IMIKI AI Privacy Policy

Version 1.1 | Effective Date: January ●, 2026

Chapter 1: General Provisions

1.1 Data Controller

Shenzhen Mihome Up Technology Co.,Ltd. a company incorporated in the People’s Republic of China, with registered address at Unit 1802A, Building 2, Jingji Yujing Times Tower Huanggekeng Community, Longcheng Subdistrict Longgang District, Shenzhen City Guangdong Province, China, is the data controller within the meaning of Article 4(7) GDPR for the processing activities described in this Policy.

1.2 EU Representative

Pursuant to Article 27 GDPR, the data controller has appointed the following EU representative:

Name: Universal International business SARL
Address: 5 Impasse de la Colombette, 31000, Toulouse
Contacts: Leroy.Holliana
Tel: +33 773332462
Email: Leroy.Holliana@outlook.com

1.3 [Basis for Formulation]

This Policy is formulated in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Personal Information Protection Law of the People's Republic of China, and other relevant data protection regulations in the sales regions (Europe, United States). It aims to clarify the rules for processing your personal information by us and our cooperative third parties, safeguarding your information rights and data subject rights.

1.4 Scope of Application

This Policy applies to the entire process of your use of the Smart Camera Glasses (hereinafter referred to as "Smart Glasses") and the supporting APP (hereinafter referred to as "this APP"). It primarily covers the "AI Interaction Information Upload" scenario. Photos, audio, and video files you capture or record using the Smart Glasses are stored locally on the glasses or paired phone by default; we do not actively collect or upload them. Personal information is only transmitted to third-party AI servers when necessary to provide the specific intelligent services you activate, such as AI Q&A, image recognition, and multilingual translation.

Chapter 2: Personal Information Processing Rules for AI Interaction Scenarios

2.1 Personal Data

Including account identifiers (if registered), device identifiers, AI interaction inputs (text, images selected by the user, real-time transcribed speech).

2.2 Biometric and Sensitive Data

2.2.1 Images and voice data processed in connection with certain AI functionalities of the Smart Glasses may, under applicable law, qualify as biometric data or special categories of personal data within the meaning of Article 9 of the GDPR. Such biometric data is processed only on the basis of the user’s explicit consent, obtained in advance and in a clear, specific, and informed manner, and solely for the purpose of providing the specific AI service expressly requested by the user (such as image recognition or voice-based translation).

Explicit consent for biometric data processing is obtained separately and granularly, by reference to: the specific AI functionality activated, and the specific category of data involved (e.g. image data or voice data). The user’s active operation of an AI function (such as clicking a button or initiating a request) does not in itself constitute consent, but serves solely as a technical trigger following the prior granting of explicit consent.

Records of user consent are maintained in accordance with applicable legal requirements. Users may withdraw their consent at any time through the settings of the companion application, without affecting the lawfulness of processing carried out prior to such withdrawal. Withdrawal of consent will not affect the user’s ability to use the Smart Glasses for non-AI or non-biometric functionalities. Such consent records include information sufficient to evidence: the identity or account reference of the user; the date and time at which consent was granted or withdrawn; the specific AI functionality concerned; the relevant category of biometric data involved; and the consent action performed (grant or withdrawal). Consent records are securely stored for a period necessary to demonstrate compliance with applicable legal obligations and to establish, exercise, or defend potential legal claims. Retention periods are determined based on applicable statutory limitation periods and regulatory requirements.

2.2.2 Prior to or at the time of activating any AI functionality that involves the processing of biometric data (including image recognition or voice-based AI features), the User is required to provide explicit consent through a clear, specific, and separate consent mechanism within the companion application. Such consent mechanism: clearly identifies the relevant AI functionality concerned; specifies the category of biometric data involved; explains the purpose and nature of the processing operations; requires an affirmative, function-specific opt-in action by the User; and allows the User to continue using non-biometric functionalities without granting consent to biometric data processing. Explicit consent may be withdrawn at any time through the application settings, without affecting the lawfulness of processing carried out prior to withdrawal.

2.3 Information Collection Scope and Purpose (Principle of Minimum Necessity)
  • AI Q&A Function: Only the text content or voice snippet you input is uploaded. Voice is converted to text in real-time before transmission; the original audio is processed temporarily only on the local device. This is used by the third-party server to understand the request and return an answer.
  • Image Recognition Function: Only the image you actively select for recognition is uploaded. Before upload, the APP automatically de-identifies the image, removing sensitive information such as faces, ID numbers, street addresses, and license plate numbers that might be present, retaining only image feature data relevant to the recognition target.
  • Multilingual Translation Function (including dialogue translation and simultaneous interpretation): Only the text fragment or real-time transcribed speech you need translated is uploaded. This content is promptly deleted from the third-party server after translation is completed.
  • Special Note: Photos, audio recordings, and videos stored locally on your Smart Glasses or paired phone will not be automatically uploaded to any server unless you actively click the share button. You have full control over these files through the device's local storage management functions.
2.4 Third-Party (Bystander) Protection

When using recording or capture functionalities of the Smart Glasses, users are required to comply with applicable laws and regulations relating to the protection of third parties, including laws governing image, audio, and personal data protection. The Company does not automatically collect, receive, store, or otherwise control images, audio recordings, or videos captured by users, as such content is stored locally on the device or the paired mobile phone by default. Accordingly, the Company is not the data controller in respect of such locally stored content and is not technically able to directly access, modify, or delete recordings involving third parties.

Notwithstanding the above, the Company applies the principles of privacy by design (The Smart Glasses incorporate the following technical measures: Visible LED Indicator: A clearly visible LED light on the front frame illuminates whenever the device is actively recording video, capturing images, or recording audio. This indicator cannot be disabled by the user) and by default in the design of the Smart Glasses and related software, with the aim of reducing foreseeable risks to third parties. Such measures may include, for example, making the recording status of the device perceivable through device design or user interface features, and implementing data minimization or de-identification measures where technically feasible.

Where a third party believes that the Smart Glasses may have been used in a manner that infringes their rights, they may contact the Company through the contact channels provided in this Policy to obtain information about the operation of the device, raise concerns regarding potential misuse, or request compliance-related assistance. The Company may, where appropriate and subject to legal and technical limitations, provide guidance or facilitate communication with the relevant device user. Any assistance provided by the Company to third parties is limited to what is legally required and technically feasible, and does not imply that the Company assumes control over or responsibility for locally stored recordings created and retained by users.

2.5 International Data Transfers (Third-Party Service Cooperation and Data Protection)

Personal data may be transferred to third-country processors, including service providers located in the United States. Such transfers are safeguarded through the use of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary technical and organizational measures.

2.5.1 To enable the aforementioned intelligent interaction functions of this APP, we cooperate with the following third-party AI service providers (data processors). All cooperation complies with GDPR Article 28 and CCPA requirements:

Third-Party Name Service Content Official Website Link Compliance Credentials
【ChatGPT】 AI-powered question answering and image-based object recognition. https://chatgpt.com/ GDPR SOC 2
【Microsoft Cognitive Services Speech】 Dialogue translation, simultaneous interpretation, speech synthesis, speech transcription learn.microsoft.com ISO/IEC 27001 SOC 1,2,3 GDPR HIPAA
【Google Play Services】 Location information developers.google.com ISO/IEC 27001 27017 & 27018 27701 SOC 1/2/3 GDPR

2.5.2 We have signed Data Processing Addendums and GDPR Standard Contractual Clauses (SCCs 2021 version) with the aforementioned third parties, explicitly stipulating that: Third parties may only process information within the scope of our written instructions. They must not retain, reuse, or transfer your information to other parties. Third parties must implement security measures compliant with ISO27001 and regularly submit data processing compliance reports to us.

Chapter 3: Data Subject Rights (Your Rights and How to Exercise Them)

In addition to access, rectification, and erasure, users have the right to data portability, restriction of processing, objection, and the right to lodge a complaint with an EU supervisory authority. Third parties who believe that their rights may have been affected through the use of the Smart Glasses may submit a complaint to the Company via the contact details provided in this Privacy Policy or to the designated EU Representative. The Company will review such complaints in good faith and respond within a reasonable period, taking into account the nature and complexity of the request. Where the complaint concerns the processing of personal data subject to the GDPR, responses will be provided in accordance with the timeframes set out in Article 12 GDPR. Where the Company does not control or have access to the relevant data (for example, where content is stored locally on the user’s device), the Company will provide appropriate information regarding the applicable responsibilities and technical limitations.

Chapter 4: EU Data Act – Device Data

4.1 Categories of Device Data

The Smart Glasses generate device data such as sensor telemetry, usage logs, diagnostics, and performance data.

4.2 Data Holder

The manufacturer acts as the data holder within the meaning of Regulation (EU) 2023/2854 (Data Act).

4.3 User Access and Sharing

Users may access and export device data via the companion application in a structured, commonly used, machine-readable format.

4.4 Manufacturer Use of Data

Device data is used for product improvement, security, and analytics on an aggregated and anonymized basis, without training general-purpose AI models unless expressly agreed.

4.5 Trade Secrets and Security

Access to device data may be limited where necessary to protect trade secrets, cybersecurity, or comply with legal obligations.

4.6 Data Security Measures
  • Local Data Security: Local storage on the Smart Glasses and bound mobile phone utilizes partitioned encryption mechanisms. Only the authorized product application can access relevant data; reading by other third-party applications is prohibited. Support for device lock screen passwords and biometric authentication (e.g., fingerprint, facial recognition) prevents data leakage in case of device loss or theft.
  • Data Transmission Security: During data transmission for "AI Q&A, Image Recognition, Dialogue Translation, Simultaneous Interpretation" functions, the TLS 1.3 encryption protocol is used for end-to-end encryption to prevent data theft or tampering during transmission. A data verification mechanism ensures data integrity and accuracy.
  • Third-Party Server Data Security Control: We sign strict data security agreements with AI service providers, explicitly requiring them to use AES-256 encryption for stored transmitted data, establish graded access control mechanisms, and ensure compliance with requirements of laws and regulations such as the Personal Information Protection Law and the Data Security Law of the People's Republic of China.
  • Security Incident Response: We have established a comprehensive data security incident response plan. In the event of a security incident such as a data breach, tampering, or loss, the emergency plan will be activated immediately, implementing remedial measures like data isolation, vulnerability patching, and information tracing. As required by laws and regulations, we will notify you promptly within 72 hours via App push notifications, SMS, or phone calls.

Chapter 5: Data Protection Impact Assessment (Article 35 GDPR)

In accordance with Article 35 of the General Data Protection Regulation (GDPR), the Company has conducted a Data Protection Impact Assessment (DPIA) in respect of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. In particular, a DPIA has been carried out for processing operations involving: the use of artificial intelligence (AI) systems, the processing of biometric data and other special categories of personal data, and the operation of wearable smart devices. The DPIA assessed the necessity and proportionality of the processing activities, the potential risks to data subjects, and the technical and organizational measures implemented to address and mitigate such risks, including data minimization, security safeguards, and user control mechanisms. The DPIA is reviewed and updated where required, taking into account changes in processing activities, technologies, or applicable legal requirements. Documentation relating to the DPIA is maintained internally and may be made available to competent supervisory authorities upon lawful request, in accordance with applicable law.

Chapter 6: Data Retention Periods

The Company retains personal data only for as long as is necessary to fulfil the purposes for which the data is processed, in accordance with the principles of data minimization and storage limitation under applicable data protection laws. Retention periods vary depending on the category of data involved and the context in which it is processed, as described below:

(a) Locally Stored Images, Audio, and Video
Images, audio recordings, and videos captured using the Smart Glasses are stored locally on the device or the paired mobile phone by default. The Company does not collect, store, or control such locally stored content. Retention and deletion of this data are determined solely by the user through the device or application settings.

(b) AI Interaction Data
Data transmitted to third-party AI service providers in connection with user-activated AI functionalities (such as text inputs, selected images, or real-time transcribed speech) is retained only for the period necessary to generate the requested service results. Such data is deleted or anonymized after completion of the relevant processing, in accordance with contractual obligations and applicable legal requirements.

(c) Device and Application Data
Certain device-related and application-related data (such as configuration information, diagnostic data, and usage logs) may be retained for as long as necessary to ensure product functionality, security, maintenance, and compliance with applicable legal obligations. This data is deleted or anonymized once the relevant purpose has been achieved, unless a longer retention period is required by law.

(d) Compliance and Legal Obligations
Where personal data must be retained to comply with applicable laws, regulations, or lawful requests from competent authorities, such data will be retained for the period required under the relevant legal obligation and deleted thereafter. In all cases, personal data will not be retained for longer than is necessary for the purposes for which it was processed, unless otherwise required or permitted by applicable law.

Chapter 7: Legal Basis for Processing

The Company processes personal data only where there is a valid legal basis under Article 6 of the GDPR, and, where applicable, Article 9 of the GDPR. Depending on the category of data involved, processing activities are based on the following legal grounds:

(a) Biometric Data
Images and voice data processed in connection with certain AI functionalities may qualify as biometric data or special categories of personal data under Article 9 GDPR. The processing of biometric data is based on the user’s explicit consent in accordance with Article 6(1)(a) and Article 9(2)(a) GDPR. Such consent is obtained in advance, in a specific and informed manner, and is limited to the particular AI functionality and data type concerned. Users may withdraw their consent at any time through the application settings, without affecting the lawfulness of processing carried out prior to such withdrawal.

(b) Location Data
Location data may be processed through Google Play Services or similar system-level services solely for the purpose of enabling certain device, application, or system functionalities (such as connectivity, compatibility, or compliance with platform requirements). The processing of location data is based on the user’s consent in accordance with Article 6(1)(a) GDPR. Location permissions are managed by the operating system of the user’s device and may be granted, limited, or withdrawn by the user at any time. The Company does not use location data for continuous tracking, profiling, targeted advertising, or behavioral analysis. Refusal or withdrawal of consent for location data processing does not affect the availability of core functionalities of the Smart Glasses that do not rely on location data. Where applicable, Google may process location data as an independent controller in accordance with its own privacy policies.

(c) Other Personal Data
Other personal data processed in connection with the use of the Smart Glasses and the companion application (such as device identifiers, configuration information, and diagnostic data) is processed on the basis of performance of a contract with the user in accordance with Article 6(1)(b) GDPR, where such processing is necessary to provide the requested products and services, or on the basis of compliance with legal obligations under Article 6(1)(c) GDPR, where applicable.

Chapter 8: Policy Updates, Version Control, and Notification

This Privacy Policy may be updated from time to time to reflect changes in applicable laws, regulatory requirements, or the Company’s data processing practices. Where updates are made, users will be notified through appropriate channels, including in-application pop-up notifications, email communications, or announcements on the official website. For changes that materially affect users’ rights or interests, a reasonable advance notice period of 30 days will be provided, where required by applicable law. Continued use of the services following the effective date of an updated Policy constitutes acknowledgment of the updated Policy.

Version: 1.1
Last Updated: January ●, 2026

Chapter 9: EU Data Act – Current Applicability and Conditional Compliance (Regulation (EU) 2023/2854)

Regulation (EU) 2023/2854 (the “EU Data Act”) entered into full application on 12 September 2025. The Company is aware of the requirements of the EU Data Act and monitors its applicability to the products and services offered. At present, device-generated data produced through the use of the Smart Glasses is stored locally on the device or on the user’s paired mobile phone. The Company does not operate a backend server or cloud infrastructure for the collection, storage, aggregation, or centralized processing of such device-generated data. The companion application functions solely as a local user interface and control tool within the user’s environment. Accordingly, under the current technical architecture, the Company does not act as a “data holder” within the meaning of the EU Data Act and does not provide services for making device-generated data available to users or to third parties. As a result, the provisions of the EU Data Act relating to third-party data sharing mechanisms, response timeframes, cost or fee transparency, and data format specifications are not applicable under the current product configuration. Should the Company, in the future, introduce technical changes that result in the Company holding, accessing, or making available device-generated data (including through server-based services, cloud synchronization, or data access interfaces), the Company will comply with the applicable requirements of the EU Data Act, including those relating to data access, data sharing with third parties at the user’s request, response timeframes, reasonable compensation (if applicable), and the provision of data in structured, commonly used, and machine-readable formats, in accordance with applicable law.

Chapter 10: AI Act Compliance and AI System Classification (Regulation (EU) 2024/1689)

Regulation (EU) 2024/1689 (the “EU AI Act”) became applicable on 1 August 2024. The Company has conducted an internal assessment of the AI functionalities integrated into the Smart Glasses in order to determine their classification and regulatory obligations under the EU AI Act.

AI System Classification
Based on this assessment, the AI systems used in the Smart Glasses are not classified as prohibited AI practices and do not qualify as high-risk AI systems within the meaning of the EU AI Act. In particular: The AI functionalities are not designed or used for biometric identification or verification of natural persons, including facial recognition or identity matching. The AI functionalities do not perform remote biometric identification in publicly accessible spaces, whether in real time or retrospectively. The AI functionalities are activated solely upon explicit user request and are limited to assistive or functional purposes, such as object recognition, language translation, or AI-assisted information retrieval. The outputs generated by the AI systems do not produce legal effects or similarly significant effects on users or third parties. Accordingly, the AI systems do not fall within the categories of high-risk AI systems listed in Annex III of the EU AI Act.

Registration and Conformity Assessment
Under the EU AI Act, registration in the EU AI systems database and conformity assessment procedures apply only to high-risk AI systems. As the AI systems used in the Smart Glasses are not classified as high-risk, these obligations are not applicable under the current system design and functionality.

Human Oversight and User Control
The AI functionalities of the Smart Glasses operate under human-in-the-loop principles appropriate for non-high-risk AI systems. In particular: AI features are activated only through deliberate user actions. AI-generated outputs are provided solely as supportive or informational results and do not replace human judgment. Users remain free to accept, disregard, or stop using AI functionalities at any time through the device or application interface.

Future Assessment
Should the functionality, intended use, or technical architecture of the AI systems change in a manner that may affect their classification under the EU AI Act, the Company will reassess the applicability of the EU AI Act and implement any additional compliance measures required by applicable law.

Chapter 11: Contact Us

If you have any questions or wish to exercise your rights under this Privacy Policy, please contact us at:

Email: help@imikilife.com