Privacy Notice

Date of Revision: 01 August 2025
Privacy Notice of EverAI Limited
EverAI Limited ("EverAI", "we", "us" or "our") is the Controller for the processing implemented through this website accessible at https://candy.ai/ and/or any affiliated website to which visitors or users may be redirected (the "Services"). EverAI is duly incorporated in the Republic of Malta, having its address at 56 Central Business Centre, Triq Is-Soll, Santa Venera SVR 1833, Malta, and registered with the Malta Business Registry under the number C107181.

The Services are an online chat application that uses artificial intelligence algorithms to generate virtual and fictional characters (the "AI Companions"), with whom you as a user of the Services ("you") can chat and exchange messages. The Services also include, but are not necessarily limited to, other media such as images, videos and voice notes. Parts of the Services may require you to create a user account and/or become a paid subscriber.

This Privacy Notice details how EverAI collects, uses, discloses and handles your Personal Data for the Services and, as applicable, your rights under the European Union’s General Data Protection Regulation 2016/679, and Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector ("ePrivacy Directive") (together "EU GDPR"), the UK Data Protection Act 2018 and the Privacy and Electronic Communications, Regulations 2003 ("PECR") (together "UK GDPR"), or the Federal Act on Data Protection 235.1 ("FADP"), together referred as "Applicable Data Protection Law".

By using the Services, you agree that you have read and understood our Privacy Notice.
1. Definitions
All capitalized terms not otherwise defined in this Privacy Notice or in the GDPR shall have the following meaning:

- "Content": the information that you provide in order to register as a User and/or in the course of using our Services. Such information includes your Personal Data, inputs in the course of conversations with AI Companions, and outputs in response to same;

- "Consent": any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or a clear affirmative action, signifies agreement to the Processing of Personal Data relating to you;

- "Controller": the natural or legal person, alone or jointly with others, who determines the purposes and means of the Processing of Personal Data and for the purposes of the Services (EverAI);

- "Performance of our Services": the actions necessary for us to provide our Services;

- "Personal Data": any information relating to an identified or identifiable natural person, directly or indirectly (“Data Subject”), such as your name, address, marital status, date of birth, gender, office location, position, company name, spoken languages, photos, your account number, your location data;

- "Processing": any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

- "Subscription": an arrangement between EverAI Limited and you to enable you to benefit from and/or use the Services;

- "User", "you" and "your": collectively a person that has visited or is using the Services;

- "Visitor": anyone who is browsing the Services without a valid Subscription.
2. Purposes of Personal Data Processing
As we are committed to respect your privacy, such Services will always be provided in accordance with the most relevant legal basis. If you do not or cannot provide us with the required data, we may not be able to provide the Services to you.

Purpose of the Processing Categories of Personal Data Legal basis
Account creation

Managing your registration to our Services.
  • Email address (as disclosed by you; mandatory registration field);
  • Encrypted password (as disclosed by you; mandatory registration field);
  • Nick name/screenname (as disclosed by you);
  • User gender (as disclosed by you);
  • First and last name (as disclosed by you or third-party authentication systems, e.g., if you create your account via Google single sign-on);
  • Creation date and time and signup provider (e.g., Twitter; Google; Discord; Email) (generated based on the options you select);
  • Phone number (optional field in profile settings).
Consent; necessity for the performance of a contract.
Account management
  • Currency (based on detected country);
  • Country and/or city (detected based on IP address and zipcode (if given));
  • Token balance (generated by us on the basis of your purchase);
  • Last User account update date and time (generated by us);
  • Current and last sign in date and time (generated by us);
  • Current and last sign in IP (generated by us);
  • Sign-in count (how many times a user signed in) (generated by us);
Our legitimate interest in addressing your queries.
Provision of the Services

  • Customization of the AI Companions or linked to specific features of the Service;
  • Generation of image action, body, clothes;
  • Interactive chat with AI Companion;
  • Voice call
Content data i.e.:

  • User preference vis à vis the AI Companions (e.g., AI Companions' ethnicity, age, eye color, hair type, body type, personality, voice, occupation, type of relation, none of which relate to a living natural person) (as provided by you);
  • User prompt voluntarily entered to generate Content, to the extent these contain Personal Data (e.g., communications, message, calls to AI Companions) (as provided by you);
  • Content generated by AI Companions. (as generated by us)
Consent; necessity for the performance of a contract.
Support of the Services

Service support to inform you and to answer your request (sending of service email, technical support, answers to customers etc.).
  • Supporting data (entered in the free field through the "Contact us" window sent by email to EverAI), email address (as provided by you) and possible answer (generated by us);
  • Device information (mobile/desktop), browser type (e.g., Chrome, Firefox etc.), Content as needed e.g., when technical issues need to be investigated;
  • Cookies (as detected by us).
Our legitimate interest in addressing your queries and technical issues.
Payment processing

Processing by payment service providers for security and payment for:

  • Subscriptions;
  • Tokens;
  • Refunds in appropriate cases.
Emerchant Pay (EMP) and TrustPay (TP)
  • First and last name;
  • Email address;
  • Card brand;
  • Credit card number;
  • Payment transaction date and time;
  • Type;
  • Amount;
  • Currency;
  • Bin country;
  • IP address;
  • Recurring billing type;
  • Response code (issuer);
  • Type of refund (full or partial).
Volt
  • Email address;
  • Bank name;
  • Account details (including sort code);
  • Account number;
  • CPF (for Brazil);
  • Account type (business or personal);
  • Balance and currency required to make payment;
  • Unique order reference;
  • Transaction date and the beneficiary;
  • Amount and currency of payment;
  • Internet protocol (IP) address;
  • Browser type and version;
  • Operating system and platform;
  • Type of refund (full or partial).
Coingate
  • Shopper email;
  • Crypto wallet address;
  • IP address;
  • Country;
  • Unique order reference;
  • Transaction date and time;
  • Amount and currency required to make payment;
  • Type of refund (full or partial).
Necessity for the performance of a contract.
Direct Marketing

  • Deliver marketing emails to inform you of our latest updates, offers and features through our newsletter;
  • Enable affiliate marketing program questionnaire.
  • Email address (as disclosed by you; mandatory registration field);
  • First and last name (as disclosed by you and if you used a specific authentication method, e.g., Google, to create your account);
  • Account number;
  • Website or traffic source URL; and
  • Data linked to the affiliate marketing program questionnaire free fields to introduce potential affiliates and how they plan to promote the Service.
Our legitimate interest in improving our Services (direct marketing by us for similar products and Services) or consent (third party marketing).
Analytics other than through cookies or other tracking technologies

Allowing customer surveys, marketing campaigns, market analysis.
  • Account number;
  • Email address (as disclosed by you; mandatory registration field);
  • Answer provided by the User.
Consent
Safety

  • Moderation of the Services (problematic behaviour, abuse report, action taken);
  • Reporting to law enforcement in appropriate cases
  • Content flagged by our moderation controls and/or reported by you;
  • Action taken in response to flagged Content;
  • Metadata regarding your Content (time/date sent, originating IP address);
  • Account data and history;
  • In appropriate cases, information required by local authorities and/or information to facilitate the investigation of individuals who use the Services to conduct unlawful activity, including specifically but not limited to Uploading or creating CSAM.
Necessity to comply with legal obligations or, as the case may be, necessity for the performance of a contract (in case of breach of our policies).
Legal & Accounting

  • Record keeping;
  • Invoice recovery;
  • Compliance with court orders;
  • Management of data subject access requests.
Supporting data (as provided by you) such as contact data, payment data or credentials. Necessity for compliance with legal obligations.
Complying with lawful requests from authorities, court orders and exercising and/or defending our legal rights. Supporting data (as provided by you) such as contact data, payment data or credentials, and/or any information within the scope of lawful legal requests or processes. Complying with our legal obligations; our legitimate interest in defending our rights.
3. Marketing
We may send you marketing about our Services, other information in the form of alerts, newsletters and invitations to events or functions which we believe might be of interest to you, or in order to update you with information which we believe may be relevant to you (such as commercial news). We may communicate this to you according to the contact channels you provided and your stated preferences, including by telephone, email or other digital channels.

If you do not wish to receive marketing information from us, you can unsubscribe by:

a. clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or

b. contacting us using the contact details specified in Section 11 below.

Please note that opting-out of marketing communications will not affect the sending of communications related to the Services themselves.
4. Third Party Marketing
We will get your express opt-in Consent before we share your Personal Data with any company outside EverAI for marketing purposes.

You can ask us or third parties to stop sending you direct marketing messages by electronic means at any time by logging into the Services or third parties' websites and adjusting your marketing preferences, or by following the opt-out links on any marketing message sent to you by such third parties.
5. Sharing your Personal Data
We may share your information with:

a. service providers to deliver the Services as follows:

• payment service providers (based in EU for European users); and

• hosting service providers (based in the US); and

• email marketing tools providers (based in the US); and

• affiliate partner tools (based in the EU).

b. professional advisers where necessary to obtain advice or assistance, including lawyers, accountants, IT or public relations advisers;

c. legal and regulatory authorities, as required by applicable laws and regulations; and

d. our employees, as needed for them to carry out their work.

We will not disclose, sell, trade, or otherwise transfer your Personal Data to any third parties without your Consent (where required) or unless otherwise stated in this Privacy Notice.

If EverAI Limited merges with, or is acquired by, another company or organization, or sells all or a portion of its assets, your Personal Data may be disclosed to our advisers, any prospective purchaser or any prospective purchaser's adviser, and may be among the assets transferred. However, Personal Data will always remain subject to this Privacy Notice, as updated in accordance with section 13.
6. Retention Period
We retain your Personal Data for as long as your account is in existence or necessary to fulfill the purposes for which we collect it or as needed to provide you with the Services, except if required otherwise by law. However, when you terminate your account, we will still retain your Personal Data for a period of time. Usually, we will store your Personal Data for a period after you cease being a User of our Services, beginning at the date your account is closed.

Retention periods may be changed from time to time based on business or regulatory requirements.

We generally keep:

a. Personal Data relating to your account up to three to five years after your last use of the Services to address potential customer inquiries and/or permit further use of the platform (unless you request deletion earlier);

b. financial and transactional data seven years from their date of issuance (in accordance with our tax obligations);

c. marketing data until you withdraw your Consent or for a period of two years after your last interaction; and

d. in accordance with any legally mandated retention periods or in connection with ongoing legal disputes (as applicable).
7. Personal Data of minors
EverAI Limited does not provide Services or collect Personal Data from anyone under 18 years of age or equivalent minimum age depending on jurisdiction. Our Services are intended for use only by adults who are at least 18 years of age, or the age of majority in the jurisdiction in which they reside and/or access the Services. If we learn that we have been misled by an underaged individual, we will take steps to delete the information as soon as possible and block such User. Please also refer to our Underage Policy.
8. Third-party links
The Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the Privacy Notice of every website that can be accessed through the Services.
9. Your Rights under the GDPR
9.1. Right to access your Personal Data
You have the right to request a copy of your Personal Data that we hold in accordance with Article 15 GDPR. You have the right to be informed of:

a. the purposes of the Processing;

b. the categories of your Personal Data;

c. the recipients or categories of recipients to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;

d. the envisaged period for which your Personal Data will be stored, or, if not possible to say, the criteria used to determine that period;

e. the existence of the right to request rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the data subject or to object to such Processing;

f. the right to lodge a complaint with a supervisory authority;

g. where the Personal Data are not collected from the data subject, any available information as to their source;

h. the existence of automated decision-making, including profiling.

To submit such a request, please see the "Contact us" section below.
9.2. Right to rectification
You have the duty to maintain your Personal Data up to date. To do so, you have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the Personal Data you provide to us.
9.3. Right to erasure
You can also request that we erase your Personal Data in limited circumstances where:

a. it is no longer needed for the purposes for which it was collected; or

b. (where applicable) you have withdrawn your Consent, and where there is no other legal ground for the Processing; or

c. following a successful right to object (see below); or

d. it has been processed unlawfully; or

e. to comply with a legal obligation to which EverAI is subject.

We are not required to comply with your request to erase Personal Data if the Processing of your Personal Data is necessary:

a. for compliance with a legal obligation; or

b. for the establishment, exercise or defense of legal claims; or

c. for performance of a contract.
9.4. Right to request restriction of Processing of your Personal Data
You may request that we suspend the Processing of your Personal Data in the following scenarios:

a. if you want us to establish the Personal Data's accuracy;

b. where our Processing of Personal Data is unlawful, you do not want us to erase it, and you request us to suspend the Processing instead;

c. where it is no longer needed for the purposes for which it was collected, but you need us to hold the Data to establish, exercise or defend legal claims; or

d. you have objected to our Processing of your Personal Data and we need to verify whether we have overriding legitimate grounds to use it.

We can continue to use your Personal Data following a request for restriction where:

a. we have your Consent; or

b. we need to:

• establish, exercise or defend legal claims;

• protect the rights of another natural or legal person; or

• process Personal Data for reasons of important public interest of the Union or of a Member State.
9.5. Right to portability
You can ask us to provide you with the Personal Data you provided in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another Controller, where the Processing is:

a. based on your Consent or on the performance of a contract with you; and

b. carried out by automated means.
9.6. Right to withdraw your Consent
We are committed to make it as easy to withdraw as it is to give Consent.

You have the right to withdraw your Consent at any time and free of charge. The withdrawal of Consent shall not affect the lawfulness of Processing of your Personal Data based on Consent before its withdrawal.

If you withdraw your Consent, we may not be able to provide our Services to you to their full extent
9.7. Right to object to the Processing of your Personal Data
You can object to any Processing of your Personal Data based on our legitimate interests, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms, or for the establishment, exercise, or defense of legal claims.
9.8. Right to object to how we use your Personal Data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can withdraw your Consent to the transfer of your Personal Data to third parties for the purposes of direct marketing at any time and free of charge, either by clicking on the 'Unsubscribe' or subscription preferences link in a direct marketing email that you have received from us; or by contacting us using the contact details specified in Section 11 below.
10. Right to obtain a copy of Personal Data safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Data is transferred outside of the European Union, the United Kingdom or Switzerland, as applicable, redacted of any terms unrelated to data protection.
11. Contacting us, Complaints
You have a right to lodge a complaint with your local supervisory authority (a list of European Union national data protection authorities can be found here, and the United Kingdom's Information Commissioner Office's contact details may be found here).

If you have concerns about how we are Processing your Personal Data, we ask that you please attempt to resolve any issues with us first. If you have any questions, concerns, or complaints regarding this Privacy Notice, or if you wish to exercise your rights related to your Personal Data, you can reach us at the following contact details.

Privacy Team
Email: [email protected]
Mailing Address: EverAI Limited, 56 Central Business Centre
Triq Is-Soll, Santa Venera SVR 1833, Malta

Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. Data Security
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
13. Changes to the Privacy Notice
We may revise this Privacy Notice from time to time to take account of our changes of practices or of new applicable data protection law. If we modify our Privacy Notice, we will post the revised version on the Services with an updated revision date. Where such changes are substantial, we will also notify you by other means prior to the changes taking effect, such as by sending you an email notification or through the Service. By continuing to use our Services thirty days after such revisions are in effect, you will be deemed to accept and agree to the revisions and to abide by them.