Who are we?

GAMEGEARS LTD operates the Cifratar Project under the "Cifratar" brand. Cifratar is a web-based AI influencer network, AI-generated virtual character catalogue, request-based advertising service, character application flow, and digital-double / AI-avatar production service.

The current public Project is web-based only. We do not currently operate native iOS or Android applications under the Cifratar brand, and we do not currently collect mobile advertising identifiers through Cifratar native applications. We may process browser, device, cookie, local storage, session, analytics, and technical data when you access the public Site or related web pages.

The Project may be used by visitors, advertisers, agencies, creators, talent, business partners, and other professional users worldwide, including in Latin America, the United States, the European Union, Mexico, Indonesia, Vietnam, the Philippines, and other regions where the Project is lawfully available. The Project is not available to sanctioned persons, sanctioned territories, or where access, contracting, payment, campaign delivery, account operation, or publication would be prohibited by applicable law.

The Project is intended for adults and professional users. If you are under 18, please do not use the Project, submit forms, submit a character application, provide voice samples, photos, videos, or likeness materials, or request creation of a digital double.

For any questions, concerns, privacy requests, deletion requests, cookie requests, security reports, copyright complaints, abuse reports, or other communications, please contact us by email at: support@cifratar.ai.

If, under applicable law, we are required to appoint a Data Protection Officer, EU/UK representative, "Encarregado" under LGPD, or similar representative, we will provide the relevant contact information by updating this Policy or by other appropriate means. GAMEGEARS LTD is established in Cyprus, a Member State of the European Union, and we currently consider that a separate EU representative under Article 27 GDPR is not required for Cifratar because the controller is established in the EU.

Data Controller

For the purposes of the GDPR and other applicable data protection laws, the Data Controller is:

AI Character Disclosure

Cifratar characters are AI-generated virtual entities. They are not real persons, do not have consciousness, personal beliefs, independent judgment, professional qualifications, personal experience, or legal capacity, and do not speak for or endorse any real individual unless a separate written agreement expressly states otherwise. Where required by the EU AI Act or applicable law, AI-generated content is labelled with machine-readable, visible, platform, or equivalent disclosures, subject to technical feasibility and platform limitations.

GAMEGEARS LTD acts as a provider of an AI system within the meaning of Article 3(3) of Regulation (EU) 2024/1689 (the AI Act) with respect to Cifratar AI characters and related AI-generated character content made available under the Cifratar brand. Starting from the version date of this Policy, and subject to technical feasibility, platform functionality, and applicable law, we deploy machine-readable AI-content markers for synthetic audio, image, video, and text content generated or manipulated by Cifratar systems in accordance with Article 50(2) of the AI Act.

What data do we collect and why?

We consider any information that can identify you as personal data. We collect different categories of data depending on whether you visit the Site, submit an advertising request, apply to become a character, provide materials for a digital double / AI avatar, participate in a campaign, communicate with support, or appear in campaign-related materials. In order to clearly explain the data we process, please refer to the table below.

Where we rely on your consent as the legal basis for processing, you may withdraw that consent at any time, subject to processing that occurred before withdrawal and subject to lawful retention where required or permitted by law. Where we rely on legitimate interests, we consider the nature of the data, the reasonable expectations of the individuals involved, the safeguards applied, and your rights to object where applicable.

AI avatar, digital double, voice, photo and likeness data

Some Cifratar features involve the creation, operation, review, or publication of AI-avatar or digital-double content. This may require collection and processing of materials that identify, depict, sound like, or are associated with a real person, including voice samples, photographs, video recordings, likeness materials, performance materials, biography, social-media identity, and persona materials.

We process such materials only for the purposes described in this Policy, the applicable Talent / Persona / Likeness Agreement, the relevant consent form, or another written arrangement. Those purposes may include evaluating an application, creating or improving a character, generating or editing content, operating managed social accounts, publishing campaign content, applying AI-origin and advertising disclosures, handling platform moderation, responding to deletion requests, and protecting legal rights.

Voice samples, photos, videos, and likeness materials may be sensitive in practice, even if they do not always qualify as special-category personal data under every law. We do not use these materials for biometric identification, face recognition, voice identification, identity verification, or unique identification of a person unless we have separately disclosed that purpose and obtained any legally required consent or other lawful basis.

If you provide materials of another person, you represent that you have all notices, permissions, authorizations, consents, releases, and legal bases required for us and our service providers to process those materials for the requested purposes. You must not submit a minor's voice, image, video, likeness, school, family, or personal information unless we have given prior written approval and all parental, guardian, platform, advertising, and legal clearances are in place.

Cookies, analytics and session recording

We use cookies and similar technologies as described in our Cookie Policy. The current public Site may use Google Analytics 4 for analytics and ContentSquare for heatmaps and session recording, subject to consent where required by applicable law. These technologies help us understand how visitors use the Site, which pages are viewed, where visitors come from, how forms are used, whether the Site works correctly, and how we can improve the user experience.

ContentSquare session recording, where used, is configured to capture anonymized or pseudonymized interaction data such as mouse movements, scroll depth, and click patterns, while masking input fields and not intentionally recording form contents. Session recordings are used to improve usability and identify technical issues, not to identify individuals by name.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising as defined under California law. We do not currently use advertising cookies or cross-site behavioral advertising technologies on the current public Site. If we introduce such technologies, we will update this Policy and the Cookie Policy and, where required by law, request consent or provide applicable opt-out controls.

Legal bases for data processing

We process personal data only where we have a lawful basis to do so. Depending on the context and applicable law, our legal bases include:

• Contract or pre-contractual steps: to respond to requests, review applications, prepare Proposals, provide campaign services, operate managed character accounts, and administer agreements.
• Consent: for optional cookies where required, marketing communications, certain AI-avatar / digital-double uses, certain voice/photo/video/likeness processing, optional training/fine-tuning, and any processing that legally requires consent.
• Legitimate Interests: for Site operation, security, fraud prevention, troubleshooting, analytics where permitted, campaign administration, rights clearance, service improvement, internal records, legal defense, abuse prevention, and protection of users, talent, platforms, advertisers, and the public.
• Legal Obligations: to comply with tax, accounting, sanctions, anti-money-laundering, advertising, consumer-protection, data protection, copyright, regulatory, platform, law-enforcement, litigation, and recordkeeping requirements.

Where we rely on legitimate interests, we balance our interests against the rights and freedoms of affected individuals and apply safeguards such as minimization, access restrictions, masking, contractual controls, deletion workflows, and opt-out or objection mechanisms where applicable.

How do we share your data?

We do not sell your personal data. We do not share personal data for cross-context behavioral advertising as defined under California law. We share personal data only where necessary for the purposes described in this Policy, where you instruct or authorize us to do so, where required by law, or where necessary to protect rights, safety, security, compliance, or the operation of the Project.

1. Service Providers, Processors and Production Partners

We may share data with service providers and processors that help us operate the Site, secure infrastructure, monitor errors, analyze usage, process requests, produce campaign content, operate managed character accounts, store production files, handle support, and comply with legal obligations. These providers process data on our behalf or under our instructions where they act as processors.

Current public Site processors and service providers

Internal production systems and affiliated infrastructure

For AI-avatar, digital-double, managed social account, campaign production, and generated video workflows, we may use Reteller production database / storage infrastructure and related internal or affiliated systems to store production records, generated assets, digital-double materials, prompts, drafts, final videos, approvals, deletion workflow records, and backup copies. Depending on the technical and legal configuration, such infrastructure may operate as internal GAMEGEARS infrastructure, affiliated infrastructure, or a service environment supporting Cifratar production.

Generated videos and related production files may remain temporarily in Reteller backup systems or disaster-recovery copies after deletion from active systems. Such backup copies are protected, access-restricted, and are not used for ordinary production, publication, or new campaign creation after the relevant deletion request has been processed in active systems.

Third-party platforms that generally act as independent controllers

2. Affiliates and Corporate Group

We may share data within our corporate group, affiliates, or related operational entities where necessary to operate, support, administer, secure, finance, audit, or develop Cifratar, including internal legal, finance, security, compliance, product, production, and management teams. Such sharing is limited to personnel and entities that need access for the relevant purpose and is subject to confidentiality and access controls.

3. Professional Advisers, Banks and Commercial Counterparties

We may share data with professional advisers, auditors, insurers, banks, payment intermediaries, tax advisers, legal counsel, accountants, and commercial counterparties where relevant to invoices, payments, tax, accounting, audits, insurance, corporate governance, compliance, contract administration, and disputes.

4. Authorities, Courts, Regulators and Safety Recipients

We may disclose data to authorities, courts, regulators, law-enforcement bodies, platform trust-and-safety teams, rights holders, complainants, or other third parties where required by law, necessary to enforce agreements, respond to lawful requests, investigate suspected violations, defend claims, protect rights, prevent abuse, address safety issues, comply with sanctions, or protect the Project, users, talent, advertisers, platforms, or the public.

5. Public Campaign Publication

If campaign content, character content, or digital-double content is published, personal data contained in that content may become public. Published content may be viewed, shared, downloaded, embedded, indexed, archived, screenshotted, reposted, quoted, commented on, translated, or otherwise processed by third-party platforms and users. We cannot fully control how third parties process public content after publication.

International transfers

We are established in Cyprus and may process personal data in the European Economic Area, the United States, the United Kingdom, Latin America, Mexico, Indonesia, Vietnam, the Philippines, and other countries where users, service providers, platforms, advertisers, talent, or production partners are located. Some countries may not provide the same level of data protection as your home jurisdiction.

Where personal data is transferred outside the EEA or another protected jurisdiction, we use appropriate safeguards where required by law, such as adequacy decisions, the EU-US Data Privacy Framework where applicable, the UK Extension where applicable, the 2021 EU Standard Contractual Clauses, UK transfer addendum or IDTA where applicable, transfer impact assessments, contractual controls, encryption, access restrictions, minimization, pseudonymization, and supplementary safeguards where required.

For US-based providers such as hosting, analytics, error-monitoring, AI, payment, support, or platform providers, the applicable transfer mechanism may be a Data Privacy Framework certification, Standard Contractual Clauses, another lawful transfer mechanism, or a combination of safeguards depending on the provider, data category, service configuration, and applicable law.

When content is published through global third-party platforms, that content may be accessible worldwide. Platform publication is different from private processor access: viewers, platforms, search engines, archives, and third parties may process published content according to their own rules and laws. We cannot guarantee that foreign laws, platforms, or third parties will provide identical protections to those in your jurisdiction.

Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, including to operate the Site, respond to inquiries, review character applications, administer campaigns, create and manage digital doubles, operate managed social accounts, comply with tax and accounting obligations, resolve disputes, enforce agreements, handle legal complaints, process deletion requests, maintain security, and protect rights.

Retention periods depend on the type of data, the purpose of processing, the applicable agreement, platform requirements, legal obligations, and whether the data relates to public campaign content, a managed social account, an active dispute, a deletion request, a rights clearance issue, or a legal hold. Examples include:

• Advertising request and business inquiry records may be retained for the evaluation period and, if a relationship proceeds, for the duration of the commercial relationship and the applicable legal, audit, tax, accounting, and dispute period.
• Character application, talent onboarding, voice sample, photo, video, and likeness materials may be retained for the evaluation period and, if accepted, for the duration of the talent/persona relationship and related rights-clearance, legal, audit, platform, and dispute periods.
• Campaign approvals, scripts, prompts, drafts, generated outputs, disclosure labels, publication records, reports, and proof-of-publication records may be retained to evidence campaign performance, compliance, AI disclosures, advertising disclosures, and legal clearance.
• Commercial, invoice, tax, accounting, and transaction records may be retained for up to 7 years or longer where required by law, audit, legal hold, or dispute obligations.
• Security logs, error logs, diagnostic data, and abuse-prevention records are retained for a limited period appropriate to security monitoring and may be retained longer where needed for investigation, fraud prevention, legal claims, or compliance.
• Privacy request, deletion request, takedown, copyright, and abuse complaint records may be retained to evidence compliance, prevent unauthorized reactivation, defend claims, and protect rights.
• Aggregated, anonymized, or de-identified data that no longer reasonably identifies a person may be retained for longer periods for analytics, reporting, compliance, and service improvement.

Deletion and de-identification

When a purpose has been fulfilled, we delete, anonymize, aggregate, or de-identify personal data unless retention is required or permitted for legal, accounting, security, audit, enforcement, platform, dispute, backup, or evidence-preservation reasons.

For digital-double deletion requests, we do not intentionally retain anonymized copies of the person's persona profile for continued character operation or model use. This does not affect aggregate analytics, legal records, deletion logs, security logs, platform records, or non-identifying operational statistics that do not identify the person.

Please note that deletion may not immediately remove copies stored in security, archive, disaster-recovery, or Reteller backup systems. Such backups are protected, access-restricted, and overwritten or deleted according to manual or scheduled backup lifecycles. Published content may remain available on third-party platforms according to their own rules and retention practices, and may persist in screenshots, reposts, search results, caches, archives, embeds, comments, or downloads outside our control.

How can you control your data?

Subject to applicable law, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy of data, withdraw consent, opt out of certain uses, and lodge a complaint with a supervisory authority. Where processing is based on consent, withdrawal does not affect processing before withdrawal.

To exercise rights, contact us at support@cifratar.ai. We may need to verify your identity, authority, relationship to the relevant company or character, and control over the relevant email address, managed account, or persona rights before processing your request. We may refuse, limit, or delay requests where permitted by law, including where data is needed for legal obligations, fraud prevention, security, rights of others, trade secrets, platform compliance, dispute defense, or evidence preservation.

Digital double / AI character deletion requests

A person whose digital double or AI character is managed by Cifratar may submit a verified deletion or deactivation request. Following verification, we will take reasonable steps to delete or disable the relevant character profile, persona materials, voice samples, photos, videos, likeness materials, unpublished generated materials, account/channel administration records, and active production records under our control, unless retention is required or permitted for legal, accounting, tax, security, audit, rights-clearance, dispute, evidence-preservation, sanctions, platform, or compliance purposes.

A deletion request may affect Cifratar active records, Reteller production database / storage, relevant production files, managed social accounts, and platform requests. Where applicable, we may submit deletion, takedown, deactivation, or account-closure requests to third-party platforms on which we created or managed the relevant character account or content, including YouTube, TikTok, Instagram, Facebook / Meta, and other applicable social platforms.

We may retain a minimal deletion record showing the request date, verification status, systems checked, actions taken, responsible internal reviewer/team, platform requests submitted, and completion date. This record is retained solely to evidence compliance, prevent reactivation, handle disputes, and protect legal rights.

We cannot guarantee that third-party platforms will delete content within a specific time or in a specific way. We also cannot delete copies that have been saved, screenshotted, reposted, embedded, indexed, cached, archived, or otherwise processed by third parties outside our control.

Limits on rights requests

Your privacy rights do not require us to disclose trade secrets, source code, model configurations, prompts, prompt libraries, system instructions, safety rules, ranking logic, generation pipelines, internal legal advice, privileged materials, or information that would adversely affect the rights and freedoms of others. Where possible, we will provide meaningful information without disclosing protected internal information.

If we cannot fulfill your request, we will explain the reason where permitted by law. We typically respond to verified requests within 30 days, unless a different period applies under local law or an extension is permitted due to complexity or volume.

How do we protect your data?

We implement technical and organizational measures designed to safeguard personal data against unauthorized access, alteration, disclosure, loss, misuse, or destruction. Security measures are selected based on the sensitivity of the data, the nature of processing, the state of the art, implementation costs, and the risks presented by processing.

Our security measures may include:

• encryption in transit and, where appropriate, encryption or other safeguards at rest;
• access controls, role-based access, least-privilege principles, internal authorization, and personnel confidentiality obligations;
• logging, monitoring, incident triage, vulnerability management, and abuse escalation processes;
• vendor diligence, data-processing terms, contractual safeguards, and appropriate technical settings with service providers;
• input-field masking or exclusion for session-recording tools where used;
• separation of active production systems from backup and disaster-recovery copies where appropriate;
• manual review and escalation for sensitive deletion, persona, likeness, abuse, sanctions, copyright, and child-safety matters; and
• internal policies and procedures for privacy, security, access, deletion, and incident response.

Despite the measures we take, no method of transmission or storage is completely secure. You should avoid sending sensitive personal data, unnecessary third-party data, confidential business information, passwords, payment card details, government IDs, precise location, health information, financial account data, or other highly sensitive information through public forms unless we specifically request it through a secure process.

If you suspect a security breach, identify a vulnerability, or believe a managed account or digital-double material has been misused, contact us immediately at: support@cifratar.ai. Please include a detailed description, relevant technical details, screenshots where appropriate, and steps to reproduce where safe and lawful. Do not access, copy, disclose, delete, exfiltrate, or alter data that does not belong to you.

Children's privacy

The Project is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 13 and do not knowingly allow minors to submit advertising requests, character applications, digital-double materials, voice samples, photos, videos, or likeness materials through the Project.

We do not knowingly create, publish, promote, or commercialize AI characters or digital doubles based on persons under 18 unless we have given prior written approval and all mandatory parental, guardian, platform, advertising, and legal clearances are in place. Any such exception, if ever permitted, would be subject to additional safeguards and documentation.

If we discover that we have inadvertently collected personal data from a child or minor in a manner not permitted by law or this Policy, we will take appropriate steps to delete, restrict, or de-identify the data, unless retention is required for safety, abuse investigation, evidence preservation, legal claims, platform compliance, or protection of rights.

If you believe that a child or minor has provided personal data to us, or that a minor's voice, image, video, likeness, school, family, or personal information has been submitted without appropriate rights and clearances, contact us at: support@cifratar.ai.

California and other regional privacy rights

Depending on your location, additional privacy rights may be available under California privacy laws or other regional laws. This section provides additional disclosures for California residents and may also help users in other jurisdictions understand our practices.

Categories of personal information

• Identifiers: name, email address, phone number, business contact details, IP address, cookie identifiers, account/channel identifiers, social handles, and platform identifiers.
• Commercial information: campaign inquiries, Proposals, invoice data, payment status, order details, products or services promoted, and campaign records.
• Internet or other electronic network activity: page views, events, referral data, session interactions, error logs, device/browser data, and platform publication or engagement information.
• Audio, electronic, visual or similar information: voice samples, photos, videos, generated audio, generated images, generated videos, and likeness materials submitted for character applications or digital-double production.
• Professional or employment-related information: company, brand, business type, role/title, professional biography, talent information, and commercial relationship data.
• Inferences and creative profile information: character persona attributes, campaign preferences, style notes, and creative direction used to operate AI characters and digital doubles.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under California law. If our practices change, we will update this Policy and provide required opt-out mechanisms. We do not knowingly sell or share personal information of minors.

To exercise regional privacy rights, contact: support@cifratar.ai. We may need to verify your identity and may decline or limit requests where permitted by law.

Changes to this policy

We reserve the right to modify or update this Privacy Policy at any time. If we make material changes, we may notify you through the Site, by email, in a Proposal, through support communications, or by other reasonable means. The revised version will be effective when posted or otherwise made available unless stated otherwise. Your continued use of the Project after updates means that you acknowledge the updated Policy.

Contact us

If you have any questions, concerns, notices, requests, complaints, security reports, copyright complaints, abuse reports, or other communications regarding this Policy, the Project, the Services, or our data processing practices, please contact us at:

This Policy is written in English. In the event of any discrepancy between the English version and any translation, the English version shall prevail.

Faithfully yours,
GAMEGEARS LTD

Related documents: Terms of Service · Cookie Policy