Dear User,

This document, prepared pursuant to Article 13 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), describes how your personal data are processed when you browse the website www.compri.ai (hereinafter referred to as the "Website").

1. Data Controller and contact details

Compri s.r.l. (hereinafter also referred to as "Compri" or the "Data Controller") is the data controller within the meaning of Article 4(7) GDPR. The Data Controller may be contacted at privacy@compri.ai or at its registered office at Via Luigi Porro Lambertenghi 7, 20159, Milan, Italy.

2. Categories of personal data processed

While browsing the Website, the following categories of personal data may be processed:

• Identification data: first name, last name, date of birth, place of birth, IP address

• Contact data: e-mail address, telephone number

• Usage data: information on use collected automatically (e.g., pages visited, browsing patterns, and interaction with Website elements)

3. Purposes of processing and legal basis

Personal data will be processed for specific purposes, each supported by a legal basis. The table below sets out such purposes, the corresponding legal basis, and the categories of data processed.

Website management

Management of the website infrastructure, including technically necessary cookies strictly required for the operation of the Website. Legal basis: Performance of a contract at the request of the data subject (Art. 6(1)(b) GDPR) Data processed: Identification data, usage data

Service improvement

Analysing user activities to identify improvements to the browsing experience. Legal basis: Legitimate interest of the Data Controller in improving its product (Art. 6(1)(f) GDPR) Data processed: Identification data, usage data

Information requests

Managing information requests submitted through the website. Legal basis: Performance of a contract at the request of the data subject (Art. 6(1)(b) GDPR) Data processed: Identification data, contact data

Security

Management of the security of the infrastructure. Legal basis: Legitimate interest of the Data Controller in ensuring the security of the Website (Art. 6(1)(f) GDPR) Data processed: Identification data, usage data

Legal compliance

Fulfilment of applicable legal obligations. Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR) Data processed: Identification data, contact data

Legal proceedings

Defending and/or asserting the Data Controller's rights in legal proceedings. Legal basis: Legitimate interest of the Data Controller in defending its rights in legal proceedings (Art. 6(1)(f) GDPR) Data processed: Identification data, contact data, usage data

Further detail on each of the purposes described above is provided below.

Website management — In order to ensure the stability of the connection to the Website and the ordinary functioning of the internet protocol, certain usage data are used, including technically necessary cookies strictly required for the operation of the Website. Processing is carried out as necessary to perform a service requested by the data subject pursuant to Article 6(1)(b) GDPR.

Service improvement — Information relating to the user's activities is used to evaluate improvements to the service. Malfunctions, for example, may be used to modify the functioning of a web page. Processing is carried out on the basis of the Data Controller's legitimate interest in improving the application's performance and the user experience, pursuant to Article 6(1)(f) GDPR.

Management of information requests — Where you submit an information request through the dedicated form, we will use the information provided therein — first name, last name, e-mail address, and subject of the message — to respond to your request. Processing is carried out as necessary to perform a service requested by the data subject pursuant to Article 6(1)(b) GDPR.

Security — Information relating to user activities within the system, and in particular the logs generated, is used for security purposes, including detecting anomalous behaviour and potential cyberattacks. Processing is carried out on the basis of the Data Controller's legitimate interest in ensuring the security of the infrastructure and the personal data stored therein, pursuant to Article 6(1)(f) GDPR.

Legal compliance — Certain data are processed in order to comply with specific legal obligations, including those relating to regulatory compliance. Processing is carried out as necessary to fulfil a legal obligation pursuant to Article 6(1)(c) GDPR.

Legal proceedings — In the event of a dispute between Compri and a user, personal data may be used to assert the Data Controller's rights or to defend against claims brought by the user in legal proceedings. In such cases, it is not possible to determine in advance the specific data that will be processed, but only those data necessary to establish the Data Controller's rights will be used. Processing is carried out on the basis of the Data Controller's legitimate interest in defending its rights in legal proceedings, pursuant to Article 6(1)(f) GDPR.

4. Cookies and tracking technologies

This website uses cookies and other tracking tools to ensure the correct functioning of the network and to carry out statistical analyses. You may choose which cookies to install, based on their purpose, by interacting with the cookie banner that appears the first time you visit the website, and you may subsequently change your preferences using the "Cookie preferences" function.

For further information, please refer to the Cookie Policy.

5. Data retention periods

Your personal data will be retained for the period necessary to fulfil the purposes for which they were collected.

• Usage and browsing data: retained for a maximum of 1 (one) year

• Data processed in pursuit of legal obligations: retained for a maximum of 10 (ten) years, depending on the specific applicable legislation

• Identification data and contact data: deleted only upon the deletion of the personal account, if applicable

• Data processed for legal proceedings: retained until the judgment in the relevant proceedings becomes final and non-appealable (res judicata)

6. Scope of data circulation and international transfers

Compri carries out its data processing activities directly through its own organisation, using duly designated and instructed authorised persons, as well as external companies that provide services on behalf of the Data Controller, including in the capacity of data processors.

In such cases, Compri ensures that such third parties process data with a level of protection adequate to safeguard the rights and freedoms of data subjects. The updated list of data processors acting on behalf of the Data Controller is available upon request to privacy@compri.ai.

Upon duly reasoned request from a judicial authority, and exclusively where the relevant legal conditions are met, data may also be disclosed to such authority for the purposes of prevention and investigation of criminal offences.

Any transfer of personal data outside the European Economic Area (EEA) is carried out in compliance with Chapter V of the GDPR.

7. Nature of data provision

The provision of personal data is optional. However, in its absence, it may not be possible to access some or all of the Website's features. The provision of technical data — i.e., data inherent in the use of the HTTP protocol and technical cookies — cannot be avoided, as it is necessary to ensure the connection.

8. How personal data are protected

Compri is committed to implementing appropriate technical and organisational measures necessary to maintain and ensure the confidentiality, integrity, and security of personal data, and to protect such data against any loss, misuse, alteration, or unauthorised access. The Data Controller also carries out periodic audits of its systems in order to identify any vulnerabilities and potential attacks.

9. Data subjects' rights

You may at any time, where applicable, request from the Data Controller: access to your personal data, rectification, erasure, or restriction of processing. Where the relevant legal conditions are met, you may also object to the processing of your data (Articles 15 et seq. GDPR).

To exercise your rights, please contact the Data Controller at privacy@compri.ai. You may also delete your account and update your personal information through the dedicated section of the Website.

Should you consider that the processing of your personal data has been carried out in violation of applicable data protection law, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante) (Art. 77 GDPR — https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali) or to bring a judicial remedy before the competent courts (Art. 79 GDPR and Art. 140-bis of Legislative Decree No. 196/2003).

Last updated: 12 March 2026