Legal

Privacy Policy

Studio, Inc. (hereinafter “the Company”) handles User Information in connection with the Service as follows.

Key Terms

“User”: A person, corporation, or organization that uses the Service.
“Service”: Pablo.
“User Information”: All information collected about or from Users in connection with the Service, including personal information as defined in Article 2, Paragraph 1 of the Act on the Protection of Personal Information (Act No. 57 of 2003, hereinafter “APPI”).
“Connected Services”: Third-party services connected by the User, such as Slack and GitHub.

1. What Information Do We Collect?

The Company collects the following categories of User Information in connection with the Service.
1. Information provided by the User: Name, email address, and other information provided during account registration or use of the Service.
2. Automatically collected information: Device information, IP addresses, browser type, operating system, access timestamps, usage history, and website content data (HTML, CSS, and other assets) collected when the Service crawls and analyzes the User's website at the User's direction.
3. Information from connected services: When the User connects third-party services, the following information may be collected:
  - Slack: Messages, channel information, and user profile information within the connected workspace;
  - GitHub: Repository metadata, code, and related data within connected repositories.
4. Information generated through AI processing: Conversation records, analysis results, and other data generated when the User utilizes the AI features of the Service.
5. AEO (Answer Engine Optimization) analysis data: Search engine results and brand mention data collected when the User utilizes the AEO analysis features of the Service.

2. How Do We Use Your Information?

The Company uses User Information for the following purposes. The legal basis for each purpose under the APPI and, where applicable, the GDPR is indicated below.

Purpose	Categories of Information Used	Legal Basis
Provision, operation, and maintenance of the Service	Name, email, device information, usage history	Performance of contract (APPI Art. 17)
Provision of AI features (content generation, analysis, etc.)	Conversation content, project data, connected service data	Performance of contract; consent for cross-border transfer (APPI Art. 28)
Responding to inquiries and sending notifications	Name, email	Performance of contract
Payment processing and billing management	Billing-related information	Performance of contract; legal obligation
Service improvement and development	Anonymized or aggregated usage data	Legitimate interest
AEO analysis and brand monitoring	Search engine results, brand mention data	Performance of contract

The Company shall not provide personal information to third parties without the prior consent of the User, except in the following cases:
1. When required by law;
2. When necessary for the protection of human life, body, or property, and it is difficult to obtain the consent of the User;
3. When specially necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the User;
4. When it is necessary to cooperate with a national or local government authority or a person entrusted thereby in executing affairs prescribed by law, and obtaining the consent of the User may impede such execution;
5. When the business is succeeded through merger, corporate split, business transfer, or other reasons;
6. When outsourcing the handling of personal information within the scope necessary to achieve the purposes of use;
7. When otherwise permitted by the APPI or other applicable laws.

The Company shares User Information with the following third-party service providers to operate the Service:

Registration & Authentication

Provider	Purpose	Data Shared	Location
WorkOS	User authentication	Name, email, authentication credentials	United States

AI Processing

Provider	Purpose	Data Shared	Location
Anthropic (Claude)	AI content generation and analysis	User input content, project data	United States
OpenAI	AI analysis	Search queries, brand names	United States
Google (Gemini)	AI analysis	Search queries, brand names	United States
Perplexity	AI analysis	Search queries, brand names	United States
XAI (Grok)	AI analysis	Search queries, brand names	United States

Payment

Provider	Purpose	Data Shared	Location
Stripe	Payment processing	Billing-related information	United States

Infrastructure & Communications

Provider	Purpose	Data Shared	Location
Cloudflare	Infrastructure and hosting	Service data	United States, Japan
Loops	Email delivery	Email address	United States

The Company may outsource the handling of User Information to third parties within the scope necessary to achieve the purposes of use. In such cases, the Company shall exercise necessary and appropriate supervision over the outsourced party.

4. Cookies and Similar Technologies

The Service uses cookies and similar technologies for session management and authentication purposes.
The Service uses only strictly necessary cookies. No tracking or advertising cookies are used.

The following cookies are used by the Service:

Cookie Name	Purpose	Duration	Type
`pablo_session`	Session management and authentication	7 days	Strictly necessary
`pablo_sid`	Logout tracking	Session	Strictly necessary
OAuth state	OAuth authentication flow	10 minutes	Strictly necessary

Users may manage cookie settings through their browser. However, disabling cookies may prevent normal use of certain features of the Service.

5. How Do We Protect Your Information?

The Company implements appropriate security measures to protect User Information from unauthorized access, loss, destruction, falsification, and leakage.
The Company has taken the following categories of measures for the safe management of User Information:
1. Organizational measures: Establishment of internal rules for handling personal information, appointment of a data protection officer, and implementation of audit procedures;
2. Human measures: Regular training of employees on data protection and confidentiality obligations;
3. Physical measures: Access controls to areas where personal information is processed and measures to prevent unauthorized removal of equipment;
4. Technical measures: Encryption of data in transit and at rest, access control systems, audit logging, and incident response procedures.

6. How Long Do We Retain Your Information?

The Company retains User Information for the period necessary to fulfill the purposes of use described in this Policy. The following table sets forth the standard retention periods for each category of data:

Data Category	Retention Period	Basis
Account information (name, email)	Duration of account + 30 days after deletion	Performance of contract
Conversation and AI-generated content	Duration of account + 30 days after deletion	Performance of contract
AEO analysis results	Duration of account + 30 days after deletion	Performance of contract
Billing and payment records	7 years after the transaction	Legal obligation (tax law)
Audit logs	1 year from creation	Legitimate interest (security)
Anonymized or aggregated data	Indefinitely	Legitimate interest (service improvement)

When a User deletes their account, the Company shall delete the User’s personal information and associated data in accordance with the retention periods set forth above, except where longer retention is required by law.

7. AI Processing and Automated Decision-Making

The Service uses artificial intelligence to generate content, perform analysis, and publish updates based on the User’s instructions or automation rules configured by the User.
The Company does not engage in solely automated decision-making that produces legal effects or similarly significant effects on Users within the meaning of GDPR Article 22 or equivalent provisions under the APPI.
The scope of automated processing is limited to what the User has configured or approved within the Service.

8. Where Is Your Information Stored?

User Information may be transferred to and processed in countries outside of Japan, including the United States, in connection with the use of third-party service providers described in Section 3. By using the Service, the User consents to such transfer and processing.
User Information is primarily stored and processed on cloud infrastructure located in the United States and Japan.
The Company takes reasonable steps to ensure that any third-party service providers to whom User Information is transferred maintain appropriate data protection standards.

9. Your Rights

Users may exercise the following rights regarding their personal information held by the Company in accordance with the APPI:

Right	Description
Right to disclosure	Request disclosure of personal information held by the Company
Right to correction, addition, or deletion	Request correction of inaccurate personal information
Right to suspension of use or erasure	Request suspension of use when information is handled beyond the stated purposes
Right to suspension of third-party provision	Request suspension of provision of personal information to third parties
Right to data portability	Request export of personal information in a commonly used, machine-readable format

To make such a request, please contact the Company through the inquiry form available after logging in to the Service. The Company shall respond to such requests without delay after verifying the identity of the requester.

10. Children’s Privacy

If the User is 16 years of age or younger, the User shall use the Service only with the consent of a parent or legal guardian.

11. Changes to This Policy

The Company may amend this Policy as necessary. Amendments shall take effect upon notification to Users through the Service or publication on the Company’s website.
If a User continues to use the Service after the amendment takes effect, the User shall be deemed to have agreed to the amended Policy.

12. Contact Us

For inquiries regarding this Policy or the handling of User Information, please use the inquiry form available after logging in to the Service.

Version 1.0 — Enacted: March 30, 2026