
Privacy Notice on the processing of personal data

Evolus Platform — portal.evolus.ai

Last updated: 5 June 2026

This notice is provided pursuant to articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and describes how the personal data of users who access and use the Evolus platform through the portal portal.evolus.ai are processed.

This notice concerns exclusively the Evolus platform and is distinct from the privacy notice of the evolus.ai showcase website.

1. Data controller

The data controller is CodeDesign S.r.l., with registered office at Via Nino Pesce 38, 18018 Taggia (IM), P. IVA IT01739830089 (hereinafter "CodeDesign" or "Provider").

For any request relating to the processing of personal data and for the exercise of the rights provided for by the GDPR, you may write to: info@codedesign.it.

2. CodeDesign's role and scope of the notice

In providing the Evolus platform, CodeDesign acts in a dual role:

  • a) as data controller, for data relating to account creation and management, authentication, use of the platform, security, assistance and compliance with legal obligations;
  • b) as data processor pursuant to art. 28 GDPR, for the personal data that are processed on behalf of the Customer (the organisation that subscribed) through the Employee AI and the platform's features. Such processing is governed by a Data Processing Authorisation (DPA) signed between CodeDesign and the Customer, which identifies the Customer as the Controller of such data.

For the data processed on behalf of the Customer, providing the notice to data subjects and establishing any legal bases are the responsibility of the Customer. This notice mainly describes the processing operations for which CodeDesign acts as Controller and provides transparency on the entire processing architecture of the platform.

3. Categories of personal data processed

Depending on the features activated, the following categories of data may be processed:

Account and profile data

Access to the portal takes place through the Keycloak identity system (identity.evolus.ai). The following are processed: first name, last name, username, email address, role and group memberships, preferred language and any profile image (avatar).

Usage and technical data

Data relating to the use of the Service, technical logs, session identifiers, diagnostic and operational telemetry data, and audit trail records of the activities performed on the platform.

Content entered into the platform

  • content of conversations and messages exchanged with the Employee AI via web chat, instant messaging and email;
  • recordings and transcriptions of voice conversations, where the voice feature is activated;
  • documents, files and content uploaded to the Knowledge Base for information retrieval (RAG);
  • identification and contact data present in the address book (verified contacts) and in the content managed by the Employee AI;
  • configurations, instructions and automations defined by the Customer.

The content may include personal data of third parties (employees, collaborators, customers and contacts of the Customer). The Customer is responsible for the lawfulness of entering such data and for providing the related notices.

5. Purposes and legal bases of the processing

The data are processed for the following purposes and on the following legal bases:

  • a) provision of the Evolus platform and of the Employee AI features, management of the account and of authentication — legal basis: performance of the contract (art. 6.1.b GDPR);
  • b) assistance and technical support to the user — legal basis: performance of the contract and legitimate interest (art. 6.1.b and 6.1.f GDPR);
  • c) security of the platform, prevention of abuse and audit trail (Safety Engine) — legal basis: the Provider's legitimate interest in ensuring the integrity and security of the Service (art. 6.1.f GDPR);
  • d) compliance with legal, accounting and tax obligations — legal basis: legal obligation (art. 6.1.c GDPR);
  • e) ascertainment, exercise or defence of a right in legal proceedings — legal basis: legitimate interest (art. 6.1.f GDPR).

The Customer's data and content are not used by CodeDesign for its own purposes, nor to train or improve third-party artificial intelligence models, except with the Customer's express and separate written consent.

6. Processing methods and security measures

The processing is carried out with automated tools and, where necessary, with authorised manual interventions. CodeDesign adopts adequate technical and organisational measures pursuant to art. 32 GDPR, including:

  • access control: access to data limited to authorised personnel, with strong authentication mechanisms and role profiling;
  • encryption: data in transit protected with TLS 1.3; data at rest encrypted with AES-256;
  • infrastructure: hosting in certified data centres located in the European Union;
  • audit trail: recording and monitoring of access to data;
  • Safety Engine: system protecting against prompt injection, data leakage and improper use of AI tools;
  • business continuity: daily backups, disaster recovery with RTO < 24 hours and RPO < 1 hour;
  • periodic penetration tests carried out by independent third parties;
  • training of personnel in data protection and information security.

7. Artificial intelligence and model providers

To provide the conversational, synthesis and automation features, the platform transmits the necessary content to providers of artificial intelligence models and voice services (sub-processors indicated in section 8).

The Employee AI is a support and automation tool: it may generate inaccurate or incomplete outputs ("hallucinations"). The outputs do not replace human judgement and must be verified before relying on them for significant decisions. The content transmitted to the AI providers is not used for training their models, except with the Customer's express and separate written consent.

8. Recipients and sub-processors of the processing

The data may be communicated to external providers appointed as processors or sub-processors of the processing, selected from among entities that offer adequate guarantees regarding data protection and bound by contract with obligations equivalent to those assumed by CodeDesign. The sub-processors currently used belong to the following categories:

  • cloud infrastructure, hosting and storage: Hetzner Online GmbH and Microsoft (Microsoft Azure), in data centres located in the European Union;
  • AI services / language models (LLM): Anthropic PBC, OpenAI Global LLC, OpenRouter Inc. and Google LLC;
  • voice transcription services (speech-to-text): Deepgram Inc.;
  • voice synthesis and voice agent services: ElevenLabs Ltd;
  • productivity integrations activated and authorised by the Customer: Microsoft 365 / Microsoft Graph (mail, calendar, Teams, files), Google Workspace and Meta (WhatsApp Business), limited to the data strictly necessary for the activated feature.

The complete and up-to-date list of sub-processors is available on request. CodeDesign communicates any changes of sub-processors with appropriate notice. The data are not subject to dissemination or sale to third parties.

9. Transfer of data to third countries

CodeDesign undertakes to keep personal data within the European Economic Area (EEA). Should the provision of the Service require a transfer to third countries — for example to AI service providers based outside the EU — such transfer takes place exclusively:

  • a) to countries for which the European Commission has adopted an adequacy decision (art. 45 GDPR); or
  • b) in the presence of adequate safeguards pursuant to art. 46 GDPR, such as the Standard Contractual Clauses; or
  • c) on the basis of one of the derogations provided for by art. 49 GDPR.

10. Retention period

Personal data are retained for the time strictly necessary to achieve the purposes for which they are processed and, in any case:

  • account data and the Customer's content are retained for the duration of the contractual relationship; upon termination, at the Customer's choice, they are returned or securely deleted within 60 days, save for legal retention obligations;
  • temporary audit files are retained for a limited period (by way of example 24 hours) and then automatically deleted;
  • conversation data may be deleted by the user directly from the platform; for external channels the technical time windows provided for by the channel apply (by way of example 24 hours for the WhatsApp conversation window);
  • data processed for accounting and tax obligations are retained for the terms provided for by applicable law.

11. Rights of the data subject

Data subjects may exercise at any time the rights provided for by articles 15-22 GDPR, and in particular:

  • access to their personal data;
  • rectification of inaccurate data and completion of incomplete data;
  • erasure of data (right to be forgotten);
  • restriction of processing;
  • data portability;
  • objection to processing based on legitimate interest;
  • withdrawal of consent, where the processing is based on consent, without prejudice to the lawfulness of the processing carried out before the withdrawal.

Requests may be sent to info@codedesign.it; CodeDesign responds within one month of the request. Where the data subject is an employee, collaborator or contact of the Customer and the data are processed by CodeDesign on behalf of the Customer, the request will be forwarded to the Customer, as Controller, without undue delay.

The data subject also has the right to lodge a complaint with the competent supervisory authority (in Italy, the Garante per la Protezione dei Dati Personali — the Italian Data Protection Authority — www.garanteprivacy.it).

12. Amendments to the notice

CodeDesign reserves the right to update this notice to reflect regulatory, technical or organisational changes. The updated version will be published on this page with an indication of the date of last update. You are invited to consult this page periodically.

CodeDesign S.r.l. — Evolus Platform. Registered office: Via Nino Pesce 38, 18018 Taggia (IM) — P. IVA IT01739830089 — info@codedesign.it.