1. Introduction
Welcome to kordi. This Privacy Policy explains how RALLYO CONCEPTS LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our mobile application and related services (collectively, the "Service").
By using kordi, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
When you create an account and use kordi, we collect information you provide directly:
- Account Information: Name, email address, phone number, profile photo
- Profile Data: Bio, interests, location preferences
- kordinator Data: Your digital avatar customizations and preferences
- Content: Posts, comments, event descriptions, goal information you create
- Communications: Messages you send through the platform
- Health and Wellness Data: Goal tracking information (fitness goals, habit tracking, progress metrics, target dates) that you voluntarily provide
2.2 Information We Collect Automatically
When you use the Service, we automatically collect:
- Activity Data: Events attended, goals completed, reliability metrics, points earned
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, screens visited, interaction patterns
- Location Data: When you opt in, we collect your location to suggest nearby events and communities
- Inferred Data: Reliability scores, interests, preferences, and recommendations derived from your activity and usage patterns
2.3 Information from Third Parties
We may receive information from third parties:
- Social Sign-In: If you sign in with Google or Apple, we receive basic profile information
- Payment Processors: When you make in-app purchases, Apple (App Store) or Google (Play Store) provide us with transaction confirmation data. When you make purchases on our website or business portal, Stripe provides transaction confirmation data. We do not receive or store full credit card numbers from any payment processor.
- Calendar Integration: If enabled, calendar data for event syncing
- Business Partners: Information about perk redemptions and business point purchase records from the kordi business portal
3. Phone Number & SMS Communications
If you choose to use phone number authentication in the kordi mobile app:
3.1 What We Collect
- Your phone number for account verification purposes only
3.2 How We Use Your Phone Number
- Account Verification: Send one-time passcodes (OTP) when you sign in
- Security Alerts: Notify you about suspicious account activity
- Account Recovery: Send verification codes if you request account recovery
3.3 What We Don't Do
- We never send marketing or promotional SMS messages
- We never sell, rent, or share your phone number with third parties for marketing
- We never use your phone number for advertising purposes
3.4 Message Frequency
- Typically 1-2 messages per login attempt
- You control when messages are sent by initiating the verification process
- Standard message and data rates may apply
3.5 Your Rights
- Reply STOP to any SMS message to opt out
- Switch to email-based authentication at any time
- Contact support@kordiave.com for assistance
4. How We Use Your Information
We use your information to:
- Provide the Service: Create accounts, enable features, process transactions
- Personalize Experience: Recommend events, communities, and content based on your interests
- AI-Powered Features: Process your inputs through third-party AI services to generate informational responses, event suggestions, goal milestones, and scheduling recommendations (see Section 11)
- Improve the Service: Analyze usage patterns, develop new features, fix bugs
- Safety and Security: Detect fraud, enforce community guidelines, protect users
- Communications: Send service updates, notifications, and promotional content (with your consent)
- Legal Compliance: Comply with applicable laws and regulations
Data Processing Purposes
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Account Information | Provide and maintain your account | Contract performance |
| Activity Data | Calculate reliability scores, track progress | Legitimate interest |
| Location Data | Suggest nearby events and communities | Consent (opt-in) |
| Communications | Enable messaging between users | Contract performance |
| Health/Wellness Data | Goal tracking and Ask kordi features | Consent |
| AI Interaction Data | Generate informational responses and suggestions | Consent |
| Payment Data | Process consumer point purchases (in-app and website) and business point purchases (portal) | Contract performance |
| Usage/Analytics Data | Improve service, fix bugs, develop features | Legitimate interest |
| Inferred Data | Personalize recommendations and content | Legitimate interest |
5. No Background Checks or Identity Verification
IMPORTANT: kordi does not conduct criminal background checks, identity verification, or screenings of any kind on its users. We do not verify the identity, character, or background of any user.
This means:
- We cannot guarantee that users are who they claim to be
- Users may misrepresent themselves, their intentions, or their background
- You are solely responsible for your safety when interacting with other users
- We encourage you to meet in public places and take appropriate precautions
6. Community Safety Tools
Our safety model relies on community-driven tools rather than background verification:
- Group Administration: Group admins can approve or decline join requests
- Member Questionnaires: Admins may use built-in questionnaires to vet potential members
- Access Controls: Groups can be set to private or invite-only
- Moderation Roles: Admins can assign moderation responsibilities to trusted members
- User Reporting: All users can report violations through the app
- Content Moderation: We review reported content and take appropriate action
7. How We Share Your Information
7.1 With Other Users
Based on your privacy settings, other users may see:
- Your profile information (name, photo, bio)
- Your reliability score
- Events you're attending
- Goals you've made public
- Your kordinator avatar
7.2 With Service Providers
We share information with trusted service providers who assist us:
- Cloud hosting and infrastructure (Supabase)
- Analytics and performance monitoring
- Customer support tools
- Payment processing: Consumer in-app purchases are processed by Apple (App Store) and Google (Play Store) per their respective privacy policies. Website purchases and business portal purchases are processed by Stripe. We do not store full credit card numbers.
- Artificial intelligence services (currently Groq, Inc., subject to change): When you use AI-powered features, your relevant interaction data is sent to our AI service provider's API for processing. Our current provider processes this data to generate responses and does not use your data for model training
7.3 No Sale or Sharing for Advertising
kordi does NOT sell your personal information as defined under the CCPA/CPRA, or any other applicable state privacy law. kordi does NOT share your personal information for cross-context behavioral advertising or targeted advertising purposes.
Our service providers (Supabase, Stripe, Groq, Inc.) process data solely on our behalf under written contracts that prohibit them from using your data for their own purposes.
7.4 With Business Partners
With your consent, we may share:
- Anonymized usage data for analytics
- Perk redemption information with participating businesses (redemption details such as perk name, date, and points spent; we do not share your personal identity with businesses during perk redemptions unless you explicitly consent)
- When businesses purchase points through the business portal (business.kordiave.com), we process their business name, owner identity, and purchase records
7.5 For Legal Reasons
We may disclose information:
- To comply with legal obligations
- To protect our rights, privacy, safety, or property
- To respond to lawful requests from public authorities
- In connection with a merger, acquisition, or sale of assets
8. Your Privacy Rights
8.1 Rights Available to All Users
All kordi users have the following rights regardless of location:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and data
- Portability: Export your data in a portable format
- Opt-Out: Opt out of marketing communications
- Withdraw Consent: Withdraw consent for optional data processing
8.2 Additional Rights for Residents of US States with Privacy Laws
Residents of California, Virginia, Colorado, Connecticut, Indiana, Utah, Iowa, Delaware, New Hampshire, Nebraska, New Jersey, Minnesota, Tennessee, Montana, Kentucky, Rhode Island, Oregon, Maryland, Arkansas, Texas, and other states with comprehensive privacy laws may have the following additional rights:
- Right to Know/Access: Request disclosure of the categories and specific pieces of personal information we collect, the sources, the purposes, and the third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to certain legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out of Sale: Although we do not sell personal information, you have the right to direct us not to sell your data. You can exercise this by enabling "Do Not Sell My Data" in Privacy & Security settings
- Right to Opt Out of Targeted Advertising: We do not engage in targeted advertising. You may opt out of personalized recommendations in Privacy & Security settings
- Right to Opt Out of Profiling: You may opt out of profiling that produces legal or similarly significant effects. kordi's reliability score is informational and does not produce legal effects. You may disable reliability score visibility and personalized recommendations in Privacy & Security settings
- Right to Data Portability: Request your data in a commonly used, machine-readable format via the "Export My Data" feature in Privacy & Security settings
8.3 Right to Appeal
If we deny your privacy rights request in whole or in part, you have the right to appeal our decision. To appeal:
- Email privacy@kordiave.com within 45 days of receiving our response
- Include "Privacy Rights Appeal" in the subject line
- We will respond to your appeal within 60 days
If your appeal is denied, you may contact your state Attorney General:
- California: oag.ca.gov
- Virginia: oag.state.va.us
- Colorado: coag.gov
- Connecticut: portal.ct.gov/AG
- Indiana: in.gov/attorneygeneral
8.4 Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not:
- Deny you the Service
- Charge you different prices or rates
- Provide you a different level or quality of service
- Suggest that you may receive a different price, rate, or quality
8.5 How to Exercise Your Rights
You may exercise your privacy rights by:
- In-App: Use Privacy & Security settings
- Email: Contact privacy@kordiave.com
- Data Export: Use the "Export My Data" feature in Privacy & Security settings
We will acknowledge your request within 10 business days and respond substantively within 45 days. If we need more time, we will notify you of the extension (up to an additional 45 days) and explain the reason.
8.6 Authorized Agents
You may designate an authorized agent to submit privacy rights requests on your behalf. Authorized agents must provide:
- Written authorization signed by you
- Proof of their identity
We may contact you directly to verify the request.
8.7 Verification Process
To protect your privacy, we verify your identity before processing rights requests. We may ask you to:
- Confirm the email address associated with your account
- Provide additional information to match against our records
We will not collect new personal information solely for verification purposes.
9. Privacy Controls
kordi provides granular privacy controls:
Profile Visibility
- Everyone: Your profile is visible to all users
- Friends Only: Only friends can see your full profile
- Private: Minimal profile visibility
Location Sharing
- Always: Location shared for all features
- During Events Only: Location shared only during active events
- Never: Location never shared
Data Sharing
- Third-Party Sharing: Control anonymized data sharing with partners
- Personalized Recommendations: Toggle AI-powered suggestions
- Analytics: Choose whether to contribute usage data for improvements
10. Data Security
We implement bank-level technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3
- Encryption at rest: All stored data is encrypted using AES-256
- Secure authentication: Industry-standard authentication methods including OAuth 2.0 and secure token management
- SOC 2 compliant infrastructure: Our systems are hosted on enterprise-grade, continuously monitored infrastructure
- Regular security assessments: Ongoing vulnerability scanning and security reviews
- Access controls and monitoring: Strict access policies with comprehensive audit logging
- Incident response procedures: Documented procedures for rapid response to security events
10.1 Data Breach Notification
In the event of a data breach involving your personal information, we will notify affected users by email (and, where feasible, in-app notification) as soon as practicable and no later than the timeframe required by the most protective applicable state law. Key state deadlines include:
- Most states (including Indiana, California, New York, Texas, Florida, Illinois, Virginia, Colorado, Connecticut): Notification without unreasonable delay, and no later than 30 to 60 days after discovery, depending on state law
- Shortest statutory deadlines: Some states require notification within 30 days of discovery (e.g., Colorado, Florida). We target 30 days or sooner to comply nationwide.
Breach notifications will include:
- A description of the incident and the types of personal information involved
- The date or estimated date of the breach
- Steps we have taken and are taking in response
- Steps you can take to protect yourself (e.g., changing passwords, monitoring accounts)
- Contact information for questions (privacy@kordiave.com)
- Contact information for relevant state agencies (e.g., your state Attorney General), where required by law
Additional state-specific requirements we honor:
- California (Cal. Civ. Code §1798.82): Notification to affected California residents and, if more than 500 California residents are affected, notification to the California Attorney General
- New York (N.Y. Gen. Bus. Law §899-aa): Notification to affected New York residents, the New York Attorney General, the Department of State, and the Division of State Police
- Indiana (IC 24-4.9): Notification to affected Indiana residents and the Indiana Attorney General within 60 days of discovery
- Illinois (815 ILCS 530): Notification to affected Illinois residents and the Illinois Attorney General
- Other states: We comply with all applicable state breach notification laws, including those that require notification to state attorneys general, consumer protection agencies, or credit reporting agencies
What constitutes a breach: Unauthorized acquisition of unencrypted personal information (or encrypted information where the encryption key is also compromised) that compromises the security, confidentiality, or integrity of personal information maintained by us.
Exceptions: Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Notification will proceed promptly after the law enforcement agency determines it will no longer compromise the investigation.
We maintain and regularly test our incident response plan to ensure rapid detection, containment, and notification. We carry professional liability insurance with a cyber insurance endorsement to support our response capabilities.
11. Artificial Intelligence and Data Processing
11.1 AI-Powered Features
kordi uses third-party artificial intelligence services to provide the following features:
- Ask kordi: Personalized informational responses based on your goal context, progress, and category
- Event Planning: AI-assisted event title generation and planning suggestions
- Goal Milestones: Automated milestone generation based on your goal description and target date
- Scheduling Inference: Natural language processing for voice and text-based scheduling
- Community Search: AI-assisted matching of search queries to communities
11.2 Data Shared with AI Providers
When you use AI-powered features, the following data may be sent to our AI service provider(s) (currently Groq, Inc., subject to change) for processing:
- Messages and prompts you submit to Ask kordi
- Goal information (title, category, description, milestones, progress, target date)
- Event details (title, description, date, time, location)
- Scheduling requests (voice transcriptions, text input)
We do not send your account credentials, payment information, phone number, or precise location data to AI providers.
11.3 How AI Data Is Processed
- AI interactions are processed via API calls to generate responses in real time
- Our current AI provider(s) do not retain your interaction data for model training purposes
- AI-generated responses are stored in our database as part of your conversation history
- We may retain anonymized AI interaction data for service improvement and quality assurance
11.4 AI Provider Changes
We may use multiple AI service providers or change providers at any time to deliver the best possible experience. This Privacy Policy will be updated to reflect material changes in AI data processing.
11.5 Your Choices Regarding AI
- You may use kordi without engaging with AI-powered features
- Ask kordi interactions are optional and initiated by you
- You may request deletion of your AI interaction history as part of a data deletion request (see Section 8)
11.6 Consent for AI Data Processing
By using AI-powered features, you consent to the processing of your interaction data by our third-party AI service provider(s) as described in this section. You may withdraw this consent at any time by disabling "AI-Powered Features" in Privacy & Security settings. Disabling AI features will prevent your data from being sent to AI service providers but will not affect other Service functionality.
11.7 AI Transparency
In accordance with applicable state AI disclosure laws, including the Colorado AI Act, we disclose the following:
- kordi uses automated AI systems for informational assistance, scheduling suggestions, goal milestone generation, and community search
- These AI systems process your data to generate personalized informational outputs
- AI-generated outputs are recommendations only and do not make decisions that produce legal or similarly significant effects on you
- AI features do not determine your eligibility for employment, financial services, healthcare, housing, insurance, or education
- You have the right to opt out of AI-powered features at any time through Privacy & Security settings
12. Data Retention
We retain your personal data for the following periods:
- Account Data (name, email, profile): Duration of your account plus 90 days after account deletion
- Activity Data (events, goals, reliability score): Duration of your account plus 30 days after account deletion
- AI Interaction History (coach messages, suggestions): Duration of your account plus 30 days after account deletion
- Communications (direct messages): 2 years from the date of the message
- Transaction Records (point purchases, transfers): 7 years (required for tax and legal compliance)
- Location Data: 30 days from the date of collection; not retained long-term
- Anonymized/Aggregated Data: May be retained indefinitely for analytics and service improvement
Upon account deletion, we will delete or anonymize your personal data within 30 days, except for transaction records retained for legal compliance. You may request immediate deletion by contacting privacy@kordiave.com.
For detailed instructions on how to delete your account or request data deletion, visit our Account & Data Deletion page.
13. Children's Privacy
kordi is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected information from a child under 16, we will delete it promptly.
Users between 16 and 18 must have parental or guardian consent for certain features.
14. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers.
15. Sensitive Data
We collect and process the following categories that may be classified as "sensitive personal data" under applicable state privacy laws:
15.1 Precise Geolocation Data
- Collected only when you explicitly opt in via your device's location permissions
- Used solely to suggest nearby events, find local communities, and provide event logistics
- NOT sold, shared for advertising, or used for profiling
- You may disable location sharing at any time through your device settings or in-app Privacy & Security settings
- States with enhanced geolocation protections include California, Colorado, Oregon, Maryland, Virginia, and Connecticut
15.2 Health and Wellness Data
- Goal tracking data (fitness goals, habit tracking, progress metrics) may be classified as health-related data under certain state privacy laws
- Used solely to provide the goal tracking, Ask kordi, and progress visualization features
- NOT sold, shared for advertising, or disclosed to third parties except as described in Section 7
- You may delete your goal and progress data at any time
15.3 Data of Users Under 18
- kordi requires users to be at least 16 years of age (see Section 13)
- Under the CCPA/CPRA as amended effective January 1, 2026, personal information of consumers under 16 is classified as "sensitive personal information" regardless of data category
- We apply enhanced protections to all users who indicate they are under 18: we do not sell or share their data, we do not use their data for targeted advertising, and we do not engage in profiling that produces legal effects
- Users aged 16-17 must have parental or guardian consent for certain features
15.4 Biometric Data
- kordi does NOT collect biometric identifiers such as fingerprints, facial geometry, voiceprints, iris patterns, retinal scans, or gait patterns
- If you use your device's biometric authentication (Face ID, Touch ID) to access the app, this data is processed entirely by your device's operating system. We never access, receive, store, or transmit biometric data
- This applies regardless of expanded biometric data definitions under federal or state law
16. Universal Opt-Out Signals
Effective January 1, 2026, kordi recognizes and honors universal opt-out preference signals, including the Global Privacy Control (GPC), as valid requests to:
- Opt out of the "sale" of personal information (as defined under applicable state laws)
- Opt out of "sharing" of personal information for cross-context behavioral advertising
- Opt out of targeted advertising
When we detect a universal opt-out signal from your browser or device:
- We will treat it as a valid opt-out request under all applicable state privacy laws
- No additional action is required from you
- The opt-out applies to the browser or device from which the signal is sent
States requiring recognition of universal opt-out signals include California, Connecticut, Oregon, Colorado, and Montana.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy in the app
- Sending an email notification
- Displaying a prominent notice in the Service
Your continued use after changes constitutes acceptance of the updated policy.
18. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
RALLYO CONCEPTS LLC
Email: privacy@kordiave.com
Support: support@kordiave.com
Legal: legal@kordiave.com
19. State-Specific Privacy Disclosures
19.1 California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. In addition to the rights described in Section 8:
Categories of Personal Information Collected in the Past 12 Months:
| Category | Collected | Source | Purpose | Sold | Shared for Ads |
|---|---|---|---|---|---|
| A. Identifiers (name, email, phone) | Yes | You | Account creation | No | No |
| B. Personal Info (Cal. Civ. Code 1798.80) | Yes | You | Service provision | No | No |
| D. Commercial Info (transaction history) | Yes | You, Stripe | Points economy | No | No |
| F. Internet Activity (usage data) | Yes | Automatic | Service improvement | No | No |
| G. Geolocation Data | Yes | You (opt-in) | Event suggestions | No | No |
| K. Inferences (reliability score, interests) | Yes | Derived | Personalization | No | No |
We do NOT sell your personal information. We have not sold personal information in the preceding 12 months.
We do NOT share your personal information for cross-context behavioral advertising.
Financial Incentive Disclosure: kordi's referral program awards kordi points (which have no cash value) for referring new users. This constitutes a "financial incentive" under the CCPA. The value of the incentive is reasonably related to the value of the data provided. You may opt out of the referral program at any time without affecting your use of the Service.
Under-16 Data: Pursuant to CCPA amendments effective January 1, 2026, we treat all personal information of users under 16 as "sensitive personal information" and apply enhanced protections as described in Section 15.3.
California Delete Act: kordi is not a data broker as defined by California Civil Code 1798.99.80 and is not subject to the California Delete Act (SB 362).
To exercise your California privacy rights, see Section 8 or contact privacy@kordiave.com.
19.2 Virginia Residents (VCDPA)
If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act, including the rights described in Section 8. To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Virginia Attorney General.
19.3 Colorado Residents (CPA)
If you are a Colorado resident, you have rights under the Colorado Privacy Act, including the rights described in Section 8. We recognize universal opt-out signals as described in Section 16.
Colorado AI Act Disclosure: kordi uses artificial intelligence as described in Section 11. Our AI features are informational tools that do not make "consequential decisions" as defined by the Colorado AI Act.
Precise geolocation data is classified as sensitive data under Colorado law. We collect geolocation only with your opt-in consent (see Section 15.1).
To exercise your rights, see Section 8 or contact privacy@kordiave.com. You may also contact the Colorado Attorney General.
19.4 Connecticut Residents (CTDPA)
If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act, including the rights described in Section 8. Effective January 1, 2026, we recognize universal opt-out signals as required by Connecticut law (see Section 16). To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Connecticut Attorney General.
19.5 Indiana Residents
If you are an Indiana resident, you have rights under Indiana's comprehensive privacy law, effective January 1, 2026, including the rights described in Section 8. RALLYO CONCEPTS LLC is an Indiana limited liability company and is committed to compliance with Indiana privacy requirements. To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Indiana Attorney General.
19.6 Other US State Residents
If you are a resident of Utah, Delaware, Iowa, New Hampshire, Nebraska, New Jersey, Minnesota, Tennessee, Montana, Kentucky, Rhode Island, Oregon, Maryland, Arkansas, or Texas, you may have additional privacy rights under your state's comprehensive privacy law. The rights described in Section 8 apply to you. To exercise your rights, contact privacy@kordiave.com.
States with laws requiring universal opt-out signal recognition: Oregon (effective January 1, 2026), Montana. See Section 16.
19.7 European Residents (GDPR)
If you are in the European Economic Area, you have rights under the General Data Protection Regulation including access, rectification, erasure, restriction of processing, data portability, and objection. Our legal bases for processing include consent, contract performance, and legitimate interests as described in Section 4. You have the right to lodge a complaint with your local data protection authority.
20. Data Broker Disclosure
RALLYO CONCEPTS LLC is NOT a data broker as defined under any applicable federal or state law. We do not purchase, receive, sell, or license personal data to or from third parties for the purpose of selling, licensing, or trading that data. We collect data directly from you for the sole purpose of providing the kordi Service.