EU REGULATION 679/2016 ON THE PROCESSING OF PERSONAL DATA - ART. 13

Braino.AI S.r.l. Società Benefit, with registered office in via Ippodromo 56, 20151 Milan VAT number 13049530960 (hereinafter, "Data Controller" or "Company"), as Data Controller, informs you, pursuant to Legislative Decree 101/2018 (hereinafter, "Privacy Code") and art. 13 of EU Regulation no. 2016/679 (hereinafter, "GDPR"), that your data will be processed according to principles of fairness, lawfulness, transparency, in compliance with the purposes and methods indicated below, collecting them to the extent necessary and exact for the processing.

The contact details of the Data Protection Officer, RPD or DPO (Data Protection Officer), are as follows: [email protected], by writing to whom you can exercise the rights contemplated by art. 15 et seq. of the GDPR.

Braino.AI srl provides a financial platform called "Braino" to private individuals and end users, to open a payment account, receive incoming transactions, send bank transfers and better manage their financial resources.

This Privacy Policy ("Policy") describes the Personal Data collected by Braino.AI srl, how it is used and shared, and details on how users can contact Braino.AI srl regarding privacy requests. In addition, the Policy indicates the rights of the data subjects and their respective choices, such as the right to object to certain uses by Braino.AI srl of the users' Personal Data.

Braino.AI srl acts as the "data controller" for the data collected through the platform. This means that we determine the purpose and means of the processing of the collected personal data. In this context, some of our partners, in particular our payment institution Treezor, are appointed as "data processors."

With reference to the provision of Payment Services, Braino.AI acts as an agent of Treezor (SAS), a simplified joint-stock company with its registered office at 33 rue de Wagram, 750175 - Paris (France), authorized by the French financial regulatory authority (Autorité de contrôle prudentiel et de résolution) ("ACPR") to operate as an Electronic Money Institution and registered under no. 16798 in the relevant register ("Treezor"). Braino.AI is an agent of Treezor (REGAFI ID. 742358).

The use of the Payment Services is also subject to the personal data protection regulations applied by Treezor; therefore, the data processing connected to these Services will take place in accordance with Treezor's privacy policy, as well as Braino.AI's provisions, where applicable.

"Personal Data" refers to any information associated with an identified or identifiable individual, such as the data provided to Braino.AI srl by users and the information collected by Braino.AI srl during users' interaction with the related Services (e.g., device data, IP address, etc.).

The term "Services" refers to products, services, and applications provided by Braino.AI srl pursuant to the Terms of Service for consumers ("End-User Services"), to websites ("Sites") such as www.next.braino.ai and to other online applications and services of Braino.AI srl.

"End Users" are those who use a Service, and are private individuals who enter into a contract with Braino.AI srl and operate through the use of the platform of the same name.

Visitors. When users interact with Braino.AI srl by visiting a Site without having logged into a Braino.AI srl account or if the interaction with Braino.AI srl does not require the generic user to be an End User, the user is considered a "Visitor." For example, users are considered Visitors when they send a message to Braino.AI srl asking for further information about the Services.

In this Policy, the term "Transaction Data" refers to the data collected and used by Braino.AI srl to facilitate transactions requested by users. Some Transaction Data constitutes Personal Data and may include: name, e-mail address, contact number, billing address, shipping address, payment method data (e.g., credit or debit card number, bank account information, or image of the payment card selected by the user), merchant and location details, purchase amount, date of purchase and, in some cases, information on the products purchased.

We collect Data based on a legal obligation, a legitimate interest, or your consent. This collection is necessary to perform the contract concluded when you use our Services in the Application. We collect your Data through the forms you fill out on our website or our mobile applications to access our services or those of our partners. We also collect your Data when you communicate with us, particularly with our customer service via the chat in our Application or by email. In this case, we keep a copy of our conversation. It is also likely that we collect your Data when you interact with us on social networks. At the time of collecting your Data, we inform you whether it is mandatory or optional to provide it. Mandatory data is necessary for the functioning of the Services. As for optional data, you are completely free to provide it or not. We also indicate to you the possible consequences of a lack of a response.

Your Data is collected in order to fulfill the contract concluded when you use our Services in the Application or to fulfill a legal obligation. We use it for one or more of the following purposes:

• Manage your access to the Service, accessible in the Application and its use
• Manage the electronic money account and payment instruments made available to you
• Prevent, research, and detect payment fraud so that your payments are secure
• Process your complaints, according to the procedure we apply
• Create a file of registered members, users, customers, and potential customers
• Inform you about changes to the service we offer, including new features
• Improve your navigation on our website or the use of our applications and ensure that the content we display is tailored to your needs Process commercial and frequency statistics of our services Comply with our legal and regulatory obligations, particularly in the context of the fight against money laundering and the financing of terrorism, obliging us to identify you and verify your identity

1. Detecting the degree of Customer satisfaction regarding the quality of the services rendered and the activity carried out by the Company, through personal interviews, telephone calls, questionnaires, etc., also through third-party companies;
2. Carrying out direct and indirect marketing activities for the promotion of the App's products and services, including the organization of events, both through the use of automated calling or communication systems without the intervention of an operator and electronic communications (email, SMS, MMS or other types), and through the use of paper mail and telephone calls via operator;
3. Promotional initiatives for products and services of third-party companies, including the organization of events, also through automated systems (SMS, MMS, fax, and email);
4. Communication or transfer of data to third-party companies for commercial information purposes, market research, direct offers of their products and services both through the use of automated calling or communication systems without the intervention of an operator and electronic communications (email, SMS, MMS or other types), and through the use of paper mail and telephone calls via operator.

The provision of data necessary for these purposes is optional and the legal basis for processing is the consent of the data subjects. Lack of consent will have no consequence in the relationship between the parties, possibly resulting only in an improvement of the service. Consent may be revoked at any time by communicating it to the Data Controller.

Carrying out analysis of the use of the Services, in order to improve the Services provided and meet specific user needs.

The provision of data necessary for these purposes is optional and the legal basis for processing is the consent of the data subjects. Lack of consent will have no consequence in the relationship between the parties, possibly resulting only in an improvement of the service. Consent may be revoked at any time by communicating it to the Data Controller.

The collected Data is intended for us and, when strictly necessary, for our subcontractors and partners involved in the provision of our services, as well as for employees and collaborators of the Data Controller in their capacity as authorized and/or internal data processors and/or system administrators. Your Data may also be communicated to the competent authorities, upon their request, in the context of legal proceedings, requests for information by authorities, or simply to comply with legal obligations.

We retain your Data only for the time necessary for the purposes pursued. In accordance with our obligations in the fight against money laundering and terrorist financing, data related to your transactions will be kept for a period of five years after the closure of your account and the end of our contractual relationship.

We retain your Data only for the time necessary for the purposes pursued. In accordance with our obligations in the fight against money laundering and terrorist financing, data related to your transactions will be kept for a period of five years after the closure of your account and the end of our contractual relationship.

The Data we collect is stored on the servers of our provider Amazon Web Services, which ensures a high level of security. These servers are located within the European Union.

In order to protect your Data, we adopt all precautions, organizational and technical measures useful to preserve its security, integrity, and confidentiality and, in particular, to prevent it from being distorted, damaged, or accessed by unauthorized third parties. We also use secure payment systems compliant with the state of the art and applicable legislation. The transmission of your Data via the Internet is protected through the HTTPS connection secured by an SSL certificate.

We inform you that, at any time and if the prerequisites exist, you can exercise your rights under Articles 15 et seq. of the GDPR:

• obtain confirmation as to whether or not personal data concerning you exist and a copy thereof in an intelligible form;
• obtain the updating, rectification, or integration of your data;
• request the erasure of your data, within the limits permitted by law;
• object, in whole or in part, to the processing of personal data concerning you;
• limit processing, in case of violation, request for rectification, or objection;
• request the portability of electronically processed data, provided on the basis of consent or contract;
• withdraw consent to the processing of your data, where provided.
• in relation to fully automated profiling, obtain human intervention from the Controller to express your opinion and contest the decision.

If you deem it appropriate, you may lodge a complaint with the Italian Data Protection Authority.

To exercise your rights, you can contact the Data Controller or the DPO at the following e-mail address: [email protected]

We normally process your data within the European Union; however, for technical or operational reasons, we may transfer data outside the European Union or the European Economic Area (so-called Third Countries). The Company ensures from now on that the transfer will be carried out in compliance with applicable legal provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission. For more information, you can contact the DPO by writing to the address [email protected]

This Policy entered into force on 01/01/2026

Braino.AI srl may modify this Policy periodically to comply with the introduction of new services or any changes to privacy practices or current laws. The wording "Last updated" at the beginning of the page of this Policy indicates the date of the last material revision. Any changes take effect from the moment Braino.AI srl publishes the revised Policy on the Services or sends a notice of the update, as required by law, whichever condition occurs later.

Braino.AI srl may provide communications and notices relating to the Policy or the Personal Data acquired by publishing them on its website and contacting End Users or Representatives through the Braino.AI platform, the e-mail address and/or the physical address indicated in the users' Braino.AI accounts.