Privacy Policy Effective Date: 15 March 2026 Last Updated: 15 March 2026 Controller Identity Dantium Technologies Limited (Company No. 09439021), registered in England and Wales, trading as AiEasyPDF Registered office: 34 Birch Road, Wolverhampton, UK, WV11 2HA Contact email for privacy matters: privacy@aieasypdf.com General support contact: support@aieasypdf.com 1. Purpose and Scope This Privacy Policy describes how Dantium Technologies Limited, trading as AiEasyPDF, collects, uses, discloses, stores, transfers, and otherwise processes personal data in connection with AiEasyPDF.com and related services. This Policy applies to individuals who access or use the website, create accounts, upload documents, use AI and PDF features, contact support, or use subscription and billing functionality. This Policy is intended to support UK, EU/EEA, and US operations. Additional notices may apply where required by applicable law. 2. Controller and Processor Roles For account administration, authentication, service delivery, billing administration, customer support, fraud and abuse prevention, and compliance operations, Dantium Technologies Limited acts as data controller. Where Dantium Technologies Limited processes document content solely on behalf of a business customer under contract, Dantium Technologies Limited may act as processor and the customer acts as controller. In those cases, the applicable contract and Data Processing Agreement govern the processor relationship. 3. Categories of Personal Data Depending on service usage, we may process the following categories of personal data: a) Account and identity data, including email address, account identifiers, and authentication/session data. b) Subscription and billing metadata. c) Uploaded files and extracted document text. d) Prompt and response data generated through AI/PDF features. e) Technical, usage, and security data, including IP-related logs, device/browser data, timestamps, and event logs. f) Support communications and related records. g) Consent and preference records, including cookie/privacy preference selections. 4. Sources of Personal Data We collect personal data: a) Directly from users. b) Automatically through use of the Service. c) From service providers used for billing, communications, and operations. d) From security and operational systems used to protect the Service. 5. Purposes of Processing We process personal data for the following purposes: a) Providing and operating the Service. b) Processing uploaded content and generating AI responses. c) Account authentication, session integrity, and security. d) Fraud, abuse, and incident detection/prevention. e) Customer support and service communications. f) Subscription and billing administration. g) Compliance with legal, regulatory, tax, accounting, and enforcement obligations. h) Reliability, diagnostics, and service operations. 6. UK and EU Lawful Bases For UK GDPR and EU GDPR purposes, we rely on one or more lawful bases: a) Contract performance. b) Legitimate interests. c) Consent where required. d) Legal obligation. Where legitimate interests are relied upon, processing is carried out subject to necessity and balancing considerations. 7. EU and EEA Privacy Disclosures Where personal data of users in the European Union or EEA is processed, this section applies in addition to the rest of this Policy. In line with GDPR transparency requirements, users are informed of controller identity, purposes of processing, lawful bases, categories of personal data, categories of recipients, transfer safeguards, retention, and available rights. Subject to applicable law, EU/EEA users may have rights to access, rectification, erasure, restriction, portability, objection, and rights related to certain automated decision-making. Users may contact privacy@aieasypdf.com to exercise these rights. Where required by law, users may also complain to their local EU supervisory authority. For users in the EU/EEA, non-essential cookies and similar technologies are used only on the basis of consent where required by ePrivacy/GDPR rules. Where personal data is transferred outside the UK/EEA, applicable safeguards are used as described in this Policy (including adequacy decisions and contractual transfer safeguards where required). Dantium Technologies Limited will assess and implement additional governance measures where legally required, including representative and data-protection governance obligations, based on the nature and scale of processing. 7A. US State Privacy Disclosures Where applicable US state privacy laws apply, users may have statutory rights as described in this Policy. Definitions of terms such as sale, share, targeted advertising, sensitive data, and profiling vary by state law. This Policy should be read using applicable statutory definitions in the user’s state of residence. 8. Disclosure of Personal Data We may disclose personal data to categories of recipients including: a) Hosting and infrastructure providers. b) Payment providers. c) Email and communications providers. d) Monitoring and analytics providers. e) Professional advisers and auditors. f) Competent authorities where required by law. Subprocessor information is published at /legal/subprocessors. 9. International Transfers Where personal data is transferred outside the UK and/or EEA, transfer safeguards are applied where required by law. These may include adequacy mechanisms and contractual safeguards, including UK IDTA, UK Addendum, and/or SCC-based arrangements, as applicable. 10. Data Retention Personal data is retained for no longer than necessary for the purposes in this Policy, subject to legal/compliance, accounting, security, and dispute requirements. Current draft operational windows: a) Document records/content: up to 365 days unless earlier deletion or contractual override applies. b) Chat records: up to 180 days. c) Security/usage logs: up to 90 days, unless legal or security obligations require longer. d) Billing/accounting records: up to 6 years where required. e) Opt-out/suppression records: retained as necessary to enforce communication and consent preferences. 11. Security We apply technical and organisational measures proportionate to risk, including access controls, encryption in transit, encryption at rest where applicable, monitoring, and incident response procedures. No online service can guarantee absolute security. 12. Rights of Individuals and Consumers Subject to applicable law, users may have rights to: a) Access personal data. b) Correct inaccurate data. c) Request deletion, including the UK/EU right to erasure (often referred to as the right to be forgotten), subject to legal exceptions. d) Restrict or object to certain processing. e) Request portability. f) Withdraw consent where consent is the legal basis. Where US state law applies, rights may also include: g) Opt out of sale/sharing. h) Opt out of targeted advertising. i) Opt out of certain profiling/automated decision activities. j) Appeal a denied request where required by law. 12A. Right to Be Forgotten and Deletion Limitations UK and EU/EEA users may request erasure under GDPR Article 17 where legal grounds apply, including where data is no longer necessary, consent is withdrawn (where consent is the basis), or processing is unlawful. US users in applicable states may request deletion of personal data, subject to statutory scope and exceptions under the law of their state of residence. Deletion requests may be refused in whole or in part where retention is required or permitted by law, including for legal claims, security/fraud prevention, compliance obligations, accounting/tax records, freedom of expression/information rights, or other statutory exceptions. Where we cannot fully delete data, we will explain the legal basis for refusal or partial refusal where required by law. 13. Rights Request Channels and Timelines Rights requests may be submitted to privacy@aieasypdf.com. Alternative contact for assistance: support@aieasypdf.com. Subject lines: Data Rights Request (UK/EU/general) US Privacy Request (US state requests) Response timelines: a) UK/EU rights requests: generally within one month, subject to lawful extension of up to two additional months where permitted. b) US state requests: generally within 45 days, subject to lawful extension (typically up to an additional 45 days where permitted). Identity verification may be required before fulfillment. Where required by US state law, users may appeal a denied request using the same privacy contact channel. Additional process information is available at /legal/data-rights-requests. 14. Sale, Sharing, and Targeted Advertising Statement AiEasyPDF does not sell personal data for monetary consideration in the ordinary commercial sense. However, certain third-party technologies may be classified as sale, sharing, or targeted advertising under specific US state statutory definitions. Where required, users are provided with opt-out controls through preference settings and request channels. California residents may have additional rights under CCPA/CPRA, including rights related to sensitive personal information and opt-out rights for sharing for cross-context behavioral advertising. 15. Automated Processing and AI The Service uses automated and AI-assisted processing to analyze uploaded content and generate responses. Users should independently review outputs before relying on them, especially for legal, regulatory, financial, medical, employment, or other high-impact decisions. The Service is not a substitute for regulated professional advice. 16. Cookies and Similar Technologies The Service uses strictly necessary cookies and optional technologies, subject to legal requirements and user choices. Further details are provided in the Cookie Policy at /legal/cookie-policy. 17. Children The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13 without lawful authorization. 18. Personal Data Breaches Where a personal data breach occurs, we assess and perform notification obligations under applicable law. For UK GDPR and EU GDPR contexts, notifiable breaches are reported to the competent authority without undue delay and, where required, within statutory timelines including 72-hour notification rules. Affected individuals are notified where required by law. 19. Complaints and Supervisory Authorities Users may contact privacy@aieasypdf.com regarding privacy concerns. UK users may lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/. EU/EEA users may lodge a complaint with their local supervisory authority (see https://edpb.europa.eu/about-edpb/about-edpb/members_en). US users may submit complaints to their state attorney general or other competent authority where applicable. 20. Changes to This Policy This Policy may be amended from time to time. Updated versions will include a revised Last Updated date. Material changes will be communicated where required by law. 21. Legal Status of This Document Final legal obligations are determined by applicable law and binding contractual documents in force between the parties.