Kevula Data Privacy Policy

1) Who We Are & Scope

This Data Privacy Policy supplements the Privacy Policy and applies to CF Midas LLC (“Kevula,” “we,” “us,” “our”) in relation to the EU GDPR, UK GDPR, and California CPRA/CCPA. It covers our website, apps, and related services (the “Services”).

Controller: CF Midas LLC, Plano, Texas, USA.

2) Lawful Bases for Processing (GDPR Art. 6)

• Contractual necessity: To provide the Services, deliver digital goods, track commissions, process payouts, and provide support.
• Legitimate interests: Platform safety, fraud prevention, service improvement, analytics, and relevant service communications. We perform Legitimate Interests Assessments (LIA) when required.
• Legal obligations: Tax, accounting, regulatory recordkeeping, and compliance requests.
• Consent: Optional marketing emails, certain cookies/trackers, and voluntary publicity features (e.g., Member Spotlights). You may withdraw consent at any time without affecting prior lawful processing.

3) Categories of Personal Data

• Identity & contact: name, email, username, profile details.
• Financial & transactional: wallet funding, purchases, payouts (processed via trusted providers; we only receive limited identifiers/status necessary to complete transactions).
• Content & social: posts, comments, stories, followers/following relationships.
• Device & usage: IP address, device/browser info, app version, logs, performance, security signals.
• Support & feedback: messages and metadata you send to us.

4) Special Category & Sensitive Data (GDPR Art. 9 / CPRA)

Kevula does not intentionally collect or process special category data (e.g., health, biometric, racial/ethnic origin, political opinions, religious beliefs) or sensitive personal information as defined by CPRA, unless you voluntarily provide it (e.g., in user-generated content). Please avoid sharing sensitive data in posts or profile fields.

If we ever need to process such data, we will obtain explicit consent or rely on another valid legal basis where permitted by law.

5) Your Rights (GDPR/UK GDPR/CPRA)

Subject to applicable law and verification, you may exercise:

• Access — obtain a copy of personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion (“right to be forgotten”).
• Restriction — limit certain processing while we assess or resolve issues.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Object — object to processing based on legitimate interests and to direct marketing at any time.
• Consent withdrawal — withdraw consent for optional processing (e.g., marketing; certain cookies).

California CPRA Additions

• Know categories and specific pieces of personal information collected.
• Delete personal information (with statutory exceptions).
• Correct inaccurate personal information.
• Opt out of “sale” or “sharing” of personal information and certain profiling for targeted advertising (Kevula does not sell personal data; we honor opt-out signals where required).
• Limit the use/disclosure of sensitive personal information (Kevula does not use SPI for additional purposes).
• Non-discrimination for exercising your rights.

6) How to Make a Rights Request

• Submit: Email privacy@kevula.com with “Data Rights Request” in the subject and specify which right(s) you wish to exercise.
• Verify: We must verify your identity (and authority, if applicable) before acting. We may request additional information solely to verify.
• Timing: We aim to respond within 1 month (GDPR/UK GDPR). For complex requests we may extend up to 2 additional months and will notify you of the extension.
• Appeals: If you disagree with our decision, reply to our response and request an internal review. You may also contact a regulator (see below).
• Authorized agents (CPRA): We will verify both you and your agent; a signed authorization may be required.

7) International Transfers & Safeguards

Kevula is based in the United States. Your data may be processed in the U.S. and other countries that may have different data-protection laws from your jurisdiction.

• SCCs: For EU/EEA/UK transfers to the U.S. or other third countries, we implement European Commission Standard Contractual Clauses (and UK addendum where applicable).
• Supplementary measures: encryption in transit/at rest (where applicable), strict access controls, data minimization, and vendor due diligence.
• Vendor contracts: We require processors to follow applicable data protection laws and act only on our instructions.

8) Data Retention & Minimization

• We keep personal data only as long as necessary for the purposes described (service delivery, payouts, security, compliance), then delete or anonymize it.
• Financial/transaction records are retained as required by tax and accounting laws.
• Content you delete will be removed or anonymized from active systems; residual copies may persist temporarily in backups with restricted access until overwritten.

9) Security Measures

• Encryption: bank-level encryption for payment/payout flows; TLS for data in transit; encryption at rest where applicable.
• Access controls: least-privilege, logging/audit of sensitive operations, background checks where appropriate.
• Risk management: vendor assessments, incident response procedures, and periodic reviews.
• Your role: Use strong passwords and enable two-factor authentication (2FA) when available.

No system is 100% secure, but we take reasonable and appropriate measures to protect your data.

10) Cookies, Consent & Preferences

We use cookies and similar technologies to operate and improve the Services. Where required, we ask for your consent and provide controls to manage preferences.

• Strictly necessary: authentication, security, basic functionality.
• Performance & analytics: usage measurement, crash diagnostics, feature improvement.
• Marketing (optional): announcements and events; disabled by default where consent is required.

Manage cookies in your browser (e.g., Settings → Privacy) and via our in-app cookie banner/preferences center.

11) Data Protection Officer & Representatives

• DPO: Data Protection Office, dpo@kevula.com
• EU Representative (Art. 27): EU Data Protection Office, eurep@kevula.com
• UK Representative (Art. 27 UK): UK Data Protection Office, ukrep@kevula.com

12) Complaints & Regulatory Contacts

If you believe your privacy rights have been infringed, you can:

• Contact us at privacy@kevula.com or the DPO above.
• Contact your EU/EEA supervisory authority, the UK ICO (ico.org.uk), or the California Attorney General (oag.ca.gov/privacy).

You have the right to lodge a complaint with a regulator without first contacting us, though we encourage you to give us the opportunity to address your concerns.

13) Updates to this Policy

We may update this Data Privacy Policy from time to time. When we do, we will revise the “Effective date” above. Material changes will be signposted within the Services where appropriate. Your continued use of the Services after changes take effect constitutes acceptance.

14) Contact Kevula