1. Personal data: what we collect, why, and our legal basis

We collect and process personal data only for specific, explicit, and legitimate purposes. Below are the details of the data we collect.

• Account & contact data: This includes names, email addresses, phone numbers, job titles, and company information. We process this data to create and manage your user account, provide you with our Services, and communicate with you about service updates, support, and billing. The legal basis for this processing is the performance of a contract with you (Art. 6(1)(b) GDPR).

• Payment & billing data: This includes your billing address, transaction history, and payment card details which are processed securely by our payment provider. We process this data to manage payments for our Services and to comply with financial and tax regulations. The legal basis is for the performance of a contract (Art. 6(1)(b) GDPR) and to comply with our legal obligations (Art. 6(1)(c) GDPR), such as German tax law.

• Uploaded documents & content: This includes any documents, data, and information you voluntarily upload to our platform for analysis. We process this content to perform the core function of our AI Services as instructed by you and to provide you with the analytical output. The legal basis is the performance of a contract, as this processing is core to the service you have purchased (Art. 6(1)(b) GDPR).

• Technical & usage data: This includes your IP address, browser type and version, device information, operating system, and information about your interaction with our platform, such as features used and timestamps. We process this data to ensure the security and stability of our platform, and to analyse usage in order to improve our Services, user experience, and develop new features. The legal basis is our legitimate interest in maintaining a secure, efficient service and improving our business (Art. 6(1)(f) GDPR).

• Communications data: This includes information you provide in support tickets, emails, or feedback forms. We process this data to respond to your inquiries, provide customer support, and gather feedback. The legal basis is our legitimate interest in providing excellent customer service and improving our offerings (Art. 6(1)(f) GDPR).

• Cookie & marketing data: This includes data from cookies, tracking pixels, and your marketing opt-ins. We use this data to deliver and personalise our website experience and to send you marketing communications about our products. The legal basis is your consent, which you can withdraw at any time (Art. 6(1)(a) GDPR).

2. Special categories of personal data

Our Services are not designed to process special categories of personal data as defined in Article 9 of the GDPR, such as data revealing health, ethnic origin, or religious beliefs. However, you may choose to upload documents (e.g., HR-related documents like CVs for a tender) that contain such data. In these limited cases, we process this data solely on your instruction and as a data processor. The legal basis for this is your explicit consent (Art. 9(2)(a) GDPR), which you provide by accepting our Terms of Service and choosing to upload such documents. We apply our highest level of security and access controls to any such data, and you retain full control over it.

3. Data sharing and disclosure

We do not sell your personal data. We partner with trusted third-party service providers (known as "sub-processors") to perform essential functions necessary to deliver our Services, such as cloud hosting, payment processing, and platform security. We maintain legally binding agreements with all our sub-processors, ensuring they protect your data and only use it for the purposes we instruct. A complete and up-to-date list of our sub-processors and the services they provide can be shared upon request, if you have a legitimate interest. We may also disclose your data if required by law, court order, or a binding request from a governmental authority. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new entity, which will be bound to protect it under the terms of this policy.

4. International data transfers

Some of our sub-processors are based outside the European Economic Area (EEA), primarily in the United States. When we transfer your personal data outside the EEA, we ensure it is protected by implementing appropriate safeguards as required by GDPR. These safeguards include relying on Adequacy Decisions by the European Commission, our US-based providers' certification under the EU-U.S. Data Privacy Framework (DPF) where applicable, and the use of Standard Contractual Clauses (SCCs).

5. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it and to comply with our legal obligations. For example, account data is retained for the duration of your active subscription and for up to 6 years after termination for business records. Payment information is retained for up to 10 years as required by German tax law. Uploaded documents are retained for the duration of your subscription and are securely deleted within 30 days of your account's termination, unless you request earlier deletion. Finally, identifiable usage data is retained for up to 24 months.

6. Your data protection rights

Under GDPR, you have several rights regarding your personal data - please contact us, if you wish to exercise any of these:

• The Right to Access (Art. 15) to request a copy of the personal data we hold about you.

• The Right to Rectification (Art. 16) to request the correction of inaccurate or incomplete data.

• The Right to Erasure ('Right to be Forgotten') (Art. 17) to request the deletion of your data in certain circumstances.

• The Right to Restrict Processing (Art. 18) to request the suspension of processing in certain circumstances.

• The Right to Data Portability (Art. 20) to receive your data in a structured, commonly used, and machine-readable format.

• The Right to Object (Art. 21) to our processing of your data where we are relying on a legitimate interest.

• The Right to Withdraw Consent at any time where we rely on your consent to process data.

7. Data security

We take the security of your personal data extremely seriously. We are an ISO/IEC 27001 certified company, meaning our Information Security Management System (ISMS) is independently audited and verified to meet the highest international standards for security. We have implemented robust technical and organizational measures to protect your data, which include the encryption of data in transit and at rest, strict access controls based on the principle of least privilege, regular security audits and penetration testing, comprehensive employee training on data protection, and a robust incident response plan.

8. Cookies and tracking technologies

We use cookies to operate and personalize our website and platform. For detailed information on the cookies we use, their purpose, and how you can manage your consent, please see our dedicated Cookie Policy.

9. Use by minors

Our Services are not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will take steps to delete it immediately.

10. Changes to this privacy policy

We may update this policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any material changes by posting the new policy on our website and, where appropriate, notifying you via email or through a notice on our platform. The "Last updated" date at the top of this policy indicates when it was last revised.

11. How to lodge a complaint

If you have any concerns about how we handle your personal data, we encourage you to contact us first. However, you have the right to lodge a complaint with a data protection authority. Our lead supervisory authority in Germany is The Federal Commissioner for Data Protection and Freedom of Information (BfDI).

• Address: Graurheindorfer Str. 153, 53117 Bonn, Germany

• Phone: +49 (0)228-997799-0

• Email: poststelle@bfdi.bund.de

• Website: www.bfdi.bund.de

12. Contact us

If you have any questions about this Privacy Policy or our data protection practices, please contact us at security@forgent.ai