This Data Protection and Privacy Policy (“Privacy Policy”) applies to all data processing activities by Gatewai technologies & Services SAS, a company registered under the laws of France, having its seat at 61 rue de Lyon, 75012 Paris, RCS Paris B 952 570 372, operator of the Legal-AI assistant “Copilex” and owner of the Copilex brand (thereafter “Copilex”).

This Privacy Policy covers the collection, storage, and processing of personal data  about you (“Personal Data”) whenever you access or use Copilex’s products, services, features and technologies, our websites (www.gatewai.tech, or www.copilex.com, including their respective related sub-domains, thereafter “Website”), platform and plug-ins exchanging information with Copilex (“Services”), and all other interactions you may have with us, and describes your rights and how you can exercise them.

This Privacy Policy details (i) how we gather, handle, and store Personal Data; (ii) the rights you can exercise regarding your Personal Data; and (iii) the measures we implement to secure and safeguard your Personal Data.

This Privacy Policy may be modified in the future to reflect changes in the applicable legislation, or for any other reason justifying its change.

The most recent version is the one into force and remains accessible on our website at the following location: www.copilex.com/legal/data.

Copilex respects your privacy and is committed to complying with applicable privacy laws, including (but not limited to): (i) the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”), (ii) the French Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, including future modifications and updates thereof; and (iii) any future national, regional or international legislation concerning the implementation of the GDPR applicable to Copilex (collectively: “Privacy Legislation”).

You accept this Privacy Policy by using the Website or our Services. If you have any questions or concerns about the Privacy Policy, please contact us.

1. Roles and responsibility

Copilex provides its Services exclusively to individuals, companies and/or other legal entities for professional purposes (“Client”). The provision and utilization of the Services are regulated by our client agreements (“Client Agreement”).

This Privacy Policy is applicable when Copilex acts as the data controller responsible for the processing of Personal Data. It does not pertain to any input submitted to, output generated by, or documents uploaded to our Services (“Content”). We handle Content as a data processor on behalf of our Client, who are the data controllers, and our processing of Content is subject to the relevant Client Agreement. Any inquiries regarding Personal Data contained within Content should be directed to our Client. Should we receive any requests related to IP rights or data protection in situations where we function as a data processor, we will redirect them to the appropriate Client.

2. Personal Data collected by us

2.1. Information provided by you

We collect Personal Data provided to us if you create an account to use our Services or communicate with us as follows:

• User account information: We require everyone with access to our Services to have an account with us. When you or your employer creates a copilex account for you, we collect Personal Data including your name, email address, role, language preferences and account credentials.
• Communication information: When you contact us for customer support, feedback, or inquiries, we collect your name, email address, phone number, and any other information you provide us with to assist you or resolve your issue. Copilex may monitor and record phone conversations or email communications between you and Copilex employees for training and quality assurance purposes. We may receive confirmation when you open or click on content in an email from us, which helps us make our communications to you more useful and interesting.
• Social media information: We have accounts on social media sites like LinkedIn, YouTube and X (“Social Media”). When you interact with any of our Social Media, we will collect Personal Data that you elect to provide to us, such as your contact details and third parties that host our Social Media may provide us with aggregate information and analytics regarding your use of our Social Media.
• Survey and contest information: We may provide you with the opportunity to participate in surveys on our Site, to measure customer satisfaction. If you participate, we may request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary, and you therefore have a choice whether to disclose this information. The requested information typically includes name, email address, and mailing address.
• Testimonial and review information: We may display personal testimonials or reviews from satisfied users if you have consented to it. If you wish to update or delete your testimonial or review, you can contact us.

2.2. Information collected by us

When you visit, use, and interact with our Services, we will collect certain information about your visit, use, or interactions (“Technical Information”) indirectly, including through automated means from your computer or device, including the following:

Log data: Whenever you visit the Services, your browser will automatically send us your IP address, browser type and settings, the date and time of your request, and how you interacted with the Services.

Device information: We will automatically collect information about the device you are using to access the Services, including name of the device, operating system, browser, referring/exit pages, operating systems, date/time stamps, and clickstream data. The information collected may depend on the type of device you use and its settings.

Usage data: We will automatically collect information about your use of our Services, including, name, email address, the features you use, actions you take, your time zone, location, the dates and times of access, amount of time spent within the Services and types and volumes of queries you submit. We will however never collect or store any data directly related to your Content other than in accordance with the applicable Client Agreement.

Cookies: A cookie is a small string of information that websites you visit transfer to your computer for identification purposes. Cookies can be used to follow your activity on the website and that information helps us to understand your preferences and improve your website experience. Cookies are also used for such activities as remembering your access credentials for our Services. In addition to the cookies used by Copilex and our service providers, some cookies are placed by third parties such as Google (for analytics, described below). Copilex uses cookies for the following purposes:

• Essential Cookies: these are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website.
• Performance and Analytics Cookies: these include Google Analytics and they keep track of the pages that you visit on our Site and the content you access, so we can determine which content is most popular and improve the performance of our website. These cookies primarily record aggregate and anonymous statistical data, but may capture a minimal amount of identifiable information.
• Functional Cookies: these cookies remember the choices you make, such as language options or the region you are in. They help to make your visit more personal and are deleted automatically when you close your browser or the session expires.

You can turn off all cookies, in case you prefer not to receive them. You can also have your computer warn you whenever cookies are being used. For both options, you must adjust your browser settings (such as Chrome, Safari, Firefox, Edge, or other browser). There are also software products available that can manage cookies for you.

Please be aware, however, that when you choose to reject cookies you may limit the features and functionality of our Services.

2.3. Information collected from third parties

We may collect information about you from third parties, such as security partners, marketing vendors and event organizers. Our Client may give us information about you, such as your contact details, in order to facilitate us providing our Services. We may combine this information with information we collect from you and use it as described in this Privacy Policy.

2.4. Publicly available information

We provide access to publicly available information (for example, judgments and decisions) within our Services. Some of this information may relate to individuals and can, in some jurisdictions, be considered Personal Data. Personal Data included in publicly available information is only processed so that our Services can provide more accurate and relevant responses. It is not provided to intentionally identify individuals.

Copilex also collects publicly available information about Client and prospects, including name, email address, phone number and other contact details.

3. Use of Personal Data

Copilex may utilize your Personal Data for the following purposes:

• To deliver, manage, maintain, and/or enhance our Services;
• To offer you support services, address issues, or respond to your inquiries;
• To manage and remember your preferences and tailor the Services to your needs;
• To communicate with you, including sending information or marketing materials about our Services and events;
• To assess and evaluate the effectiveness of our Services and to develop new features and services;
• To verify your identity, prevent fraud and criminal activities, and ensure the security of our IT systems, architecture, and networks;
• To prevent misuse of the Services and enforce our legal terms;
• To comply with legal obligations and legal processes; and
• To protect the rights, privacy, safety, or property of Copilex, our affiliates, you, or other third parties.

Detailed disclosures regarding the categories of Personal Data we collect are provided in Annex A to this Privacy Policy.

Copilex may compile Personal Data into aggregated information to evaluate the effectiveness of our Services and to enhance and expand their features. Additionally, we may periodically examine the overall behavior and characteristics of users of our Services.

4. Sharing of Personal Data

In certain circumstances, we may share your Personal Data with third parties without further notice, unless legally required, including without limitation in the situations below:

• Affiliates: Copilex may share your Personal Data with other entities within its corporate group (our “affiliates”). Copilex’s affiliates will only use the Personal Data we share with them in a manner consistent with this Privacy Policy.
• Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we may share your Personal Data with vendors and service providers, including providers of hosting services, cloud service providers, and other information technology services providers, event management services, email communication software and email newsletter services, advertising and marketing services, and web analytics services. Pursuant to our instructions, these parties will access, process, or store Personal Data in the course of performing their duties to us.
• Third-party Websites and Services. Our Services may contain links to other websites not operated or controlled by Copilex, including social media services (“third-party sites”). The information that you share with third-party sites will be governed by the specific privacy policies and terms of service of the third-party sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the third-party sites directly for information on their privacy practices and policies.
• Plug-Ins. When you are using third party applications and choose to connect your Copilex account with such external third-party applications (for example to use our Microsoft Word plug-in – currently in development) the providers of those services or products may receive information about you from Copilex or others. Please be aware that when you use third-party sites or services, their own terms and privacy policies will govern your use of those sites or services. Please contact the supplier of such applications directly for information on their privacy practices and policies.
• Business changes: If we are involved in strategic transactions, (such as sale, merger, reorganizations, liquidation, or transition of service to another provider), your Personal Data and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction along with other assets. You will be informed of such transfer if that case arises.
• Legal Requirements: Copilex may also share your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of users of the Services, or the public, or (v) protect against legal liability.

5. Personal Data International transfers

5.1. International Transfers

Copilex consistently aims to process your Personal Data as close to your location as possible. However, by using our Services, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in EU.

In certain circumstances, such as when we share your information with our Affiliates or with a supplier or subcontractor, your Personal Data may be transferred outside EU/EEA.

Copilex ensures that the same high level of protection is applied to your Personal Data in accordance with relevant data protection laws, even when the data is transferred internationally.

Your rights concerning your Personal Data (detailed in section 6) remain unaffected by international data transfers. More information about the recipients with whom Copilex shares your data can be found in section 4.

5.2. Safety measures for international transfers

Countries outside of EU/EEA or your country of residence may have laws permitting public authorities to request access to Personal Data stored within their jurisdiction for purposes such as combating crime or safeguarding national security. Regardless of whether we or any of our providers process your Personal Data, we will ensure that a high level of protection is maintained during data transfers and that appropriate protective measures are implemented, in accordance with applicable data protection requirements, such as the GDPR.

Such appropriate safeguards include, but are not limited to:

• Adequacy decisions: If the relevant authority (e.g. the EU Commission) has decided that the country to which your Personal Data are transferred has an adequate level of protection, which corresponds to the level of protection afforded by the relevant data protection laws. This means for example that the Personal Data is still protected from unauthorized disclosure, and that you may still exercise your rights with regard to your Personal Data,
• Standard Contractual Clauses: The relevant authority’s standard clauses have been entered into between Copilex and the recipient of the Personal Data. This means that the recipient guarantees that the level of protection for your Personal Data afforded by the relevant data protection laws still applies, and that your rights are still protected. In these cases, we also assess whether there are laws in the recipient country that affects the protection of your Personal Data. Where necessary, we take technical and organizational measures so that your data remain protected during the transfer to the relevant country.
• Derogation: In limited circumstances, we may rely on an exception, or ‘derogation’ under the applicable data protection laws, to transfer your Personal Data to such country despite the absence of an adequacy decision or standard contractual clauses, such as relying on your explicit consent to that transfer or because it is necessary for the establishment, exercise or defence of legal claims (including regulatory, administrative or any out-of-court procedure, and seeking advice).
• Data Privacy Framework: If the transfer is covered by a relevant data privacy framework, such as the EU-US Data Privacy Framework, which is an opt-in certification scheme for US companies, administered by the US Department of Commerce. Data privacy framework include sets of enforceable principles and requirements that must be certified to company, ensuring that your data is still being sufficiently protected.

6. Your Rights

You have several rights under the applicable data protection laws (including the GDPR) related to your control over your Personal Data and to receive information directly from us on how we process Personal Data about you. In the following you can read about your rights.

• Right to information and access. You have the right to be informed of how we process your Personal Data. We do this through this Privacy Policy (6) and by answering your questions. You can request information regarding whether we are processing your Personal Data and ask to receive a copy of your Personal Data (“data extract”), so called data subject access. Through the data extract you will receive information about what Personal Data Copilex holds about you and how we process it.
• Right to rectification. If you believe that your Personal Data is inaccurate or incomplete, you have the right to ask for it to be corrected or completed.
• Right to restriction. If you believe that your Personal Data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of such Personal Data. You also have the possibility to request that we stop processing your Personal Data while we assess your request. If you object to our processing per your right described directly below, you may also request us to restrict processing of that Personal Data while we make our assessment.
• Right to object. You have the right to object to the processing of your Personal Data which is based on our legitimate interest (Article 6(1)(f) GDPR), by referencing your personal circumstances. If we cannot demonstrate compelling and legitimate grounds to continue processing the Personal Data, we must cease the processing. You can also always object to our processing of your Personal Data for direct marketing purposes. If you do so, we will turn off marketing for you, and stop sending it to you.
• Right to be forgotten. In some cases, you have the right to have us delete Personal Data about you. For example, you can request us to delete Personal Data that we (i) no longer need for the purpose it was collected for, or (ii) process based on your consent and you revoke your consent. There are situations where Copilex is unable to delete your data, for example, when the data is still necessary to process for the purpose for which the data was collected, Copilex’s interest to process the data overrides your interest in having them deleted, or because we have a legal obligation to keep it.
• Right to transfer your Personal Data (data portability). If we process your Personal Data to fulfill a contract or on the basis of your consent, you may, in certain cases, be able to obtain the Personal Data for use elsewhere, e.g. by obtaining a copy of it in a machine-readable format and transmitting it to another data controller.
• Right to withdraw consent. In those cases where we process your Personal Data based on your consent, you have the right to withdraw your consent at any time. When you withdraw your consent, we will stop any processing of Personal Data which is based on your consent.
• Right to lodge a complaint. If you have objections or concerns about how we process your Personal Data, you have the right to contact, or lodge a complaint with, the relevant authority for privacy protection, which is the supervisory authority for our Personal Data processing.

To exercise your rights, please contact us at any time at the contact details provided in Section 10 below.

We reserve the right to limit our facilitating such requests to that which is required by applicable law.

In order to protect your Personal Data from unauthorized access or deletion, we may require you to verify your identity before we will process any request to know or delete Personal Data. If we cannot verify your identity (and, where applicable, proof of residency) to our satisfaction, we will not provide or delete your Personal Data. You may submit a request to exercise your rights through an authorized agent. Such an agent must present signed written authority to act on your behalf and must be able to verify your identity (and, where applicable, proof of residency) to our satisfaction.

Rest assured that we will not discriminate against you for making any such request. Your right to access and delete your Personal Data is important to us, and we will take reasonable steps to verify and process your request promptly.

Please be aware that even if we delete your Personal Data, certain residual data may still remain in our backups or archives for a limited period in accordance with our data retention policies and applicable laws.

If you have any questions or concerns about this process or our data deletion practices, please feel free to contact us.

7. Safety Measures for Personal Data

We take significant and appropriate steps to protect your Personal Data in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration and destruction. We use appropriate technical and organizational measures to protect your Personal Data which may include: physical access controls, encryption, intrusion detection and network monitoring depending on the nature of the information and the scope of processing.

For more information regarding our security measures, please view the latest version of our Technical and Organizational Security Measures (accessible at www.copilex.com/legal/security).

8. Personal Data Retaining Policy

Copilex retains your Personal Data for as long as necessary to fulfill the purposes for which we collected it or longer if that is required under applicable law:

• If you are a Copilex user covered by a Subscription Agreement between your employer and Copilex, we will delete your data in accordance with that Subscription Agreement.
• Personal Data that Copilex is under a legal obligation to retain, for example under anti-money laundering or bookkeeping laws, is retained for the required periods under applicable laws (generally for 5 or 7 years).
• Personal Data which is not used for the purposes of a contractual relationship or where Copilex does not have a legal obligation to retain the data is only retained as long as necessary to fulfil the respective purpose for our data processing (usually 3 months).

More information can be found in Annex A below.

In some limited cases, the Personal Data may need to be stored for a longer period in order for Copilex to protect its legal rights. If we don’t have a legal obligation to retain the Personal Data, we instead have to make an assessment if we may require the Personal Data in order to protect Copilex from legal claims.

Please note that just because we have a legal obligation to store your Personal Data, this does not mean that we are also permitted to use this data for any other purpose.

When we no longer need your Personal Data, we will delete it or anonymize it in accordance with our data retention policies and applicable laws, or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.

9. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. When the Privacy Policy is updated, we will post an updated version on this page, unless another type of notice is required by applicable law or contractual agreement. By continuing to use our Services or providing us with Personal Data after we have posted an updated Privacy Policy, or notified you by other means, you consent to the revised Privacy Policy.

10. Contact

If you have any questions about our Privacy Policy or any other privacy related issue, please contact us at data@copilex.com or via mail.

Controller’s Contact Information:

Copilex technologies & Services SAS (Copilex),

61 rue de Lyon, 75012 Paris

France

Annex A

Detailed Personal Data Treatment

The following disclosures are intended to provide additional information about the categories of Personal Data we collect (as defined above), the type of data, how we use each category of Personal Data. These disclosures do not limit our ability to use or disclose information as described above.

| Purpose| Types of Personal Data| Legal basis| Data retention|| --- | --- | --- | --- || To manage our customer relationship with you and/or your employer in accordance with our agreements, for each service you use. This includes creating and sending information to you in electronic format (not marketing)| From you or your employer:·         User account information·         Communication information From other sources:·         User account information·         Log data,·         Device information,·         Usage data.| The processing is necessary for Copilex to perform a contract with you and/or your employer (Article 6(1)(b) GDPR). | When the relevant contracts terminate.|| To be able to perform end user satisfaction surveys, conduct market research as well as ask for reviews from you, through email, text messages, or via other communication channels.| From you:·         Survey and contest information·         Testimonial and review informationFrom other sources:·         Technical Information.| The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, Copilex has determined that we have a legitimate interest in being able to perform the Personal Data processing, that the processing is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. | When the contract between us terminates.|| To ensure network and information security in Copilex’s Services.| From you:·         User account informationFrom other sources:·         Technical Information.| The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, Copilex has determined that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to realize that purpose, and that our interest outweighs your right not to have your data processed for this purpose. It is also in your interest as a user and our Client’s interests that we ensure good information security.| For as long as you are using the Services.|| To perform data analysis for development and improving our Services| From you:·         User account informationFrom other sources:·         Technical Information.| The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, Copilex has determined that we have a legitimate interest in using your Personal Data for product development purposes and in analysing customer behaviour in order to improve the service and customer experience. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose.| For as long as you are using the Services.|| To calculate usage costs in relation to suppliers and Client (if possible, we first anonymize the data).When balancing interests, Copilex has determined that we have a legitimate interest in calculating costs resulting from your usage of our Services.| From other sources:·         Usage data.| The processing is necessary for Copilex to perform a contract with you and your employer (Article 6(1)(b) GDPR) and based on a balancing of interests (Article 6(1)(f) GDPR). | This processing takes place for up to 6 months after using a Service or longer if required under applicable law or to safeguard Copilex’s legal rights.|| To check and verify your identity.| From you:·         User account informationFrom other sources:·         Technical Information| The processing is necessary for Copilex to perform a contract with you and your employer (Article 6(1)(b) GDPR).| As long as you use the Services.|| To share your Personal Data with the categories of recipients described in Section 4 (suppliers and subcontractors and Affiliates)| All types mentioned in section 2.| Varies depending on the recipient (see Section 4).| For the entire period during which Copilex must retain the data in its systems, for example, to fulfil the agreement with your employer or to comply with applicable law.|| To decide what kind of marketing or marketing surveys we will provide to you. If you do not want us to perform this processing of your Personal Data, please contact us. We will then cease to use your data for marketing. The processing may constitute profiling.| From you:·         Communication information·         Social media informationFrom other sources:·         Technical Information| The processing is based on a balancing of interests (Article 6(1)(f) GDPR). | When balancing interests, Copilex has determined that we have a legitimate interest in identifying which type of marketing we should provide to you. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.If you notify us that you are not interested in this processing.|| To provide you with direct marketing and marketing surveys about offers, products or services from Copilex, and our affiliates.| From you:·         Communication information·         Social media informationFrom other sources:·         Technical Information| The processing is based in your consent (Article 6(1) (a) GDPR).| Either when you notify us that you want to withdraw your consent or if you notify us that you are not interested in this processing/opt-out.|| To protect Copilex from legal claims and safeguard Copilex’s legal rights.| All types mentioned in Section 2. In the event of a dispute, we may also collect other types of Personal Data concerning you if we need them to exercise our rights.| The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, Copilex has determined that we have a legitimate interest in being able to protect ourselves from legal claims. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose.| This processing takes place for the entire period during which Copilex must retain the information in its systems, for example to perform the contract with you and your employer or to comply with applicable law.|

‍