PRIVACY POLICY
Last Updated: 04 Mar 2026
Company information, standard definitions, regulatory compliance framework, and document integration: See Shared Legal Definitions and Legal Framework Integration
1. INTRODUCTION
1.1 Scope and Purpose
This Privacy Policy ("Policy") describes how Innovatica Technologies FZ-LLC collects, uses, processes, shares, retains, and protects personal data and non-personal information when you access or use our Brilio platform. This Policy has been designed to achieve global legal defensibility across all jurisdictions where we operate.
1.2 Service Coverage
This Policy applies to all users of the Brilio platform, including individuals who create an account, create or use AI agents, or otherwise interact with our Services. It covers information collected through:
- The Brilio website (brilio.ai)
- The Brilio platform and all associated services
- Communications between you and Innovatica regarding the Service
- Any mobile applications or API integrations we may offer
- Third-party integrations and connected services
1.3 User Acknowledgment
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein, subject to your rights under applicable law.
2. DATA CONTROLLER AND PROCESSOR ROLES
2.1 Data Controller Responsibilities
Innovatica Technologies FZ-LLC is the data controller for personal information processed in connection with our Services. For users who create and deploy AI agents on our platform, Innovatica acts as a data processor with respect to information processed by those agents on behalf of the agent creator, who acts as the data controller for such processing activities.
2.2 Contact Information
Data Controller Contact Information:
- Company: Innovatica Technologies FZ-LLC
- Address: VUNE0632, Compass Building - Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates
- Email: legal@brilio.ai
Data Protection Officer:
- Email: legal@brilio.ai
- Responsible for: Privacy compliance, data subject requests, and regulatory correspondence
3. CATEGORIES OF DATA WE COLLECT
3.1 Account Information
- Email address
- Full name
- Password (stored in hashed format)
- Billing information and payment details (processed through our payment provider)
- Account preferences and settings
- Profile information you choose to provide
3.2 Usage Data
- Log data (IP address, browser type, referring/exit pages, operating system)
- Device information (device type, operating system, unique device identifiers)
- Usage metrics (features used, interactions with agents, session duration)
- Location data (region and country, derived from IP address)
- Telemetry data for platform performance monitoring
- Subscription information and credit usage
3.3 Agent-Related Data
- Content provided to create and train agents
- Names, descriptions, and configuration of agents
- Knowledge bases and data sources connected to agents
- Agent interactions and usage statistics
- Content generated by agents
3.4 Communications Data
- Customer support inquiries and related communications
- Responses to surveys or feedback requests
- Marketing preferences and interactions with marketing communications
3.5 Platform-Generated Data
- Automatically generated IDs and technical identifiers
- Timestamps and audit logs
- Technical error reports and debugging information
- Performance metrics and analytics
4. HOW WE USE YOUR DATA
4.1 Service Provision
- Creating and managing your account
- Providing platform features and functionality
- Processing payments and managing subscriptions
- Delivering customer support
4.2 Platform Operation
- Monitoring platform performance and security
- Detecting and preventing fraud, abuse, and security threats
- Troubleshooting technical issues
- Maintaining data integrity and backup systems
4.3 Improvement and Development
- Analyzing usage patterns to improve platform features
- Developing new products and services
- Conducting research and development
- We do not use your personal content or agent conversations to train AI models; anonymous, aggregated usage data may be used to improve platform functionality
4.4 Legal and Compliance
- Complying with legal obligations and regulatory requirements
- Protecting our rights and interests
- Responding to law enforcement requests
- Enforcing our terms of service
4.5 Communication
- Sending service-related communications
- Providing customer support
- Delivering marketing communications (with proper consent)
- Notifying you of policy changes or security issues
5. LEGAL BASIS FOR PROCESSING
5.1 Contractual Necessity
We process personal data as necessary to perform our contract with you, including account management, service delivery, and payment processing.
5.2 Legitimate Interests
We process data based on legitimate interests including platform security, fraud prevention, service improvement, and business operations.
5.3 Legal Obligations
We process data to comply with applicable laws, regulations, and legal proceedings.
5.4 Consent
For certain processing activities, we rely on your explicit consent, which you may withdraw at any time.
6. DATA SHARING AND DISCLOSURE
6.1 Service Providers
We share data with trusted third-party service providers who help us operate the platform, including:
- Cloud hosting providers (Microsoft Azure)
- Payment processors (Stripe)
- AI model providers (OpenAI, Anthropic)
- Analytics and monitoring services
- Customer support tools
6.2 Business Transfers
In connection with any merger, acquisition, or sale of assets, user data may be transferred as part of the transaction.
6.3 Legal Requirements
We may disclose data when required by law, regulation, legal process, or governmental request.
6.4 Protection of Rights
We may disclose data to protect our rights, property, safety, or that of our users or others.
6.5 With Your Consent
We may share data for other purposes with your explicit consent.
7. DATA RETENTION AND DELETION
7.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
7.2 Account Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: 90-day soft delete period, then permanent deletion
- Billing data: Retained for tax and regulatory compliance (typically 7 years)
- Support communications: Retained for 3 years for service improvement
7.3 Usage and Analytics Data
- Raw usage logs: 2 years
- Aggregated analytics: 5 years (anonymized)
- Security logs: 1 year (unless incident-related)
7.4 Agent and Content Data
- Agent configurations: Retained until account deletion
- User-uploaded content: Retained according to user preferences
- AI-generated content: Subject to user control and deletion requests
7.5 User-Requested Deletion
Users may request data deletion through account settings or by contacting our Data Protection Officer. We will process deletion requests within 30 days, subject to legal retention requirements.
8. DATA SECURITY
8.1 Technical Safeguards
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for administrative access
- Regular security assessments and penetration testing
- Automated threat detection and response systems
8.2 Organizational Measures
- Employee training on data protection and privacy
- Access controls and need-to-know principles
- Regular security policy reviews and updates
- Incident response and breach notification procedures
8.3 Third-Party Security
All service providers are required to maintain appropriate security measures and undergo regular security assessments.
8.4 Limitations
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data against all possible threats.
8.5 Data Breach Notification
8.5.1 Detection and Assessment
We maintain continuous monitoring and detection systems to identify potential data breaches. Upon detecting a suspected breach, we immediately:
- Contain the breach and secure affected systems
- Assess the scope and severity of the breach
- Determine what data was affected and how many users are impacted
- Investigate the root cause and attack vector
8.5.2 Notification to Supervisory Authorities (GDPR Compliance)
For breaches affecting EU residents' personal data, we will:
- Notify the relevant supervisory authority (data protection authority) without undue delay and where feasible within 72 hours of becoming aware of the breach
- Provide required information including:
  - Nature of the breach (categories and approximate number of affected individuals and records)
  - Name and contact details of our Data Protection Officer (legal@brilio.ai)
  - Likely consequences of the breach
  - Measures taken or proposed to address and mitigate the breach
- Provide updates as more information becomes available
Supervisory Authority Contact: We will notify the supervisory authority in the EU Member State where the affected data subjects primarily reside, or the lead supervisory authority under GDPR Article 56 where applicable.
8.5.3 Notification to Affected Users
We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
User Notification Timeline:
- Within 7 days of confirming the breach for high-risk incidents affecting personal data
- Notification sent via email to the address on file
- Additional notification methods (in-platform alerts, website banner) for severe breaches
User Notification Content:
- Clear description of the breach in plain, non-technical language
- Categories of personal data affected (e.g., names, emails, passwords, payment information)
- Likely consequences of the breach for the individual
- Measures we have taken to address the breach and prevent future incidents
- Recommendations for users to protect themselves (e.g., change passwords, monitor accounts)
- Contact information for questions and support (security@brilio.ai)
8.5.4 When User Notification May Be Delayed or Exempted
We may delay or not provide user notification if:
- Law enforcement request: Authorities request delay for investigation purposes (documented in writing)
- Not high risk: Breach does not pose high risk to users' rights and freedoms (e.g., encrypted data with secure key management)
- Protective measures: Technical protection measures (strong encryption) render data unintelligible to unauthorized parties
- Disproportionate effort: Large-scale breach where individual notification is impossible (public communication substituted)
8.5.5 Breach Response Assistance
Following a breach that affects your data, we will:
- Provide dedicated support channel for affected users (security@brilio.ai)
- Answer questions about the breach and its impact
- Assist with account security measures (password reset, enable MFA, review access logs)
- Provide updates as remediation progresses
- Issue written incident report upon request (within 30 days of resolution)
8.5.6 Your Responsibilities After a Breach
If you are notified of a breach affecting your data:
- Change your password immediately on Brilio and any other services where you used the same password
- Enable multi-factor authentication (MFA) if not already enabled
- Monitor your accounts for suspicious activity (financial accounts, email, other services)
- Review account activity logs in your Brilio account settings
- Contact us if you notice unauthorized access or suspicious activity (security@brilio.ai)
- Be vigilant for phishing - we will never ask for your password via email
8.5.7 Breach Records
We maintain records of all data breaches including:
- Facts of the breach (date, scope, affected data)
- Effects and consequences
- Remedial actions taken
- Notifications provided (to authorities and users)
These records are available to supervisory authorities upon request and may be provided to you upon request under data subject rights.
8.5.8 Right to Lodge Complaint
If you are unsatisfied with how we handled a data breach affecting your data, you have the right to lodge a complaint with your local data protection authority (supervisory authority in your EU Member State, or relevant authority in your jurisdiction).
9. INTERNATIONAL DATA TRANSFERS
9.1 Global Operations
Data may be transferred to and processed in countries where we or our service providers operate, including the United States, European Union, and Asia-Pacific regions.
9.2 Transfer Safeguards
For transfers outside your jurisdiction, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by relevant authorities
- Binding Corporate Rules where applicable
- Additional security measures as required
9.3 Data Sovereignty Options
Enterprise customers may request data residency in specific regions subject to technical and commercial feasibility.
10. YOUR PRIVACY RIGHTS
10.1 Universal Rights
Regardless of location, you have the right to:
- Access your personal data
- Correct inaccurate information
- Request data deletion (subject to legal requirements)
- Object to certain processing activities
- Withdraw consent where applicable
10.2 Enhanced Rights (GDPR, CCPA, and Similar Laws)
If you are in a jurisdiction with enhanced privacy laws, you may also have rights to:
- Data portability
- Restriction of processing
- Automated decision-making opt-out
- Detailed information about data processing
10.3 Exercising Your Rights
To exercise your privacy rights, contact us at legal@brilio.ai or use the privacy controls in your account settings. We will respond to requests within 30 days (or as required by applicable law).
11. COOKIES AND TRACKING TECHNOLOGIES
11.1 Types of Cookies
We use the following categories of cookies:
Essential Cookies (Always Active)
- Required for basic platform functionality
- Authentication and session management (login state, security tokens)
- Security and fraud prevention (CSRF tokens, rate limiting)
- Load balancing and performance optimization
- These cookies cannot be disabled as they are necessary for the platform to function
Functional Cookies
- Remember user preferences and settings (language, theme, dashboard layout)
- Provide enhanced features and personalization
- Support multi-language functionality
- Store non-sensitive user interface preferences
- Can be disabled through browser settings (may reduce functionality)
Analytics Cookies (Requires Consent)
We use Google Analytics to understand how users interact with our platform and to improve our services.
Google Analytics Cookies:
- _ga: Distinguishes unique users (expires after 2 years)
- ga
Data Collected by Google Analytics:
- Pages visited and time spent on each page
- Device type, browser, operating system, screen resolution
- Geographic location (country, region, city - based on IP address)
- Referral source (how you arrived at our website)
- User interactions (clicks, scrolls, form interactions - no form data content)
- Session duration and bounce rate
Google Analytics Configuration:
- IP anonymization enabled (last octet of IP address removed before storage)
- User ID tracking for logged-in users (allows cross-device behavior analysis)
- No personally identifiable information (PII) is sent to Google Analytics
- Data retention: 26 months (Google's default)
Your Google Analytics Choices:
- Opt-out via cookie banner: Decline analytics cookies when prompted
- Browser extension: Install Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout)
- Browser settings: Block third-party cookies or all cookies
- Platform settings: Adjust analytics preferences in your account settings
Google's Privacy Policy: https://policies.google.com/privacy
Marketing Cookies (Requires Consent)
- Deliver relevant advertising (currently not used)
- Measure marketing campaign effectiveness (currently not used)
- Personalize marketing communications (email preferences)
- Will only be deployed with explicit user consent
11.2 Cookie Management
You can control cookies through:
- Browser settings and preferences
- Platform cookie consent tools
- Third-party opt-out mechanisms
11.3 Impact of Cookie Choices
Disabling certain cookies may limit platform functionality and user experience.
12. CHILDREN'S PRIVACY
12.1 Age Restrictions
The Brilio platform is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.
12.2 Parental Rights
If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
13. CHANGES TO THIS POLICY
13.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
13.2 Notification of Changes
We will notify users of material changes through:
- Email notifications to registered users
- Prominent notices on our website
- In-platform notifications
13.3 Continued Use
Continued use of the platform after policy changes constitutes acceptance of the updated policy.
14. CONTACT INFORMATION
For questions about this Privacy Policy or our privacy practices, contact us at:
Email: legal@brilio.ai
Data Protection Officer: legal@brilio.ai
Support & Billing: support@brilio.ai
Address: VUNE0632, Compass Building - Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates
This Privacy Policy consolidates data protection terms from multiple documents to provide comprehensive coverage while maintaining regulatory compliance across all jurisdictions.