Privacy Policy

1. Scope

This Policy explains how Cativae  ("Cativae," "we," "us") collects, uses, shares, and secures personal data when you visit www.cativae.com (the "Site") or use any related services (the "Service"). It applies to both registered members and casual visitors.

2. Data We Collect

• Account data – username, email, hashed password, age-confirmation, location (city/state/country).
• Profile data – non-explicit photos, biography, interests, event preferences.
• Payment data – tokenised card ID, last four digits, billing ZIP/postcode (handled by PCI-compliant processor).
• Usage data – log files, IP address, device ID, browser type, pages viewed, clicks, referring URLs.
• Communications – private messages, support tickets, survey responses.
• Cookie & tracking data – described in Section 10.
• Verification data – images of government IDs and AI/moderator logs.

3. How We Use Your Data

• Provide, secure, and maintain the Service.
• Process payments and manage subscriptions.
• Recommend profiles, events, or content.
• Detect, prevent, and investigate fraud or policy violations.
• Send transactional emails and important account notices.
• With your consent, send optional newsletters or promotions (you may opt‑out at any time).

Legal bases for EU/UK users: contract performance, legitimate interests (security, service improvement), legal obligation, and consent where required (marketing cookies).

4. Sharing & Disclosure

We never sell or rent personal data. We share only with:

• Payment processors (e.g., CCBill) for billing.
• Cloud hosting & backup providers (AWS).
• Email/SMS vendors for 2FA and notifications.
• Analytics providers (aggregate, anonymised metrics).
• Law enforcement when legally compelled or to protect rights, property, or safety.

All third parties are bound by confidentiality and data-processing agreements.

5. International Transfers

Your data may be processed in the United States or other countries where we or our service providers operate. Where required, we rely on Standard Contractual Clauses and equivalent safeguards for cross‑border transfers.

6. Data Retention

We retain account data while your membership is active and for up to 12 months after closure for dispute resolution, anti-fraud, and legal compliance. Logs may be kept longer in anonymised form.

We retain ID-verification records for up to 3 years and moderation logs for up to 5 years.

7. Security Measures

• TLS 1.3 encryption in transit and AES‑256 at rest.
• Zero‑knowledge bcrypt password hashing with pepper.
• Optional WebAuthn / TOTP two‑factor authentication.
• Quarterly penetration tests & annual SOC‑2 Type II audits.

8. Your Rights

EU/UK users: under GDPR you may access, correct, delete, restrict, object to processing, and port your personal data. California residents: under CCPA you may know, delete, and opt-out of sale/sharing of your personal data. Submit requests via privacy@cativae.com. We will respond within 30 days.

9. Children’s Privacy

The Service is not intended for anyone under 18. We do not knowingly collect children’s data. Accounts found to belong to minors are terminated and data erased.

10. Cookies & Similar Technologies

We use first‑party cookies for session management and security, plus third‑party analytics cookies (Google Analytics 4 with IP‑anonymisation). You can manage preferences via the Cookie Settings panel or browser controls. Rejecting cookies may impact functionality.

11. Do Not Track Signals

Cativae does not respond to browser "Do Not Track" signals. We adhere to the practices described in this Policy regardless of DNT status.

12. Changes to This Policy

We may update this Policy from time to time. We will notify members by email and post a prominent notice on the Site at least 7 days before changes take effect.

13. Contact & Data Protection Officer

If you have questions or complaints about privacy, contact our Data Protection Officer at dpo@cativae.com

14. Breach Notification & Incident Response

In the event of a security breach, we will notify affected users without undue delay and in any event within 72 hours of discovery, providing details on the nature of the breach and remedial measures.

15. Automated Decision-Making

We use AI (AWS Rekognition, Onfido) to detect explicit content and verify age. You have the right to request a human review of any automated decision by contacting privacy@cativae.com.