Privacy Policy

1. Data controller

Protonaut GmbH
Zur Alten Fähre 8
24837 Schleswig
Germany
is the data controller for processing of your personal data. This privacy policy (“Privacy Policy”) provides you with the information that you are entitled to receive, in accordance with applicable data protection laws. You must read the Privacy Policy before submitting your personal data. The Privacy Policy applies to the processing of personal data collected about you, prior to, during or after the termination of our relation. Collection of personal data can be done via the website www.molteo.com/en and www.molteo.com/de, from public authorities, public records and directly from you.

2. Purpose, types of personal data and legal basis

The purposes for which your personal data is processed, what types of personal data are processed and what the legal basis is for the processing of your personal data, depends on each individual process. The table below shows the possible purposes, types of personal data and legal bases that can apply.

2.1 Providing our services to you as a customer

2.1.1 Customer Information

Our product is a B2B solution, meaning that the processing of personal data is an accessory activity to the overall purpose of delivering our service to business customers. However, in order to deliver such service by way of contract, we process the following personal data about employees of all our business customers: Contact/admin person(s): Name, mail address, phone number, company, job title The legal basis for processing customer information is Article 6(1)(b) of the GDPR, which relates to processing necessary for fulfilling a contract. The data retention period is up to 6 months after the termination/expiry of the contract with you as a customer. Any personal information necessary for bookkeeping reasons in accordance with the Danish Bookkeeping Act will be stored up to 6 years after the end of the contract based on Article 6(1)(c) of the GDPR, which relates to processing that is necessary to fulfill a legal obligation. If we have reason to store personal data as part of the protection of our legitimate interests, including for example legal disputes, we reserve our right to store your personal data for an extended period and minimum until the legal dispute has been determined.

2.2 User creation

Each business customer will have the opportunity to create employee user profiles in the platform in order to facilitate data. For this activity, we are a data processor, meaning that you as a customer are responsible for compliance with GDPR and we can assist in any inquiry upon instruction. The required information regarding user details are:

• Customer profile users (employees/consultants): Name, mail address, phone number, profile picture (voluntary) The legal base for processing customer information is on our behalf the data processor hosting agreement entered between customer and Protonaut, cf. Article 28 of the GDPR. Any individual use of data protection right for customer user profiles must be directed at the customer (employer of the data subjects). We are also happy to assist, as long as we are instructed by the customer. The data retention period is regulated by the data processor hosting agreement, but presumably user data will be deleted within a short period of time after the end of the customer contract.

2.3 Third-party plugins

1. Hubspot Website Tracker - checks if a lead from HubSpot visits our webiste
2. Facebook Pixel - checks if a lead that we targeted on Facebook visits our website
3. Segment Analytics - Sends analytics events such as Pricing Button Press, “Book Demo” and “Signed up for Newsletter”.
4. AutopilotHQ Cookie - checks if a lead contact from AutopilotHQ visits the website \

3. Your visit to the Website

3.1 Inquiries through our Chat function

When you send a message to us through our chat box, we use the personal data (e-mail) that you have stated in the chat for us to answer you. The legal base for processing feedback is Article 6(1)(f), which relates to a legitimate interest. Our interest relies on the fact that you have made the inquiry and will expect us to provide an answer. The data retention period is up to 6 months after completion of processing (latest correspondence). In certain circumstances the chat conversation might result in a demo of our platform, and this will require some data e.g. Name of the contact person, e-mail address. The legal base for this processing of information is as mentioned above legitimate interest to fulfill your request and show a demo of the platform.

3.2 Cookies

Please refer to the Cookie Policy available at the Website and section 11.

4. Marketing activities

4.1 E-mail marketing

We use customer contact information (see customer information section above) to send promotion material via email, if we have received a marketing consent. The legal base for processing email marketing is Article 6(1)(a), which relates to a consent from the data subject. It is possible to withdraw a marketing consent at any time by contacting us or using the unsubscribe link available in every email sent. The data retention period is until the consent is withdrawn.

4.2 Contact to potential customers

We use publicly available information to identify potential customers and reach out to such customers in accordance with German marketing rules. For this purpose, we process the following personal data about relevant contact persons employed by the potential customer: Name, mail address, phone number, company, job title and LinkedIn URL. The legal base for processing potential customer information is Article 6(1)(f) of the GDPR, which relates to a legitimate interest. Our interest is to be able to present our services to other businesses in line with marketing rules and without overriding any personal privacy of potential customer contact persons. The data retention period is until no interest has been shown by the potential customer.

5. Security and transfers of data

We have implemented appropriate technical, organisational and physical measures to ensure a level of protection of your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access in accordance with the data protection legislation in the EU. Despite our efforts to establish a secure environment for the Website, you should be aware that no information is completely secure on the Internet. Therefore, you should always take the necessary safeguards on your own equipment. We transfer your personal data to Security-cleared data processors, who are assisting us with IT or other services. We may also transfer your personal data to third parties if we are obliged to do so according to legislation or in order to protect our interests in legal disputes. We will inform you if such a situation should occur. All personal data are stored on secure servers in the EU except for the following specific processing activities:

1. For e-mail marketing, cf. point 4.1 above, we use AutopilotHQ Inc. who has processing activities in the United States. The transfer of data takes place based on the EU US Privacy Shield scheme. Our agreement with AutopilotHQ is available at request. \
2. For e-mail technical and marketing purposes we use HubSpot. who has processing activities in the United States. The transfer of data takes place based on the EU US Privacy Shield scheme. Our agreement with HubSpot is available at request.

6. Recipients

In some cases, your personal data will be disclosed to independent data controllers, if it is imposed on us or if it otherwise follows from the contract. These are the following categories of recipients: • Accountants • Lawyers • Public authorities • Payment networks (SEPA) Your personal data is neither transferred to or disclosed to data processors or data controllers outside the EU/EEA.

7. Deletion

Your personal data will be deleted on an ongoing basis, when there is no longer a need to process it to fulfil on or more of the purposes set forth above. However, data can be processed and stored for an indefinite period in anonymized form. We have implemented internal retention periods for the processing of the various personal data.

8. Updating information

We continually try to verify that the personal data we process about you is accurate and up to date. We do this, e.g. by contacting you or compare your data with public data bases. However, as our service depends on your data being accurate and up to date, we also ask you to inform us of changes to your data.

9. Security

We have implemented security measures to ensure that internal procedures comply with established safety standards and applicable legal requirements. We try our best to protect the quality and integrity of your personal data. Sensitive and confidential data will only be sent in encrypted form in accordance with the guidelines of the Danish Data Protection Authority. We have implemented internal information security rules, which contains instructions and measures protecting your data from being destroyed, lost, altered, against unauthorized disclosure and against unauthorized access or knowledge.

10. Your rights

• You have the right to access your personal data • You can object to the collection and further processing of your personal data • You have the right to have your data rectified or deleted • You have the right to request the restriction of your personal data • Under certain circumstances you request to receive a copy of your personal data, as well as request transmission of your personal data to another data controller (data portability).

11. Cookies

For information about what cookies are used on www.molteo.com/en and www.molteo.com/de , how they are used, when they are deleted and how you can block them, please refer to the cookie policy at www.molteo.com/de.

12. Contact and complaint

If you would like to complain about how we process your personal data, you are welcome to contact us by email: dsgvo@molteo.de. You can also file a complaint to the German Data Protection Authority (BDI)’: Der Bundesbeauftragten für den Datenschutz und die Informationsfreiheit - Graurheindorfer Str. 153 - 53117 Bonn Telephone: +49 (0)228 99 77 99-0 Fax: +49 (0)228 99 77 99-5550 E-mail: poststelle@bfdi.bund.de

13. Changes to this Privacy Policy

We reserve the right to make changes to this Privacy Policy from time to time. In the event of changes, the date at the top of the Privacy Policy will be updated. The Privacy Policy in effect at any time, will be available upon request. In the event of significant changes, you will be notified by e-mail.