Privacy Policy

1. Introduction

Konatamo LLC is the data controller for the personal data described in this Privacy Policy when we determine the purposes and means of processing. When we process personal data on behalf of a Merchant in connection with that Merchant's loyalty program, the Merchant is the data controller and we act as a data processor. The applicable data-processing terms are set out in our Data Processing Agreement.

For questions about this Privacy Policy or our processing activities, you may contact our Data Protection Officer at privacy@satoob.com or by post at the address in Section 16.

2. Information we collect

We collect personal data in the following categories. The specific data fields collected depend on whether you use the Service as an End-User (consumer) or as a Merchant (business representative).

3. Sources of information

We obtain personal data from three sources:

1. Directly from you — when you create an account, complete onboarding, configure preferences, redeem Vouchers, contact support, or otherwise interact with the Service.
2. Automatically — through cookies, server logs, analytics tools, and security-monitoring systems.
3. From third parties — public business registries (INSEE, VIES, Companies House and equivalents) for KYB verification; sanctions-screening providers; payment-processor confirmations from our payment partner; and, where applicable, fraud-signal aggregators.

4. How we use personal data

We process personal data for the following purposes:

1. To provide and maintain the Service — authenticating accounts, recording satoPOINTS and Voucher activity, generating clearing reports, supporting cross-device continuity.
2. To verify Merchant eligibility — completing KYB checks, screening against sanctions lists, validating tax identifiers, and re-running these checks periodically.
3. To process transactions — issuing and validating Vouchers, recording the corresponding ledger entries, supporting Merchant settlements.
4. To communicate with you — sending transactional emails (account verification, security alerts, receipts, clearing reports) and, with your consent, marketing communications.
5. To personalise your experience — applying your locale, currency, and accessibility preferences.
6. To improve the Service — analytics, A/B testing, debugging, capacity planning.
7. To prevent fraud and abuse — detecting suspicious activity, blocking automated abuse, protecting Merchant programs from gaming and accounts from takeover.
8. To comply with legal obligations — tax and accounting record-keeping, response to lawful requests from supervisory or judicial authorities, anti-money-laundering compliance where applicable.
9. To establish, exercise, or defend legal claims — when we are involved in or threatened by legal proceedings.

5. Lawful basis for processing (GDPR Article 6)

For users in the European Union or the United Kingdom, we rely on the following lawful bases:

• Performance of a contract with you (GDPR Art. 6(1)(b)) — for authentication, transaction processing, account management, and customer support, which are required to deliver the Service you signed up for.
• Compliance with a legal obligation (GDPR Art. 6(1)(c)) — for KYB verification, sanctions screening, tax record-keeping, and response to lawful authority requests.
• Legitimate interests (GDPR Art. 6(1)(f)) — for fraud prevention, security monitoring, product analytics, and direct marketing to existing customers, where our interests are not overridden by your fundamental rights and freedoms. We document our legitimate-interest assessments and provide them on request.
• Consent (GDPR Art. 6(1)(a)) — for non-essential cookies, email marketing to prospects, precise geolocation, and any optional feature explicitly identified as consent-based at the moment you enable it. Consent can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

We do not process special categories of personal data (Art. 9 GDPR) in ordinary operations. Where the verification of a KYB document incidentally reveals such data (for example, an identity card containing biometric or health information), we do not extract or further process those special categories.

6. How we share personal data

We share personal data only where strictly necessary to operate the Service, to comply with the law, or with your consent.

7. Data retention

We retain personal data only for as long as is necessary for the purposes described above, unless a longer retention period is required by law.

• Active account data — retained for as long as your account is active.
• Closed-account data — retained for the longer of seven (7) years (US tax record-keeping) or ten (10) years (EU commercial-code retention), and then permanently deleted or anonymised. Specific records may be retained longer where required by law (e.g. anti-money-laundering compliance).
• Transactional ledger entries — retained for the longer of the applicable statute of limitations and ten (10) years, in line with double-entry-accounting integrity requirements.
• Audit logs (cashier portal) — retained for thirteen (13) months and then automatically purged.
• Behavioural analytics events — retained for twenty-six (26) months by our analytics provider with default settings, and may be reduced on request.
• Server logs — retained for thirty (30) days.
• Backups — retained for thirty (30) days on a rolling basis.

When a legal hold applies, the retention periods above are extended until the hold is lifted.

8. International data transfers

Konatamo LLC is established in the United States, and our infrastructure is hosted across regions that include the United States, the European Union, and the United Kingdom. When personal data of EU or UK residents is transferred to a country that does not benefit from an adequacy decision by the European Commission or the United Kingdom, we rely on appropriate safeguards as required by Articles 44 to 49 GDPR, including:

• the Standard Contractual Clauses issued by the European Commission (Decision 2021/914) for transfers from the European Economic Area to third countries;
• the UK International Data Transfer Addendum to the EU SCCs for transfers from the United Kingdom.

We perform a transfer impact assessment for each onward transfer and apply supplementary measures where the assessment indicates they are necessary (e.g. additional encryption, contractual restrictions on government access, audit rights). A summary of our transfer impact assessment is available on request.

9. Your rights — EU and UK

If you are a resident of the European Union or the United Kingdom, applicable data-protection laws grant you the following rights with respect to your personal data:

1. Right of access (Art. 15 GDPR / equivalents) — to obtain confirmation of whether personal data concerning you is processed and, where it is, a copy of that data and meta-information about the processing.
2. Right to rectification (Art. 16 GDPR) — to correct inaccurate personal data and complete incomplete data.
3. Right to erasure / "right to be forgotten" (Art. 17 GDPR) — to obtain the deletion of personal data, subject to the exceptions provided by law (e.g. retention required for legal obligations).
4. Right to restriction of processing (Art. 18 GDPR) — to require us to limit the processing of your data in specific circumstances.
5. Right to data portability (Art. 20 GDPR) — to receive the personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller.
6. Right to object (Art. 21 GDPR) — to object, at any time and on grounds relating to your particular situation, to processing based on our legitimate interests (Art. 6(1)(f)). Where the processing is direct marketing, you may object at any time without justification.
7. Right to withdraw consent — where processing is based on your consent (Art. 6(1)(a)), you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
8. Right to lodge a complaint with a supervisory authority — for example, the CNIL in France, the BfDI in Germany, the AEPD in Spain, the Garante per la protezione dei dati personali in Italy, the CNPD in Portugal, and the ICO in the United Kingdom.

To exercise any of these rights, please email privacy@satoob.com from the address associated with your account or, where that is not possible, with a level of detail sufficient to identify the account in question. We will respond within thirty (30) days. We may extend this period by up to two months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it.

10. Your rights — California

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), grants you the following rights with respect to your personal information:

1. Right to know — to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting, the categories of third parties with whom we share, and (if applicable) any sale or sharing for cross-context behavioural advertising.
2. Right to delete — to request the deletion of your personal information, subject to legal exceptions.
3. Right to correct — to request the correction of inaccurate personal information.
4. Right to opt out of sale or sharing — although we do not sell or share personal information for cross-context behavioural advertising, we honour the Global Privacy Control ("GPC") signal as a valid opt-out request and we display a "Do Not Sell or Share My Personal Information" link in the footer of the Service.
5. Right to limit use of sensitive personal information — although we do not use sensitive personal information beyond what is necessary to deliver the Service, you may at any time request that we limit such use.
6. Right to non-discrimination — we will not discriminate against you for exercising any of these rights. We will not deny the Service, charge different prices, or provide a different level of quality based on your exercise of CCPA/CPRA rights.

To exercise these rights, please email privacy@satoob.com or use the dedicated link in the Service footer. We will verify your identity through reasonable means before fulfilling the request and will respond within forty-five (45) days, with one extension of up to forty-five (45) additional days where reasonably necessary.

You may also designate an authorised agent to make a request on your behalf. The agent must provide signed proof of authority and we may request that you confirm the agent's authority directly.

11. Your rights — other regions

Residents of other jurisdictions enjoy similar rights under their local data-protection laws, including:

• Brazil — Lei Geral de Proteção de Dados (LGPD): rights of access, correction, anonymisation, blocking, deletion, portability, information about sharing, and revocation of consent. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).
• Quebec — Loi 25: rights of access, rectification, deletion, portability, cessation of dissemination, de-indexing, and refusal of automated decision-making. The supervisory authority is the Commission d'accès à l'information du Québec (CAI).
• Canada (federal) — Personal Information Protection and Electronic Documents Act (PIPEDA): rights of access and correction, with complaints handled by the Office of the Privacy Commissioner of Canada.
• Australia — Privacy Act 1988: access and correction rights, with complaints handled by the Office of the Australian Information Commissioner.

To exercise any of these rights, please contact privacy@satoob.com. We will identify the applicable framework based on your country of residence and respond within the timeframe required by that framework, generally not exceeding thirty (30) days.

12. Security measures

We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, without limitation:

• Encryption in transit — TLS 1.3 across all client-facing endpoints and internal service-to-service communication.
• Encryption at rest — AES-256 on database storage and on object storage.
• Credential hygiene — passwords are stored as bcrypt hashes (cost factor 12 minimum); merchant cashier PINs are stored as bcrypt hashes with anti-timing-attack verification and exponential lockouts after repeated failures.
• Identity & access management — least-privilege access controls, multi-factor authentication for production environments, audit logging of administrative actions.
• Audit-grade ledger — financial activity is recorded in an immutable double-entry ledger, providing tamper-evident accounting.
• Anti-abuse systems — rate limiting, anomaly detection, and automated lockouts for suspicious activity.
• Vulnerability management — periodic dependency review, security patching, and a coordinated vulnerability disclosure programme described in our Security policy.
• Incident response — documented procedure for detecting, containing, and notifying personal-data breaches in accordance with applicable law (within 72 hours where required by GDPR Art. 33).

No system is perfectly secure. If you suspect that your account or your personal data has been compromised, please notify us immediately at security@satoob.com.

13. Children's privacy

The Service is not directed at children under the age of eighteen (18). We do not knowingly collect personal data from individuals under eighteen. If you believe a child has provided personal data to us, please contact privacy@satoob.com and we will take steps to delete the relevant data promptly, subject to legal-retention exceptions.

For users in the United States, this Privacy Policy is intended to comply with the Children's Online Privacy Protection Act ("COPPA"). For users in the European Union, this is intended to comply with Article 8 GDPR (information-society services offered directly to a child).

14. Cookies and similar technologies

We use cookies and equivalent technologies for authentication, security, locale routing, analytics, and (where applicable) optional product-improvement features. The categories of cookies we set, the providers involved, the retention periods, and the controls available to you are documented in detail in the Cookie Policy.

The cookie banner displayed on your first visit reflects the consent regime applicable to your country of residence: opt-in for users in the EU, the UK, Quebec, and Brazil; opt-out (with respect for the Global Privacy Control signal) for California residents; and no banner where local law does not require one.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a modification is material — that is, if it would expand the categories of personal data we process, change the purposes for which we process, change the lawful bases on which we rely, or change the retention periods in a non-trivial way — we will provide at least thirty (30) days' notice before the modification takes effect, by email to the address associated with your account or through a prominent notice on the Service.

For non-material modifications (clarifications, typo fixes, formatting), we will publish the updated Privacy Policy with a revised "Last updated" date. Your continued use of the Service after the effective date of any modification constitutes acceptance of the updated Privacy Policy.

16. Contact

For questions, complaints, or requests under this Privacy Policy, please contact:

• Data Protection Officer — privacy@satoob.com
• Legal & contractual matters — legal@konatamo.com
• Customer support — contact@satoob.com
• Security disclosures — security@satoob.com

Postal address (for legal service of process): Konatamo LLC, 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA.

If you are not satisfied with our response, you may lodge a complaint with the supervisory authority in your country of residence. A list of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.