Privacy Policy — Mavvrixx.ai Inc.

Privacy Policy

Mavvrixx.ai Inc. | GigID™ · IndieID™ · GigVerify™ · GigATM™ Last updated: April 1, 2026 [DRAFT — Requires attorney review before publication]

Plain English first. This policy explains what data we collect, why we collect it, who we share it with, and what you can do about it. If you have questions, email privacy@mavvrixx.ai.

1. Who We Are

Mavvrixx.ai Inc. (“Mavvrixx,” “we,” “us,” “our”) is a Delaware corporation operating the GigID™, IndieID™, GigVerify™, and GigATM™ products and the Mavvrixx.ai platform.

We are: - Data Controller for personal data we process about you as a worker/member - Data Processor on behalf of verifiers and partners when we process their customers’ data

Our registered address: 850 New Burton Road, Suite 201, Dover, DE 19904, USA

Privacy inquiries: privacy@mavvrixx.ai Data Protection Officer (EU/UK): dpo@mavvrixx.ai

2. What Data We Collect and Why

2.1 Data You Give Us Directly

Data	Why We Collect It	Legal Basis
Email address	Issue your credential, communicate with you	Contract + Consent
Name	Personalize your badge and profile	Contract
Work type (gig, freelance, etc.)	Categorize your credential correctly	Contract
Country of residence	Apply correct legal protections, country-specific terms	Legal obligation + Contract
Platform connections (optional)	Generate income signals for your GigScore™	Consent
Government-issued ID (Level 3 KYC, optional)	Identity verification — processed by KYC partner, we receive status only	Consent + Legal obligation
Business registration (IndieID Level 3, optional)	Business identity verification	Consent

2.2 Data We Collect Automatically

Data	Why We Collect It	Legal Basis
IP address	Security, fraud prevention, approximate location	Legitimate interest
Device type and browser	Ensure service compatibility	Legitimate interest
Session data and usage logs	Improve the service, detect errors	Legitimate interest
Consent records (timestamp, decision, query ID)	Legal compliance — proof of consent for every B2B query	Legal obligation
Query log entries	Worker transparency — you can see who queried your GigID	Contract + Legal obligation

2.3 Data From Connected Platforms (Optional — Level 2+)

When you connect a gig platform (e.g., Uber, Upwork, Fiverr), we access: - Your earnings data for the period you authorize - Your activity history (hours worked, jobs completed) — income signal only - Platform tenure (how long you’ve been active)

We do not access: - Your platform login credentials (we use OAuth — you never share your password with us) - Customer or client contact information - Messages or private communications on the platform - Any data beyond income signals

2.4 Data From KYC Partner

Level 3 identity verification is performed by a third-party KYC provider (currently Persona.com). They process your identity documents. We receive only a pass/fail verification status and a reference ID — we do not receive or store copies of your ID documents.

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Issue and maintain your GigID/IndieID credential	Email, name, work type, country	Contract
Generate your GigScore™	Platform earnings signals, activity data	Contract + Consent
Create and display your badge	Name, verification level, score tier	Contract
Process B2B income verification queries (GigVerify™)	Verification level, income signal, score range — only with your consent	Consent
Operate GigATM™ income advance service	GigScore™ data, platform earnings signals	Contract + Consent
Send service emails (credential issued, query received, etc.)	Email address	Contract
Send marketing emails (product updates, new features)	Email address	Consent (opt-in)
Fraud prevention and security	IP, device, usage logs	Legitimate interest
Legal compliance	Whatever is required by law	Legal obligation
Service improvement and analytics	Aggregated, de-identified usage data	Legitimate interest

We do NOT use your data for: - Advertising targeting (we don’t serve ads) - Selling to data brokers or third-party marketers - Credit bureau reporting - Employment background checks without your explicit consent - Any purpose not listed above

4.1 Verifiers (B2B — Banks, Lenders, Insurers, Landlords)

We share your GigID data with Verifiers only when you explicitly approve a query through our consent flow. What they receive is limited to what was disclosed in the consent notification. We never share your data with Verifiers without a valid consent record.

4.2 Platform Partners

If you claimed your GigID through a partner platform, that partner may receive confirmation that you have a verified GigID (not your underlying data). Revenue sharing between Mavvrixx and partners does not involve sharing your personal data.

4.3 Infrastructure and Service Providers

We use trusted sub-processors to operate our service:

Sub-processor	Role	Location	Safeguard
AWS	Cloud infrastructure, data storage	US (with EU region option)	AWS DPA + SCCs
Persona.com	KYC / identity verification	US	Persona DPA
Plaid	Platform data connections	US	Plaid DPA
SendGrid (Twilio)	Transactional email	US	SendGrid DPA + SCCs
Stripe	Payment processing	US	Stripe DPA
Pinecone	Vector database (AI features)	US	Pinecone DPA

We require all sub-processors to maintain appropriate security and privacy standards and to process data only as instructed by us.

4.4 Legal Requirements

We may disclose your data if required by law, court order, or valid legal process. Where permitted, we will notify you before disclosing.

4.5 Business Transfers

If Mavvrixx is acquired, merged, or its assets are transferred, your data may transfer to the successor entity. You will be notified and have the opportunity to delete your account before any transfer.

4.6 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal data to anyone. Ever.

5. Your Rights

You have the following rights over your personal data:

Right	What It Means	How to Exercise
Access	See what data we hold about you	Login → Settings → Download My Data, or email privacy@mavvrixx.ai
Correction	Fix inaccurate data	Email privacy@mavvrixx.ai
Deletion (Erasure)	Delete your account and all personal data	Login → Settings → Delete Account (data deleted within 30 days)
Portability	Receive your data in a machine-readable format	Login → Settings → Export My Data
Restrict Processing	Ask us to stop processing your data while a dispute is resolved	Email privacy@mavvrixx.ai
Object	Object to processing based on legitimate interest	Email privacy@mavvrixx.ai
Withdraw Consent	Withdraw any consent at any time (platform connections, B2B queries, marketing)	Vault dashboard or email privacy@mavvrixx.ai
Revoke B2B Query	Revoke a past approval from your Vault	Login → Vault → Query Log → Revoke

We will respond to rights requests within 30 days (or sooner, as required by applicable law).

6. Data Retention

Data Type	Retention Period
Account data (email, name, country)	For the life of your account + 30 days after deletion
GigScore™ and income signals	For the life of your account + 30 days after deletion
Platform connection data	Until you disconnect the platform + 7 days
B2B query consent records	Minimum 3 years (legal compliance)
Query log entries	Minimum 3 years (your right to audit who queried your data)
KYC verification status	For the life of your account + 30 days after deletion
Marketing consent records	Until withdrawn + 3 years
Security and fraud logs	12 months rolling

When you delete your account, we delete your personal data within 30 days and notify you when deletion is complete. Some data (consent records, query logs) may be retained in anonymized/aggregated form for legal compliance purposes.

7. Security

We protect your data with:

Encryption at rest: AES-256 for all stored personal data
Encryption in transit: TLS 1.2+ for all data transmissions
Access controls: Role-based access; employees access only what they need
KYC data isolation: Identity document processing is handled entirely by our KYC partner — we never store your documents
Consent tokens: Every B2B query is tied to a unique, non-reusable consent token
Security audits: Annual penetration testing (planned); SOC 2 Type I certification in progress
Breach response: We will notify you and relevant authorities within 72 hours of discovering a breach affecting your personal data

8. Cookies

We use the following cookies:

Cookie Type	Purpose	Consent Required
Essential	Session management, CSRF protection, authentication	No — necessary for service
Analytics	Understanding how users use the service (aggregated, no personal profiling)	Yes — opt-in
No advertising cookies	We do not serve ads and use no advertising cookies	N/A

You can manage cookies via our cookie banner on first visit. For detailed information, see our Cookie Policy.

9. Children

Our services are for individuals aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, contact privacy@mavvrixx.ai immediately and we will delete it.

10. International Data Transfers

We are a US company and your data is processed in the United States. When we transfer personal data from the EU, UK, or other regions with transfer restrictions, we use:

Standard Contractual Clauses (SCCs) — EU Commission-approved clauses for transfers to the US
UK IDTA — International Data Transfer Agreement for UK-to-US transfers
Adequacy decisions — where applicable (e.g., transfers to countries with EU adequacy)

A copy of our SCC framework is available on request from privacy@mavvrixx.ai.

11. Changes to This Policy

We will notify you by email at least 30 days before making material changes to this Privacy Policy. Continued use after the effective date = acceptance. If you don’t accept changes, delete your account before the effective date.

12. Country-Specific Addenda

Lawful basis for processing: Consent (Art. 6(1)(a)) for income data and B2B queries; Contract (Art. 6(1)(b)) for account-related processing; Legal obligation (Art. 6(1)(c)) for compliance; Legitimate interest (Art. 6(1)(f)) for security/fraud
Special category data: We do not intentionally process special category data (Art. 9 GDPR). If you believe you’ve shared such data, contact us to have it deleted.
Right to lodge a complaint: You may lodge a complaint with your national data protection authority (e.g., CNIL in France, BfDI in Germany, ICO in the UK — see 12.2 for UK)
Data Protection Officer: dpo@mavvrixx.ai
Automated decision-making: GigScore™ generation involves automated processing. You have the right to request human review of any decision significantly affecting you (Art. 22 GDPR). Contact privacy@mavvrixx.ai.

UK GDPR and the Data Protection Act 2018 apply to UK residents
ICO registration number: [pending — to be added before UK launch]
DPO: dpo@mavvrixx.ai
To complain to the ICO: ico.org.uk/make-a-complaint

12.3 California, USA (CCPA/CPRA)

We do not sell or share your personal information for cross-context behavioral advertising
Categories of personal information collected: identifiers, commercial information (income signals), internet/electronic activity, geolocation (country only), professional/employment information
Your rights under CCPA: Right to know, delete, correct, opt-out of sale/sharing, and non-discrimination
“Do Not Sell or Share My Personal Information”: We do not sell or share. If you wish to formally exercise this right anyway, email privacy@mavvrixx.ai.
To submit a CCPA rights request: privacy@mavvrixx.ai or 1-800-[TBD]

12.4 Canada (PIPEDA)

Consent under PIPEDA is meaningful, informed, specific, and withdrawable at any time
You may access your personal information and challenge its accuracy by contacting privacy@mavvrixx.ai
Privacy complaints: Office of the Privacy Commissioner of Canada at priv.gc.ca
Section 13 arbitration in our Terms of Service applies only to the extent permitted under applicable Canadian law

12.5 Australia (Privacy Act 1988)

We comply with the Australian Privacy Principles (APPs)
You have the right to access and correct your personal information
If you believe we have breached the APPs, contact privacy@mavvrixx.ai first; if unresolved, you may contact the Office of the Australian Information Commissioner at oaic.gov.au

12.6 India (DPDP Act 2023)

We comply with the Digital Personal Data Protection Act 2023
Your rights: Consent withdrawal, access to data held, correction and erasure, grievance redressal
Consent notices are provided in English; regional language versions available on request
Grievance Officer: grievance@mavvrixx.ai — respond within 30 days
We will comply with applicable requirements for Data Fiduciary registration as they come into force

12.7 Philippines (Data Privacy Act 2012)

We comply with Republic Act No. 10173 and the implementing rules of the National Privacy Commission
Data Protection Officer (Philippines): dpo@mavvrixx.ai
NPC registration: [pending — to be completed before Philippines launch]
Data breach notification: you and the NPC will be notified within 72 hours of discovering a breach affecting your data
Your rights: access, correction, erasure, data portability, object to processing, and damages in case of breach

12.8 Brazil (LGPD)

We comply with the Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018)
Lawful basis: consent (Art. 7, I, LGPD) — specific, informed, freely given, and withdrawable at any time
You may withdraw consent without detriment to any other service
DPO: dpo@mavvrixx.ai
Complaints: Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd

12.9 Mexico (LFPDPPP)

We comply with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares
A Privacy Notice (Aviso de Privacidad) is provided to Mexican residents on request and at data collection
Your rights (ARCO): Access, Rectification, Cancellation, Opposition — exercise at privacy@mavvrixx.ai
Complaints: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)

12.10 Turkey (KVKK)

We comply with the Kişisel Verilerin Korunması Kanunu (KVKK — Law No. 6698)
You have the right to learn whether your personal data is processed, access it, request correction or deletion, object to processing, and claim compensation for damage
Data Controller registration: [pending — before Turkey launch]
Contact: privacy@mavvrixx.ai

13. Contact Us

Privacy inquiries: privacy@mavvrixx.ai Data deletion requests: privacy@mavvrixx.ai (subject: “Data Deletion Request”) DPO (EU/UK/Brazil): dpo@mavvrixx.ai Grievance Officer (India): grievance@mavvrixx.ai Postal: Mavvrixx.ai Inc., 850 New Burton Road, Suite 201, Dover, DE 19904, USA

We aim to respond to all privacy inquiries within 5 business days and to resolve them within 30 days.

GigID™, IndieID™, GigVerify™, GigATM™, GigScore™, and Mavvrixx™ are trademarks of Mavvrixx.ai Inc. [DRAFT — This document requires review by qualified legal counsel before publication. Last substantive update: April 1, 2026.]