Privacy statement

ENDOXIA B.V.


How Endoxia B.V. processes personal data as a data controller under the GDPR.


Version: 1.1

Status: Final

Effective date: [to be filled in]

Document type: Privacy Statement


Endoxia B.V.

Tweede Jan van der Heijdenstraat 16-1, 1073 VH Amsterdam, The Netherlands

endoxia.com · privacy@endoxia.com

Confidential · © 2026 Endoxia B.V. · All rights reserved.


Table of Contents

1. Who are we?
2. Contact details
3. What personal data do we process?
4. Users of the Platform
5. Representatives of customers and suppliers
6. Website visitors
7. Cookies
8. Contact requests
9. Newsletter
10. Job applicants
11. Personal data in customer data
12. AI functionalities
13. Purposes of processing
14. Obligatory information
15. Retention periods
16. Sharing of personal data
17. Sub-processors
18. International transfers
19. Security
20. Your rights
21. Third-party websites
22. Complaints
23. Changes
24. Contact



1. Who are we?

Endoxia B.V. (“Endoxia”, “we”, “us”, “our”) develops and operates an AI-driven software platform for professional service providers and organizations that work with complex documents, knowledge-intensive processes, regulations, transactions, compliance issues, and advisory work.

This Privacy Statement describes how Endoxia processes personal data when acting as a data controller within the meaning of the General Data Protection Regulation (“GDPR”).

For personal data processed by customers through the Platform, Endoxia acts in principle as a processor. The Data Processing Agreement applies to those processing operations.

2. Contact details

Endoxia B.V.

Tweede Jan van der Heijdenstraat 16-1

1073 VH Amsterdam

The Netherlands


Website: endoxia.com

E-mail: privacy@endoxia.com

3. What personal data do we process?

We process personal data of:

users of the Platform;

representatives of customers;

suppliers;

website visitors;

newsletter recipients;

job applicants;

individuals contacting Endoxia.

4. Users of the Platform

When a user accesses the Platform, we may process the following data.

ACCOUNT DATA

name;

business email address;

organization;

user ID;

authentication details.

USAGE DATA

login times;

session data;

IP address;

device details;

browser information;

usage statistics;

log files;

interactions with functionalities.

PURPOSES

account management;

authentication;

security;

support;

product improvement;

performance analysis;

fraud prevention.

LEGAL BASIS

performance of the contract;

legitimate interest;

legal obligations where applicable.

5. Representatives of customers and suppliers

We may process:

name;

job title;

company name;

email address;

phone number;

invoice details;

payment details;

correspondence.

PURPOSES

relationship management;

contract management;

invoicing;

administration;

support;

compliance with legal obligations.

LEGAL BASIS

performance of the contract;

legal obligations;

legitimate interest.

6. Website visitors

When you visit our website, we may process:

IP address;

browser type;

device type;

operating system;

language settings;

visited pages;

times of visits;

cookie data.

PURPOSES

functioning of the website;

security;

performance improvement;

statistical analysis;

debugging.

LEGAL BASIS

legitimate interest;

consent where legally required.

7. Cookies

Our website and Platform use cookies and similar technologies. A cookie is a small text file placed on your device during a visit that recognizes your browser or device on a subsequent visit.

We use functional, analytical, and tracking cookies. We only place tracking cookies with your consent. For a complete overview and your setting options, please refer to our Cookie Statement.

8. Contact requests

When you contact us, we may process:

name;

email address;

phone number;

content of the correspondence.

PURPOSES

answering questions;

handling complaints;

providing support;

improving service provision.

LEGAL BASIS

legitimate interest;

performance of the contract.

9. Newsletter

When you sign up for our newsletter, we process:

name;

email address.

PURPOSES

sending newsletters;

product updates;

events;

company news.

LEGAL BASIS

consent.

An unsubscribe link is included in every newsletter. You can unsubscribe at any time.

10. Job applicants

If you apply for a job at Endoxia, we may process:

name;

contact details;

curriculum vitae;

motivation letter;

work experience;

educational details;

LinkedIn profile and other public profiles;

interview notes.

PURPOSES

assessment of job applications;

selection procedures;

communication during the application process.

LEGAL BASIS

legitimate interest;

consent where required.

11. Personal data in customer data

Personal data entered into the Platform by customers or users is in principle processed on behalf of the customer.

In that situation:

the customer is the data controller;

Endoxia is the data processor.

The Data Processing Agreement applies to these processing operations. Data subjects should in the first instance contact the respective customer.

12. AI functionalities

The Platform utilizes artificial intelligence.

When customers process documents or information through the Platform, personal data may be part of that processing. Endoxia uses such personal data solely to provide the agreed services.

NO AI TRAINING WITHOUT CONSENT

Endoxia does not use customer data for:

training of AI models;

fine-tuning of AI models;

improvement of AI models,

unless the respective customer has given explicit prior consent for this.

13. Purposes of processing

We process personal data for:

delivery of the Platform;

account management;

security;

support;

invoicing;

contract management;

product improvement;

statistical analysis;

fraud prevention;

compliance with legislation;

communication;

recruitment.

14. Obligatory information

In certain cases, it is legally or contractually required that you provide certain personal data to us, for example your contact details. If you do not provide this data, this may result in us being unable to provide you with certain Services or perform part of our contract with you.

15. Retention periods

We do not store personal data longer than necessary. In principle, the following retention periods apply:

| Category | Retention Period |
| --- | --- |
| Account data | 30 days after deletion |
| Contract data | 5 years after end of relationship |
| Invoice data | 7 years |
| Correspondence | 2 years |
| Newsletter details | Until unsubscribing |
| Applications | 4 weeks after rejection, or up to 1 year with consent |
| Log files | Maximum 12 months |


If legal obligations require a longer period, that longer period applies.

16. Sharing of personal data

We may share personal data with:

hosting providers;

cloud providers;

email providers;

support vendors;

security vendors;

payment providers;

accountants;

legal advisors;

supervisory authorities;

government agencies.

We only share data to the extent necessary.

17. Sub-processors

For the delivery of the Platform, Endoxia uses specialized suppliers.

A current overview of Sub-processors can be requested via privacy@endoxia.com.

18. International transfers

Endoxia processes personal data in principle within the European Economic Area.

If transfer outside the EEA is necessary, we ensure appropriate safeguards in accordance with the GDPR, including where necessary:

adequacy decisions;

Standard Contractual Clauses;

additional security measures.

19. Security

Endoxia takes appropriate technical and organizational measures to protect personal data. These measures include, among others:

encryption in transit;

access control;

authentication;

logging;

monitoring;

network security;

backups;

incident management;

vendor assessments.

20. Your rights

Under the GDPR, you have the following rights:

access – you can ask us for access to and a copy of your personal data;

rectification – you can ask us to correct incorrect or incomplete data;

erasure – you can ask us to erase your data (the “right to be forgotten”);

restriction – you can ask us to temporarily restrict the use of your data;

data portability – you can ask us to transfer your data in a structured, commonly used format;

objection – you can object to certain processing operations, including direct marketing;

withdrawal of consent – when processing is based on consent, you can withdraw it at any time.

Requests can be directed to privacy@endoxia.com. We may ask for additional information to verify your identity.

21. Third-party websites

Our website may contain links (hyperlinks) to websites, products, or services of third parties. Endoxia has no control over these websites and is not responsible for their content or the way these third parties handle personal data. The terms and privacy statements of these third parties apply to the use of third-party websites.

22. Complaints

You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via autoriteitpersoonsgegevens.nl.

23. Changes

Endoxia may amend this Privacy Statement. The most current version will be published on endoxia.com.

In case of material changes, we will inform users and customers about this.

24. Contact

For questions about privacy or data protection:


Endoxia B.V.

Tweede Jan van der Heijdenstraat 16-1, 1073 VH Amsterdam


Privacy Officer: privacy@endoxia.com

Website: endoxia.com