1. Introduction

This privacy policy (“Privacy Policy”) describes how NOZEBRA (“NOZEBRA”, “we”, “us”, or “our”) processes personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applicable national data protection legislation.

NOZEBRA provides an AI Marketing Hub (SaaS platform) and AI-based optimisation services, including marketing automation, analytics, and AI-supported optimisation and decision-making tools.

In connection with the provision of its services:

· NOZEBRA generally acts as a data processor when processing personal data on behalf of its customers (the “Customers”), and only in accordance with documented instructions from the Customer; and

· NOZEBRA acts as a data controller where personal data is processed for its own independent purposes, as described in this Privacy Policy.

NOZEBRA’s contact details are as follows:

(relevant address)

2. Processing of personal data

2.1 Categories of personal data and sources

NOZEBRA processes personal data in connection with the operation and provision of its platform and services.

The categories of personal data typically include:

· Identification and contact data, such as name, email address, company, and job title

· Account and authentication data, including usernames and passwords

· Technical data, such as IP address, device type, browser, and approximate geographic location

· Usage and behavioural data, including interactions with the platform, features, campaigns, and website navigation

· Marketing and communication data, including preferences, engagement with newsletters, and interaction with advertisements

· Customer relationship and billing data

· Derived and AI-generated data, such as segmentation, scoring, predictions, and optimisation recommendations

NOZEBRA collects personal data from multiple sources. This includes:

· Information provided directly by users, for example when signing up for the platform, registering for events, subscribing to newsletters, or submitting forms (including via third-party platforms such as LinkedIn or similar lead generation tools)

· Information collected automatically when users interact with NOZEBRA’s websites, platform, or digital content, including through cookies and similar technologies

· Information obtained through integrations enabled by the Customer, such as CRM systems, advertising platforms, and analytics tools

· Information generated through interactions with NOZEBRA’s marketing activities, including advertisements on platforms such as Google, LinkedIn, or similar channels

Such data may include, for example, unique identifiers, technical device data, IP address, browsing behaviour, and interaction data, as well as demographic information where available through third-party platforms.

The platform is a cloud-based, subscription-based solution, and Customers determine which personal data is uploaded and processed within the platform.

2.2 Purpose and legal basis for processing

NOZEBRA processes personal data for the purposes described below.

Provision of services and AI functionality

NOZEBRA processes personal data in order to provide, operate, and maintain the platform and to deliver AI-based optimisation services. This includes generating analytics, predictions, and recommendations, as well as ensuring system performance and security.

Such processing may involve automated processing and profiling within the meaning of Article 4(4) GDPR, where necessary for the provision of the services and within the scope defined by the Customer.

The legal basis for this processing is:

· Article 6(1)(b) GDPR (performance of a contract), and

· Article 6(1)(f) GDPR (legitimate interest in maintaining and improving the services)

Customer administration, support, and billing

NOZEBRA processes personal data to manage customer relationships, provide support, and administer subscriptions and invoicing.

This processing is based on:

· Article 6(1)(b) GDPR, and

· Article 6(1)(f) GDPR

Product development and improvement (including AI optimisation)

NOZEBRA may process personal data, primarily in aggregated or anonymised form, in order to:

· Improve and develop the platform

· Optimise algorithms and AI models

· Enhance analytics, performance, and user experience

This processing is based on Article 6(1)(f) GDPR.

Marketing communications and lead generation

NOZEBRA processes personal data to communicate with users and potential customers, including sending newsletters, event invitations, and relevant content.

This may include processing of personal data collected through:

· Website forms

· Event registrations

· Marketing campaigns and lead generation tools (e.g. LinkedIn Lead Ads or similar)

Processing is based on:

· Article 6(1)(a) GDPR (consent), and/or

· Article 6(1)(f) GDPR where permitted under applicable marketing laws

Consent may be withdrawn at any time.

Analytics, tracking, and user experience

NOZEBRA processes personal data through cookies and similar technologies to analyse behaviour, improve services, and personalise communication.

This may include:

· Tracking page visits, clicks, and interactions

· Analysing user journeys and engagement

· Improving relevance of marketing and communications

Legal basis:

· Article 6(1)(a) GDPR (consent) for non-essential tracking

· Article 6(1)(b) or (f) GDPR for necessary functionality

Compliance with legal obligations

NOZEBRA processes personal data where necessary to comply with applicable legal obligations, including accounting, documentation, and security requirements.

Legal basis: Article 6(1)(c) GDPR.

2.3 Recipients of personal data

NOZEBRA may disclose personal data to third parties where necessary, including:

· Public authorities, where required by law or regulatory obligation

· Service providers acting as data processors, including hosting providers, cloud infrastructure providers, and analytics providers

· Third-party platforms and integrations activated by the Customer

· Advertising and marketing platforms where relevant to campaign execution

· Professional advisors, such as legal, accounting, and audit advisors

All processors are engaged under data processing agreements in accordance with Article 28 GDPR.

2.4 Retention period

NOZEBRA retains personal data only for as long as necessary to fulfil the purposes described above and in accordance with applicable law.

Retention periods may vary depending on the type of data and purpose of processing. Cookies and tracking technologies may have defined lifetimes and may be renewed upon subsequent visits.Please see Cookie Policy for details.

Where personal data is processed on behalf of Customers, retention is determined by the Customer’s instructions.

2.5 Security

NOZEBRA implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

In the event of a personal data breach, NOZEBRA will notify the relevant supervisory authority and affected individuals, where required by law, without undue delay.

2.6 Transfers to third countries

NOZEBRA may transfer personal data to recipients outside the EU/EEA, for example in connection with cloud infrastructure or third-party services.

Such transfers are carried out in accordance with Chapter V GDPR and are based on appropriate safeguards, including:

· Standard Contractual Clauses (SCCs), and/or

· The EU-U.S. Data Privacy Framework, where applicable

3. Data subject rights

Under the GDPR, you have the right to access, rectify, and erase your personal data, as well as the right to restrict or object to processing.

You also have the right to withdraw consent at any time where processing is based on consent. In addition, you may have the right to data portability where applicable.

Requests to exercise these rights may be submitted using the contact details above. NOZEBRA will respond without undue delay and within one month, subject to Article 12 GDPR.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority.

Appendix 1 – Categories of personal data

Customers and platform users

This includes identification and contact details, account data, billing information, marketing preferences, and usage data. It also includes campaign interaction data, technical identifiers, and AI-generated outputs such as segmentation, scoring, and predictions.

Data processed on behalf of Customers

This includes data uploaded by Customers, such as CRM data, marketing lists, behavioural data, and interaction data, as well as profiling and segmentation data generated through AI tools.

Website visitors

This includes technical data such as IP address, device information, browsing behaviour, and interaction data.

Marketing and lead generation data

This includes data collected via forms, event registrations, and third-party lead generation tools, including name, email, company, job title, and, where applicable, phone number.