Data Processing Notice Effective Date: 16 March 2026 Last Updated: 16 March 2026 Service: AiEasyPDF.com Company: Dantium Technologies Limited (Company No. 09439021), trading as AiEasyPDF.com Registered Office: 34 Birch Road, Wolverhampton, UK, WV11 2HA 1. Purpose of this notice This Data Processing Notice explains how personal data is processed when you use AiEasyPDF.com. It is a customer information document describing how data is used in connection with account services, PDF processing, AI features, billing, support, and security operations. This notice should be read together with our Privacy Policy, Cookie Policy, Terms and Conditions, and any applicable Data Processing Agreement. 2. Legal framework by region United Kingdom Data processing is governed by the UK GDPR and Data Protection Act 2018. Where we process personal data on behalf of business customers, processor terms and Article 28 contract requirements apply. European Union and EEA Data processing is governed by the EU GDPR and related ePrivacy requirements. Where we act as processor, Article 28 contractual terms apply. United States US privacy requirements are state-based. For California residents, the CCPA and CPRA provide rights including access, deletion, correction, portability, and opt-out rights where applicable. Authoritative legal references: ICO UK GDPR guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/ ICO processor contract guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/what-needs-to-be-included-in-the-contract/ EU GDPR Article 28: https://gdpr-info.eu/art-28-gdpr/ California AG CCPA and CPRA resources: https://oag.ca.gov/privacy/ccpa California Privacy Protection Agency: https://cppa.ca.gov/faq.html 3. Controller and processor roles When we act as controller For account registration, authentication, billing administration, service communications, abuse prevention, and legal compliance, Dantium Technologies Limited acts as a data controller. When we act as processor For customer-uploaded document content processed through PDF and AI workflows, we may act as processor on customer instructions, particularly for business and enterprise use cases. In these cases, the customer remains controller for that content. Where a signed Data Processing Agreement applies, the DPA governs role allocation and processing terms. 4. Categories of data processed 4.1 Account and authentication data We process account email, optional profile name, password hash, session state, account role, and account status information. 4.2 Uploaded files and derived document data We process uploaded files, file metadata (such as filename, type, size, and page count), extracted document text, and related processing outputs required to provide document services. 4.3 AI interaction data We process chat sessions, prompts, responses, and related citation or context data used to deliver AI-assisted features. 4.4 Subscription and billing data We process subscription records, billing status metadata, and payment event records required to manage paid plans and compliance obligations. Payment details are handled by payment providers. 4.5 Security and operational data We process service logs and security-relevant records used for fraud prevention, abuse control, incident investigation, and platform integrity. 4.6 Consent and analytics data We process consent preferences and, where consent is provided, analytics data used to measure usage and improve service quality. 5. Purposes of processing Personal data is processed for the following purposes: - to provide account access and core PDF services, - to process documents and deliver requested AI features, - to administer plans, credits, and subscriptions, - to provide customer support, - to maintain security, prevent abuse, and manage incidents, - to meet legal, regulatory, and financial recordkeeping obligations, - to measure and improve product performance where permitted. 6. Legal bases for processing Depending on context and jurisdiction, processing is based on one or more of: - performance of a contract, - legitimate interests, - consent (for optional activities where required), - compliance with legal obligations. Where we act as processor, processing is carried out on documented customer instructions and contractual terms. 7. Storage, retention, and deletion Data is retained only as long as necessary for service delivery, security, legal obligations, and legitimate operational needs. Current operational retention settings referenced in the platform include: - document records and content: up to 365 days, - chat sessions and messages: up to 180 days, - security and usage logs: up to 90 days, - billing and accounting records: retained in line with legal requirements. Actual retention may vary where legal obligations, disputes, fraud prevention, or contractual requirements require extended retention. 8. International transfers Where personal data is transferred outside the UK or EEA, appropriate transfer safeguards are applied as required by law, including adequacy mechanisms and approved contractual transfer clauses where applicable. 9. Subprocessors and service providers We use service providers to support infrastructure, AI operations, billing, communications, and security. Providers are required to meet contractual data protection and confidentiality obligations appropriate to their role. Subprocessor information is available at: /legal/subprocessors 10. Security measures We apply technical and organizational measures designed to protect personal data, including access controls, transport security, abuse controls, monitoring, and operational safeguards. Security measures are reviewed and updated as part of ongoing risk management. 11. Data rights and requests Customers may submit data rights requests in accordance with applicable law, including access, correction, deletion, restriction, portability, and objection rights where available. Contact for privacy and data processing requests: privacy@aieasypdf.com support@aieasypdf.com 12. Business and enterprise DPA requests For business and enterprise accounts requiring formal processor terms, a Data Processing Agreement can be requested. Contact: support@aieasypdf.com Subject line: DPA Request 13. Changes to this notice We may update this notice from time to time to reflect legal, operational, or service changes. The Last Updated date indicates the latest revision. 14. Contact details Dantium Technologies Limited Company No. 09439021 Registered office: 34 Birch Road, Wolverhampton, UK, WV11 2HA Privacy contact: privacy@aieasypdf.com Support contact: support@aieasypdf.com This document is provided for customer information and does not constitute legal advice.