PRIVACY POLICY – REVELA

1. WHO WE ARE The REVELA platform is operated by NUKOD LTD, a company registered in England and Wales. For the purposes of applicable data protection laws, including the UK General Data Protection Regulation and, where applicable, the EU General Data Protection Regulation, NUKOD LTD acts as the data controller in relation to personal data processed through the REVELA platform. REVELA may be contacted at: contact@revela.club The development, maintenance and hosting of the platform are provided by HyperDrift, acting as an independent technical service provider and, where applicable, as a data processor acting on behalf of REVELA. 2. SCOPE OF THIS PRIVACY POLICY This Privacy Policy applies to personal data processed in connection with: access to and use of the REVELA platform; creation and management of user accounts; invitation-only access; identity verification and KYC checks; submission and review of artworks; submission, transmission and management of acquisition offers; transactions between users; payment processing through third-party providers; logistics and delivery coordination; compliance, AML, fraud prevention and sanctions checks; user communications; platform security; analytics, cookies and similar technologies; improvement and development of REVELA’s services. This Privacy Policy does not apply to third-party websites, services, payment providers, identity verification providers, carriers or other external providers that REVELA does not own or control. Such third parties may apply their own privacy policies. 3. PERSONAL DATA WE COLLECT REVELA may collect and process the categories of personal data described below. 3.1 Account and profile data This may include: first name and last name; email address; phone number, where required; password or authentication credentials; account status; invitation code or invitation status; language preference; verification status; user role, such as buyer, seller, invited user or verified user; account activity and access history. REVELA does not store passwords in plain text. 3.2 Identity verification and KYC data For identity verification and compliance purposes, REVELA may process, directly or through a third-party provider, data such as: identity verification status; identity document information; date of birth; nationality; residential address; verification result; risk indicators; fraud indicators; information required to confirm the identity of a user. Identity documents, facial verification, biometric checks or similar verification data may be processed by a third-party KYC provider, such as Didit or any equivalent provider, in accordance with its own terms and privacy policy. REVELA may retain verification status, reference identifiers, audit trails and compliance information necessary for the operation of the platform and for legal, regulatory, fraud prevention or compliance purposes. 3.3 Seller and artwork data When a user submits an artwork, REVELA may collect and process: seller identification details; information about the owner or authorised representative; artwork description; artist name; title, medium, dimensions, date and condition information; images or videos of the artwork; provenance information; certificates, invoices or supporting documentation; estimated value, desired price, reserve or indicative amount; information relating to resale royalty, artist’s resale right, droit de suite, taxes or reporting obligations; internal review notes relating to the submitted artwork. 3.4 Offer and transaction data When users submit, receive, accept or confirm offers, REVELA may process: offer amounts; offer history; timestamps; status of the offer; seller acceptance or refusal; buyer confirmation; transaction amount; commission amounts; payment status; transaction references; records of communications relating to the transaction; records necessary to evidence the formation, confirmation or follow-up of a transaction. 3.5 Payment data Payments are processed by a third-party payment service provider, including Stripe or any equivalent provider. REVELA may process limited payment-related information, such as: payment status; transaction reference; amount paid; commission amount; subscription amount; invoice or receipt details; payment failure or cancellation status; refund or dispute status, where applicable. REVELA does not collect or store full card numbers, card security codes or full payment credentials. Payment data is processed by the relevant payment service provider in accordance with its own contractual terms and privacy policy. 3.6 Delivery and logistics data For delivery purposes, REVELA may process: buyer name; delivery address; carrier information; tracking number; shipment references; delivery status; contact details required by a carrier, where strictly necessary. By default, REVELA does not transmit the buyer’s direct email address or phone number to the seller. Where strictly necessary for delivery, REVELA may transmit only the minimum necessary contact details directly to the carrier or logistics provider—not to the seller. Where possible, REVELA transmits necessary delivery information directly to the carrier rather than through the seller. 3.7 Compliance, AML and sanctions data For compliance, anti-money laundering, counter-terrorist financing, sanctions screening and fraud prevention purposes, REVELA may process: identity information; source of funds information; source of wealth information; beneficial ownership information; politically exposed person status; sanctions screening results; provenance and ownership information relating to artworks; risk assessments; supporting documents; compliance notes; audit trails. REVELA may request additional documents or information where necessary to assess legal, regulatory, financial, reputational or compliance risks. 3.8 Communications data When users contact REVELA or communicate through the platform, REVELA may process: email messages; contact form submissions; support requests; feedback; complaints; communications relating to artworks, offers, transactions, delivery or disputes. 3.9 Technical, usage and security data REVELA may collect technical and usage data such as: IP address; device type; browser type; operating system; approximate location derived from technical data; access logs; session data; page views; actions performed on the platform; security logs; error logs; cookie identifiers or similar technologies. This data is used to operate, secure, maintain and improve the platform. 3.10 Marketing and preference data Where applicable, REVELA may process: newsletter subscription status; marketing preferences; communication preferences; consent records; unsubscribe requests; responses to campaigns or communications. 4. DATA WE RECEIVE FROM THIRD PARTIES REVELA may receive personal data from third parties where necessary for the operation of the platform and related services. This may include data received from: identity verification and KYC providers; payment service providers; logistics or delivery providers; buyers, sellers or authorised representatives; professional advisers; compliance databases; sanctions or fraud prevention tools; public sources, where relevant for provenance, compliance or risk assessment. REVELA will process such data only where it has a lawful basis to do so. 5. HOW REVELA USES PERSONAL DATA REVELA may process and use personal data recorded on the platform where necessary for the operation, management, protection and development of its activity. This includes, without limitation, processing personal data for: providing access to the platform and related services; managing user accounts and invitations; verifying user identity and access rights; carrying out compliance, KYC, AML, fraud prevention and sanctions checks; reviewing artworks submitted to the platform; managing the confidential presentation of artworks; transmitting and managing acquisition offers; enabling sellers to accept, refuse or follow up on offers; enabling buyers to confirm transactions; following up transactions between users; processing payments through third-party payment service providers; calculating commissions and subscription fees; issuing or managing invoices, receipts or transaction records; coordinating logistics and delivery information; preventing fraud, misuse, abusive conduct and circumvention; managing complaints, disputes and enforcement of the Terms; protecting REVELA’s legal, commercial and reputational interests; securing, maintaining, troubleshooting and improving the platform; analysing the use and performance of the platform; developing REVELA’s services and commercial activity; sending service communications; sending marketing communications where permitted by law; complying with legal, regulatory, tax, accounting, AML and sanctions obligations. REVELA shall only process personal data for purposes that are lawful, specified, legitimate and proportionate to the operation of the platform and its activity. REVELA shall not sell personal data to third parties. 6. LAWFUL BASES FOR PROCESSING REVELA processes personal data only where a lawful basis applies. Depending on the context, the lawful bases may include: 6.1 Performance of a contract Processing may be necessary to provide access to the platform, manage user accounts, enable offers, support transactions, process payments and provide related services. 6.2 Legal obligation Processing may be necessary to comply with legal, regulatory, tax, accounting, AML, sanctions, fraud prevention or reporting obligations. 6.3 Legitimate interests REVELA may process personal data where necessary for its legitimate interests, including: operating a private art transaction platform; preserving confidentiality between users; reviewing artworks submitted to the platform; protecting the integrity and reputation of the platform; preventing fraud, abuse and circumvention; enforcing the Terms; securing the platform; managing disputes; improving services; protecting REVELA’s legal and commercial interests. REVELA will not rely on legitimate interests where such interests are overridden by the rights and freedoms of the individual. 6.4 Consent REVELA may rely on consent where required, including for certain marketing communications, non-essential cookies or optional features. Where processing is based on consent, the user may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal. 7. KYC, AML AND COMPLIANCE CHECKS Access to certain features of REVELA may require identity verification and compliance checks. REVELA may use third-party providers, including Didit or equivalent providers, to verify identity, perform KYC checks, screen users and reduce fraud or compliance risks. REVELA may also request additional information directly from users, including information relating to: identity; source of funds; source of wealth; beneficial ownership; artwork ownership; provenance; sanctions status; tax or reporting obligations; any other matter relevant to compliance or risk assessment. Where REVELA considers that the information provided is incomplete, inconsistent, insufficient or gives rise to legal, regulatory, financial, reputational or compliance concerns, REVELA may refuse, restrict, suspend or terminate access to the platform or to a transaction. 8. WHO WE SHARE PERSONAL DATA WITH REVELA may share personal data only where necessary and proportionate. Personal data may be shared with: technical service providers, including HyperDrift; hosting providers; identity verification and KYC providers, including Didit or equivalent providers; payment providers, including Stripe or equivalent providers; email and communication service providers; analytics providers, where applicable; security, fraud prevention, compliance or sanctions screening providers; professional advisers, including lawyers, accountants, auditors or compliance consultants; transporters or logistics providers, where necessary for delivery; buyers or sellers, only to the extent necessary to complete a transaction; public authorities, regulators, courts, law enforcement, tax authorities or other competent bodies where required or permitted by law; any successor, purchaser or transferee in the event of a corporate transaction, restructuring, merger, transfer of assets or similar operation, subject to appropriate safeguards. REVELA does not sell personal data. 9. DATA SHARED BETWEEN BUYERS AND SELLERS REVELA is designed to preserve confidentiality between users as far as reasonably possible. REVELA does not automatically disclose full contact details between buyers and sellers. Seller and buyer information may be shared only where necessary for: confirmation of a transaction; payment processing; delivery; legal or tax compliance; dispute resolution; compliance checks; enforcement of the Terms; prevention of fraud or circumvention. For delivery purposes, the buyer’s name and address may be shared with the seller only after confirmation of the transaction and full payment via the platform. By default, the buyer’s direct email address and phone number are not transmitted to the seller. Where a carrier requires additional contact details, REVELA may transmit only the strictly necessary information directly to the carrier where possible. 10. CONFIDENTIALITY OF ARTWORKS, OFFERS AND TRANSACTIONS REVELA operates as a confidential platform. Information relating to artworks, sellers, buyers, offers, transaction amounts, provenance, ownership and negotiations may be treated as confidential and may be disclosed only where necessary for: operation of the platform; review of submitted artworks; transmission and management of offers; completion of a transaction; payment processing; delivery; compliance checks; tax, legal or regulatory obligations; enforcement of the Terms; protection of REVELA’s rights, users or platform. REVELA may keep internal records of artworks, offers and transactions where necessary for legal, compliance, accounting, tax, audit, security, dispute resolution or business continuity purposes. 11. PAYMENT PROCESSING Payments are processed by third-party payment service providers, including Stripe or equivalent providers. REVELA does not collect or store full payment card details. Payment providers may process personal data independently in accordance with their own terms and privacy policies. REVELA may receive limited information from payment providers, including payment status, transaction references, amount paid, commission amount, subscription amount, refund status, dispute status or payment failure information. 12. INTERNATIONAL TRANSFERS REVELA, its service providers or third-party partners may process personal data in the United Kingdom, the European Economic Area or other countries. Where personal data is transferred outside the United Kingdom or the European Economic Area, REVELA will take appropriate steps to ensure that such transfer is made in accordance with applicable data protection laws. This may include relying on: an adequacy decision; standard contractual clauses; the UK International Data Transfer Agreement or UK Addendum; contractual, organisational and technical safeguards; any other lawful transfer mechanism available under applicable law. 13. HOW LONG WE KEEP PERSONAL DATA REVELA keeps personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. Retention periods may vary depending on the type of data and the reason for processing. In general: account data may be kept for as long as the account remains active and for a reasonable period after closure; invitation and access data may be kept for as long as necessary to manage access, security and abuse prevention; transaction data may be kept for the period necessary for contractual, accounting, tax, legal and audit purposes; KYC, AML and compliance records may be kept for the period required by applicable law or for as long as necessary to evidence compliance; artwork submission data may be kept for as long as necessary to manage the submitted artwork, related offers, legal risks, provenance issues or platform records; communications may be kept for as long as necessary to manage requests, disputes, enforcement or legal risks; technical logs may be kept for a limited period necessary for security, troubleshooting and audit purposes; marketing preference records may be kept for as long as necessary to respect opt-out requests. Where data is no longer required, REVELA will delete, anonymise or securely archive it, unless continued retention is required for legal, regulatory, tax, accounting, dispute resolution, compliance, security or fraud prevention purposes. 14. SECURITY REVELA takes reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include: access controls; authentication systems; encryption where appropriate; restricted administrative access; secure hosting; logging and monitoring; data minimisation; confidentiality obligations for service providers; internal access restrictions; security review and maintenance. No online platform can guarantee absolute security. Users are responsible for keeping their account credentials confidential and for notifying REVELA of any suspected unauthorised access. 15. USER RIGHTS Subject to applicable law and any legal limitations, users may have the following rights: the right to access their personal data; the right to request correction of inaccurate or incomplete data; the right to request deletion of personal data; the right to restrict processing; the right to object to processing; the right to data portability; the right to withdraw consent where processing is based on consent; the right not to be subject to certain automated decisions; the right to lodge a complaint with a data protection authority. To exercise these rights, users may contact REVELA at: contact@revela.club REVELA may request proof of identity before responding to a request. Some requests may be refused or limited where REVELA is required or permitted to retain data, including for legal, regulatory, AML, tax, accounting, security, dispute resolution, fraud prevention or enforcement purposes. 16. COMPLAINTS TO A SUPERVISORY AUTHORITY Users may lodge a complaint with a competent data protection authority. For the United Kingdom, the supervisory authority is the Information Commissioner’s Office (ICO). Users located in the European Union may also contact the data protection authority of their country of residence. REVELA encourages users to contact REVELA first so that any issue may be addressed directly where possible. 17. MARKETING COMMUNICATIONS REVELA may send service communications relating to: account activity; invitations; verification; artworks; offers; transactions; payments; delivery; security; updates to the platform; changes to legal documents. These service communications are necessary for the operation of the platform and cannot usually be opted out of while the user maintains an active account. REVELA may also send marketing communications, newsletters, invitations or promotional messages where permitted by law. Users may unsubscribe from marketing communications at any time by using the unsubscribe link or by contacting: contact@revela.club Unsubscribing from marketing communications does not affect the sending of service or transactional communications. 18. COOKIES AND SIMILAR TECHNOLOGIES REVELA may use cookies and similar technologies to operate the platform, maintain sessions, improve security, remember preferences, measure audience activity and improve the user experience. Cookies may include: strictly necessary cookies; authentication cookies; security cookies; preference cookies; analytics cookies; marketing or advertising cookies, where applicable. Strictly necessary cookies are required for the operation of the platform and cannot be disabled through the platform. Non-essential cookies, such as analytics or marketing cookies, will be used only where permitted by law and, where required, subject to user consent. Users may manage their cookie preferences through the cookie banner or settings made available on the platform, where applicable. Users may also manage cookies through their browser settings. Where REVELA uses non-essential cookies, additional information may be provided in a separate Cookie Policy or cookie preferences tool. 19. AGGREGATED AND ANONYMISED DATA REVELA may create aggregated, anonymised or statistical data from information collected through the platform. Where data has been anonymised so that it no longer identifies any individual, REVELA may use it for legitimate business purposes, including: analysing platform performance; understanding market activity; improving services; developing new features; producing internal reporting; commercial strategy; security analysis. Aggregated or anonymised data does not identify individual users and is not treated as personal data under this Privacy Policy where it cannot reasonably be used to identify an individual. 20. AUTOMATED TOOLS AND RISK ASSESSMENT REVELA does not make decisions producing legal effects concerning users solely by automated means. However, REVELA or its third-party providers may use automated tools to assist with: identity verification; fraud prevention; sanctions screening; AML checks; risk assessment; security checks; platform moderation; abuse prevention. Where such tools indicate a potential risk, REVELA may manually review the situation or request additional information before granting access, allowing an artwork to be submitted or allowing a transaction to proceed. 21. THIRD-PARTY SERVICES REVELA may use third-party services for hosting, identity verification, payment processing, analytics, email delivery, security, logistics or other operational purposes. These third-party services may process personal data in accordance with their own terms and privacy policies. REVELA is not responsible for the privacy practices of third-party websites or services that are not owned or controlled by REVELA. 22. CHILDREN The REVELA platform is not intended for children. Users must be legally capable of using the platform and entering into transactions. REVELA does not knowingly collect personal data from children. If REVELA becomes aware that personal data has been collected from a child without appropriate legal basis, REVELA may delete such data and suspend or close the relevant account. 23. CHANGES TO THIS PRIVACY POLICY REVELA may update this Privacy Policy from time to time. The updated version will be published on the platform with a revised “Last updated” date. Where changes are material, REVELA may notify users by email or through the platform. Continued use of the platform after publication of the updated Privacy Policy constitutes acknowledgement of the updated Privacy Policy. 24. LANGUAGE In case of divergence, inconsistency or contradiction between different language versions of this Privacy Policy, the English version shall prevail. 25. CONTACT For any question relating to this Privacy Policy or the processing of personal data, REVELA may be contacted at: contact@revela.club