PRIVACY POLICY

Last updated on 20th January 2025

This privacy statement for turnus.ai GmbH (“we”, “us” or “our”) describes how and why we collect, store, use and/or share (“process”) your personal data when you use our services (“services”), including when you visit our website at http://www.turnus.ai or any of our other websites that link to this privacy statement.

Use turnus.ai. With turnus.ai, you can handle sustainability inquiries efficiently and automatically. Powered by AI – developed with a focus on security.

To get in touch with us in other related ways, including sales, marketing or events

Questions or concerns? Reading this privacy statement will help you understand your privacy rights and choices. We are responsible for making decisions about how to process your personal data. If you disagree with our policies and practices, please do not use our services. If you still have questions or concerns, please contact us at privacy@turnus.ai.

SUMMARY OF KEY POINTS

This summary contains the key points from our privacy statement but you can find more details about each of these topics by clicking on the link following each key point or by using our table of contents below to find the section you are looking for.

What personal data do we process? If you visit, use or navigate our services, we may process personal data depending on how you interact with us and the services, the decisions you make and the products and features you use. Find out more about personal data you share with us.

Do we process sensitive personal data? Some of the information may be considered as “special” or “sensitive” in certain jurisdictions, such as your racial or ethnic origin, sexual orientation, and religious beliefs. We do not process sensitive personal data.

Do we collect information from third parties? We do not collect information from third parties.

How do we process your data? We process your data to provide, improve and manage our services, communicate with you, for safety and fraud prevention, and to comply with laws. Additionally, we process your personal data to ensure the security and integrity of our platform (for example, to prevent unauthorised access) and to comply with legal obligations, such as fulfilling tax retention obligations. With your consent, we may also process your data for other purposes. We only process your data when we have a valid legal reason to do so. Find out more about how we process your data.

In what situations and with what types of parties do we share personal data? We may share information in specific situations and with specific categories of third parties. Find out more about when and with whom we share your personal data.

How do we keep your data safe? We have appropriate organisational and technical processes and procedures in place to protect your personal data. However, it cannot be guaranteed that electronic transmission over the internet or information storage technology is 100% secure, so we cannot promise or guarantee that hackers, cybercriminals or other unauthorised third parties will not be able to circumvent our security and improperly collect, access, steal or modify your data. Find out more about how we protect your data.

What are your rights? Depending on where you are geographically located, the applicable privacy law may mean you have certain rights with regard to your personal data. Find out more about your privacy rights.

How can you exercise your rights? The easiest way to exercise your rights is to visit privacy@turnus.ai, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Want to learn more about what we do with the information we collect? Read the full privacy statement.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?

2. HOW DO WE PROCESS YOUR DATA?

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL DATA?

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

6. DO WE OFFER PRODUCTS BASED ON ARTIFICIAL INTELLIGENCE?

7. HOW DO WE HANDLE YOUR SOCIAL MEDIA LOGINS?

8. HOW LONG DO WE STORE YOUR DATA?

9. HOW DO WE KEEP YOUR DATA SAFE?

10. DO WE COLLECT INFORMATION FROM MINORS?

11. WHAT ARE YOUR PRIVACY RIGHTS?

12. CONTROLS FOR DO-NOT-TRACK FEATURES

13. DO WE MAKE UPDATES TO THIS STATEMENT?

14. HOW CAN YOU CONTACT US ABOUT THIS STATEMENT?

15. HOW CAN YOU REVIEW, UPDATE OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal data you disclose to us

In short: We collect personal data that you provide to us.

We collect personal data that you voluntarily provide to us when you register for the services, express interest in obtaining information about us or our products and services, when you participate in activities on the services or otherwise contact us.

Personal data provided by you. The personal data that we collect depends on the context of your interactions with us and the services, the choices you make and the products and features you use. The personal data we collect may include the following:

• Names

• Email addresses

• Job titles

• Usernames

• Passwords

• Billing addresses

• Debit/credit card numbers

Sensitive information. We do not process sensitive information.

Payment data. We may collect data necessary to process your payment if you make a purchase, such as your payment instrument number and the security code associated with your payment instrument. Allocation data is processed and stored by Stripe. Links to the privacy notices can be found here: https://stripe.com/en-gb/privacy

Social media login data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X, or other social media account. If you register in this way, we will collect certain profile information about you from the social media provider, as described in the section "HOW DO WE HANDLE YOUR SOCIAL MEDIA LOGINS?" below.

All personal data you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal data.

Automatically collected information

In short: Some information – such as your IP address (Internet Protocol) and/or browser and device characteristics – is collected automatically when you visit our services.

We automatically collect certain information when you visit, use or navigate the services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information on how and when you use our services, and other technical information. This information is primarily needed to maintain the security and operation of our services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more in our Cookie Notice: https://www.framer.com/legal/cookie-policy/

The information we collect includes:

• Log and usage data. Log and usage data is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings and information about your activity in the services (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take, like which features you use), device event information (such as system activity, error reports (sometimes called ‘crash dumps’) and hardware settings).

• Device data. We collect device data such as information about your computer, phone, tablet or other device you use to access the services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system and system configuration information.

• Location data. We collect location data such as information about your device’s location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt-out of allowing us to collect this information either by refusing access to the information or by disabling your location setting on your device. However, if you choose to opt-out, you may not be able to use certain aspects of the services.

Google API (English)

In using information we obtain from Google APIs, the policy for Google API services user data applies, including the requirements for restricted use.

2. HOW DO WE PROCESS YOUR DATA?

In short: We process your data to provide, improve and manage our services, communicate with you, ensure safety and fraud prevention, and comply with laws. With your consent, we may also process your data for other purposes.

We process your personal data for a variety of reasons, depending on how you interact with our services, including:

To facilitate account creation and authentication and otherwise manage user accounts. We may process your data so that you can create and log in to your account, as well as keep your account in working order.

To deliver and facilitate delivery of services to the user. We may process your data to provide you with the requested service.

To respond to user inquiries/offer support to users. We may process your data to respond to your inquiries and solve any potential issues you might have with the requested service.

To send you administrative information. We may process your data to send you details about our products and services, changes to our terms and policies, and other similar information.

To fulfil and manage your orders. We may process your data to fulfil and manage your orders, payments, returns, and exchanges made through the services.

To enable user-to-user communications. We may process your data if you choose to use any of our offers that allow communication with another user.

To request feedback. We may process your data when necessary to request feedback and to contact you about your use of our services.

To send you marketing and promotional communications. We process the personal data you send to us for our marketing purposes if this is in line with your marketing preferences. You can opt-out of our marketing emails at any time. For more information, see “WHAT ARE YOUR PRIVACY RIGHTS? "Below.

To deliver targeted advertising to you. We may process your data to develop and display personalised content and advertising tailored to your interests, location, and more. More information is available in our Cookie Notice: https://www.framer.com/legal/cookie-policy/

To protect our services. We may process your data as part of our efforts to keep our services safe and secure, including fraud monitoring and prevention.

To identify usage trends. We may process information about how you use our services to better understand how they are being used so we can improve them.

To determine the effectiveness of our marketing and promotional campaigns. We may process your data to better understand how to provide marketing and promotional campaigns that are most relevant to you.

To save or protect an individual’s vital interest. We may process your data when necessary to save or protect an individual’s vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR DATA?

In short: We only process your personal data when we believe it is necessary and we have a valid legal reason (i.e. legal basis) to do so under applicable law, such as with your consent, to comply with laws, to provide you with services, to enter into or fulfil our contractual obligations, to protect your rights, or to further our legitimate business interests.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal data. Therefore, we may rely on the following legal bases to process your personal data:

• Consent. We may process your data if you have given us permission (i.e. consent) to use your personal data for a specific purpose. You can withdraw your consent at any time. Find out more about withdrawing your consent.

• Performance of a contract. We may process your personal data when we believe it is necessary to fulfil our contractual obligations to you, including providing our services or at your request prior to entering into a contract with you.

• Legitimate interests. We may process your data when we believe it is reasonably necessary to achieve our legitimate business interests, and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal data for some of the purposes described in order to:

o Send users information about special offers and discounts on our products and services

o Develop and display personalised and relevant advertising content for our users

o Analyse how our services are used so we can improve them to engage and retain users

o Support our marketing activities

o Diagnose problems and/or prevent fraudulent activities

o Understand how our users use our products and services to improve the user experience

• Legal obligations. We may process your data when we believe it is necessary for compliance with our legal obligations, such as cooperating with a law enforcement body or regulatory agency, exercising or defending our legal rights, or disclosing your information as evidence in litigation in which we are involved.

• Vital interests. We may process your data when we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to any person’s safety.

Specific legal bases for processing each data category include:

• Ensuring platform security: Art. 6 Para. 1 lit. f GDPR (legitimate interest),

• Fulfilment of legal obligations: Art. 6 Para. 1 lit. c GDPR

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

In short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, consultants and other third-party service providers. We may share your data with third-party vendors, service providers, contractors or agents (“third parties”) who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal data. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.

The categories of third parties we may share personal data with are as follows:

• Advertising networks

• AI platforms

• Cloud computing services

• Communication and collaboration tools

• Data analytics services

• Data storage service providers

• Finance & accounting tools

• Payment processors

• Performance monitoring tools

• Product development and design tools

• Retargeting platforms

• Sales & marketing tools

• Social networks

• Testing tools

• User account registration & authentication

• Web hosting service providers

We may also need to share your personal data in the following situations:

Business transfers. We may share or transfer your data in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Online tracking technologies, such as cookies, help us manage and better understand how users interact with our services and offer more personalised services.

We also allow third parties and service providers to use online tracking technologies in our services for analytics and advertising purposes, including to help manage and display ads, tailoring ads to your interests or sending reminders of abandoned baskets (based on your communication preferences). The third parties and service providers use their technology to provide advertisements for products and services tailored to your interests and which can appear within our services or on other websites.

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice:

https://www.framer.com/legal/cookie-policy/

Google Analytics

We may share your data with Google Analytics to track and report the usage of the services. Google Analytics advertising features that we may use include Google Analytics Demographics and Interest Reporting and Remarketing with Google Analytics. You can opt out of having your data processed by Google Analytics across the services by visiting https://tools.google.com/dlpage/gaoptout. You may opt out of Google Analytics Advertising features through your ads settings and mobile app ads settings. Other opt-out options include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For more information about Google’s privacy practices, please see Google’s privacy and terms page.

6. DO WE OFFER PRODUCTS BASED ON ARTIFICIAL INTELLIGENCE?

In short: We offer products, features or tools that are based on artificial intelligence, machine learning, or similar technologies.

As a part of our services, we offer products, features, or tools based on artificial intelligence, machine learning, or similar technologies (collectively referred to as “AI products”). These tools are designed to enhance your experience by offering innovative solutions. The conditions in this privacy statement govern your use of the AI products within our services.

Use of AI Technologies

We provide our AI products via third-party vendors ("AI providers"), including Amazon Web Services (AWS) AI. As described in this privacy statement, your input, output, and personal data are shared with and processed by these AI providers to enable your use of our AI products for the purposes outlined under “WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL DATA?”. You must not use the AI products in any manner that violates the terms or policies of any AI provider.

Our AI products

Our AI products are designed for the following functions:

• AI automation

How we process your data using AI

All personal data processed by our AI products is treated in accordance with our privacy statement and agreements with third parties. This ensures high security and safeguards your personal data throughout the process so you can rely on the security of your data.

7. HOW DO WE HANDLE YOUR SOCIAL MEDIA LOGINS?

In short: If you choose to register or log in to our services using a social media account, we may have access to certain information about you.

Our services provide you with the option to register and login using third-party social media account details (like your Facebook or X logins). If you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the concerned social media provider but will often include your name, email address, friend list, and profile picture, as well as other information you choose to make public on such a social media platform.

We use the information we receive only for the purposes described in this privacy statement or that are otherwise made clear to you on the relevant services. Please note that we do not control, and are not responsible for, other uses of your personal data by your external social media provider. We recommend that you review their privacy statement to understand how they collect, use, and share your personal data, and how you can set your privacy preferences on their sites and apps.

8. HOW LONG DO WE STORE YOUR DATA?

In short: We store your data for as long as necessary to fulfil the purposes outlined in this privacy statement unless otherwise required by law.

We only retain your personal data for as long as necessary for the purposes set out in this privacy statement unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this statement will require us to retain your personal data for longer than the period of time during which users have an account with us.

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

The retention period for specific data categories includes:

• Contact data: will be retained for the duration of the contractual relationship,

• Usage data: storage up to 6 months after collection, unless legally required otherwise,

• Content data: deleted at latest 30 days after termination of contract unless legal retention obligations exist.

9. HOW DO WE KEEP YOUR DATA SAFE?

In short: Our aim is to protect your personal data through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical security measures to protect the security of any personal data we process. Despite our safeguards and efforts to secure your data, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your data. Although we will do our best to protect your personal data, the transmission of personal data to and from our services is at your own risk. You should only access the services within a secure environment.

10. DO WE COLLECT INFORMATION FROM MINORS?

In short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age or knowingly sell such personal information. By using the services, you declare that you are at least 18 years old or that you are the parent or guardian of such a minor and consent to the use of the services. If we learn that personal information from users under 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under 18, please contact us at support@turnus.ai

11. WHAT ARE YOUR PRIVACY RIGHTS?

In short: You may review, change, or terminate your account at any time, depending on your country, region, or state of residence.

We take your privacy rights seriously. If you are in certain regions (such as the EEA, UK or Switzerland), you may have rights under the applicable data protection laws. These rights may include (i) The right to request access to your personal data and obtain a copy of your data, (ii) the right to request correction or deletion; (iii) request restrictions on the processing of your personal data; (iv) where applicable, data portability; and (v) the right not to be subject to automated decision-making. Under certain circumstances, you may also have the right to object to the processing of your personal data. You also have the right to data portability under Art. 20 GDPR, allowing you to request the transmission of your personal data in a structured, commonly used and machine-readable format. You can make such a request by contacting us using the contact information provided in the section “HOW CAN YOU CONTACT US ABOUT THIS STATEMENT?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are in the EEA or UK and you believe we are unlawfully processing your personal data, you have the right to complain to your data protection authority of the Member State or UK.

If you reside in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawal of your consent: If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us using the contact information provided in the section “HOW CAN YOU CONTACT US ABOUT THIS STATEMENT?” below.

Please note; however, this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking the unsubscribe link in the emails we send or contacting us using the contact information provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?". You will then be removed from the marketing lists. However, we may still communicate in relation to service-related matters such as management and account-related usage messages that are necessary for service requests or for other non-marketing purposes.

Account information If you would like to review or change the information in your account or terminate your account, you can:

• Contact us using the contact information provided.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most web browsers are set to accept cookies by default. If you prefer, you can usually set your browser to remove cookies and reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our services. To opt-out, you may refer to our Cookie Notice: HTTPS://www.framer.com/legal/cookie-policy/.

If you have any questions or comments about your privacy rights, you may email us at support@turnus.ai.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers, some mobile operating systems and applications include a Do-Not-Track ('DNT') feature or setting that you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognising and implementing DNT signals has been finalised. Therefore, we do not currently respond to DNT browser signals or other mechanisms that automatically communicate your choice not to be tracked online. If an online tracking standard that we must follow is adopted, we will update this privacy statement to inform you about that practice.

13. DO WE MAKE UPDATES TO THIS STATEMENT?

In short: Yes, we will update this statement as necessary to stay compliant with relevant laws.

We reserve the right to update this privacy statement from time to time. The updated version will be indicated by an updated “Revised” date, and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy statement, we may notify you either by posting a notice of such changes or by directly sending a notification. We encourage you to review this privacy statement frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS STATEMENT?

If you have questions or comments about this statement, you may email us at support@turnus.ai or contact us by post at:

turnus.ai GmbH

Fiedelerstraße 35A

Hannover 30519

Germany

15. HOW CAN YOU REVIEW, UPDATE OR DELETE THE DATA WE COLLECT?

Based on the applicable laws of your country, you may have the right to request access to the personal data we collect, details concerning how we process your data, correct inaccuracies, or delete your personal data. You may also have the right to withdraw your consent to our processing of your personal data. These rights may be limited under certain circumstances by applicable law. To request to review, update or delete your personal data, please visit: support@turnus.ai.