Privacy Policy
This Privacy Policy describes how MONVADEL ("we", "us", "our") collects, uses, and protects personal data in connection with the ORILO application and website (orilo.eu).
We are committed to privacy by design. We collect the minimum data necessary to provide our services, and we never sell or share your data for advertising purposes.
1. Data Controller
The data controller is MONVADEL (legal structure currently being established in the European Union). Until legal registration is complete, the controller is the project founder. Contact: privacy@orilo.eu
2. Data We Collect
We collect only the data necessary to provide the service:
- Registration data: email address or phone number for account creation
- Profile data: username and profile information you choose to provide
- Communication data: messages are end-to-end encrypted — we cannot access their content
- Technical data: IP address, device type, operating system — for security and service provision only
- KYC data (if you choose higher verification tiers): identity document and selfie, processed by our KYC provider and stored in encrypted form
We do not collect behavioural data for advertising. We do not build user profiles for commercial purposes.
3. Legal Basis for Processing
- Contract performance (Article 6(1)(b) GDPR): processing necessary to provide the ORILO service
- Legal obligation (Article 6(1)(c) GDPR): compliance with applicable EU law
- Legitimate interests (Article 6(1)(f) GDPR): security, fraud prevention, service improvement
- Consent (Article 6(1)(a) GDPR): for optional features where you have given explicit consent
4. Data Storage and Infrastructure
All user data is stored exclusively on servers located in the European Union (Hetzner, Germany and Finland). We do not transfer data outside the EU/EEA. We do not use US-based cloud providers. Our infrastructure has no exposure to the US CLOUD Act or equivalent extraterritorial legislation.
5. Data Retention
- Account data: retained for the duration of your account, deleted within 30 days of account deletion
- Communication data: stored on device (E2EE); server-side metadata deleted per our retention schedule
- KYC data: retained only as long as required by applicable law
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Port your data (data portability)
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your national supervisory authority
To exercise these rights, contact: privacy@orilo.eu
7. Third-Party Services
We use the following third-party services to operate ORILO:
- KYC verification (for users who choose Tier 1 or Tier 2 verification): processed by an EU-based provider under a GDPR Data Processing Agreement
- Link scanning: VirusTotal API (MVP phase) for malware detection. Only URLs are submitted — no user identifiers
We do not use Google Analytics, Facebook Pixel, or any behavioural tracking service.
8. Children
ORILO is not intended for users under the age of 16. We do not knowingly collect data from children under 16. If you believe a minor has created an account, please contact us at privacy@orilo.eu.
9. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email or in-app notification at least 30 days before changes take effect. Continued use of ORILO after that date constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions or to exercise your rights:
Email: privacy@orilo.eu
Website: orilo.eu