Privacy Policy

Document Version: v1.0 (2025-11-24)

Last Updated: November 24, 2025

Welcome to AiTato and our website at http://aitato.seennext.com/ (our "Website"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect your Personal Data, in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). By using our Website and services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.

1. GENERAL PRINCIPLES

1.1 What is Personal Data?

"Personal Data" means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2 What is Special Category Data?

"Special Category Data" (also known as "sensitive personal data") means Personal Data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. We do not process Special Category Data unless explicitly permitted by law and with your specific consent.

1.3 What is Processing?

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4 Who is the Data Controller?

The Data Controller responsible for the processing of your Personal Data is:

The Data Controller is responsible for ensuring compliance with GDPR and for responding to your data protection requests.

1.5 Applicable Law

Our processing of your Personal Data is subject to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). If you are located outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place to protect your Personal Data, such as relying on EU Standard Contractual Clauses for transfers to third countries.

1.6 Legal Bases for Processing Personal Data

Under GDPR, we may only process your Personal Data if we have a valid legal basis. Our legal bases include:

  • Consent: You have given your specific, informed, and unambiguous consent to the processing of your Personal Data for one or more specific purposes.
  • Contract Performance: The processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.
  • Legal Obligation: The processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests: The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, provided that such interests are not overridden by your fundamental rights and freedoms which require protection of Personal Data.
  • Vital Interests: The processing is necessary to protect the vital interests of you or another natural person.

We will clearly inform you of the specific legal basis for each processing activity at the time of collecting your Personal Data.

1.7 Data Retention Period

We will process and store your Personal Data only for the period necessary to achieve the purposes for which it was collected, unless a longer retention period is required or permitted by law. After the retention period expires, your Personal Data will be securely deleted or anonymised. Specific retention periods for different types of Personal Data are as follows:

  • Website usage data: Retained for 12 months after collection.
  • Contact information: Retained for the duration of our business relationship plus 3 years.
  • Transaction data: Retained for 7 years to comply with tax and accounting obligations.
  • Consent records: Retained for 5 years after consent is withdrawn or expired.

1.8 Data Protection Authority

If you are not satisfied with how we handle your Personal Data or your data protection requests, you have the right to lodge a complaint with the relevant Data Protection Authority (DPA) in your country of residence. For EU residents, you can find your local DPA contact information at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/where-lodge-complaint_en

2. PERSONAL DATA WE COLLECT AND PROCESS

2.1 Types of Personal Data

We may collect and process the following types of Personal Data about you:

  • Identification data: Name, email address, phone number, postal address, username, password.
  • Contact data: Email address, phone number, postal address.
  • Technical data: IP address, browser type and version, operating system, device information, cookie identifiers, browsing history, access times, page views, referral sources.
  • Usage data: Information about how you use our Website and services, including features used, content viewed, search queries, interaction patterns.
  • Transaction data: If you make purchases through our Website, we may collect payment information, order details, delivery information.
  • Communication data: Records of your communications with us, including emails, support tickets, chat logs.

We do not collect or process Special Category Data unless explicitly stated and with your specific consent.

2.2 Methods of Collection

We collect Personal Data from you in the following ways:

  • Direct collection: When you provide information to us directly, such as when you register an account, submit a contact form, make a purchase, subscribe to a newsletter, or contact customer support.
  • Automated collection: When you use our Website, we automatically collect technical and usage data through cookies, web beacons, and other tracking technologies.
  • Third-party sources: From trusted third parties, such as payment processors, identity verification services, marketing partners, and social media platforms (with your permission).

We will always inform you when we collect Personal Data from third parties and the source of such data.

2.3 Website Hosting

We use the hosting services of Amazon Web Services (AWS) (410 Terry Avenue North, Seattle, WA 98109, USA). AWS processes your Personal Data (including technical and usage data) on our behalf as a Data Processor. We have entered into a Data Processing Agreement (DPA) with AWS that incorporates the EU Standard Contractual Clauses, ensuring adequate protection of your Personal Data when transferred outside the EEA. For more information about AWS' data protection practices, please visit: https://aws.amazon.com/compliance/gdpr/

2.4 Spam Protection

We use Google's reCAPTCHA service (provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to protect our Website from spam and automated abuse. reCAPTCHA may collect technical data about your device and browsing behavior to determine whether a user is a human or a robot. Google processes this data in accordance with its own privacy policy: https://policies.google.com/privacy. We have entered into a DPA with Google to ensure compliance with GDPR.

2.5 Cookies and Similar Technologies

We use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) on our Website.

  • What are cookies? Cookies are small text files that are stored on your device when you visit a website. They help websites recognize your device and remember certain information about your preferences and usage.
  • Types of cookies we use:
    • Necessary cookies: Essential for the operation of our Website and services. They enable basic functions such as page navigation and access to secure areas. These cookies cannot be disabled.
    • Analytical cookies: Help us understand how visitors use our Website by collecting and reporting information in an anonymous form, such as which pages are visited most often and how users navigate between pages.
    • Functional cookies: Allow our Website to remember choices you make (such as your language preference) and provide enhanced, more personalized features.
    • Marketing cookies: Used to deliver relevant advertisements to you and measure the effectiveness of advertising campaigns.
  • Cookie consent: You can manage your cookie preferences through our cookie consent tool on the Website homepage. You can also disable cookies through your browser settings, although this may affect the functionality of our Website.
  • Cookie retention: Most cookies expire after a certain period (usually 12 months), while session cookies expire when you close your browser.

For more information, please see our separate Cookie Policy.

2.6 Links to Third-Party Websites

Our Website may contain links to third-party websites, services, or content. This Privacy Policy does not apply to those third-party websites. We are not responsible for the privacy practices or content of third-party websites. We recommend that you review the privacy policies of any third-party websites you visit through links on our Website.

2.7 Children's Data Protection

Our Website and services are not intended for children under the age of 16. We do not knowingly collect or process Personal Data from children under 16 without the explicit consent of a parent or legal guardian. If we become aware that we have collected Personal Data from a child under 16 without proper consent, we will take immediate steps to delete such data. If you believe we may have collected data from a child under 16, please contact us at aitato@seennext.com.

3. PURPOSES OF PROCESSING

3.1 Core Processing Purposes

We process your Personal Data for the following core purposes:

  • To provide and maintain our Website and services: Including website hosting, technical maintenance, and ensuring the functionality and security of our services. (Legal basis: Contract performance, Legitimate interests)
  • To communicate with you: Including responding to your inquiries, providing customer support, sending service updates, and delivering important information about your account. (Legal basis: Contract performance, Legitimate interests)
  • To process transactions: If you make purchases through our Website, to process payments, fulfill orders, arrange delivery, and provide post-purchase support. (Legal basis: Contract performance)
  • To personalize your experience: To tailor our Website and services to your preferences, provide personalized content and recommendations. (Legal basis: Consent, Legitimate interests)
  • To improve our Website and services: To analyze usage patterns, identify areas for improvement, develop new features, and enhance the overall user experience. (Legal basis: Legitimate interests)
  • To ensure security: To detect and prevent fraud, unauthorized access, data breaches, and other security threats. (Legal basis: Legitimate interests, Legal obligation)
  • To comply with legal obligations: Including tax, accounting, and regulatory requirements. (Legal basis: Legal obligation)

3.2 Marketing and Promotional Communications

We may process your Personal Data to send you marketing and promotional communications about our products, services, special offers, and events, provided that we have your consent or are otherwise permitted by law.

  • You can opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in our marketing emails, or by contacting us at aitato@seennext.com.
  • We will not share your Personal Data with third parties for their marketing purposes without your explicit consent.

(Legal basis: Consent, Legitimate interests where permitted by law)

3.3 Economic Analyses and Market Research

We may analyze aggregated and anonymized data for business purposes, including market research, economic analyses, trend identification, and strategic planning. This analysis is based on anonymized data that cannot be used to identify you personally. (Legal basis: Legitimate interests)

4. DATA SHARING AND DISCLOSURE

4.1 Data Processors

We may engage third-party Data Processors to process Personal Data on our behalf. These include:

  • Hosting providers (e.g., AWS)
  • Payment processors
  • Email service providers
  • Analytics providers (e.g., Google Analytics)
  • Customer relationship management (CRM) providers
  • Security service providers

We only engage Data Processors that meet high data protection standards and enter into formal Data Processing Agreements (DPAs) with them, which include the EU Standard Contractual Clauses where applicable. These agreements require Data Processors to process Personal Data only in accordance with our instructions and to implement appropriate security measures.

4.2 Other Third-Party Disclosures

We may disclose your Personal Data to other third parties in the following circumstances:

  • With your consent: When you have given us explicit consent to share your data with specific third parties.
  • For contract performance: To third parties involved in fulfilling a contract with you, such as delivery services.
  • Legal obligations: When required by law, regulation, court order, or other legal process.
  • Protection of rights: To protect our legitimate business interests, rights, property, or safety, or the rights, property, or safety of our users or others.
  • Business transactions: In connection with a merger, acquisition, sale of assets, or other business transaction, where your Personal Data may be transferred as part of the business assets.

We will not sell your Personal Data to third parties for marketing purposes without your explicit consent.

4.3 International Data Transfers

Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). These countries may have different data protection laws than the EEA. We ensure that all international transfers of Personal Data comply with GDPR by implementing appropriate safeguards, including:

  • EU Standard Contractual Clauses: For transfers to Data Processors located in third countries.
  • Adequacy decisions: Transfers to countries deemed to provide an adequate level of data protection by the European Commission.
  • Binding Corporate Rules: If transferring data within a group of companies.
  • Other appropriate safeguards: As required by GDPR, such as encryption and access controls.

You can request a copy of the safeguards used for specific international transfers by contacting us at aitato@seennext.com.

5. SECURITY MEASURES

5.1 Technical and Organizational Security Measures

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption: Encrypting Personal Data in transit (using TLS/SSL) and at rest.
  • Access controls: Implementing role-based access controls to ensure only authorized personnel can access Personal Data.
  • Authentication: Requiring strong authentication for access to systems containing Personal Data.
  • Regular security assessments: Conducting regular security audits, vulnerability assessments, and penetration testing.
  • Employee training: Providing regular data protection and security training to our employees.
  • Incident response: Maintaining a data breach incident response plan to handle and report security incidents promptly.
  • Data minimization: Only collecting and processing Personal Data that is necessary for the stated purposes.

While we take all reasonable steps to protect your Personal Data, no security system is completely impenetrable. You should also take steps to protect your data, such as using strong passwords and keeping your login credentials secure.

5.2 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant Data Protection Authority without undue delay, in accordance with GDPR requirements.

Our data breach notification will include:

  • A description of the nature of the breach (including the categories and approximate number of data subjects and Personal Data records affected).
  • The name and contact details of our data protection officer or other contact point.
  • A description of the likely consequences of the breach.
  • A description of the measures we have taken or propose to take to address the breach, including measures to mitigate any possible adverse effects.

If you become aware of any unauthorized access to your Personal Data, please contact us immediately at aitato@seennext.com.

6. YOUR DATA PROTECTION RIGHTS

6.1 Your Data Protection Rights Under GDPR

Under GDPR, you have the following data protection rights. We will respond to all valid requests free of charge within one month of receipt, unless the request is complex or you make multiple requests, in which case we may extend the response period by a further two months and will inform you of this extension.

6.2 Right to Access

You have the right to request access to the Personal Data we hold about you. Upon request, we will provide you with:

  • Confirmation of whether we process your Personal Data.
  • A copy of your Personal Data that we hold.
  • Information about the purposes of processing, the categories of Personal Data concerned, and the categories of recipients with whom your data has been shared.
  • Information about the retention period or the criteria used to determine the retention period.
  • Information about the right to request correction, erasure, restriction, or objection to processing.
  • Information about the right to lodge a complaint with a Data Protection Authority.
  • The source of your Personal Data if it was not collected directly from you.
  • Information about any automated decision-making, including profiling, and the logic involved.

6.3 Right to Rectification

You have the right to request that we correct any inaccurate Personal Data we hold about you. If your Personal Data is incomplete, you have the right to request that we complete it, including by providing a supplementary statement. We will take steps to inform any third parties with whom we have shared your Personal Data of the correction, where appropriate.

6.4 Right to Erasure (Right to be Forgotten)

You have the right to request that we erase your Personal Data in the following circumstances:

  • The Personal Data is no longer necessary for the purposes for which it was collected.
  • You withdraw your consent and there is no other legal basis for processing.
  • You object to processing and there are no overriding legitimate interests for continuing the processing.
  • The Personal Data has been processed unlawfully.
  • Erasure is required to comply with a legal obligation.
  • The Personal Data relates to a child and was collected in the context of offering information society services.

We may not be able to erase your Personal Data if we need to retain it to comply with legal obligations or for legitimate business purposes.

6.5 Right to Restriction of Processing

You have the right to request that we restrict the processing of your Personal Data in the following circumstances:

  • You contest the accuracy of your Personal Data (for a period enabling us to verify the accuracy).
  • The processing is unlawful, but you do not want your data erased.
  • We no longer need the Personal Data for processing, but you need it for the establishment, exercise, or defense of legal claims.
  • You have objected to processing (pending verification of whether our legitimate interests override your interests).

When processing is restricted, we may only process your Personal Data with your consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.

6.6 Right to Data Portability

You have the right to receive your Personal Data that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit this data directly to another Data Controller, where technically feasible.

This right applies only to Personal Data processed on the basis of your consent or for the performance of a contract, and where processing is carried out by automated means.

6.7 Right to Object

You have the right to object to the processing of your Personal Data at any time if the processing is based on our legitimate interests or for direct marketing purposes.

  • For direct marketing: We will stop processing your Personal Data for marketing purposes immediately upon receipt of your objection.
  • For other legitimate interests: We will review your objection and will stop processing if we determine that your interests, rights, and freedoms override our legitimate interests.

You also have the right to object to processing of your Personal Data for scientific or historical research purposes or for statistical purposes, unless the processing is necessary for important public interest.

6.8 Right to Withdraw Consent

If we process your Personal Data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw your consent by contacting us at aitato@seennext.com or through the relevant settings on our Website.

6.9 Right to Non-Discrimination

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Exceptions apply where the decision is:

  • Necessary for the performance of a contract between you and us.
  • Authorized by law that also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests.
  • Based on your explicit consent.

In such cases, we will ensure that appropriate safeguards are in place, including the right to obtain human intervention, to express your point of view, and to contest the decision.

6.10 How to Exercise Your Rights

To exercise any of your data protection rights, please submit a written request to us at:

We may need to request additional information from you to verify your identity before responding to your request, to ensure the security of your Personal Data. This information will only be used for verification purposes.

If you are not satisfied with our response to your request, you have the right to lodge a complaint with your local Data Protection Authority.

7. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. When we make significant changes to this Privacy Policy, we will notify you by:

  • Posting a prominent notice on our Website homepage.
  • Sending you an email notification (if we have your email address).
  • Providing a pop-up notification on our Website.

The updated Privacy Policy will take effect immediately upon posting. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your Personal Data.

This Privacy Policy was last updated on: November 24, 2025

8. CONTACT INFORMATION

For questions, comments, or requests related to this Privacy Policy or our data processing practices, please contact us at:

We aim to respond to all inquiries within 5 business days.

Effective Date

This Privacy Policy is effective as of November 24, 2025.