PRIVACY POLICY

This privacy policy (hereinafter, "Privacy Policy") has been drafted by CODEX INSIGHTS INSIGHTS S.L., (hereinafter, "Codex Insights" or the "Data Controller") in order to comply with the duty of transparency in the processing of personal data that may be carried out as a Data Controller, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, "GDPR").

The information contained in this Privacy Policy allows you to consult the details of the different types of processing of your personal data that may be carried out as a result of accessing and using the website www.codex-insights.com (hereinafter, the "Website"), as well as the different legal or commercial relationships that you may have with Codex Insights.

1. WHO WILL PROCESS YOUR PERSONAL DATA?

• Owner: Codex Insights S.L.

• Registered office: Calle Bécquer No. 18, 08860 – Castelldefels (Barcelona).

• Tax ID number: B-21942214

• Email: codex@codex-insights.com

Below, we provide details of the personal data processing that may be carried out at Codex Insights.

2. FOR WHAT PURPOSE, ON WHAT LEGITIMATE BASIS AND FOR HOW LONG WILL WE STORE YOUR PERSONAL DATA?

The personal data collected will be processed by the Data Controller for the purposes specified below, on the corresponding lawful basis, and retained for the period indicated:

Purpose

Legal basis

Retention period

Management of the relationship with Website’s users: Your identification, professional, contact, and billing details will be collected through the booking form (Acuity). These details are used to provide you with the requested services, process your payment, and issue the corresponding invoice on behalf of Codex Insight. Also, this information (if applicable) will be used if a registration process is enabled, to facilitate recurring bookings and the sale of service packages

Performance of the contractual relationship

The data will be kept for the time necessary to fulfil the stated purpose or until the user requests his data to be removes. Subsequently, it will be securely stored and blocked for the duration of the limitation period applicable to legal actions, and once this period has expired, it will be deleted.

Provision of services offered through our Website to registered users: your identification, professional and contact details will be used to display your profile (customer or consultant) to other users, to enable the coordination and booking of sessions, to manage linked calendars (Acuity), to enable the signing of documentation (as an NDA) between the parties (not mandatory, only if requested by the user) and to ensure the proper performance of the contracted service.

Performance of the contractual relationship

The data will be kept for the time necessary to fulfil the stated purpose. Subsequently, it will be kept duly blocked for the duration of the limitation period for legal actions and, once this period has expired, it will be deleted.

Management of the payment and billing process: your identification, contact and bank details will be used to correctly process the payment for the contracted service and any incidents related to the purchase process. We use Stripe as a payment provider, which act as a data processor on our behalf.

Performance of the contractual relationship

The data will be kept for as long as necessary to fulfil the stated purpose. Subsequently, it will be duly blocked for the duration of the limitation period for legal actions and, once this period has expired, it will be deleted.

Contact form support: Your identification and contact details, as well as any personal data provided through the contact form, will be used to respond to any queries and requests for information you wish to send to Codex Insights.

Performance of the contractual relationship

The data will be kept for the time necessary to process and respond to your queries or requests for information. Subsequently, it will be kept duly blocked for the duration of the limitation period for legal actions and, once this period has expired, it will be deleted.

Sending of Newsletters or commercial information about Codex Insights services and news: your identification and contact details will be used to send you commercial communications about products or services similar to those you have enjoyed if you are a customer, if you have subscribed to the Newsletter through the form provided for this purpose on the Website or if you have expressly consented to receiving commercial information from Codex Insights by checking the corresponding boxes on other forms enable in the website.

Legitimate interest

Consent

The data will be kept for the time necessary to fulfil the stated purpose or until the user revokes their consent. Subsequently, will keep the data duly blocked for the duration of the limitation period for legal actions and, once this period has expired, the data will be deleted.

Use of photographs and biography in marketing materials and social media: Codex Insights may use the name, biographical information, and photographs displayed in the Consultant user profile in marketing materials and social media to promote the consulting services offered on the Website, to increase the visibility of Consultant users, and to attract customers through social media posts, web posts, and commercial materials.

Consent

The data will be kept for as long as necessary to fulfil the stated purpose. Subsequently, it will be kept duly blocked for the duration of the statute of limitations for legal actions, and once this period has expired, it will be deleted.

Use of Automated Matching System: Codex Insight’s website uses LLM-based matching tool to offer Users personalized suggestions of Consultants whose professional background, expertise, and profile characteristics may align with their stated needs. To generate these recommendations, the system processes:

1. Information provided by Users through the Website’s form, and

2. data voluntarily disclosed by the users-consultants, such as professional profiles, CV details, and publications.

Performance of the contractual relationship

The data will be kept for the time necessary to fulfil the stated purpose. Subsequently, it will be kept duly blocked for the duration of the limitation period for legal actions and, once this period has expired, it will be deleted.

Management of cookies installed on our Website: only cookies used by integrated tools (Squarespace, Acuity, Stripe, etc.) are active. No additional cookies will be added beyond those necessary for the functionality and analysis provided by the tools indicated above.

Consent

The data will be kept for as long as necessary to fulfil the stated purpose or until the user revokes their consent. Subsequently, it will be kept duly blocked for the duration of the limitation period for legal actions and, once this period has expired, it will be deleted.

3. NECESSITY OF PROVIDING DATA.

We inform you that merely accessing the Website does not entail any obligation to provide personal information, except as set out in the Cookies Policy.

However, the use of some services or features of the Website does require you to provide certain personal data, indicated in the corresponding forms, and implies their processing for the purposes and on the legal bases indicated in this Privacy Policy.

Refusal to provide the data required in these cases may prevent us from delivering certain services or functionalities, or from processing the requests or contracts submitted, particularly where such data is identified as mandatory.

As the data subject, you are responsible for ensuring that the data you provide to us through the Website is true, accurate, complete and up to date. To this end, you are responsible for the accuracy of all the data you provide and must keep the information provided duly updated so that it reflects your actual situation.

Likewise, you will be responsible for any false or inaccurate information you provide and for any direct or indirect damages this may cause to the Data Controller or to third parties.

Under no circumstances may personal data relating to third parties be included in the forms, unless you have previously obtained their consent, and you shall be personally liable for any failure to comply with this obligation. You may be required to provide supporting documentation of such authorization at any time.

4. WITH WHOM WILL THE USER'S DATA BE SHARED?

Unless otherwise indicated, Codex Insights will not disclose data to third parties, except where there is a legal obligation enforceable on the Data Controller, or where necessary for the fulfilment of contractual obligations.

Your personal data may be communicated to the competent Public Authorities and Bodies and/or to the Law Enforcement Agencies that may require it at any time, in accordance with the current legislation and based on the need to comply with a legal obligation.

The Data Controller follows strict criteria for selecting service providers in order to comply with its data protection obligations and undertakes to sign the corresponding data processing agreement with them, which will ensure that the third parties it contracts comply with the applicable regulations and that, under no circumstances process the data they access for purposes other than those indicated by the Data Controller.

5. INTERNATIONAL TRANSFERS.

In order to fulfil the purposes mentioned, we may use service providers (Acuity, Stripe, Open AI, Google, etc.) located outside the European Economic Area (EEA) or in countries that have not been declared to have an adequate level of protection. In any case, we ensure that the security and legitimacy of the processing of personal data is guaranteed.

To this end, we require adequate guarantees from these service providers in accordance with the provisions of the GDPR so that they have, for example, binding corporate rules that guarantee the protection of information in a manner similar to that established by European standards or that they subscribe to the latest standard contractual clauses approved by the European Commission.

Likewise, in our Cookies Policy you will find information on the use of cookies by third parties that may carry out international transfers of personal data. You can consult the privacy information of the third parties that serve cookies on this website through our Cookies Policy .

6. EXERCISE OF RIGHTS.

The user's personal data will be treated by Codex Insights with absolute confidentiality. However, in accordance with data protection regulations, as a user who provides personal data, you have the following rights:

• Right of access: to access your personal data.

You have the right to be informed by the Data Controller whether or not your personal data is being processed and, if so, to access that data and receive information about the purposes for which it is being processed, the categories of data affected by the processing, the recipients to whom your personal data has been disclosed and the expected period of data retention, among other information.

• Right to rectification: to rectify inaccurate or incomplete data.

You may at any time request the Data Controller to rectify, without undue delay, any inaccurate personal data concerning you, as well as to complete the data being processed.

• Right to withdraw consent: to withdraw your consent at any time, without prejudice to the lawfulness of the processing base don consent prior to its withdrawal.

Withdrawal of consent shall not affect the lawfulness of processing carried out before such withdrawal, and no justification will be required.

• Right to object to processing, in whole or in part: to object to the processing of data where appropriate.

You have the right to object to the processing of your personal data in certain circumstances and for reasons related to your particular situation. In these cases, the Data Controller will stop processing your personal data, unless it can demonstrate legitimate grounds for processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims..

• Right to data portability: request the portability of your data.

You have the right to receive the personal data you have provided to the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another Controller without being prevented by the Controller to whom you originally provided them, in the cases legally established for this purpose.

• Right to erasure: request the right to erasure of your personal data when it is no longer necessary for the purposes for which it was collected or when it has been processed unlawfully, among other circumstances.

You have the right to request the erasure of your personal data provided that the applicable legal requirements are met, including, among other reasons, that the data is no longer necessary for the purposes for which it was collected.

• Right to restriction of processing: to obtain from the Data Controller the restriction of data processing when any of the conditions provided for in the data protection regulations are met.

In certain circumstances (for example, if you contest the accuracy of your data, while the accuracy of the data is being verified), you may request that the processing of your personal data be restricted, and the data will only be processed for the exercise or defense of claims.

In order to exercise the above rights, you have the right to contact the Data Controller at any time and free of charge by writing to the following address: Calle Bécquer Nº.18, 08860 – Castelldefels (Barcelona), or by sending an email to the address provided for this purpose: codex@codex-insights.com. In case of doubt about your identity, you may be required to provide supporting documentation for the processing of your request.

Likewise, if, as the data subject, you consider that the Data Controller has violated any of your rights under the applicable data protection regulations, you may file a complaint against the Spanish Data Protection Agency (www.aepd.es), at C/ Jorge Juan, 6 (28001), Madrid.

7. SECURITY MEASURES.

In order to safeguard the security of your personal data, please note that Codex Insights has implemented all necessary technical and organisational measures to ensure the protection of the personal data provided. These measures aim to prevent any alteration, loss, and/or unauthorised processing or access, as required by law. However, please be aware that absolute security cannot be guaranteed.

Likewise, the Controller informs you that all its personnel, regardless of the stage of processing in which they are involved, are committed to handling your personal data with the utmost care, secrecy and confidentiality, and that such data will be processed in compliance with the applicable personal data protection legislation.

8. Changes to the privacy policy.

To ensure that data protection guidelines remain compliant with current legal requirements, Codex Insights reserves the right to make any necessary changes to keep them aligned with applicable legislation at all times.

In such cases, Codex Insights will announce the changes and publish them on this Website, ensuring that you can access them easily and at any time.