Confidentiality, Intellectual Property & Legal Notice

This notice applies to all information, materials, documents, media assets, software, APIs, demonstrations, technical data, and any other content made available by SINAURA S.R.L., whether accessed through the website, digital platforms, private portals, downloads, or direct communication. This includes, but is not limited to: - Product documentation and specifications - Technical drawings, CAD/BIM models, source code, SDKs, APIs - Videos, presentations, brochures, datasets, images, prototypes - Internal testing materials, R&D information, commercial offers - Software, firmware, mobile/desktop apps and related data All such content is collectively referred to as "Confidential Information".

By accessing, viewing, downloading, or using any material from SINAURA S.R.L., you agree to: (a) keep all Confidential Information strictly confidential (b) use it solely for the purpose of evaluating products, solutions, or business opportunities (c) not copy, distribute, disclose, reverse engineer, decompile, or create derivative works (d) restrict access to individuals with a demonstrable need-to-know, under equivalent obligations (e) implement appropriate safeguards and promptly notify SINAURA S.R.L. of any breach (f) return or permanently delete all materials upon written request No license, transfer of ownership, or right of use is granted unless expressly authorized in writing.

All intellectual property rights, including patents, trademarks, copyrights, design rights, trade secrets, and know-how remain the exclusive property of SINAURA S.R.L. Nothing in this notice shall be construed as: a license (express or implied), a waiver of rights, or an authorization to reproduce, modify, or exploit content. All rights are reserved under applicable laws, including Italian Copyright Law (Law 633/1941), EU IP regulations, and international treaties.

Unless expressly authorized, it is prohibited to: - Forward, print, photograph, screen-capture, or extract contents - Download offline copies or remove watermarks / metadata - Bypass DRM, access controls, or technical protection systems Access may be monitored using digital watermarking, access logs, or unique identifiers exclusively to prevent misuse.

SINAURA S.R.L. ("we", "us", "our"), with registered office at Viale Luigi Majno n. 7, 20122 Milano (MI), Italia, VAT number 14280020968, is the data controller responsible for your personal data in accordance with: • The EU General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) • The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) • The Italian Personal Data Protection Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018) • Any other applicable national data protection legislation implementing the GDPR Data Protection Officer (DPO): Name: Sinaura™ Legal Dept. Email: info@sinauragroup.com Address: Viale Luigi Majno n. 7, 20122 Milano (MI), Italia For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, you may contact our DPO at the above address or email.

This Privacy Policy applies to all personal data collected through our waitlist registration form and demo access request process. It governs the processing of personal data of all individuals ("data subjects") who interact with our registration systems, regardless of their country of residence. This policy applies in conjunction with any other privacy notices or terms that may be provided at the point of data collection. In the event of any conflict between this policy and a specific notice, the specific notice shall prevail to the extent of the inconsistency. By submitting the waitlist registration form, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy in its entirety, including but not limited to the provisions regarding the use of your company name and/or logo as set forth in Section 13.

For the purposes of this Privacy Policy, the following definitions apply, consistent with Article 4 GDPR: • "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. • "Controller" means SINAURA S.R.L., which determines the purposes and means of the processing of personal data. • "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. • "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR (e.g., the Garante per la protezione dei dati personali in Italy, CNIL in France, BfDI in Germany, ICO in the United Kingdom). • "Third Country" means a country outside the European Economic Area (EEA).

When you register for our waitlist or request access to our product demo, we collect and process the following categories of personal data: a) Identity Data: • First name, last name b) Contact Data: • Work email address • Business telephone number • Personal telephone number (where voluntarily provided) c) Professional and Organizational Data: • Company or organization name • Job title or role within the organization • Company size (number of employees) • Industry sector • Primary use case or intended application (where voluntarily provided) d) Technical and Device Data (collected automatically): • IP address (anonymized where feasible) • Browser type and version • Operating system and device type • Screen resolution • Referring URL and pages visited • Date and time of access (timestamps) • Unique device identifiers e) Communication Data: • Records of correspondence between you and us • Communication preferences f) Company Visual Identity Data: • Company name as a brand identifier • Company logo (if publicly available or provided by the data subject) We do not collect any special categories of personal data (as defined in Article 9 GDPR), such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation.

In accordance with Article 6 GDPR, we process your personal data on the following legal bases: a) Consent (Art. 6(1)(a) GDPR): You have given explicit, informed, freely given, and unambiguous consent to the processing of your personal data for the specific purposes described in this Privacy Policy. This consent covers: • The collection and processing of all data categories listed in Section 8 • The use of your company name and/or logo as described in Section 13 • Communications related to your waitlist status and product updates Consent may be withdrawn at any time pursuant to Article 7(3) GDPR, without affecting the lawfulness of processing based on consent before its withdrawal. b) Contractual Necessity (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes managing your waitlist registration and provisioning demo access. c) Legitimate Interest (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the Controller, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject. Our legitimate interests include: • Improving and developing our products and services • Conducting internal analytics, statistical analysis, and market research • Ensuring the security and integrity of our systems • Preventing fraud and unauthorized access A Legitimate Interest Assessment (LIA) has been conducted for each processing activity relying on this legal basis and is available upon request. d) Legal Obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the Controller is subject, including tax, accounting, and regulatory reporting obligations.

We process your personal data strictly for the following purposes: a) Waitlist Management: to register and manage your position on our product waitlist, to verify your identity and eligibility, and to provision access to the product demo when available. b) Communication: to contact you regarding your registration status, product launch dates, demo availability, product updates, feature announcements, and related operational communications. c) Service Improvement: to analyze usage patterns, conduct internal research, and develop improvements to our products, services, and user experience. All data used for this purpose is aggregated and/or pseudonymized where possible. d) Brand Traction and Credibility (Section 13): to use your company name and/or logo in connection with our sales and marketing activities, strictly as described in Section 13 of this Privacy Policy. e) Legal Compliance: to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. f) Rights Protection: to exercise or defend legal claims, to protect the rights, property, or safety of SINAURA S.R.L., its users, or the public. g) Security: to detect, prevent, and address technical issues, security threats, fraud, and unauthorized access. We will not process your personal data for any purpose incompatible with the purposes listed above without first providing you with notice and, where required, obtaining your additional consent. Any new purpose shall be assessed for compatibility in accordance with Article 6(4) GDPR.

We retain your personal data only for as long as is strictly necessary to fulfill the purposes for which it was collected, in compliance with the principles of data minimization and storage limitation (Articles 5(1)(c) and 5(1)(e) GDPR). Specific retention periods: • Waitlist registration data: retained for a maximum of 24 months from the date of collection, or until you withdraw your consent, whichever occurs first. • Communication records: retained for 36 months from the date of the last communication for customer relationship management purposes. • Technical/log data: retained for 12 months for security and system integrity purposes, then anonymized or deleted. • Tax and accounting records: retained for the period required by applicable tax and commercial law (typically 10 years under Italian law, per Art. 2220 of the Italian Civil Code). • Company name/logo usage records: retained for the duration of the license granted under Section 13, plus 12 months after revocation for audit purposes. Upon expiration of the applicable retention period, your personal data will be securely deleted, anonymized, or destroyed using methods that prevent reconstruction or recovery, in compliance with recognized standards (e.g., NIST SP 800-88 for digital media). If you become an active user or customer, your data will be governed by our Customer Privacy Policy, which will be provided to you at that time.

We do not sell, rent, lease, trade, or otherwise make available your personal data to third parties for their own independent commercial or marketing purposes. This is an absolute commitment. Your personal data may be shared with or disclosed to the following categories of recipients, solely for the purposes described in this Privacy Policy: a) Authorized Processors: Trusted third-party service providers who process data on our behalf and under our documented instructions, pursuant to Article 28 GDPR. These include: • Cloud hosting and infrastructure providers (data stored within the EEA or in countries with an adequacy decision) • Email service and communication platforms • Customer relationship management (CRM) systems • Analytics and business intelligence tools (with anonymized/pseudonymized data where possible) • Payment processing services (if applicable) All processors are bound by Data Processing Agreements (DPAs) that include: obligations of confidentiality, technical and organizational security measures, sub-processor approval procedures, data breach notification obligations, and data return/deletion upon termination. b) Professional Advisors: Legal counsel, auditors, accountants, and consultants, to the extent necessary for the provision of their professional services and subject to professional confidentiality obligations. c) Public Authorities: Law enforcement agencies, courts, regulatory bodies, or other public authorities where disclosure is required by applicable law, regulation, judicial order, or enforceable governmental request. d) Business Transfers: In the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, your data may be transferred to the acquiring or successor entity. You will be notified of any such transfer and any changes to this Privacy Policy, in compliance with Article 13 GDPR. e) With Your Explicit Consent: To any other third party where you have provided specific, informed consent for such disclosure. A current list of our sub-processors and their respective roles is available upon request by contacting our DPO.

IMPORTANT: By accepting this Privacy Policy and submitting the waitlist registration form, you expressly grant SINAURA S.R.L. a limited, non-exclusive, revocable, royalty-free, worldwide license to use your company name and/or company logo (collectively, "Brand Assets") solely under the following terms and conditions: a) Permitted Use, Sales Traction and Credibility: We may display your Brand Assets on our website, landing pages, marketing materials, sales collateral, pitch decks, investor presentations, case study listings, and internal reports solely to indicate that your organization has expressed interest in, registered for, or engaged with our product or demo. The display shall be limited to the Brand Assets themselves (name and/or logo) without any accompanying statement that could be interpreted as a testimonial, endorsement, or recommendation unless separately and explicitly agreed in writing. b) Absolute Truthfulness Obligation: We commit, without exception, to never make false, misleading, deceptive, or exaggerated claims or representations about the nature, scope, duration, or extent of your engagement with our product or company. Specifically: • We will NOT represent a waitlist registration as an active customer relationship, paid subscription, formal partnership, or commercial endorsement. • We will NOT attribute quotes, testimonials, case studies, or performance metrics to your organization without separate, explicit, written authorization. • We will NOT imply any level of satisfaction, approval, or recommendation by your organization unless such sentiment has been expressly communicated and authorized in writing. • All representations made in connection with your Brand Assets will be factually accurate, verifiable, and made in good faith. c) Prohibition of Third-Party Commercial Use: We will NOT license, sell, sublicense, assign, transfer, pledge, or otherwise provide your Brand Assets to any third party for their own commercial, marketing, advertising, or promotional purposes. Your Brand Assets will only be used in direct connection with our own legitimate sales, marketing, and investor relations activities. This prohibition extends to affiliated entities, partners, distributors, resellers, and any other third parties unless separately agreed in writing with you. d) Revocation Right: You may revoke this license at any time, for any reason or no reason, by sending a written request to info@sinauragroup.com or by contacting our DPO. Upon receipt of such request: • We will acknowledge receipt within 5 business days. • We will remove your Brand Assets from all digital materials within 15 business days. • We will cease distribution of any printed materials containing your Brand Assets at the next reprint cycle, and in any event within 30 business days. • We will provide written confirmation of removal upon completion. e) Trademark Compliance: This license is subject to all applicable trademark laws, including but not limited to Regulation (EU) 2017/1001 (European Union Trade Mark Regulation), the Paris Convention for the Protection of Industrial Property, and applicable national trademark legislation. We will use your Brand Assets: • In their original form without modification, distortion, or alteration • With appropriate trademark notices and attributions where required • In a manner that does not tarnish, dilute, blur, or bring into disrepute your brand, reputation, or goodwill • In compliance with any brand usage guidelines you may provide to us f) Indemnification: We agree to indemnify and hold harmless your organization from any damages, losses, costs, or expenses (including reasonable legal fees) arising from our breach of the obligations set forth in this Section 13. g) Survival: The obligations of truthfulness (Section 13(b)), prohibition of third-party use (Section 13(c)), and indemnification (Section 13(f)) shall survive the termination or revocation of this license.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or countries that have not received an adequacy decision from the European Commission. In such cases, we ensure that your data is protected by appropriate safeguards as required by Chapter V of the GDPR (Articles 44–49): a) Adequacy Decisions (Art. 45 GDPR): We may transfer data to countries that the European Commission has determined provide an adequate level of data protection (e.g., Switzerland, Japan, Republic of Korea, United Kingdom under the EU-UK Trade and Cooperation Agreement). b) Standard Contractual Clauses (Art. 46(2)(c) GDPR): For transfers to countries without an adequacy decision, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented where necessary by additional technical and organizational measures following the EDPB Recommendations 01/2020 on supplementary measures. c) Binding Corporate Rules (Art. 47 GDPR): Where applicable, intra-group transfers are governed by Binding Corporate Rules approved by the competent supervisory authority. d) Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) for all transfers relying on SCCs, evaluating the legal framework of the recipient country, the nature of the data transferred, and the effectiveness of supplementary measures in place. e) Supplementary Measures: Where a TIA identifies risks, we implement supplementary technical measures such as: encryption in transit and at rest with keys managed within the EEA, pseudonymization, access controls limiting data visibility, and contractual prohibitions on government access disclosure. You may request a copy of the applicable transfer safeguards by contacting our DPO at info@sinauragroup.com.

As a data subject, you are entitled to the following rights under the GDPR and applicable national legislation. These rights may be exercised at any time by contacting our DPO at info@sinauragroup.com: a) Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access a copy of such data together with information about: the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period or criteria used, your rights, and the source of the data. b) Right to Rectification (Art. 16 GDPR): You have the right to obtain the correction of inaccurate personal data and the completion of incomplete personal data without undue delay. c) Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You have the right to obtain the deletion of your personal data where: (i) the data is no longer necessary for the purposes collected; (ii) you withdraw consent and no other legal basis applies; (iii) you object to processing under Art. 21 and there are no overriding legitimate grounds; (iv) the data has been unlawfully processed; or (v) deletion is required by law. d) Right to Restriction of Processing (Art. 18 GDPR): You have the right to restrict processing where: (i) you contest the accuracy of the data (for the period needed to verify accuracy); (ii) the processing is unlawful and you oppose erasure; (iii) we no longer need the data but you need it for legal claims; or (iv) you have objected under Art. 21 (pending verification of legitimate grounds). e) Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (e.g., JSON, CSV, XML) and to transmit it to another controller without hindrance, where processing is based on consent or contract and is carried out by automated means. f) Right to Object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data based on legitimate interests (Art. 6(1)(f)) or public interest (Art. 6(1)(e)), including profiling. Upon objection, we shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Where data is processed for direct marketing, you have an absolute right to object at any time. g) Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. h) Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time by contacting our DPO or using the unsubscribe mechanism provided in our communications. i) Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

In compliance with Article 35 GDPR, we conduct Data Protection Impact Assessments (DPIAs) for any processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. This includes, but is not limited to: • Large-scale processing of personal data • Systematic monitoring of publicly accessible areas • Processing involving new technologies • Processing that could result in a decision that significantly affects the data subject

In accordance with Article 25 GDPR, we implement appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the period of storage, and the accessibility of data. Our approach includes: • Minimizing the collection of personal data to what is strictly necessary (data minimization) • Pseudonymizing or anonymizing personal data where possible • Limiting access to personal data to authorized personnel on a need-to-know basis • Regularly reviewing and updating data processing operations to ensure ongoing compliance • Integrating data protection considerations into the design and development of all products, services, and business processes

Our website and platform may use cookies and similar tracking technologies (including web beacons, pixels, and local storage) in accordance with the ePrivacy Directive (Directive 2002/58/EC) and GDPR. Categories of cookies used: a) Strictly Necessary Cookies: essential for the operation of the website and cannot be disabled. These include cookies for session management, load balancing, and security. b) Analytical/Performance Cookies: used to collect aggregated, anonymized data about how visitors interact with our website, enabling us to improve its performance and usability. Deployed only with your prior consent. c) Functionality Cookies: used to remember your preferences and settings (e.g., language, region). Deployed only with your prior consent. d) Marketing/Targeting Cookies: used to deliver relevant advertisements and track campaign effectiveness. We do NOT currently use marketing or targeting cookies on our waitlist registration page.

In compliance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects. Technical measures include: • Encryption of personal data in transit using TLS 1.2 or higher • Encryption of personal data at rest using AES-256 or equivalent • Secure key management with regular key rotation • Firewalls, intrusion detection/prevention systems (IDS/IPS) • Regular vulnerability assessments and penetration testing • Multi-factor authentication (MFA) for all administrative access • Automated logging and monitoring of access to personal data • Regular backup procedures with encrypted offsite storage

In the event of a personal data breach as defined by Article 4(12) GDPR, we will: a) Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. b) Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR.

In accordance with the principle of accountability (Article 5(2) and Article 24 GDPR), we maintain comprehensive documentation to demonstrate compliance with data protection legislation. This includes: • Records of Processing Activities (ROPA) as required by Article 30 GDPR • Data Protection Impact Assessments (DPIAs) where required by Article 35 GDPR • Data Processing Agreements (DPAs) with all processors per Article 28 GDPR • Documentation of consent records, including timestamp, method, and scope of consent • Policies and procedures for data protection, data retention, breach response, and data subject rights • Training records and awareness materials • Audit logs and compliance reports

Our services and waitlist registration are not directed to individuals under the age of 16 (or the applicable minimum age in your jurisdiction, as specified in Article 8 GDPR and national implementing legislation). We do not knowingly collect, solicit, or process personal data from children. If we become aware that personal data has been collected from a child without verifiable parental or guardian consent, we will take immediate steps to delete such data and, where applicable, notify the relevant supervisory authority.

In addition to the GDPR, we are committed to compliance with the following international data protection frameworks and principles, to the extent applicable: • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) • Brazil General Data Protection Law (LGPD – Lei Geral de Proteção de Dados) • Swiss Federal Act on Data Protection (FADP / nDSG) • UK GDPR and Data Protection Act 2018 • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data • ISO/IEC 27001 and ISO/IEC 27701 • Convention 108+

All materials are provided "as is", without warranties of any kind, express or implied. SINAURA S.R.L. does not warrant that the information is complete, accurate, current, or fit for any particular purpose. Nothing herein constitutes an offer, binding commitment, legal advice, or contractual representation.

To the maximum extent permitted by applicable law, SINAURA S.R.L. shall not be liable for any direct, indirect, incidental, consequential, or special damages arising from or in connection with the use of, or inability to use, any materials provided, even if SINAURA S.R.L. has been advised of the possibility of such damages.

We reserve the right to modify, amend, or update this Privacy Policy at any time. Any changes will be effective upon posting the revised Privacy Policy on this page with an updated "Last Updated" date. For material changes, we will: • Provide you with advance notice via email at least 30 days before the changes take effect • Clearly describe the nature and impact of the changes • Where required by law, obtain your renewed consent before implementing the changes

This notice and Privacy Policy shall be governed by and construed in accordance with the laws of the Italian Republic. Any disputes shall be subject to the exclusive jurisdiction of the courts of Milan, Italy, without prejudice to mandatory consumer protection provisions applicable in the user's country of residence.

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy, the processing of your personal data, or your rights as a data subject, please contact: SINAURA S.R.L. Data Protection Officer (DPO) Name: Sinaura™ Legal Dept. Address: Viale Luigi Majno n. 7, 20122 Milano (MI), Italia Email: info@sinauragroup.com PEC: sinaurasrl@legalmail.it Contact Person: Valerio di Vico (CEO) Email: valerio.divico@sinauragroup.com Contact Person: Brahim Ghezboury (CTO) Email: brahim.ghezboury@sinauragroup.com For complaints, you may also contact your local Data Protection Authority. We are committed to resolving any concerns you may have about our data processing practices and will endeavor to respond to all inquiries within the timeframes required by applicable law.