Privacy Policy - kordi AVE

1. Introduction

Welcome to kordi. This Privacy Policy explains how RALLYO CONCEPTS LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our mobile application and related services (collectively, the "Service").

By using kordi, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

When you create an account and use kordi, we collect information you provide directly:

Account Information: Name, email address, phone number, profile photo
Profile Data: Bio and profile preferences you choose to add
kordinator Data: Your digital avatar customizations and preferences
Content: Posts, comments, event descriptions, goal information, and venue or pickup/drop-off addresses you create
Communications: Messages you send through the platform, including direct messages, group and team chats, and event discussions
Contacts You Choose to Invite: With your permission, kordi accesses your device's address book so you can invite people to events or communities. We store the name and the phone number or email address of the specific contacts you select for an invitation, including people who are not kordi users, solely to deliver and track that invitation
Family and Children's Information: If you add a child or family member to manage an event RSVP or a youth sports roster, we collect the limited information you provide as the adult account holder, typically a first name and, for family RSVPs, an age or birth year. See Section 13
Health and Wellness Data: Goal tracking information (fitness goals, habit tracking, progress metrics, target dates, and optional mood notes) that you voluntarily provide

2.2 Information We Collect Automatically

When you use the Service, we automatically collect:

Activity Data: Events attended, goals completed, reliability metrics, points earned
Device Information: Device type, operating system, unique device identifiers, push notification token, and device name
Usage Data: Features used, screens visited, interaction patterns
Log and Security Data: IP address, and a device fingerprint we generate to detect fraud and abuse (for example, to prevent referral and points abuse)
Location Data: When you opt in, we use your device location to suggest nearby events, find communities, and look up venues and addresses. We resolve your location to a general area (such as your city) and do not retain your precise GPS coordinates on our servers
Inferred Data: Reliability scores, interests, preferences, and recommendations derived from your activity and usage patterns

2.3 Information from Third Parties

We may receive information from third parties:

Social Sign-In: If you sign in with Google or Apple, we receive basic profile information (name and email address) from the provider via OAuth 2.0. If you use Apple's "Hide My Email" feature, we receive an Apple-generated private relay email address instead of your personal email. We do not receive your password or any additional data beyond what the provider shares during authentication
Payment Processors: When you make in-app purchases, Apple (App Store) or Google (Play Store) provide us with transaction confirmation data. When you make purchases on our website or business portal, Stripe provides transaction confirmation data. We do not receive or store full credit card numbers from any payment processor
Business Partners: Information about perk redemptions and business point purchase records from the kordi business portal

Note on calendar access: if you grant calendar permission, kordi adds events you choose to your device calendar. We write events to your calendar; we do not read or collect your existing calendar data.

3. Phone Number & SMS Communications

If you choose to use phone number authentication in the kordi mobile app:

3.1 What We Collect

Your phone number for account verification purposes only

3.2 How We Use Your Phone Number

Account Verification: Send one-time passcodes (OTP) when you sign in
Security Alerts: Notify you about suspicious account activity
Account Recovery: Send verification codes if you request account recovery

3.3 What We Don't Do

We never send marketing or promotional SMS messages
We never sell, rent, or share your phone number with third parties for marketing
We never use your phone number for advertising purposes

3.4 Message Frequency

Typically 1-2 messages per login attempt
You control when messages are sent by initiating the verification process
Standard message and data rates may apply

3.5 Your Rights

Reply STOP to any SMS message to opt out
Switch to email-based authentication at any time
Contact support@kordiave.com for assistance

4. How We Use Your Information

We use your information to:

Provide the Service: Create accounts, enable features, process transactions
Personalize Experience: Recommend events, communities, and content based on your interests
AI-Powered Features: Process your inputs through third-party AI services to generate informational responses, event suggestions, goal milestones, and scheduling recommendations (see Section 11)
Improve the Service: Analyze usage patterns, develop new features, fix bugs
Safety and Security: Detect fraud, enforce community guidelines, protect users
Communications: Send service updates, notifications, and promotional content (with your consent)
Legal Compliance: Comply with applicable laws and regulations

Data Processing Purposes

Data Category	Purpose	Legal Basis
Account Information	Provide and maintain your account	Contract performance
Activity Data	Calculate reliability scores, track progress	Legitimate interest
Location Data	Suggest nearby events and communities	Consent (opt-in)
Communications	Enable messaging between users	Contract performance
Health/Wellness Data	Goal tracking and Ask kordi features	Consent
AI Interaction Data	Generate informational responses and suggestions	Consent
Payment Data	Process consumer point purchases (in-app and website) and business point purchases (portal)	Contract performance
Usage/Analytics Data	Improve service, fix bugs, develop features	Legitimate interest
Inferred Data	Personalize recommendations and content	Legitimate interest

5. No Background Checks or Identity Verification

IMPORTANT: kordi does not conduct criminal background checks, identity verification, or screenings of any kind on its users. We do not verify the identity, character, or background of any user.

This means:

We cannot guarantee that users are who they claim to be
Users may misrepresent themselves, their intentions, or their background
You are solely responsible for your safety when interacting with other users
We encourage you to meet in public places and take appropriate precautions

6. Community Safety Tools

Our safety model relies on community-driven tools rather than background verification:

Group Administration: Group admins can approve or decline join requests
Member Questionnaires: Admins may use built-in questionnaires to vet potential members
Access Controls: Groups can be set to private or invite-only
Moderation Roles: Admins can assign moderation responsibilities to trusted members
User Reporting: All users can report violations through the app
Content Moderation: We review reported content and take appropriate action

7. How We Share Your Information

7.1 With Other Users

Based on your privacy settings, other users may see:

Your profile information (name, photo, bio)
Your reliability score
Events you're attending
Goals you've made public
Your kordinator avatar
Circles, communities, and teams you join: Other members can see your name, roster information you provide (for a sports team, this is the roster name; we do not require a phone number or other personal details on a roster), and messages you send in a shared group or team chat
Guide profiles: If you publish a guide profile, the information you choose to share (display name, photo, bio, specialties, certifications, rate, website, and social links) is visible to other users in the guide directory. When you connect as a guide and learner, each of you can see the other's name and your shared messages
Out-of-Town status: If you turn on an Out-of-Town (travel) notice and choose to share it, friends you select can see that you are away and the dates
Sparks and shared boards: Content you post to a spark or a circle board is visible to the circle members or friends you share it with

7.2 With Service Providers

We share information with trusted service providers who process data on our behalf:

Cloud hosting and infrastructure (Supabase): Stores your account and app data and provides authentication. Account-verification SMS messages are delivered through Supabase's telephony sub-processor
Email delivery (Resend): Sends transactional email such as event and group invitations, support replies, purchase receipts, and data-export deliveries. Resend processes recipient email addresses and the contents of those messages on our behalf
Maps and geolocation (Google Maps Platform): Address lookup, venue search, and resolving your device location to a place or general area
Push notifications (Expo): Delivers push notifications, processing your device push token and the notification content
Weather data (Open-Meteo): Receives an event's approximate, reduced-precision location to show event-day forecasts
Payment processing: Consumer in-app purchases are processed by Apple (App Store) and Google (Play Store) per their respective privacy policies. Website and business portal purchases are processed by Stripe. We do not store full credit card numbers
Artificial intelligence services (currently Groq, Inc., subject to change): When you use AI-powered features (Ask kordi, event planning suggestions, goal milestone generation, scheduling inference), your relevant interaction data (such as messages, goal context, and event details) is sent to our AI service provider's API for processing. Our current provider processes this data to generate responses and does not use your data for model training. For more information, see our current provider's privacy policy at Groq's Privacy Policy

We do not use third-party advertising, analytics, or tracking SDKs. Usage insights are derived from our own database.

7.3 No Sale or Sharing for Advertising

kordi does NOT sell your personal information as defined under the CCPA/CPRA, or any other applicable state privacy law. kordi does NOT share your personal information for cross-context behavioral advertising or targeted advertising purposes.

Our service providers (including Supabase, Stripe, Groq, Inc., Resend, Google Maps Platform, Expo, and Open-Meteo) process data solely on our behalf under written contracts that prohibit them from using your data for their own purposes.

7.4 With Business Partners

With your consent, we may share:

Anonymized usage data for analytics
Perk redemption information with participating businesses (redemption details such as perk name, date, and points spent; we do not share your personal identity with businesses during perk redemptions unless you explicitly consent)
When businesses purchase points through the business portal (business.kordiave.com), we process their business name, owner identity, and purchase records

7.5 For Legal Reasons

We may disclose information:

To comply with legal obligations
To protect our rights, privacy, safety, or property
To respond to lawful requests from public authorities
In connection with a merger, acquisition, or sale of assets

8. Your Privacy Rights

8.1 Rights Available to All Users

All kordi users have the following rights regardless of location:

Access: Request a copy of your personal data
Correction: Update or correct inaccurate information
Deletion: Request deletion of your account and data
Portability: Export your data in a portable format
Opt-Out: Opt out of marketing communications
Withdraw Consent: Withdraw consent for optional data processing

8.2 Additional Rights for Residents of US States with Privacy Laws

Residents of California, Virginia, Colorado, Connecticut, Indiana, Utah, Iowa, Delaware, New Hampshire, Nebraska, New Jersey, Minnesota, Tennessee, Montana, Kentucky, Rhode Island, Oregon, Maryland, Arkansas, Texas, Florida, and other states with comprehensive privacy laws may have the following additional rights:

Right to Know/Access: Request disclosure of the categories and specific pieces of personal information we collect, the sources, the purposes, and the third parties with whom we share it
Right to Delete: Request deletion of your personal information, subject to certain legal exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt Out of Sale: Although we do not sell personal information, you have the right to direct us not to sell your data. You can exercise this by enabling "Do Not Sell My Data" in Privacy & Security settings
Right to Opt Out of Targeted Advertising: We do not engage in targeted advertising. You may opt out of personalized recommendations in Privacy & Security settings
Right to Opt Out of Profiling: You may opt out of profiling that produces legal or similarly significant effects. kordi's reliability score is informational and does not produce legal effects. You may disable reliability score visibility and personalized recommendations in Privacy & Security settings
Right to Data Portability: Request your data in a commonly used, machine-readable format via the "Export My Data" feature in Privacy & Security settings

8.3 Right to Appeal

If we deny your privacy rights request in whole or in part, you have the right to appeal our decision. To appeal:

Email privacy@kordiave.com within 45 days of receiving our response
Include "Privacy Rights Appeal" in the subject line
We will respond to your appeal within 60 days

If your appeal is denied, you may contact your state Attorney General:

California: oag.ca.gov
Virginia: oag.state.va.us
Colorado: coag.gov
Connecticut: portal.ct.gov/AG
Indiana: in.gov/attorneygeneral

8.4 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not:

Deny you the Service
Charge you different prices or rates
Provide you a different level or quality of service
Suggest that you may receive a different price, rate, or quality

8.5 How to Exercise Your Rights

You may exercise your privacy rights by:

In-App: Use Privacy & Security settings
Email: Contact privacy@kordiave.com
Data Export: Use the "Export My Data" feature in Privacy & Security settings

We will acknowledge your request within 10 business days and respond substantively within 45 days. If we need more time, we will notify you of the extension (up to an additional 45 days) and explain the reason.

8.6 Authorized Agents

You may designate an authorized agent to submit privacy rights requests on your behalf. Authorized agents must provide:

Written authorization signed by you
Proof of their identity

We may contact you directly to verify the request.

8.7 Verification Process

To protect your privacy, we verify your identity before processing rights requests. We may ask you to:

Confirm the email address associated with your account
Provide additional information to match against our records

We will not collect new personal information solely for verification purposes.

9. Privacy Controls

kordi provides granular privacy controls:

Profile Visibility

Everyone: Your profile is visible to all users
Friends Only: Only friends can see your full profile
Private: Minimal profile visibility

Location

Location access is controlled by your device permissions and is used on demand to suggest nearby events and look up venues and addresses. kordi does not broadcast your live location to other users. You can turn location access off at any time in your device settings.

Availability

Out-of-Town notice: Choose whether friends can see when you are away and your travel dates.

Data Sharing

Third-Party Sharing: Control anonymized data sharing with partners
Personalized Recommendations: Toggle AI-powered suggestions
Analytics: Choose whether to contribute usage data for improvements

10. Data Security

We implement industry-standard technical and organizational measures to protect your data:

Encryption in transit: Data transmitted between your device and our servers is protected using TLS (Transport Layer Security)
Encryption at rest: Stored data is encrypted at rest using AES-256
Secure authentication: Industry-standard authentication methods including OAuth 2.0 and secure token management
SOC 2-compliant infrastructure providers: We host our infrastructure on third-party providers that maintain SOC 2 compliance (for example, Supabase). kordi itself has not undergone a SOC 2 audit
Security reviews: We periodically review our security configuration and run automated security checks against our codebase
Access controls: We restrict access to personal data and log administrative and sensitive actions
Incident response: We maintain documented incident-response procedures for responding to security events

While no method of transmission over the Internet or electronic storage is 100% secure, we use widely adopted encryption and security practices to protect your information.

10.1 Data Breach Notification

In the event of a data breach involving your personal information, we will:

Notify affected users by email (and, where feasible, in-app notification) as soon as practicable and no later than the timeframe required by the most protective applicable state law. Key state deadlines include:

Most states (including Indiana, California, New York, Texas, Florida, Illinois, Virginia, Colorado, Connecticut): Notification without unreasonable delay, and no later than 30 to 60 days after discovery, depending on state law
Shortest statutory deadlines: Some states require notification within 30 days of discovery (e.g., Colorado, Florida). We target 30 days or sooner to comply nationwide.

Breach notifications will include:

A description of the incident and the types of personal information involved
The date or estimated date of the breach
Steps we have taken and are taking in response
Steps you can take to protect yourself (e.g., changing passwords, monitoring accounts)
Contact information for questions (privacy@kordiave.com)
Contact information for relevant state agencies (e.g., your state Attorney General), where required by law

Additional state-specific requirements we honor:

California (Cal. Civ. Code §1798.82): Notification to affected California residents and, if more than 500 California residents are affected, notification to the California Attorney General
New York (N.Y. Gen. Bus. Law §899-aa): Notification to affected New York residents, the New York Attorney General, the Department of State, and the Division of State Police
Indiana (IC 24-4.9): Notification to affected Indiana residents and the Indiana Attorney General within 60 days of discovery
Illinois (815 ILCS 530): Notification to affected Illinois residents and the Illinois Attorney General
Other states: We comply with all applicable state breach notification laws, including those that require notification to state attorneys general, consumer protection agencies, or credit reporting agencies

What constitutes a breach: Unauthorized acquisition of unencrypted personal information (or encrypted information where the encryption key is also compromised) that compromises the security, confidentiality, or integrity of personal information maintained by us.

Exceptions: Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Notification will proceed promptly after the law enforcement agency determines it will no longer compromise the investigation.

We maintain documented incident-response procedures to support rapid detection, containment, and notification. We also carry professional liability insurance that includes cyber coverage.

11. Artificial Intelligence and Data Processing

11.1 AI-Powered Features

kordi uses third-party artificial intelligence services to provide the following features:

Ask kordi (Goals): Informational responses, milestone suggestions, milestone scheduling, progress check-ins, goal refinement, and target date recommendations based on your goal context, progress, and category
Ask kordi (Events): Event planning suggestions, preparation task generation, schedule optimization, budget recommendations, attendee message drafts, and post-event summaries
Goal Milestones: Automated milestone generation based on your goal description and target date
Scheduling Inference: Natural language processing for voice and text-based scheduling
Community Search: AI-assisted matching of search queries to communities

11.2 Data Shared with AI Providers

When you use AI-powered features, the following data may be sent to our AI service provider(s) (currently Groq, Inc., subject to change) for processing:

Messages and prompts you submit to Ask kordi
Goal information (title, category, description, milestones, progress, target date)
Event details (title, description, type, date, time, venue, attendee count, budget range, dietary restrictions, and other event configuration data)
Task and checklist information when generating preparation suggestions
Scheduling requests (voice transcriptions, text input)

We do not send your account credentials, payment information, phone number, or precise location data to AI providers.

11.3 How AI Data Is Processed

AI interactions are processed via API calls to generate responses in real time
When you record a voice message or use voice-based scheduling, the audio is sent to our AI provider for transcription and may be stored as part of your message or conversation history
Our current AI provider(s) do not retain your interaction data for model training purposes
AI-generated responses are stored in our database as part of your conversation history
We may retain anonymized AI interaction data for service improvement and quality assurance

11.4 AI Provider Changes

We may use multiple AI service providers or change providers at any time to deliver the best possible experience. This Privacy Policy will be updated to reflect material changes in AI data processing. Our commitment to not sharing account credentials, payment information, phone numbers, or precise location data with AI providers applies regardless of which provider(s) we use.

11.5 Your Choices Regarding AI

You may use kordi without engaging with AI-powered features
Ask kordi interactions are optional and initiated by you
You may request deletion of your AI interaction history as part of a data deletion request (see Section 8)

11.6 Consent for AI Data Processing

By using AI-powered features (Ask kordi, event planning, goal milestones, task generation, scheduling inference), you consent to the processing of your interaction data by our third-party AI service provider(s) as described in this section. You may withdraw this consent at any time by disabling "AI-Powered Features" in Privacy & Security settings. Disabling AI features will prevent your data from being sent to AI service providers but will not affect other Service functionality.

11.7 AI Transparency

In accordance with applicable and forthcoming state AI transparency laws, including the Colorado AI Act (SB 24-205, as amended by SB 25-189; effective January 1, 2027), we disclose the following:

kordi uses automated AI systems for informational responses, scheduling suggestions, goal milestone generation, event planning, task generation, and community search
These AI systems process your data to generate personalized informational outputs
AI-generated outputs are recommendations only and do not make decisions that produce legal or similarly significant effects on you
AI features do not determine your eligibility for employment, financial services, healthcare, housing, insurance, or education
You have the right to opt out of AI-powered features at any time through Privacy & Security settings

12. Data Retention

We retain your personal data for the following periods:

Account Data (name, email, profile): Duration of your account plus 90 days after account deletion
Activity Data (events, goals, reliability score): Duration of your account plus 30 days after account deletion
AI Interaction History (coach messages, suggestions): Duration of your account plus 30 days after account deletion
Communications (direct messages): 2 years from the date of the message
Transaction Records (point purchases, transfers): 7 years (required for tax and legal compliance)
Location Data: We do not store your precise GPS coordinates on our servers. Location is resolved to a general area (such as your city) at the time of use; any cached coordinates remain only briefly on your device and are cleared when you sign out
Anonymized/Aggregated Data: May be retained indefinitely for analytics and service improvement

Upon account deletion, we will delete or anonymize your personal data within 30 days, except for transaction records retained for legal compliance. You may request immediate deletion by contacting privacy@kordiave.com.

For detailed instructions on how to delete your account or request data deletion, visit our Account & Data Deletion page.

13. Children's Privacy

kordi is intended for adults and is not directed to children. Children do not create accounts and do not use the Service. We do not knowingly allow anyone under 16 to register for or independently use kordi, and we do not knowingly collect personal information directly from children.

Adult account holders may, however, provide limited information about their own children or family members in order to manage shared activities. For example, a parent may provide a child's first name and age or birth year to include them in an event headcount or RSVP, or a player's name on a youth sports roster. This information is entered and controlled entirely by the responsible adult, is used only for the purpose for which it was provided (such as RSVP counts or team rosters), is never collected from the child, and can be edited or deleted by the adult at any time in the app. We do not use this information for advertising, profiling, or any purpose unrelated to the activity it supports.

Users between 16 and 18 must have parental or guardian consent for certain features.

If you believe a child has independently provided us personal information, contact privacy@kordiave.com and we will delete it promptly.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers.

15. Sensitive Data

We collect and process the following categories that may be classified as "sensitive personal data" under applicable state privacy laws:

15.1 Precise Geolocation Data

Collected only when you explicitly opt in via your device's location permissions
Used solely to suggest nearby events, find local communities, and provide event logistics
NOT sold, shared for advertising, or used for profiling
You may disable location sharing at any time through your device settings or in-app Privacy & Security settings
States with enhanced geolocation protections include California, Colorado, Oregon, Maryland, Virginia, and Connecticut

15.2 Health and Wellness Data

Goal tracking data (fitness goals, habit tracking, progress metrics) may be classified as health-related data under certain state privacy laws
Used solely to provide the goal tracking, Ask kordi, and progress visualization features
NOT sold, shared for advertising, or disclosed to third parties except as described in Section 7
You may delete your goal and progress data at any time

15.3 Data of Users Under 18

kordi requires users to be at least 16 years of age (see Section 13)
Under the California Consumer Privacy Act (CCPA/CPRA) as amended effective January 1, 2026, personal information of consumers under 16 years of age is classified as "sensitive personal information" regardless of data category
We apply enhanced protections to all users who indicate they are under 18, including: we do not sell or share their data, we do not use their data for targeted advertising, and we do not engage in profiling that produces legal effects
Users aged 16-17 must have parental or guardian consent for certain features
Where an adult account holder provides limited information about a child or family member (see Section 13), we treat that information as sensitive: we do not sell it, share it for advertising, or use it for profiling

15.4 Biometric Data

kordi does NOT create or use biometric identifiers. We do not generate faceprints, voiceprints, fingerprints, iris or retinal scans, or gait patterns, and we do not use any such data to identify you
If you use your device's biometric authentication (Face ID, Touch ID, fingerprint unlock) to access the app, that data is processed entirely by your device's operating system. We never access, receive, store, or transmit it
If you choose to send a voice message or use voice-based scheduling, we store and transcribe the audio you record in order to provide that feature (see Section 11). We do not use voice recordings to create a voiceprint or to identify you biometrically
This applies regardless of expanded biometric data definitions under federal or state law

16. Universal Opt-Out Signals

Effective January 1, 2026, kordi recognizes and honors universal opt-out preference signals, including the Global Privacy Control (GPC), as valid requests to:

Opt out of the "sale" of personal information (as defined under applicable state laws)
Opt out of "sharing" of personal information for cross-context behavioral advertising
Opt out of targeted advertising

When we detect a universal opt-out signal from your browser or device:

We will treat it as a valid opt-out request under all applicable state privacy laws
No additional action is required from you
The opt-out applies to the browser or device from which the signal is sent

States requiring recognition of universal opt-out signals include California, Colorado, Connecticut (effective January 1, 2025), Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon (effective January 1, 2026), and Texas.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the new Privacy Policy in the app
Sending an email notification
Displaying a prominent notice in the Service

Your continued use after changes constitutes acceptance of the updated policy.

18. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

RALLYO CONCEPTS LLC
Email: privacy@kordiave.com
Support: support@kordiave.com
Legal: legal@kordiave.com

19. State-Specific Privacy Disclosures

19.1 California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. In addition to the rights described in Section 8:

Categories of Personal Information Collected in the Past 12 Months:

Category	Collected	Source	Purpose	Sold	Shared for Ads
A. Identifiers (name, email, phone)	Yes	You	Account creation	No	No
B. Personal Info (Cal. Civ. Code 1798.80)	Yes	You	Service provision	No	No
D. Commercial Info (transaction history)	Yes	You, Stripe	Points economy	No	No
F. Internet Activity (usage data)	Yes	Automatic	Service improvement	No	No
G. Geolocation Data	Yes	You (opt-in)	Event suggestions	No	No
K. Inferences (reliability score, interests)	Yes	Derived	Personalization	No	No

We do NOT sell your personal information. We have not sold personal information in the preceding 12 months.

We do NOT share your personal information for cross-context behavioral advertising.

Financial Incentive Disclosure: kordi's referral program awards kordi points (which have no cash value) for referring new users. This constitutes a "financial incentive" under the CCPA. The value of the incentive is reasonably related to the value of the data provided. You may opt out of the referral program at any time without affecting your use of the Service.

Under-16 Data: Pursuant to CCPA amendments effective January 1, 2026, we treat all personal information of users under 16 as "sensitive personal information" and apply enhanced protections as described in Section 15.3.

California Delete Act: kordi is not a data broker as defined by California Civil Code 1798.99.80 and is not subject to the California Delete Act (SB 362).

To exercise your California privacy rights, see Section 8 or contact privacy@kordiave.com.

19.2 Virginia Residents (VCDPA)

If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act, including the rights described in Section 8. To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Virginia Attorney General.

19.3 Colorado Residents (CPA)

If you are a Colorado resident, you have rights under the Colorado Privacy Act, including the rights described in Section 8. We recognize universal opt-out signals as described in Section 16.

Colorado AI Act Disclosure: kordi uses artificial intelligence as described in Section 11. The Colorado AI Act (SB 24-205, as amended by SB 25-189) takes effect January 1, 2027. Our AI features are informational tools that do not make "consequential decisions" as defined by that Act. They do not determine eligibility for employment, education, financial services, healthcare, housing, insurance, or legal services.

Precise geolocation data is classified as sensitive data under Colorado law. We collect geolocation only with your opt-in consent (see Section 15.1).

To exercise your rights, see Section 8 or contact privacy@kordiave.com. You may also contact the Colorado Attorney General.

19.4 Connecticut Residents (CTDPA)

If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act, including the rights described in Section 8. Connecticut has required recognition of universal opt-out signals since January 1, 2025, which we honor (see Section 16). To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Connecticut Attorney General.

19.5 Indiana Residents

If you are an Indiana resident, you have rights under Indiana's comprehensive privacy law, effective January 1, 2026, including the rights described in Section 8. RALLYO CONCEPTS LLC is an Indiana limited liability company and is committed to compliance with Indiana privacy requirements. To exercise your rights or file an appeal, contact privacy@kordiave.com. You may also contact the Indiana Attorney General.

19.6 Other US State Residents

If you are a resident of Utah, Delaware, Iowa, New Hampshire, Nebraska, New Jersey, Minnesota, Tennessee, Montana, Kentucky, Rhode Island, Oregon, Maryland, Arkansas, Texas, or Florida, you may have additional privacy rights under your state's comprehensive privacy law. The rights described in Section 8 apply to you. To exercise your rights, contact privacy@kordiave.com.

States with laws requiring universal opt-out signal recognition: Oregon (effective January 1, 2026), Montana. See Section 16.

19.7 European Residents (GDPR)

If you are in the European Economic Area, you have rights under the General Data Protection Regulation including access, rectification, erasure, restriction of processing, data portability, and objection. Our legal bases for processing include consent, contract performance, and legitimate interests as described in Section 4. You have the right to lodge a complaint with your local data protection authority.

20. Data Broker Disclosure

RALLYO CONCEPTS LLC is NOT a data broker as defined under any applicable federal or state law. We do not purchase, receive, sell, or license personal data to or from third parties for the purpose of selling, licensing, or trading that data. We collect data directly from you for the sole purpose of providing the kordi Service.