Introduction & Important Notice

Sinioo operates the Trust-Vault Protocol platform (the "Platform"). This Privacy Policy explains how we collect, use, share, and protect your personal information in compliance with applicable data protection laws.

• Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR")
• California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA")
• Personal Information Protection and Electronic Documents Act ("PIPEDA")
• Lei Geral de Proteção de Dados ("LGPD")
• Other applicable national or regional privacy laws

IMPORTANT: By accessing or using the Platform, you confirm that you have read and agree to this Privacy Policy. If you do not agree, do not use the Platform.

1. Data Controller & Contact Information

Sinioo is the data controller responsible for the personal information described in this Privacy Policy. The legal entity is Sinioo Ltd., incorporated in The Gambia.

Company Name: Sinioo
Legal Entity: Sinioo Ltd.
Website: https://sinioo.com
Email: hello@sinioo.com

For privacy requests or inquiries, contact us at hello@sinioo.com. EU/UK/CH residents may also lodge a complaint with their local supervisory authority.

2. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set forth below:

• "Personal Data" or "Personal Information": Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• "Processing": Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Special Category Data": Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
• "Data Subject": An identified or identifiable natural person whose personal data is processed by Sinioo.
• "Data Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Sinioo Ltd.).
• "Data Processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
• "Third Party": Any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3. Scope & Applicability

This Privacy Policy applies to all personal information collected, processed, or stored by Sinioo through:

• The Platform (website, applications, APIs, and services)
• Direct communications (emails, support tickets, forms)
• Automated collection mechanisms (cookies, log files, analytics)
• Third-party integrations and service providers acting on our behalf

This Policy does not apply to personal information collected by any third-party websites, services, or platforms that may be linked to or from the Platform. We are not responsible for the privacy practices of such third parties.

4. Categories of Personal Data Collected

We collect and process the following categories of personal data:

4.1 Identity & Contact Information

• Full name (given name and surname)
• Email address
• Physical address (optional, for business verification)
• Professional title and organization name
• Date of birth (for identity verification purposes)
• Government-issued identification numbers (passport, national ID, business registration numbers)

4.2 Verification & Application Data

• Verification application forms and submitted data
• Supporting documentation (business licenses, certificates, proof of address, identity documents)
• Verification status, history, and audit trails
• Credential identifiers and public verification records
• Payment information (processed via third-party payment processors; full card details are not stored by Sinioo)

4.3 Technical & Usage Data

• IP address and geolocation data (approximate location derived from IP)
• Browser type, version, and settings
• Operating system and device information
• Unique device identifiers (cookies, local storage, fingerprinting signals)
• Pages visited, features accessed, time spent on Platform
• Referral source and clickstream data
• Performance metrics (PageSpeed scores, LCP, FID, CLS, TTFB) from monitoring services
• Error logs and diagnostic information
• Session duration, frequency of visits, and interaction patterns

4.4 Communications Data

• Content of emails, support tickets, and messages sent to Sinioo
• Correspondence history and metadata
• Feedback and survey responses

4.5 Data from Third-Party Sources

• Identity verification services (background check results, registry lookups, business entity verification)
• Technical performance APIs (Google PageSpeed Insights, Lighthouse, WebPageTest)
• Authentication providers (OAuth providers, if applicable)
• Public business registries and government databases for verification purposes

5. Purposes & Legal Basis for Processing

We process your personal data for specific, legitimate purposes. The legal basis for processing depends on the applicable jurisdiction and the specific processing activity.

5.1 Purposes of Processing

We process personal data for the following purposes:

• Service Provision: To create and manage your account, process verification applications, issue credentials, and provide the Platform's core services.
• Authentication & Security: To verify your identity, authenticate access, secure the Platform, detect and prevent fraud, abuse, or unauthorized access.
• Communication: To respond to inquiries, provide customer support, send service-related notifications, security alerts, and updates.
• Payment Processing: To process payments, manage subscriptions, issue invoices, and prevent payment fraud.
• Platform Improvement: To analyze usage patterns, debug errors, monitor performance, develop new features, and improve user experience.
• Compliance: To comply with legal obligations, including tax reporting, anti-money laundering (AML), know-your-customer (KYC), and regulatory requirements.
• Legal Rights Enforcement: To establish, exercise, or defend legal claims, or when required by court order, governmental request, or legal process.

5.2 Legal Basis for Processing (GDPR/EEA/UK/CH)

For Data Subjects in the EEA, UK, and Switzerland, we process personal data under one or more of the following lawful bases:

• Performance of a Contract (Article 6(1)(b) GDPR): Processing is necessary to provide the verification service you have requested and to fulfill our contractual obligations to you.
• Legal Obligation (Article 6(1)(c) GDPR): Processing is required to comply with applicable laws, regulations, judicial proceedings, or governmental orders (e.g., tax compliance, AML/KYC regulations).
• Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for our legitimate interests in operating and improving the Platform, preventing fraud, ensuring security, and conducting analytics, provided such interests are not overridden by your fundamental rights and freedoms. We conduct legitimate interest assessments (LIA) where required.
• Consent (Article 6(1)(a) GDPR): For direct marketing communications and any processing not based on the above grounds, we obtain your explicit consent, which you may withdraw at any time.

For processing special category data (if any), we rely on explicit consent or other specific grounds under Article 9(2) GDPR.

5.3 Legal Basis for Processing (CCPA/CPRA — California)

For California residents, personal information is collected and processed for the following business and commercial purposes:

• To perform the verification service and fulfill contractual obligations
• To authenticate and secure your account
• To provide customer service and communicate with you
• To process payments and manage subscriptions
• To improve and develop the Platform
• To comply with legal and regulatory requirements
• To detect and prevent fraud and illegal activities

We do not sell your personal information. We may share it with service providers who process it on our behalf ("business purposes") and as otherwise described in this Policy.

6. International Data Transfers

Sinioo is headquartered in The Gambia. Our primary cloud infrastructure and data processing operations are located in the United States and other jurisdictions where our service providers operate. As a result, your personal data may be transferred to, stored, and processed in countries outside your country of residence, including the United States.

6.1 Transfers Outside the EEA, UK, and Switzerland

For transfers of personal data originating from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection by the European Commission, UK Information Commissioner's Office, or Swiss Federal Data Protection and Information Commissioner, we implement appropriate safeguards to protect your data. These safeguards include:

• EU-U.S. Data Privacy Framework (DPF): Our service providers may participate in the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework, ensuring adequate protection for data transferred to the United States.
• Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (2021/914/EU) for data transfers, incorporating any supplementary measures where necessary to ensure an adequate level of protection.
• Binding Corporate Rules (BCRs): Where applicable, our service providers may be bound by BCRs approved by relevant data protection authorities.

You may request a copy of the specific transfer mechanisms in place by contacting us at hello@sinioo.com.

6.2 Your Consent to International Transfers

By using the Platform and providing your personal data, you expressly consent to the transfer, processing, and storage of your personal data in jurisdictions outside your country of residence, including the United States. You acknowledge that the data protection laws in these jurisdictions may differ from those in your country, but we will ensure appropriate safeguards are in place as described above.

7. Data Sharing & Third-Party Disclosures

We do not sell your personal data. We may share your personal information only in the following circumstances:

7.1 Service Providers & Processors

We engage trusted third-party service providers to perform functions on our behalf and provide services necessary to operate the Platform. These providers have access to personal data only to perform these tasks on our instructions and are obligated not to disclose or use it for any other purpose. Categories of service providers include:

• Cloud Infrastructure & Hosting: Google Cloud Platform (Firebase), Amazon Web Services (AWS) — for data storage, hosting, and computing resources.
• Email & Communications: SendGrid, Mailgun, or similar services — for transactional and service-related emails.
• Analytics & Monitoring: Google Analytics (with IP anonymization enabled), Firebase Analytics, and performance monitoring tools — for usage analytics and platform health.
• Payment Processing: Stripe, PayPal, or similar PCI-DSS compliant providers — for payment processing. Card data is handled exclusively by these providers; we do not store full payment card details.
• Identity & Business Verification: Third-party verification services (e.g., identity validation, business registry checks, background screening) — to verify information you provide. These services are bound by strict data protection agreements.
• Technical Performance APIs: Google PageSpeed Insights, Lighthouse, WebPageTest — for retrieving technical health metrics.
• Customer Support: Help desk and ticketing systems (e.g., Zendesk, Intercom) — for managing support requests.

7.2 Legal & Regulatory Disclosures

We may disclose your personal data if required to do so by law, regulation, court order, or governmental request, or when reasonably necessary to:

• Comply with legal process (subpoenas, warrants, court orders)
• Enforce our Terms of Service or other agreements
• Protect the rights, property, or safety of Sinioo, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to government or regulatory inquiries (tax authorities, data protection authorities, law enforcement)

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred as part of the transaction. We will provide notice (via email and/or prominent notice on the Platform) before such transfer occurs, and the acquiring entity will assume responsibility for your personal data under this Privacy Policy or a successor policy.

7.4 Public Verification Records

Certain information you provide becomes part of a public verification record when a credential is issued. This includes, at minimum: organization name, verification status, credential identifier, issue date, and public verification URL. Public verification records are intentionally non-anonymous and are displayed publicly to enable transparency and third-party verification. Such records are retained indefinitely as described in Section 10 (Data Retention).

7.5 Aggregated & anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, analytics, marketing, or business purposes. Such data does not constitute personal information under applicable law.

8. Data Retention & Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless longer retention is required or permitted by law. Retention periods are determined based on:

• The purpose for which the data was collected
• Legal, tax, or regulatory obligations
• Statutes of limitations
• Accreditation or audit requirements
• Legitimate business interests (e.g., fraud prevention, platform security)

8.1 Retention Periods by Data Category

• Account & Profile Data: Retained while your account is active. Upon account deletion or closure, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records) or necessary for legitimate business purposes (e.g., fraud prevention).
• Verification Applications & Supporting Documents: Retained for a minimum of seven (7) years from the date of credential issuance or final decision to satisfy regulatory, audit, and legal hold requirements. Public verification records (credential IDs, organization names, verification status) are retained indefinitely.
• Payment & Transaction Records: Retained for seven (7) years to comply with tax and financial regulations.
• Communications & Support Tickets: Retained for three (3) years after the last communication for customer service quality and dispute resolution.
• Server & Application Logs: Retained for up to ninety (90) days for security monitoring, debugging, and incident response, unless longer retention is required for security investigations or legal obligations.
• Analytics & Performance Data: Aggregated and anonymized data may be retained indefinitely for analytical and improvement purposes.

8.2 Public Verification Records — Perpetual Retention

Public verification records (including credential identifiers, organization names, verification status, issue and expiry dates, and public verification URLs) are retained indefinitely to maintain the integrity, transparency, and immutability of the Trust-Vault Protocol's public ledger. These records serve a public interest in organizational accountability and cannot be deleted or altered once issued, except in limited circumstances required by law (e.g., a court order to redact specific personal information). Expired or revoked credentials remain accessible but are clearly marked as such.

8.3 Data Deletion & Anonymization

When personal data is no longer needed, we will securely delete or permanently anonymize it using industry-standard methods (e.g., cryptographic erasure, physical destruction of storage media, or irreversible aggregation). Anonymized data will be stored separately and cannot be linked back to you.

9. Data Security & Confidentiality

We implement and maintain technical, organizational, and administrative security measures designed to protect personal data against unauthorized access, alteration, disclosure, destruction, or accidental loss. These measures are appropriate to the risk level and include:

• Encryption: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher). Personal data at rest is encrypted using industry-standard algorithms (AES-256 or equivalent).
• Access Controls: Role-based access controls (RBAC), least-privilege principles, and multi-factor authentication (MFA) for administrative and privileged access.
• Network & Infrastructure Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), regular vulnerability assessments, and security monitoring.
• Service Provider Vetting: We select service providers that maintain robust security programs, including SOC 2 Type II, ISO 27001, or equivalent certifications where applicable.
• Incident Response: We maintain an incident response plan to detect, contain, and remediate security incidents. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and applicable supervisory authorities within the legally required timeframe (typically 72 hours under GDPR).
• Employee Training: Regular security and privacy awareness training for personnel with access to personal data.
• Regular Audits: Periodic security audits, penetration testing, and compliance reviews to identify and address vulnerabilities.

9.1 Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR and applicable laws. Notifications will include:

• The nature of the breach
• Categories and approximate number of data subjects affected
• Likely consequences of the breach
• Measures taken to mitigate the breach and protect affected individuals
• Contact information for further inquiries

9.2 Your Responsibility

While we implement reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords and enabling multi-factor authentication where available
• Ensuring your device and browser are secure and up to date
• Reporting any suspected unauthorized access or security incidents to us immediately at hello@sinioo.com

10. Your Data Subject Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. We will honor these rights to the extent required by applicable law.

10.1 Rights Under GDPR (EEA/UK/CH Residents)

Under the GDPR, you have the following rights:

• Right of Access (Article 15): Request confirmation that your personal data is being processed and obtain a copy of that data, along with information about the processing.
• Right to Rectification (Article 16): Request correction of inaccurate personal data and completion of incomplete data.
• Right to Erasure ("Right to be Forgotten") (Article 17): Request erasure of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent (if processing is based on consent), when you object to processing (and no overriding legitimate grounds exist), or when the data has been unlawfully processed. Note: Public verification records are exempt from erasure as required by law to maintain the integrity of the verification service.
• Right to Restriction of Processing (Article 18): Request that we restrict processing of your personal data in certain circumstances (e.g., when accuracy is contested, processing is unlawful but you oppose erasure, or we no longer need the data but you require it for legal claims).
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another data controller, where processing is based on consent or contract and carried out by automated means.
• Right to Object (Article 21): Object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Rights Related to Automated Decision-Making (Article 22): Not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Verification decisions are partially automated but may be reviewed upon request (see Section 12).

10.2 Rights Under CCPA/CPRA (California Residents)

California residents have the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, business purposes for collection, and categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., to complete a transaction, comply with legal obligations, or maintain public verification records).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information. You may opt out of the sharing of your personal information for cross-context behavioral advertising purposes.
• Right to Limit Use and Disclosure of Sensitive Personal Information: We do not collect sensitive personal information beyond what is necessary for service provision.
• Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA/CPRA rights.

10.3 Other Jurisdictions

Residents of other jurisdictions (e.g., PIPEDA in Canada, LGPD in Brazil) may have similar rights. We will respond to all verifiable requests in accordance with applicable law.

10.4 How to Exercise Your Rights

To exercise any of these rights, please submit a verifiable request to hello@sinioo.com with the subject line "Privacy Rights Request" and include:

• Your full name and email address associated with your account
• A clear description of the specific right you are exercising and the personal data to which the request relates
• Proof of identity (to prevent fraudulent requests) — typically a copy of a government-issued ID matching the account information

We will verify your identity before fulfilling your request to protect your privacy and security.

10.5 Response Timeframe

We will respond to verifiable requests within the following timeframes:

• GDPR (EEA/UK/CH): Within one (1) month of receipt, which may be extended by two (2) further months if necessary due to complexity or volume. We will notify you of any extension.
• CCPA/CPRA (California): Within forty-five (45) days of receipt, which may be extended up to ninety (90) days if reasonably necessary, with notice to you.
• Other jurisdictions: Within a reasonable timeframe in accordance with applicable law.

10.6 Fees

There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee or refuse to act, and we will notify you of our decision.

11. Cookie Policy & Tracking Technologies

We use cookies, web beacons, local storage, and similar technologies ("Tracking Technologies") to operate and improve the Platform. This section explains how these technologies work and your choices regarding them.

11.1 Types of Cookies & Technologies Used

Essential Cookies: These cookies are strictly necessary for the Platform to function. They enable core functions such as security, network management, account authentication, and remembering your preferences (e.g., language, consent settings). Without these cookies, the Platform cannot operate properly. They do not store any personally identifiable information.

Performance & Analytics Cookies: These cookies collect information about how visitors use the Platform — which pages are visited, where clicks occur, how long users stay, any errors encountered, etc. This data is aggregated, anonymized, and used solely to improve the Platform's performance and user experience. We use Google Analytics (with IP anonymization enabled) and Firebase Analytics for this purpose. You can opt out of analytics cookies as described below.

Functionality Cookies: These cookies remember choices you make (e.g., your username, language, region) to enhance your experience. They do not track your activity across other websites.

Targeting & Advertising Cookies: The Platform does not serve targeted advertising and does not use cookies for behavioral advertising purposes.

11.3 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages (e.g., Google Fonts, Pexels). We do not control these third-party cookies. Please review the privacy policies of those third parties for information on their data practices.

11.4 Your Cookie Choices

You can manage cookie preferences in several ways:

• Browser Settings: Most browsers allow you to block, delete, or alert you to cookies. However, blocking essential cookies may impair the Platform's functionality.
• Do Not Track Signals: Our Platform does not currently respond to browser-based Do Not Track (DNT) signals.
• Google Analytics Opt-out: You can install the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics.
• Consent Banner: Upon first visit, you will be presented with a cookie consent banner allowing you to accept or customize non-essential cookies.

11.5 More Information

For more detailed information about the cookies and tracking technologies we use, please visit our Cookie Policy page (if available) or contact us at hello@sinioo.com.

12. Children's Privacy

The Platform is not directed at children under the age of sixteen (16) years. We do not knowingly collect or solicit personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will promptly delete such information from our systems.

Parents or legal guardians who believe that a child under 16 has provided personal information to Sinioo are encouraged to contact us at hello@sinioo.com to request deletion of the information.

Note: In jurisdictions where the age of digital consent is higher (e.g., 13 in some US states under certain laws, 16 under GDPR), we will not knowingly process data from individuals below that age without verifiable parental consent where required.

13. Automated Decision-Making & Profiling

Verification decisions are made through a combination of automated and manual processes. Our automated systems evaluate evidence against predefined criteria to determine verification eligibility. These automated decisions have legal or similarly significant effects because they determine whether an organization receives a credential, which may impact the organization's reputation and business opportunities.

Under Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. However, automated processing is necessary for entering into, or performance of, a contract between you and Sinioo (the verification service) and is authorized by applicable law.

You have the right to obtain human intervention from Sinioo, to express your point of view, and to contest the decision. If you believe a verification decision was made in error or if you wish to appeal, you may request a manual review by contacting us at hello@sinioo.com with a clear explanation and any supporting evidence for reconsideration. We will review your appeal promptly and communicate the outcome.

The logic involved in the automated decision-making process is based on publicly available criteria outlined in our verification guidelines. These criteria assess factors such as legal business registration, identity verification, technical health metrics, and document authenticity.

14. Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, particularly when introducing new technologies or significantly changing existing processing activities. DPIAs help us identify and mitigate privacy risks at the design stage.

While we do not routinely disclose internal DPIA findings, we are committed to implementing their recommendations to enhance privacy protections for all users.

15. Privacy by Design & Default

Sinioo adheres to the principles of Privacy by Design and Privacy by Default. Our systems and processes are designed to:

• Collect only the minimum personal data necessary for specified, explicit, and legitimate purposes
• Implement default settings that protect privacy (e.g., opt-in for marketing, minimal data sharing)
• Embed privacy protections throughout the development lifecycle
• Provide transparency about data practices
• Enable user control over personal data

16. California Privacy Disclosures (CCPA/CPRA)

This section provides additional disclosures required under the California Consumer Privacy Act, as amended by the CPRA.

16.1 Collection, Use, and Disclosure of Personal Information

In the past twelve (12) months, we have collected the categories of personal information described in Section 4 above for the business and commercial purposes described in Section 5. We obtain such information directly from you when you use the Platform, submit verification applications, or communicate with us. We also collect data automatically through cookies and similar technologies, and from third-party sources such as identity verification services.

16.2 Sale of Personal Information

We do not sell your personal information. We may share personal information with service providers as described in Section 7.1, which constitutes a "business purpose" under CCPA/CPRA, not a sale. We do not sell the personal information of minors under 16 years of age.

16.3 Sensitive Personal Information

We may collect sensitive personal information (e.g., government-issued identification numbers, account credentials) strictly as necessary to provide the verification service. We do not use or disclose sensitive personal information for purposes beyond those necessary to fulfill the service. We do not sell sensitive personal information.

16.4 retention period

Personal information is retained as described in Section 8 above.

16.5 Shine the Light & Do Not Sell My Personal Information

California Civil Code Section 1798.83, also known as the "Shine the Light" law, requires businesses to disclose whether they have shared personal information with third parties for their direct marketing purposes in the preceding calendar year. Sinioo does not share personal information with third parties for their direct marketing purposes.

California residents may submit a request exercising their CCPA/CPRA rights by contacting us at hello@sinioo.com or by calling +220 XXXX XXXX (voice & TTY).

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements. When we make material changes, we will notify you via:

• Email to your registered email address (at least 30 days before effective date for GDPR/CCPA-covered individuals), or
• A prominent notice on the Platform (e.g., banner notification) at least fourteen (14) days before effective date, or
• Such other reasonable means to provide actual notice

Non-material changes (e.g., corrections, contact details, service provider updates) may be made at any time without prior notice, and your continued use of the Platform after such changes constitutes acceptance.

Last updated: May 14, 2026
Effective date: May 14, 2026

18. Contact & Complaints

For all privacy-related inquiries, data subject requests, or complaints regarding this Privacy Policy or our data practices:

Supervisory Authorities (EEA/UK/CH): You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law. Contact details for European Data Protection Board (EDPB) members: https://edpb.europa.eu/about-edpb/board/members_en

California Residents: The California Attorney General's office oversees CCPA/CPRA enforcement. You may submit a complaint at https://oag.ca.gov/privacy or by calling (877) 553-2803.

Sinioo Contact: hello@sinioo.com

19. Additional Provisions

19.1 Language

This Privacy Policy is provided in English. In the event of any conflict or discrepancy between this English version and any translated version, the English version shall prevail and govern.

19.2 Severability

If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed and the remainder of this Privacy Policy shall continue in full force and effect to the maximum extent permissible.

19.3 No Third-Party Beneficiaries

This Privacy Policy is solely for the benefit of you and Sinioo. It is not intended to confer any rights or benefits upon any other person or entity.