Data Protection Policy
Hexanai is committed to protecting your personal data and ensuring full compliance with international data protection regulations including GDPR, UK GDPR, Swiss Federal Act on Data Protection (DSG/nFADP), CCPA, and other applicable privacy laws.
1. Introduction and Scope
Hexanai AG ('Hexanai', 'we', 'us', 'our') is committed to protecting your personal data and respecting your privacy rights. This Data Protection Policy explains how we collect, process, store, and protect your personal information in compliance with applicable data protection laws worldwide.
This policy applies to all personal data processed by Hexanai in connection with our services, website, and business operations. We are committed to full compliance with:
• General Data Protection Regulation (GDPR) - EU Regulation 2016/679
• UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
• Swiss Federal Act on Data Protection (FADP/DSG) and revised nFADP effective September 1, 2023
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Other applicable US state privacy laws including Virginia CDPA, Colorado CPA, Connecticut CTDPA
• Any other applicable international data protection legislation
2. Data Controller Information
For the purposes of applicable data protection laws, the data controller is:
Hexanai AG
Registered Address: [To be completed upon registration]
Contact Email: Hexanai@pm.me
Data Protection Officer (DPO): Hexanai@pm.me
EU Representative (Art. 27 GDPR): Hexanai@pm.me
UK Representative (Art. 27 UK GDPR): Hexanai@pm.me
Swiss Representative: Hexanai@pm.me
You have the right to contact our Data Protection Officer at any time with questions or concerns regarding the processing of your personal data.
3. Legal Basis for Processing
We process personal data only when we have a valid legal basis under applicable law. The legal bases we rely upon include:
CONTRACT PERFORMANCE (Art. 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including providing our AI agent services, processing payments, and managing your account.
LEGITIMATE INTERESTS (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as fraud prevention, network security, and service improvement, provided these interests are not overridden by your rights and freedoms.
LEGAL OBLIGATION (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations, including tax laws, anti-money laundering regulations, and court orders.
CONSENT (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities, such as marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
VITAL INTERESTS (Art. 6(1)(d) GDPR): In rare circumstances, processing necessary to protect vital interests of you or another person.
4. Categories of Personal Data Collected
We collect and process the following categories of personal data:
IDENTITY DATA: Full name, username, title, date of birth, gender, nationality, government-issued identification numbers where legally required.
CONTACT DATA: Email address, telephone numbers, postal address, company address, country of residence.
FINANCIAL DATA: Payment card details (processed securely via PCI-DSS compliant providers), bank account details, billing address, VAT/tax identification numbers, transaction history.
TECHNICAL DATA: IP addresses, browser type and version, device identifiers, operating system, time zone settings, location data derived from IP address, login data, access times.
USAGE DATA: Information about how you use our website and services, including AI agent configurations, task histories, API usage metrics, feature preferences.
PROFESSIONAL DATA: Company name, job title, industry sector, company size, professional interests relevant to our services.
COMMUNICATIONS DATA: Records of correspondence with us, support tickets, feedback, survey responses.
We do NOT collect special category data (sensitive personal data) unless strictly necessary and with explicit consent or another valid legal basis.
5. Sources of Personal Data
We collect personal data from the following sources:
DIRECTLY FROM YOU: When you register for an account, subscribe to our services, contact us, complete forms, or otherwise interact with our platform.
AUTOMATICALLY: Through cookies, server logs, and similar technologies when you access our website or use our services.
THIRD PARTIES: From business partners, payment processors, identity verification services, and publicly available sources where permitted by law.
We will inform you at the time of collection if providing certain data is mandatory and the consequences of not providing such data.
6. Purposes of Processing
We process your personal data for the following purposes:
SERVICE DELIVERY: To provide, maintain, and improve our AI agent platform and related services.
ACCOUNT MANAGEMENT: To create and manage your user account, authenticate your identity, and provide customer support.
PAYMENT PROCESSING: To process payments, manage billing, and comply with financial regulations.
COMMUNICATION: To send service-related notifications, respond to inquiries, and provide technical support.
SECURITY: To protect our services, detect and prevent fraud, unauthorized access, and other malicious activities.
LEGAL COMPLIANCE: To comply with applicable laws, regulations, legal processes, and government requests.
BUSINESS OPERATIONS: To conduct internal analytics, improve our services, and develop new features.
MARKETING (with consent): To send promotional communications about our products and services where you have opted in.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
ACCOUNT DATA: Retained for the duration of your account plus 7 years after account closure for legal and tax compliance.
TRANSACTION DATA: Retained for 10 years to comply with financial record-keeping requirements.
TECHNICAL LOGS: Retained for 12 months for security and performance analysis, then anonymized or deleted.
MARKETING PREFERENCES: Retained until you withdraw consent or request deletion.
SUPPORT COMMUNICATIONS: Retained for 5 years after resolution for quality assurance and legal purposes.
When retention periods expire, personal data is securely deleted or anonymized in accordance with our data destruction procedures.
8. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection.
FOR EU/EEA/UK/SWISS DATA SUBJECTS: When we transfer personal data outside the EU/EEA, UK, or Switzerland, we ensure appropriate safeguards are in place:
• Adequacy Decisions: Transfers to countries recognized as providing adequate protection (e.g., Switzerland, UK for EU transfers).
• Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses for transfers to other countries.
• UK International Data Transfer Agreement (IDTA): For transfers from the UK.
• Swiss-specific transfer mechanisms: Compliance with Swiss FADP requirements.
• Binding Corporate Rules: Where applicable for intra-group transfers.
FOR US DATA SUBJECTS: We comply with applicable US state privacy laws and ensure data is protected according to industry standards.
You may request a copy of the safeguards we use for international transfers by contacting our DPO.
9. Data Security Measures
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
ENCRYPTION: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
ACCESS CONTROLS: Role-based access controls, multi-factor authentication, and principle of least privilege for all systems.
INFRASTRUCTURE: Secure data centers with physical access controls, environmental safeguards, and redundant systems across multiple geographic locations.
MONITORING: 24/7 security monitoring, intrusion detection systems, and regular security assessments.
INCIDENT RESPONSE: Documented incident response procedures, including breach notification within 72 hours as required by GDPR.
VENDOR MANAGEMENT: Due diligence and contractual safeguards for all third-party processors.
EMPLOYEE TRAINING: Regular data protection training for all staff with access to personal data.
CERTIFICATIONS: We maintain industry-standard security certifications and undergo regular third-party audits.
10. Your Data Protection Rights
Under applicable data protection laws, you have the following rights regarding your personal data:
RIGHT OF ACCESS (Art. 15 GDPR): Request confirmation of whether we process your data and obtain a copy of your personal data.
RIGHT TO RECTIFICATION (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
RIGHT TO ERASURE (Art. 17 GDPR): Request deletion of your personal data in certain circumstances ('right to be forgotten').
RIGHT TO RESTRICTION (Art. 18 GDPR): Request restriction of processing in certain circumstances.
RIGHT TO DATA PORTABILITY (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
RIGHT TO OBJECT (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes.
RIGHT TO WITHDRAW CONSENT: Withdraw consent at any time for processing based on consent.
RIGHTS RELATED TO AUTOMATED DECISION-MAKING (Art. 22 GDPR): Not be subject to decisions based solely on automated processing with legal or significant effects, and request human intervention.
To exercise any of these rights, please contact us at Hexanai@pm.me. We will respond within 30 days (or as required by applicable law).
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA and CPRA:
RIGHT TO KNOW: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
RIGHT TO DELETE: Request deletion of your personal information, subject to certain exceptions.
RIGHT TO CORRECT: Request correction of inaccurate personal information.
RIGHT TO OPT-OUT: Opt out of the 'sale' or 'sharing' of personal information. Note: Hexanai does NOT sell personal information.
RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION: Limit the use of sensitive personal information to specific purposes.
RIGHT TO NON-DISCRIMINATION: We will not discriminate against you for exercising your privacy rights.
To submit a request, contact us at Hexanai@pm.me. We will verify your identity before processing requests.
AUTHORIZED AGENTS: You may designate an authorized agent to make requests on your behalf with proper verification.
12. Swiss Data Protection (DSG/nFADP)
For individuals in Switzerland, we comply with the Swiss Federal Act on Data Protection (FADP/DSG) and the revised nFADP effective September 1, 2023:
PRINCIPLES: We adhere to the principles of lawfulness, good faith, proportionality, purpose limitation, accuracy, and data security as required under Swiss law.
TRANSPARENCY: We provide clear information about data processing activities, including the identity of the controller, purposes, and recipients.
CROSS-BORDER TRANSFERS: Transfers outside Switzerland are made only to countries with adequate protection or with appropriate safeguards (recognized contractual clauses, binding corporate rules).
DATA SUBJECT RIGHTS: Swiss residents have rights similar to GDPR including access, rectification, deletion, data portability, and objection to processing.
DATA PROTECTION IMPACT ASSESSMENTS: We conduct DPIAs for high-risk processing activities as required.
DATA BREACH NOTIFICATION: We will notify the FDPIC (Federal Data Protection and Information Commissioner) and affected individuals without delay in case of data breaches likely to result in high risk.
AUTOMATED DECISION-MAKING: We inform you about automated individual decisions and provide the right to request human review.
CONTACT FOR SWISS MATTERS: Hexanai@pm.me
13. UK Data Protection Specifics
For individuals in the United Kingdom, we comply with the UK GDPR and Data Protection Act 2018:
UK GDPR COMPLIANCE: We adhere to all requirements of the UK GDPR as retained EU law, including lawful basis, data subject rights, and accountability obligations.
ICO REGISTRATION: We maintain appropriate registration with the Information Commissioner's Office (ICO) where required.
UK REPRESENTATIVE: Our UK representative can be contacted at Hexanai@pm.me for any UK-specific data protection matters.
INTERNATIONAL TRANSFERS FROM UK: We use UK-approved transfer mechanisms including the UK IDTA (International Data Transfer Agreement) and UK Addendum to EU SCCs.
CHILDREN'S DATA: We do not knowingly collect data from children under 13. Our services are intended for business users aged 18 and above.
COMPLAINTS: You have the right to lodge a complaint with the ICO at ico.org.uk if you believe your data protection rights have been violated.
15. Third-Party Processors and Recipients
We share personal data with the following categories of recipients, all bound by data processing agreements:
PAYMENT PROCESSORS: PCI-DSS compliant payment service providers for transaction processing.
CLOUD INFRASTRUCTURE: Secure cloud hosting providers with appropriate certifications (ISO 27001, SOC 2).
IDENTITY VERIFICATION: KYC/AML service providers where required by law.
COMMUNICATION SERVICES: Email and notification service providers.
ANALYTICS PROVIDERS: Privacy-focused analytics services.
PROFESSIONAL ADVISORS: Legal, accounting, and consulting firms under confidentiality obligations.
REGULATORY AUTHORITIES: Government bodies, regulators, and law enforcement when legally required.
We do NOT sell your personal data to third parties. We do NOT share personal data for third-party marketing without your explicit consent.
16. Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children.
AGE VERIFICATION: We implement measures to verify that users are of legal age to enter into contracts.
PARENTAL RIGHTS: If we learn that we have collected personal data from a child without proper consent, we will delete that information promptly.
REPORTING: If you believe we have collected data from a child, please contact us immediately at Hexanai@pm.me.
COMPLIANCE: We comply with COPPA (US), Age Appropriate Design Code (UK), and other applicable children's privacy laws.
17. Data Breach Notification
In the event of a personal data breach, we follow strict notification procedures:
INTERNAL RESPONSE: Immediate containment, assessment, and documentation of the breach.
REGULATORY NOTIFICATION: Notification to relevant supervisory authorities within 72 hours where required (GDPR Art. 33, UK GDPR, Swiss nFADP).
INDIVIDUAL NOTIFICATION: Direct notification to affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34).
DOCUMENTATION: Comprehensive documentation of all breaches, including facts, effects, and remedial actions taken.
REMEDIATION: Implementation of measures to prevent recurrence.
We maintain a dedicated incident response team and tested breach response procedures.
18. Complaints and Supervisory Authorities
If you are not satisfied with how we handle your personal data or your data protection request, you have the right to lodge a complaint with a supervisory authority:
EU: Your local Data Protection Authority in any EU Member State where you reside, work, or where the alleged infringement occurred.
UK: Information Commissioner's Office (ICO) - ico.org.uk - Tel: 0303 123 1113
SWITZERLAND: Federal Data Protection and Information Commissioner (FDPIC) - edoeb.admin.ch
USA (California): California Attorney General - oag.ca.gov/privacy
We encourage you to contact us first at Hexanai@pm.me so we can address your concerns directly.
19. Changes to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
NOTIFICATION: We will notify you of material changes by email and/or prominent notice on our website at least 30 days before the changes take effect.
VERSION CONTROL: Each version will be dated and previous versions will be archived and available upon request.
CONTINUED USE: Your continued use of our services after changes become effective constitutes acceptance of the revised policy.
Last Updated: May 2026
Version: 2.0
20. Contact Information
For any questions, concerns, or requests regarding this Data Protection Policy or our data practices, please contact us:
Data Protection Officer: Hexanai@pm.me
Privacy Team: Hexanai@pm.me
General Inquiries: Hexanai@pm.me
Postal Address: [To be completed upon registration]
We are committed to resolving any complaints about our collection or use of your personal data. We will respond to all legitimate requests within the timeframes required by applicable law.
This Data Protection Policy is provided for informational purposes and does not constitute legal advice. For specific legal questions, please consult with a qualified legal professional in your jurisdiction.