Privacy Policy.

Kalva is the BNPO escrow booking platform operated by Nexzend LLC, a Delaware limited liability company. Nexzend LLC is the data controller responsible for the personal information you submit to Kalva. For privacy inquiries, contact privacy@kalva.app.

We collect personal information in the following categories:

• Account and contact: full name, email address, phone number, country of residence, password (stored as a salted hash; we never see your password).
• Booking and travel: the operator and product you booked, travel dates, number of guests, selected installment plan, booking reference.
• Identity verification (KYC): passport number, passport country, date of birth, nationality, and for bookings above $5,000 USD a government-issued photo ID image and a selfie capture collected through our verification partner.
• Payment: card brand, last four digits, expiry month and year. Full card data (PAN, CVV) is collected directly by our PCI-DSS-certified payments processor and never touches Kalva's servers.
• Communications: emails, SMS, and in-app messages between you and Kalva's support team.
• Device and usage: IP address, browser, operating system, device identifier, pages viewed, timestamps, referring URL.
• Compliance results: screening outcomes from OFAC sanctions checks, fraud-detection signals, identity-verification results.

We use the information above to:

• Process your booking and collect installment payments in accordance with the plan you selected;
• Verify your identity and screen for sanctions and fraud, as required by our BSA/AML program;
• Send transactional notifications (booking confirmation, installment receipts, payment reminders, cancellation notices);
• Issue refunds and process disputes;
• Detect, investigate, and prevent fraudulent, deceptive, malicious, or illegal activity;
• Operate, maintain, secure, and improve the Kalva platform;
• Comply with U.S. and applicable foreign legal obligations, including the Bank Secrecy Act, OFAC sanctions regulations, and consumer-protection laws;
• Defend our legal rights and respond to lawful requests from government authorities.

We do not sell your personal information. We do not use your personal information for third-party advertising.

Where the GDPR or comparable laws apply, our legal bases are:

• Contract: processing necessary to place and fulfill your booking.
• Legal obligation: KYC, AML, sanctions screening, tax recordkeeping.
• Legitimate interest: fraud prevention, platform security, service improvement.
• Consent: where you have given specific consent (e.g., marketing communications, if any).

Kalva shares personal information only with the third-party processors required to operate the service. Each processor is contractually bound to use your data only on Kalva's instructions and to maintain industry-standard security.

• Stripe Payments & Stripe Connect — payments processing, escrow arrangement, operator payouts. Stripe is the merchant of record for card transactions.
• Stripe Identity — government-ID and biometric (selfie) verification for Tier 2 and Tier 3 bookings.
• Stripe Radar — machine-learning fraud-detection signals.
• Twilio — SMS and one-time-passcode delivery.
• Resend (with React Email) — transactional email delivery.
• Meta Cloud API — WhatsApp customer notifications (where you have opted in).
• Sanctions-screening provider — OFAC SDN and Consolidated Sanctions List screening.
• Clerk — authentication and session management.
• Supabase & Railway — database and infrastructure hosting (data resides in the United States).
• Vercel — web hosting and edge delivery.

We may also disclose personal information to professional advisors (legal, accounting, insurance), to government authorities responding to lawful requests, and to a successor entity in connection with a corporate transaction (merger, acquisition, asset sale).

Retention periods are dictated primarily by U.S. federal law and by our BSA/AML program:

• KYC records (passport, ID, selfie, screening results): retained for five (5) years following the closure of your account or the date of the last transaction, whichever is later, per 31 CFR § 1010.430.
• Transaction records: retained for seven (7) years following the transaction, per BSA recordkeeping requirements.
• Communications and support records: retained for three (3) years.
• Account profile data (name, email, phone): retained for the life of your account plus a five (5) year tail to satisfy the BSA retention floor.

After the applicable retention period, personal information is deleted or irreversibly de-identified.

We implement the following controls:

• AES-256 encryption at rest for sensitive identifiers (passport number, KYC artifacts);
• TLS 1.2+ encryption in transit;
• PCI DSS Level 1 compliance via Stripe Payments — card data never touches our servers;
• 3D Secure bank verification on 100% of card transactions;
• Role-based access controls and audit logging on the operator dashboard;
• Periodic security review of third-party processors.

No system is perfectly secure. If we discover a security incident affecting your personal information, we will notify you and, where required, the relevant supervisory authority within the timelines required by applicable law.

Kalva uses a small set of strictly necessary cookies (authentication, security, session state, pre-launch gate). We do not currently use third-party advertising or behavioral tracking cookies. We use first-party analytics with IP anonymization to measure aggregate platform performance.

Kalva is not directed to children. We do not knowingly collect personal information from anyone under eighteen (18) years of age. If you believe a child has provided us information, please contact privacy@kalva.app and we will delete it.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate or incomplete information;
• Request deletion (subject to our BSA/AML retention obligations);
• Receive a portable copy of your data in a machine-readable format;
• Object to or restrict certain processing;
• Withdraw consent at any time, where processing is based on consent;
• California residents (CCPA/CPRA): request disclosure of categories of information collected, opt out of any "sale" or "share" (Kalva does not sell or share), and not be discriminated against for exercising these rights.

To exercise any right, email privacy@kalva.app. We will respond within thirty (30) days, or the shorter period required by applicable law. We may require identity verification before processing your request.

Kalva's primary infrastructure is hosted in the United States. If you are accessing Kalva from outside the United States, your information will be transferred to, stored, and processed in the United States. Where required by law, transfers are made under appropriate safeguards (for transfers from the EEA, UK, or Switzerland, the Standard Contractual Clauses).

We may update this Privacy Policy from time to time. Material changes will be notified to registered users at the email address on file at least fourteen (14) days before the changes take effect, except where a shorter period is required by law.

Privacy inquiries: privacy@kalva.app.
Postal address: Nexzend LLC, c/o Privacy Office, Delaware, USA (full address provided on request to legal@kalva.app).