First of all, welcome to Spiich! We respect your privacy and are committed to protecting any information we have about you. This policy (the "Privacy Policy") covers how we treat your personal data whenever you access or use our products, services, features and technologies, including our website (the "Site"), platform (the "Services"). The Privacy Policy also covers other interactions you may have with Spiich and describes your rights and how you can exercise them. The Site and Services are collectively referred to as "Spiich Services".

You accept this Privacy Policy by using our Services. If you have any questions or concerns about the Privacy Policy, please contact us at hello@spiich.ai.

Our Services are provided to companies and other legal entities for professional use (our "Subscribers"). The delivery and use of our Services are governed by our General Terms and Conditions ("GTCs").

Controller vs Processor

Please note that this Privacy Policy applies when we act as the data controller for processing personal data and does not cover any input submitted to our Services, output generated by our Services, or documents uploaded to our platform ("Subscriber Content"). For Subscriber Content, we process this data as a data processor on your behalf (where you are the data controller), and our processing is governed by our Data Processing Agreement. Questions about personal data within your Subscriber Content should be directed to you as the relevant Subscriber. If we receive data subject rights requests where we act as a data processor, we will forward them to the appropriate Subscriber.

Our Services may contain links to other websites, and other websites may link to our Services. This Privacy Policy applies only to our platform and website, not to external websites accessible through our Services or websites you use to access our Services.

The information we collect

Provided by you

We collect personal data provided to us if you create an account to use our Services or communicate with us as follows:

User Account Information: To access our Services, you must create and keep an account with us. When you or your employer establishes a Spiich account on your behalf, we collect personal data including your name, email address, job title or role, responsibilities, and account credentials.

Communication Information: When you reach out to us for customer support, to provide feedback, or for any other reason, we gather your name, email address, telephone number, and any supplementary information you share to enable us to provide assistance or address your concerns.

Social Media Information: We maintain accounts on social media platforms such as LinkedIn, YouTube, and X ("Social Media"). When you interact with our Social Media presence, we collect personal data that you choose to provide, such as your contact details. Additionally, third parties that host our Social Media may provide us with aggregate information and analytics regarding your use of our Social Media channels.

Survey and Contest Information: We may offer voluntary surveys on our Site to measure customer satisfaction. If you participate, we may collect your name and email address.

Review Information: We may display personal reviews from satisfied users, provided you have given your consent. If you wish to update or delete your testimonial or review, please contact us directly.

Automatically collected

When you visit, use, and interact with our Services, we will collect certain information about your visit, use, or interactions ("Technical Information") such as:

Log data: Your browser will automatically send us your IP address, browser type and settings, the date and time of your request, and how you interacted whenever you visit our online Services.

Device information: Depending on your device type and settings, we will automatically collect information about the device you are using to access the Online Services, including name of the device, operating system, browser, referring/exit pages, date/time stamps, and clickstream data.

Usage data: Subject to the terms of the Subscriber Agreement, we will automatically collect information about your use of our Services, including, name, email address, the features you use, actions you take, your time zone, location, the dates and times of access, amount of time spent within the Services and types and volumes of queries you submit.

Cookies: Cookies can be used to follow your activity on the website and that information helps us to understand your preferences and improve your website experience. Cookies are also used for such activities as remembering your access credentials for our Services. In addition to the cookies used by us and our service providers, some cookies are placed by third parties such as Google (for analytics, described below). We use cookies for the following purposes:

• Essential Cookies: these are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website.

• Performance and Analytics Cookies: these include Google Analytics and they keep track of the pages that you visit on our Site and the content you access. These cookies may capture a minimal amount of identifiable information.

You can turn off all cookies, in case you prefer not to receive them. You can also have your computer warn you whenever cookies are being used. For both options, you must adjust your browser settings. There are also software products available that can manage cookies for you. Please be aware, however, that when you choose to reject cookies you may limit the features and functionality of our Services.

Information collected from third parties

We may collect information about you from third parties, such as security partners, marketing vendors and event organizers. Our Subscribers may give us information about you, such as your contact details, in order to facilitate us providing our Services. We may combine this information with information we collect from you and use it as described in this Privacy Policy.

Aggregated information and publicly available information

We may aggregate personal data to analyse our Services' effectiveness and improve features. We may also analyse general user behaviour and share aggregated statistics with third parties or publish them publicly. This aggregated information is collected through our Services, cookies, and other means described in this Privacy Policy.

We provide access to publicly available information within our Services. Some of this information may relate to individuals and could be considered personal data in certain jurisdictions. Such personal data is only processed to provide more accurate and relevant responses, not to intentionally identify individuals.

We also collect publicly available information about Subscribers and prospects, including name, email address, phone number and other contact details.

How we use your personal data

These are the purposes for us using your personal data:

• to provide, administer, maintain, and/or improve our Services;

• to provide you with support services, resolve issues or reply to your queries;

• to manage and remember your preferences and customize the Services;

• to communicate with you, including to send you information or marketing about our Services and events;

• to analyze and study the effectiveness of our Services and to develop new features and services;

• to verify your identity, prevent fraud, criminal activity and to ensure the security of our IT systems, architecture, and networks;

• to prevent misuse of the Services and enforce our legal terms;

• to comply with legal obligations and legal processes, and;

• to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.

When We Share Your Personal Information

We may share your personal information with third parties in these situations:

• Affiliates: With other Spiich group companies, who will use your data consistently with this Privacy Policy

• Service Providers: With vendors providing hosting, cloud services, IT support, event management, email services, marketing, and analytics to help us operate our business

• Third-party Sites: When you use links to external websites or social media, their own privacy policies apply

• Other Users: Your actions may be visible to other users when using collaboration features

• Third-party Apps: When you connect external applications (like our Microsoft Word plug-in), those providers may receive your information

• Business Changes: During mergers, sales, or other strategic transactions, your data may be shared with counterparties and transferred to successors

• Legal Requirements: When required by law, to comply with legal obligations, protect our rights, prevent fraud, ensure user safety, or protect against legal liability

International transfers and safeguarding measures

We always strive to keep your data as close as possible to you, but in some situations, we may transfer limited data to countries outside of the EU/EEA. We always however ensure that the same high level of protection applies to your personal data according to the relevant data protection laws, even when the data is internationally transferred. Your rights in respect to your personal data are not affected when data is internationally transferred and a list of the recipients is shared upon request.

Importantly, we only use vendors to the extent necessary to enable us to provide the best services possible, and we never have and will never sell any personal data to third parties.

To ensure a high level of protection is guaranteed when transferring that data and that appropriate safeguard measures have been taken, in accordance with applicable data protection requirements (such as the GDPR), we ensure that the following safeguards are in place:

• Adequacy Decisions: When the relevant data protection authority has determined that a third country provides an adequate level of data protection equivalent to that required under applicable data protection laws, personal data may be transferred to that country without additional safeguards. This means your personal data continues to receive the same level of protection against unauthorised disclosure, and you retain all your data subject rights regarding your personal data.

• Standard Contractual Clauses: We may use standard contractual clauses approved by the relevant data protection authority, which are built into our agreements with data recipients. These clauses require the recipient to provide the same level of protection for your personal data as mandated by applicable data protection laws, while safeguarding your rights as a data subject. In these instances, we perform a transfer impact assessment to determine whether the recipient country's laws might compromise your personal data protection. When required, we put in place additional technical and organisational safeguards to ensure your data remains properly protected throughout and following the transfer.

• Derogations: In limited circumstances, we may rely on specific exceptions (derogations) under applicable data protection laws to transfer your personal data to countries without adequacy decisions or standard contractual clauses. Such derogations include either Your explicit consent to the specific transfer, necessity for the establishment, exercise, or defence of legal claims (including regulatory proceedings, administrative procedures, or out-of-court dispute resolution) or other limited circumstances as permitted by law

• Data Privacy Frameworks: Where transfers are covered by recognised data privacy frameworks, such as the EU-US Data Privacy Framework — an opt-in certification programme for US companies administered by the US Department of Commerce — we may rely on the recipient's certification under such frameworks. These frameworks establish enforceable principles and requirements that certified companies must adhere to, ensuring your personal data receives sufficient protection equivalent to that required under applicable data protection laws.

Your rights

You have several rights under the applicable data protection laws (including the GDPR) related to your control over your personal data and to receive information directly from us on how we process personal data about you.

• Right to be informed. You have the right to be informed about how we process your information. We do this through this Privacy Policy, other information on our website, and by answering questions sent to us.

• Right to access your data. You may request a copy of your data by email to hello@spiich.ai if you would like to know what personal data we process about you. This copy of your personal data can also be supplied in a machine-readable format.

• Right to rectification. You have the right to correct inaccurate or incomplete information about yourself which you can do either by managing your account and the content contained in it through the setting page or, in relation to personal data not manageable by the account settings page, by email to hello@spiich.ai.

• Right to erasure. You have the right to request deletion of your personal data, for example when it is no longer necessary for us to process the data for the purpose it was collected, or when you have withdrawn your consent, which you request by email to hello@spiich.ai.

• Right to restrict processing of your data. If you believe your information is incorrect or you believe we use your data unlawfully, you have the right to ask us to stop or limit the processing, which you request by email to hello@spiich.ai.

• Right to lodge a complaint. You have the right to lodge a complaint with your national supervisory data protection authority, or the Swedish Authority for Privacy Protection - complaints can be made here.

• Controlling account service settings. You can always access and control the contents of your account by logging into your account.

• Right to opt out. You can choose to opt out of processing of your personal data either by stop using our services or in some cases by asking us via email to hello@spiich.ai.

• Right not to be subject to any automated decision making. We do not conduct any type of automated decision making, including profiling, where the decision would have a legal effect on you.

We will get back to you promptly and at the latest within 30 days after receipt of your request, but please note that we may be required by law to keep some personal data despite your request.

How we keep your personal data safe

We take significant and appropriate steps to protect your personal data in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration and destruction. We use appropriate technical and organizational measures to protect your personal information which may include: physical access controls, encryption, intrusion detection and network monitoring depending on the nature of the information and the scope of processing.

How long we store your personal data

General Retention Principle We retain your personal information only for as long as necessary to achieve the purposes for which it was collected, or for longer periods where required by applicable law.

Subscription Agreement Users If you are covered by a Subscription Agreement between your employer and Spiich, your data will be deleted in accordance with the terms specified in that agreement.

Legal Retention Requirements Personal data that we are legally obligated to retain—such as information required under anti-money laundering or bookkeeping regulations—is kept for the mandatory periods specified by applicable laws (typically 5 to 7 years).

Standard Data Processing Personal data that is not used for contractual purposes or where we have no legal obligation to retain it is kept only as long as necessary to fulfil the specific processing purpose (usually 3 months).

Legal Protection Considerations In limited circumstances, personal data may be stored for extended periods to protect our legal rights. Where we have no legal obligation to retain data, we assess whether the information may be required to defend against potential legal claims.

Important Limitation Please note that having a legal obligation to store your personal data does not grant us permission to use that data for any other purposes.

Data Deletion Process When your personal data is no longer needed, we will delete or anonymise it in accordance with our data retention policies and applicable laws. If immediate deletion is not possible (for example, due to data stored in backup archives), we will securely store the data in isolation from further processing until deletion becomes feasible.

Updates to this Privacy Policy

We may update this Privacy Policy from time to time. When the Privacy Policy is updated, we will post an updated version on this page, unless another type of notice is required by applicable law or contractual agreement. By continuing to use our Online Services or providing us with personal data after we have posted an updated Privacy Policy, or notified you by other means, you consent to the revised Privacy Policy.

Contact us

If you have any questions about our Privacy Policy or any other privacy related issue, please contact us at hello@spiich.ai.

Controller's Contact Information:

Västra Järnvägsgatan 3, c/o Convendum, 111 64 Stockholm, Sweden