How we process your personal data, in plain language.
This Privacy Policy describes how SINAURA S.R.L. processes the personal data of users of the website and platform ariaplt.com, pursuant to Regulation (EU) 2016/679 (the “GDPR”) and Italian data protection law.
Version 1.3 · Last updated: 16 May 2026 · Reference: GDPR · Italian D.Lgs. 196/2003 · EU AI Act (Reg. 2024/1689) · NIS2 (Dir. 2022/2555) · EU Data Act (Reg. 2023/2854)
DOCUMENT MAP
- Controller, joint roles and privacy contact
- Scope, intended audience and roles
- SINAURA acting as Controller — processing of prospects, visitors, candidates, business contacts
- SINAURA acting as Processor — processing of Customer data on the Platform
- Categories of data
- Purposes, legal bases and retention — Controller-side
- Purposes, legal bases and retention — Processor-side
- Legitimate interest — balancing test summary (LIA)
- Automated processing, Artificial Intelligence and transparency under the AI Act
- Industrial data, telemetry, and interaction with the EU Data Act
- Recipients and sub-processors
- Extra-EU transfers
- Security measures (Art. 32 GDPR), NIS2 and DORA
- Personal data breach — dual-track procedure (Controller / Processor)
- Data subject rights
- Cookies, trackers and tracking pixels
- Privacy by design and by default (Art. 25 GDPR)
- DPIA and accountability
- Children
- Special categories (Art. 9) and criminal-conviction data (Art. 10)
- Complaints to the Supervisory Authority
- Document hierarchy and language
- Amendments
- Applicable addenda and exhibits
- Contacting SINAURA
- Changelog
1 · CONTROLLER, JOINT ROLES AND PRIVACY CONTACT
Controller
SINAURA S.R.L. ("SINAURA", "we", "us", "our") — Viale Luigi Majno n. 7, 20122 Milan, Italy. VAT no. IT14280020968. Certified email (PEC): sinaurasrl@legalmail.it. General email: info@sinauragroup.com.
Privacy contact
Sinaura Legal Department. Email: info@sinauragroup.com. Certified email (PEC): sinaurasrl@legalmail.it.
All data-protection requests may be sent through these channels.
For industrial and workspace data uploaded by the Customer onto the platform, SINAURA acts as Processor (Art. 28 GDPR) on behalf of the Customer, according to the terms of the DPA signed by the Parties.
Joint controllers
SINAURA does not act as joint controller (Art. 26 GDPR) for the operation of the AriaPLT™ Platform. Any future joint controllership arrangement will be governed by a separate written agreement and disclosed in this Privacy Policy.
2 · SCOPE, INTENDED AUDIENCE AND ROLES
This Privacy Policy describes how SINAURA processes the personal data of:
- visitors of the website ariaplt.com;
- prospects who submit demo requests, contact forms, attend webinars or events organised by SINAURA;
- candidates who apply for open positions;
- suppliers, partners and business contacts of SINAURA;
- Authorised Users (natural persons designated by Customers) of the SaaS platform reachable at ariaplt.com;
- Customer-side data subjects whose personal data is uploaded onto or generated within the Platform by the Customer.
AriaPLT™ is a professional B2B Agentic AI platform addressed to legal entities operating in safety/mission-critical industrial environments (DCS, SCADA, MES, SIS). The Platform is not directed to consumers and not directed to minors (see §19).
Roles under GDPR
SINAURA processes personal data under two distinct GDPR roles, with separate disciplines:
| Scope | Role | Reference |
|---|---|---|
| ariaplt.com, marketing, prospects, candidates, suppliers, invoicing and business contacts | Controller under Art. 4(7) GDPR | §3 of this Privacy Policy |
| Personal data uploaded by the Customer onto AriaPLT™ or generated by Authorised Users within the Customer's tenant workspace | Processor under Art. 4(8) and Art. 28 GDPR, acting on behalf of the Customer | §4 of this Privacy Policy and the DPA executed between SINAURA and the Customer |
The distinction is binding. Where SINAURA acts as Processor, the Customer's documented instructions prevail, subject to the limit in the final subparagraph of Art. 28(3) GDPR: SINAURA must immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection law.
3 · SINAURA AS CONTROLLER — WEBSITES, MARKETING, PROSPECTS, CANDIDATES, BUSINESS CONTACTS
This section discharges the information obligations of Art. 13 GDPR (and, where applicable, Art. 14 for data not collected from the data subject) for processing activities carried out by SINAURA as Controller.
3.1 Visitors of ariaplt.com
- Data: IP address, browser, operating system, pages visited, referrer, technical event data, technical cookies and aggregated analytics (see §16).
- Purpose: operation, security and statistical analysis of the websites.
- Legal basis: Art. 6(1)(f) GDPR — legitimate interest of SINAURA in operating and securing its websites (see §8 for balancing test).
- Retention: technical server logs 12 months; aggregated analytics up to 24 months in anonymised form.
3.2 Prospects (demo requests, contact forms, webinars, events)
- Data: name, business email, company, role, country, message content.
- Purpose: respond to the request, evaluate pre-contractual interest, send the requested commercial information.
- Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures taken at the request of the data subject; Art. 6(1)(a) GDPR for subsequent direct marketing.
- Retention: 24 months from last interaction in the absence of a contract; afterwards anonymisation or deletion. Marketing consent: until withdrawal.
3.3 Candidates (recruiting)
- Data: CV, contact details, professional history, technical skills, optional information voluntarily provided by the candidate.
- Purpose: evaluation of the application for a current or future open position.
- Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures; for retention beyond the specific position, Art. 6(1)(a) consent.
- Retention: 12 months from receipt of the application; longer retention only with explicit consent to be kept in the talent pool, maximum 36 months.
- Note: candidates are invited not to upload special categories of data under Art. 9 GDPR (e.g. health information, photographs revealing sensitive information) unless strictly relevant.
3.4 Direct marketing communications
- Existing Customers — communications on similar products/services: legal basis Art. 6(1)(f) GDPR combined with Art. 130(4) D.Lgs. 196/2003 ("soft opt-in"). Right to object at any time at no cost, including via the one-click opt-out link in every email.
- Prospects and contacts not yet Customers: legal basis Art. 6(1)(a) GDPR — explicit, freely given, specific, informed, unambiguous and documented consent obtained at registration. Withdrawal at any time without consequences (Art. 7(3) GDPR).
- Retention: until withdrawal of consent or exercise of the right to object; logs of consent collection retained for 10 years to demonstrate accountability under Art. 5(2) GDPR.
3.5 Newsletter and event registrations
- Data: business email, name, organisation, topics of interest.
- Legal basis: Art. 6(1)(a) GDPR.
- Retention: until withdrawal.
3.6 Suppliers and business contacts
- Data: name, role, business email, business phone, organisation.
- Legal basis: Art. 6(1)(b) GDPR (contract); Art. 6(1)(f) GDPR for ongoing relationship management and B2B prospecting on professional roles.
- Retention: term of the contractual relationship + 10 years for accounting/fiscal purposes under Art. 2220 Italian Civil Code and tax laws including Art. 22 DPR 600/1973 within statutory limits.
3.7 Billing and tax compliance
- Legal basis: Art. 6(1)(c) GDPR — legal obligation (accounting, VAT, electronic invoicing via SdI).
- Retention: 10 years (Art. 2220 c.c.) in encrypted read-only archives.
3.8 Whistleblowing (where applicable)
[TO BE COMPLETED: confirm whether SINAURA, having reached the thresholds of D.Lgs. 24/2023 (transposing the Whistleblowing Directive (EU) 2019/1937), has activated an internal reporting channel. If so, indicate the URL or channel, the categories of data collected, the separate dedicated privacy notice, the 5-year retention from closure of the report, and confirm that access is restricted to the appointed Whistleblowing Manager. If not yet applicable, indicate the thresholds and the timing under which SINAURA will activate it.]
4 · SINAURA AS PROCESSOR — PROCESSING OF CUSTOMER DATA ON THE PLATFORM
When SINAURA processes personal data uploaded by, or generated within, the Customer's tenant workspace of AriaPLT™ (including Authorised User accounts, telemetry, work orders, agent conversations and outputs), SINAURA acts as Processor under Art. 4(8) and Art. 28 GDPR on behalf of the Customer, who is the Controller.
The terms of this processing are governed by the Data Processing Agreement (DPA) executed between SINAURA and the Customer in compliance with Art. 28(3) GDPR, available at sinauragroup.com/en/legal/dpa. The DPA prevails over this Privacy Policy on Processor-side processing.
In particular, the DPA covers:
- subject-matter, nature, duration and purpose of the processing;
- categories of personal data and data subjects;
- detailed obligations of the Processor (assistance, audit rights, sub-processor management, return/deletion, breach notification within 48 hours, technical and organisational measures);
- sub-processor list and management;
- international transfer regime.
5 · CATEGORIES OF DATA
We process only data strictly necessary to provide the Platform and related services. We do not sell data to third parties. We do not use Customer data to train generalist AI models intended for or shared with other customers.
A. Account and identity data (Authorised Users)
- Name, surname, business email, role/title, organisation.
- Hashed credentials, MFA factors.
- Access logs and device information.
B. Usage and telemetry data
- Product events, sessions.
- Application logs (IP, user-agent).
- Performance metrics.
- Audit trail of actions.
C. Industrial content data (uploaded or generated by the Customer)
- Technical documents (P&IDs, manuals, SOPs).
- Work orders, CMMS/ERP integration data.
- SCADA/PLC/DCS telemetry (may or may not be personal — see §10).
- AgenticAI inputs, outputs and agent conversations.
D. Website browsing data
- Technical cookies, anonymised analytics, technical session data.
E. Prospect, candidate and supplier data (Controller-side)
- See §3 for detail.
Special categories (Art. 9 GDPR) and criminal-conviction data (Art. 10)
See §20.
6 · PURPOSES, LEGAL BASES AND RETENTION — CONTROLLER-SIDE
Controller-side processing purposes, legal bases and retention periods:
| Purpose | Categories | Legal basis | Retention |
|---|---|---|---|
| Website operation and security | D | Art. 6(1)(f) GDPR, legitimate interest | 12 months for logs; 24 months for anonymised analytics |
| Demo or contact responses and pre-contractual evaluation | E (prospect) | Art. 6(1)(b) GDPR, pre-contractual measures | 24 months from the last interaction |
| Direct marketing to existing Customers for similar products or services | E | Art. 6(1)(f) GDPR and Art. 130(4) D.Lgs. 196/2003, soft opt-in | Until objection |
| Direct marketing to non-customer prospects | E | Art. 6(1)(a) GDPR, consent | Until withdrawal |
| Newsletter and event registrations | E | Art. 6(1)(a) GDPR, consent | Until withdrawal |
| Candidate evaluation | E (candidate) | Art. 6(1)(b) GDPR for pre-contractual measures; Art. 6(1)(a) GDPR for talent-pool retention | 12 months, or 36 months with consent |
| Supplier and business contact management | E (supplier) | Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR for relationship management | Duration of the relationship plus 10 years under Art. 2220 of the Italian Civil Code |
| Billing and tax compliance | E | Art. 6(1)(c) GDPR, legal obligation | 10 years |
| Defence in legal proceedings | All relevant categories | Art. 6(1)(f) GDPR, legitimate interest | Until conclusion of the proceedings and expiry of the applicable limitation period |
| Whistleblowing | To be completed | Art. 6(1)(c) GDPR, legal obligation under D.Lgs. 24/2023 | 5 years from closure of the report |
7 · PURPOSES, LEGAL BASES AND RETENTION — PROCESSOR-SIDE (CUSTOMER DATA)
Processor-side processing purposes, legal bases and retention periods:
| Purpose | Categories | Legal basis | Retention |
|---|---|---|---|
| Service provision and Platform operation | A, B and C | Art. 6(1)(b) GDPR or another lawful basis documented by the Customer as controller | Duration of the agreement plus the T0-T15-T30 offboarding procedure |
| Security and anti-fraud at Platform level | A and B | Art. 6(1)(f) GDPR, legitimate interest of SINAURA and the Customer, as described in §8 | 12 months for security logs |
| Per-Customer agent specialization | C and feedback data | Art. 6(1)(b) GDPR in the Customer-SINAURA contractual framework, with the underlying lawful basis determined by the Customer's documented instructions | Duration of the agreement plus the T0-T15-T30 offboarding procedure |
| Service improvement using anonymised data only | B and C reduced to anonymised, aggregated data | Outside GDPR where anonymisation is effective; Art. 6(1)(f) GDPR only where residual personal data remains | 24 months |
| Operational product communications to Authorised Users | A | Art. 6(1)(b) GDPR | Duration of the agreement |
| Compliance with legal obligations on SINAURA | Variable depending on the request | Art. 6(1)(c) GDPR | As required by law |
End of retention: irreversible deletion or anonymisation, following the T0–T15–T30 procedure set out below.
T0–T15–T30 deletion procedure (Customer offboarding)
- T0 — workspace closure, suspension of access, security snapshot.
- T1–T15 — final export window (CSV/JSON/PDF/API) at Customer's request.
- T16–T30 — deletion of accounts, embeddings, RAG vault, specialized agent configurations and crypto-shredding of backups.
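As an added illustration of what the crypto-shredding step at T16–T30 means in practice (example code written for this page, not SINAURA's implementation and not part of the DPA), the following Go program uses envelope encryption: each tenant has a key-encryption key (KEK) held only in a key store, every backup object is encrypted under its own data-encryption key (DEK), and the DEK is stored alongside the object wrapped under the tenant KEK with AES-256-GCM. Offboarding destroys the KEK; the backup copies remain byte-for-byte where they were, but nothing can unwrap the DEKs any more, so they are unrecoverable without a single object being touched. The in-memory KeyStore stands in for a KMS/HSM, and the tenant ID and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyShredded = errors.New("tenant KEK destroyed: backups are unrecoverable by design")

// Backup is what lands in the backup bucket: ciphertext plus the per-object DEK
// wrapped under the tenant KEK. No plaintext key material is stored with it.
type Backup struct {
	TenantID   string
	WrappedDEK []byte // DEK sealed under the tenant KEK (AES-256-GCM, nonce prepended)
	Body       []byte // payload sealed under the DEK (AES-256-GCM, nonce prepended)
}

type KeyStore struct{ keks map[string][]byte } // stand-in for the KMS/HSM; in-memory here
func NewKeyStore() *KeyStore                { return &KeyStore{keks: map[string][]byte{}} }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

// ProvisionTenant creates the tenant's 256-bit KEK at workspace creation.
func (ks *KeyStore) ProvisionTenant(tenantID string) { ks.keks[tenantID] = mustRandom(32) }

// Shred zeroises and deletes the tenant KEK (the T16–T30 step). Every backup
// wrapped under it becomes unreadable, wherever its copies live.
func (ks *KeyStore) Shred(tenantID string) {
	if kek, ok := ks.keks[tenantID]; ok {
		clear(kek)
		delete(ks.keks, tenantID)
	}
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always 32 bytes here
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts pt under key with a fresh nonce; aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// CreateBackup encrypts payload under a one-off DEK and wraps the DEK under the tenant
// KEK. The tenant ID is AAD in both layers, so a blob cannot be relabelled for another tenant.
func (ks *KeyStore) CreateBackup(tenantID string, payload []byte) (Backup, error) {
	kek, ok := ks.keks[tenantID]
	if !ok {
		return Backup{}, ErrKeyShredded
	}
	dek, aad := mustRandom(32), []byte(tenantID)
	return Backup{TenantID: tenantID, WrappedDEK: seal(kek, dek, aad), Body: seal(dek, payload, aad)}, nil
}

func (ks *KeyStore) RestoreBackup(b Backup) ([]byte, error) {
	kek, ok := ks.keks[b.TenantID]
	if !ok {
		return nil, ErrKeyShredded
	}
	aad := []byte(b.TenantID)
	dek, err := open(kek, b.WrappedDEK, aad) // unwrap the DEK, then decrypt the body
	if err != nil {
		return nil, err
	}
	return open(dek, b.Body, aad)
}

func main() {
	ks := NewKeyStore()
	ks.ProvisionTenant("tenant-a") // constructed tenant ID; constructed payload below
	b, _ := ks.CreateBackup("tenant-a", []byte("WO-4711: pump P-101 seal replaced"))
	ks.Shred("tenant-a")
	_, err := ks.RestoreBackup(b)
	fmt.Printf("after shred: %v (ciphertext still %d bytes)\n", err, len(b.Body))
}
```

Two properties an offboarding test should check: restoring after Shred fails with ErrKeyShredded even though the ciphertext is intact, and re-provisioning a new KEK under the same tenant ID does not bring old backups back, because the wrapped DEKs are bound to the destroyed key. Binding the tenant ID into the AAD of both layers also means a backup blob copied into another tenant's workspace fails authentication rather than decrypting.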
Statutory exceptions
- Billing and tax records: 10 years (Art. 2220 c.c.).
- Security and access logs: 12 months for accountability and security.
- GDPR audit trail: term of agreement + 12 months.
- Litigation hold: data subject to ongoing proceedings or authority requests retained until conclusion.
8 · LEGITIMATE INTEREST — BALANCING TEST SUMMARY (LIA)
Pursuant to Art. 6(1)(f) GDPR, Recital 47, EDPB Guidelines 1/2024 on legitimate interest and CJEU C-621/22 KNLTB (4 October 2024), SINAURA carries out, prior to the start of processing, a documented three-step test (purpose / necessity / balancing). The complete Legitimate Interest Assessment (LIA) is available upon request sent to info@sinauragroup.com.
Summary
Summary of the main legitimate-interest assessments:
| Processing | Purpose | Necessity | Safeguards | Right to object |
|---|---|---|---|---|
| Security and anti-fraud in Platform logs | Detect and prevent fraud, intrusions and abuse | No less intrusive alternative is available; logging is essential for security | Strict access control, 12-month retention, no profiling beyond security purposes, encryption | Art. 21(1) GDPR, on grounds relating to the data subject's particular situation |
| Service improvement using anonymised B/C data | Improve quality, reliability and accuracy of the Platform | Needed to maintain industry-grade reliability for safety-critical operations | Strict anonymisation based on WP29 Opinion 05/2014, no individual profiling, aggregate use only | Remains available, although effectively anonymised data fall outside the GDPR |
| Defence in legal proceedings | Enforce and defend SINAURA's rights | Needed to exercise legal rights | Limited to data relevant to the proceeding, with access restricted to the legal team | Art. 21(1) GDPR, balanced against compelling legitimate grounds |
| Website operation and security | Operate and protect the websites | Logs and basic analytics are necessary | Analytics anonymisation and 12-month log retention | Art. 21(1) GDPR |
| B2B business-contact processing for relationship management | Maintain ordinary B2B contact relationships | Necessary and proportionate in a professional-contact context | Limited to professional contact data, no profiling, easy unsubscribe | Art. 21(1) and 21(2) GDPR for direct marketing |
Right to object: at any time, by writing to info@sinauragroup.com or, where a certified channel is required, to sinaurasrl@legalmail.it, with no formal requirements and without prejudice to any other right.
9 · AUTOMATED PROCESSING, ARTIFICIAL INTELLIGENCE AND TRANSPARENCY UNDER THE AI ACT
AriaPLT™ is an Agentic AI platform: it uses AI models to assist industrial processes. This section satisfies the transparency obligations under Art. 13(2)(f) GDPR (existence of automated decision-making) and Art. 50 AI Act (transparency obligations for certain AI systems).
9.1 Four binding commitments
- No training of generalist models — Customer data and content is never used to train AI models intended for or shared with other customers.
- Zero data retention with external LLM providers — calls to LLM providers are made with "no training" and "zero retention" flags active, under dedicated DPAs with the providers.
- Isolated vertical RAG — embeddings derived from Customer documents are stored within the Customer's tenant workspace, segregated, encrypted at-rest (AES-256) and deleted on closure.
- Human-in-the-loop by design — agent outputs are decision-support and require human review; they do not represent fully automated decisions under Art. 22 GDPR, see §9.4 below.
9.2 Per-Customer agent specialization
The Platform's AgenticAI agents may be specialized to the Customer's own context through fine-tuning, instruction-tuning, retrieval-augmented configuration and reinforcement on the Customer's data and feedback. This is the only form of training that SINAURA performs on Customer data. It is exclusively:
- per-tenant, within the isolated Customer workspace, never cross-tenant;
- on the Customer's own Input, Output, Customer Data and feedback as training signal;
- for the sole benefit of the Customer's own agents, with no carry-over of trained weights, prompts or specialization artefacts to agents serving other customers;
- under the same encryption, segregation and access-control safeguards as Customer Data (AES-256 at-rest, tenant isolation, RBAC, immutable audit trail);
- with the right of the Customer to opt out at any time via the workspace administration settings (the agents will then operate in pre-trained baseline mode);
- with complete deletion of the specialized agent configurations and any derived training artefacts upon termination of the Subscription, under the T0–T15–T30 procedure.
9.3 Data distillation
By "data distillation" we mean the extraction of vector representations (embeddings) and semantic summaries from technical documents, enabling search, retrieval and answering by AgenticAI agents over Customer data. Distillation is carried out within the tenant workspace, never cross-tenant, with AES-256 at-rest encryption, logical segregation, no feeding of generalist models, and complete deletion on workspace closure.
9.4 Art. 22 GDPR — automated individual decision-making
SINAURA does not, in the design and default operation of the Platform, carry out solely automated decisions producing legal effects or similarly significantly affecting natural persons within the meaning of Art. 22(1) GDPR, as interpreted by CJEU judgment C-634/21 SCHUFA of 7 December 2023. The Platform's agents produce decision-support outputs that require human review by Authorised Users (Human-in-the-Loop by design). The natural person responsible for the final action remains the Authorised User and/or the Customer.
Where the Customer chooses to integrate AriaPLT™ outputs into its own decision workflows in such a way that the result is a solely automated decision producing legal or similarly significant effects on natural persons (e.g. employees, contractors, third parties), the Customer is the Controller responsible for compliance with Art. 22 GDPR and must:
- ensure that one of the exceptions of Art. 22(2) applies (necessary for contract, authorised by Union or Member State law with safeguards, or explicit consent);
- implement suitable measures to safeguard the rights and freedoms of the data subject, including at minimum the right to obtain human intervention, to express his or her point of view and to contest the decision (Art. 22(3) GDPR);
- inform data subjects pursuant to Art. 13(2)(f) and Art. 14(2)(g) GDPR with meaningful information about the logic involved and the significance and envisaged consequences.
SINAURA makes available technical documentation and FRIA/DPIA support materials to assist the Customer.
9.5 AI Act — Art. 50 transparency
Where the Customer integrates AriaPLT™ output into systems, products or services made available to natural persons, the Customer is responsible for the transparency duties of Art. 50 AI Act:
- disclosure of interaction with an AI system to natural persons interacting with it;
- labelling of AI-generated or AI-manipulated content as such (text, audio, image, video), with machine-readable markings where required.
SINAURA supports compliance through digital signatures and metadata on agent outputs.
9.6 AI Act — High-risk AI systems (Art. 6 and Annex III)
Where the Customer integrates Outputs into AI systems classified as high-risk under Art. 6 and Annex III AI Act (e.g. critical infrastructure, employment management, access to essential services, law enforcement, education), the Customer assumes the obligations of deployer (or, where applicable, provider) including risk management, conformity assessment, human oversight, post-market monitoring and reporting.
The Customer acknowledges that, as deployer:
- under Art. 26(9) AI Act, it shall use the information provided by the provider to comply with its DPIA obligation under Art. 35 GDPR;
- under Art. 27 AI Act, where it is a body governed by public law or a private operator providing public services, it shall conduct a Fundamental Rights Impact Assessment (FRIA) before deployment;
- under the Digital Omnibus on AI (political agreement of 7 May 2026), the applicability of certain high-risk AI obligations has been postponed from August 2026 to December 2027 (with further extensions for products covered by EU product safety legislation). This postponement does not exempt the deployer from preparatory work, which should begin now.
SINAURA's role is limited to providing the underlying Platform and does not, on its own, constitute deployment of a high-risk AI system.
9.7 Prohibited AI practices (Art. 5 AI Act)
The Customer undertakes not to use AriaPLT™ to implement AI practices prohibited under Art. 5 AI Act (e.g. social scoring, biometric categorisation for sensitive inference, real-time biometric identification in publicly accessible spaces outside the legal exceptions, manipulative or exploitative techniques, untargeted scraping of facial images). Violation may result in immediate suspension of the Service and notification to the competent authorities.
9.8 Specific rights related to AI
In compliance with Art. 22 GDPR and the AI Act, every data subject has the right to:
- request meaningful information on the logic of the agents that concern them;
- obtain human review of any decision producing significant effects on them;
- express their point of view and contest the decision.
Requests are addressed to info@sinauragroup.com or, where appropriate, to sinaurasrl@legalmail.it.
10 · INDUSTRIAL DATA, TELEMETRY AND INTERACTION WITH THE EU DATA ACT
AriaPLT™ processes large volumes of industrial data (SCADA/PLC/DCS telemetry, MES events, CMMS records, work orders, technical documents, agent conversations). The qualification of such data under GDPR requires case-by-case assessment.
10.1 Personal vs non-personal industrial data
Industrial data is qualified as personal data under Art. 4(1) GDPR and Recital 26, as interpreted by CJEU C-582/14 Breyer of 19 October 2016, when it relates to an identified or identifiable natural person, including by means of combination with other available information. Examples relevant to industrial environments:
- HMI/SCADA actions associated with operator login or shift schedule;
- manual overrides, safety acknowledgements, near-miss reports identifying operators;
- biometric badge access logs;
- video/image data from plant cameras;
- agent conversations including operators' names or signatures.
Such data is treated by SINAURA as personal data under the discipline of §4 and the DPA.
Industrial data that is purely machine-to-machine, without any link (direct or indirect) to identifiable natural persons, falls outside the scope of the GDPR. It remains subject, where applicable, to the EU Data Act and to contractual confidentiality.
10.2 EU Data Act (Reg. 2023/2854)
The EU Data Act applies from 12 September 2025. Connected products placed on the EU market after 12 September 2026 must be designed and manufactured in compliance with the access-by-design principle of Art. 3 Data Act, allowing the user to access the data they generate easily, securely, free of charge and in a structured, commonly used, machine-readable format, directly and in real time where relevant and technically feasible.
AriaPLT™, as a B2B platform for connected industrial environments, supports the Customer (as data holder vis-à-vis the Customer's own users) in fulfilling its access-by-design and data sharing obligations under the EU Data Act, by providing export functionalities (CSV/JSON/PDF/API) and documented data interfaces.
[TO BE COMPLETED: confirm the scope of supported export formats and the granularity of access for each module (connected product / industrial process data), with reference to SINAURA's Data Act readiness statement to be published by 12 September 2026.]
10.3 EU Data Governance Act (Reg. 2022/868)
SINAURA does not provide data intermediation services within the meaning of Art. 10 of the Data Governance Act. Any future deployment of such services will be notified to the competent authority and disclosed in this Privacy Policy.
11 · RECIPIENTS AND SUB-PROCESSORS
All sub-processors operate under DPAs compliant with Art. 28(2) to 28(4) GDPR. The up-to-date list and revision history are published at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors and are incorporated by reference into the DPA.
Current sub-processors:
| Sub-processor | Role | Location | Compliance |
|---|---|---|---|
| AWS | Primary cloud provider for hosting, storage, compute and backup | EU, Frankfurt (eu-central-1) | AWS Compliance Programs — ISO 27001, ISO 27017/18, SOC 1/2/3, C5, PCI DSS, EU Cloud Code of Conduct where applicable |
| Vercel Inc. | Public front-end for ariaplt.com | EU, Frankfurt region pinning | Vercel Compliance — SOC 2, ISO 27001, GDPR commitments, DPF where applicable |
| Postmark / AWS SES | Transactional email | EU | Postmark Security, Postmark DPA, AWS Compliance Programs — SOC 2, GDPR commitments |
| Stripe Payments Europe Ltd | Subscription payments | EU, Ireland | Stripe Security — PCI DSS Level 1, SOC 1/2 |
| Anthropic | LLM inference through EU endpoints with no-training and zero-retention settings | EU endpoint; provider entity in the US with DPF certification where applicable | Anthropic Trust Center, Anthropic Resources — SOC 2, no-training commitments, dedicated DPA |
| OpenAI Ireland Ltd | LLM inference through EU endpoints with no-training and zero-retention settings | EU endpoint; Ireland-based entity, with US entity DPF-certified where applicable | OpenAI Europe Data Residency, OpenAI API Data Controls — SOC 2, no-training commitments, dedicated DPA |
| Mistral AI | LLM inference | EU, France | Mistral AI Trust Center, Trust Resources — SOC 2, no-training commitments, dedicated DPA |
| Datadog EU | Observability, monitoring or SIEM provider | EU | Datadog Compliance, Datadog Trust Center — SOC 2, ISO 27001, GDPR commitments |
| Personio | HR, payroll or ATS provider for controller-side processing | EU | Personio Security, Personio Trust Center — ISO 27001, GDPR commitments |
| HubSpot | CRM or marketing automation provider, for example HubSpot EU | EU | HubSpot Security, HubSpot Trust Center — SOC 2, GDPR commitments, DPA |
Changes to the sub-processor list are notified to the Customer at least 30 days in advance via email to the administrative address and via update of sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors, with a right of reasoned objection under §5(1) of the DPA. The list of AWS sub-sub-processors is published and kept up to date by AWS itself.
12 · EXTRA-EU TRANSFERS
AriaPLT™ is designed as an EU-resident platform by design. The entire production infrastructure for Customer data is hosted on AWS Frankfurt (eu-central-1), distributed across three physically separated Availability Zones.
- Storage, compute, backup never outside the EU for Customer production data by default.
- AES-256 at-rest, TLS 1.3 in-transit.
- No extra-EU transfer of Customer Data by default.
Any extra-EU transfer (e.g. activation of an extra-EU LLM module upon explicit Customer opt-in, or support access from non-EU entities of SINAURA's group [TO BE COMPLETED: confirm whether any such entities exist]) takes place under:
(i) an adequacy decision pursuant to Art. 45 GDPR, including the EU-US Data Privacy Framework (Commission Implementing Decision 2023/1795 of 10 July 2023), where the recipient is DPF-certified and the data falls within the recipient's certification scope; or
(ii) Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021), accompanied by a documented Transfer Impact Assessment following EDPB Recommendations 01/2020 and 02/2020, with supplementary technical, contractual and organisational measures where the TIA so requires.
Although the validity of the DPF was confirmed by the General Court of the EU on 3 September 2025 (Case T-553/23 Latombe v Commission), SINAURA monitors the evolving case-law and reserves the right to apply SCC + TIA as a precautionary primary mechanism, without prejudice to DPF coverage.
The Customer is informed that activation of extra-EU LLM modules may trigger the Customer's obligation to perform a DPIA under Art. 35 GDPR; SINAURA makes available an up-to-date DPIA template aligned with the EDPB DPIA Template 2026.
13 · SECURITY MEASURES (ART. 32 GDPR), NIS2 AND DORA
13.1 Technical and organisational measures (Art. 32 GDPR)
SINAURA adopts a security-by-design approach, aligned with the NIST CSF framework and with the requirements of Directive (EU) 2022/2555 (NIS2) as transposed in Italy by D.Lgs. 138/2024.
- SSO SAML/OIDC, mandatory MFA for admins, granular RBAC.
- AES-256 at-rest and TLS 1.3 in-transit encryption, strict tenant segregation.
- Immutable audit trail, cryptographic hashes, digital signatures on outputs.
- Multi-AZ backups, RPO < 24h, RTO < 4h, 99.9% SLA.
- Annual penetration tests, continuous vulnerability scanning (SAST/DAST/SCA).
- DLP and content scanning at upload time to detect and flag potential special-category data and minors' data.
- GDPR / EU AI Act / NIS2 training programmes for personnel.
- AI Governance Committee.
- Designated Authorised Personnel under Art. 29 GDPR with documented instructions.
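The "immutable audit trail, cryptographic hashes, digital signatures on outputs" bullet above, and the signed output metadata mentioned in §9.5, can be realised with a hash-chained, signed log. The following Go program is an added example written for this page, not SINAURA's code: each record carries the SHA-256 of the agent output (not the output itself), the hash of the previous record and an Ed25519 signature over its own hash, and Verify replays the chain with only the public key and reports exactly which record was altered. The service key is generated in memory and the sample activity (an agent recommendation, its human review, the resulting work order) is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

var genesis = strings.Repeat("0", 64) // back-link of the first entry

// Entry is one audit record. It stores a hash of the agent output, not the output
// itself, so the trail proves what was produced without holding Customer content.
type Entry struct {
	Seq        uint64 `json:"seq"`
	TenantID   string `json:"tenant_id"`
	Actor      string `json:"actor"`       // Authorised User or agent identifier
	Action     string `json:"action"`      // e.g. agent.output, human.review
	OutputHash string `json:"output_hash"` // SHA-256 of the output text
	Timestamp  string `json:"ts"`          // RFC 3339, supplied by the caller
	PrevHash   string `json:"prev_hash"`   // hash of the previous entry: the chain
	Hash       string `json:"hash,omitempty"`
	Signature  string `json:"sig,omitempty"` // Ed25519 over Hash
}

// AuditLog is append-only: entries are chained by hash and each one is signed with a
// service key whose private half never leaves the log writer (held in memory here).
type AuditLog struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewAuditLog() (*AuditLog, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditLog{priv: priv, Pub: pub}, nil
}

// entryHash covers every field except Hash and Signature. json.Marshal emits struct
// fields in declaration order, so the encoding is deterministic.
func entryHash(e Entry) string {
	e.Hash, e.Signature = "", ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new record to its predecessor, hashes it and signs the hash.
func (l *AuditLog) Append(tenant, actor, action, output, ts string) Entry {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	oh := sha256.Sum256([]byte(output))
	e := Entry{Seq: uint64(len(l.Entries)), TenantID: tenant, Actor: actor, Action: action,
		OutputHash: hex.EncodeToString(oh[:]), Timestamp: ts, PrevHash: prev}
	e.Hash = entryHash(e)
	e.Signature = hex.EncodeToString(ed25519.Sign(l.priv, []byte(e.Hash)))
	l.Entries = append(l.Entries, e)
	return e
}

// Verify replays the chain with only the public key. It returns the index of the first
// entry whose sequence, back-link, hash or signature is wrong, or -1 if the log is intact.
func Verify(entries []Entry, pub ed25519.PublicKey) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	l, err := NewAuditLog()
	if err != nil {
		panic(err)
	}
	// Constructed sample: an agent recommendation, its human review, the resulting action.
	l.Append("tenant-a", "agent:maint-01", "agent.output", "Inspect pump P-101 seal within 24h", "2026-05-16T08:00:00Z")
	l.Append("tenant-a", "user:op-17", "human.review", "approved", "2026-05-16T08:05:00Z")
	l.Append("tenant-a", "user:op-17", "work_order.create", "WO-4711", "2026-05-16T08:06:00Z")
	fmt.Println("intact log, first bad index:", Verify(l.Entries, l.Pub))
	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Actor = "user:op-99" // rewrite who approved
	fmt.Println("tampered log, first bad index:", Verify(tampered, l.Pub))
}
```

The log stores the output hash rather than the output, so the trail can be retained for the term of the agreement plus 12 months (§7, statutory exceptions) without itself becoming a copy of Customer content; an output a Customer later wants to verify is re-hashed and compared. Because each signature covers a hash that includes the previous record's hash, someone with write access to the storage but not to the signing key cannot edit, drop or reorder a past record without Verify pinpointing it.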
Technical details are set out in Annex 1 of the DPA (Technical and Organisational Measures).
13.2 NIS2 — SINAURA as ICT service provider
[TO BE COMPLETED: confirm SINAURA's qualification under D.Lgs. 138/2024 (essential entity, important entity, or out of scope). If in scope, confirm: registration with ACN (Italian National Cybersecurity Agency) within the annual window (1 January to 28 February of each year; next applicable window 2027); designation of the NIS2 Point of Contact; classification of activities and services in the May–June annual window; adoption of the cybersecurity measures under Art. 24 D.Lgs. 138/2024 by the applicable deadlines (the measures in force from 1 October 2026 already apply); and absence of conflicts of interest between the DPO (Art. 38(6) GDPR) and CISO functions, as required by NIS2 guidance.]
13.3 DORA — Customers in the financial sector
For Customers that are financial entities under Regulation (EU) 2022/2554 (DORA), applicable since 17 January 2025, SINAURA supports the Customer's obligations under Art. 28-30 DORA, including:
- inclusion in the Customer's Register of Information (ROI) with the reference date applicable to each annual cycle (the 2026 cycle reference date is 31 December 2025);
- inclusion of contractual provisions required by Art. 30 DORA in the DPA and MSA;
- cooperation with the Customer in resilience testing where applicable;
- monitoring of designations of Critical ICT Third-Party Providers (CTPPs) by ESAs, including the 19 designated on 18 November 2025 (AWS, Microsoft Azure, Google Cloud, others), where they are part of SINAURA's supply chain.
13.4 Vulnerability disclosure
Security vulnerability reports may be sent to info@sinauragroup.com or, where a formal communication channel is required, to sinaurasrl@legalmail.it.
14 · PERSONAL DATA BREACH — DUAL-TRACK PROCEDURE
SINAURA distinguishes its obligations depending on the role.
14.1 Breach affecting Customer data — SINAURA as Processor (Art. 33(2) GDPR)
SINAURA notifies the Customer without undue delay and in any case within 48 hours of becoming aware of a personal data breach affecting Customer data, under §3.5 of the DPA, providing the information required by Art. 33(3) GDPR (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed). Upon Customer request and at reasonable cost, SINAURA assists the Customer in any subsequent notification to the supervisory authority (Art. 33(1) GDPR) and communication to data subjects (Art. 34 GDPR).
14.2 Breach affecting Controller-side data — SINAURA as Controller (Art. 33(1) and Art. 34 GDPR)
For breaches affecting personal data processed by SINAURA as Controller (e.g. website users, marketing contacts, candidates, suppliers), SINAURA:
- assesses the breach following EDPB Guidelines 9/2022 and the internal data breach procedure;
- notifies the Garante per la Protezione dei Dati Personali via the competent authority's portal within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33(1) GDPR);
- communicates the breach to the affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR), unless one of the exceptions of Art. 34(3) applies;
- documents every breach in the internal Breach Register pursuant to Art. 33(5) GDPR.
14.3 NIS2 cyber incident reporting
Where the breach also qualifies as a significant cyber incident under Art. 23 NIS2 / Art. 25 D.Lgs. 138/2024, SINAURA performs the early warning to CSIRT Italia within 24 hours, the incident notification within 72 hours and the final report within one month, in coordination with the privacy notification timeline.
15 · DATA SUBJECT RIGHTS
Under Chapter III GDPR, every data subject may exercise the following rights by writing to info@sinauragroup.com or, where a certified channel is required, to sinaurasrl@legalmail.it. SINAURA responds within one month of receipt of the request (extendable by two further months in case of complexity, with notice within the first month) pursuant to Art. 12(3) GDPR.
- Art. 15 — Right of access to personal data and to information.
- Art. 16 — Right to rectification of inaccurate or incomplete data.
- Art. 17 — Right to erasure (right to be forgotten).
- Art. 18 — Right to restriction of processing.
- Art. 19 — Notification obligation regarding rectification, erasure or restriction.
- Art. 20 — Right to data portability in a structured, commonly used and machine-readable format.
- Art. 21 — Right to object to processing based on legitimate interest or direct marketing (the latter is absolute and cost-free).
- Art. 22 — Right not to be subject to solely automated decisions producing legal or similarly significant effects.
- Art. 7(3) — Right to withdraw consent at any time, without affecting the lawfulness of previous processing.
Where the data subject exercises a right relating to Customer data processed by SINAURA as Processor, SINAURA forwards the request to the Customer (Controller) within a reasonable time and assists the Customer under Art. 28(3)(e) GDPR.
For security reasons, SINAURA may, only in case of reasonable doubt about the identity of the requester (Art. 12(6) GDPR), request the additional information necessary to confirm that identity. Such verification is proportionate and minimised, and the documents are deleted upon completion of the case.
16 · COOKIES, TRACKERS AND TRACKING PIXELS
The website ariaplt.com uses:
- Strictly necessary technical cookies (no consent required under Art. 122(1) D.Lgs. 196/2003);
- Analytics cookies anonymised in compliance with the criteria of the Italian Garante's Provv. n. 231 of 10 June 2021 (Cookie Guidelines), or, in absence of such anonymisation, subject to consent.
No third-party profiling cookies or marketing trackers are activated without prior, free, specific, informed, granular and unambiguous consent collected through a cookie banner compliant with EDPB Guidelines 03/2022 (deceptive design patterns) and with the Italian Garante's Cookie Guidelines.
The cookie banner offers, on equal-level placement, the options "Accept all", "Reject all" and granular preferences, with no pre-ticked boxes and with the ability to withdraw consent at any time with the same ease with which it was given (Art. 7(3) GDPR).
The extended cookie notice with full list of cookies, durations, providers and purposes is available at sinauragroup.com/en/legal/website-privacy-policy#cookies.
Tracking pixels in email communications
In compliance with the Italian Garante's Provv. of 17 April 2026 on tracking pixels in email communications, SINAURA:
- in transactional emails (e.g. password reset, billing, service notifications), uses only technical pixels strictly necessary to deliverability and security, on the legal basis of Art. 6(1)(b) and (f) GDPR;
- in marketing emails, where tracking pixels for open-rate analytics are used, collects prior explicit consent at the same level of granularity as the marketing consent, with a separate option, and provides at any time the ability to opt out;
- documents pixel usage in the cookie/tracker policy referenced above.
EDPB Guidelines 2/2023 on the technical scope of Art. 5(3) ePrivacy
SINAURA acknowledges that the application of Art. 5(3) ePrivacy extends beyond cookies to a broad range of tracking technologies (tracking pixels, URL parameters, IP-based tracking, fingerprinting, IoT-side identifiers) and ensures that the same consent regime applies to all such technologies when used for non-strictly-necessary purposes.
17 · PRIVACY BY DESIGN AND BY DEFAULT (ART. 25 GDPR)
SINAURA implements privacy-by-design and privacy-by-default measures in compliance with Art. 25 GDPR and EDPB Guidelines 4/2019, including:
- data minimisation in collection forms and platform inputs;
- default tenant isolation and least-privilege RBAC for Authorised Users;
- default encryption at-rest and in-transit;
- default deletion at expiration of retention periods;
- prior privacy/security review of every new feature (DPbDD Gate within the SDLC);
- maintenance of records of design decisions to demonstrate accountability (Art. 5(2) GDPR).
18 · DPIA AND ACCOUNTABILITY
SINAURA has carried out a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR on the Platform's high-risk processing activities, in line with the EDPB DPIA Template 2026 (adopted in consultation in April 2026, expected to become the harmonised standard). The DPIA is reviewed at every material change.
A summary of the DPIA, including the residual risk assessment and the technical and organisational measures, is available to the Customer upon request and under confidentiality, to assist the Customer in its own DPIA obligations as Controller and, where applicable, as deployer of high-risk AI systems under Art. 26(9) AI Act.
[TO BE COMPLETED: indicate publication date of the latest DPIA version, next scheduled review, and whether SINAURA voluntarily submits the DPIA to the Garante for prior consultation under Art. 36 GDPR.]
The Italian Garante's national list of processing operations subject to mandatory DPIA (Provv. n. 467 of 11 October 2018) is taken into account.
19 · CHILDREN
AriaPLT™ is a professional B2B platform addressed to legal entities. The Platform is not directed to minors. Authorised Users designated by the Customer must be of legal age and act within the scope of duties assigned by the Customer.
SINAURA does not knowingly process personal data of minors. Technical detection measures (DLP, content scanning at upload) are in place to identify potential upload of minors' data. Where such data is detected, SINAURA notifies the Customer within 5 working days requesting prompt removal and, where the Customer fails to act, may suspend the affected processing pursuant to Art. 28(3)(a) GDPR and the DPA.
The age of consent under Art. 8 GDPR for information society services in Italy is 14 (Art. 2-quinquies D.Lgs. 196/2003); this does not apply to AriaPLT™, which is not an information society service offered to minors.
20 · SPECIAL CATEGORIES (ART. 9) AND CRIMINAL-CONVICTION DATA (ART. 10)
20.1 Special categories under Art. 9 GDPR
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data for identification purposes, health data, and data concerning sex life or sexual orientation are not processed by the Platform unless under a specific written agreement between SINAURA and the Customer, supported by a documented Art. 9(2) condition (e.g. Art. 9(2)(a) explicit consent, Art. 9(2)(b) employment law context, Art. 9(2)(h) occupational medicine) and a prior DPIA.
In industrial environments such data may be incidentally relevant — e.g. occupational health certificates, biometric access control, near-miss reports containing health data. SINAURA implements technical safeguards (DLP, content classifiers, redaction tooling, segregation of buckets with elevated controls) to detect and prevent unintended upload, and notifies the Customer in case of detection within 5 working days.
20.2 Criminal-conviction data under Art. 10 GDPR
Personal data relating to criminal convictions and offences are not processed by the Platform, save in compliance with Art. 10 GDPR and Art. 2-octies D.Lgs. 196/2003 and only under a specific written agreement with a documented legal basis. The same technical safeguards as 20.1 apply.
20.3 Prohibited AI practices
The Customer further undertakes not to upload onto the Platform any data used for AI practices prohibited under Art. 5 EU AI Act, including biometric categorisation for sensitive inference and untargeted scraping of facial images.
21 · COMPLAINTS TO THE SUPERVISORY AUTHORITY
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali (Piazza Venezia 11, 00187 Rome, or through the Garante's website) — or with the supervisory authority of the EU Member State of his or her residence, workplace or place of the alleged infringement (Art. 77 GDPR).
22 · DOCUMENT HIERARCHY AND LANGUAGE
This Privacy Policy is an integral part of the contractual document set (ToS, Order Form, DPA, SLA, Privacy Policy). In case of conflict on matters of personal data processing, the DPA prevails; for other matters, the order of precedence set out in Art. 18 of the ToS applies.
This Privacy Policy is published in English and in Italian on sinauragroup.com/en/legal/platform-privacy-policy. For data subjects resident in Italy, the Italian version is fully effective. Between SINAURA and the Customer, on the purely contractual portion of this document, in case of interpretative conflict the English version prevails; this priority is not enforceable against individual data subjects in their relationship with SINAURA in respect of their understanding of the processing.
23 · AMENDMENTS
SINAURA may update this Privacy Policy to reflect regulatory or product evolution. Material changes are notified via email to registered users and to the Customer's administrative address, and via notice on sinauragroup.com/en/legal/platform-privacy-policy. The current version is always available at sinauragroup.com/en/legal/platform-privacy-policy with indication of version, date and changelog (see §26). Prior versions are archived and available upon request.
24 · APPLICABLE ADDENDA AND EXHIBITS
The following documents are incorporated by reference into this Agreement and form an integral part of it:
| Document | Reference |
|---|---|
| Terms of Service | sinauragroup.com/en/legal/terms-of-service |
| Acceptable Use Policy | sinauragroup.com/en/legal/aup |
| Service Level Agreement | sinauragroup.com/en/legal/sla |
| Data Processing Agreement | sinauragroup.com/en/legal/dpa |
| Master Services Agreement | sinauragroup.com/en/legal/msa |
| SINAURA Website Privacy Policy | sinauragroup.com/en/legal/website-privacy-policy |
25 · CONTACTING SINAURA
| Channel | Contact |
|---|---|
| Registered office | SINAURA S.R.L., Viale Luigi Majno n. 7, 20122 Milan, Italy |
| General contact for privacy, support and operational matters | info@sinauragroup.com |
| Certified mail (PEC) for formal notices | sinaurasrl@legalmail.it |
© 2026 SINAURA S.R.L. · AriaPLT™ and Sinaura™ are registered trademarks of SINAURA S.R.L. · Version 1.3 · Last updated: 16 May 2026