GENERAL DATA PROTECTION REGULATION (GDPR)

1. Identity of the Data Controller

This Privacy Notice is issued by Pronize Technology Inc. (“Pronize”, “Company”, “we”, “us”, or “our”) acting as the Data Controller for personal data processed through the Pronize cloud-based software platform and related services.

Where required under Article 27 GDPR, Pronize will appoint an EU Representative and update this notice accordingly.

2. Scope of This Notice

This Privacy Notice applies to:

• Users of the Pronize SaaS platform
• Customer employees and authorized representatives
• Business partners and suppliers
• Website visitors
• Individuals whose personal data is included in customer-provided business content

Processing is carried out in accordance with:

• Regulation (EU) 2016/679 (GDPR)
• Applicable EU Member State data protection laws

3. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• Data Subject: The individual to whom personal data relates.
• Processor / Sub-processor: Entities processing personal data on behalf of the Company.

4. Categories of Personal Data Processed

Pronize may process the following categories:

4.1 Identity and Contact Data

• Name, surname
• Business email address
• Phone number
• Company name, role, and department

4.2 Account and Usage Data

• User identifiers
• Login credentials (hashed)
• IP address and device data
• Access logs and activity history

4.3 Business and Operational Data

• Orders, production, and supply-chain records
• Supplier and customer contact details
• Product, pricing, quotation, and shipment data
• Trade and logistics documentation

4.4 Billing and Financial Data

• Invoices and payment status
• Subscription plan information
• Transaction identifiers (no full card storage by Pronize)

4.5 AI-Processed Content

• Documents, text, tables, or contracts uploaded by users
• AI-generated analysis and outputs

Customer content is processed solely to provide the service and is not used to train shared AI models unless explicitly agreed.

4.6 Technical & Analytics Data

• Browser type, operating system
• Usage metrics and performance data
• Cookie identifiers

5. Purposes of Processing

Personal data is processed only where necessary to:

• Provide, operate, and maintain the Pronize SaaS platform
• Enable production, sourcing, and trade workflow management
• Deliver AI-assisted analytics, automation, and decision-support tools
• Authenticate users and secure the platform
• Provide customer support and technical assistance
• Manage billing, subscriptions, and contractual obligations
• Detect fraud, abuse, or security incidents
• Comply with legal and regulatory requirements
• Improve system performance, usability, and reliability

6. Legal Bases for Processing (Article 6 GDPR)

Processing is based on one or more of the following:

• Contract performance — providing the Pronize services
• Legal obligation — accounting, tax, compliance duties
• Legitimate interests — security, service improvement, fraud prevention
• Consent — cookies, marketing communications, or optional AI features

Where processing relies on legitimate interests, Pronize performs balancing tests to ensure rights and freedoms are not overridden.

7. Special Categories of Data

Pronize does not intentionally process special categories of personal data under Article 9 GDPR.

Customers must not upload sensitive data unless explicitly agreed via a Data Processing Agreement.

8. Data Sharing and Recipients

Personal data may be shared with:

• Cloud infrastructure providers
• Payment service providers
• IT and security vendors
• Professional advisors (legal, accounting)
• Competent public authorities where legally required

All processors are bound by:

• Data Processing Agreements (Art. 28 GDPR)
• Confidentiality obligations
• Security and audit requirements

9. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Pronize ensures appropriate safeguards, including:

• European Commission Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Supplementary technical and organizational safeguards

Copies of safeguards may be requested via info@pronize.com.

10. Data Retention

Personal data is retained only for as long as necessary to:

• Fulfill contractual purposes
• Meet legal and regulatory obligations
• Resolve disputes and enforce agreements

After retention periods expire, data is:

• Securely deleted, or
• Irreversibly anonymized

11. Security Measures (Article 32 GDPR)

Pronize implements appropriate technical and organizational measures, including:

• Encryption in transit and at rest
• Role-based access control
• Secure authentication mechanisms
• Continuous logging and monitoring
• Vulnerability management and security testing
• Backup and disaster recovery procedures
• Employee confidentiality and security training

12. Automated Decision-Making & AI

Pronize AI features provide decision support only.

No solely automated decisions with legal or similarly significant effects are made under Article 22 GDPR.

Human review remains available.

13. Cookies and Tracking Technologies

Pronize uses:

• Strictly necessary cookies — service functionality
• Analytics cookies — performance measurement (consent-based where required)

Marketing cookies are used only with explicit consent.

Details are provided in the separate Cookie Policy.

14. Data Subject Rights

Under GDPR, individuals have the right to:

• Access personal data
• Rectify inaccurate data
• Erase data (“right to be forgotten”)
• Restrict processing
• Object to processing based on legitimate interests
• Data portability
• Withdraw consent at any time
• Lodge a complaint with an EU supervisory authority

Requests can be submitted to: info@pronize.com

Pronize responds within one month as required by GDPR.

15. Data Breach Notification

In the event of a personal data breach, Pronize will:

• Notify the competent supervisory authority within 72 hours where required
• Inform affected data subjects when risk is high
• Document all breaches internally

16. Children's Data

Pronize services are not directed to children under 16, and the Company does not knowingly collect such data.

17. Changes to This Privacy Notice

Pronize may update this Privacy Notice to reflect:

• Legal or regulatory changes
• Service or technology updates
• Security improvements

The latest version will always be available on the official website.