Privacy Policy

Summary of Key Points

1. About This Policy & The Controller

This Privacy Policy describes how TB Security, Inc., doing business as TRUSTBYTES (“TRUSTBYTES,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information through hivy.live and any associated mobile applications, APIs, or related services (collectively, the “Service”).

TB Security Inc. DBA TRUSTBYTES / hivy is the data controller for purposes of applicable privacy laws, including the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and the EU/UK General Data Protection Regulation (“GDPR”).

2. Scope of This Policy

This Policy applies to all individuals who access or use the Service, regardless of geographic location. It does not apply to third-party websites or services we may link to; those services govern their own data practices.

This Policy is governed by the laws of the State of California and the United States, without regard to conflict-of-law provisions, except where specific regional laws (e.g., GDPR) impose additional requirements.

3. Key Definitions

• Personal Information (PI): Any information that identifies, relates to, or could reasonably be linked to an individual, directly or indirectly.
• Sensitive Personal Information (SPI): A subset of PI including account login credentials, financial data, and precise geolocation (as defined under CPRA §1798.100 et seq. and GDPR Art. 9).
• Processing: Any operation performed on PI, including collection, storage, use, disclosure, or deletion.
• Service Providers: Third parties that process PI solely on our behalf pursuant to a written contract.
• Business Purpose: A legitimate operational reason for which we process PI, as enumerated in Cal. Civ. Code §1798.140.

4. Information We Collect

4.1 Information You Provide Directly

• Identity & Contact Data: Full name, email address, username, password (stored as a one-way hash), phone number, and profile photo.
• Professional Data: Job title, employer name, LinkedIn profile URL, and professional bio (if provided).
• Payment Data: Billing address and transaction amounts. Full payment card details are collected and stored solely by our PCI-DSS-compliant payment processors (Stripe, Inc. (fiat payments) and approved cryptocurrency transfer processors); we store only the last four digits of card numbers and payment tokens.
• Communications: Messages you send us via support, feedback forms, or email.
• User-Generated Content: Any content you upload or create within the Service.

4.2 Information Collected Automatically

• Device & Technical Data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Usage Data: Pages visited, features used, clicks, search queries, time spent on the Service, and referring URLs.
• Log Data: Server access logs, error reports, and diagnostic data.
• Location Data: Approximate geolocation inferred from IP address. We do not collect precise GPS-level location without your express consent.

4.3 Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

• Strictly Necessary: Required for the Service to function (e.g., authentication tokens, session cookies). Cannot be disabled.
• Functional: Remember your preferences (e.g., language, timezone). May be disabled but may impair functionality.
• Analytics & Performance: Measure and improve Service performance (e.g., Google Analytics, Mixpanel). You may opt out via our Cookie Preference Center or your browser settings.
• Marketing / Advertising: Track engagement with our communications (e.g., email open pixels). You may opt out at any time.

You can manage cookie preferences by accessing our Cookie Preference Center at hivy.live/cookies or configuring your browser settings. Note that blocking certain cookies may limit Service functionality.

4.4 Information from Third Parties

• Single Sign-On (SSO) Providers: If you authenticate via Google, Microsoft, or LinkedIn, we receive your name, email address, and profile photo from that provider, subject to its privacy policy.
• Analytics Partners: We receive aggregated analytics reports from third-party analytics providers.
• Publicly Available Sources: We may supplement your profile with publicly available professional information.

5. Legal Basis for Processing (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Art. 6 and, where applicable, Art. 9:

• Contract Performance (Art. 6(1)(b)): Processing necessary to create and manage your account, authenticate your identity, process payments, and deliver the Service.
• Legitimate Interests (Art. 6(1)(f)): Fraud detection, network and information security, improving the Service, and direct marketing to existing customers (subject to your right to object).
• Compliance with Legal Obligations (Art. 6(1)(c)): Responding to lawful government requests, tax reporting, and financial record-keeping.
• Consent (Art. 6(1)(a)): Non-essential cookies, marketing communications, and processing of any special categories of data. You may withdraw consent at any time without affecting prior lawful processing.

For California residents, we rely on the CCPA/CPRA framework and process PI for the Business Purposes enumerated in Section 6 below.

6. How We Use Your Information

6.1 Business Purposes

• Account Creation & Management: Registering your account, verifying your identity, and authenticating your sessions.
• Service Delivery: Providing, personalizing, and maintaining the features of the Service you use.
• Payment Processing: Facilitating billing, invoicing, and subscription management via Stripe and PayPal.
• Customer Support: Responding to your inquiries, troubleshooting issues, and improving support resources.
• Security & Fraud Prevention: Detecting, investigating, and preventing unauthorized access, fraud, and abuse.
• Legal Compliance: Meeting obligations under applicable law, including tax, financial reporting, and responding to lawful legal process.

6.2 Additional Purposes

• Service Improvement: Analyzing usage patterns and feedback to develop new features and fix bugs.
• Marketing Communications: Sending promotional emails, newsletters, and in-app messages. You may opt out at any time (see Section 9).
• Aggregated Analytics: Creating de-identified, aggregated datasets for internal reporting and product development. De-identified data is not subject to this Policy.
• Automated Decision-Making: We do not engage in solely automated decision-making that produces legal or similarly significant effects without human review. If we introduce such processing in the future, we will update this Policy and provide required notices.

7. Disclosure of Your Information

7.1 Service Providers

We share PI with trusted service providers that process data solely on our behalf under written data processing agreements. These include:

• Fiat Payment Processing: Stripe, Inc. (PCI-DSS Level 1 compliant). Stripe processes payment card details directly; we store only the last four digits of card numbers and Stripe-issued payment tokens. Stripe’s privacy policy is available at stripe.com/privacy.
• Cryptocurrency Account Funding: We facilitate cryptocurrency transfers for account funding. In connection with such transfers, we collect your public wallet address and on-chain transaction hashes. We do not collect, store, or have access to private keys at any time. Cryptocurrency transactions are irreversible; users are solely responsible for ensuring the accuracy of wallet addresses provided.
• Cloud Infrastructure & Hosting: OVH SAS (OVH Cloud). Primary infrastructure is hosted in OVH-operated data centers in US, France and Canada. Data stored in US-based OVH facilities. OVH’s privacy policy is available at ovhcloud.com/en/personal-data-protection/.
• Analytics: Google Analytics 4 (Google LLC), operated with IP anonymization enabled and data retention set to 14 months. You may opt out via the Google Analytics Opt-Out Browser Add-on (tools.google.com/dlpage/gaoptout) or our Cookie Preference Center.
• Email & Internal Communications: Google Workspace (Google LLC), used for internal business communications and transactional email delivery to users. Google’s privacy policy is available at policies.google.com/privacy.
• Customer Relationship Management & Support: HubSpot, Inc., used to manage customer support tickets, communications history, and CRM records. HubSpot processes contact information, support correspondence, and account interaction data. HubSpot’s privacy policy is available at legal.hubspot.com/privacy-policy.

We do not permit service providers to use your PI for their own independent purposes beyond the services they provide to us. All service providers are bound by written data processing agreements that include appropriate confidentiality, security, and (where applicable) GDPR Standard Contractual Clauses.

7.2 Affiliated Companies

We may share PI with subsidiaries or parent companies of TB Security, Inc. under equivalent data protection standards. Any such sharing will be subject to this Policy.

7.3 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of all or substantially all of our assets, your PI may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service at least 30 days before any such transfer becomes effective, and you will have the right to delete your account before the transfer.

7.4 Legal Requirements & Safety

We may disclose PI without your consent if we believe in good faith that disclosure is reasonably necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request.
• Enforce our Terms of Service, including investigating potential violations.
• Detect, prevent, or address fraud, security threats, or technical issues.
• Protect the rights, property, or safety of TRUSTBYTES, our users, or the public.

We will notify affected users of such disclosures where legally permissible.

7.5 What We Do NOT Do

• We do not sell your personal information for monetary consideration.
• We do not share your personal information for cross-context behavioral advertising without your explicit opt-in consent.
• We do not share sensitive personal information beyond what is strictly necessary for the Business Purposes described herein.

California residents: The disclosures in Sections 7.1–7.4 constitute our complete list of disclosures in the preceding 12 months for CCPA/CPRA purposes. We do not sell or share PI as defined under Cal. Civ. Code §1798.140(ad) and §1798.140(ah).

8. Data Retention

We retain your personal information for as long as your account remains active and as long as necessary to fulfill the purposes described in this Policy. The following retention periods apply:

• Active Account Data: Retained for the duration of your account, plus 12 months following account closure to enable reactivation and resolve disputes.
• Financial & Transaction Records: Retained for 7 years from the date of transaction, as required by U.S. federal and California tax and financial reporting laws.
• Security & Fraud Logs: Retained for 24 months to support incident investigation and regulatory compliance.
• Marketing & Communications Data: Retained until you opt out, then for an additional 12 months to honor suppression lists.
• Backup Data: Encrypted backups are retained for up to 90 days after deletion from primary systems.

After applicable retention periods expire, we securely delete or irreversibly anonymize your PI. Note that certain data may need to be retained longer pursuant to legal holds, litigation, or regulatory investigations.

The original policy’s 3-month post-termination retention period has been extended to align with U.S. federal and California legal minimum requirements. Shorter retention may cause compliance exposure.

9. Your Privacy Rights

9.1 Rights for All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention obligations.
• Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• Opt Out of Marketing: Unsubscribe from marketing emails via the link in any email or by emailing legal@trustbytes.io.

9.2 Additional Rights — EEA, UK & Swiss Residents (GDPR/UK GDPR)

• Data Portability: Receive your PI in a structured, machine-readable format (Art. 20).
• Restriction of Processing: Request that we restrict processing while you contest accuracy or object to processing (Art. 18).
• Object to Processing: Object to processing based on legitimate interests (Art. 21).
• Automated Decision-Making: Not be subject to solely automated decisions with legal effect without human review (Art. 22).
• Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (e.g., the Irish DPC for EU users, the ICO for UK users).
• EU Representative: [To be designated — required under GDPR Art. 27 if you offer services to EU residents]

9.3 Additional Rights — California Residents (CCPA/CPRA)

• Know: Request disclosure of categories and specific pieces of PI collected, the purposes of collection, and third parties with whom PI is shared (Cal. Civ. Code §1798.110).
• Delete: Request deletion of your PI (Cal. Civ. Code §1798.105).
• Correct: Request correction of inaccurate PI (Cal. Civ. Code §1798.106).
• Opt Out of Sale/Sharing: We do not sell or share PI. If this changes, you will have the right to opt out at any time at hivy.live/do-not-sell.
• Limit Use of Sensitive Personal Information: Restrict our use of SPI to essential Business Purposes (Cal. Civ. Code §1798.121).
• Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights (Cal. Civ. Code §1798.125).
• California Shine the Light: California Civil Code §1798.83 permits California residents to request annually a list of third parties to whom we disclosed PI for direct marketing purposes. We do not disclose PI for third-party direct marketing. Contact us at legal@trustbytes.io for confirmation.

9.4 How to Submit a Rights Request

To exercise your rights, submit a verifiable request by:

• Email: legal@trustbytes.io (subject: “Privacy Rights Request”)
• Online form: hivy.live/privacy-request

We will verify your identity before processing your request. We will respond within 30 days (extendable by an additional 60 days with notice). We will not charge a fee for reasonable requests; we reserve the right to charge a reasonable fee or decline manifestly unfounded or excessive requests.

Authorized Agents: California residents may designate an authorized agent by providing a signed written authorization. We may still require direct identity verification.

10. International Data Transfers

Your personal information may be transferred to and processed in countries other than the country in which you reside, including the United States. These countries may have data protection laws that differ from those of your jurisdiction.

Our primary infrastructure is hosted on OVH Cloud, with data centers located in France, Canada, and other OVH regions. Where PI is transferred outside the EEA, UK, or Switzerland (e.g., to U.S.-based service providers), we rely on the following safeguards:

• EU-U.S. Data Privacy Framework (DPF): We rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914) as our primary transfer mechanism.
• UK Addendum: For UK-to-US transfers, we use SCCs as supplemented by the UK International Data Transfer Addendum.
• Adequacy Decisions: Where applicable, we transfer PI to countries that have received an adequacy decision from the European Commission.

You may request a copy of the relevant transfer safeguards by contacting legal@trustbytes.io.

11. Data Security

We implement industry-standard technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption in transit using TLS 1.2 or higher; encryption at rest using AES-256.
• Role-based access controls (RBAC) limiting internal access to PI on a need-to-know basis.
• Regular penetration testing and vulnerability assessments.
• Multi-factor authentication (MFA) for all administrative system access.
• Vendor security reviews for all service providers with access to PI.

No method of electronic storage or transmission is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and applicable regulatory authorities as required by law (within 72 hours for GDPR; without unreasonable delay for U.S. state laws). Notifications will be sent to the email address associated with your account.

12. Children’s Privacy (COPPA)

The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or under 16 in the EEA/UK as required by GDPR). If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at legal@trustbytes.io. We will promptly delete such information from our systems.

If we become aware that we have inadvertently collected PI from a child under the applicable minimum age without verifiable parental consent, we will take immediate steps to delete that information.

13. Third-Party Links & Integrations

The Service may contain links to, or integrations with, third-party websites, services, and applications. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal information. We are not responsible for the privacy practices or content of third-party services.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated Policy on this page with a revised “Last Updated” date.
• Sending an email notification to the address associated with your account at least 30 days before material changes take effect.
• Displaying a prominent in-app banner for material changes affecting your rights.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with the revised Policy, you must discontinue use of the Service and may request account deletion.

15. Governing Law & Dispute Resolution

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of the State of California and applicable U.S. federal law, without regard to its conflict-of-law provisions. Nothing in this section limits any rights you may have under applicable mandatory data protection law in your jurisdiction (including GDPR or CPRA).

16. Contact Information & Data Protection Officer

Privacy Inquiries — General

Data Protection Officer (EU/UK/Swiss Residents)

EU Representative (GDPR Art. 27)

[REQUIRED ACTION: You must designate an EU-based representative if you offer services to EU residents and are not established in the EU. Insert representative name, address, and contact details here before publishing. Failure to appoint an EU representative exposes TB Security, Inc. to administrative fines of up to €10 million or 2% of global annual turnover.]

This is a mandatory legal requirement under GDPR Art. 27 for non-EU controllers offering services to EU data subjects. Consult qualified EU counsel to appoint a representative.