Legal

Privacy Policy

Version 2.0 — Effective: 8 May 2026 · Last reviewed: 8 May 2026

Applies to all Provena by AffectLog users globally. Compliant with GDPR, UK GDPR, CCPA/CPRA, PIPEDA, LGPD, and the EU AI Act.

Summary

AffectLog collects your account information, usage data, and content you enter into the Platform solely to operate and improve the Service. We do not sell your data, use it to train AI models, or share it with advertisers. EEA and UK users have full GDPR rights including access, erasure, and portability. For any question, email [email protected].

1. Identity and Contact Details of the Data Controller

Provena by AffectLog ("AffectLog", "we", "us", "our") is the data controller responsible for your personal data. AffectLog operates the AI governance and evidence platform available at affectlog.com and all associated subdomains (collectively, the "Platform").

Our designated contact for all data protection matters is:

Email: [email protected]
General enquiries: [email protected]

Where required under applicable law, AffectLog has appointed or will appoint a Data Protection Officer (DPO). DPO contact: [email protected].

We are registered as a data controller with the relevant supervisory authority. Our lead supervisory authority within the European Economic Area is the Commission Nationale de l'Informatique et des Libertés (CNIL), France.

2. Scope and Application

This Privacy Policy ("Policy") applies in full to all personal data collected, used, stored, disclosed, or otherwise processed by AffectLog in connection with:

(a) Your use of the Platform, including all features, dashboards, APIs, webhooks, and integrations;
(b) Your registration for, and management of, an Account;
(c) All communications between you and AffectLog, including support tickets and sales enquiries;
(d) Your visit to our marketing website and any associated landing pages;
(e) Our commercial relationships, including billing, contracting, and partner programmes.

This Policy applies to users worldwide and specifically addresses the requirements of:

• General Data Protection Regulation (EU) 2016/679 ("GDPR")
• UK General Data Protection Regulation as retained in UK law ("UK GDPR")
• California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 ("CCPA/CPRA")
• Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and its provincial equivalents
• Brazil's Lei Geral de Proteção de Dados ("LGPD")
• EU Artificial Intelligence Act (Regulation (EU) 2024/1689) insofar as it relates to personal data processed through AI systems
• Any other applicable national data protection and privacy legislation

Where this Policy refers to "EEA", this includes all member states of the European Union plus Iceland, Liechtenstein, and Norway.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Registration and Account Data
First name, last name, work email address, password (stored exclusively as a non-reversible cryptographic hash — never in plaintext), organisation name, job title or role category, primary use case, country, and any profile image you upload. We also record the date and time of account creation and your acceptance of our legal terms.

3.2 Professional and Organisational Data
Information about your organisation including company name, company size, industry sector, VAT registration or company registration number (where provided voluntarily), and names and email addresses of colleagues you invite to your workspace.

3.3 Identity Verification Data
Where required for access to elevated-privilege features, regulated activities, or compliance programmes, we may collect government-issued identification document numbers, entity registration numbers, or professional credentials. Such data is handled with heightened security controls.

3.4 Platform Content and Evidence Data
All content you create, upload, configure, or generate within the Platform, including: AI tool descriptions, AI supplier profiles, Evidence Passport content, agent configuration data, governance assessment responses, uploaded documents, audit logs, risk scores, and governance reports. You are the data controller in respect of any personal data of third parties contained within this content.

3.5 Technical and Device Data
IP address, browser type and version, operating system and version, device identifiers, screen resolution, time zone setting, referring URLs, pages and features accessed, session start and end timestamps, API request and response logs (excluding payloads where not necessary for debugging), error events, and performance telemetry.

3.6 Payment and Transaction Data
Subscription plan, billing period, payment status, invoice history, and VAT/tax identification information. Payment card numbers, card verification codes, and bank account details are processed exclusively by our payment processor (Stripe, Inc.) under PCI-DSS Level 1 certification and are never transmitted to or stored on AffectLog systems.

3.7 Communications Data
Content of emails, live chat messages, support tickets, and any other communications you send to us, together with associated metadata (sender address, timestamps, thread identifiers).

3.8 Survey, Feedback, and Research Data
Responses to optional surveys, in-product feedback prompts, NPS scores, user research session recordings (only where you explicitly opt in), and beta programme participation data.

4. Sources of Personal Data

We collect personal data from the following sources:

4.1 Directly from you: registration forms, profile settings, Platform content, in-platform actions, and direct communications.
4.2 Automatically via technology: cookies, server log files, analytics SDKs, and error-monitoring tools embedded in the Platform and marketing website.
4.3 From third-party identity providers: where you authenticate using a Single Sign-On (SSO) provider (such as Google Workspace or Microsoft Entra ID), we receive the profile data made available by that provider subject to your authorisation.
4.4 From your organisation: where your organisation's administrator provisions an account for you, your administrator-supplied details (name, email, role) are used to create your account.
4.5 From payment processors: Stripe provides us with transaction status, subscription state, and billing event notifications.
4.6 From public sources: where you are acting on behalf of an organisation, we may verify organisational details against public business registries or Companies House equivalent databases.

5. Purposes and Legal Bases for Processing

For users in the EEA, UK, and Switzerland, every processing activity has a defined lawful basis under GDPR Article 6. We do not process personal data beyond what is necessary for these purposes ("data minimisation").

5.1 Performance of Contract — Article 6(1)(b)
We process your data to perform our contractual obligations to you, including:
• Account creation, authentication, and session management
• Delivering Platform features, workspaces, and dashboards
• Billing, invoicing, and subscription management
• Providing customer support and technical assistance
• Sending transactional communications (email verification, password reset, billing notifications, security alerts)

5.2 Legitimate Interests — Article 6(1)(f)
We process data where our legitimate interests (or those of a third party) are not overridden by your fundamental rights and freedoms:
• Fraud detection, abuse prevention, and platform security monitoring
• Product improvement based on aggregated and anonymised usage analytics
• Technical debugging, error resolution, and platform reliability
• Enforcement of our Terms of Service and Acceptable Use Policy
• Business continuity and disaster recovery
• Defence of legal claims
In each case, we have conducted a legitimate interests assessment (LIA) and concluded that our interests do not override your rights.

5.3 Compliance with Legal Obligation — Article 6(1)(c)
• Retention of tax records, invoices, and financial data as required by applicable law
• Response to lawful orders from courts, regulators, or law enforcement agencies
• Record-keeping and reporting obligations under applicable AI regulation, including the EU AI Act
• Anti-money-laundering (AML) and know-your-customer (KYC) checks where required

5.4 Consent — Article 6(1)(a)
We process data on the basis of your freely given, specific, informed, and unambiguous consent for:
• Optional marketing communications (newsletters, governance insights, product updates, event invitations)
• Non-essential analytics cookies and performance tracking
• User research sessions, interviews, and beta programme participation
• Any processing not covered by the bases above that we separately ask you to consent to

Consent withdrawal: You may withdraw consent at any time by emailing [email protected], using the unsubscribe link in any marketing email, or adjusting your notification settings in the Platform. Withdrawal does not affect the lawfulness of processing before withdrawal.

6. Special Categories of Personal Data

6.1 AffectLog does not intentionally collect or process special category data as defined under GDPR Article 9 (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a person's sex life or sexual orientation).

6.2 If you upload content to the Platform that incidentally contains special category data of third parties, you are acting as a separate data controller in respect of that data. You are solely responsible for ensuring you hold a valid legal basis under Article 9(2) (such as explicit consent of the data subjects or a legal obligation) and for implementing appropriate supplementary safeguards.

6.3 If we become aware that special category data has been uploaded without an appropriate legal basis, we reserve the right to take steps to isolate or remove that data and to notify you accordingly.

7. Automated Decision-Making and Profiling

7.1 AffectLog uses automated processing to generate governance assessments, risk scores, readiness indicators, and compliance gap analyses based on the data you enter into the Platform. These outputs are analytical tools to support human decision-making by qualified professionals. They do not constitute automated individual decisions within the meaning of GDPR Article 22(1) because they do not produce legal effects or similarly significant effects on individuals without a human review stage.

7.2 Where AffectLog introduces any processing that meets the threshold of GDPR Article 22 — producing legal or similarly significant effects solely through automated means — we will: (a) notify affected users; (b) provide the safeguards required by Article 22(2); and (c) ensure the rights under Article 22(3) are available, including the right to human review, to express one's point of view, and to contest the decision.

7.3 We do not use personal data to build user profiles for third-party advertising purposes. We do not sell profiling data to data brokers, marketing networks, or data aggregators.

7.4 AI Act compliance: Where features of the Platform constitute an AI system within the meaning of the EU AI Act, we will maintain the documentation and transparency obligations required by that Regulation and will notify you if any high-risk AI system processing your data is introduced.

8. Retention Periods

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our standard retention schedule is as follows:

Category | Retention Period
Account registration and profile data | Duration of account + 90 days following account closure
Platform content and evidence records | Duration of account + 90 days, or as configured by your organisation's administrator (compliance-grade records may be retained up to 7 years)
Billing records, invoices, and VAT data | 10 years (statutory tax retention obligation)
Server access and API request logs | 30 rolling days
Error and crash reports | 90 days
Security event and audit logs | 12 months (or longer if subject to a security investigation)
Marketing consent and preference records | 5 years from the date of last interaction
Support and communications records | 3 years from ticket closure
Legal hold and dispute records | Duration of dispute or investigation + 3 years thereafter

Data subject to a legal hold or regulatory investigation will be retained beyond the above periods until the hold is lifted. We will inform you if a legal hold applies to your data where we are legally permitted to do so. At the end of the applicable retention period, data is securely and irreversibly deleted or anonymised.

9. International Transfers of Personal Data

9.1 AffectLog primarily processes and stores personal data within the European Economic Area. However, certain sub-processors (see Section 10) may process data outside the EEA or the United Kingdom.

9.2 Where personal data is transferred outside the EEA or UK, we ensure adequate protection through one or more of the following mechanisms, as appropriate:
(a) An adequacy decision issued by the European Commission pursuant to GDPR Article 45 (e.g., transfers to countries recognised as providing adequate protection);
(b) Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914, as updated from time to time);
(c) The UK International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs, for transfers from the UK;
(d) Binding Corporate Rules (BCRs) approved by a competent supervisory authority;
(e) The EU–U.S. Data Privacy Framework (DPF) and/or UK Extension to the DPF, where applicable;
(f) Other derogations or safeguards permitted under Chapter V of GDPR, applied narrowly and only where no other mechanism is available.

9.3 You may request copies of our applicable transfer mechanisms by emailing [email protected]. Where we rely on SCCs, we will provide a copy upon request.

9.4 We conduct Transfer Impact Assessments (TIAs) for transfers to third countries where required by supervisory authority guidance. If a TIA identifies unacceptable risks, we will implement supplementary technical measures (such as end-to-end encryption) or find an alternative sub-processor.

10. Sub-Processors and Third-Party Sharing

10.1 We share personal data with trusted sub-processors only to the extent necessary to deliver the Service. All sub-processors are bound by written data processing agreements that impose obligations no less protective than those in this Policy.

10.2 Current sub-processor categories (full list available at affectlog.com/sub-processors or by request):

Category | Purpose | Data Region
Cloud infrastructure & hosting | Platform hosting, database storage, object storage | EU / EEA (with appropriate SCCs for any US sub-processors)
Payment processing | Billing, subscription management, invoicing | USA (Stripe, Inc. — EU–US Data Privacy Framework and SCCs)
Transactional email delivery | Account verification, password reset, billing notifications | EU / USA (SCCs)
Marketing email platform | Opted-in newsletters and product updates (separate from transactional) | EU / USA (SCCs)
Error monitoring | Anonymised crash and exception reporting | EU / USA (SCCs)
Product analytics | Anonymised usage analytics (PostHog or equivalent) | EU / USA (SCCs)
Authentication infrastructure | SSO / SAML identity federation (optional) | Variable (SCCs)
Customer support platform | Support ticket management | EU / USA (SCCs)

10.3 We do not permit sub-processors to use personal data for their own independent purposes.

10.4 Sub-processor changes: We will give you at least 30 days' prior written notice (via email or Platform notification) of any intended addition or replacement of a sub-processor that involves personal data processing. You may object to such changes in writing; if we cannot accommodate your objection, you may terminate the agreement.

10.5 We will not sell, rent, lease, or otherwise transfer personal data to any third party for that third party's own commercial purposes.

10.6 Disclosures required by law: We may disclose personal data to courts, regulators, law enforcement, or other governmental authorities where required by applicable law or pursuant to a valid legal order. Where permitted by law, we will notify you before making such a disclosure and will cooperate with any effort to obtain a protective order.

11. Your Rights

11.1 Rights of EEA and UK Users under GDPR / UK GDPR
You have the following rights, subject to applicable exemptions and conditions:

Right of Access (Article 15): Receive a copy of all personal data we hold about you and information about how it is processed.

Right to Rectification (Article 16): Have inaccurate or incomplete personal data corrected without undue delay.

Right to Erasure — "Right to be Forgotten" (Article 17): Request deletion of your personal data where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and no other legal basis applies; (c) you object and we have no overriding legitimate grounds; (d) the data was unlawfully processed; or (e) deletion is required to comply with a legal obligation.

Right to Restriction of Processing (Article 18): Restrict processing of your personal data in certain circumstances (e.g., while we verify the accuracy of data you have disputed).

Right to Data Portability (Article 20): Receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible, where processing is based on consent or contract and is carried out by automated means.

Right to Object (Article 21): Object at any time to processing of your personal data on the basis of legitimate interests (Article 6(1)(f)) or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds or the processing is for the establishment, exercise, or defence of legal claims.

Rights in Relation to Automated Decision-Making (Article 22): Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where necessary for contract performance, authorised by law, or based on explicit consent.

Right to Withdraw Consent (Article 7(3)): Withdraw any consent at any time without affecting the lawfulness of processing carried out before withdrawal.

11.2 Rights of California Residents under CCPA/CPRA
In addition to applicable rights above, California residents have the right to:
• Know what personal information is collected, used, disclosed, or sold/shared
• Delete personal information (subject to exceptions)
• Opt out of the sale or sharing of personal information (AffectLog does not sell personal information)
• Correct inaccurate personal information
• Limit the use and disclosure of sensitive personal information
• Not be discriminated against for exercising privacy rights
• Designate an authorised agent to submit rights requests on your behalf

11.3 Rights of Canadian Residents under PIPEDA
Canadian residents have the right to: (a) access personal information held about them; (b) challenge the accuracy and completeness of that information; and (c) have it amended where inaccurate.

11.4 Rights of Brazilian Residents under LGPD
Brazilian residents have the right to: confirmation of processing; access; correction; anonymisation, blocking, or deletion; data portability; information about entities with whom data is shared; information about the possibility of denying consent and the consequences thereof; revocation of consent; and to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

11.5 How to Exercise Your Rights
Submit a request to [email protected] with the subject line "Privacy Rights Request — [Right you are exercising]". We will verify your identity before processing the request. We will respond within:
• GDPR / UK GDPR: 30 days (extendable by a further 60 days in complex cases, with notice)
• CCPA/CPRA: 45 days (extendable by a further 45 days, with notice)
• PIPEDA: 30 days
We will not charge a fee for reasonable requests. We may charge a reasonable administrative fee or decline manifestly unfounded or excessive requests.

11.6 Supervisory Authority Complaints
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority:
• EEA users: the supervisory authority in your country of habitual residence, place of work, or the place of the alleged infringement. AffectLog's lead EEA supervisory authority is the CNIL (France) — www.cnil.fr
• UK users: Information Commissioner's Office (ICO) — ico.org.uk
• Swiss users: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
We encourage you to contact us first so we can try to resolve your concern.

12. Children's Data

12.1 The Platform is directed exclusively at professionals and business users. We do not knowingly collect, process, or store personal data of individuals under the age of 18 (or such higher minimum age as required by applicable law in the user's jurisdiction, including 16 years under GDPR Article 8 for certain processing).

12.2 If we become aware that personal data of a child below the applicable minimum age has been collected, we will take immediate steps to delete that data and, where required, to notify the relevant supervisory authority.

12.3 If you believe a child has created an account or provided personal data to us without appropriate parental or guardian consent, please contact us immediately at [email protected].

13. Cookies and Tracking Technologies

13.1 We use the following categories of cookies and similar tracking technologies (including local storage and session storage):

STRICTLY NECESSARY (no consent required)
These cookies are essential for the Platform to function. They include: session authentication tokens, CSRF protection tokens, load-balancing cookies, and preference cookies that remember your opt-out choices. These cannot be disabled through our cookie preferences without making the Platform non-functional.

FUNCTIONAL (consent required)
These cookies remember your preferences and settings to improve your experience, such as preferred language, theme, dismissed banners, and notification preferences.

ANALYTICS (consent required)
These cookies collect information about how you use the Platform — pages visited, features used, and time spent — to help us understand and improve the product. We use PostHog or an equivalent analytics tool with IP anonymisation and data residency within the EEA where possible. We do not use this data to build advertising profiles.

13.2 We do not use:
• Third-party advertising cookies or pixels
• Cross-site behavioural tracking cookies
• Fingerprinting scripts for cross-site identification
• Social media tracking pixels on the Platform

13.3 Cookie controls: You can control cookie settings through: (a) our in-platform cookie preference centre; (b) your browser settings (note: disabling strictly necessary cookies will impair Platform functionality); or (c) by contacting [email protected].

13.4 Third-party SDKs embedded in our Platform may set their own cookies subject to their own privacy policies. We contractually require such third parties to comply with applicable data protection law.

14. Security Measures

14.1 AffectLog implements technical and organisational security measures appropriate to the risk of processing, including:

Technical measures:
• Encryption of all data in transit using TLS 1.3 (minimum TLS 1.2)
• Encryption of data at rest using AES-256 or equivalent industry-standard encryption
• Password storage using bcrypt or scrypt (adaptive cryptographic hashing with per-user salts — passwords are never stored in recoverable form)
• Multi-factor authentication (MFA/TOTP) available to all users and enforced for administrator accounts
• Role-based access control (RBAC) limiting internal and user access on a strict need-to-know basis
• Network segmentation and firewall controls
• Automated vulnerability scanning and dependency patching
• Web Application Firewall (WAF) and DDoS protection
• Comprehensive audit logging of all administrative and privileged actions

Organisational measures:
• Annual penetration testing by qualified independent security professionals
• Security awareness training for all staff who access personal data
• Background screening for staff with access to production systems
• Vendor security assessments before onboarding sub-processors
• Incident response plan and documented data breach notification procedures
• Business continuity and disaster recovery planning

14.2 Responsible disclosure: If you discover a security vulnerability in our Platform, please report it responsibly to [email protected] before any public disclosure. We will acknowledge receipt within 2 business days and provide a remediation timeline. We do not take legal action against good-faith security researchers.

14.3 No system is 100% secure. Despite our measures, we cannot guarantee the absolute security of data transmitted over the internet. You use the Platform at your own risk in this regard.

15. Data Breach Notification

15.1 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. The notification will include, where available: the nature of the breach; the categories and approximate number of individuals and records affected; contact details of our DPO; likely consequences; and measures taken or proposed to address the breach.

15.2 Where the breach is likely to result in a high risk to your rights and freedoms (e.g., identity theft, financial loss, reputational damage), we will notify you directly without undue delay under GDPR Article 34, unless: (a) we have implemented appropriate technical and organisational protection measures that render the data unintelligible; (b) we have taken subsequent measures that ensure the high risk is no longer likely to materialise; or (c) notification would involve disproportionate effort (in which case a public communication will be made instead).

15.3 For CCPA purposes, we will notify California residents in the event of a breach of their unencrypted personal information in accordance with California Civil Code Section 1798.82.

15.4 Breach notifications to you will be sent to the email address associated with your Account or, where unavailable, posted as a prominent notice on the Platform.

16. Artificial Intelligence and Your Data

16.1 No training use: AffectLog will not use your personal data, Your Content, or any data derived from your use of the Platform to train, fine-tune, evaluate, benchmark, or improve any artificial intelligence or machine learning model, whether operated by AffectLog or by any third party, without your explicit written consent.

16.2 AI-powered Platform features: Certain features of the Platform use AI models to analyse content you enter and generate governance assessments, risk indicators, or recommendations. Such processing occurs solely to provide the requested functionality to you. The underlying models may be operated by AffectLog or by a sub-processor subject to our standard data processing agreement. Inputs are not retained by model providers for training purposes under our contractual terms.

16.3 EU AI Act: Where features of the Platform constitute an "AI system" within the meaning of EU AI Act Article 3(1), AffectLog maintains the technical documentation, conformity assessments, and transparency obligations required by that Regulation for the relevant risk category. Where a feature involves a high-risk AI system under Annex III of the AI Act, we will notify you and provide the disclosures required by Articles 13 and 14.

16.4 Human oversight: AffectLog's AI-generated outputs are not intended to replace human professional judgement. You are responsible for reviewing, validating, and applying human expertise to any AI-generated content before relying on it for governance or compliance decisions.

17. Changes to This Policy

17.1 We may revise this Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or feedback from regulators. We will indicate the "Version" and "Last Reviewed" date at the top of this Policy.

17.2 Material changes: For any material change to this Policy (i.e., a change that affects your rights or the way we process your personal data in a significant way), we will: (a) notify registered users by email at least 14 days before the change takes effect; and (b) where required by law, obtain fresh consent.

17.3 Non-material changes (such as clarifications, corrections, and updates to reflect new sub-processors within existing categories already listed) will be posted with an updated "Last Reviewed" date without individual notification, although we will maintain a change log available upon request.

17.4 If you do not accept a material change to this Policy, you should close your account before the effective date of the change. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

18. Contact, Supervisory Authority, and Dispute Resolution

For all data protection enquiries, rights requests, and complaints:

Data Protection & Privacy: [email protected]
Data Protection Officer: [email protected]
Security disclosures: [email protected]
General enquiries: [email protected]

Response times: within 2 business days for general queries; within the statutory period for formal rights requests (see Section 11.5).

Supervisory authority: If you are not satisfied with our handling of your request or complaint, you have the right to lodge a complaint with your national data protection supervisory authority (see Section 11.6 for authority contact details). We encourage you to contact us first.

Dispute resolution: For informal dispute resolution regarding this Policy, email [email protected] with the subject line "Privacy Dispute". We will acknowledge your dispute within 5 business days and work in good faith to resolve it. If we are unable to resolve the dispute, you may refer it to your national supervisory authority or seek judicial remedy.

Version history: Copies of prior versions of this Policy are available upon request.

Provena by AffectLog · AI Governance & Evidence Platform

Privacy: [email protected] · DPO: [email protected] · Security: [email protected]