PRIVACY POLICY
Saifion ApS
Last updated: April 2026
CVR: 46208145
This Privacy Policy describes how Saifion ApS (“Saifion”, “we”, “us”, “our”), CVR 46208145, collects, uses, stores and shares personal data in connection with the Saifion platform and associated services. This policy applies to all users of our website (saifion.com) and platform.
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), the EU AI Act (Regulation (EU) 2024/1689), and all other applicable data protection laws.
1. Data Controller and Data Processor
1.1 When Saifion is data controller
Saifion is the data controller for personal data we collect directly from you in connection with your use of our website and platform, including account registration, customer support, marketing and website analytics. As data controller, we determine the purposes and means of processing your personal data.
1.2 When Saifion is data processor
When Saifion processes data on behalf of a customer (for example, data from the customer's Shopify integration, supplier contacts, or shipment documentation), Saifion acts as a data processor. In such cases, the customer is the data controller, and the processing is governed by a separate Data Processing Agreement (DPA), available at saifion.com/dpa.
Saifion does not determine the purposes or means of processing Customer Data from integrations — the customer does. Saifion only processes such data in accordance with the customer's documented instructions and the DPA. The DPA is accepted electronically when the customer accepts the Terms of Service and this Privacy Policy; no separate signature is required. This electronic acceptance satisfies the written-form requirement of GDPR Article 28(9). Enterprise customers that require a bilateral, individually negotiated DPA may request one by contacting legal@saifion.com before activating the Platform.
1.3 Data shared with Shipping Agents
When the Customer uses Saifion's freight brokerage services, certain data (shipment details, contact information, goods descriptions) is shared with independent Shipping Agents to facilitate transport. In this context, the Shipping Agent is an independent data controller for the data it receives and processes in connection with the freight services. The Customer should review the Shipping Agent's own privacy policy. Saifion is not responsible for the Shipping Agent's data processing practices.
1.4 Data Protection Officer
Given the current size and nature of our operations, Saifion has not yet appointed a formal Data Protection Officer (DPO) under GDPR Article 37. However, data protection inquiries are handled by our management team, who can be reached at contact@saifion.com. Saifion will appoint a DPO if and when required by law or as the scope of data processing expands.
1.5 Contact information
Saifion ApS
CVR: 46208145
Email: contact@saifion.com
Website: saifion.com
2. Personal Data We Collect
| Source | Data categories | Examples |
|---|---|---|
| You provide directly | Contact, account, payment, correspondence, shipment info | Name, email, VAT (CVR), HS codes, goods descriptions, billing address |
| Collected automatically | Technical data, usage data, cookies (see Section 10) | IP address, browser type, page views, login history |
| Third-party integrations | Integration data, supplier data, shipment documents, authentication | Orders, inventory, bills of lading, tracking data (via Clerk) |
Payment card numbers and bank account details are handled exclusively by our payment provider and are never stored by Saifion. We do not collect special categories of personal data (GDPR Art. 9), end-consumer data from customer webshops, or data from individuals under 18.
3. Purpose and Legal Basis for Processing
| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Providing the Platform and services | Contact, account, integrations, shipment and supplier data | Art. 6(1)(b) - Performance of contract |
| Facilitating freight brokerage | Contact, shipment and supplier data shared with Shipping Agents | Art. 6(1)(b) - Performance of contract |
| AI-powered data processing and automation | All data categories above | Art. 6(1)(b) - Contract + Art. 6(1)(f) - Legitimate interest |
| Invoicing and accounting | Contact and payment data | Art. 6(1)(c) - Legal obligation (Danish Bookkeeping Act) |
| Improving the Platform and AI models | Aggregated and anonymized usage data only | Art. 6(1)(f) - Legitimate interest |
| Customer support and communication | Contact data, correspondence | Art. 6(1)(b) + Art. 6(1)(f) |
| Legal compliance (AML, customs, tax, sanctions screening) | Contact, shipment, transaction data | Art. 6(1)(c) - Legal obligation |
| Marketing and newsletters (B2B) | Contact data | Art. 6(1)(f) - Legitimate interest (existing B2B) or Art. 6(1)(a) - Consent |
| Security, fraud prevention and sanctions screening | Technical data, usage data, shipment data | Art. 6(1)(f) - Legitimate interest + Art. 6(1)(c) - Legal obligation |
Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may request details of any such balancing test by contacting us.
4. AI and Automated Decision-Making
4.1 How we use AI
The Saifion Platform uses artificial intelligence and automated systems, primarily Anthropic's Claude (including Claude Code) and Google's Gemini, to:
- Process import documents and extract relevant data automatically
- Calculate landed costs based on freight data, duties and fees
- Analyze inventory and suggest reorder timing
- Assist with supplier communication and document collection
- Generate cost breakdowns for freight services
- Classify goods with HS codes and estimate duties
- Calculate CO₂ emissions for shipments
- Analyze freight rates and suggest optimal shipping routes
4.2 Human oversight
Our AI systems are designed as tools that assist — not replace — human decision-making. In accordance with GDPR Art. 22 and the EU AI Act, you have the right to:
- Be informed that you are interacting with an AI system
- Receive a meaningful explanation of AI-generated recommendations and calculations
- Request human review of any AI-generated decision that significantly affects your business
- Object to decisions based solely on automated processing
- Receive information about the general logic behind our AI systems
No solely automated decision that produces legal effects or similarly significantly affects data subjects is made without the possibility of human review and intervention.
4.3 AI transparency
Our AI systems are classified and documented in accordance with the EU AI Act risk framework. We have conducted a Data Protection Impact Assessment (DPIA) under GDPR Article 35 for all AI processing activities. The DPIA is reviewed annually or when processing changes materially. We maintain records of our AI systems, their intended purpose, risk classification and the measures taken to ensure compliance. The following information is available upon request:
- The categories of data processed by each AI system
- The general logic and decision-making criteria used
- The measures taken to ensure accuracy and prevent bias
- The human oversight mechanisms in place
- Risk classification documentation under the EU AI Act
4.4 Data minimization for AI
Our AI systems are configured to access only the data necessary for the specific task. We apply the principle of data minimization to all AI processing and document why each data field is required. Where feasible, personally identifiable information is stripped or pseudonymized before transmission to AI providers.
4.5 Profiling
Saifion's AI systems may analyze Customer import patterns, order frequency and shipment history to generate recommendations (e.g. optimal shipping routes, reorder timing). This constitutes profiling under GDPR Article 4(4). However, no such profiling produces legal effects or similarly significantly affects you as defined in Art. 22(1). All AI-generated recommendations are advisory and require your active decision before any action is taken. You may object to profiling at any time under Art. 21 by contacting us.
5. Sharing of Personal Data
5.1 Sub-processors
We share personal data with the following categories of sub-processors, each bound by a signed Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA):
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Login credentials, email, name | US (EU SCC) |
| Convex | Database hosting and real-time data | All Customer Data on Platform | US/EU (AWS) |
| Chroma DB | Vector database for AI search and embeddings | Embeddings, document vectors | Self-hosted |
| Anthropic (Claude/Claude Code) | AI: document generation, HS classification, cost analysis, automation | Documents, text, shipment data | US (EU SCC + DPA) |
| Google (Gemini) | AI: data analysis, document processing, classification | Documents, text, shipment data | US/EU (Google Cloud) |
| Dinero (Visma) | Accounting system and invoicing | Invoice data, billing info | EU (Denmark) |
A complete and up-to-date list of sub-processors is available upon request. We provide at least 30 days' notice before adding new sub-processors. If you object to a new sub-processor, you may terminate the agreement in accordance with our Terms of Service.
5.2 Shipping Agents
When you use our freight brokerage services, we share relevant shipment and contact data with the Shipping Agent assigned to your shipment. The Shipping Agent is an independent data controller for the data it processes in connection with the freight services. Saifion is not responsible for the Shipping Agent's data processing practices.
5.3 International data transfers
Several of our sub-processors are established outside the EU/EEA or may process data outside the EU/EEA. Specifically, Anthropic Claude (AI processing), Google Gemini (AI processing), Clerk (authentication), and Convex (database) may process data in the United States. We ensure an adequate level of data protection for all international transfers through:
- EU Commission Standard Contractual Clauses (SCCs) signed with all non-EU sub-processors, using the appropriate module (Module 2: controller-to-processor, or Module 3: processor-to-processor)
- Transfer Impact Assessments (TIAs) documenting the data protection level in each destination country, including an assessment of US surveillance laws (FISA 702, Cloud Act, Executive Order 14086) and their practical impact on the transferred data
- The EU-US Data Privacy Framework (where applicable and as supplementary basis)
- Supplementary technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization of data before AI processing where feasible, role-based access controls, and logging of all cross-border transfers
You have the right to request a copy of the SCCs and TIAs for any specific data transfer by contacting us.
5.4 AI processing and data retention
When your data is sent to Anthropic's Claude models or Google's Gemini models for AI processing (document generation, HS code classification, cost analysis), the following safeguards apply:
- AI providers do not store Customer Data after processing (zero-retention policy)
- Customer Data sent via API is not used for model training by either Anthropic or Google
- Only data necessary for the specific AI task is transmitted (data minimization)
- Where feasible, personally identifiable information is stripped or pseudonymized before transmission
- All API calls are logged with timestamp, data categories and purpose for GDPR Art. 30 compliance
- Data Processing Agreements are in place with both Anthropic and Google specifying security obligations and audit rights
5.5 Data transfers to Asian suppliers
When you use our freight brokerage services, certain shipment and contact data may be shared with Shipping Agents and suppliers located in Asian countries (including China, Vietnam, Bangladesh and others). These transfers are made on your instruction as data controller and are subject to:
- Standard Contractual Clauses where applicable
- Data minimization: only data necessary for the specific shipment is shared (order specifications, contact person)
- Awareness that Asian countries, particularly China (under PIPL), may have different data protection regimes
You may request a copy of the relevant transfer safeguards by contacting us.
5.6 Mandatory disclosure
We may disclose personal data to authorities when required by law, including to the Danish Customs Authority (Toldstyrelsen), the Danish Tax Authority (Skattestyrelsen), the Danish Data Protection Agency (Datatilsynet), law enforcement authorities, or as required by court order. We will not disclose personal data beyond what is strictly required by the applicable legal obligation.
5.7 Other disclosures
We do not sell, rent, or trade personal data to third parties. We may share anonymized and aggregated data (which does not identify any individual) with third parties for analytical, statistical, or research purposes.
6. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. When the retention period expires, personal data is securely deleted or anonymized.
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data | Duration of account + 30 days for export | Contractual necessity |
| Transaction and accounting data | 5 years after end of financial year | Danish Bookkeeping Act |
| Customs documentation | 5 years | Danish Customs Act |
| Shipment documentation | 1 year after shipment completion | NSAB 2015 / contractual |
| Usage data and log files | Maximum 12 months | Legitimate interest |
| Marketing consent records | Until consent is withdrawn | Documentation obligation |
| Support correspondence | 2 years after resolution | Legitimate interest |
| Sanctions screening records | 5 years | AML/sanctions legislation |
| AI processing logs | 2 years | GDPR Art. 30 / Legitimate interest |
7. Your Rights
Under the GDPR and the Danish Data Protection Act, you have the following rights regarding your personal data:
- Right of access (Art. 15): You can obtain confirmation of whether we process your personal data and receive a copy of the data, including information about the purposes of processing, the categories of data, and the recipients.
- Right to rectification (Art. 16): You can have inaccurate or incomplete data corrected without undue delay.
- Right to erasure (Art. 17): You can request deletion of your data, unless we have a legal obligation to retain it (e.g., bookkeeping requirements) or another overriding legal basis.
- Right to restriction (Art. 18): You can request that we restrict processing in certain circumstances, for example while we verify the accuracy of your data.
- Right to data portability (Art. 20): You can receive your data in a structured, commonly used and machine-readable format (JSON or CSV) and transmit it to another controller.
- Right to object (Art. 21): You can object to processing based on legitimate interest. For direct marketing, you can always object, and we will cease processing without undue delay.
- Right regarding automated decisions (Art. 22): You can object to decisions based solely on automated processing and request human review. See Section 4 for details on our AI systems.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
7.1 How to exercise your rights
To exercise your rights, contact us at contact@saifion.com. We will verify your identity before processing any request. We will respond within 30 days. In complex cases or where we receive a large number of requests, this may be extended by 60 days with notice to you.
There is no fee for exercising your rights. However, if requests are manifestly unfounded or excessive (in particular due to their repetitive character), we may charge a reasonable fee or refuse to act on the request, in accordance with GDPR Article 12(5).
7.2 Right to lodge a complaint
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) if you believe that our processing of your personal data violates the GDPR or the Danish Data Protection Act:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Email: dt@datatilsynet.dk
Website: datatilsynet.dk
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control and least-privilege principles
- Multi-factor authentication for employee access to systems containing personal data
- Regular security monitoring, vulnerability scanning, and logging
- Automated weekly backups to EU/EEA-based infrastructure
- Regular review and testing of security measures
- Employee security awareness training and confidentiality obligations
- Incident response procedures and data breach notification protocols
- Secure disposal of data when no longer needed
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Danish Data Protection Agency (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, in accordance with GDPR Article 34
- Provide a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach
- Document all personal data breaches, including their effects and remedial actions taken, regardless of whether they are reported to the supervisory authority
Where Saifion acts as data processor, we will notify the data controller (the Customer) without undue delay after becoming aware of a personal data breach, and provide all information necessary for the controller to fulfill its notification obligations.
Saifion maintains a detailed Data Breach Response Plan with defined roles, escalation procedures and sub-processor-specific response protocols. The plan is tested annually through tabletop exercises.
10. Cookies and Tracking Technologies
For detailed information about cookies used on the Saifion Platform, please refer to our separate Cookie Policy available at saifion.com/cookies. The Cookie Policy is an integral part of this Privacy Policy.
10.1 Strictly necessary cookies
These cookies are required for the Platform to function and do not require consent:
- Session cookies for authentication (via Clerk)
- Security cookies (CSRF protection)
- Preference cookies for language and display settings
10.2 Analytics cookies
We use analytics cookies to understand and improve the use of the Platform. These cookies are only placed with your prior consent via our cookie banner. We ensure equal prominence of “Accept” and “Decline” buttons - no dark patterns are used. Our cookie consent mechanism complies with the Danish Cookiebekendtgørelsen and the ePrivacy Directive.
10.3 Marketing cookies
Saifion does not currently use marketing or advertising cookies. If this changes in the future, we will update our Cookie Policy and obtain prior consent before placing any marketing cookies.
10.4 Your choices
You can manage your cookie preferences at any time through our cookie banner or by contacting us. You can also block cookies through your browser settings, though this may affect the functionality of the Platform. You have the right to withdraw your cookie consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
11. Children's Privacy
The Saifion Platform is a B2B service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. Material changes will be communicated by email at least 30 days before they take effect. The latest version is always available on our website. We encourage you to review this Policy periodically.
For the avoidance of doubt, changes to the categories of personal data we collect, the purposes of processing, the legal basis for processing, the categories of recipients, or international data transfers are always considered material changes requiring prior notice.
13. Contact
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data processing practices:
Saifion ApS
CVR: 46208145
Email: contact@saifion.com
Website: saifion.com
Supervisory authority: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, dt@datatilsynet.dk, datatilsynet.dk