1. Who we are

KEST Trust Inc. ("KEST", "we", "us", "our") operates the KEST platform — a licensed image and persona rights marketplace connecting buyers with persona owners. Our registered address and Data Protection Officer can be reached at the contact details in Section 11 below.

KEST acts as a data controller for the personal data it collects from buyers, persona owners, and visitors. Where KEST processes personal data on behalf of persona owners or enterprise buyers, it acts as a data processor under appropriate data processing agreements.

2. Data we collect

We collect the following categories of personal data:

• Account data: name, email address, organization name, role, and password hash when you register.
• Identity and trust data: for persona owners, identity verification documents, biometric consent records, and profile media submitted through the privacy-upload flow.
• Transaction data: licensing demands, payment references, invoice records, wallet balances, and currency preferences.
• Notification preferences: your channel and frequency settings for system and marketing communications.
• Usage data: IP address, browser type, pages visited, request timestamps, and structured access logs retained for operational observability.
• Communications: support requests, beta feedback, and any messages you send to us.

We do not sell your personal data to third parties.

3. How we use your data

We use personal data for the following purposes and legal bases:

• Providing the platform (contract performance): creating and managing accounts, processing licensing demands, handling payments, and delivering notifications.
• Trust and compliance (legal obligation & legitimate interest): verifying persona identities, maintaining audit trails, detecting fraud, and fulfilling GDPR privacy-request obligations (erasure, access, portability).
• Platform improvement (legitimate interest): analysing aggregated usage metrics and beta feedback to improve features and fix defects.
• Marketing communications (consent): sending product updates or promotional messages where you have opted in. You may withdraw consent at any time.
• Legal compliance (legal obligation): retaining records as required by applicable tax, financial, and data protection law.

4. Data retention

• Account & transaction data: retained for 7 years after contract end to satisfy tax and audit obligations, then securely deleted.
• Identity verification documents: retained for the duration of the persona's active status plus 2 years, or as required by applicable law.
• Access logs: retained for 90 days for security and incident response, then automatically purged.
• Marketing preferences: retained until you withdraw consent or delete your account.
• Deleted accounts: personal data is anonymised or deleted within 30 days of a confirmed erasure request, except where retention is legally required.

5. Third-party processors

We share personal data with the following categories of sub-processors under appropriate data processing agreements:

• Payment processing (Stripe): card data is processed directly by Stripe Inc. KEST does not store full card numbers.
• Transactional email (SendGrid / Twilio): used to deliver account and notification emails.
• Cloud infrastructure: database hosting and application servers may be operated on Supabase, Neon, or equivalent PCI-DSS / ISO 27001 certified providers in the EU or Canada.
• Analytics: aggregated, anonymised usage data only — no third-party cookies are used for advertising tracking.

We do not transfer personal data outside the EU/EEA or Canada without appropriate safeguards (Standard Contractual Clauses or adequacy decision).

6. Cookies and local storage

KEST uses localStorage and sessionStorage to maintain session tokens and user preferences within your browser. These are not cookies and are not transmitted to third parties.

We do not use third-party advertising cookies. If this changes, we will update this policy and request consent where required.

7. Security

KEST implements appropriate technical and organisational measures to protect your personal data, including:

• TLS encryption in transit; encryption at rest for sensitive fields.
• JWT-based authentication with short-lived access tokens.
• Role-based access controls separating buyer, persona, and ops staff data.
• Structured access logging and automated alert thresholds for anomaly detection.
• Regular security reviews and dependency scanning.

Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at security@kest.me.

8. Your rights (GDPR / CCPA / Law 25)

Depending on your jurisdiction, you have the following rights with respect to your personal data:

To exercise any of these rights, submit a request via the Privacy Requests page or email privacy@kest.me. We will respond within 30 days.

9. Children's data

KEST is intended solely for use by individuals aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us immediately and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy to reflect changes in law, our services, or how we process data. Significant changes will be communicated via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

Continued use of the KEST platform after the effective date constitutes acceptance of the updated policy.