01Who We Are
This Privacy Policy is issued by Eleva Platform Ltd, a company incorporated in England and Wales (Company Number: 17158073), with its registered office at 4A Central Square, Liverpool, L31 0AQ, United Kingdom ("Eleva", "we", "us", "our").
Eleva operates the Eleva mobile application ("the App") — a short-form and long-form video social platform available on Android and iOS — as well as the website located at elevaplatform.org.
For the purposes of UK GDPR and EU GDPR, Eleva Platform Ltd is the data controller of your personal data.
Our designated Data Protection contact is reachable at: privacy@elevaplatform.org
02Scope & Applicability
This Policy applies to all personal data we collect when you:
- Download, install, or use the Eleva mobile application;
- Visit or interact with elevaplatform.org;
- Register an account, create or interact with content, or engage in any transaction on our platform;
- Contact us by any means.
This Policy complies with the following legal frameworks:
- EU General Data Protection Regulation (GDPR) 2016/679
- UK GDPR and the Data Protection Act 2018
- UK Data (Use and Access) Act 2025
- California Consumer Privacy Act (CCPA) / CPRA
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- Privacy and Electronic Communications Regulations (PECR)
03Data We Collect
3.1 Account & Identity Data
- Full name, username, email address, date of birth (to verify minimum age of 16)
- Profile photo, biography, and other profile information you choose to provide
- Country of residence
- Password (stored in hashed form; we never store plain-text passwords)
3.2 Identity Verification (KYC) Data
When your account balance reaches 3 Eleva Tokens, identity verification is mandatory. We collect:
- Government-issued photo identification (passport, national ID card, or driving licence)
- Biometric facial data (liveness check and face match against your document)
- Verification status and outcome
3.3 Content Data
- Videos, images, text, comments, captions, hashtags, and other content you post or upload
- Content metadata (upload time, location tag if enabled, file format, duration)
- All user-generated content is subject to automated moderation via Google Cloud Vision AI prior to publication (see Section 15)
3.4 Financial & Transaction Data
- Token purchase records, token balance, transaction history
- Google Pay payment tokens (we do not receive or store full card numbers)
- Referral conversions and associated earning records
3.5 Usage & Behavioural Data
- Content you view, like, share, or interact with
- Search queries within the App
- Session duration, feature usage, in-app navigation
- Crash reports and diagnostic data
3.6 Device & Technical Data
- Device type, operating system, OS version
- Advertising ID (Android GAID) — collected only with your explicit consent
- IP address (used for geolocation, fraud prevention, and rate limiting)
- App version, language setting
3.7 Communications Data
- Messages you send through any in-app messaging feature
- Support requests and correspondence with our team
04Legal Basis for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing token transactions via Google Pay | Performance of a contract (Art. 6(1)(b)) |
| Identity verification (KYC) at 3-token threshold | Legal obligation / legitimate interests (Art. 6(1)(c) and (f)) |
| Content moderation via Google Vision AI | Legitimate interests / legal obligation (Art. 6(1)(f) and (c)) |
| Serving personalised advertisements via AdMob | Consent (Art. 6(1)(a)) — opt-in required |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) |
| Referral programme tracking | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests / legal obligation (Art. 6(1)(f) and (c)) |
| Responding to support requests | Legitimate interests (Art. 6(1)(f)) |
| Compliance with court orders or regulatory requests | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may request a copy of this assessment by contacting us.
05How We Use Your Data
We use your personal data for the following purposes:
- To create, verify, and maintain your account;
- To enable you to upload, share, and interact with content on the platform;
- To process token purchases, transfers, and referral rewards;
- To verify your identity when required (KYC at 3-token threshold);
- To moderate content automatically using Google Cloud Vision AI before publication;
- To display advertising through Google AdMob (only with your consent);
- To operate our referral programme and calculate earnings;
- To detect and prevent fraud, abuse, and violations of our Terms of Service;
- To personalise your feed and improve platform recommendations;
- To communicate with you about your account, security, and platform updates;
- To comply with applicable laws and regulatory requirements;
- To enforce our Community Guidelines and Content Policy;
- To respond to legal requests, court orders, or regulatory inquiries.
We do not sell your personal data to third parties. We do not use your personal data for automated decision-making that produces legal or similarly significant effects, except for content moderation (which you may appeal — see Section 15) and identity verification.
06Third-Party Processors
We engage the following sub-processors to operate the platform. All processors are bound by a Data Processing Agreement (DPA) with Eleva Platform Ltd:
| Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud database, compute, storage infrastructure | EU (Ireland) + US (where applicable) | All platform data as hosted on our infrastructure |
| AWS Lambda | Serverless backend processing | EU / US | Request data, media processing |
| Backblaze B2 | Video and media object storage | US / EU | Uploaded video and image files |
| Bunny CDN | Content delivery network for media | Global edge nodes | Cached media files, IP addresses for routing |
| Stripe Identity (Stripe Payments UK Ltd) | KYC / identity verification | UK / EU | ID documents, biometric data, verification outcome (FCA authorised — FRN: 900461) |
| Google Cloud Vision AI | Automated content moderation | US / EU | User-uploaded video frames and images |
| Google AdMob | In-app advertising (with consent) | US / Global | Advertising ID, device data, usage signals (consent-gated) |
| Google Pay | Payment processing for token purchases | US / Global | Payment tokens, transaction confirmation |
| Firebase (Google LLC) | Authentication services | US / EU | Email address, UID, sign-in tokens |
We do not permit sub-processors to use your data for their own marketing or commercial purposes, except as described in their own privacy policies where they act as independent data controllers (e.g., Google AdMob when serving ads).
07International Data Transfers
As Eleva uses global cloud infrastructure, your personal data may be transferred to and processed in countries outside the UK and the European Economic Area (EEA), including the United States.
We ensure that all such transfers are protected by appropriate safeguards, including:
- UK International Data Transfer Agreements (IDTAs) for transfers from the UK;
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers from the EEA;
- Adequacy decisions where applicable;
- Binding Corporate Rules or equivalent mechanisms where relied upon by processors.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@elevaplatform.org.
08Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 90 days after deletion request |
| Posted content (videos, comments) | Deleted upon account deletion or content removal request |
| Transaction and token records | 7 years (UK legal / tax obligation) |
| KYC / identity verification records | 5 years from last transaction (AML obligations) |
| Usage and analytics data | 24 months, then aggregated/anonymised |
| Device and technical logs | 12 months |
| Support correspondence | 3 years from resolution |
| Biometric data (KYC) | As per Stripe Identity's retention policy under its AML/KYC regulatory obligations; Eleva does not hold raw biometric data |
When data is no longer required, we delete it securely or anonymise it so that it can no longer identify you.
09Your Rights — EU & UK (GDPR)
If you are located in the European Union or United Kingdom, you have the following rights under the GDPR / UK GDPR:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure / "Right to Be Forgotten" (Art. 17): Request deletion of your data where there is no lawful reason for us to continue processing it.
- Right to Restrict Processing (Art. 18): Ask us to pause processing while a dispute is resolved.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling for advertising.
- Right to Withdraw Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Rights Related to Automated Decision-Making (Art. 22): Not to be subject to solely automated decisions that produce significant legal effects.
To exercise any of these rights, please email privacy@elevaplatform.org. We will respond within 30 days. If your request is complex or you have made multiple requests, we may extend this period by a further 60 days and will notify you of the extension within 30 days of receiving your request, as permitted under GDPR Article 12(3). There is no charge for making a request.
If you are in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
If you are in the EU, you may contact the data protection authority in your country of residence.
10California & US Rights (CCPA / CPRA)
If you are a resident of California, USA, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising without your consent.
- Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal data (including precise geolocation and biometric data) to the purposes necessary to provide the requested service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise California rights, email privacy@elevaplatform.org with the subject line "CCPA Request". We will respond within 45 days, extendable by a further 45 days with notice.
For residents of other US states with applicable privacy laws (Virginia, Colorado, Connecticut, Texas, etc.), we extend equivalent rights to the extent required by applicable state law.
11Canadian Rights (PIPEDA)
If you are a resident of Canada, your personal data is processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
You have the right to:
- Request access to your personal information and receive it in a clear, understandable form;
- Challenge the accuracy and completeness of your information and have it amended as appropriate;
- Withdraw consent to our collection, use, or disclosure of your information, subject to legal and contractual restrictions;
- File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
12Children and Minors
Eleva is not intended for, and does not knowingly collect personal data from, persons under the age of 16 years.
Our minimum age of use is 16 years. Users who indicate they are under 16 during registration will be denied access. We verify user ages as part of our account registration process and, where applicable, through our KYC provider.
If you are a parent or guardian and believe that a child under 16 has registered on Eleva without your consent, please contact us immediately at privacy@elevaplatform.org. We will promptly investigate and delete any data associated with that account.
Users between the ages of 16 and 17 may have their accounts subject to additional restrictions in jurisdictions where a higher age of consent or different parental consent requirements apply.
13Security
We implement appropriate technical and organisational security measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- AWS infrastructure with access controls, VPC isolation, and security groups;
- Password hashing using industry-standard algorithms;
- Restricted employee access to personal data on a need-to-know basis;
- Regular security testing and vulnerability assessments;
- Incident response procedures compliant with UK GDPR Article 33 (72-hour breach notification to the ICO) and EU GDPR where applicable.
While we take every reasonable measure, no system is entirely immune from breach. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable law.
14Cookies, Tracking & Advertising
The Eleva mobile application uses the following tracking technologies:
14.1 Essential SDKs
These operate without consent as they are strictly necessary for the App to function (account authentication, security, core features).
14.2 Advertising (Google AdMob)
We display in-app advertisements through Google AdMob. AdMob may use your Android Advertising ID (GAID) and usage signals to serve personalised advertisements. This requires your explicit opt-in consent, which we request upon first launch via an in-app consent prompt.
You may:
- Withdraw advertising consent at any time via App Settings → Privacy → Advertising;
- Reset or limit ad tracking via your device operating system settings;
- Opt out of personalised ads via Google's Ad Settings at adssettings.google.com.
If you decline advertising consent, you will still receive non-personalised advertising.
14.3 Analytics
We collect anonymised, aggregated usage analytics to improve the platform. This does not identify you individually.
15Automated Content Moderation
To protect our community and comply with applicable laws (including the UK Online Safety Act and applicable EU regulations), all user-generated content is subject to automated pre-publication moderation using Google Cloud Vision AI and our own internal classifiers.
This system scans for:
- Nudity, sexual content, and CSAM (child sexual abuse material);
- Graphic violence, gore, and self-harm imagery;
- Hateful symbols or content;
- Illegal content under applicable UK and EU law.
Content that is flagged may be withheld from publication pending human review. This constitutes automated processing under GDPR Article 22 in a limited sense; however, we do not believe it produces significant legal effects on you as it relates to our platform rules, not your legal status.
If your content is withheld or removed and you believe this is an error, you may appeal via our Content Appeals process by contacting: appeals@elevaplatform.org
16Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page;
- Notify you via a prominent in-app notice or push notification at least 14 days before changes take effect;
- Where required by law, seek your renewed consent.
Your continued use of the App after the effective date of any revised Policy constitutes your acknowledgement of the changes. We encourage you to review this Policy periodically.
17Contact Us & Data Protection Enquiries
Eleva Platform Ltd — Privacy & Data Protection
Email: privacy@elevaplatform.org
Postal Address:
Eleva Platform Ltd
4A Central Square
Liverpool, L31 0AQ
United Kingdom
Company Number: 17158073
We aim to acknowledge all privacy requests within 5 working days and to respond fully within 30 days. For urgent data breach matters or safeguarding concerns, please mark your email URGENT.
Regulatory Authorities
- UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- EU (General): Contact the supervisory authority in your EU member state of residence
- Ireland (EU representative matters): Data Protection Commission — dataprotection.ie
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- California: California Privacy Protection Agency — cppa.ca.gov