Privacy Policy

Effective date: April 16, 2025.

Table of Contents
  • Privacy Policy (introduction)
  • 1. Data Controller
  • 2. Legal Principles We Apply
  • 3. Purposes of Processing
  • 4. Legal Basis for Processing
  • 5. Use of Blockchain Technology
  • 6. Plugins and Internal Automation
  • 7. Disclosure and International Transfers
  • 8. Data Retention Period
  • 9. User Rights
  • 10. Security Measures
  • 11. Modifications
  • Contact

Introduction

In compliance with the General Data Protection Regulation (Regulation EU 2016/679 - GDPR), as well as the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), this Privacy Policy aims to provide users of the CooBook platform with clear, accessible, and up-to-date information regarding the processing of their personal data.

Project Kimiary OÜ, as the legal entity responsible for processing, is committed to respecting and protecting the privacy of all individuals who interact with our digital services, guaranteeing at all times compliance with fundamental data protection principles such as request, transparency, minimization, integrity, and proactive accountability.

This policy applies to all users of the CooBook platform, regardless of their country of origin, and covers all data processing carried out through the website, internal plugins, the Kimiary Smart Chain (KSC) blockchain, the protected digital viewer, investment operations, and any other technological module present or future.

We recommend that you carefully read each section of this document. If you have any questions, you may contact our legal team at legal@coobook.org

1. Data Controller

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation (GDPR), and in particular the provisions of its Article 4, paragraph 7, we inform users of this platform that the controller of the personal data collected, managed, or processed through the website and associated digital services is:

Project Kimiary OÜ
Registration number: 17198360
Registered address: Pärnu mnt 139b, 11317, Tallinn, Estonia
Contact email: legal@coobook.org

As the data controller, Project Kimiary OÜ independently and exclusively determines the purposes (why data is collected) and the means (how such data is managed, protected, and processed) within the CooBook digital ecosystem, which includes functionalities such as:

  • User registration on the platform.
  • Validation of digital book reading licenses.
  • Content protection through encrypted viewers.
  • Use of unique keys for book and bond transactions.
  • Secure and immutable registration of certain operations on blockchain.
  • Integration of internal modules or plugins that execute automated processes under legal and technical supervision.

We are responsible for ensuring that all processing activities carried out on this platform are carried out in accordance with the principles of lawfulness, loyalty, transparency, and proactive accountability established in the GDPR, as well as the interpretive guidelines issued by the European Data Protection Board (EDPB).

Any questions, requests, or exercise of rights related to your personal data may be directed to our legal team through the designated channel: legal@coobook.org

We also reserve the right to designate a Data Protection Officer (DPO) when required by the conditions established in Article 37 of the GDPR, which will be duly communicated in this same policy.

2. Legal Principles We Apply

At Project Kimiary OÜ, as the entity responsible for processing personal data on the CooBook platform, we guarantee that all processing is carried out in accordance with the fundamental principles established in Article 5 of Regulation (EU) 2016/679 (GDPR). These principles are essential pillars that govern all our operations, automated processes, and internal decisions regarding data protection:

a) Lawfulness, loyalty, and transparency

We process data lawfully, always complying with a clear legal basis (such as consent, a contract, or a legal obligation). We act with loyalty, that is, without hiding information or intentions, and with total transparency, informing the user in an accessible, understandable, and prior manner about how and why their data is collected.

b) Purpose limitation

Personal data is collected for specific, explicit, and legitimate purposes. It will not be subsequently processed in a manner incompatible with those purposes. Example: data collected for registration will not be used for commercial campaigns without express consent.

c) Data minimization

We only process data strictly necessary for the fulfillment of each purpose. No irrelevant or excessive data is collected. Example: we do not request the tax identification number if it is not essential for a legal or accounting transaction.

d) Accuracy

We adopt measures to ensure that personal data is accurate and up to date. Users have the right to correct or update their data at any time from their profile or through a direct request.

e) Storage limitation

We retain data only for as long as necessary to fulfill the processing purposes, or for the periods established by law. Once these periods expire, data is deleted or anonymized, unless it must be kept for legal or historical archive purposes.

f) Integrity and confidentiality

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or destruction. These include encryption, access control, unique key authentication, and internal protection modules.

g) Proactive accountability

We actively assume our obligation to guarantee and demonstrate compliance with all these principles. We maintain internal documentation, processing records, and carry out data protection impact assessments when necessary, especially in processes involving technologies such as AI or blockchain.

3. Purposes of Processing

In compliance with the provisions of Articles 5.1.b, 6.1, and 13.1.c of the General Data Protection Regulation (GDPR), we inform you that the personal data you provide to us through the use of the CooBook platform will be processed solely for legitimate, specific, and proportionate purposes related to the operations carried out within our digital ecosystem.

The main purposes are detailed below:

1. User registration management and platform access

We process your personal data to create your user account, enable secure authentication, and grant access to the functionalities offered by the platform. This includes your reader profile, editor profile, investor profile, or any other interaction enabled by our internal systems.

2. Validation of purchases and operations through hashes registered on blockchain

Each sensitive operation, such as the purchase of a bond, access to a protected book, or activation of a key, is validated through a system of unique hashes registered on the Kimiary Smart Chain (KSC) blockchain, guaranteeing integrity, traceability, and immutability of the record.

3. Sending informational or contractual communications

We may contact you by email or other digital means to send you information about your account, legal updates, alerts related to your operations, or any communication necessary for the execution of the contracted service.

4. Prevention of fraudulent activities within the system

We implement automated detection systems to prevent malicious use of licenses, unauthorized access, identity forgery attempts, key manipulation, or unauthorized use of books and bonds. These systems may involve behavior monitoring and cross-verification of internal tokens.

5. Improvement of user experience through internal analytics

We collect and analyze anonymous and pseudonymized information about how users interact with our platform to improve navigation, content, loading speed, and other technical aspects that benefit your overall experience.

6. Access management and security through our protection plugins

Your data may be processed by our internal security plugins, which are responsible for controlling access to digital files, validating reading permissions, blocking improper multiple accesses, and maintaining compliance with our content protection standards.

7. Automatic book classification through supervised AI (Art. 22 GDPR)

CooBook uses artificial intelligence for the initial classification of books uploaded by editors. This classification is carried out under human supervision mechanisms and in accordance with the requirements established in Article 22 of the GDPR, avoiding any significant automated effect without human intervention.

4. Legal Basis for Processing

In accordance with Article 6 of Regulation (EU) 2016/679 (GDPR), all personal data processing carried out by Project Kimiary OÜ through the CooBook platform is based on a valid legal basis. This basis is determined based on the specific purpose of the processing and guarantees lawfulness, transparency, and legal certainty in each operation.

The legal bases applicable to the CooBook ecosystem are:

• The user's explicit consent (Art. 6.1.a GDPR)

When the user provides their free, informed, and unambiguous consent for the processing of their data for specific purposes, such as receiving newsletters, promotional communications, participation in drawings, or pilot tests. This consent may be withdrawn at any time without retroactive effects.

• The execution of a contract (Art. 6.1.b GDPR)

When processing is necessary for the management of the user account, the acquisition of CooBook bonds, access to editorial content, or any other operation contractually linked to the user. This includes the conditions accepted upon registration or when using specific platform functionalities.

• Compliance with legal obligations (Art. 6.1.c GDPR)

When processing is required by applicable legislation, such as tax, accounting, consumer, investor protection, or digital security regulations. Example: retention of transactional data for the period required by tax regulations.

• The controller's legitimate interest (Art. 6.1.f GDPR)

When processing is necessary for legitimate purposes pursued by Project Kimiary OÜ, provided that the rights or interests of the data subject do not prevail. This includes purposes such as:

  • fraud prevention,
  • security improvement,
  • content protection,
  • internal technical analysis,
  • and operational incident management.

In these cases, we guarantee the existence of an adequate balance between our interests and the user's fundamental rights.

5. Use of Blockchain Technology

The CooBook platform integrates, as a fundamental element of its technical architecture, its own decentralized validation network called Kimiary Smart Chain (KSC). This blockchain technology allows guaranteeing the immutability, security, traceability, and transparency of certain internal operations, especially those linked to the purchase, access, and authorized reading of protected digital content.

Specifically, the following elements are recorded in the use of Kimiary Smart Chain:

  • Cryptographic hashes generated by purchases or activations.
  • Public keys associated with the user or their CooBook wallet.
  • Digital file integrity proofs.
  • Immutable timestamps of access, reading, or validation.

This data, while not directly identifying a natural person, may be considered "pseudonymized data" in accordance with the interpretation of the EDPB (European Data Protection Board). Consequently, it falls within the scope of application of the General Data Protection Regulation (GDPR), as provided for in Recitals 26 and 28 of the regulation.

Additional legal considerations:

The blockchain technology used by CooBook does not store personal data in plain text or store direct identifiers (such as name, email, IP). The pseudonymized data recorded on the KSC cannot be altered or deleted, given the principle of immutability inherent to this technology. The purpose of using blockchain is strictly limited to protecting digital access rights, validating intellectual property, and auditing reading or purchase operations.

In compliance with the GDPR's principle of data minimization, only the information necessary to guarantee the legality, security, and transparency of operations is recorded on the blockchain. Any additional processing is carried out off the network, in protected internal systems.

6. Plugins and Internal Automation

The CooBook platform operates through a modular ecosystem composed of internal plugins developed exclusively by Project Kimiary OÜ. These modules, integrated within our technical architecture, allow automating certain essential functions of the system, guaranteeing operational efficiency, traceability, and legal compliance.

All plugins have been designed in accordance with:

  • Secure development protocols.
  • Cybersecurity regulations.
  • Data protection impact assessments (DPIA) where appropriate.

The main automated processes include:

  • Automatic classification of books according to defined technical and thematic parameters.
  • Validation of reading keys associated with non-transferable individual licenses.
  • Generation of protected viewers that prevent downloading, printing, or copying of books.
  • Automatic registration of critical events (purchases, accesses, readings) on the Kimiary Smart Chain (KSC) blockchain.

Legal and ethical guarantees

All plugins operate under controlled access logic, and none of them process personal data without a valid legal basis or informed consent, in compliance with Articles 6 and 25 of the GDPR.

Additionally:

  • No automated decisions with legal effects are made without human intervention (Art. 22 GDPR).
  • Each module has been technically evaluated by our cybersecurity team and legally by the company's legal department.
  • Internal activity records and audit logs are maintained to guarantee proactive accountability.

7. Disclosure and International Transfers

At CooBook, we are committed to protecting the confidentiality and integrity of personal data processed on our platform. Therefore, we do not disclose or share personal data with third parties except in cases where:

  • Prior, specific, and informed consent from the user exists.
  • The disclosure is necessary for the execution of a contract or provision of the requested service.
  • It is required by a national or Community legal obligation.
  • It derives from a legitimately issued judicial or administrative resolution.

All data disclosure is carried out under strict legal control, respecting the principle of minimization and with adequate guarantees for the affected user.

Regarding international data transfers, we inform you that:

  • The main servers and storage systems of CooBook are located in the European Union (EU), which guarantees compliance with the highest protection standards.
  • In the event that, for technical reasons or specific subcontracting, an international data transfer is required (for example, to technology providers located outside the European Economic Area), compliance with Chapter V of the GDPR will always be guaranteed, including:

  • The existence of an adequacy decision by the European Commission (Art. 45 GDPR); or, failing that,
  • the adoption of standard contractual clauses (SCC) approved by the Commission (Art. 46.2.c); or
  • the application of additional security measures and end-to-end encryption protocols to prevent unauthorized access.

In no case will data be transferred to countries or entities that do not offer an adequate level of protection without applying the safeguards established by current European regulations.

Any updates regarding international providers or changes in service location will be duly notified and reflected in this Policy.

8. Data Retention Period

At CooBook, we apply the principle of storage limitation set forth in Article 5.1.e of the General Data Protection Regulation (GDPR), as well as in § 6 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). This means that personal data is retained only for as long as necessary to fulfill the processing purposes, or for the periods required by law, and is then securely deleted or anonymized.

The main criterion governing this retention is the direct relationship between:

  • The purpose for which the data was collected.
  • The legal obligations arising from the type of operation performed (fiscal, contractual, administrative, or technological).
  • The existence of a valid user consent, when this is the basis for processing.

Below, the main scenarios and their respective approximate retention periods are detailed:

1. Registration and user profile data

Data linked to user registration (such as email, name, activity, country, public key) is retained while the account remains active. Once deletion is requested or inactivity exceeding 24 months is detected, a blocking policy will be applied for an additional 6 months for technical, security, or legal defense reasons, after which it will be deleted or anonymized.

2. Data associated with contractual operations (bonds, payments, licenses)

In accordance with Estonian tax and accounting legislation (Raamatupidamise seadus – Accounting Act), documents and records related to economic operations must be retained for a period of 7 years from the end of the corresponding fiscal year. This includes:

  • Bond purchase confirmations
  • Invoicing
  • Transaction hashes
  • Contractual access records

This data will be stored securely with access restricted to authorized personnel only, for audit and tax purposes.

3. Blockchain records and public keys

Records generated on the Kimiary Smart Chain (KSC) are, by their technical nature, immutable and permanent. While not direct personal data, insofar as they may be considered pseudonymized, subsequent processing will be subject to GDPR restrictions.

It is guaranteed that these records will not be used for new purposes and that they do not contain direct identifying information. Their permanence on the network is justified by the technical need to protect the traceability, validity, and authorship of digital accesses and transactions.

4. Data associated with specific consents

When processing is based exclusively on user consent (for example, receiving newsletters or participating in surveys), data will be retained only while such consent remains valid. Once withdrawn, processing will cease immediately and data will be deleted, unless another concurrent legal basis justifies its retention (for example, compliance with a previous contract).

5. Anonymized or statistical data

Data that has undergone irreversible anonymization, that is, which cannot be linked to an identified or identifiable person, may be retained indefinitely for purposes of technical analysis, internal research, performance improvements, or strategic development, always under strict protection measures.

Periodic supervision and review

CooBook maintains an internal database review calendar, with periodic automatic and manual controls to detect data that has exceeded its legal or functional retention period. In addition, cleaning mechanisms and progressive pseudonymization are applied according to the data lifecycle.

At all times, users may exercise their right to request deletion, objection, or restriction of processing as provided in Articles 17 to 18 of the GDPR and § 20 of Estonian law.

9. User Rights

As a data subject in the processing of personal data, you have the right to exercise, at any time, all rights recognized by Articles 15 to 22 of Regulation (EU) 2016/679 (GDPR), as well as by applicable national legislation in Estonia. These rights are essential to guarantee user control over their own information and to reinforce the principles of transparency, fairness, and proactive accountability.

The rights you are entitled to are detailed below:

• Right of access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether or not we are processing your personal data, as well as access to information regarding: the purposes of processing, categories of data, recipients, retention period, and source of the data (when not collected directly).

• Right to rectification (Art. 16 GDPR)

You may request the correction of inaccurate personal data or the updating of those that are outdated or incomplete. At CooBook, you can make this rectification directly from your user panel or by written request.

• Right to erasure ("right to be forgotten") (Art. 17 GDPR)

You have the right to request the deletion of your personal data when any of the following circumstances apply:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw your consent and there is no other legal basis for processing.
  • Processing has been unlawful.
  • You wish to exercise this right in compliance with a legal obligation.

However, this right may be limited when processing is necessary for compliance with a legal obligation or for the defense of legal claims.

• Right to restriction of processing (Art. 18 GDPR)

You may request the restriction of processing of your personal data, temporarily or permanently, when:

  • You contest the accuracy of the data.
  • Processing is unlawful, but you oppose its erasure.
  • We no longer need the data, but you require it for the establishment, exercise, or defense of legal claims.
  • You have exercised the right to objection and it is pending verification.

• Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller, provided that processing is based on your consent or on a contract, and is carried out by automated means.

• Right to objection (Art. 21 GDPR)

You may object, at any time, to the processing of your personal data based on the controller's legitimate interest or public interest. In such case, CooBook will stop processing the data, unless it demonstrates compelling legitimate grounds that override your rights.

• Right not to be subject to automated decision-making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. At CooBook, we guarantee human intervention in all sensitive processes that may generate significant consequences for the user.

Exercise of rights

You may exercise any of the rights mentioned above by directly contacting the CooBook legal team through the following email:

legal@coobook.org

For security reasons and to verify your identity, it will be necessary to include a valid proof of identity in your request (for example, a scanned copy of your ID card or passport). All requests will be answered within a maximum period of 30 calendar days, in accordance with Article 12 of the GDPR.

10. Security Measures

At CooBook, we take the protection of personal data and the supporting digital ecosystem very seriously. Therefore, we have implemented a set of appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR) and Estonian national legislation.

These measures are designed, implemented, and audited by our internal cybersecurity team and are subject to periodic reviews, both technical and legal, depending on technological advances, the nature of processing, and the potential impact on users' rights and freedoms.

The main measures implemented include:

End-to-end encryption:

It ensures that sensitive information travels securely between the user and our systems, preventing reading by unauthorized third parties, even in case of interception.

One-time key authentication:

All access to protected content (such as digital books or investment areas) requires a dynamically generated and cryptographically validated unique key, which reduces the possibility of fraudulent use or impersonation.

Malicious access detection systems (IDS):

We have automated mechanisms for detecting and blocking anomalous access, massive scans, brute force attempts, and other activities that may compromise system security or user privacy.

Immutable event logging on blockchain:

Critical operations such as purchases, license validations, content access, or key generation are recorded in an unalterable manner on the Kimiary Smart Chain (KSC). This mechanism guarantees integrity, traceability, and non-repudiation.

Complementary organizational measures:

  • Internal data protection and confidentiality policies for all personnel with access to personal data.
  • Internal processing activity records and periodic compliance audits.
  • Continuous training of technical and legal teams in data protection regulations and incident management.
  • Risk analysis and conduct of data protection impact assessments (DPIA) where appropriate.

In the event of security incidents affecting personal data, our internal breach response protocol will be applied, complying with the notification obligation to the competent authority (Estonian Data Protection Inspectorate) and, if applicable, to affected users, within the timeframes established by Articles 33 and 34 of the GDPR.

11. Modifications

CooBook reserves the right to modify, update, or adjust this Privacy Policy at any time, with the aim of:

  • Adapting it to possible legislative or regulatory changes, both at European and national level (for example, GDPR reforms, application of the NIS2 directive, tax or digital services regulations);
  • Incorporating new guidelines issued by supervisory authorities, such as the European Data Protection Board (EDPB) or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon);
  • Adequately reflecting technical improvements, functional updates, or new technological developments in the CooBook digital ecosystem (for example, new functionalities, intelligent viewers, AI modules, etc.);
  • Correcting, clarifying, or expanding information for the benefit of transparency and comprehensibility for our users.

Transparency commitment

Any substantial modification to the content of this policy will be announced with reasonable advance notice, through the usual communication channels, including:

  • Informational messages within the platform.
  • Email, if the change directly affects processing based on user consent.
  • Prominent notifications at the top of this same section.

Previous versions will be archived and available upon request for consultation, thus complying with documentary traceability obligations.

The continued use of the platform after the entry into force of a new version of the Privacy Policy will imply acceptance of its terms, except in cases where express consent is required.

This Privacy Policy has been drafted by the legal team of Project Kimiary OÜ with an effective date of April 16, 2025. It will be periodically reviewed and modified when necessary for legal, technical, or operational reasons.

Project Kimiary OÜ declares that it has adopted all necessary measures, both technical and organizational, to ensure lawful, fair, and transparent processing of personal data in accordance with current European and national legislation.

To exercise your rights, you may contact the data controller by email at any time at:

legal@coobook.org

On behalf of the CooBook team, we thank you for your trust and reiterate our commitment to privacy and the protection of your data.
