Security

Last Updated: 2026-02-26

Company: ADASTRA LABS PTE. LTD (dba Playyy)

1. Security Philosophy

At Playyy, security and privacy are foundational to our Services. We follow a "security-by-design" and "privacy-by-default" approach, integrating security principles into every layer of our platform — from system architecture to daily operations. Our core objectives are:

  • Protect user data (prompts, uploaded images, generated Content, template usage records) from unauthorized access.
  • Ensure the reliability and availability of the Services (including template retrieval and AI image editing functions).
  • Comply with global data protection regulations (GDPR, CCPA, PDPA Singapore, etc.).
  • Maintain transparency with users about our security practices.

2. Data Protection Framework

We classify user data into three categories, each with strict handling and protection rules:

| Data Category | Description | Protection Measures |
| --- | --- | --- |
| User-Generated Data | Text prompts, uploaded images, generated/edited images, and associated metadata (including template usage records). | Transient processing; no reuse for model training without consent; AES-256 encryption. |
| Account Data | Name, email, address, payment confirmation records. | Role-based access control; encrypted storage; regular security audits. |
| System Data | Usage metrics, device information, logs (including template browsing and selection logs, login logs). | Anonymization where possible; restricted access to authorized personnel. |

3. Technical Security Measures

3.1 Encryption

  • Data at Rest: All user data, including uploaded images, generated Content, and template files, is stored in secure cloud environments and encrypted using AES-256, a globally recognized standard for data security.
  • Data in Transit: Data transmitted between your device and our servers (including image uploads/downloads and template retrieval) is protected via TLS 1.2+ encryption, preventing interception or tampering.

3.2 Access Control

  • Role-Based Access Control (RBAC): Only authorized personnel with job-related needs can access user data and template resources. Access privileges are reviewed regularly and revoked when no longer needed.
  • Strong Authentication: We enforce strong password policies (minimum length, complexity) for email-based accounts and support secure authentication via Google accounts. We may introduce Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for enterprise users in the future.
  • Zero Trust Architecture: "Never trust, always verify"—all access requests (internal and external) are authenticated and authorized before granting access to resources (including template libraries and user data).

3.3 Threat Protection

  • Web Application Firewall (WAF): Blocks malicious traffic (e.g., SQL injection, cross-site scripting) and protects against common web vulnerabilities, especially for template retrieval and Content upload interfaces.
  • DDoS Protection: Mitigates distributed denial-of-service attacks to ensure service availability (including stable access to template libraries).
  • Vulnerability Management: We implement vulnerability management practices aligned with industry standards, including periodic reviews of system security and remediation of identified issues.
  • Malware Detection: Scans uploaded images, user-generated Content, and template files for malware, viruses, and other malicious code to prevent security risks.

4. Compliance and Certifications

Our program is designed to support compliance with applicable data protection laws (including GDPR, CCPA/CPRA, and Singapore PDPA). Requirements may vary by jurisdiction and use case. Where applicable, additional details about our security program and compliance efforts may be provided under non-disclosure agreement (NDA) upon request.

We implement measures intended to meet key requirements of the following regulations:

  • GDPR: We implement measures intended to support GDPR requirements for data protection, user rights, and cross-border data transfers.
  • CCPA/CPRA: We provide California privacy rights mechanisms intended to meet CCPA/CPRA obligations for user data access, deletion, and opt-out.
  • PDPA Singapore: We maintain practices intended to meet PDPA obligations for personal data protection and user rights in Singapore.
  • DMCA: We maintain procedures intended to comply with DMCA copyright infringement notification and takedown requirements (especially for template-related copyright issues).

5. Security Operations and Incident Response

  • Security Monitoring: We monitor our systems for security threats, anomalies, or unauthorized access (including abnormal access to template libraries and user image data) through automated tools and manual reviews.
  • Incident Response Plan: We maintain an incident response plan aligned with ISO/IEC 27035 guidelines, outlining procedures for detecting, containing, eradicating, and recovering from security incidents (e.g., data breaches, template resource leaks).
  • Notification Requirements: We notify relevant data protection authorities without undue delay (and where feasible, within 72 hours) of a personal data breach, as required by GDPR and other applicable laws. We will notify you promptly if a security incident is likely to result in a high risk to your rights and freedoms.

6. Data Retention and Deletion

  • We minimize data retention and retain user data only for as long as necessary (see our Privacy Policy for details). Template files are retained permanently unless discontinued due to copyright or other legal reasons.
  • Secure deletion is performed in accordance with NIST 800-88 standards. Users may request permanent deletion of their data (excluding public template files) via the account settings or by contacting us.
  • Backup archives are securely stored and isolated from active systems. Backed-up data is deleted when no longer needed.

7. Third-Party Security

We conduct rigorous security reviews of core third-party service providers (e.g., cloud storage, payment processors, analytics tools, template resource partners) to ensure they meet our security standards. Third parties are required to:

  • Maintain strong encryption and data protection measures.
  • Not retain user data or template resources beyond the scope of their assigned tasks.
  • Comply with applicable data protection laws.
  • Sign data processing agreements (DPAs) or confidentiality agreements to protect user data and template intellectual property.

8. User Security Best Practices

To help protect your account and data, we recommend the following:

  • Use a strong, unique password for your email-based account (avoid reusing passwords from other platforms).
  • Do not share your account credentials with third parties (to prevent unauthorized access to your saved templates and Content).
  • Regularly review your account activity (including template usage and Content creation records) and notify us of any unauthorized access.
  • Keep your device and browser updated with the latest security patches.
  • Avoid accessing the Services (especially uploading images or using paid templates) on public Wi-Fi networks without a VPN.
  • Enable MFA if and when it becomes available for your account.

9. Continuous Improvement

We are committed to continuously enhancing our security posture:

  • Regular risk assessments to identify and address emerging threats (including risks related to AI image editing and template distribution).
  • Periodic third-party security audits and penetration testing.
  • Mandatory security training for all employees (initial and ongoing), including training on template copyright protection and user data security.
  • Monitoring of global security trends and updates to our security measures accordingly.

10. Contact Us

If you have any questions or concerns about our security practices, or if you suspect a security breach, unauthorized access to your account, or leakage of template resources, please contact us at:

For more information about our privacy practices, please review our Privacy Policy.