PRIVACY POLICY
Privacy Policy
Last updated: April 4, 2026
1. Data Controller
| Company Name | Mirai Studio Inc. |
| Address | 3F, 3-21-7 Kanda Jimbocho, Chiyoda-ku, Tokyo 101-0051, Japan |
| Representative | CEO Shunichiro Kaneshiro |
| Contact | figmee@miraistudio.co.jp |
2. Personal Information We Collect
Our service (figmee, hereinafter "the Service") collects the following personal information.
- Email address (at account registration)
- Password (stored encrypted)
- Display name (when setting profile)
- Shipping information (name, address, postal code) (when purchasing figurines)
- Payment information (payment processing is handled by Stripe Inc., and credit card information is not stored on our servers)
- Uploaded images
- Information on service usage
- Access logs (IP address, browser information, referrer, etc.)
3. Purpose of Use
We use the collected personal information within the scope of the following purposes.
- Provision, operation, and maintenance of the Service
- User authentication and identity verification
- Generation of figurine-style images and 3D models (including sending images to external AI services)
- Payment processing and product delivery
- Responding to user inquiries
- Creating statistical data for service improvement and new feature development
- Addressing violations of terms of service and preventing unauthorized use
- Sending important notices regarding the Service
4. Handling of Image Data
Images uploaded by users are sent to external service providers for the following processing within the scope necessary for service provision.
- Image feature analysis and figurine-style image generation by AI image processing services
- 3D model data generation by 3D model generation services (when purchased)
We have confirmed that data sent via API will not be used for model training under the terms of service of these service providers.
Generated images and 3D model data are stored in association with the user's account. All related image and model data will be deleted upon account deletion.
The Service will not sell, lease, or disclose user images to third parties (except when users choose to make them public through the sharing feature).
5. Outsourcing and Handling of Personal Data in Foreign Countries
The Service outsources part of the operations necessary for service provision to external operators. We exercise necessary and appropriate supervision over the security management of personal data through contracts and other means.
Some personal data is handled by servers or contractors located in the following countries.
- United States: AI image processing (image analysis and generation), payment processing (Stripe Inc.), database infrastructure, access analytics (Google LLC)
- China: 3D model generation processing
While there is no comprehensive federal-level law for personal information protection in the United States, state-level laws such as the California Consumer Privacy Act (CCPA/CPRA) are in effect. Each contractor takes appropriate data protection measures based on their respective privacy policies, contractual data protection clauses, and industry-standard security certifications (such as SOC 2).
China has enacted the Personal Information Protection Law (PIPL). Processing by the relevant contractors is limited to API-based processing, and the data transmitted consists solely of image data (personally identifiable information such as email addresses is not included). Data protection clauses have been established in the contracts.
6. Disclosure to Third Parties
The Service will not provide personal data to third parties except in the following cases.
- When the user has given consent
- When required by law
- When necessary for the protection of life, body, or property of an individual and it is difficult to obtain the consent of the individual
- When particularly necessary for improving public health or promoting the sound development of children and it is difficult to obtain the consent of the individual
- When it is necessary to cooperate with a national government institution or local government body in executing affairs prescribed by law
Note that provision of personal data to contractors described in the preceding section constitutes provision accompanying outsourcing and does not constitute third-party provision.
7. Security Measures
The Service takes the following measures for the security management of personal data, including prevention of leakage, loss, and damage.
Organizational Security Measures
- Development and operation of regulations regarding the handling of personal data
- Recording and inspection of personal data handling status
Technical Security Measures
- Access control and identification/authentication of accessors
- Encryption of communications (SSL/TLS)
- Encrypted (hashed) storage of passwords
- Measures to prevent unauthorized external access
- Validation and sanitization of input data
Understanding External Environment
As some personal data is handled in foreign countries (United States and China), we implement security management measures after understanding the personal information protection systems in those countries.
8. Use of Cookies
The Service uses cookies and similar technologies for the following purposes. You can choose to allow or deny analytics and marketing cookies through the cookie consent banner displayed on your first visit.
List of Cookies Used
| Cookie Name | Type | Purpose | Provider | Duration |
|---|---|---|---|---|
| sb-*-auth-token | Essential | User authentication and session management | Supabase | Session |
| __stripe_mid / __stripe_sid | Essential | Payment processing and fraud prevention | Stripe | 1 year / 30 min |
| figmee_consent | Essential | Storing cookie consent settings | figmee | 1 year |
| _ga / _ga_* | Analytics | Access analytics and visitor counting | Google Analytics | 2 years |
| _gid | Analytics | User identification (statistical purposes) | Google Analytics | 24 hours |
Consent Management
Analytics and marketing cookies are only used with user consent. You can reset your consent settings at any time by deleting browser cookies. Essential cookies cannot be disabled as they are necessary for the basic functions of the Service.
The Service supports Google Consent Mode v2, which controls data transmission to Google Analytics based on the user's consent status.
9. Access Analytics
The Service uses Google Analytics (provided by Google LLC) for access analysis to improve the Service.
Google Analytics uses cookies to collect user access information (viewed pages, time spent, device information, etc.), but personally identifiable information (email address, name, etc.) is not transmitted. Collected data is managed in accordance with Google's privacy policy.
If you wish to disable data collection by Google Analytics, please install the "Google Analytics Opt-out Browser Add-on" provided by Google.
10. Data Retention Period
The Service retains personal data according to the following criteria.
- Account information: Until account deletion
- Uploaded images, generated images, and 3D models: Until account deletion (completely deleted upon deletion)
- Payment-related information: Legally required retention period (up to 7 years)
- Access logs: Up to 90 days
We endeavor to delete personal data without delay when it exceeds the scope necessary to achieve the purpose of use.
11. Disclosure, Correction, and Deletion of Personal Data
Users may make the following requests regarding their personal data held by the Service, based on the provisions of the Act on the Protection of Personal Information.
- Notification of purpose of use
- Disclosure
- Correction, addition, or deletion of content
- Suspension of use or erasure
- Suspension of provision to third parties
Request Procedure
- Request Method: Please contact us by email at the inquiry desk listed at the end of this policy. We will respond after completing the prescribed identity verification procedures.
- Identity Verification: We will verify your identity through communication from your registered email address or other methods.
- Fees: Requests for disclosure and notification of purpose of use are handled free of charge.
- Response Period: We will respond within two weeks in principle after identity verification is completed.
Account deletion (and the associated deletion of personal data) can be performed at any time from the Service's settings page.
12. Children's Privacy
The Service does not intentionally collect personal information from children under 16. If you are under 16, please obtain parental consent before using the Service. If a parent or guardian becomes aware that their child has provided personal information to the Service, please contact our inquiry desk. We will promptly delete the relevant information.
13. Changes to Privacy Policy
The Service may change this Privacy Policy due to legal amendments, changes in social conditions, or other reasons. Any changes will be published on the Service's website. We will notify users of significant changes through the Service or by email.
14. Complaints and Inquiry Desk
For questions about this Privacy Policy or complaints or consultations regarding the handling of personal information, please contact the following desk.
| Desk Name | Mirai Studio Inc. Personal Information Inquiry Desk |
| figmee@miraistudio.co.jp |