Privacy Policy

Last Updated: May 10, 2026

This Privacy Policy explains how we collect, use, store, and protect your personal information. Please read this policy carefully to understand our data processing practices.

Data Controller

Data Controller: Torvexus Ltd.
Contact Email: adrian@tovexus.com

Purposes of Data Collection

We collect and process your personal data for the following purposes:

• Providing and maintaining our services
• Processing your transactions and orders
• Communicating with you, including sending service notifications
• Improving and optimizing our website and services
• Complying with legal obligations
• Protecting our legitimate interests

Legal Basis for Data Processing

We process your personal data based on the following legal grounds:

• Consent：You have given explicit consent for us to process your personal data (e.g., cookie consent)
• Contract Performance：Processing is necessary for the performance of a contract with you
• Legal Obligation：Processing is necessary for compliance with a legal obligation
• Legitimate Interest：Processing is necessary for our legitimate interests, provided they do not unduly infringe upon your rights

Data Retention Period

36. When data is no longer needed, we will securely delete or anonymize it.

Retention Periods by Data Type

• Account Information：Retained during the account's existence, plus 30 days after deletion for potential recovery requests
• Transaction Records：Retained for 6 years in accordance with applicable tax regulations
• Cookie Consent Logs：Retained for 36 months (to meet GDPR audit requirements)
• Analytics Data：Retained for 26 months
• Marketing Data：Retained until you withdraw your consent

Data Security Measures

Technical Measures

• SSL/TLS encryption to protect data in transit
• Encryption of stored sensitive data
• Strict access control mechanisms, limiting personal data access to authorized personnel only
• Firewalls and intrusion detection systems to protect server security

Organizational Measures

• Regular data protection and privacy security training for employees
• Data Processing Agreements (DPAs) with data processors
• Regular security audits and vulnerability assessments

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authorities and affected data subjects within the timeframes required by applicable law. We will take all reasonable measures to mitigate the potential harm caused by the breach.

EU General Data Protection Regulation (GDPR)

Legal Basis

Under Article 6 of the GDPR, we process your personal data based on the following legal grounds: (a) your explicit consent; (b) necessity for contract performance; (c) compliance with legal obligations; (d) legitimate interests of the data controller or a third party.

Data Subject Rights

Under Articles 15-22 of the GDPR, you have the following rights: right of access (to know what personal data we process), right to rectification (to correct inaccurate data), right to erasure (to request deletion of your personal data), right to restriction of processing, right to data portability (to receive your data in a structured format), and right to object (to object to processing based on legitimate interests).

Data Protection Officer

If you have any questions about our data processing practices, you may contact our Data Protection Officer (DPO).

Cross-Border Data Transfers

When your personal data is transferred to countries outside the European Economic Area (EEA), we will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions.

Right to Complain

If you believe our data processing infringes your rights, you have the right to lodge a complaint with the data protection supervisory authority in your country.

Records of Processing Activities (Article 30)

Under Article 30 of the GDPR, we maintain comprehensive records of our data processing activities, including processing purposes, data categories, recipient categories, cross-border transfer information, and estimated data deletion timelines. These records are available for inspection by supervisory authorities upon request.

Data Protection Impact Assessment (Article 35)

For processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, we conduct Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR to identify and mitigate data processing risks.

Automated Decision-Making (Article 22)

We may use automated decision-making and profiling technologies to optimize service experience. Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. To learn about the logic involved and its impact on you, please contact us.

California Consumer Privacy Act (CCPA/CPRA)

Consumer Rights

Under the CCPA, California residents have the following rights: right to know (what personal information we collect, use, and share), right to delete (request deletion of your personal information), right to opt-out (choose not to have your personal information sold or shared), and right to non-discrimination (exercising privacy rights will not result in discriminatory treatment).

Sale of Personal Information

We do not sell your personal information. If this policy changes in the future, we will provide a "Do Not Sell My Personal Information" link on our website for you to exercise your opt-out right.

Categories of Information Collected

In the past 12 months, we may have collected the following categories of personal information: identifiers (name, email, IP address), internet activity information (browsing history, search records), geolocation data, and commercial information (purchase records).

Financial Incentives

We do not offer financial incentive programs related to the collection, sale, or deletion of personal information.

Sensitive Personal Information

Under the CPRA, sensitive personal information includes social security numbers, driver's license numbers, financial account information, precise geolocation, racial/ethnic information, communication content, genetic data, biometric information, health information, and sexual orientation information. We only process sensitive personal information to the extent necessary to provide the services or goods you request, and we limit its use and disclosure.

Data Sharing Disclosure

In the past 12 months, we may have disclosed personal information to the following categories of third parties for business purposes: service providers (such as payment processing, data analytics), advertising partners (where applicable and with your consent), and legal and compliance advisors. You may contact us for more detailed disclosure records.

Consumer Request Response Time

We will respond to verifiable consumer requests within 45 days of receipt. If additional time is needed, we will notify you of the reason for the extension and the expected response date within the initial 45-day period, with the extension not exceeding an additional 45 days.

Brazil General Data Protection Law (LGPD)

Legal Basis

Under Article 7 of the LGPD, we process your personal data based on the following legal grounds: (a) data subject consent; (b) contract performance; (c) legal or regulatory obligations; (d) legitimate interests of the data controller.

Data Subject Rights

Under Article 18 of the LGPD, you have the following rights: confirmation of the existence of processing, access to data, correction of incomplete or inaccurate data, anonymization/blocking/deletion of unnecessary data, data portability, and withdrawal of consent.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for handling matters related to personal data protection.

International Data Transfers

When your personal data is transferred outside Brazil, we will ensure that the receiving country has an adequate level of data protection, or adopt appropriate safeguards, including standard contractual clauses, binding corporate rules, or obtaining your explicit consent. We will comply with ANPD (Brazilian National Data Protection Authority) regulations regarding international data transfers.

Data Breach Notification

In the event of a security incident that may cause significant risk or harm to data subjects, we will, under Article 48 of the LGPD, notify the ANPD (Brazilian National Data Protection Authority) and affected data subjects within a reasonable timeframe, describing the nature of the incident, the types of data affected, the risks, and the remedial measures taken.

Automated Decision-Making

Under Article 20 of the LGPD, you have the right to request a review of decisions made solely based on automated processing of personal data, including decisions aimed at defining your personal, professional, consumer, and credit profile or personality aspects.

Japan Act on the Protection of Personal Information (APPI)

Purpose of Use

We will process your personal information within the scope of clearly defined purposes of use and will not use it beyond what is necessary.

Personal Information Rights

You have the right to request disclosure, correction, deletion of your personal information, as well as cessation of use or provision to third parties.

Cross-Border Provision

When providing personal information to third parties outside Japan, we will obtain your prior consent or confirm that the recipient has a level of protection equivalent to the APPI.

UK Data Protection Act (UK GDPR)

Legal Basis

Under the UK GDPR, we process your personal data based on the following legal grounds: consent, contract performance, legal obligations, and legitimate interests.

Data Subject Rights

You have the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise your rights, please contact us.

International Data Transfers

When your data is transferred outside the UK, we will ensure appropriate safeguards are in place.

Right to Complain

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

Legitimate Interests Assessment (LIA)

When we rely on legitimate interests as the legal basis for data processing, we conduct a Legitimate Interests Assessment to ensure our interests do not override your rights and freedoms. Assessment records are available upon request.

Data Protection Impact Assessment

For data processing activities that are likely to result in a high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) as required by the UK GDPR to identify, assess, and mitigate data protection risks.

ICO Complaint

If you are dissatisfied with how we process your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). ICO contact details: Website https://ico.org.uk, Phone 0303 123 1113, Postal address Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.

China Personal Information Protection Law (PIPL)

Processing Rules

Under Article 13 of the PIPL, we process your personal information based on the following circumstances: (a) obtaining your consent; (b) necessity for concluding or performing a contract; (c) necessity for performing statutory duties or obligations; (d) necessity for responding to public health emergencies; (e) processing publicly available personal information within a reasonable scope.

Personal Information Rights

Under Articles 44-49 of the PIPL, you have the following rights: right to know and decide, right to restrict or refuse processing, right to access and copy, right to portability, right to correction and supplementation, and right to deletion. We will respond within 15 business days upon your exercise of these rights.

Sensitive Personal Information

For sensitive personal information (such as biometrics, religious beliefs, specific identities, medical health, financial accounts, location tracking, etc.), we only process such information when there is a specific purpose and sufficient necessity, and after obtaining your separate consent.

Cross-Border Transfer

If your personal information needs to be transferred outside the People's Republic of China, we will conduct a security assessment in accordance with the law and obtain your separate consent. We will ensure that the processing activities of overseas recipients meet the protection standards prescribed by this law.

Personal Information Processor

As a personal information processor, we will strictly process your personal information in accordance with the purposes, methods, and scope prescribed by law, and take necessary measures to ensure the security of personal information.

Personal Information Protection Impact Assessment

Under Article 55 of the PIPL, for processing sensitive personal information, using personal information for automated decision-making, entrusting the processing of personal information, or providing personal information to overseas parties, we will conduct a personal information protection impact assessment beforehand, covering the legality of processing purposes and methods, the impact on individual rights and security risks, and the legality and effectiveness of protective measures.

Automated Decision-Making

Under Article 24 of the PIPL, when we push information or conduct commercial marketing through automated decision-making, we will simultaneously provide options that are not targeted at your personal characteristics, or provide a convenient way to refuse. When automated decision-making is used to make decisions that have a significant impact on your rights and interests, you have the right to request an explanation and to refuse decisions made solely through automated decision-making.

Deceased Persons' Personal Information

Under Article 49 of the PIPL, upon the death of a natural person, their close relatives may exercise the rights of access, copying, correction, and deletion of the deceased's relevant personal information for their own lawful and legitimate interests, unless the deceased made other arrangements during their lifetime.

Thailand/Singapore Personal Data Protection Act (PDPA)

Consent for Data Collection

We will obtain your consent before collecting, using, or disclosing your personal data, unless otherwise provided by law.

Data Subject Rights

You have the right to access, correct, and delete your personal data, as well as to withdraw consent and object to data processing.

Data Protection Officer

We have appointed a Data Protection Officer to handle matters related to personal data protection.

South Africa Protection of Personal Information Act (POPIA)

Processing Conditions

Under POPIA, we process your personal information based on the following conditions: consent, contract performance, legal obligations, and legitimate interests.

Data Subject Rights

You have the right to access, correct, and delete your personal information, as well as to object to data processing.

Right to Complain

You have the right to lodge a complaint with the South African Information Regulator.

Cookie Policy

What Are Cookies

Cookies are small text files stored on your device by websites to remember your preferences, login status, and other information to provide a better experience on your next visit. Cookies may also be used for analytics and advertising purposes.

Types of Cookies We Use

• Necessary Cookies：These cookies are essential for the basic functionality of the website, such as maintaining login sessions, ensuring security, and remembering cookie consent preferences. These cookies cannot be disabled in our system.
• Analytics Cookies：These cookies help us understand how visitors interact with the website by collecting anonymous statistics to improve website performance and user experience.
• Marketing Cookies：These cookies are used to track visitor browsing activity to display relevant personalized advertisements. These cookies are typically set by third-party advertising services.
• Functional Cookies：These cookies enable the website to provide enhanced functionality and personalization, such as remembering your language preferences, region selection, or interface customization settings.

How to Manage Cookie Preferences

When you first visit our website, you will see a cookie consent banner where you can choose to accept or reject non-essential cookies. You can also manage your cookie preferences at any time through the following methods:

• Modify preferences through the cookie settings panel on our website
• Delete or block cookies through your browser settings
• Browse using your browser's privacy/incognito mode

Please note that disabling certain cookies may affect the functionality of the website and your user experience.

Third-Party Service Data Processing

Our website uses the following third-party services, which may collect and process your personal data:

Google Analytics

Purpose: Website traffic analytics service

Data Collected: Page views, device information, IP address (anonymized), browser type, visit duration

Legal Basis: Legitimate interest (website optimization) or user consent

For more information, please refer to the Google Analytics Privacy Policy。

Stripe

Purpose: Online payment processing service

Data Collected: Payment card information, billing address, transaction records, IP address, device information

Legal Basis: Contract performance (payment processing)

For more information, please refer to the Stripe Privacy Policy。

Cloudflare

Purpose: CDN and website security service

Data Collected: IP address, HTTP request headers, access logs

Legal Basis: Legitimate interest (website security and performance)

For more information, please refer to the Cloudflare Privacy Policy。

Google reCAPTCHA

Purpose: Bot verification and anti-spam service

Data Collected: IP address, browser information, mouse behavior, cookies

Legal Basis: Legitimate interest (website security)

For more information, please refer to the Google reCAPTCHA Privacy Policy。

Children's Privacy

Our services are not directed at children under the age of 16 (as required by the GDPR), and we do not knowingly collect personal data from children under 16.

If we discover that we have inadvertently collected personal data from a child without parental or guardian consent, we will take immediate steps to delete such data. If you believe we may have collected personal information from a child, please contact us immediately using the contact information provided in this policy.

Your Rights

Under applicable data protection laws, you may have the following rights:

• Access your personal data
• Rectify inaccurate personal data
• Erase your personal data
• Restrict or object to data processing
• Data portability
• Withdraw consent

To exercise any of these rights, please contact us using the information provided below.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or updates to applicable laws and regulations.

When we make significant changes to this policy, we will notify you through the following methods:

• Posting a prominent notice on our website
• Sending a change notification via email to registered users
• Updating the "Last Updated" date at the top of this page

We recommend that you review this Privacy Policy periodically to stay informed about how we protect your personal information. Continued use of our services constitutes acceptance of the updated Privacy Policy.

Contact Information

If you have any questions about this Privacy Policy or need to exercise your data rights, please contact us through the following methods:

• Company Name: Torvexus Ltd.
• Email: adrian@tovexus.com

Legal Disclaimer

This Privacy Policy was generated with the assistance of automated tools to help you understand our data processing practices. We recommend consulting a professional legal advisor to ensure full compliance with applicable laws and regulations.