Personal Data Protection Policy of NEON FLOWER sp. z o.o.

This is an English translation provided for convenience. In case of any discrepancy, the Polish-language version is authoritative.

1. Subject of the information

We hereby provide you with detailed information regarding our processing of your personal data, as referred to in Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).

2. Data controller

2.1. The controller, i.e. the entity deciding how your personal data will be used, is NEON FLOWER spółka z ograniczoną odpowiedzialnością, with its registered office in Kraków, address: ul. Eliasza Radzikowskiego 94A/106, 31-315 Kraków, KRS: 1193580, NIP: 9452316953.

2.2. We have not appointed a data protection officer.

2.3. You can contact us:

2.3.1. by post to the address: NEON FLOWER spółka z ograniczoną odpowiedzialnością with its registered office in Kraków, ul. Eliasza Radzikowskiego 94A/106, 31-315 Kraków,
2.3.2. by e-mail to: privacy@neonflower.ai.

3. Purpose and legal basis for processing

We use your personal data, obtained when establishing cooperation and during its course, for the following purposes:

3.1. to conclude and perform the contract entered into (legal basis: Article 6(1)(b) GDPR), e.g.:

3.1.1. preparing and submitting an offer,
3.1.2. concluding the contract,
3.1.3. selling goods/providing services,
3.1.4. verifying the compliance of performance with the provisions of the contract or the law,
3.1.5. fulfilling warranty obligations,

3.2. activities necessary to fulfil a legal obligation incumbent on the controller (legal basis: Article 6(1)(c) GDPR), e.g. disclosing data at the request of authorized authorities and institutions,

3.3. pursuing our so-called legitimate interests (legal basis: Article 6(1)(f) GDPR), namely:

3.3.1. granting and managing access to services, in particular login credentials for digital services and computer programs,
3.3.2. ensuring the handling of payment services,
3.3.3. debt collection, including conducting court, arbitration, and mediation proceedings,
3.3.4. detecting infringements of our subjective rights and preventing infringements,
3.3.5. verifying payment credibility.

3.4. Your personal data will not be subject to profiling or automated decision-making.

3.5. In connection with the use of technology providers (including providers of artificial intelligence language models, hosting services, and databases), your personal data may be transferred to third countries (outside the European Economic Area) in respect of which the European Commission has issued a decision confirming an adequate level of protection.

4. Transfer of data

Your personal data may be transferred by us to:

4.1. entities processing data on our behalf to the extent necessary for us to conduct our business activity, namely:

4.1.1. employees/contractors in the scope of performing their professional duties,
4.1.2. other entities acting as intermediaries in the sale of our goods/services,
4.1.3. entities servicing our ICT systems or providing us with such systems and tools, including entities providing language models (LLM), hosting platforms, and remote databases that are used by or integrated with the computer programs and digital services we offer,
4.1.4. counterparties supporting us in performing the contract binding us with you or with your employer or principal, e.g. in handling correspondence or granting and managing access rights,
4.1.5. entities providing us with advisory, IT, hosting, consulting, audit, legal, tax, accounting, or HR services.

4.2. other data controllers processing data in their own name:

4.2.1. entities conducting postal/courier activity,
4.2.2. entities acquiring receivables,
4.2.3. entities conducting payment activity (e.g. banks or payment institutions),
4.2.4. entities cooperating with us, among others, in handling accounting, bookkeeping, tax, IT, hosting, legal, or HR matters to the extent that they become a data controller,

4.3. authorized state authorities and institutions.

5. Voluntary nature of providing data

Providing your personal data is fully voluntary. We require you to provide the data necessary to conclude and perform the subject matter of the mutual contract. If we are not provided with the necessary personal data, unfortunately we will not be able to conclude a contract with you or with the entity on whose behalf you are acting, and if it is concluded, we will have to terminate or withdraw from the contract. In the event of establishing cooperation, we may require you to provide the data necessary to fulfil obligations provided for by generally applicable law, e.g. for the purpose of making tax settlements. If such data required by law is not provided, you may be exposed to claims and sanctions specified by law, e.g. claims for damages.

6. Data retention period

6.1. In transactions related to the performance of the contract, the data will be stored for the period of performing the subject matter of the contract and the period necessary for establishing, asserting, or defending claims relating to the contract.

6.2. In connection with the implementation of legal provisions, your personal data will be stored for the periods specified in generally applicable law.

6.3. For the period in which we may bear legal consequences for failing to fulfil a legal obligation, we will store your personal data for that period.

7.1. You have the following rights related to our processing of your personal data:

7.1.1. the right of access to personal data, including the right to information about the personal data and to obtain a copy of the personal data,
7.1.2. the right to rectify personal data if it is incorrect, and the right to supplement incomplete data,
7.1.3. the right to restrict the processing of personal data,
7.1.4. the right to data portability,
7.1.5. the right to erasure of personal data,
7.1.6. the right to lodge a complaint with the data protection authority, i.e. the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warszawa), if unlawful processing of personal data is found,
7.1.7. the right to withdraw, at any time, any consent given to the processing of data without giving reasons,
7.1.8. the right to object to:
- 7.1.8.1. our processing of data for marketing purposes, if you have given or will give us such consent in the future,
- 7.1.8.2. our processing of personal data for purposes arising from the legitimate interests we pursue, for reasons related to your particular situation.

7.2. You may exercise the rights listed above at any time by submitting an appropriate request to us in accordance with the contact information provided above.

7.3. We are obliged to provide you with information about the actions taken in connection with the requests without undue delay, and in any case within one month of receiving the request. Where necessary, we may extend the aforementioned period by a further two months due to the complex nature of the request or the number of requests, provided that within one month of receiving the request we must inform you of the extension of the period together with the reasons for it.

7.4. If we do not take action in connection with your requests, we will promptly — no later than within one month of receiving the request — inform you of the reasons for not taking action and of the possibility of lodging a complaint with the President of the Personal Data Protection Office and of using legal remedies before a court.

7.5. We will provide you with the information referred to above by registered letter, to the postal address you provide, or electronically, to the e-mail address you provide.

7.6. We will inform each recipient to whom your personal data has been disclosed about the rectification or supplementation or erasure or restriction of the processing of your personal data that we have carried out in fulfilment of a request. We will not have to provide such information only where it proves impossible (e.g. in the event of winding up the business) or would require a disproportionate effort (the data was disclosed many years ago and, despite attempts made, it was not possible to contact the recipient). Upon request, we will inform you about the recipients to whom we have provided information about the rectification or erasure or restriction of the processing of personal data, as well as about the recipients whom we were unable to notify.

7.7. All communication and actions taken by us in connection with your requests referred to above are free of charge. However, if your requests are manifestly unfounded or excessive, e.g. due to their recurring nature, we may charge a reasonable fee taking into account the administrative costs of providing the information, communication, or taking the requested actions, or refuse to act on the request.

Contact regarding this policy

NEON FLOWER sp. z o.o., ul. Eliasza Radzikowskiego 94A/106, 31-315 Kraków

E-mail: privacy@neonflower.ai

Document information

Title: Personal Data Protection Policy of NEON FLOWER sp. z o.o.
Organization: NEON FLOWER sp. z o.o.
Effective date: 1 March 2026
Version: 1.0
Status: Approved by the Management Board
Document owner: President of the Management Board of NEON FLOWER sp. z o.o.

Copyright notice

The economic copyright to this document belongs to NEON FLOWER sp. z o.o. Recording, trading, reproduction, or distribution requires the written consent of NEON FLOWER sp. z o.o., under pain of nullity.

NEON FLOWER sp. z o.o. does not consent to the distribution of this document for the purpose of text and data mining.

Approved by: Tomasz Łaś, President of the Management Board of NEON FLOWER sp. z o.o. Date: 1 March 2026.