Privacy Policy — Nvelop Technologies Oy
Last updated: 9.12.2025
1. Our Commitment to Data Protection
At Nvelop Technologies Oy ("Nvelop," "we," "us," "our"), we are committed to safeguarding your personal data with the highest standards of transparency, security, and respect. As a Finnish technology company, we adhere to strict data protection principles outlined in Finnish and European Union regulations, including the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. We continually review our data practices to ensure they meet or exceed legal requirements and industry best practices.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected and processed by Nvelop in connection with the use of our public website, our AI-powered software-as-a-service sourcing platform, and related services (collectively, the "Services"). This includes personal data obtained through:
- Online interactions: Information you provide on our website (e.g. via contact forms or newsletter sign-ups) and data collected through cookies or similar tracking technologies.
- Use of our Platform: Data you submit when registering an account, using platform features, uploading documents or other materials, and through your interactions and activities on the platform (including support tickets or in-platform communications).
- Communication channels: Content of communications via email, chat, or support requests you send to us.
- Offline engagements: Personal data you may provide during in-person events, meetings, or customer support interactions.
Please note that our Services are intended for business and professional use. They are not directed to individuals under 18, and we do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from an individual under 18 years of age, we will take immediate action to delete such information from our systems. We also do not intentionally collect any special categories of personal data (such as information about health, racial or ethnic origin, religious beliefs, etc.) in the normal course of our Services, and we ask that you refrain from submitting such sensitive information unless absolutely necessary. If you do not agree with any part of this Privacy Policy, please refrain from using our Services or otherwise providing your personal data.
3. Our Role Under GDPR
Nvelop operates in different capacities under GDPR depending on the context of the data processing:
- Data Controller: We act as a data controller for personal data that we collect directly from you for our own purposes – for example, information from website visitors, business contacts, or user account details for our platform. As a controller, we determine the purposes and means of processing this personal data and this Privacy Policy governs how we handle it.
- Data Processor: We act as a data processor when we process personal data on behalf of our customers as part of providing our Services. This is typically the case for any personal data contained in procurement-related content that customers or their authorized users input into our platform (e.g. personal data in RFP documents, vendor proposals, or other materials uploaded to the platform). In these situations, the customer (or their organization) is the data controller and determines the purposes and means of processing, and we only process the data according to their instructions.
When acting as a Data Processor, we process personal data strictly in accordance with our client's instructions and our contractual agreements (including our Data Processing Addendum). We use such data only for the purposes that our client (the controller) has defined. If you have questions or requests regarding personal data that one of our clients has entered into our platform (for example, if your information is part of a client's RFP process), please direct your inquiry to that client, as they are the data controller for that data. Our responsibilities as a processor are further detailed in our agreements with clients (such as our Service Agreement and Data Processing Addendum).
When acting as a Data Controller, we will process your personal data in accordance with this Privacy Policy and applicable law. When acting as a Data Processor for our clients, this Privacy Policy will apply only to the limited extent we use your data for our own purposes (for example, your account information or usage data for improving the service), whereas the client's privacy notice will govern the core processing of that procurement data. In all cases, we handle personal data with care and in compliance with GDPR.
4. Legal Basis for Data Processing
We only process personal data when we have a valid legal basis under GDPR. Depending on the context, our processing of your data is justified on one or more of the following bases:
- Contractual Necessity: When processing is necessary to perform a contract with you (or to take steps at your request before entering a contract). For example, we process personal data to provide and maintain our Services – such as creating user accounts, hosting your procurement content on our platform, or handling customer support – because it is required to fulfill our contractual obligations to you or your organization.
- Legitimate Interests: We may process data as needed for our legitimate business interests, provided those interests are not overridden by your data protection rights. This can include improving and optimizing our platform functionality, ensuring IT security and fraud prevention, developing new features, or analyzing usage patterns to enhance user experience. When we rely on legitimate interests, we carefully consider and balance any potential impact on your rights.
- Consent: We will rely on your explicit consent for certain processing activities when required. For instance, we will obtain your consent to send you marketing communications (if you are not already our customer), or to use non-essential cookies (see Section 10 on Cookies and Tracking). Whenever we process data based on consent, you have the right to withdraw that consent at any time (see Section 12 on Your Data Rights).
- Legal Obligation: In some cases, we need to process personal data to comply with a legal or regulatory obligation. This includes fulfilling duties under applicable laws (for example, complying with tax accounting rules or responding to lawful requests from authorities), or other mandatory regulations.
If we ever need to process your personal data for a purpose that is incompatible with the original purpose we collected it for, we will provide you with information on that new purpose and, if required, seek your consent. For more details on our data processing practices and contractual commitments (particularly in our role as a processor), please refer to our Data Processing Addendum or contact us at privacy@nvelop.ai.
Marketing Communications and Opt-Out
We may use your contact information (such as your name and work email address) to send you updates about our Services, including newsletters, product announcements, industry event invitations, or other marketing communications. We will only do so where we have a lawful basis: either your prior consent (e.g. when you sign up for our newsletter or agree to receive marketing emails) or our legitimate interest in keeping business customers informed about our offerings. In every case, we respect your choice. If you receive marketing emails from us, you can opt out at any time by clicking the "unsubscribe" link included in those emails or by contacting us at privacy@nvelop.ai with your request. Once you opt out, we will stop using your information for marketing purposes. (Please note you may still receive non-promotional communications from us as needed for service administration or contractual purposes, such as important notices about your account or platform updates.)
5. Types of Data We Collect
Through your use of our website and platform, we may collect various categories of personal data. The exact data collected depends on your interactions with us, but generally includes:
- Account Information: Contact and profile details that you or your organization provide when creating or managing an account for our platform or contacting us through the website. This may include your name, professional title/role, company name, business email address, phone number, and login credentials (like usernames and hashed passwords).
- User-Provided Content: Any personal data contained in the materials or documents you upload or input into our platform in the course of using the Services. For example, if you include personal data in a contract document, RFP document, vendor proposal, project notes, or other content on the platform, we will process that information as part of delivering the service. Important: You should ensure you have a lawful basis to include any personal data in such content. We process this data on your behalf and do not use it for any purpose other than delivering our Services according to your instructions (see Section 3 on our Role as Processor).
- Usage Data: Information about how you and your users interact with our platform or website. This includes activity logs and analytics data such as pages or features accessed, the sequence of actions taken, frequency of use, session duration, click-stream data, and other interaction details. It may also encompass support interactions (e.g., whether you utilized in-app guidance or help resources).
- Technical Data: Device and network information automatically collected when you use our Services. This can include your IP address, browser type and version, device type, operating system, screen resolution, language preferences, and timestamps of access. We also maintain system logs, error reports, other diagnostic data, and performance metrics to help us troubleshoot and secure the platform. Some of this technical data is collected via cookies and similar technologies (see Section 10 below for details).
- Communication Records: Copies of communications and contact history if you correspond with us. For example, when you send us an email, chat with our support, or submit a support ticket, we will retain the correspondence and any information you choose to include (such as your contact details and the content of your inquiry or request). This helps us manage your requests and improve our support services.
- Aggregated and Analytics Data: We may derive aggregate or anonymized data from your use of the Services. For instance, we might compile general usage trends, performance metrics, or security audit information. This analytics data does not identify any individual and is not considered personal data. We use it to understand how our Services perform and to improve features and user experience. In some cases, we may also generate statistical insights or benchmarks across customers in de-identified form. (Any such aggregated data cannot be linked back to you or any specific person, and we ensure it remains anonymized and non-identifiable.)
No sale of personal data: We do not sell or rent your personal data to third parties. We only collect and use personal data as described in this Policy and in accordance with applicable law.
6. How We Use Personal Data
We use the personal data we collect for the following purposes, in each case based on the appropriate legal basis as described in Section 4:
- Providing and Improving Services: First and foremost, we process data as necessary to deliver our Services to you. This includes using account and authentication data to let you log in and access the platform, processing the content you upload to facilitate sourcing workflows (e.g. generating an RFP or evaluating proposals), and operating the core functionality of our platform. We also use data (especially Usage and Technical Data) to maintain and improve the quality and functionality of our platform – for example, to debug issues, analyze performance, and develop new features or AI capabilities that enhance user experience.
- Customer Support and Communications: We use your contact information and communication records to communicate with you about the Services. This includes responding to inquiries or support tickets, providing customer service, sending administrative or account-related messages (such as password reset emails, important updates about the platform, or notices about terms or policy changes), and otherwise managing our relationship with you and your organization. These communications are typically part of our contract or legitimate interest in providing good service.
- Marketing and Outreach: With your consent or as permitted by law (see the Marketing section above), we use certain information like your email to send promotional materials, newsletters, surveys, or event invitations. We strive to only send communications that are relevant and valuable to our business audience. You can opt out of marketing at any time, as described.
- Analytics and Product Development: We analyze usage, technical, and aggregated data to understand trends and user preferences. This helps us troubleshoot performance issues, enhance security, and make informed decisions about product improvements and innovation. For instance, understanding which features are most used can guide us in allocating development resources. We may also use anonymized data to train or improve our AI models and algorithms that power the platform's smart features, but only in a manner that does not identify individuals and in compliance with our contractual and legal obligations.
- Anonymized vs. Pseudonymized Data: When we generate aggregate or statistical data for analysis, development, or service improvement, we ensure that such data is anonymized—meaning it cannot be used to identify any individual, directly or indirectly, and thus falls outside the scope of data protection law. In contrast, where we apply pseudonymization (e.g., replacing identifiers with artificial keys while retaining the ability to re-link under controlled conditions), the data remains personal and is handled with the same safeguards and legal obligations under GDPR.
- Legal Compliance and Security: We may process personal data as needed to comply with applicable laws and regulations, or to protect the rights and safety of our users, ourselves, and others. This includes using data to meet legal obligations (such as financial record-keeping or responding to lawful government requests), to enforce our agreements and Terms of Use, and to detect or prevent fraud, security incidents, and other harmful or illegal activities on our platform. For example, IP addresses and login records may be used in security investigations to identify suspicious login attempts and help prevent unauthorized access to accounts.
We will not use your personal data for entirely new, unrelated purposes without first providing you notice and, if required, obtaining your consent. Our goal is to ensure you understand how your data is being used and that such use remains within the expected functions set out when your data was collected.
7. Data Processing Principles
Our handling of personal data is guided by core data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully and fairly. We strive to be transparent by clearly communicating our data practices (through policies like this) and informing you about how your data will be used.
- Purpose Limitation: We collect personal data for specific, explicit, and legitimate purposes, and do not process it in ways that are incompatible with those purposes without informing you and obtaining consent if required.
- Data Minimization: We collect and process only the personal data that is necessary to achieve the stated purposes. If a particular piece of information is not needed, we will not ask for it.
- Accuracy: We take reasonable steps to keep personal data accurate and up to date. You can help by keeping your account information current and contacting us to correct any inaccuracies (see Section 12 on your right to rectification).
- Storage Limitation: We do not keep personal data longer than necessary (see Section 9 on Data Retention). When data is no longer needed, we delete or anonymize it in a secure manner.
- Integrity and Confidentiality (Security): We implement appropriate technical and organizational measures to ensure the security of personal data, protecting it against unauthorized or unlawful processing and against accidental loss, destruction, or damage (see Section 14 on Data Security).
- Accountability: We are responsible for and able to demonstrate compliance with these principles. This means we maintain documentation of our data processing activities, train our staff on data protection, and include data protection considerations in our product design and vendor selection.
Importantly, we also empower you with control over your data. As described in Section 12 below, you have various rights under GDPR to access, correct, or erase your data, and to object or restrict certain processing. We honor these rights and have processes in place to respond promptly to your requests.
8. Data Sharing and Third Parties
We treat your personal data with care and confidentiality. We do not sell personal data to anyone. However, in order to run our business and provide the Services, there are circumstances where we share personal data with third parties, as detailed below:
- Service Providers (Sub-Processors): We use trusted third-party companies to perform certain business-related functions on our behalf. These include, for example, cloud hosting providers (to store and process data securely), data center or infrastructure providers, analytics services (to help us understand how our Services are used), email and notification delivery services, customer support software, and other relevant vendors. When we share data with service providers, it is only to the extent necessary for them to perform their work. All such providers are bound by contractual data processing agreements to protect your data and to process it in compliance with GDPR (including, where applicable, Standard Contractual Clauses for international transfers – see Section 11). They are not permitted to use your data for any independent purposes.
- Affiliates and Advisors: We may share information with our affiliates (e.g., a parent or subsidiary company, or entities under common ownership) as needed to operate the platform and business. We may also disclose relevant data to our professional advisors – such as our legal counsel, accountants, auditors, or insurers – but solely for lawful purposes in the scope of the advice or services they provide to us. In all such cases, these parties are subject to confidentiality obligations and will be required to handle the data consistent with this Privacy Policy and applicable law.
- Business Transfers: If Nvelop engages in a merger, acquisition, reorganization, or sale of some or all of our assets, personal data may be transferred to the acquiring or successor entity as part of that transaction. We will ensure any such transfer is subject to appropriate safeguards. In the event of a business transfer, we will notify affected users if their personal data will be subject to a new privacy policy or if additional choices about their data are available.
- Legal Obligations and Protection of Rights: We may disclose personal data when required to do so by law or lawful request – for example, in response to a subpoena, court order, or government demand with proper authority. We may also share information if we believe in good faith that such disclosure is necessary to (a) comply with a legal obligation, (b) protect and defend the rights, property, or safety of Nvelop, our customers, or others, (c) investigate or assist in preventing any violation of law or our terms of service, or (d) detect, prevent, or address fraud or security issues. In these cases, we will only disclose what is reasonably necessary.
- With Your Consent: Apart from the situations above, if we ever need to share your personal data with any third party for a purpose not covered by this Privacy Policy, we will obtain your consent. For example, if we wanted to use a customer testimonial that includes personal information, we would seek your approval first.
Whenever we share your data with third parties, we remain accountable for its protection. We carefully vet our partners and service providers and require that they maintain strict privacy and security standards. If any of them also disclose personal data, we will remain responsible for their acts and omissions as if they were our own.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with our legal and contractual obligations. The retention period can vary depending on the type of data and the context in which it is used:
- Operational and Account Data: For active user accounts, we retain personal data for as long as your account is in use or as needed to provide you Services. If you or your organization terminates your contract or account with Nvelop, we will delete or anonymize personal data associated with your account after a defined period, unless we are required to retain it longer for legal reasons.
- Client Procurement Data: When we act as a processor handling data on behalf of a client (for example, personal data contained in RFPs or proposals on our platform), the retention of that data is governed by our agreement with the client. Generally, we will not delete or modify such data from our platform without direction from the client (the controller). Upon termination or expiration of a client contract, we follow the client's instructions regarding return or deletion of their data, as specified in our Data Processing Addendum.
- Legal and Regulatory Requirements: We may need to retain certain records to comply with laws or regulations (e.g., finance or tax laws require us to keep certain transaction data for a set number of years). We also may retain information needed for resolving disputes or enforcing agreements to the extent permitted by law, but only for as long as necessary to fulfill those purposes.
In all cases, when personal data is no longer needed for its intended purpose and we have no legal obligation to retain it, we will either irreversibly anonymize the data or securely delete it. We use secure deletion methods to prevent any unauthorized access or recovery of data after deletion. If anonymized, the data will no longer be associated with any identifiable individual and may be used for analytics or statistical purposes without further notice to you.
10. Cookies and Tracking Technologies
When you visit our website or use our platform, we use cookies and similar tracking technologies to provide and improve the Services. Cookies are small text files placed on your device (computer, smartphone, etc.) when you visit a website. They help us remember your preferences and recognize you on subsequent visits, among other functions. In our use of cookies, we adhere to applicable data protection and ePrivacy laws, and we obtain consent where required.
Types of cookies we use include:
- Essential Cookies: These cookies are necessary for the website or platform to function properly and cannot be switched off in our systems. For example, they may enable basic features like page navigation, access to secure areas (such as logging into your account), or remembering your cookie consent choices. You can set your browser to block or alert you about these cookies, but some parts of the site or Service may not work without them.
- Analytics and Performance Cookies: We use these cookies to collect information about how visitors use our website or platform – for instance, which pages are visited most often, how users navigate through the site, or if they encounter error messages on certain pages. The data collected is generally aggregated and anonymous. It helps us understand user interactions and improve the performance and content of our Services. For example, we might use a third-party analytics tool that sets its own cookies to provide us with insights (any such third party is listed as a service provider in Section 8). We only deploy analytics cookies in compliance with legal requirements, which in many cases means we will ask for your consent before placing them.
- Functionality Cookies: These cookies allow our site or platform to remember choices you make (such as your language or region, or other preferences) to provide enhanced, more personalized features. They may also be used to provide services you have asked for, like live chat support or remembering settings to improve your experience.
- Advertising/Marketing Cookies: Currently, we do not use third-party advertising cookies on our site. If in the future we integrate marketing or retargeting cookies (which track your browsing activity to show you targeted ads on other sites), we will update this Policy and obtain your consent where required.
Cookie Consent and Options:
On your first visit to our website, and periodically as required, we will present you with a cookie banner to inform you about the types of cookies we use and to obtain your consent for any non-essential cookies. You have the right to accept or reject individual cookies if you wish. You can change your mind at any time and typically adjust your preferences by: (a) using our website's cookie settings or preferences center (if available), (b) clicking the "Privacy" or "Cookie Settings" link (often found in the footer of the site) to revise your choices, or (c) changing your browser settings to block or delete cookies. Most web browsers allow you to refuse new cookies, delete existing cookies, or alert you when new cookies are set. Please refer to your browser's help section for instructions on how to do this.
Keep in mind that if you disable or delete certain cookies, our website or platform might not function as intended, and you may lose certain preferences or experience reduced functionality.
Other Tracking Technologies:
We may use technologies similar to cookies (such as web beacons or GIFs) in our emails or on our site. These help us track whether you have opened an email or visited a certain page. This information is used mainly for statistical analysis and to improve our communications. It is typically not used to identify you individually, but rather to gauge the effectiveness of our outreach.
We do not respond to browser-based Do Not Track signals. We rely instead on your cookie preferences and consent choices.
For more detailed information about our use of cookies and to see a current list of the cookies in use, you may contact us at privacy@nvelop.ai. We are happy to provide additional explanations or a copy of our full cookie policy if available.
11. International Data Transfers
Nvelop is based in Finland, and our primary data storage and processing typically occur within the European Economic Area (EEA). However, the global nature of cloud services and the Internet means that personal data may be transferred to or accessible from other countries, including those outside of the EEA. For example, we may engage certain service providers or sub-processors that are located outside of the EU/EEA (such as cloud infrastructure providers or customer service providers based in the United States or other countries).
Whenever we transfer personal data internationally, we take steps to ensure that adequate safeguards are in place to protect it, as required by GDPR and applicable law:
- If data is transferred outside the EEA to a country that the European Commission has not recognized as providing an adequate level of data protection, we will use Standard Contractual Clauses (SCCs) or other lawful data transfer mechanisms in our contracts with the data importer. These SCCs obligate the recipient to protect the personal data to the same standard as it is protected in the EU.
- We may also rely on an EU Commission adequacy decision where applicable (for instance, if a non-EEA country is officially deemed to have adequate data protection laws, or frameworks like the EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations, if applicable).
- In addition, we implement technical measures such as encryption in transit and at rest, so that data is protected as it moves between jurisdictions. We also limit access to personal data to authorized personnel or partners with a need-to-know, and we continuously monitor our data flows and our partners' compliance with data protection requirements.
You can request more information about international data transfers relevant to your personal data (including copies of the SCCs we use) by contacting us at privacy@nvelop.ai. We will be transparent about the protections we have put in place for cross-border data transfers. Our aim is to ensure that your personal data enjoys a high level of protection wherever it is processed.
12. Your Data Rights
As a data subject in the EU (and in other regions with similar laws), you have a number of important rights regarding the personal data we hold about you. Nvelop is committed to honoring these rights. Please note: Where we process data on behalf of a client (as a processor), we may need to refer your request to the relevant client/controller, but we will assist as needed. Subject to certain legal limitations, your rights include:
- Right of Access: You have the right to ask us whether we are processing your personal data and, if so, request access to that data. This allows you to receive a copy of the personal data we hold about you and information about how we use it.
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct or update it. We encourage you to keep your account information up-to-date and to notify us of any changes or errors so we can ensure accuracy.
- Right to Erasure: You can request that we delete your personal data if: (a) it is no longer necessary for the purposes for which we collected it; (b) you withdraw consent (where the processing was based on consent) and we have no other legal basis to continue processing; (c) you object to our processing for direct marketing or, in other cases, there are no overriding legitimate grounds for us to continue; (d) we have processed your data unlawfully; or (e) the data must be erased to comply with a legal obligation. This is sometimes called the "right to be forgotten." Please note that this right is not absolute – sometimes we may have legal grounds to retain data (for example, ongoing contractual relations or legal obligations might prevent immediate deletion, but we will inform you accordingly).
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain circumstances. For example, if you contest the accuracy of data, you can request we restrict processing while we verify accuracy; or if you object to processing based on legitimate interest, you can request restriction pending verification of overriding grounds. When processing is restricted, we can still store your data but will not use it further until the restriction is lifted (unless necessary for legal claims or to protect others' rights).
- Right to Data Portability: For personal data you have provided to us and which we process by automated means on the basis of consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, CSV), and you can ask that we transmit it directly to another data controller where technically feasible. This right is designed to make it easier for you to move your data between service providers.
- Right to Object: You have the right to object to certain processing activities. You can object at any time to the processing of your personal data for direct marketing purposes, and we will stop processing your data for that purpose. Additionally, if we are processing your data based on a legitimate interest, you can object if you believe your fundamental rights and freedoms outweigh our legitimate interest. We will then re-evaluate our reasoning for processing your data and, unless we have a compelling legitimate interest that overrides your rights or we need the data for legal claims, we will cease the challenged processing.
- Right to Withdraw Consent: If we rely on your consent for any processing of your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing we conducted prior to your withdrawal, and it will not affect processing of your data under other legal bases (for example, processing based on contract or legitimate interests). If you withdraw consent, we will stop the specific processing that was based on consent (such as sending you a newsletter).
Exercising Your Rights:
You may contact us at any time to exercise the rights listed above (see Section 16 for contact details). For security, we may need to verify your identity before processing certain requests (to ensure that we do not disclose data to the wrong person or delete data at the request of someone other than the data subject). We will respond to legitimate requests as soon as possible and at the latest within one month, as required by GDPR. If your request is particularly complex or if you have made a large number of requests, we may need to extend the response time by up to two further months, but we will inform you of the extension and the reasons without delay.
If you are dissatisfied with how we process your personal data, you also have the right to lodge a complaint with the Finnish supervisory authority:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Visiting address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: P.O. Box 800, FI-00531 Helsinki, Finland
Website: https://tietosuoja.fi/en/
Email: tietosuoja@om.fi
13. Automated Decision-Making
No solely automated decisions: We do not use your personal data for any decision-making processes that are solely automated and that produce legal effects or similarly significant effects on you. In other words, there are no "automated decisions" without human involvement in our Services that would significantly affect your rights or interests. If this policy changes in the future (for instance, if we introduce automated decision features), we will update this Privacy Policy and, where required by law, obtain your consent or provide you with an opt-out.
Our platform does incorporate AI-assisted features to enhance user experience and efficiency. For example, our system may use artificial intelligence or large language models to help draft sections of an RFP document, to provide suggestions for requirements, or to analyze and summarize information from vendor proposals. These AI features are provided as an aid for users – not as final decision-makers. All AI-generated outputs on our platform are subject to human review and control. Users decide whether and how to use the AI's suggestions, and all critical decisions (such as selecting vendors or approving content) are made by human users, not by the AI alone. By keeping a human in the loop, we ensure that AI serves as a tool for productivity and insights, rather than replacing human judgment or making binding decisions on its own.
We are committed to using AI technology in a transparent and responsible manner. If you have any questions about how AI is used within our platform, please refer to our service documentation or reach out to us for more information. We also allow users to disable or avoid certain AI features if they prefer not to use them.
14. Ethical Use of AI
At Nvelop, we are committed to the responsible and ethical use of artificial intelligence across our platform. All AI features are designed to augment human decision-making, and we maintain human oversight over all AI-generated outputs. Our AI systems are developed and monitored with a focus on fairness, transparency, and explainability, and we take steps to minimize bias and ensure that AI-driven suggestions support objective and inclusive outcomes. We continuously evaluate the performance of our models and invite client feedback to improve their accuracy, relevance, and reliability.
15. Data Security Commitments
We understand the importance of securing personal data and have implemented multiple layers of security measures to protect the information in our custody. These measures are designed to prevent unauthorized access, maintain data integrity, and ensure appropriate use of personal data. Key security practices include:
- Encryption: We use strong encryption protocols to protect personal data during transmission (e.g., SSL/TLS encryption for data in transit over the internet) and at rest in our databases or storage. This means that even if data were intercepted or accessed without authorization, it would be unreadable without the proper decryption keys.
- Access Controls: We employ strict role-based access controls and authentication mechanisms. Only authorized personnel with a legitimate need to access your information (for example, to support or maintain the system) can do so, and their access is limited to the data necessary for their role. All employees and contractors are bound by confidentiality obligations. We also enforce measures like two-factor authentication and strong password policies for our internal systems.
- Network & System Security: We use firewalls and monitoring systems to guard our systems and website against malicious traffic and attacks. We keep our software and infrastructure updated with the latest security patches.
- Audit and Monitoring: We maintain logs of access and actions within our platform to provide an audit trail. This helps in detecting any irregular access patterns or potential breaches quickly. Our security team continuously monitors for threats or anomalies and has established incident response procedures to handle any security events swiftly and effectively.
- Sub-processor Security: We vet our critical service providers (such as hosting or cloud services) for strong security practices. Our contracts with them require that they implement appropriate security measures and notify us promptly of any incidents. We strive to work with industry-leading providers that have certifications or external audits attesting to their security (for example, ISO 27001, SOC 2, or similar standards where applicable).
While we are committed to protecting your data, it's important to note that no method of transmission over the Internet, and no method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security. However, we continuously assess and improve our security measures to align with best practices and reduce risks. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by law.
16. Contacting Our Data Protection Team
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, we encourage you to contact us. Our data protection team is here to help. You can reach us by email at privacy@nvelop.ai.
Alternatively, you may write to us at our business address:
Nvelop Technologies Oy
Lapinlahdenkatu 16
00180 Helsinki
Finland
Please address correspondence to "Data Protection" or "Privacy Team." When you contact us, please provide sufficient detail about your question or request, including any account or interaction context, so we can assist you. We will respond as soon as reasonably possible, and no later than within the timeframes required by law.
17. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our data practices, advances in technology, new regulatory requirements, or other reasons. When we make material changes to the Policy, we will notify users in an appropriate manner. For example, we may send a notice to the email address associated with your account, or display a prominent notice within the platform or on our website (such as a banner or pop-up notification) informing you of the update. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
At the top of this Policy, you can find the effective date of the latest revision ("Last Updated" date). Continued use of our Services after any updates take effect will constitute acceptance of the revised Policy to the extent permitted by law. If you do not agree with any changes, you should stop using our Services and contact us if you wish to have your data removed.
We are committed to transparency and will not retroactively change how we handle previously collected personal data without obtaining any required consent. If you have any questions or concerns about changes to this Privacy Policy, please contact us (see Section 16).