Privacy Policy

Last Updated on February 1, 2026

About Runflow

Runflow is a digital service operated and managed by BETTERGROUP HOLDING INC ("Runflow"). For the purposes of this Policy, references to "Runflow" shall pertain to the digital service provided by BETTERGROUP HOLDING INC. All matters related to Runflow, including this Privacy Policy, are governed by the laws of the United States and the State of Delaware.

Controller and Representatives

Data Controller: BETTERGROUP HOLDING INC ("Runflow")

Contact for privacy matters: gdpr@bettergroup.io

Registered office: 1111B S Governors Ave, STE 37790 Dover Delaware 19904 United States

EU Representative (GDPR Article 27)

Name: Ria Pardeep

Email: ria@workstreet.com

Acts as our representative in the EU for GDPR-related inquiries from individuals and supervisory authorities.

UK Representative (UK GDPR Article 27)

Name: Daniel June

Email: daniel@workstreet.com

Acts as our representative in the UK for UK GDPR-related inquiries from individuals and the ICO.

For fastest handling of data subject requests, contact gdpr@bettergroup.io; you may also contact the applicable representative above for EU/UK matters.

1. Scope and Definitions

Scope. This Personal Data Protection Policy (the "Policy") describes Runflow's internal rules for personal data processing and protection. The Policy applies to Runflow, including Runflow employees and contractors ("we", "us", "our", "Runflow"). The management of each entity is ultimately responsible for the implementation of this Policy, as well as for ensuring that, at entity level, there are adequate and effective procedures in place for its implementation and ongoing compliance.

Privacy Manager. The Privacy Manager is an employee of Runflow responsible for personal data protection compliance within Runflow (the "Privacy Manager"). The Privacy Manager is in charge of performing the obligations imposed by this Policy and supervising other employees regarding their adherence to this Policy. The Privacy Manager must be involved in all projects at an early stage in order to take personal data protection aspects into account.

Definitions

Competent Supervisory Authority means a public authority that is responsible for regulating and supervising personal data protection with regard to the activities of Runflow.

Data Breach means a breach of the security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the data controller.

Data Protection Laws mean any laws and legal rules on personal data use and protection applicable to the activities of Runflow, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.

Data Subject Request (DSR) means any request from the Data Subject concerning their personal data and/or data subject rights.

Data Subject means a natural person, whose Personal Data we process. Data Subjects include but are not limited to users, website visitors, employees, contractors, and partners of Runflow.

Personal Data means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or a combination of factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

Processing means any operation or set of operations which is performed by Runflow on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Standard Contractual Clauses means the European Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).

Third Party means a natural or legal person, who accesses the Personal Data for further processing and is not an employee, member or corporate affiliate of Runflow.

User means a Data Subject who uses our services provided on Runflow's website.

2. Data Processing Principles

2.1 Runflow's processing activities must be in line with the principles specified in this Section. The Privacy Manager must make sure that Runflow's compliance documentation, as well as data processing activities, are compliant with the data protection principles.

2.2 We must process the Personal Data in accordance with the following principles:

  • Lawfulness, fairness and transparency. We shall always have a legal ground for the processing, collect the amount of data adequate to the purpose and legal grounds, and we make sure the Data Subjects are aware of the processing.
  • Purpose limitation. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimization. Adequate, relevant and limited to what is necessary for the purposes for which they are processed.
  • Accuracy. Accurate and, where necessary, kept up to date. Data Subjects can ask us for a correction of the Personal Data.
  • Storage period limitation. Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
  • Confidentiality, integrity, and availability. Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.

2.3 Accountability

We shall be able to demonstrate our compliance with Data Protection Laws (accountability principle). In particular, we must ensure and document all relevant procedures, efforts, internal and external consultations on personal data protection including:

  • The fact of appointing a person responsible for Runflow's data protection compliance;
  • Where necessary, a record of a Data Processing Impact Assessment;
  • Developed and implemented notices, policies, and procedures;
  • The fact of staff training on compliance with Data Protection Laws;
  • Assessment, implementation, and testing of organizational and technical data protection measures.

The Privacy Manager must maintain Runflow's Records of processing activities, prepared in accordance with Art. 30 of the GDPR.

3. Access to Personal Data. Legal Grounds and Purposes

3.1 Legal Grounds

Each processing activity must have one of the lawful grounds specified in this Section to process the Personal Data. If we do not have any of the described grounds, we cannot collect or further process the Personal Data.

Performance of the contract. Where Runflow has a contract with the Data Subject, e.g. the website's Terms of Use or the employment contract, and the contract requires the provision of personal data from the Data Subject.

Consent. To process the personal data based on the consent, we must obtain the consent before the Processing and keep the evidence of the consent. The consent must be freely given, in the form of an active indication, with clearly articulated purposes.

Legitimate interests. We have the right to use personal data in our 'legitimate interests'. The interests can include the purposes that are justified by the nature of our business activities, such as the marketing analysis of personal data.

Legal Compliance and Public Interest. We might be requested by the laws of the European Union or laws of the EU Member State to process Personal Data of our Users.

3.2 Access to Personal Data

Employees must have access to the personal data on a "need-to-know" basis. The data can be accessed only if it is strictly necessary to perform one of the activities specified in the Records of processing activities.

All employees accessing personal data shall keep strict confidentiality regarding the data they access. When an employee detects or believes there is suspicious activity, data breach, or non-compliance, the employee must report such activity to the Privacy Manager.

4. Third Parties

Before sharing personal data with any person outside of Runflow, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provides sufficient data protection guarantees in accordance with Data Protection Laws.

An employee can share personal data with third parties only if and to the extent that was directly prescribed by the manager and specified in the Records of processing activities.

If we are required to delete, change, or stop the processing of the Personal Data, we must ensure that the Third Parties, with whom we shared the Personal Data, will fulfill these obligations accordingly.

5. International Transfers

If we have employees, contractors, corporate affiliates, or Data Processors outside of the EEA, and we transfer Personal Data to them for processing, the Privacy Manager must make sure Runflow takes all necessary and appropriate safeguards in accordance with Data Protection Laws.

As a part of the information obligations, Runflow must inform the Data Subjects that their Personal Data is being transferred to other countries, as well as provide them with the information about the safeguards used for the transfer.

UK transfers. For transfers from the United Kingdom, we rely on approved UK transfer tools such as the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA), as appropriate.

6. Rights of Data Subjects

6.1 Our Responsibilities

The Privacy Manager is ultimately responsible for handling all DSRs received by Runflow. All DSRs from Users must be addressed to and answered from: gdpr@bettergroup.io.

The responsible employee must answer the DSR within one (1) month from receiving the request. If complying with the DSR takes more than one month, the Data Subject must be informed about the prolongation for up to two (2) additional months.

6.2 The right to be informed

Runflow must notify each Data Subject about the collection and further processing of the Personal Data. The information includes: the name and contact details of Runflow; purposes and lawful basis for data collection; categories of Personal Data collected; recipients; retention periods; and information about data subject rights.

6.3 The right to access the information

A Data Subject has the right to:

  • Learn if we process the Data Subject's Personal Data;
  • Obtain disclosure regarding aspects of the processing, including purposes, categories, recipients, retention periods, and rights;
  • Obtain a copy of the Personal Data undergoing processing upon request.

6.4 The right to rectification

If we find that the Personal Data is inaccurate or the Data Subject requests us to do so, we must ensure that we correct all mistakes and update the relevant information.

6.5 The right to restrict processing

This right applies when the Data Subject contests the accuracy of the Personal Data, believes that we process the Personal Data unlawfully, or objects against the processing.

6.6 The right to withdraw consent

For the activities that require consent, the Data Subject can revoke their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing done before the withdrawal.

6.7 The right to object against processing

If we process the information in our legitimate interests, e.g., for direct marketing emails or for our marketing research purposes, the Data Subject can object against the processing.

6.8 Right to erasure / to be forgotten

The Data Subjects have the right to request us to erase their Personal Data if:

  • Personal Data is no longer necessary for the purposes of collection;
  • The Data Subject revokes consent or objects to the processing and there is no other legal ground;
  • We process the Personal Data unlawfully or its erasure is required by applicable legislation.

6.9 Data portability

Data Subjects can ask us to transfer all the Personal Data and/or its part in a machine-readable format to a third party. This right applies when personal data was collected for the purpose of provision of our services or based on consent.

How to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

  • EU: Your local Data Protection Authority.
  • UK: The Information Commissioner's Office (ICO).

Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing that produce legal effects or similarly significant effects within the meaning of GDPR/UK GDPR. We use machine learning to process AI inference requests, but these processes do not determine rights or obligations about you.

Children's Privacy

Our Service is not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at gdpr@bettergroup.io so we can take appropriate action.

7. New Data Processing Activities

7.1 Notification to Privacy Manager

Before introducing any new activity that involves the processing of personal data, an employee responsible for its implementation must inform the Privacy Manager.

7.2 Data Processing Impact Assessment

To make sure that our current or prospective processing activities do not violate the Data Subjects' rights, Runflow must, where required by Data Protection Laws, conduct the Data Processing Impact Assessment (DPIA). A DPIA is required when:

  • The processing involves the use of new technologies that create certain legal, economic or similar effects for the Data Subject;
  • We systematically assess and evaluate personal aspects of Data Subjects based on automated profiling;
  • We process sensitive data on a large scale;
  • We collect or process Personal Data from publicly accessible areas or public sources on a large scale;
  • The Supervisory Authority requires conducting a DPIA for a certain type of activity.

8. Data Retention

8.1 General Rule

The Privacy Manager must make sure that Runflow has clearly defined the data storage periods and/or criteria for determining the storage periods for each processing activity. After the storage period ends, the personal data must be removed or destroyed completely, including from back-up copies and other media.

8.2 Specific Retention Periods for User Data

Input Data: Input data uploaded to our Service is stored for up to 1 year to enable re-processing and provide customer support. Users may request instant deletion via the user interface or API.

Processed AI Models: AI models created from user data are stored for up to 3 years. These models are encrypted at rest and non-reusable across different accounts.

Output Data: Generated outputs from our Service are stored for up to 3 years and can be deleted upon request at any time.

Customer Account Data: Customer data including email addresses, account information, and metadata are stored as long as the account remains active and deleted within 90 days after a full account deletion request is processed.

Data Location: Primary customer data storage is in the EU (Frankfurt region). Some customer data is stored in the US using secure data centers. GPU processing may occur in EU/US data centers, with all data encrypted in transit and at rest.

8.3 Exemptions

Business needs. Data retention periods can be prolonged, but no longer than 60 days, in the case that the data deletion will interrupt or harm our ongoing business. The Privacy Manager must approve any unforeseen prolongation.

Anonymization. If we anonymize the Personal Data, the restrictions and requirements of Data Protection Laws no longer apply to the anonymized data. To consider the data anonymous, it must be impossible to reidentify the Data Subject from the data set.

9. Data Breach

Runflow must report any data breach that poses a risk to Data Subjects to the competent Supervisory Authority within 72 hours after becoming aware of such a breach. Where possible, Runflow must also notify the affected Data Subjects without undue delay.

The Privacy Manager must maintain a record of all data breaches, including facts, effects, and remedial actions taken.

10. Changes to This Policy

Runflow reserves the right to make changes to this Policy at any time by notifying its Users on this page. We strongly recommend checking this page often, referring to the date of the last modification listed at the top. If a User objects to any of the changes to the Policy, the User must cease using Runflow and can request that we remove the Personal Data.

If you have any questions about this Privacy Policy or our data practices, please contact us at gdpr@bettergroup.io.