Privacy & Data

Privacy Policy

We believe your data deserves clarity, respect, and protection. This policy explains exactly what HEVEA Genius collects, why we collect it, how we use it, and what rights you have over it. We've written it to be understood, not just accepted.

Last updated: April 2026
Version 1.1

This policy applies to all users of HEVEA Genius, including members in the European Economic Area. HEVEA Genius complies with applicable data protection laws including GDPR.

Introduction

HEVEA Genius is a Bitcoin Wealth Intelligence Platform operated by Hevea Investment, Unit G, 15/F, TAL Building, 49 Austin Road, Kowloon, Hong Kong. This privacy policy governs all personal data collected and processed through heveagenius.io — including the public website, member platform, affiliate programme, and any communications associated with your account.

This policy covers all categories of personal data we collect from visitors, registered members, affiliate partners, and ambassador programme participants. It explains the basis on which that data is processed, how long it is retained, and the rights available to you at any time.

For the purposes of applicable data protection law, the data controller is Hevea Investment. This means Hevea Investment determines the purposes and means of processing your personal data and is responsible for ensuring that processing is lawful, fair, and transparent. For all data-related enquiries, you can reach us at privacy@heveagenius.io.

We do not sell personal data to third parties under any circumstances. Your data is used solely to operate the HEVEA Genius platform, fulfil your subscription, process commissions where applicable, and meet our legal obligations.

If you have any questions about how we handle your data, contact privacy@heveagenius.io. We aim to respond within 5 business days.

Data We Collect

We collect only what is necessary to provide and improve the HEVEA Genius platform. Here is a clear overview of the categories of personal data we process and the purpose each serves.

Account Data

When you register for a HEVEA Genius account, we collect the information necessary to create and manage your membership.

  • Name, email address, and password (stored as a salted hash — never in plain text)
  • Plan tier and subscription status, including billing cycle and renewal dates
  • Two-factor authentication settings, if you choose to enable TOTP-based 2FA
  • Founding Member pseudonym and founding record timestamp, if applicable to your registration cohort

Usage Data

We collect limited behavioural data to understand how the platform is used and to detect anomalies that may indicate security issues.

  • Platform activity, including pages visited and features used — anonymised where technically feasible
  • Signal engagement data, such as views and interactions with published analyses
  • Device type, browser, and IP address, collected for authentication and security purposes
  • Session duration and navigation patterns, used in aggregate to guide platform improvements

Payment Data

Subscription payments are processed by our third-party payment provider. Our exposure to raw financial data is intentionally limited.

  • Billing address, retained for invoice and tax compliance purposes
  • Payment processing is handled entirely by Stripe, under Stripe's own privacy policy and PCI DSS compliance framework
  • HEVEA Genius does not store credit card numbers, CVV codes, or full payment instrument details at any point

Affiliate & Commission Data

For members participating in the affiliate or ambassador programme, we collect additional data necessary to track referrals and process payouts.

  • Referral link usage and attribution tracking across your unique link
  • Referred member activity — specifically plan tier and subscription status, to calculate applicable commission
  • Bitcoin wallet address, provided voluntarily by affiliates and ambassadors for BTC commission payouts via Binance Pay
  • Commission history, payout records, and programme tier status

How We Use Your Data

We use your data to operate the platform, communicate with you, and fulfil our legal obligations. Nothing more. Every processing activity described below has a clear purpose directly connected to the service you have subscribed to or the legal framework we operate within.

  • Provide and maintain your subscription access, including gating member-only content and features by plan tier
  • Process payments, manage billing cycles, and generate invoices where required
  • Send signal alerts, platform updates, and account communications relevant to your membership
  • Calculate and process affiliate and ambassador commissions, including BTC payouts on the first of each month
  • Monitor the platform for fraud, abuse, unauthorised access attempts, and security threats
  • Improve platform features and user experience, using aggregated and anonymised data only
  • Comply with applicable legal obligations and respond to lawful regulatory or authority requests

We do not sell, rent, or trade your personal data to third parties for marketing purposes. Your data is not a product.

Legal Basis (GDPR)

For users in the European Economic Area, all personal data processing must rest on a recognised legal basis. The table below identifies the basis we rely on for each category of processing activity.

Processing Activity | Legal Basis
Account creation and subscription management | Contract
Payment processing and billing records | Contract
Affiliate commission tracking and payouts | Contract
Platform security and fraud prevention | Legitimate Interest
Usage analytics (anonymised) | Legitimate Interest
Marketing communications | Consent (opt-in)
Legal compliance and regulatory requests | Legal Obligation

You may withdraw consent for marketing communications at any time via your account preferences or by emailing privacy@heveagenius.io. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Who We Share Data With

We share personal data only where necessary to operate the platform or meet legal requirements. We do not grant third parties access to your data for their own purposes. All providers we work with are required to process data solely on our behalf, within the scope of documented agreements.

Payment Processors

Stripe processes all subscription payment transactions on behalf of HEVEA Genius. Stripe acts as a data processor under its own privacy policy and operates within a PCI DSS compliance framework. We share billing-related data — including your billing address and subscription details — strictly as required for payment processing and fraud prevention. We do not control Stripe's own data practices; we encourage you to review the Stripe Privacy Policy for full details.

Platform Infrastructure

We use a small number of carefully selected third-party services for transactional email delivery, platform hosting, and usage analytics. These providers operate under data processing agreements that bind them to confidentiality and restrict use of your data to the services they provide on our behalf. They are not permitted to use your data for their own marketing or third-party purposes.

Affiliate and Commission Processing

Bitcoin wallet addresses provided by affiliate and ambassador members are used solely for the purpose of processing BTC commission payouts via Binance Pay. Wallet addresses are not displayed to other members, not used for any purpose beyond commission payments, and not shared with any party other than Binance Pay in the context of executing a payout transaction.

Legal Authorities

We may be required to disclose personal data to competent governmental authorities, regulators, or courts where mandated by applicable law, a lawful court order, or a binding regulatory request. We will notify you of such disclosure where we are legally permitted to do so, and we will limit disclosure to what is strictly required by the relevant legal obligation.

How Long We Keep Your Data

We retain personal data for as long as necessary to fulfil the purpose for which it was collected and to meet our legal and compliance obligations. The specific retention periods we apply are set out below.

  • Account data: retained for the duration of your active subscription, plus up to 3 years after cancellation for legal and fraud-prevention purposes
  • Payment and billing records: retained for up to 7 years to meet financial reporting and tax compliance obligations
  • Affiliate and commission records: retained for up to 3 years after the date of the last payout or last programme activity, whichever is later
  • Usage analytics (anonymised): retained indefinitely in aggregated, non-identifiable form — this data cannot be linked back to any individual
  • Security logs: retained for 12 months, after which they are automatically purged

When retention periods expire, data is securely deleted or irreversibly anonymised. We do not retain personal data beyond what is required by a legitimate operational or legal purpose.

Your Rights

You have meaningful rights over your personal data. These rights are not formalities — they are enforceable, and we are committed to honouring them promptly and without obstruction. Here is a clear summary of what you can request at any time.

Right to Access

Request a complete copy of all personal data we hold about you, along with information on how it is being processed and on what basis.

Right to Correction

Request correction of any inaccurate or incomplete personal data we hold. You can update most account information directly from your dashboard.

Right to Erasure

Request deletion of your personal data. We will comply unless retention is required by a legal obligation or legitimate overriding interest.

Right to Portability

Request your personal data in a structured, commonly used, machine-readable format, suitable for transfer to another service provider.

Right to Object

Object to processing based on legitimate interests, including any use of your data for direct marketing. We will stop that processing unless we have compelling legitimate grounds.

Right to Restrict Processing

Request that we limit how we process your data in specific circumstances — for example, while a correction request is pending or an objection is being assessed.

To exercise any of these rights, email privacy@heveagenius.io with your request and the email address associated with your account. We will confirm receipt and respond within 30 days. For complex or multiple requests, we may extend this period by a further 60 days, in which case we will inform you. You also have the right to lodge a complaint with a supervisory data protection authority in your jurisdiction if you believe we have not handled your data lawfully.

Cookies

HEVEA Genius uses cookies and browser local storage to operate the platform and improve your experience. Cookies are small data files stored on your device. They allow us to keep you authenticated between sessions, remember your preferences, and understand how the platform is being used in aggregate.

We use three categories of cookies. Strictly necessary cookies are essential for the platform to function — they manage authentication sessions and security tokens, and cannot be disabled without breaking core functionality. Analytics cookies collect anonymised usage data to help us understand which features are most useful and where the platform can be improved. Preference cookies store settings you have chosen, such as display preferences, so you do not need to reconfigure them on each visit.

You can manage cookie preferences through your browser settings at any time. Blocking strictly necessary cookies may affect your ability to log in or access member content. For a complete breakdown of cookies used, their duration, and how to manage them, please review our full Cookie Policy.


How We Protect Your Data

All data transmitted between your browser and HEVEA Genius is encrypted in transit using TLS (Transport Layer Security). This ensures that data cannot be intercepted or read by third parties while in transit between your device and our servers. We enforce HTTPS across all platform endpoints without exception.

Personal data stored at rest is protected using AES-256 encryption. Access to personal data within our infrastructure is restricted on a strict need-to-know basis — only authorised personnel whose role requires access to a specific category of data are granted it, and all access is logged. Passwords are stored as salted hashes and are never stored or transmitted in plain text.

We conduct regular security reviews of our infrastructure and codebase, including vulnerability assessments and dependency auditing. We maintain access controls, rate limiting, and anomaly detection to identify and respond to potential threats promptly. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within the timeframes required by applicable law.

International Data Transfers

Hevea Investment is headquartered in Hong Kong. As a result, your personal data is primarily processed in Hong Kong. Some of our third-party service providers — including those handling email delivery, payment processing, and platform infrastructure — may process data in other jurisdictions, including countries outside the European Economic Area.

Where we transfer personal data to a jurisdiction that does not benefit from an adequacy decision by the European Commission, we put in place appropriate safeguards to ensure your data receives a level of protection equivalent to that provided under European data protection law. These safeguards typically take the form of Standard Contractual Clauses (SCCs) approved by the European Commission, which contractually bind the receiving party to data protection obligations consistent with GDPR requirements.

You are entitled to obtain information about the specific safeguards in place for any given international transfer of your personal data. To request this information, contact us at privacy@heveagenius.io.

Contact & Data Controller

If you have any questions about this privacy policy, wish to exercise your rights, or want to understand more about how we handle your personal data, please use the contact details below. We take data privacy seriously and are committed to responding promptly and transparently.

Data Controller: Hevea Investment
Registered Address: Unit G, 15/F, TAL Building, 49 Austin Road, Kowloon, Hong Kong
Privacy Enquiries: privacy@heveagenius.io
General Support: support@heveagenius.io
Privacy Response: 5 business days for general enquiries
Rights Requests: 30 days for formal data subject rights requests

If you have a complaint about how we handle your data and you are not satisfied with our response, you have the right to escalate your complaint to the data protection supervisory authority in your jurisdiction. For EEA residents, this is the authority in the EU member state where you reside, work, or where the alleged infringement took place.