Privacy Notice
Date of Revision: [ 24/10/2024 ]
Privacy Notice of EverAI Limited
EverAI Limited (
"EverAI",
"we",
"us" or
"our") is the Controller for the processing implemented through this website accessible at
https://candy.ai/ (the
"Services"). This notice describes how EverAI processes Personal Data to provide the Services (duly incorporated in the Republic of Malta, having its address at 56 Central Business Centre, Triq Is-Soll, Santa Venera SVR 1833, Malta and registered with the Malta Business Registry under the number C107181).
The Services are an online chat application that uses artificial intelligence algorithms to generate virtual and fictional characters (the "
AI Companions") and can also generate images and messages, so that you can chat with the AI Companions. Parts of the Services offered may require you to create a user account. For purposes of this Privacy Notice, "
you" and "
your" means you as the user of the Services.
This Privacy Notice details how EverAI collects, uses, discloses and handles your Personal Data for the Services and the rights and options you have in this respect, in compliance with the European Union’s General Data Protection Regulation 2016/679, and Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”) (together “EU GDPR”), the UK Data Protection Act 2018 and the Privacy and Electronic Communications, Regulations 2003 (“PECR”) (together “UK GDPR”), or the Federal Act on Data Protection 235.1 (“FADP”) together referred as “Applicable Data Protection Law” as may be applicable to the Services.
1. Definitions
As we are committed to respect your privacy, such Services will always be provided in accordance with the most relevant legal basis.
By using the Services, you agree that you have read and understood our Privacy Notice.
All capitalized terms not otherwise defined in this Privacy Notice or in the GDPR shall have the following meaning:
- “Content”: the information that you will provide us with, so that we can register you as a User and the information you will upload on our Services, such information shall include your Personal Data and the discussions with the AI Companions;
- “Consent”: any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to you;
- “Controller”: the natural or legal person, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and for the purposes of the Services, EverAI;
- “Performance of our Services”: the actions necessary for us to provide our Services notably further to your Subscription;
- “Personal Data”: any information relating to an identified or identifiable natural, person, directly or indirectly (“Data Subject”), such as your name, address, marital status, date of birth, gender, office location, position, company name, spoken languages, photos, your account number, your location data;
- “Processing”: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Subscription”: an arrangement between EverAI Limited and you to enable you to benefit from and / or use the Services;
- “User”, “you” and “your”: collectively a person that has visited or is using the Services;
- “Visitor”: anyone who is browsing the Services without a valid Subscription;.
2. Purpose of Personal Data Processing
Purpose of the Processing |
Categories of Personal Data |
Legal basis |
Account creation
Managing your registration to our Services. |
- Email address (as disclosed by you; mandatory registration field)
- Encrypted password (as disclosed by you; mandatory registration field)
- Nick name/screen name (as disclosed by you)
- User gender (as disclosed by you)
- First and last name (as disclosed by you and if User uses specific authentication methods like google auth to create an account)
- Creation date and time and signup provider (Twitter; Google; Discord; Email direct) (generated based on the options you select)
- Phone number (ability for User in profile settings to set their phone number not mandatory)
|
Necessity for the performance of a contract. |
Account management |
- Currency (based on detected country)
- Country (detected based on IP address)
- Token balance (generated by us on the basis of your purchase)
- Last User account update date and time (generated by us)
- Current and last sign in date and time (generated by us)
- Current and last sign in IP (generated by us)
- Sign in count (how many times a user signed in) (generated by us)
|
Our legitimate interest to address your queries. |
Provision of the Services
- Customization of the AI Companions or linked to specific features of the Service
- Generation of image action, body, clothes
- Interactive chat with AI Companion
- Voice call
|
Content data i.e.:
- User preference vis à vis the AI Companions (ethnicity, age, eye color, hair type, body type, personality, voice, occupation, type of relation, … neither of which relate to a living natural person) (as provided by you)
- User prompt entered to generate Content (image, communications, message, calls to AI Companions) (as provided by you)
- Content generated by AI Companions. (as generated by us)
|
Necessity for the performance of a contract. |
Support of the Services
Service support to inform you and to answer your request (sending of service email, technical support, answers to customers etc.). |
- Supporting data (entered in the free field through the "Contact us" window sent by email to EverAI), email address (as provided by you) and possible answer (generated by us)
- Device information (mobile/desktop) and browser type(mozilla/firefox etc..) when technical issues need to be investigated and/or Cookies (as detected by us)
|
Our legitimate interest to address your queries. |
Provision of the Subscription payment Service
Processing by Payment Service Providers for security and payment purposes of:
- Subscription
- Token
- Refund
|
Emerchant Pay (EMP) and TrustPay (TP)
- First and last name
- Email address
- Card brand
- Credit card number
- Payment transaction date and time
- Type
- Amount
- Currency
- Bin country
- IP address
- Recurring billing type
- Response code (issuer)
Volt
- Email address
- Bank name
- Account details (including sort code)
- Account number
- CPF (for Brazil)
- Whether a business or personal account
- Balance and currency required to make payment
- Unique order reference
- Transaction date and the beneficiary
- Amount and currency of payment
- Internet protocol (IP) address
- Browser type and version
- Operating system and platform
Coingate
- Shopper email
- Crypto wallet address
- IP address
- Country
- Unique order reference
- Transaction date and time
- Amount and currency required to make payment
|
Necessity for the performance of a contract. |
Direct Marketing
- Deliver marketing emails to inform you of our latest updates, offers and features through our newsletter
- Enable Candy.ai affiliate program questionnaire
|
- Email address (as disclosed by you; mandatory registration field)
- First and last name (as disclosed by you and if you used a specific authentication method like google auth to create your account)
- Account number
- Website or traffic source URL
- Data linked to the Candy.ai affiliate program questionnaire free fields to introduce potential affiliate and how they plan to promote the Service
|
Our legitimate interest to improve our Services (direct marketing by us for similar products and Services) or consent (third party marketing). |
Analytics other than through cookies or other tracking technologies
Allowing customer surveys, marketing campaigns, market analysis. |
- Account number
- Email address (as disclosed by you; mandatory registration field)
- Answer provided by the User
|
Consent |
Safety
Moderation of the Services (problematic behaviour, abuse report, action taken). |
- Content of the communication and/or report
- Account data
- Abused messages from Users or AI are being marked as "flagged" in the database and are blocked
|
Necessity to comply with legal obligations or, as the case maybe, necessity for the performance of the Service agreement (in case of breach of the T&Cs). |
Legal & Accounting
- Record keeping
- Invoice recovery
- Compliance with court orders
- Management of data subject access requests
|
Supporting data (as provided by you) such as contact data, payment data or credentials. |
Necessity for compliance with legal obligations. |
Complying with court orders and exercises and/or defend our legal rights. |
Supporting data (as provided by you) such as contact data, payment data or credentials. |
Our legitimate interest to defend our rights. |
If you fail to provide your Personal Data, we may not be able to perform the Services pursuant to the Subscription. In this case, we may have to cancel the Service, provided that we will notify you if this is the case at the time.
3.Marketing
We may send you marketing about Services we provide which may be of interest to you, as well as other information in the form of alerts, newsletters and invitations to events or functions which we believe might be of interest to you or in order to update you with information (such as commercial news) which we believe may be relevant to you. We may communicate this to you in a number of ways that you provided including by, telephone, email or other digital channels.
If you do not wish to receive marketing information from us, you can unsubscribe in any of the following ways:
a. clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or
b. contacting us using the contact details specified in Section 9 below.
Please note that the opt-out of marketing communications will not affect the sending of communications related to Services themselves.
4.Third Party Marketing
We will get your express opt-in Consent before we share your Personal Data with any company outside EverAI for marketing purposes.
You can ask us or third parties to stop sending you direct marketing messages by electronic means at any time by logging into the Services, or third parties websites and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you by such third parties.
5.Sharing your Personal Data
Candy.ai may share your information with:
a. service providers we work with to deliver the Services as follow:
- payment service providers (based in EU for European users); and
- hosting service providers (based in the US); and
- email marketing tools providers (based in the US); and
- affiliate partner tools (based in the EU).
b. our professional advisers where it is necessary for us to obtain their advice or assistance including lawyers, accountants, IT or public relations advisers ;
c. legal and regulatory authorities, as required by applicable laws and regulations; and our employees.
We will not disclose, sell, trade, or otherwise transfer your Personal Data to any third parties without your Consent where required or unless otherwise stated in this Privacy Notice.
If EverAI Limited merges with, or is acquired by, another company or organization, or sells all or a portion of its assets, your Personal Data may be disclosed to our advisers and any prospective purchaser or any prospective purchaser’s adviser and may be among the assets transferred. However, Personal Data will always remain subject to this Privacy Notice, as updated in accordance with section 11.
6.Retention Period
We retain your Personal Data for as long as your account is in existence or necessary to fulfill the purposes for which we collect it or as needed to provide you with the Services, except if required otherwise by law. However, when you terminate your account, we will still retain your Personal Data for a period of time. Usually, we will store your Personal Data for a period after you cease being a User of our Services, beginning at the date your account is closed.
Retention periods may be changed from time to time based on business or regulatory requirements.
We generally keep:
a. the Personal Data relating to your account up to three to five years after your last use of the Services to address potential customer inquiries, legal requirements, or disputes (in accordance with applicable statutes of limitations bearing on us);
b. the financial and transactional data seven years from their date of issuance (in accordance with our tax obligations); and
c. the marketing data until you withdraw your Consent or for a period of two years after your last interaction.
Our team remains available to take into account any (i) account closure and/or (ii) right of opposition to further marketing communications you would express
7.Personal Data of minors
EverAI Limited does not provide Services and collect Personal Data from anyone under 18 years of age or equivalent minimum age depending on jurisdiction. Our Services are intended for use only by adults who are 18 years of age and over. If we learn that we have been misled by an individual under 18, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible and block this User.
8.Third-party Links
The Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the Privacy Notice of every website that can be accessed through the Services.
9.Your Rights under GDPR
9.1.Right to access your Personal Data
At any time, you have the right to request a copy of your Personal Data that we hold in accordance with Article 15 GDPR. You have the right to be informed of: (a) the purposes of the Processing; (b) the categories of your Personal Data; (c) the recipients or categories of recipient to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) the envisaged period for which your Personal Data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the data subject or to object to such Processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the Personal Data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling. In order to submit such request, please see the contact us section below.
9.2.Right to rectification
You have the duty to maintain your Personal Data up to date. To do so, you have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the Personal Data you provide to us.
9.3.Right to erasure
You can also request that we erase your Personal Data in limited circumstances where it is no longer needed for the purposes for which it was collected; or you have withdrawn your Consent (where the Processing was based on Consent), and where there is no other legal ground for the Processing; or following a successful right to object (see right to object); or it has been processed unlawfully; or to comply with a legal obligation to which EverAI is subject.
We are not required to comply with your request to erase Personal Data if the Processing of your Personal Data is necessary;
a. for compliance with a legal obligation; or
b. for the establishment, exercise or defense of legal claims; or
c. for performance of a contract.
9.4.Right to request restriction of Processing of your Personal Data
This enables you to ask our Controller to suspend the Processing of your Personal Data in the following scenarios: (a) if you want us to establish the Personal Data’s accuracy; (b) where our Processing of the Personal Data is unlawful and you do not want us to erase it and request us to suspend the Processing instead; (c) where it is no longer needed for the purposes for which it was collected, but you need us to hold the Data to establish, exercise or defend legal claims; or (d) you have objected to our Processing of your Personal Data and we need to verify whether we have overriding legitimate grounds to use it.
We can continue to use your Personal Data following a request for restriction where:
a. we have your Consent; or
b. we need to:
- establish, exercise or defend legal claims; or
- protect the rights of another natural or legal person.
9.5.Right to portability
You can ask us to provide you with the Personal Data you provided to us in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another Controller, where the Processing is:
a. based on your Consent or on the performance of a contract with you; and
b. carried out by automated means.
9.6.Right to withdrawal your Consent
We are committed to make it as easy to withdraw as to give Consent.
You have the right to withdraw your Consent at any time and free of charge. The withdrawal of Consent shall not affect the lawfulness of Processing of your Personal Data based on Consent before its withdrawal.
If you withdraw your Consent, we may not be able to provide our Services to you to their full extent
9.7.Right to object to the Processing of your Personal Data
You can object to any Processing of your Personal Data based on our legitimate, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
9.8.Right to object to how we use your Personal Data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can withdraw your Consent to the transfer of your Personal Data to unaffiliated third parties for the purposes of direct marketing at any time and free of charge.
10.Right to obtain a copy of Personal Data safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Data is transferred outside of the European Union, the United Kingdom or Switzerland, as the case may be redacted of any terms unrelated to data protection.
11.Contact us
If you have concerns about how we are Processing your Personal Data, we ask that you please attempt to resolve any issues with us first. If you have any questions, concerns, or complaints regarding this Privacy Notice, or if you wish to exercise your rights related to your Personal Data, you can reach us at the following contact details. You have a right to lodge a complaint with your local supervisory authority (a list of European national data protection authorities can be found
here; the Information Commissioner Office contact details may be found
here).
Privacy Team
Email:
[email protected]
Mailing Address: EverAI Limited, 56 Central Business Centre
Triq Is-Soll, Santa Venera SVR 1833, Malta
Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Contact details:
[email protected]
12.Data Security
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
13.Changes to the Privacy Notice and your duty to inform us of changes
We may revise this Privacy Notice from time to time to take account of our changes of practices or of new applicable data protection law. If we modify our Privacy Notice, we will post the revised version on the Services with an updated revision date. Where such changes are substantial, we will also notify you by other means prior to the changes taking effect, such as by sending you an email notification or through the Service. By continuing to use our Services thirty days after such revisions are in effect, you will be deemed to accept and agree to the revisions and to abide by them.