managing the expiration of Credits
- Responding to customer support requests
- Analyzing usage and improving Service quality
- Preventing fraud and ensuring security
- Complying with legal requirements (including responses to subpoenas and court orders)
- Sending important notices and Service-change announcements (including auto-renewal pre-notices required by California ARL/AB 2863)
- Marketing communications (we provide an opt-out mechanism in compliance with the CAN-SPAM Act)
- Improving and training our AI models
Section 5. Disclosure and Sharing of Personal Information
We disclose or share your personal information with third parties only in the following circumstances.
5.1 Service Providers
We engage the following providers to process data as necessary to operate the Service.
| Service Provider | Purpose | Information Provided | Country |
| Stripe, Inc. | Payment processing | Payment-related information | United States |
| Google LLC (Google Analytics) | Web analytics | Usage data, device information | United States |
| Amazon Web Services, Inc. | Infrastructure and data storage | All data (encrypted at rest) | Japan (Tokyo region) |
| Cloudflare, Inc. | Content delivery, security, and geo-blocking | IP address, access information | United States |
5.2 Disclosure Required by Law
We may disclose personal information in the following situations:
- In response to subpoenas, court orders, or valid law-enforcement requests
- To comply with legal obligations
- To protect the rights, property, or safety of the Company, our users, or third parties
- In emergencies (to protect life or physical safety)
5.3 With Your Consent
We may share information with your prior consent.
5.4 Business Transfers
In connection with a merger, acquisition, business transfer, corporate reorganization, bankruptcy reorganization, or similar transaction, we may disclose personal information as part of the business assets. In that case, we will provide advance notice as required by applicable law (including the notice obligations under the CCPA/CPRA and other state laws).
5.5 De-Identified or Aggregated Information
We may use and disclose, without restriction, de-identified information or aggregated information that cannot reasonably be used to identify you.
5.6 Sharing and Disclosure of Google Account Login Information
We do not sell, rent, or disclose to third parties any information obtained through Google account login, except where required by law or where necessary to provide the Service.
We also do not share such information for advertising, with data brokers, or for any independent purposes of third parties.
If we entrust the processing of such information to external service providers, we will exercise necessary and appropriate supervision over such providers.
Section 6. Sale or Sharing of Personal Information — “Do Not Sell or Share My Personal Information”
We do not sell or share your personal information with third parties as those terms are defined in the CCPA/CPRA.
Specifically:
- We do not sell personal information for monetary consideration.
- We do not share personal information for cross-context behavioral advertising.
If we ever begin to sell or share personal information in the future, California residents will have the right to opt out as described in Section 11 of this Policy.
Section 7. Data Storage
7.1 Storage Location
Your personal information is stored on Amazon Web Services servers in the Tokyo region. As a Delaware corporation, we have implemented appropriate safeguards for international data transfers (see Section 10).
7.2 Retention Periods
| Data Type | Retention Period |
| Account information | 1 year after Account termination (to support recovery and disclosure requests) |
| Payment and transaction records | Retention period required by U.S. federal tax law and other applicable laws (up to 7 years) |
| Credit balance and consumption history | 90 days after expiration of each Credit |
| Usage data | Deleted within 90 days of Account termination |
| Device information and logs | 1 year from collection |
| Consent logs (records of acceptance of the Terms of Service) | 3 years (in compliance with California ARL/AB 2863 requirements) |
| DMCA notice records | 3 years from receipt |
7.3 Security
We have implemented the following technical and organizational measures to protect personal information:
- AES-256 encryption at rest
- TLS encryption in transit
- Access controls and audit-log management
- Privacy training for employees
- Regular security audits
However, no method of internet transmission or online storage is 100% secure, and we cannot guarantee absolute protection.
Section 8. General User Rights
Regardless of your state of residence, you have the rights below. Where state law provides additional rights, see Sections 11–13.
- Right of access — request disclosure of the personal information we hold about you.
- Right to correct — request correction of inaccurate personal information.
- Right to delete — request deletion of your personal information (except where we are required by law to retain it).
- Opt-out of marketing communications — under the CAN-SPAM Act, all commercial emails include an unsubscribe link.
How to Exercise Your Rights
- Contact: <inquiry@hanasee.com> (subject: “Privacy Request”)
- Verification: by message from your registered email address or via Account authentication
- Response time: we will respond within a reasonable period after receipt. Where state law specifies a deadline, we will follow that deadline (California, Virginia, Colorado, and Connecticut residents: see Sections 11–12).
- Fees: we do not charge any fee to exercise these rights.
Section 9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide and improve the Service.
9.1 Types of Cookies We Use
| Type | Purpose | Provider |
| Strictly necessary | Maintaining login state, security | We (first-party) |
| Functional | Storing language and user preferences | We (first-party) |
| Analytics | Analyzing usage and improving the Service | Google LLC (third-party) |
| Performance | Measuring site performance and optimizing delivery | Cloudflare, Inc. (third-party) |
9.2 Managing Cookies
- You can disable cookies through your browser settings (some features may become unavailable).
- You may opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout
- Global Privacy Control (GPC) signals: we honor GPC signals sent by your browser as an indication of your opt-out of sale or sharing under the CCPA/CPRA.
Section 10. International Data Transfers
We are a Delaware corporation, and some data is transferred and processed internationally as follows:
- United States: data processing by Stripe, Google, and Cloudflare
- Japan: data storage on Amazon Web Services (Tokyo region)
These transfers are made in accordance with applicable laws (U.S. federal law, state laws, and the laws of the recipient country). We confirm that appropriate data-protection measures (encryption, access restrictions, etc.) are in place at the transfer destinations.
Section 11. Rights of California Residents
If you are a California resident, you have the additional rights below under the California Consumer Privacy Act (as amended by the CPRA, Cal. Civ. Code §§ 1798.100 et seq.).
11.1 Right to Know
You may request the following about the personal information we collected, used, or disclosed in the past 12 months:
- Categories of personal information collected (see Section 3)
- Categories of sources from which it was collected
- Business or commercial purposes for collection or disclosure
- Categories of third parties with whom we shared personal information
- Specific pieces of personal information collected
11.2 Right to Delete
You may request deletion of personal information we hold about you (except where an exception under CCPA § 1798.105 applies).
11.3 Right to Correct (CPRA)
You may request correction of inaccurate personal information.
11.4 Right to Opt Out of Sale or Sharing
We do not sell or share personal information (see Section 6). If we ever begin to do so, California residents will have the right to opt out.
11.5 Right to Limit Use of Sensitive Personal Information (CPRA)
We do not collect Sensitive Personal Information (see Section 3, Category L). If we ever begin to do so, you will have the right to request that its use be limited.
11.6 Right to Non-Discrimination
We will not discriminate against you in service quality, pricing, or otherwise because you exercised any of the rights described above.
11.7 No Financial Incentives
We do not offer financial incentives (such as discounts or perks) in exchange for the provision, retention, consent, or opt-out of personal information.
11.8 How to Exercise These Rights
- Contact: <inquiry@hanasee.com> (subject: “CCPA Request”)
- Response time: within 45 days of receipt (extendable by an additional 45 days)
- Verification: message from your registered email address plus Account authentication
- Authorized agents: requests may be submitted by an authorized agent (proof of authorization required)
11.9 Shine the Light Act (Cal. Civ. Code § 1798.83)
As stated in Section 6, we do not share personal information with third parties for their direct marketing purposes. We therefore have no disclosures to make under the Shine the Light Act.
Section 12. Rights of Virginia, Colorado, and Connecticut Residents
Residents of Virginia (Virginia Consumer Data Protection Act, “VCDPA,” Va. Code § 59.1-575 et seq.), Colorado (Colorado Privacy Act, “CPA”), and Connecticut (Connecticut Data Privacy Act, “CTDPA”) have the following rights:
- Right of access — to confirm the processing of, and to access, personal data.
- Right to correct — to request correction of inaccurate personal data.
- Right to delete — to request deletion of personal data.
- Right to data portability — to receive personal data in a structured format.
- Right to opt out of certain processing:
- targeted advertising;
- the sale of personal data; and
- profiling that produces significant decisions.
- Right to appeal — to use our internal appeal process for our decisions.
How to Exercise These Rights
- Contact: <inquiry@hanasee.com> (subject: “State Privacy Request”)
- Response time: within 45 days (extendable by an additional 45 days)
- Appeals: if you are not satisfied with our response, you may appeal to your state attorney general’s office.
Section 13. Rights of Utah and Other State Residents
Residents of Utah (Utah Consumer Privacy Act, “UCPA”) and other states whose laws confer specific privacy rights have similar privacy rights under those laws. For details, please contact <inquiry@hanasee.com>.
Section 14. Minors and Children’s Privacy
The Service is intended for users 18 years of age or older. (See Section 4.2 of the Terms of Service.)
- Use by individuals under 18: if we discover that a person under 18 is using the Service, we will promptly suspend the account and delete the personal information.
- COPPA compliance: in particular, we do not knowingly collect personal information from children under 13 in compliance with the U.S. Children’s Online Privacy Protection Act (“COPPA,” 15 U.S.C. §§ 6501–6506) and the FTC’s implementing regulations (16 C.F.R. Part 312, including the amendments effective June 23, 2025). If you believe we have collected personal information from a child under 13, a parent or legal guardian should contact us at <inquiry@hanasee.com>.
Section 15. Changes to This Policy
We may modify this Policy in response to legal changes, changes to the Service, or other circumstances.
- Minor changes: notified by posting on the Service; effective 30 days after posting.
- Material changes: notified at least 30 days before the effective date by email to your registered address and by posting on the Service.
Your continued use of the Service after the effective date of the modified Policy constitutes your acceptance of the modified Policy.
Section 16. Contact Us
For questions about this Policy, to exercise your privacy rights, or for other comments and complaints, please contact:
- Email: <inquiry@hanasee.com>
- Company: Xross Road Inc. (a Delaware corporation)
- Representative: Yosuke Utsumi
- Address: 838 Walker Road Suite 21-2, Dover, Delaware 19904, USA
Section 17. Governing Law and Jurisdiction
- This Policy is governed by the laws of the State of Delaware, excluding its conflict-of-laws principles.
- Disputes related to this Policy will be resolved in accordance with Section 17 (Dispute Resolution; Arbitration; Class-Action Waiver) and Section 18 (Governing Law and Jurisdiction) of the Terms of Service.
- Special Provisions for California Residents: in compliance with California Senate Bill 940 (effective January 1, 2025), the special provisions in Section 18.5 of the Terms of Service apply to California residents.
Effective Date: May 1, 2026