Customer and Supplier Privacy Notice

PRIVACY NOTICE pursuant to article 13 of EU Regulation 679/2016

BRAINY LABS SRL (hereinafter, the "Controller"), as Data Controller, pursuant to art. 13 of EU Regulation 679/2016 (hereinafter, the "Privacy Regulation"), and subsequent amendments and additions, collects and subsequently processes the personal data of its Customers and Suppliers (hereinafter, the "Data Subject").

1. Purposes and methods of processing

The Data Subject's personal data is processed within the scope of the Controller's normal activity, for the pursuit of the following purposes:

1. correct and complete performance of the obligations of the contractual relationship established (hereinafter, the "Contract");
2. administrative and accounting obligations strictly connected to the Contract;
3. compliance with specific obligations provided for by law, by a regulation or by Community legislation (for example, those provided for in matters of "anti-money laundering");
4. updating the Data Subject on promotional and marketing initiatives, also through the sending of advertising and/or promotional material (for example, newsletters), by means of automated tools and/or traditional means of contact.

The processing of personal data takes place, under the authority of the Controller, by persons specifically appointed, authorised and instructed to process it pursuant to art. 29 of the Privacy Regulation, by means of manual, computer or telematic tools, with logic strictly related to the purposes and in any case in such a way as to guarantee the confidentiality and security of personal data. The processing of personal data may also take place, on behalf of the Controller, by Data Processors specifically designated pursuant to art. 28 of the Privacy Regulation.

Personal data will be stored for a determined period based on criteria founded on the nature and duration of the Contract and on the need to protect the interests of the Data Subject.

2. Legal basis of processing, nature of provision and consequences of any refusal, consent of the Data Subject

2.1) Purposes referred to in the previous paragraph 1, points 1, 2 and 3

With reference to the purposes referred to in the previous paragraph 1, points 1, 2 and 3, the provision of personal data is mandatory and constitutes a necessary requirement for the execution of the Contract; in fact, failure to provide it results in the impossibility of receiving the service that is the subject of the Contract itself and, therefore, the legal basis of the related processing is the correct execution and management of the Contract.

2.2) Purpose referred to in the previous paragraph 1, point 4

With reference to the purpose referred to in the previous paragraph 1, point 4, the provision is optional and the failure to give the related consent results only in the impossibility of receiving updates on promotional and marketing initiatives, also through the sending of advertising and/or promotional material (for example, newsletters).

3. Parties or categories of parties to whom personal data may be communicated and scope of communication

In relation to the purposes of the processing indicated above, and within the limits strictly pertinent to them, the Data Subject's personal data will be or may be communicated to the following categories of parties:

1. to the financial administration and to other public Authorities, where required by law or upon their request;
2. to credit institutions for payment orders or other financial activities instrumental to the execution of the Contract;
3. to the external structures and/or companies that the Controller uses, responsible for carrying out activities connected, instrumental or consequent to the execution of the Contract;
4. to external consultants (for example, for the management of tax obligations), if not designated in writing as Data Processors;
5. to external parties who carry out control activities, such as auditing firms, the board of statutory auditors, the supervisory body;
6. to factoring companies and/or specialised companies or law firms for the recovery of credits and/or for the protection of their own interests/rights.

The parties indicated above, to whom the Data Subject's personal data will be or may be communicated (as they are not designated in writing as Data Processors), will process the personal data as Data Controllers pursuant to the Privacy Regulation, in full autonomy, being extraneous to the original processing carried out by the Controller.

The updated list of the parties indicated and of the Data Processors may be provided upon request by the Data Subject.

The Data Subject's data will not be subject to dissemination.

Should this be necessary for the performance of the Contract, the Data Subject's personal data may be transferred to countries belonging to the EU and/or to countries not belonging to the EU, in full compliance with the provisions of the Privacy Regulation, the measures and decisions of the Data Protection Authority on the matter, as well as Community legislation. In particular, the Controller undertakes to comply with the provisions set out, respectively, in decisions 2001/497/EC, 2004/915/EC and 2010/87/EU (as the case may be), which require the signing of so-called "standard contractual clauses" between the legal entities involved in the processing of data outside the EU.

4. Rights of the data subject

Articles 15 et seq. of the Privacy Regulation grant the Data Subject the right to obtain:

• confirmation of the existence or otherwise of personal data concerning them, even if not yet registered, and its communication in intelligible form;
• the indication of the origin of the personal data, of the purposes and methods of processing, of the logic applied in case of processing carried out with the aid of electronic tools, of the identification details of the controller;
• the updating, rectification, integration, deletion, transformation into anonymous form or blocking of data processed in violation of the law (including those for which storage is not necessary in relation to the purposes for which the data was collected or subsequently processed). Certification that these operations have been brought to the attention of those to whom the data has been communicated or disseminated (also with regard to their content), except in the case where such compliance proves impossible or involves the use of means manifestly disproportionate to the protected right.

The Data Subject also has the right:

• to revoke at any time the consent given to the processing of personal data, where provided for (without prejudice to the lawfulness of the processing based on the consent given before revocation);
• to object, in whole or in part, for legitimate reasons, to the processing of personal data concerning them, even if pertinent to the purpose of the collection;
• to object, in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication;
• to lodge a complaint with the Data Protection Authority in the cases provided for by the Privacy Regulation;
• to the portability of personal data within the limits of art. 20 of the Privacy Regulation.

To know the detailed and constantly updated list of the parties to whom the Data Subject's personal data may be communicated and to exercise the rights referred to in articles 15 et seq. of the Privacy Regulation, the Data Subject may contact the Data Controller:

BRAINY LABS SRL Via Claudio Treves, 24 40135 — BOLOGNA (BO), Italy E-mail: info@brainylabs.it

Last updated April 2025