Koyden

Privacy Policy

1. Introduction

Purpose of this Privacy Policy

This Privacy Policy explains how Koyden collects, uses, stores, and protects personal data when you use our services.

Its purpose is to provide clear and transparent information about:

  • What types of personal data are processed
  • Why this data is collected
  • How it is used and protected
  • What rights users have regarding their personal data

Koyden is committed to handling personal data in a lawful, fair, and transparent manner, in accordance with applicable data protection laws.

Scope of This Policy

This policy applies to the Koyden mobile application and any official websites or online services directly operated by Koyden.

Who This Policy Applies To

This Privacy Policy applies to all users of Koyden, including:

  • Buyers who browse products or stores
  • Sellers who create stores, publish products, or manage listings
  • Visitors who access the app or website without creating an account

Different categories of users may provide different types of data, depending on how they interact with the services.

Jurisdiction and Applicable Law

Koyden is established in Belgium and operates primarily within the European Union.

This Privacy Policy is intended to comply with applicable data protection laws, including:

  • The General Data Protection Regulation (GDPR) (EU Regulation 2016/679)
  • Applicable Belgian data protection laws

Where local laws provide additional or mandatory protections, those protections apply accordingly.

2. Who We Are (Data Controller)

Koyden is the data controller responsible for the processing of personal data under this Privacy Policy.

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR), the data controller is:

As the data controller, Koyden determines the purposes and means of processing personal data collected through the Koyden mobile application and related services.

If you have any questions about this Privacy Policy, the way your personal data is processed, or if you wish to exercise your data protection rights, you may contact us using the email address above.

3. Personal Data We Collect

Koyden collects and processes different categories of personal data depending on how users interact with the services. Some data is provided directly by users, while other data is collected automatically for operational, security, and legal purposes.

3.1 Data You Provide Directly

When you create an account or use Koyden’s features, you may provide personal data such as:

  • Account information (for example: name, email address)
  • Profile information
  • Store information provided by sellers (such as store name, description, address, opening hours, and contact details if shared)
  • Product information published by sellers (including product names, descriptions, prices, media such as images or videos, tags, and availability)
  • Content submitted through reports, feedback, or support requests
  • Records of policy acceptance (for example, the date and time you accepted the Terms of Service and Privacy Policy, and the version accepted)

The type and amount of data collected depends on whether you use Koyden as a buyer, seller, or visitor.

3.2 Authentication and Account Data

Koyden uses a third-party authentication provider to manage account creation and sign-in.

As part of this process, the following data may be processed:

  • Email address
  • Authentication identifiers
  • Account status (such as active, deactivated, or pending deletion)

Koyden does not store passwords directly.

3.3 Location Data

To enable discovery of local stores and products, Koyden processes location-related data provided by sellers, including:

  • Store address details (such as city, postal code, and country)
  • Geographic coordinates used to display store locations on maps

Location data is used solely to support app functionality, such as displaying nearby stores and products, and is not used for tracking users beyond what is necessary to provide these features.

If a user chooses to enable location-based search features, Koyden may access the user’s approximate or device location, depending on the permissions granted, to display nearby stores or products.

When a user enables location-based search, the app may access location while the feature is being used (for example, to refresh nearby results).

Koyden does not collect location data in the background unless the user explicitly grants background permission and the feature requires it.

3.4 Usage and Technical Data

When you use the app, certain technical data may be collected automatically, including:

  • Device and app interaction data
  • Log data related to app performance, security, and abuse prevention
  • Approximate network information (such as IP address) for security, fraud prevention, and operational purposes

This data is used to maintain the stability, security, and proper functioning of the services.

This data may also be used to support automated security and abuse-prevention measures, as described in Section 4.9.

3.5 Billing and Subscription Data (If Applicable)

If you are a seller and choose a paid plan, billing and payment processing are handled by a third-party payment provider.

Koyden does not store full payment card details.

Billing-related data processed by Koyden may include:

  • Subscription status
  • Plan type
  • Billing identifiers provided by the payment provider

3.6 Aggregated and Non-Identifying Data

Koyden may generate aggregated or anonymized data for analytics, statistics, or service improvement purposes. This data does not identify individual users.

4. Purposes of Processing

Koyden processes personal data only for specific, explicit, and legitimate purposes. Personal data is collected and used solely to operate, maintain, and improve the services, and to comply with legal obligations.

4.1 Providing and Operating the Services

Personal data is processed to allow users to access and use Koyden’s core features, including:

  • Creating and managing user accounts
  • Enabling buyers to browse stores and products
  • Allowing sellers to create stores, publish products, and manage listings
  • Displaying store and product information to other users

Without this processing, the services cannot function properly.

4.2 Authentication, Account Management, and Security

Personal data is processed to:

  • Authenticate users and manage sign-in sessions
  • Maintain account status (active, deactivated, or pending deletion)
  • Protect accounts against unauthorized access, fraud, or abuse
  • Enforce platform rules and usage limits

This processing helps ensure the security and integrity of the platform.

4.3 Location-Based Functionality

Location-related data provided by sellers is processed to:

  • Display stores and products on maps
  • Enable location-based discovery and search
  • Provide relevant results based on geographic proximity

Location data is used only for functional purposes and is not used for continuous tracking of users.

4.4 Communication and Support

Personal data may be processed to:

  • Respond to support requests or inquiries
  • Handle reports submitted by users
  • Communicate important service-related information (such as account or subscription status)

Koyden does not use personal data for unsolicited marketing communications.

4.5 Billing and Subscription Management (If Applicable)

For sellers using paid plans, personal data is processed to:

  • Manage subscriptions and plan entitlements
  • Track subscription status and billing state
  • Coordinate with the payment provider for billing-related operations

Koyden does not process or store full payment card details.

4.6 Moderation, Safety, and Abuse Prevention

Personal data may be processed to:

  • Detect, prevent, and investigate misuse of the platform
  • Enforce content rules and reporting mechanisms
  • Apply rate limits and moderation actions when necessary

This processing is essential to maintain a safe and fair environment for all users.

4.7 Analytics and Service Improvement

Koyden may process aggregated or non-identifying data to:

  • Understand how the services are used
  • Improve performance, reliability, and user experience
  • Develop new features or improve existing ones

This data does not directly identify individual users.

4.8 Legal and Regulatory Compliance

Personal data may be processed where necessary to:

  • Comply with applicable legal obligations
  • Respond to lawful requests from public authorities
  • Protect Koyden’s legal rights and interests

4.9 Automated Security and Abuse Prevention Measures

Koyden may use automated measures to protect the services, including rate limiting, spam detection, fraud prevention, and abuse-prevention mechanisms.

These measures may automatically and temporarily restrict access or requests when unusual or excessive activity is detected, in order to protect platform security, service availability, and infrastructure costs.

Koyden does not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of applicable data protection laws.

5. Publicly Visible Information

Some information published on Koyden is intentionally made visible to other users or to the public, depending on how the services are used.

5.1 Information Made Public by Sellers

When sellers create a store or publish products, certain information becomes publicly visible, including:

  • Store name, description, and public profile information
  • Store location details displayed on maps (such as city or approximate location)
  • Store tags, categories, and delivery options
  • Product listings, including product names, descriptions, prices, availability, and media (such as images or videos)
  • Any additional information voluntarily included by the seller in public fields

This information is displayed to allow buyers to discover stores and products and to facilitate direct contact between buyers and sellers.

5.2 Seller Responsibility for Published Content

Sellers are solely responsible for the accuracy, completeness, and legality of the information they choose to publish on Koyden.

Koyden does not verify, certify, or guarantee:

  • The authenticity of labels, tags, or claims made by sellers
  • The accuracy of product descriptions or store information
  • Compliance of seller-provided content with external standards, certifications, or regulations

Buyers are encouraged to contact sellers directly if they need additional clarification.

5.3 Information That Is Not Public

The following types of data are not publicly visible to other users:

  • Authentication data and contact information that has not been intentionally published by the user
  • Account status or internal identifiers
  • Billing and subscription information, except for indirect inferences that may result from publicly visible features or limits
  • Reports, moderation actions, or internal enforcement data
  • Support communications

If a user voluntarily includes contact details (such as an email address or phone number) in their public store profile, bio, or product descriptions, that information will be publicly visible.

This information is processed internally and only for the purposes described in this Privacy Policy.

5.4 Control Over Public Information

Sellers can update or remove most publicly visible information through their account settings or by unpublishing content, subject to applicable retention or legal requirements.

Koyden may retain certain data where required to comply with legal obligations or to protect its legitimate interests.

6. Legal Bases for Processing

Koyden processes personal data only where there is a valid legal basis under applicable data protection laws, in particular the General Data Protection Regulation (GDPR).

Depending on the context, personal data may be processed on one or more of the following legal bases:

6.1 Performance of a Contract

Personal data is processed where necessary to perform a contract with users, or to take steps at the user’s request prior to entering into a contract.

This includes, for example:

  • Creating and managing user accounts
  • Providing access to app features
  • Allowing sellers to publish stores and products
  • Displaying store and product information to buyers
  • Managing subscriptions and paid plans (where applicable)

Without this processing, Koyden would not be able to provide the services requested by users.

6.2 Legitimate Interests

Koyden may process personal data where it is necessary for its legitimate interests, provided that such interests are not overridden by the rights and freedoms of users.

Legitimate interests include, for example:

  • Ensuring the security and integrity of the platform
  • Preventing fraud, abuse, and misuse
  • Enforcing platform rules and usage limits
  • Improving performance, reliability, and user experience
  • Moderating content and handling reports

Where processing is based on legitimate interests, Koyden takes appropriate measures to balance its interests against user rights.

6.3 Legal Obligations

Personal data may be processed where necessary to comply with legal or regulatory obligations, including:

  • Accounting and tax requirements
  • Responding to lawful requests from authorities
  • Complying with applicable data protection, consumer protection, or other laws

6.4 Consent (Where Applicable)

In limited and specific cases, personal data may be processed based on user consent, where required by applicable law.

Where consent is required:

  • It is requested in a clear and specific manner
  • Users may withdraw their consent at any time
  • Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal

6.5 Vital Interests

In rare cases, personal data may be processed where necessary to protect the vital interests of a user or another person, for example in emergency or safety-related situations.

7. Data Sharing and Third Parties

Koyden does not sell personal data to third parties.

Personal data may be shared only where necessary to operate the services, comply with legal obligations, or protect Koyden’s legitimate interests, and only with trusted third parties acting on Koyden’s behalf or as independent service providers.

7.1 Service Providers and Processors

Koyden relies on third-party service providers to support core functionality of the app. These providers process personal data only as necessary to perform their services and in accordance with applicable data protection laws.

Such providers include, in particular:

  • Clerk (authentication services), used to manage user registration, sign-in, session management, and account security. Data processed may include email addresses, authentication identifiers, and security-related metadata. Clerk acts as a data processor or as an independent controller depending on the specific processing activities.
  • Supabase (database and backend infrastructure), used to store and manage application data such as user accounts, profiles, stores, products, and related operational data. Supabase acts as a data processor.
  • Cloudflare (network, storage, security, and edge services), used for media storage and delivery, network routing, abuse prevention (such as rate limiting), and execution of server-side logic through Cloudflare Workers. Cloudflare acts as a data processor.
  • Stripe (payment and subscription processing), used to manage subscriptions, billing, and payment transactions. Stripe processes payment-related data as an independent data controller in accordance with its own privacy policy. Koyden does not store full payment card details.

These service providers act as data processors or independent controllers, depending on their role, and are subject to contractual obligations regarding data protection and security.

Some of these service providers may process personal data outside the European Economic Area; further information on international transfers is provided in Section 10.

7.2 Payment and Billing Providers (If Applicable)

If a seller uses paid features, billing and payment processing are handled by a third-party payment provider.

Koyden may share limited data with this provider, such as:

  • Account identifiers
  • Subscription or plan information
  • Billing references required to manage subscriptions

Koyden does not receive or store full payment card details.

7.3 Legal and Regulatory Disclosures

Personal data may be disclosed where required to:

  • Comply with applicable laws or regulations
  • Respond to lawful requests from public authorities
  • Enforce legal rights or defend against legal claims
  • Protect the safety, rights, or property of Koyden, its users, or others

Such disclosures are made only where legally required or permitted.

7.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to applicable data protection laws and appropriate safeguards.

Users will be notified where required by law.

8. Data Retention

Koyden retains personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods vary depending on the type of data and the context in which it is processed.

8.1 Account and Profile Data

Personal data related to user accounts (such as account information, profile data, and store information) is retained for the duration of the user’s account.

If a user requests account deletion:

  • The account may enter a deactivation period, during which reactivation is possible
  • After this period, personal data is deleted or anonymized, unless retention is required for legal, regulatory, or security reasons

Acceptance records (such as timestamps and policy versions) may be retained for as long as necessary to demonstrate compliance and to establish, exercise, or defend legal claims.

8.2 Seller Content and Public Information

Content published by sellers (such as stores, products, descriptions, images, and other public information) is retained:

  • While the content is published
  • Or until it is removed or unpublished by the seller

Koyden may retain certain content or metadata for a limited period after removal where necessary for:

  • Legal compliance
  • Dispute resolution
  • Enforcement of platform rules
  • Prevention of abuse or fraud

Due to technical constraints, copies of removed content may remain temporarily available through caching or content delivery systems, but are automatically refreshed or invalidated over time.

8.3 Usage, Logs, and Technical Data

Usage data, logs, and technical information are retained only for as long as necessary to:

  • Ensure platform security and stability
  • Investigate incidents or misuse
  • Comply with legal or regulatory obligations

Retention periods for such data may vary depending on the nature of the data and operational requirements.

8.4 Billing and Subscription Data

Billing-related data is retained for as long as required to:

  • Manage subscriptions
  • Comply with accounting, tax, and legal obligations

Payment providers may retain billing data in accordance with their own legal and regulatory requirements.

8.5 Reports, Moderation, and Abuse-Prevention Data

Reports, moderation records, and related data may be retained for a reasonable period to:

  • Enforce platform rules
  • Detect repeated violations
  • Prevent abuse or misuse
  • Defend against legal claims

Retention duration depends on the nature and severity of the issue.

8.6 Legal Obligations and Disputes

In some cases, personal data may be retained longer where necessary to:

  • Comply with legal obligations
  • Respond to lawful requests
  • Establish, exercise, or defend legal claims

9. User Rights (GDPR)

Under the General Data Protection Regulation (GDPR), users have certain rights regarding their personal data. These rights apply subject to applicable legal conditions and limitations.

9.1 Right of Access

Users have the right to request confirmation as to whether Koyden processes their personal data and, where applicable, to access that data.

This includes information about:

  • The categories of personal data processed
  • The purposes of processing
  • The categories of recipients of the data

9.2 Right to Rectification

Users have the right to request correction of inaccurate or incomplete personal data.

Most account, profile, store, and product information can be updated directly through the app.

9.3 Right to Erasure (“Right to Be Forgotten”)

Users may request deletion of their personal data where:

  • The data is no longer necessary for its original purpose
  • The user withdraws consent (where applicable)
  • The data has been unlawfully processed

This right is not absolute. Certain data may be retained where required for:

  • Legal or regulatory compliance
  • Security and abuse prevention
  • Establishment, exercise, or defense of legal claims

9.4 Right to Restriction of Processing

Users may request that processing of their personal data be restricted in certain circumstances, such as where:

  • The accuracy of the data is contested
  • Processing is unlawful but erasure is not requested
  • The data is required for legal claims

9.5 Right to Data Portability

Where applicable, users have the right to receive personal data they have provided to Koyden in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

This right applies only to data processed based on consent or performance of a contract and by automated means.

9.6 Right to Object

Users may object to processing of their personal data where processing is based on legitimate interests.

Koyden will assess such requests and will stop processing unless there are compelling legitimate grounds to continue or processing is required for legal reasons.

9.7 Right to Withdraw Consent

Where processing is based on user consent, users may withdraw their consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

9.8 Right to Lodge a Complaint

Users have the right to lodge a complaint with a competent data protection authority if they believe their personal data has been processed unlawfully.

In Belgium, this is the Belgian Data Protection Authority. Users may also contact their local supervisory authority within the European Union.

9.9 Exercising Your Rights

Users may exercise their rights by contacting Koyden using the contact details provided in this Privacy Policy.

For security and privacy reasons, Koyden may need to verify the identity of the requesting user before responding to a request.

Requests will be handled within the time limits required by applicable data protection laws.

10. International Data Transfers

Koyden operates primarily within the European Union. However, personal data may be transferred to, stored, or processed in countries outside the European Economic Area (EEA) as part of the operation of the services.

This may occur, for example, when Koyden uses third-party service providers with global infrastructure.

10.1 Transfers via Third-Party Service Providers

Some of Koyden’s service providers may process personal data in countries outside the EEA.

When such transfers occur, Koyden ensures that appropriate safeguards are in place, such as:

  • Transfers to countries recognized by the European Commission as providing an adequate level of data protection; or
  • The use of approved contractual safeguards, such as Standard Contractual Clauses (SCCs); or
  • Other lawful transfer mechanisms permitted under applicable data protection laws

In particular, certain service providers used by Koyden, such as authentication, infrastructure, network, or payment providers, may process personal data on infrastructure located outside the European Economic Area, including in the United States, depending on their service configuration and global operations.

10.2 Safeguards and Compliance

Koyden takes reasonable steps to ensure that international data transfers comply with applicable data protection requirements and that personal data continues to be protected in accordance with this Privacy Policy.

Where required, additional technical or organizational measures may be implemented to protect transferred data.

10.3 Transparency

Users may contact Koyden using the details provided in this Privacy Policy to obtain further information about international data transfers and the safeguards applied.

11. Data Security Measures

Koyden implements appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.

These measures are intended to ensure a level of security appropriate to the nature of the data processed and the risks involved.

11.1 Technical Safeguards

Koyden relies on industry-standard security practices, including but not limited to:

  • Secure communication using encryption in transit (HTTPS/TLS)
  • Access controls and authentication mechanisms to limit access to authorized users and systems
  • Role-based access restrictions within the platform and its infrastructure
  • Separation of public and restricted data through database policies and permissions
  • Monitoring and logging mechanisms used for security, abuse prevention, and system integrity

Passwords and authentication secrets are not stored directly by Koyden.

11.2 Infrastructure and Service Providers

Koyden uses reputable third-party infrastructure and service providers to host, process, and deliver parts of the services.

These providers implement their own security measures, which may include:

  • Physical and environmental security controls
  • Network security protections
  • Data redundancy and backup mechanisms
  • Incident detection and response procedures

While Koyden carefully selects service providers that apply recognized security standards, Koyden does not control all aspects of their internal security practices.

11.3 Media Storage and Content Delivery

User-uploaded media (such as images or videos) may be stored and delivered through external infrastructure and content delivery networks.

Due to the nature of distributed caching systems:

  • Media may remain temporarily accessible through cached copies after deletion
  • Cached content is subject to automatic expiration and invalidation mechanisms
  • Koyden does not guarantee immediate global removal of cached content once media is deleted

Koyden takes reasonable steps to manage media access and visibility but cannot eliminate all residual copies instantly due to technical constraints inherent to content delivery systems.

11.4 Organizational Measures

Access to personal data is limited to individuals who require it for operational, security, or legal purposes.

Koyden applies internal controls designed to:

  • Reduce unnecessary access to personal data
  • Prevent accidental or unlawful processing
  • Support data minimization and purpose limitation principles

11.5 Security Limitations

Despite reasonable safeguards, no system can be guaranteed to be fully secure.

Koyden cannot warrant or guarantee absolute security of personal data and encourages users to take appropriate precautions when using the services.

12. Children’s Data

Koyden is not intended for use by children under the age of 16.

Koyden does not knowingly collect or process personal data from children under 16.

If Koyden becomes aware that personal data of a child under 16 has been collected without an appropriate legal basis, steps will be taken to delete such data as soon as possible.

If you are a parent or legal guardian and believe that a child has provided personal data to Koyden, please contact us using the contact details provided in this Privacy Policy.

13. Changes to This Privacy Policy

Koyden may update this Privacy Policy from time to time to reflect:

  • Changes in legal or regulatory requirements
  • Updates to the services or data processing practices
  • Improvements in transparency or clarity

When changes are made:

  • The updated version will be made available through the app or associated services
  • The “Last updated” date at the end of this policy will be revised accordingly
  • Where required by law, users will be notified of material changes

Continued use of the services after an update constitutes acceptance of the revised Privacy Policy, subject to applicable legal requirements.

14. Contact Information

For questions or concerns regarding this Privacy Policy or the processing of personal data, you may contact Koyden at:

15. Last Updated

Last updated: 09 January 2026

16. Languages and interpretation

This Privacy Policy may be made available in multiple languages. In the event of any inconsistency between language versions, the versions shall be interpreted consistently. Where required by applicable law, users’ rights under the applicable language version remain unaffected.

For internal consistency purposes, the English version is used as the drafting reference. This does not affect users’ rights under applicable law.