GDPR Data Protection Addendum

This GDPR Data Protection Addendum ("GDPR Addendum") applies to users located in the European Union, European Economic Area, and the United Kingdom and supplements the Privacy Policy and Terms of Service.

In the event of a conflict, this GDPR Addendum shall prevail with respect to personal data protection matters.

1. Data Controller

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Ayconic, LLC acts as the Data Controller with respect to personal data transmitted through the App and temporarily processed via the Company's backend systems.

Contact: support@ayconic.io

2. Categories of Personal Data

Due to the nature of the Services, the App may process any personal data visible on a user's device screen, including but not limited to:

• Identifiers and contact information
• Private communications
• Financial or transactional information
• Health-related information
• Credentials or authentication data
• Any other personal or sensitive data displayed on the screen

The Company does not intentionally target specific categories of personal data and does not perform data classification on screen content.

In addition, the Company processes limited account-related data, including email address and unique user identifiers, for authentication and account management purposes.

Where enabled by the user, the Company may also store a limited history of user-submitted textual AI requests. Such request history does not include screen content, screenshots, or visual data extracted from the user's device.

3. Purposes of Processing

Personal data is processed strictly for the following purposes:

• Providing AI-based analysis and functionality explicitly requested by the user
• Enabling contextual actions initiated by the user
• Ensuring security, stability, and proper functioning of the Services
• Maintaining user accounts and, where enabled, providing continuity through stored textual request history

Personal data is not processed for advertising, behavioral profiling, or unrelated analytics.

All processing activities described herein are triggered solely by explicit user actions. The Company does not engage in automated decision-making, background data collection, or autonomous processing unrelated to a specific user request.

4. Legal Bases for Processing (Article 6 GDPR)

The Company relies on the following legal bases:

4.1 Consent (Article 6(1)(a))

Processing of screen content occurs only after the user:

• Explicitly enables required permissions
• Actively triggers App functionality

Consent may be withdrawn at any time by disabling permissions or uninstalling the App. Withdrawal of consent does not affect processing strictly necessary for account management and contractual obligations.

Storage of textual request history is optional and based on user consent, which may be withdrawn at any time through in-app settings.

4.2 Performance of a Contract (Article 6(1)(b))

Processing is necessary to perform the contract between the user and the Company, including delivery of paid Services and provision of limited functionality under the free tier, including:

• Delivering paid Services
• Providing limited functionality under the free tier

Without such processing, the Services cannot function as intended.

This includes processing account identifiers and, where enabled by the user, storing limited textual request history to provide continuity of service.

4.3 Legitimate Interests (Article 6(1)(f))

The Company may process limited technical data to:

• Maintain service reliability
• Prevent misuse
• Ensure security

Such processing does not override users' fundamental rights and freedoms.

5. Special Categories of Data (Article 9 GDPR)

The Company does not intentionally collect special categories of personal data. However, such data may be incidentally processed if it appears on the user's screen.

In such cases, processing is based on:

• Explicit user consent
• User-initiated actions

The Company does not retain or further process such data beyond the requested operation.

6. Data Minimization and Retention

• Screen content is processed ephemerally through the Company's backend systems in volatile memory and discarded immediately after the requested processing is completed.
• The Company does not store, archive, or create historical records of screen content or screenshots.
• Account-related data (such as email address and user identifiers) is retained for the duration of the user account or as required by applicable law.
• When enabled by the user, textual request history is retained until deleted by the user or until the account is terminated, subject to legal retention obligations.

7. Data Processors and International Transfers

Screen content may be transmitted to the Company's backend systems and subsequently forwarded to third-party AI service providers acting as data processors.

Such processing may involve transfers outside the EU/EEA/UK.

Where applicable, transfers are safeguarded by:

• Adequacy decisions
• Standard Contractual Clauses (SCCs)
• Equivalent contractual protections provided by the processor

8. User Rights Under GDPR

Users have the right to:

• Access their personal data (Article 15)
• Rectification (Article 16)
• Erasure ("right to be forgotten") (Article 17)
• Restriction of processing (Article 18)
• Data portability (Article 20)
• Object to processing based on legitimate interests (Article 21)
• Withdraw consent at any time (Article 7)

Given the ephemeral nature of screen content processing, certain rights (e.g., access or erasure) may be limited with respect to screen data. However, users retain full GDPR rights with respect to stored account information and textual request history.

9. Automated Decision-Making

The Services do not engage in automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

AI-generated outputs are assistive and advisory only. AI-generated outputs do not constitute professional, legal, medical, or financial advice.

10. Security Measures

The Company implements appropriate technical and organizational measures to protect personal data, including encryption in transit and access controls.

However, no method of transmission or processing is completely secure.

11. Complaints and Supervisory Authority

Users have the right to lodge a complaint with a supervisory authority in their EU Member State or the UK Information Commissioner's Office (ICO).

12. Contact