Privacy Notice
Date of Revision: 05 August 2025
Privacy Notice of EverAI Limited
EverAI Limited ("EverAI", "we", "us" or "our") is the Controller for the processing implemented through this website accessible at https://candy.ai/ and/or any affiliated website to which visitors or users may be redirected (the "Services"). EverAI is duly incorporated in the Republic of Malta, having its address at 56 Central Business Centre, Triq Is-Soll, Santa Venera SVR 1833, Malta, and registered with the Malta Business Registry under the number C107181.
The Services are an online chat application that uses artificial intelligence algorithms to generate virtual and fictional characters (the "AI Companions"), with whom you as a user of the Services ("you") can chat and exchange messages. The Services also include, but are not necessarily limited to, other media such as images, videos and voice notes. Parts of the Services may require you to create a user account and/or become a paid subscriber.
This Privacy Notice details how EverAI collects, uses, discloses and handles your Personal Data for the Services and, as applicable, your rights under the European Union’s General Data Protection Regulation 2016/679, and Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector ("ePrivacy Directive") (together "EU GDPR"), the UK Data Protection Act 2018 and the Privacy and Electronic Communications, Regulations 2003 ("PECR") (together "UK GDPR"), or the Federal Act on Data Protection 235.1 ("FADP"), together referred as "Applicable Data Protection Law".
By using the Services, you agree that you have read and understood our Privacy Notice.
The Services are an online chat application that uses artificial intelligence algorithms to generate virtual and fictional characters (the "AI Companions"), with whom you as a user of the Services ("you") can chat and exchange messages. The Services also include, but are not necessarily limited to, other media such as images, videos and voice notes. Parts of the Services may require you to create a user account and/or become a paid subscriber.
This Privacy Notice details how EverAI collects, uses, discloses and handles your Personal Data for the Services and, as applicable, your rights under the European Union’s General Data Protection Regulation 2016/679, and Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector ("ePrivacy Directive") (together "EU GDPR"), the UK Data Protection Act 2018 and the Privacy and Electronic Communications, Regulations 2003 ("PECR") (together "UK GDPR"), or the Federal Act on Data Protection 235.1 ("FADP"), together referred as "Applicable Data Protection Law".
By using the Services, you agree that you have read and understood our Privacy Notice.
1. Definitions
All capitalized terms not otherwise defined in this Privacy Notice or in the GDPR shall have the following meaning:
- "Content": the information that you provide in order to register as a User and/or in the course of using our Services. Such information includes your Personal Data, inputs in the course of conversations with AI Companions, and outputs in response to same;
- "Consent": any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or a clear affirmative action, signifies agreement to the Processing of Personal Data relating to you;
- "Controller": the natural or legal person, alone or jointly with others, who determines the purposes and means of the Processing of Personal Data and for the purposes of the Services (EverAI);
- "Performance of our Services": the actions necessary for us to provide our Services;
- "Personal Data": any information relating to an identified or identifiable natural person, directly or indirectly (“Data Subject”), such as your name, address, marital status, date of birth, gender, office location, position, company name, spoken languages, photos, your account number, your location data;
- "Processing": any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "Subscription": an arrangement between EverAI Limited and you to enable you to benefit from and/or use the Services;
- "User", "you" and "your": collectively a person that has visited or is using the Services;
- "Visitor": anyone who is browsing the Services without a valid Subscription.
- "Content": the information that you provide in order to register as a User and/or in the course of using our Services. Such information includes your Personal Data, inputs in the course of conversations with AI Companions, and outputs in response to same;
- "Consent": any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or a clear affirmative action, signifies agreement to the Processing of Personal Data relating to you;
- "Controller": the natural or legal person, alone or jointly with others, who determines the purposes and means of the Processing of Personal Data and for the purposes of the Services (EverAI);
- "Performance of our Services": the actions necessary for us to provide our Services;
- "Personal Data": any information relating to an identified or identifiable natural person, directly or indirectly (“Data Subject”), such as your name, address, marital status, date of birth, gender, office location, position, company name, spoken languages, photos, your account number, your location data;
- "Processing": any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "Subscription": an arrangement between EverAI Limited and you to enable you to benefit from and/or use the Services;
- "User", "you" and "your": collectively a person that has visited or is using the Services;
- "Visitor": anyone who is browsing the Services without a valid Subscription.
2. Purposes of Personal Data Processing
As we are committed to respect your privacy, such Services will always be provided in accordance with the most relevant legal basis. If you do not or cannot provide us with the required data, we may not be able to provide the Services to you.
| Purpose of the Processing | Categories of Personal Data | Legal basis |
|---|---|---|
|
Account creation Managing your registration to our Services. |
|
Consent; necessity for the performance of a contract; compliance with our legal obligations. |
| Account management |
|
Our legitimate interest in addressing your queries. |
Provision of the Services
|
Content data i.e.:
|
Consent; necessity for the performance of a contract. |
|
Support of the Services Service support to inform you and to answer your request (sending of service email, technical support, answers to customers etc.). |
|
Our legitimate interest in addressing your queries and technical issues. |
|
Payment processing Processing by payment service providers for security and payment for:
|
Emerchant Pay (EMP) and TrustPay (TP)
|
Necessity for the performance of a contract. |
Direct Marketing
|
|
Our legitimate interest in improving our Services (direct marketing by us for similar products and Services) or consent (third party marketing). |
|
Analytics other than through cookies or other tracking technologies Allowing customer surveys, marketing campaigns, market analysis. |
|
Consent |
Safety
|
|
Necessity to comply with legal obligations or, as the case may be, necessity for the performance of a contract (in case of breach of our policies). |
Legal & Accounting
|
Supporting data (as provided by you) such as contact data, payment data or credentials. | Necessity for compliance with legal obligations. |
| Complying with lawful requests from authorities, court orders and exercising and/or defending our legal rights. | Supporting data (as provided by you) such as contact data, payment data or credentials, and/or any information within the scope of lawful legal requests or processes. | Complying with our legal obligations; our legitimate interest in defending our rights. |
3. Marketing
We may send you marketing about our Services, other information in the form of alerts, newsletters and invitations to events or functions which we believe might be of interest to you, or in order to update you with information which we believe may be relevant to you (such as commercial news). We may communicate this to you according to the contact channels you provided and your stated preferences, including by telephone, email or other digital channels.
If you do not wish to receive marketing information from us, you can unsubscribe by:
a. clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or
b. contacting us using the contact details specified in Section 11 below.
Please note that opting-out of marketing communications will not affect the sending of communications related to the Services themselves.
If you do not wish to receive marketing information from us, you can unsubscribe by:
a. clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or
b. contacting us using the contact details specified in Section 11 below.
Please note that opting-out of marketing communications will not affect the sending of communications related to the Services themselves.
4. Third Party Marketing
We will get your express opt-in Consent before we share your Personal Data with any company outside EverAI for marketing purposes.
You can ask us or third parties to stop sending you direct marketing messages by electronic means at any time by logging into the Services or third parties' websites and adjusting your marketing preferences, or by following the opt-out links on any marketing message sent to you by such third parties.
You can ask us or third parties to stop sending you direct marketing messages by electronic means at any time by logging into the Services or third parties' websites and adjusting your marketing preferences, or by following the opt-out links on any marketing message sent to you by such third parties.
5. Sharing your Personal Data
We may share your information with:
a. service providers to deliver the Services as follows:
• payment service providers (based in EU for European users); and
• hosting service providers (based in the US); and
• email marketing tools providers (based in the US); and
• affiliate partner tools (based in the EU).
b. professional advisers where necessary to obtain advice or assistance, including lawyers, accountants, IT or public relations advisers;
c. legal and regulatory authorities, as required by applicable laws and regulations; and
d. our employees, as needed for them to carry out their work.
We will not disclose, sell, trade, or otherwise transfer your Personal Data to any third parties without your Consent (where required) or unless otherwise stated in this Privacy Notice.
If EverAI Limited merges with, or is acquired by, another company or organization, or sells all or a portion of its assets, your Personal Data may be disclosed to our advisers, any prospective purchaser or any prospective purchaser's adviser, and may be among the assets transferred. However, Personal Data will always remain subject to this Privacy Notice, as updated in accordance with section 13.
a. service providers to deliver the Services as follows:
• payment service providers (based in EU for European users); and
• hosting service providers (based in the US); and
• email marketing tools providers (based in the US); and
• affiliate partner tools (based in the EU).
b. professional advisers where necessary to obtain advice or assistance, including lawyers, accountants, IT or public relations advisers;
c. legal and regulatory authorities, as required by applicable laws and regulations; and
d. our employees, as needed for them to carry out their work.
We will not disclose, sell, trade, or otherwise transfer your Personal Data to any third parties without your Consent (where required) or unless otherwise stated in this Privacy Notice.
If EverAI Limited merges with, or is acquired by, another company or organization, or sells all or a portion of its assets, your Personal Data may be disclosed to our advisers, any prospective purchaser or any prospective purchaser's adviser, and may be among the assets transferred. However, Personal Data will always remain subject to this Privacy Notice, as updated in accordance with section 13.
6. Retention Period
We retain your Personal Data for as long as your account is in existence or necessary to fulfill the purposes for which we collect it or as needed to provide you with the Services, except if required otherwise by law. However, when you terminate your account, we will still retain your Personal Data for a period of time. Usually, we will store your Personal Data for a period after you cease being a User of our Services, beginning at the date your account is closed.
Retention periods may be changed from time to time based on business or regulatory requirements.
We generally keep:
a. Personal Data relating to your account up to three to five years after your last use of the Services to address potential customer inquiries and/or permit further use of the platform (unless you request deletion earlier);
b. financial and transactional data seven years from their date of issuance (in accordance with our tax obligations);
c. marketing data until you withdraw your Consent or for a period of two years after your last interaction; and
d. in accordance with any legally mandated retention periods or in connection with ongoing legal disputes (as applicable).
Retention periods may be changed from time to time based on business or regulatory requirements.
We generally keep:
a. Personal Data relating to your account up to three to five years after your last use of the Services to address potential customer inquiries and/or permit further use of the platform (unless you request deletion earlier);
b. financial and transactional data seven years from their date of issuance (in accordance with our tax obligations);
c. marketing data until you withdraw your Consent or for a period of two years after your last interaction; and
d. in accordance with any legally mandated retention periods or in connection with ongoing legal disputes (as applicable).
7. Personal Data of minors
EverAI Limited does not provide Services or collect Personal Data from anyone under 18 years of age or equivalent minimum age depending on jurisdiction. Our Services are intended for use only by adults who are at least 18 years of age, or the age of majority in the jurisdiction in which they reside and/or access the Services. If we learn that we have been misled by an underaged individual, we will take steps to delete the information as soon as possible and block such User. Please also refer to our Underage Policy.
8. Third-party links
The Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the Privacy Notice of every website that can be accessed through the Services.
9. Your Rights under the GDPR
9.1. Right to access your Personal Data
You have the right to request a copy of your Personal Data that we hold in accordance with Article 15 GDPR. You have the right to be informed of:
a. the purposes of the Processing;
b. the categories of your Personal Data;
c. the recipients or categories of recipients to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;
d. the envisaged period for which your Personal Data will be stored, or, if not possible to say, the criteria used to determine that period;
e. the existence of the right to request rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the data subject or to object to such Processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the Personal Data are not collected from the data subject, any available information as to their source;
h. the existence of automated decision-making, including profiling.
To submit such a request, please see the "Contact us" section below.
a. the purposes of the Processing;
b. the categories of your Personal Data;
c. the recipients or categories of recipients to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;
d. the envisaged period for which your Personal Data will be stored, or, if not possible to say, the criteria used to determine that period;
e. the existence of the right to request rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the data subject or to object to such Processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the Personal Data are not collected from the data subject, any available information as to their source;
h. the existence of automated decision-making, including profiling.
To submit such a request, please see the "Contact us" section below.
9.2. Right to rectification
You have the duty to maintain your Personal Data up to date. To do so, you have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the Personal Data you provide to us.
9.3. Right to erasure
You can also request that we erase your Personal Data in limited circumstances where:
a. it is no longer needed for the purposes for which it was collected; or
b. (where applicable) you have withdrawn your Consent, and where there is no other legal ground for the Processing; or
c. following a successful right to object (see below); or
d. it has been processed unlawfully; or
e. to comply with a legal obligation to which EverAI is subject.
We are not required to comply with your request to erase Personal Data if the Processing of your Personal Data is necessary:
a. for compliance with a legal obligation; or
b. for the establishment, exercise or defense of legal claims; or
c. for performance of a contract.
a. it is no longer needed for the purposes for which it was collected; or
b. (where applicable) you have withdrawn your Consent, and where there is no other legal ground for the Processing; or
c. following a successful right to object (see below); or
d. it has been processed unlawfully; or
e. to comply with a legal obligation to which EverAI is subject.
We are not required to comply with your request to erase Personal Data if the Processing of your Personal Data is necessary:
a. for compliance with a legal obligation; or
b. for the establishment, exercise or defense of legal claims; or
c. for performance of a contract.
9.4. Right to request restriction of Processing of your Personal Data
You may request that we suspend the Processing of your Personal Data in the following scenarios:
a. if you want us to establish the Personal Data's accuracy;
b. where our Processing of Personal Data is unlawful, you do not want us to erase it, and you request us to suspend the Processing instead;
c. where it is no longer needed for the purposes for which it was collected, but you need us to hold the Data to establish, exercise or defend legal claims; or
d. you have objected to our Processing of your Personal Data and we need to verify whether we have overriding legitimate grounds to use it.
We can continue to use your Personal Data following a request for restriction where:
a. we have your Consent; or
b. we need to:
• establish, exercise or defend legal claims;
• protect the rights of another natural or legal person; or
• process Personal Data for reasons of important public interest of the Union or of a Member State.
a. if you want us to establish the Personal Data's accuracy;
b. where our Processing of Personal Data is unlawful, you do not want us to erase it, and you request us to suspend the Processing instead;
c. where it is no longer needed for the purposes for which it was collected, but you need us to hold the Data to establish, exercise or defend legal claims; or
d. you have objected to our Processing of your Personal Data and we need to verify whether we have overriding legitimate grounds to use it.
We can continue to use your Personal Data following a request for restriction where:
a. we have your Consent; or
b. we need to:
• establish, exercise or defend legal claims;
• protect the rights of another natural or legal person; or
• process Personal Data for reasons of important public interest of the Union or of a Member State.
9.5. Right to portability
You can ask us to provide you with the Personal Data you provided in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another Controller, where the Processing is:
a. based on your Consent or on the performance of a contract with you; and
b. carried out by automated means.
a. based on your Consent or on the performance of a contract with you; and
b. carried out by automated means.
9.6. Right to withdraw your Consent
We are committed to make it as easy to withdraw as it is to give Consent.
You have the right to withdraw your Consent at any time and free of charge. The withdrawal of Consent shall not affect the lawfulness of Processing of your Personal Data based on Consent before its withdrawal.
If you withdraw your Consent, we may not be able to provide our Services to you to their full extent
You have the right to withdraw your Consent at any time and free of charge. The withdrawal of Consent shall not affect the lawfulness of Processing of your Personal Data based on Consent before its withdrawal.
If you withdraw your Consent, we may not be able to provide our Services to you to their full extent
9.7. Right to object to the Processing of your Personal Data
You can object to any Processing of your Personal Data based on our legitimate interests, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms, or for the establishment, exercise, or defense of legal claims.
9.8. Right to object to how we use your Personal Data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can withdraw your Consent to the transfer of your Personal Data to third parties for the purposes of direct marketing at any time and free of charge, either by clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or by contacting us using the contact details specified in Section 11 below.
10. Right to obtain a copy of Personal Data safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Data is transferred outside of the European Union, the United Kingdom or Switzerland, as applicable, redacted of any terms unrelated to data protection.
11. Contacting us, Complaints
You have a right to lodge a complaint with your local supervisory authority (a list of European Union national data protection authorities can be found here, and the United Kingdom's Information Commissioner Office's contact details may be found here).
If you have concerns about how we are Processing your Personal Data, we ask that you please attempt to resolve any issues with us first. If you have any questions, concerns, or complaints regarding this Privacy Notice, or if you wish to exercise your rights related to your Personal Data, you can reach us at the following contact details.
Privacy Team
Email: [email protected]
Mailing Address: EverAI Limited, 56 Central Business Centre
Triq Is-Soll, Santa Venera SVR 1833, Malta
Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you have concerns about how we are Processing your Personal Data, we ask that you please attempt to resolve any issues with us first. If you have any questions, concerns, or complaints regarding this Privacy Notice, or if you wish to exercise your rights related to your Personal Data, you can reach us at the following contact details.
Privacy Team
Email: [email protected]
Mailing Address: EverAI Limited, 56 Central Business Centre
Triq Is-Soll, Santa Venera SVR 1833, Malta
Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. Data Security
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
13. Changes to the Privacy Notice
We may revise this Privacy Notice from time to time to take account of our changes of practices or of new applicable data protection law. If we modify our Privacy Notice, we will post the revised version on the Services with an updated revision date. Where such changes are substantial, we will also notify you by other means prior to the changes taking effect, such as by sending you an email notification or through the Service. By continuing to use our Services thirty days after such revisions are in effect, you will be deemed to accept and agree to the revisions and to abide by them.
