Privacy Policy

SCD Global OÜ ("Company," "we," "us," or "our"), a private limited company (osaühing) duly organized and existing under the laws of the Republic of Estonia, bearing registry code 17309316 and VAT identification number EE102893128, with its registered office at Sepapaja tn 6, 15551 Tallinn, Harju maakond, Republic of Estonia, operates the Intelrift platform ("Platform") accessible at intelrift.com and all associated subdomains.

This Privacy Policy ("Policy") describes in detail how we collect, use, process, store, share, transfer, retain, and protect your personal data when you access, browse, register for, subscribe to, or otherwise use our Platform and Service. This Policy forms an integral part of our Terms of Service and should be read in conjunction therewith.

We are firmly committed to protecting your privacy and to processing your personal data lawfully, fairly, and transparently, in full compliance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), and all other applicable data protection and privacy legislation.

As a company established in the European Union, we are directly subject to the GDPR. SCD Global OÜ acts as the "data controller" within the meaning of Article 4(7) GDPR for the personal data processed through the Platform, meaning that we determine the purposes and means of the processing of your personal data. We take our obligations as a data controller seriously and have implemented comprehensive technical and organizational measures to ensure compliance with applicable data protection legislation.

This Policy applies to all individuals who interact with the Platform, including registered Users, visitors, free-tier Users, paid subscribers, and any person who communicates with us via email or other channels. By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

We collect and process the following categories of personal data in connection with the provision and operation of the Platform. The specific data elements collected depend on how you interact with the Platform, your subscription tier, and the features you use.

Account Data: Information you provide during account registration and profile creation, including: email address; full legal name; role, job title, or professional function; organization or company name; organization size; and account preferences. This data is required to create and manage your account and to provide the Service.

Authentication and Security Data: Password hashes (we never store plaintext passwords); session tokens and identifiers; authentication timestamps; login and logout events; IP addresses associated with authentication events; failed login attempts; and account recovery requests. This data is necessary for account security and fraud prevention.

Profile Data: Optional information you choose to provide beyond the mandatory registration fields, including: role preferences; team size; feature interests; language and locale preferences; timezone settings; notification preferences; and any other profile customizations.

Usage Data: Information about your interactions with the Platform, including: pages visited and navigation paths; features accessed and actions performed; AI queries submitted and features invoked; research sessions conducted and their duration; briefings, reports, and analyses generated; credits consumed and credit transaction history; dashboard configurations and customizations; export activities; API calls and their parameters (for API users); and associated timestamps for all of the foregoing.

Payment and Financial Data: All payment processing is handled exclusively by Stripe, Inc. We do NOT directly collect, process, store, or have access to your full credit card numbers, bank account details, CVV codes, or complete payment instrument data. Through Stripe, we receive and retain only: Stripe customer identifiers; transaction identifiers and payment confirmation status; subscription plan identifier and status; billing cycle dates and renewal dates; invoice amounts and currency; payment method type (e.g., "Visa ending in 4242"); and billing address (if provided to Stripe).

Technical Data: Information collected automatically through your use of the Platform, including: IP address (IPv4 and/or IPv6); browser type, version, and language settings; operating system and version; device type, model, and screen resolution; unique device identifiers; referrer URL and exit pages; time zone setting; network information; and other technical metadata transmitted by your browser or device.

AI Interaction Data: Data generated through your use of AI-powered features, including: queries, prompts, and instructions submitted to Spectre AI and other AI-powered features; the AI-generated responses, analyses, briefings, and outputs produced for your account; timestamps and credit costs associated with each AI interaction; the specific AI model and configuration used for each request; and any feedback you provide on AI Output quality.

Communication Data: Information contained in communications you direct to us, including: email correspondence; support requests and helpdesk tickets; feedback submissions and feature requests; waitlist registration information; and any other communications sent to our contact addresses.

Cookie and Tracking Data: Data collected through cookies and similar technologies deployed on the Platform, as further described in the Cookies and Similar Technologies section of this Policy.

Aggregate and Derived Data: We may derive additional data from the categories listed above through aggregation, anonymization, pseudonymization, or statistical analysis. Such derived data may include usage patterns, feature adoption metrics, performance benchmarks, and demographic insights. Where derived data cannot be used to identify you, it is no longer considered personal data under the GDPR.

We process your personal data exclusively on the basis of one or more lawful grounds as set forth in Article 6 of the GDPR. The specific legal basis applicable to each processing activity depends on the nature of the data, the purpose of the processing, and your relationship with the Platform. Below we identify each legal basis we rely upon and the processing activities to which it applies.

Contract Performance (Article 6(1)(b) GDPR): Processing that is necessary for the performance of the contract between you and the Company (the Terms of Service), or for taking steps at your request prior to entering into a contract. This includes: account creation, authentication, and management; provision, operation, and delivery of the Service; subscription management, plan upgrades, and downgrades; Credit allocation, consumption tracking, and balance management; payment processing through Stripe; generating AI-powered analyses, briefings, and Content at your request; communicating service-critical information (maintenance notices, security alerts, account notifications); and providing customer support in response to your inquiries.

Legitimate Interest (Article 6(1)(f) GDPR): Processing that is necessary for the legitimate interests pursued by the Company or a third party, where such interests are not overridden by your fundamental rights and freedoms. We have conducted data protection impact assessments and legitimate interest balancing tests for each processing activity relying on this basis. Our legitimate interests include: ensuring the security, integrity, and availability of the Platform and preventing fraud, abuse, and unauthorized access; monitoring and improving the performance, reliability, and user experience of the Service; conducting internal analytics, usage pattern analysis, and feature adoption measurement using aggregated and/or pseudonymized data; enforcing our Terms of Service, Acceptable Use policy, and other applicable policies; detecting, investigating, and responding to security incidents, vulnerabilities, and potential threats; and administering and protecting our business operations, assets, and Intellectual Property Rights.

Consent (Article 6(1)(a) GDPR): Processing based on your freely given, specific, informed, and unambiguous consent, indicated by a clear affirmative action. This applies to: marketing communications, newsletters, and promotional content (opt-in); deployment of non-essential cookies, specifically analytics cookies (Google Analytics), as described in the Cookies section of this Policy; and any other processing activity for which we specifically request and obtain your consent. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. To withdraw consent for marketing communications, use the unsubscribe link in any marketing email. To withdraw consent for analytics cookies, adjust your browser settings or use the cookie preference controls on the Platform.

Legal Obligation (Article 6(1)(c) GDPR): Processing that is necessary for compliance with a legal obligation to which the Company is subject under EU or Estonian law. This includes: maintenance of accounting, tax, and financial records as required by the Estonian Accounting Act (Raamatupidamise seadus) and the Taxation Act (Maksukorralduse seadus); compliance with lawful requests from tax authorities, regulators, law enforcement, or judicial bodies; retention of transaction records and invoicing data as required by VAT legislation; and compliance with any other mandatory reporting or record-keeping obligations under applicable law.

Where we process special categories of personal data (Article 9 GDPR), we will obtain your explicit consent unless another exception under Article 9(2) GDPR applies. As of the date of this Policy, we do not intentionally collect or process special categories of personal data through the Platform.

We process your personal data for the following specific, explicit, and legitimate purposes. We do not process personal data for purposes incompatible with those stated below without providing you with additional notice and, where required, obtaining your consent.

• Providing, operating, delivering, and maintaining the Service, including account management, authentication, session management, and content delivery;
• Processing subscription payments, managing billing cycles, issuing invoices, handling payment failures, and administering refunds where legally required;
• Managing Credit allocations, tracking Credit consumption, maintaining Credit transaction history, and enforcing plan-based feature entitlements;
• Generating AI-powered analyses, briefings, SITREPs, research syntheses, hypothesis analyses, playbooks, causal graphs, and other Content in response to your requests;
• Improving, optimizing, and personalizing the Service, including analyzing usage patterns, identifying areas for improvement, testing new features, and enhancing the user interface and experience;
• Communicating service-critical information, including maintenance notifications, security alerts, Terms of Service updates, Privacy Policy changes, and account-related notices;
• Sending marketing communications, newsletters, and promotional content, but only where you have opted in to receive such communications;
• Preventing, detecting, investigating, and responding to fraud, abuse, unauthorized access, security incidents, Terms of Service violations, and other harmful or illegal activities;
• Ensuring the security, integrity, availability, and stability of the Platform's infrastructure, systems, and networks;
• Complying with applicable legal, regulatory, tax, and accounting obligations, including record-keeping, reporting, and responding to lawful requests from competent authorities;
• Exercising, establishing, or defending legal claims, rights, or interests of the Company;
• Producing aggregated, anonymized, and/or pseudonymized analytics, statistics, and insights for internal business purposes, service development, and reporting;
• Administering the waitlist and managing early access or beta feature invitations;
• Providing customer support, responding to inquiries, and resolving complaints and disputes.

We retain your personal data only for as long as is strictly necessary to fulfill the purposes for which it was collected, as described in this Policy, or as required by applicable law. We apply the principle of data minimization and storage limitation as required by Article 5(1)(c) and (e) of the GDPR. The specific retention periods applicable to each category of personal data are as follows:

• Account data (name, email, profile information): Retained while your account remains active and for a period of thirty (30) calendar days following account deletion or termination to facilitate account recovery requests. After this period, account data is permanently deleted from active systems, subject to backup retention cycles.
• Authentication and security data (login logs, session records, security events): Retained for twelve (12) months from the date of the event for security monitoring, audit, and fraud prevention purposes.
• Payment and financial records (transaction IDs, subscription records, invoices): Retained for seven (7) years from the end of the financial year in which the transaction occurred, in accordance with the Estonian Accounting Act (Raamatupidamise seadus, §12) and the Taxation Act (Maksukorralduse seadus). This retention period is a mandatory legal requirement.
• Usage and analytics data (page views, feature usage, navigation patterns): Retained for twenty-four (24) months from the date of collection. After this period, usage data is either permanently deleted or irreversibly anonymized for aggregate statistical analysis.
• AI interaction logs (queries, prompts, AI responses): Retained for twelve (12) months from the date of the interaction. After this period, AI interaction data is either permanently deleted or irreversibly anonymized.
• Credit transaction history: Retained for the duration of the account plus twenty-four (24) months following account termination for billing reconciliation and dispute resolution purposes.
• Communication data (emails, support tickets): Retained for thirty-six (36) months from the date of the last communication in the thread.
• Cookie data: Retained according to the specific lifetime of each cookie as described in the Cookies section of this Policy. Session cookies expire when you close your browser; persistent cookies have a maximum lifetime of twelve (12) months.
• Waitlist data: Retained until the User is admitted to the Platform or withdraws from the waitlist, plus twelve (12) months thereafter.

Anonymized and aggregated data from which individuals cannot be identified, directly or indirectly, may be retained indefinitely for statistical, analytical, and research purposes, as such data falls outside the scope of the GDPR.

When personal data is no longer required for the purposes described above and no legal retention obligation applies, we will permanently delete or irreversibly anonymize the data within a reasonable timeframe, typically within thirty (30) days. Backup copies may be retained for up to ninety (90) additional days before permanent deletion in accordance with our backup rotation schedule.

You may request the deletion of your personal data at any time by exercising your right to erasure as described in the Your Rights section of this Policy, subject to applicable legal retention requirements.

As a data subject under the General Data Protection Regulation, you have the following rights with respect to the personal data we process about you. These rights are subject to certain conditions, limitations, and exceptions as set forth in the GDPR.

Right of Access (Article 15 GDPR): You have the right to obtain confirmation from us as to whether your personal data is being processed and, where that is the case, to access a copy of that data together with the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the data has been or will be disclosed; the envisaged retention period; the existence of your other rights; information about the source of the data; and the existence of automated decision-making, including profiling.

Right to Rectification (Article 16 GDPR): You have the right to request the correction of inaccurate personal data concerning you without undue delay, and to have incomplete personal data completed, including by providing a supplementary statement.

Right to Erasure — "Right to be Forgotten" (Article 17 GDPR): You have the right to request the deletion of your personal data without undue delay where: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal ground for the processing; you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for archiving purposes in the public interest.

Right to Restriction of Processing (Article 18 GDPR): You have the right to request the restriction of processing of your personal data where: you contest the accuracy of the data (for the period needed to verify accuracy); the processing is unlawful and you oppose erasure and request restriction instead; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours.

Right to Data Portability (Article 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us, where: the processing is based on consent or contract performance; and the processing is carried out by automated means.

Right to Object (Article 21 GDPR): You have the right to object at any time to the processing of your personal data based on our legitimate interests (Article 6(1)(f) GDPR), including profiling based on those provisions. Upon receiving an objection, we will cease processing your data for the contested purpose unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing of your data for direct marketing purposes at any time, and we will comply with such objection without exception.

Right Not to be Subject to Automated Decision-Making (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As of the date of this Policy, the Platform does not make decisions based solely on automated processing that produce legal effects or similarly significant effects on Users.

Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw your consent at any time, free of charge, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

Right to Lodge a Complaint: If you believe that our processing of your personal data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for the Company is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia, website: www.aki.ee. You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work.

How to Exercise Your Rights: To exercise any of the above rights, please submit a written request to [email protected], clearly specifying the right you wish to exercise and providing sufficient information to verify your identity. We may request additional information to confirm your identity before processing your request, to prevent unauthorized access to personal data.

Response Time: We will respond to your request within thirty (30) calendar days of receipt. Where requests are complex or numerous, this period may be extended by an additional sixty (60) calendar days, in which case we will inform you of the extension and the reasons for it within the initial thirty-day period. Where we are unable to comply with a request, we will inform you of the reasons and of your right to lodge a complaint with the supervisory authority.

Cost: The exercise of your rights is free of charge. However, where requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee based on administrative costs or refuse to act on the request, in accordance with Article 12(5) GDPR.

In the course of providing the Service, certain categories of personal data may be transferred to and processed by third-party service providers (sub-processors) located outside the European Economic Area (EEA), in jurisdictions that may not provide an equivalent level of data protection to that required under the GDPR. All international data transfers are conducted in strict compliance with GDPR Chapter V (Articles 44-49) and are subject to appropriate safeguards.

The following third-party service providers process personal data outside the EEA:

• OpenAI, LLC (United States): Processes AI queries, prompts, and contextual data for the purpose of AI analysis, content generation, briefing production, hypothesis analysis, and natural language processing. Data transferred: AI Interaction Data (queries and prompts submitted by Users).
• Perplexity AI, Inc. (United States): Processes research queries for the purpose of real-time information retrieval, research synthesis, and briefing generation. Data transferred: research queries and contextual parameters.
• Stripe, Inc. (United States): Processes payment data for the purpose of payment processing, subscription management, invoicing, and fraud detection. Data transferred: Payment and Financial Data as described in the Data We Collect section.
• Google LLC (United States): Processes analytics data for the purpose of web analytics and usage measurement (Google Analytics). Data transferred: Technical Data, Usage Data (in anonymized/pseudonymized form where possible).
• ActiveCampaign, LLC / Postmark (United States): Processes email delivery data for the purpose of transactional email delivery (account notifications, security alerts, billing notices). Data transferred: email address, name, and email content.

All international data transfers to the above providers are protected by the following appropriate safeguards as required by Article 46 GDPR:

• Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Decision (EU) 2021/914 of 4 June 2021, as applicable;
• Data Processing Agreements (DPAs) executed with each provider, specifying the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of both parties;
• Supplementary technical and organizational measures where the transfer impact assessment identifies risks, including encryption in transit, data minimization, and pseudonymization;
• Regular assessment of the adequacy of safeguards and monitoring of the legal framework in each recipient country, including assessment of government access laws and surveillance practices.

We conduct Transfer Impact Assessments (TIAs) in accordance with the guidance of the European Data Protection Board (EDPB) to evaluate the level of data protection in each recipient country and to identify and implement supplementary measures where necessary.

You may request a copy of the relevant Standard Contractual Clauses, Data Processing Agreements, or Transfer Impact Assessments by contacting us at [email protected], subject to redaction of commercially confidential provisions.

The Platform uses cookies and similar technologies in accordance with the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) and applicable national implementations. This section explains the types of cookies we use, their purposes, and your choices regarding them.

Essential Cookies (Strictly Necessary): These cookies are required for the fundamental operation of the Platform, including session management, user authentication, CSRF protection, locale routing, and load balancing. Strictly necessary cookies do not require your consent under Article 5(3) of the ePrivacy Directive, as they are indispensable for the provision of the Service you have explicitly requested. Disabling these cookies will impair or prevent your ability to use the Platform.

• Session cookie (better-auth.session_token): Manages your authenticated session. Expires when browser is closed or after session timeout.
• CSRF protection cookie: Prevents cross-site request forgery attacks. Expires per session.
• Locale preference cookie (NEXT_LOCALE): Stores your language preference (en/es). Expires after 12 months.

Functional Cookies: These cookies persist user preferences and settings to enhance your experience across sessions, including interface theme (light/dark mode), dashboard layout configurations, and notification preferences. While not strictly necessary, these cookies improve usability. These cookies are set based on your explicit interactions with preference controls on the Platform.

Analytics Cookies (Consent Required): We use Google Analytics (provided by Google LLC) to understand usage patterns, measure feature adoption, analyze navigation flows, and improve the Service. Analytics cookies are deployed ONLY after obtaining your explicit prior consent in accordance with the ePrivacy Directive. Analytics data is processed in anonymized or pseudonymized form where technically feasible. Google Analytics cookies include:

• _ga: Distinguishes unique users. Expires after 2 years.
• _ga_[ID]: Maintains session state. Expires after 2 years.

You may revoke your consent for analytics cookies at any time by adjusting your browser cookie settings or by clearing cookies for the intelrift.com domain.

We do NOT use, deploy, or permit any advertising cookies, retargeting cookies, cross-site tracking cookies, social media tracking pixels, fingerprinting technologies, or any third-party tracking mechanisms for advertising, profiling, or behavioral targeting purposes.

Managing Cookies: You can manage, block, or delete cookies through your browser settings. Most browsers allow you to: view what cookies are set; delete individual or all cookies; block cookies from specific or all sites; block third-party cookies; and set preferences for specific websites. For detailed instructions, consult your browser's help documentation. Please note that blocking or deleting essential cookies will significantly impair or prevent your ability to use the Platform.

We engage the following third-party service providers ("sub-processors") in the operation of the Platform. Each provider processes personal data solely for the specific purposes described below. We share only the minimum data necessary for each provider to perform its designated function, in accordance with the data minimization principle of Article 5(1)(c) GDPR.

• Stripe, Inc. (San Francisco, CA, USA): Payment processing, subscription management, invoicing, fraud detection, and compliance. Processes: Payment and Financial Data. Stripe is PCI DSS Level 1 certified. Privacy policy: stripe.com/privacy.
• OpenAI, LLC (San Francisco, CA, USA): AI model provider for natural language processing, analysis, content generation, briefing production, and research synthesis. Processes: AI Interaction Data (queries and prompts). Data processing agreement in place with zero data retention for API usage. Privacy policy: openai.com/privacy.
• Perplexity AI, Inc. (San Francisco, CA, USA): AI research provider for real-time information retrieval, web research, and briefing generation. Processes: research queries and contextual parameters. Privacy policy: perplexity.ai/privacy.
• Finnhub (Finland): Financial market data provider. Provides: stock prices, forex rates, crypto data, and financial indicators. Minimal personal data processing — primarily Technical Data for API authentication.
• Alpaca Markets, Inc. (San Mateo, CA, USA): Financial market data provider. Provides: real-time and historical market data, price feeds, and trading indicators. Minimal personal data processing — primarily Technical Data for API authentication.
• Google LLC (Mountain View, CA, USA): Web analytics provider (Google Analytics). Processes: Technical Data and Usage Data (anonymized/pseudonymized). Deployed only with user consent. Privacy policy: policies.google.com/privacy.
• ActiveCampaign, LLC / Postmark (Chicago, IL, USA): Transactional email delivery service. Processes: email address, recipient name, and email content for the purpose of delivering account notifications, security alerts, billing notices, and other transactional communications. Privacy policy: postmarkapp.com/privacy-policy.

Each third-party service provider operates under its own privacy policy and terms of service, which govern their processing of personal data. We have entered into Data Processing Agreements (DPAs) with each provider where required by the GDPR, specifying the nature, scope, and purpose of processing, data security obligations, sub-processing restrictions, and data subject rights assistance obligations.

We regularly review and assess our third-party service providers to ensure continued compliance with applicable data protection requirements. We reserve the right to change, add, or remove service providers at any time, subject to appropriate safeguards and, where required, notification to Users.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing.

Technical measures include:

• Encryption of all data in transit using TLS 1.2 or higher (HTTPS) for all communications between your browser/client and the Platform;
• Encryption at rest for database storage using AES-256 or equivalent encryption standards;
• Secure password storage using industry-standard one-way cryptographic hashing algorithms with unique per-user salts;
• Role-based access control (RBAC) systems limiting access to personal data based on job function and the principle of least privilege;
• Network segmentation and firewall protection to isolate critical systems and databases;
• Regular automated vulnerability scanning and manual security assessments;
• Secure API authentication using tokens and rate limiting to prevent abuse;
• Automated monitoring and alerting for suspicious activities, anomalous access patterns, and potential security incidents.

Organizational measures include:

• Access to personal data restricted to authorized personnel on a strict need-to-know basis;
• Confidentiality obligations imposed on all employees and contractors with access to personal data;
• Regular review and audit of access permissions;
• Documented incident response procedures for data breaches;
• Data protection considerations integrated into the development and design of new features and systems (data protection by design and by default, Article 25 GDPR).

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (Estonian Data Protection Inspectorate) within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.

Despite these measures, no method of transmission over the Internet, method of electronic storage, or system connected to the Internet is completely secure. While we strive to use commercially reasonable and industry-standard means to protect your personal data, the Company cannot guarantee absolute security and shall not be liable for any unauthorized access, data breach, or security incident resulting from: (a) circumstances beyond the Company's reasonable control; (b) vulnerabilities in third-party software or infrastructure; or (c) your failure to maintain the security of your account credentials.

The Platform and Service are not directed to, designed for, or intended for use by individuals under the age of sixteen (16) years, in accordance with Article 8 of the GDPR and applicable national implementations. We do not knowingly collect, solicit, process, or store personal data from minors under the age of sixteen.

We do not employ age-verification technology during registration. However, by creating an account and using the Platform, you represent and warrant that you are at least sixteen (16) years of age, or the applicable minimum age in your jurisdiction if higher, and that you have the legal capacity to consent to the processing of your personal data.

If we become aware, through any means, that we have collected or are processing personal data from an individual under the age of sixteen without valid, verifiable parental or guardian consent, we will take prompt and reasonable steps to: (a) cease processing such data immediately; (b) permanently delete such data from our active systems and, where technically feasible, from backup systems; and (c) take any other measures required by applicable law.

Parents, legal guardians, or other responsible adults who believe that a minor under the age of sixteen has provided personal data to us, created an account on the Platform, or otherwise interacted with the Service, should contact us immediately at [email protected], providing sufficient information to identify the minor's account. We will investigate promptly and take appropriate action.

For Users located in jurisdictions where a higher minimum age applies for the processing of children's personal data (for example, under Article 8(1) GDPR, Member States may provide for a minimum age of up to 16 years), the applicable minimum age of that jurisdiction shall apply.

We reserve the right to update, modify, supplement, or replace this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, regulatory guidance, or business operations. We will indicate the "Last Updated" date at the top of this Policy to reflect the date of the most recent revision.

Changes to this Policy become effective immediately upon posting the revised Policy on the Platform, unless a later effective date is specified.

For material changes that substantially affect how we collect, use, or share your personal data, or that materially affect your data protection rights, we will make reasonable efforts to provide advance notice through one or more of the following means: (a) email notification to the address associated with your account; (b) a prominent banner or notification within the Platform displayed upon login; or (c) any other reasonable method of notification. We will provide at least fifteen (15) calendar days' advance notice for material changes where practicable.

Where a change to this Policy requires your consent under applicable data protection law (for example, the introduction of a new processing purpose not compatible with the original purposes), we will obtain your explicit consent before implementing the change.

Your continued use of the Service after the effective date of any changes to this Privacy Policy constitutes your acceptance of the updated Policy. If you do not agree with the revised Policy, you must discontinue use of the Service and, if applicable, request deletion of your personal data in accordance with the Your Rights section of this Policy.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Previous versions of this Privacy Policy are available upon written request to [email protected].

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy, our data processing practices, or your data protection rights, please contact us using the information below.

Data Controller: SCD Global OÜ Registry code: 17309316 VAT identification number: EE102893128

Registered Address: Sepapaja tn 6, 15551 Tallinn Harju maakond, Republic of Estonia

General and privacy inquiries: [email protected] Data protection requests (GDPR rights): [email protected]

We will acknowledge receipt of your inquiry within two (2) business days and will provide a substantive response within the timeframes specified in this Policy (thirty (30) calendar days for GDPR rights requests, five (5) business days for general inquiries).

Competent Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) Address: Tatari 39, 10134 Tallinn, Estonia Phone: +372 627 4135 Email: [email protected] Website: www.aki.ee

You also have the right to lodge a complaint with the data protection supervisory authority in your country of habitual residence or place of work if you believe that our processing of your personal data infringes the GDPR.

EU Online Dispute Resolution: For complaints that remain unresolved after contacting us, EU consumers may refer to the European Commission's Online Dispute Resolution (ODR) platform at: https://ec.europa.eu/consumers/odr/