Introduction

This Privacy Policy (hereinafter - "Policy") outlines how Kaiyo Labs Limited, a company duly established under the laws of British Virgin Island, with Company number 2151660 and its address Ritter House, Wickhams Cay II, PO Box 3170, Road Town, Tortola VG1110, British Virgin Islands (hereinafter - "Company", "We", or "Us"), collects, uses, discloses, stores, and otherwise processes Personal Information of Our User(-s) (hereinafter - "User" or "You") in connection with Your use of Our Website: https://v2.secserv.me/ (hereinafter - "Website"). Services are provided by the Platform called "Secserv.me".

This Policy is developed in accordance with the following legislation:

• European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR");
• British Virgin Islands Data Protection Act, 2021.
• other applicable legal acts.

By accessing or using Our Services in any manner, You confirm that You have read and understood this Policy, and consent to the collection and processing of Your Personal Information in accordance with the practices described herein.

Our main policy is to collect as little information about Users (including personal data) as possible to ensure the confidentiality of the use of the Services. We do not have the technical means to access the content of Your encrypted data and content.

Privacy is the default priority.

Definitions

• "Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The Data Controller in accordance with this Policy is the Company.
• "Data Subjects" means any identified or identifiable natural person whose personal data is processed by the Company.
• "Data Protection Legislation" refers to all applicable laws and regulations relating to data privacy and protection in force from time to time in any relevant jurisdiction in which We operate.
• "Platform" refers to the online service branded as Secserv.me, operated by the Company, which enables Users to upload, encrypt, monetize, access, and share digital content through time-limited, encrypted links.
• "Secserv.me" means the Platform as described above, including all associated software, source code, user interfaces, APIs, documentation, infrastructure, and any related services provided by the Company.
• "User" means any natural person that accesses or uses the Platform in any capacity, including both Uploaders and Downloaders, as defined herein.
• "Uploader" refers to a User over the age of majority who uploads, encrypts, and/or monetizes digital content on the Platform, whether for sale or restricted access.
• "Downloader" means a User over the age of majority who purchases access to Encrypted Content offered by an Uploader via the Platform. A Downloader receives a time-limited, non-transferable, single-use license to access the content.
• "Content" means any digital material, including without limitation videos, audio files, images, documents, text, or data streams, uploaded or encrypted by an Uploader via the Platform for the purpose of access, distribution, or sale.
• "Encrypted Content" refers to any Content that has been processed using encryption technology through the Platform, rendering it inaccessible without the corresponding Decryption Key.
• "Link" means a unique, time-sensitive hyperlink or code generated by the Platform, through which a Downloader may decrypt and access specific Encrypted Content within a defined period.
• "Transaction" means any exchange in which a Downloader pays for access to Encrypted Content provided by an Uploader, using mechanisms facilitated by the Platform.
• "Decryption Key" means a digital password or key required to access and decrypt Encrypted Content. This may be delivered via the Platform or separately, depending on the Uploader's configuration.

Limited Collection of Personal Data

The Platform does not log IP addresses, set tracking cookies, or use analytics tools to monitor User activity. No persistent identifiers are created for Users who access or use the service.

Decryption keys are never stored by the Company. They exist only within the unique access link and are partially derived from random browser data, User interactions (e.g., mouse/keyboard/touchpad movements), and any optional passphrase set by the Uploader. The key becomes available only when the link is opened by the intended recipient and is never transmitted to or retained by the Company.

The Platform operates without requiring sign‑up for most features. Paid transactions may require limited payment‑related information to process purchases and to comply with AML, Counter‑Terrorist Financing ("CTF"), and sanctions screening requirements. Such data may include payment identifiers, wallet addresses, and minimal transaction metadata necessary for lawful processing.

When Users choose to pay in fiat currency or authenticate via email, Google, or another Web2 provider, the Company may collect and process the User's email address and authorization token solely for the purposes of payment processing and authorization.

Where Users connect to the Platform through third-party wallet connection or authentication providers that support crypto wallets, email-based access, or social authentication (including Google, Apple, or other supported services), such authentication is processed directly by the relevant third-party provider. The Company does not collect, store, or have access to Users login credentials, social media account data, or authentication secrets.

The Company may receive only limited technical information strictly necessary to confirm the authentication or wallet connection and does not access or control the User's account or data held by such third-party providers.

For identity verification (when required) and payment processing, the Company may engage trusted third‑party providers. These providers are contractually bound to strict confidentiality and security obligations and may process only the minimum data necessary for the specific transaction.

Banking information used for payments made through the Platform, as well as data, is not collected, processed, or stored by Us, and We do not have access to such data. You can connect Your WEB3 wallet to conduct all transactions. We rely on third parties to process payments and transactions.

Any payment‑related or verification data is retained only for as long as is necessary to fulfil its purpose or comply with applicable retention laws. Messages and files are stored in encrypted form (AES‑256) and are automatically and permanently deleted once the access link expires or the content is accessed, whichever occurs first.

All files in the Platform are protected with end-to-end encryption. We do not possess the ability to decrypt end-to-end encrypted data and therefore cannot share it with third parties. Furthermore, all Content is also end-to-end encrypted.

However, We do NOT have access to file contents, file and folder names, and previews. Such data is end-to-end encrypted. We can only access the contents of a shared file or folder if a sharing URL is sent to Us by a third party that themselves has access to the shared file, along with the access password (if enabled). This can happen from time to time, for instance, if the third party is reporting abuse to Us.

We do not store, extract, or process EXIF data in any way. If a file contains metadata, it is encrypted along with the rest of the file content exactly as it was uploaded. We have no access to the contents of the file and cannot determine whether any metadata is present. Only the recipient, upon decryption, will receive the original file in full - including any EXIF data it may contain.

Exceptionally, where a User pays via fiat currency (e.g., by card), the Platform may collect and retain the User's email address and create an associated account for the purpose of managing access to paid content and ensuring payment confirmation.

In compliance with the GDPR the Company requires explicit, informed consent from Users before processing any personal data. This consent must be granted affirmatively (e.g., via a checkbox or clear opt‑in action) and cannot be implied solely from the User's use of the Platform. Users are presented with this Privacy Policy in advance and may refuse consent; in such cases, no personal data will be processed except as required by law.

Data disclosure

We will only disclose the limited user data We possess if We are legally obligated to do so by a binding request coming from the competent authorities. Under no circumstances can We decrypt end-to-end encrypted content and disclose decrypted copies.

Links to Third-Party Websites or Services

Our Services may include links to third-party websites or services that are not owned, controlled, or operated by the Company. These external platforms may collect, use, or process Your personal information independently and in accordance with their own privacy policies and data protection practices.

We do not assume any responsibility or liability for the privacy practices, data processing activities, content, or security measures of such third-party websites or services. The inclusion of a link does not imply Our endorsement of the third party or its content.

We strongly encourage You to carefully review the applicable privacy policies and terms of use of any external websites or services You choose to access through Our Platform, especially before submitting any personal data or engaging with their functionality.

Where third-party integrations (including but not limited to Web3 wallets, decentralized identity services, or embedded analytics tools) are available via Our Platform, You acknowledge that these tools may be subject to separate data processing rules and are not governed by this Privacy Policy.

Technical Logs and Security Measures

Legal Basis for Processing:

• Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract (i.e., provision of the Website and related functionalities);
• Art. 6(1)(f) GDPR – We have a legitimate interest in maintaining IT security, preventing misuse, and improving user experience.

For information on the use of cookies, please refer to Our Cookies Policy.

The Company implements all appropriate physical, technical, and organizational safeguards to maintain a high standard of personal data protection, with a particular focus on preventing unauthorized access, alteration, or destruction of data. Should any modifications be made to the applied security controls, the Company undertakes not to lower the existing level of protection.

Data Subject Rights

Data Subjects are entitled to exercise the following rights:

Before contacting the supervisory authority, We encourage You to contact Us directly so We may promptly address Your concerns. We are committed to resolving any issues in a transparent and timely manner.

You may submit Your complaint or inquiry regarding Our data handling practices via E-mail ssgsystems@protonmail.com.

Consideration of the complaint takes place in full compliance with the GDPR and the relevant legislation of the BVI.

Changes to this Policy

The Company reserves the right to revise, update, or otherwise modify this Privacy Policy at any time, in whole or in part, to reflect changes in applicable laws and regulations, technological developments, service enhancements, or internal business practices. Any amendments will be published on this page, and the "Last Updated" date at the top of this Policy will be revised accordingly.

Material changes that significantly affect how We collect, use, store, or share Your personal data will be communicated through Our Website. Unless otherwise specified, such changes become effective immediately upon publication, and such publication shall constitute valid notice to You.

By continuing to access or use the Company's Services after the effective date of any updates to this Policy, You acknowledge and agree to be legally bound by the revised terms. If You do not agree to the updated Policy, You must immediately discontinue use of the Services and terminate Your relationship with the Company.

All official notices and communications under this Privacy Policy shall be made in the English language.

Contact Us

If You have any questions about this Policy, Our data handling practices, or if You wish to exercise Your privacy rights, please reach out to Us via E-mail ssgsystems@protonmail.com.