1. Information We Collect

1.1 Information You Provide Directly

• Account Information: Name, email address, phone number, date of birth, and password when you create an account
• Identity Verification Data: Government-issued ID, proof of address, and other KYC/AML required documentation
• Biometric Data: Facial recognition data for identity verification (only with your explicit consent)
• Asset Information: Metadata, descriptions, images, and documentation related to assets you submit for certification
• Payment Information: Billing address, payment method details (processed securely through PCI-compliant third-party payment processors)
• Communications: Content of your communications with us through support channels

1.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers, mobile network information
• Usage Data: Pages visited, features used, transaction history, timestamps, referral URLs
• Blockchain Data: Wallet addresses, transaction hashes, smart contract interactions
• Location Data: Approximate location based on IP address
• Cookie Data: As detailed in Section 11

1.3 Information from Third Parties

• Identity Verification Services: KYC/AML verification results and risk scores
• Blockchain Networks: Public blockchain transaction data
• Payment Processors: Transaction confirmation and status updates
• Social Media: If you choose to link social media accounts

2. Age Verification and Children's Privacy

Kristobi is strictly prohibited for individuals under 18 years of age. We verify age through our mandatory KYC process, which includes:

• Government-issued ID verification showing date of birth
• Automated age calculation and verification
• Manual review for borderline cases

If we discover that we have collected personal information from anyone under 18, we will immediately delete such information and terminate the associated account.

3. How We Use Your Information

We use your personal information for the following purposes:

• Service Provision: To provide digital asset certification and provenance services
• Account Management: To create and maintain your account, authenticate users
• Legal Compliance: To comply with KYC/AML requirements, SEC regulations, and other legal obligations
• Smart Contract Execution: To deploy and manage smart contracts on your behalf
• Security and Fraud Prevention: To detect and prevent fraud, unauthorized access, and other security threats
• Communications: To send service updates, security alerts, and respond to inquiries
• Marketing: To send promotional materials (only with your consent, see Section 10)
• Improvements: To analyze usage patterns and improve our services
• Legal Protection: To establish, exercise, or defend legal claims

4. Legal Basis for Processing

4.1 GDPR Legal Basis

For users in the European Economic Area and UK, we process personal data based on:

• Contract Performance: Processing necessary to provide our services under our Terms of Service
• Legal Obligations: Processing required to comply with KYC/AML, tax, SEC, and other regulatory requirements
• Legitimate Interests: Processing for fraud prevention, security, and service improvements (subject to balancing tests)
• Explicit Consent: For biometric data, marketing communications, and cookies
• Vital Interests: In rare cases where processing is necessary to protect someone's life

4.2 Processing of Special Categories of Data

Biometric data is processed only on the basis of your explicit consent, which includes:

• Clear information about the processing
• Affirmative opt-in action
• Granular consent options
• Easy withdrawal mechanism

5. Automated Decision-Making and Profiling

We use automated decision-making in the following contexts:

• Identity Verification: Automated KYC/AML risk scoring
• Fraud Detection: Transaction monitoring and anomaly detection
• Smart Contract Execution: Automated enforcement of contract terms

6. Information Sharing and Disclosure

6.1 Service Providers

We share information with service providers bound by data processing agreements:

• Identity verification and KYC/AML compliance providers
• Cloud storage and hosting providers (AWS, Google Cloud)
• Payment processors (PCI-compliant)
• Blockchain infrastructure providers
• Smart contract auditors
• Customer support platforms
• Analytics providers (see Cookie Policy)

6.2 Legal Disclosures

• Law enforcement agencies when required by valid legal process
• Regulatory authorities for mandatory reporting
• Courts and tribunals in legal proceedings
• Legal advisors under attorney-client privilege

6.3 Business Transfers

In case of merger, acquisition, or asset sale, we will notify you before your information is transferred and becomes subject to a different privacy policy.

6.4 Blockchain Networks

6.5 No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Data Retention

We retain personal information based on legal requirements and business needs:

8. Your Privacy Rights

8.3 How to Exercise Your Rights

To exercise any privacy rights:

1. Email us at jeff@jpgroup.tech or plewak.jeff@gmail.com
2. Include "Privacy Rights Request" in the subject line
3. Provide sufficient information to verify your identity
4. Specify which rights you wish to exercise

Identity Verification: We may request additional information to verify your identity before processing requests, including:

• Account information
• Government-issued ID
• Recent transaction details

Response Timeline: We will acknowledge receipt within 10 days and respond fully within 30 days (45 days for CCPA requests, with possible extension).

9. Data Security

We implement comprehensive security measures including:

9.1 Technical Measures

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Controls: Role-based access, principle of least privilege
• Authentication: Multi-factor authentication required
• Monitoring: 24/7 security monitoring and intrusion detection
• Backup: Encrypted backups with geographic redundancy
• Vulnerability Management: Regular scanning and patching

9.2 Organizational Measures

• Employee Training: Annual privacy and security training
• Access Reviews: Quarterly access audits
• Vendor Management: Security assessments of all processors
• Incident Response: Documented response procedures
• Penetration Testing: Annual third-party security audits

9.3 Data Breach Notification

In the event of a personal data breach, we will:

• Notify supervisory authorities within 72 hours (where required)
• Notify affected users without undue delay when high risk to rights
• Document all breaches in our internal register
• Provide details of the breach, likely consequences, and mitigation measures

10. Marketing and Communications

We may send you marketing communications only with your prior consent. You can:

• Opt-in during account creation or through account settings
• Opt-out anytime via unsubscribe link in emails
• Manage preferences in your account dashboard
• Contact us to update preferences

Transactional Communications: We will always send necessary service-related communications (security alerts, legal updates, transaction confirmations) regardless of marketing preferences.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

• Essential Cookies: Required for site security and functionality (no consent required)
• Analytics Cookies: Help us understand usage patterns (consent required)
• Functional Cookies: Remember your preferences (consent required)
• Marketing Cookies: Currently not used

11.2 Cookie Consent

We obtain your consent through our cookie banner before placing non-essential cookies. You can:

• Accept or reject cookies via our cookie banner
• Change preferences anytime in account settings
• Delete cookies through your browser settings

Note: Disabling essential cookies may prevent you from using certain features of our service.

12. International Data Transfers

Your data may be transferred outside your country of residence. We ensure appropriate safeguards:

12.1 Transfer Mechanisms

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses
• Transfer Impact Assessments: Conducted for each third country
• Supplementary Measures: Additional encryption and access controls
• Adequacy Decisions: Where applicable

12.2 Data Localization

Primary data storage locations:

• United States (primary)
• European Union (backup)
• Blockchain networks (global/decentralized)

13. Third-Party Links and Services

Our services may contain links to third-party websites or integrate with external services. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

14. Limitation of Liability and Indemnification

To the maximum extent permitted by law, Mygeo LLC's liability for any privacy or data security breach shall be limited to direct damages only. Users agree to indemnify Mygeo LLC for claims arising from their violation of this Privacy Policy or misuse of the service.

15. Class Action Waiver

You agree to resolve any privacy-related disputes through individual arbitration and waive any right to participate in class action lawsuits related to privacy matters, to the extent permitted by applicable law.

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law or our practices. For material changes, we will:

• Update the "Last Updated" date and version number
• Post a prominent notice on our website 30 days before changes take effect
• Email registered users about material changes
• Obtain new consent where required by law

Version History:

• Version 1.0 - July 14, 2025 - Initial privacy policy

17. Accessibility

We strive to make this Privacy Policy accessible to all users. In compliance with WCAG 2.1 AA standards, we provide:

• Alternative formats upon request
• Plain language summaries
• Translation services for major languages

Contact support@kristobi.com for accessibility assistance.