Privacy Policy

1. Introduction

HEVN Inc. ("HEVN," "we," "our," or "us") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect information when you access or use our website at hevn.finance (the "Website"), our mobile application, and the technology platform and related services we provide (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Privacy Policy, please do not use our Services.

Capitalized terms used but not defined in this Privacy Policy have the meanings set forth in our Terms of Use .

Digital Asset Architecture

HEVN provides Non-Custodial Smart Contract Wallet infrastructure. You retain full control of your Digital Assets, which are authorized via PassKey-based cryptographic authentication directly at the smart contract level.

Private keys remain exclusively under your control. HEVN does not take custody of Digital Assets and does not have unilateral or joint control over user funds.

Blockchain Transparency

Blockchain transactions are publicly recorded and immutable. HEVN does not control the blockchain network and cannot reverse confirmed transactions.

Scope of Data Processing

HEVN processes only the minimum personal and business information necessary to provide technology services, facilitate user-authorized transactions, and comply with applicable legal and regulatory requirements.

Data Minimization and Deletion

Your data security is a priority. HEVN collects and retains only the minimum personal data necessary to provide the Services and to comply with applicable legal obligations.

We retain on a long-term basis only basic account information required for ongoing service delivery: your name, email address, phone number, and wallet address. All other personal data — including identity documents, financial statements, and verification materials — is collected solely for KYB/KYC verification, transmitted to regulated third-party verification providers as part of the account opening process you initiate, and deleted from HEVN's systems after the verification process is complete across all providers.

We do not maintain long-term storage of identity documents, government-issued IDs, or other sensitive verification materials.

Special Categories and Sensitive Data

HEVN does not intentionally collect or process special categories of personal data as defined under GDPR Article 9, including health information, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation.

HEVN does not collect or store raw biometric templates. Where biometric verification is required as part of third-party identity verification (e.g., facial recognition for KYC), such processing is performed entirely by the third-party provider under its own data processing terms.

Certain information collected by HEVN — such as government-issued identification numbers, financial account details, and precise geolocation — may be classified as "sensitive personal information" under the California Privacy Rights Act (CPRA) and similar state privacy laws. HEVN's collection and processing of such data is described in Section 2 and is limited to what is strictly necessary to provide the Services and comply with legal obligations.

Role Clarification

HEVN acts as an independent technology provider. Where regulated financial institutions require personal data to provide fiat conversion or banking services, such institutions act as independent controllers under their own regulatory frameworks.

2. Information We Collect

We collect different categories of information depending on how you interact with our Services. Information is classified as either retained data (stored for the duration of the account relationship) or transient verification data (collected for KYB/KYC purposes, shared with verification providers as part of the user-initiated account opening process, and deleted from HEVN's systems after verification is complete).

Retained Account Data

• Full legal name and email address
• Phone number
• Stablecoin wallet addresses

Transient Verification Data (Deleted After KYB/KYC Completion)

The following information is collected solely for identity and business verification, transmitted to regulated third-party providers as part of the user-initiated account opening process, and deleted from HEVN's systems once verification is complete across all providers:

• Date of birth, nationality, and residential address
• Government-issued identification documents (passport, national ID, driver's license)
• Proof of address documentation
• Tax identification numbers and tax residency information
• Company registration number, jurisdiction of incorporation, and business address
• Industry and description of business activities
• Beneficial ownership information and details of directors, officers, and authorized signatories
• Financial statements and source-of-funds documentation
• Expected transaction volumes and business purpose

Financial Information

• Transaction history, payment details, and account balances
• On-chain transaction data

Technical and Usage Data

• IP address, browser type, operating system, and device identifiers
• Log data, clickstream data, and pages viewed on our Website
• Geolocation data (where permitted by your device settings)
• Information collected through cookies, pixels, and similar technologies

Communications Data

• Records of your communications with our support team
• Survey responses and feedback you provide
• Any other information you voluntarily submit to us

Sensitive Personal Information (CPRA)

As described in Section 1, certain transient verification data we collect may be classified as sensitive personal information under the CPRA, including government-issued identification numbers and financial account information. This data is collected solely for KYB/KYC verification as part of the user-initiated account opening process, shared with regulated verification providers, and deleted from HEVN's systems after verification is complete. HEVN does not use sensitive personal information for profiling or advertising purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To open and maintain your account, process transactions, issue cards, and provide our core Services
• Identity Verification: To verify your identity and conduct Know Your Customer (KYC) and Know Your Business (KYB) checks as required by applicable regulations
• Compliance: To comply with anti-money laundering (AML), counter-terrorist financing (CTF), sanctions screening, and other applicable legal and regulatory obligations
• Fraud Prevention and AML Monitoring: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities
• Communication: To send you service-related notifications, security alerts, transaction confirmations, and account updates
• Product Improvement: To analyze usage patterns, improve our Services, and develop new features
• Marketing: To send you promotional communications about our Services (with your consent where required; you may opt out at any time)
• Legal Proceedings: To establish, exercise, or defend legal claims and to comply with court orders or legal process

4. Legal Bases for Processing

We process your personal data on the following legal grounds, as applicable:

• Contractual Necessity: Processing is necessary to perform our contract with you, including providing our Services and managing your account
• Legal Obligation: Processing is required to comply with applicable laws, including AML/CTF regulations, tax reporting requirements, and financial regulations
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as fraud prevention, security, service improvement, and business analytics, provided these interests do not override your fundamental rights
• Consent: Where required by law, we process your data based on your freely given consent, which you may withdraw at any time

5. Data Sharing and Disclosure

We are transparent about how your data is shared. Personal and identity data is shared with third parties only for KYB/KYC verification and regulatory compliance purposes and only as part of the user-initiated account opening and verification process . We never share your personal data for marketing, advertising, or profiling.

We may share your information with the following categories of third parties:

• Identity and Business Verification Providers: Third-party services that conduct KYC/KYB checks, identity verification, and sanctions screening
• Digital Asset Conversion Providers: When users initiate Digital Asset conversion to fiat currency, HEVN shares necessary transaction data with regulated conversion providers to facilitate settlement
• Banking and Payment Partners: Regulated financial institutions that provide banking infrastructure, including account services, card issuance, and payment processing
• Regulatory and Government Authorities: Tax authorities, financial regulators, law enforcement agencies, and other government bodies as required by law or legal process
• Service Providers: Technology vendors, cloud hosting providers, customer support platforms, and analytics providers who assist in operating our Services
• Professional Advisors: Legal, accounting, and auditing professionals as needed for our business operations
• Corporate Transactions: In connection with a merger, acquisition, reorganization, or sale of all or a portion of our assets

We do not sell, rent, or trade your personal information.

6. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside, including the United States, Switzerland, and the European Economic Area. These countries may have data protection laws that differ from the laws in your jurisdiction.

When we transfer your data internationally, we implement appropriate safeguards to ensure that your information remains protected. These safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (UK IDTA) for transfers from the United Kingdom, adequacy decisions, or other legally recognized transfer mechanisms.

7. Data Security

We implement robust technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Multi-factor authentication and role-based access controls
• Regular security assessments and vulnerability scanning
• Secure data centers with physical access controls and redundancy
• Employee security training and strict data handling procedures
• Incident response procedures and breach notification protocols

We are committed to maintaining the highest industry standards for data protection. While no method of electronic transmission or storage is 100% secure, we continuously invest in improving our security measures to safeguard your information.

8. Data Retention

HEVN applies differentiated retention periods based on data category:

• Retained Account Data (name, email, phone number, wallet address): Retained for the duration of the account relationship and for a reasonable period thereafter as required by applicable law
• Transient Verification Data (identity documents, business documents, financial statements, government-issued IDs): Deleted from HEVN's systems after KYB/KYC verification is complete across all providers
• Transaction Data: Retained as required by applicable laws and regulations, including AML record-keeping requirements (minimum 5 years after the end of the business relationship)
• Technical and Usage Data: Retained for the period necessary for security, analytics, and service improvement purposes

When your data is no longer required, we will securely delete or anonymize it in accordance with our data retention policies and applicable law.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data, subject to legal retention requirements
• Restriction: Request that we limit the processing of your personal data in certain circumstances
• Portability: Request a machine-readable copy of your data for transfer to another service provider
• Objection: Object to processing of your data based on our legitimate interests
• Withdraw Consent: Where processing is based on consent, withdraw your consent at any time
• Automated Decision-Making: Request not to be subject to decisions based solely on automated processing
• Right to Limit (CPRA): If you are a California resident, you may request that we limit the use and disclosure of your sensitive personal information

To exercise any of these rights, please contact us at [email protected] .

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and deliver personalized content. The types of cookies we use include:

• Essential Cookies: Required for the operation of our Website and Services, including session management and security features. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our Website by collecting usage statistics and performance data
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences

Where required by applicable law, we obtain your consent before placing non-essential cookies on your device. You may also manage your cookie preferences through your browser settings.

11. Third-Party Services

Our Services may contain links to or integrate with third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you interact with.

Your use of banking and financial products through our platform may be subject to additional privacy policies of our banking partners, which will be provided to you when you open an account or apply for related services.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable laws. We will notify you of any material changes by posting the updated policy on our Website and updating the "Last updated" date. For material changes that affect how we process your data, we will provide you with reasonable prior notice through email or an in-platform notification.

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: