PALMA AI PRIVACY POLICY

In this privacy policy, we, palma.ai, Inc., would like to inform you how we process personal data. We are aware how important the processing of personal data is for the user and therefore fully comply with applicable law. The protection of your privacy is of utmost importance to us. For this reason, compliance with the legal requirements on data privacy is, for us, a matter of course. Personal data, according to the GDPR, refers to any information about personal or factual circumstances of an identified or identifiable person. This includes information and details such as your name, home address or other postal address, telephone number and also your email address.

I. Contact and Controller

The Contact and Controller according to the GDPR is:
palma.ai, Inc.
2261 Market Street STE 10099
San Francisco, CA 94114
US
privacy@palma.ai

The Controller, as defined in the GDPR, is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Pursuant to Art. 27 GDPR, we have nominated the following EU representative
Rechtsanwalt Christian Weidner, LL.M. (UNSW, Sydney)
Breisgauer Straße 4
141029 Berlin
Germany
christian@weidner-law.de

II. Which Personal Data do we collect during a visit to our Website(s)?

1. Log Files

Purposes and Means of the Data Processing
Every time you access our website(s), usage data is transferred through your specific web browser and stored in the form of protocol files (known as server log files). The datasets stored in this way contain the following data:

The domain from which the user is accessing the website;
Date and time of access;
IP address of the accessing computer;
Website(s) which the user is visiting in the context of the offering;
Amount of data transferred, browser type and version;
Operating system used, name of the internet service provider; and
Indication of whether access was successful.

These logfile datasets are analyzed to identify and resolve errors, and to control server workloads. We do not analyze your personal data for any other purposes in this context.

Legal Basis of the Data Processing
Legal basis for the processing of your personal data in relation to the provision of our website(s) and the creation of log files are our legitimate interests - Art. 6(1)(1) lit. f) of the GDPR.

Retention Period
Your personal data will be deleted at the latest within 30 days of collection.

Right to Object/Remove
The collection of your personal data for the provision of the website(s) and the storage of your personal data in log files is strictly necessary for the operation of the website(s). Therefore, there is no right to object.

2. Cookies

Purposes and Means of the Data Processing
Cookies are small files that your browser stores on your computer in a directory designated specifically for this purpose. These cookies can be used e.g. to find out whether you have already visited a website. There are session cookies and persistent cookies:

Session cookies will be immediately deleted the moment your browser is closed.
Persistent cookies remain on your device (the retention period differs depending on the specific cookie) and allow us or our partners (partner cookies) to reidentify your browser during your next visit.

The purpose of some cookies is to simplify the use of the website(s) – so-called necessary cookies. Some features of our website(s) do not work without such necessary cookies. The user data collected through such necessary cookies are not used to create user profiles.
Other cookies, e.g. our partner cookies, are intended to render our service more attractive to you. If we work together with such partners, we will inform you about the use of such partner cookies and the extent of the information collected in the following paragraphs in more detail.

Legal Basis of the Data Processing
Insofar as cookies implemented by us also process personal data, such data processing is subject to your consent in accordance with Art. 6(1)(1) lit. a) of the GDPR.

Retention Period
Your personal data will be deleted if it is not necessary anymore to fulfil the purpose of their collection, in particular, if the cookies are deactivated. As set out above, session cookies will be immediately deleted the moment your browser is closed.

Right to Object/Remove
Most browsers accept cookies automatically. You may set your browser in a way that no cookies are stored or need prior explicit consent before storage. In addition, you may delete cookies that have been set at any time.
You may find your respective browser settings under the following links:

Another possibility to deactivate cookies in relation to usage-based advertising is offered by the preference manager of the DDOW, https://www.meine-cookies.org/cookies_verwalten/praeferenzmanager-beta.html, as well as by the preference management of YourOnlineChoices, https://www.youronlinechoices.com/de/praferenzmanagement/
Please note that the deactivation of cookies might restrict the use of our website(s).

3. CMP (Hubspot)

Purposes and Means of the Data Processing
We use the services of the CMP services, provided by 25 First Street, Cambridge, MA 02141 US (”Hubspot”). This allows us to collect and manage the consent of the website user. The following data will be processed using cookies:

Your IP address (the last 3 digits will be set to ‚0’);
Date and time of the consent;
Browser information;
URL from which the consent has been sent; and
An anonymous, random and encrypted key of the consent status of the end user as proof of the consent.

You’ll find more information about the cookies used by HubSpot here: https://legal.hubspot.com/de/privacy-policy.

Legal Basis of the Data Processing
The processing is necessary to fulfil a legal obligation (Art. 7(1) of the GDPR) that we have to comply with (Art. 6(1)(1) lit. c) of the GDPR).

Retention Period
Your personal data will be deleted at the latest 2 years after collection or within 90 days after termination of the agreement between us and Hubbot.

Right to Object/Remove
You can object at any time to the collection, processing and storage by Hubspot or remove it. You may find further information about the possibility to object or remove under: https://legal.hubspot.com/de/privacy-policy.
Please note that we cannot ensure the functionality of our website(s) without the processing by Hubspot.

4. Contact with the user, Marketing (HubSpot)

Purposes and Means of the Data Processing
We use the service of HubSpot in relation to our contact form and to distribute marketing materials and company information (e.g. our newsletter). We process the following data provided by you for these purposes:

Distribution of marketing materials and company information: email address
Contacting you (and eventual distribution of marketing materials and company information): First name and surname, email address, employer, job title

You’ll find more information about the cookies used by HubSpot here: https://knowledge.hubspot.com/de/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser as well as https://knowledge.hubspot.com/de/account/hubspot-cookie-security-and-privacy.

Legal Basis of the Data Processing
The legal basis for the processing is your consent, according to Art. 6(1)(1) lit. a) of the GDPR.

Retention Period
Subject to any mandatory legal retention periods, your personal data will be deleted if it is not necessary any more to fulfil the purpose of their collection, at the latest upon termination of our business relationship with HubSpot.

Right to Object/Remove
You can object at any time to the collection, processing and storage by HubSpot or remove it. You may find further information about the possibility to object or remove under: https://legal.hubspot.com/de/privacy-policy.

Processing and Transfer of the Data to a Third Country
We have executed a data processing agreement with HubSpot to comply with applicable law. Data processing may take place outside the scope of the application of European law. Any transfer of personal data to the US takes place on the basis of the EU Commission's adequacy decision of 10 July 2023 regarding the EU-US Data Privacy Framework.

5. Usage of Your Data for Web Analysis and Tracking (Google Analytics)

We use – as almost all website owners – tracking software as analysis tools to determine the frequency of usage and the number of users on our website(s).

Purposes and Means of the Data Processing
To optimise our website(s) and our offer, we use Google Analytics, a web analytics service provided by Google Ireland Limited, a company registered in Ireland (Register-No.: 368047) having its seat in Gordon House, Barrow Street, Dublin 4, Ireland („Google“). Google Analytics uses so-called „Cookies“files that are stored on your PC and allow an analysis of the usage of our website(s) by you. The information about the usage of our website(s) created by the cookie (including your IP address) is transferred to a server of Google located in the US and is stored there. In the event IP anonymisation is activated on the website(s), your IP address will be truncated by Google in the member states of the EU/EEA before transfer. Only in exceptional cases will the entire IP address be transferred by Google to a server in the US and will only be truncated there.
On our behalf, Google will use such information to evaluate your use of the website(s), to compile reports on the website activities for us and to provide services related to the usage of the website and the internet to us. The IP address transferred from your browser as part of the Google Analytics service will not be mingled with other data of Google.

Legal Basis of the Data Processing
The legal basis for the processing is your consent, according to Art. 6(1)(1) lit. a) of the GDPR.

Retention Period
Your personal data will be deleted as soon as it is not necessary any more to fulfil the purpose of their collection or if you have revoked your consent.

Right to Object/Remove
You can prevent the storage of cookies by changing the settings in your browser accordingly; in this case, please note that you may not use all functionalities of the website(s). In addition, you may prevent the collection of the data by the cookie relating to your usage of the website(s) (including your IP address) as well as the processing of such data by Google by downloading and installing the browser plugin available under the following link https://tools.google.com/dlpage/gaoptout?hl=en. As an alternative to the browser add-on or as part of browsers on mobile devices, please click this link to prevent the detection by Google Analytics on this website(s) in the future (the opt-out only works in this browser and only for this domain). An opt-out cookie will thereby be implemented on your device. If you delete your cookies in this browser, you need to click on the link again. You may find further information related hereto under https://tools.google.com/dlpage/gaoptout?hl=en as well as under https://marketingplatform.google.com/intl/de/about/analytics/ (general information about Google Analytics and data protection).
Please note that Google Analytics has been extended with the code „gat._anonymizeIp();“ on the website(s) to ensure an anonymised detection of IP addresses (so-called IP masking).

Processing and Transfer of the Data to a Third Country
We have executed a data processing agreement with Google to comply with applicable law. Data processing may take place outside the scope of the application of European law. Any transfer of personal data to the USA takes place on the basis of the EU Commission's adequacy decision of 10 July 2023 regarding the EU-US Data Privacy Framework.

6. Hosting (Firebase, Sentry)

Purpose and Means of the Data Processing
When you visit our website, we collect the following data transmitted by your browser in log files:

IP address;
Date and time of the enquiry;
Time zone difference to Greenwich Mean Time;
Content of the request;
HTTP status code transmitted data volume; and
Website from which the request originates and information about the browser and operating system.

This is necessary to display our website and to ensure stability and security so that our hoster can bill us for the services provided and to enable efficient delivery of the website.
We use the following hoster for the provision of our website: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US (“Firebase”) and Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105. US (“Sentry”).
Firebase and Sentry are a recipient of your personal data and acts as a processor on our behalf.

Legal Basis of the Data Processing
The legal basis for the processing of your personal data in this context is our legitimate interest pursuant to Art. 6(1) (1) lit. f) GDPR in not having to maintain a server on our premises ourselves.

Retention Period
Your personal data will be deleted by Firebase after 90 days and by Sentry if they are not needed anymore for the specific purpose they have been collected.

Right to Object/Remove
You have the option to object to the processing of your personal data by Firebase and/or Sentry at any time. Further information on objection and removal options vis-à-vis Firebase can be found at https://policies.google.com/privacy?hl=de and vis-à-vis Sentry at https://sentry.io/privacy/.
Please note that the functionality of our website cannot be guaranteed without processing.

Processing and Transfer of the Data to a Third Country
We have executed a data processing agreement with Firebase and Sentry to comply with applicable law. Data processing may take place outside the scope of the application of European law. Any transfer of personal data to the USA takes place on the basis of the EU Commission's adequacy decision of 10 July 2023 regarding the EU-US Data Privacy Framework.

III. Your Rights, Contact Data, Amendments to the Privacy Policy

1. Rights of the Data Subject

Right to access, rectification, right to object, to complaint, erasure and blockage.
You have the right to request information about whether and which personal data is processed by our company. You also have the right to demand that your personal data is rectified or amended.
Under certain circumstances, you have the right to request that your personal data should be deleted.
Under certain circumstances, you have the right to demand that the processing of your personal data should be restricted.
You can withdraw your consent to the processing and use of your data completely or partially at any time with future effect.
You have the right to obtain your personal data in a common, structured and mechanically readable format.
If you have any questions, comments, complaints, or requests in connection with our statement on data protection and the processing of your personal data, you can also contact our data protection officer.
RIGHT TO COMPLAIN: You also have the right to complain to a supervisory authority if you believe that the processing of your personal data is in violation of the legislation.

2. Contact

You may contact us at: privacy@palma.ai.

3. How we respond to your inquiries in relation to Data Protection

We will disclose information we store in relation to you upon request. To access, update or delete information about you, please contact us as set out above and inform us how you found out about us. We will react to your inquiry without undue delay.

4. Necessity of Obligation to provide Data

Insofar as not explicitly set out upon collection, providing data is not necessary or mandatory.

5. Amendments to this Privacy Policy

We reserve the right to amend this privacy policy at any time with immediate effect.

6. Date of this Privacy Policy

1 January 2025