1. Introduction & Scope
OptAI AG ("Company," "we," "us," "our") is a Swiss-based software company that provides AI-powered website optimization services, including traffic analysis, search engine visibility scoring, and automated content recommendations. This Privacy Policy governs how we collect, process, store, and protect personal data in connection with our services.
Scope: This policy applies to all users ("Customers," "you") who:
• Use our platform directly (website owners, marketers, business operators)
• Operate websites that utilize our DNS redirection service
• Are end visitors to websites using our technology (indirectly)
Governing Law: This Privacy Policy is governed by:
• Swiss Federal Act on Data Protection (FADP)
• EU General Data Protection Regulation (GDPR) – for EU/EEA data subjects
• California Consumer Privacy Act (CCPA) – for California residents
• Applicable laws of other jurisdictions where you operate
Contact: For privacy inquiries, contact us at:
• Email: support@optai.com
• Address: Altgasse 43, 6340 Baar, Switzerland
2. Data Controller & Processor Roles
Important: OptAI acts in different roles depending on the context:
2.1 When You Are a Customer (Data Controller)
When you use OptAI services, you are the data controller. You decide:
• What data to collect via our platform
• Which websites/visitors to analyze
• How to use the insights we provide
We are your data processor: We process data on your instructions under a Data Processing Agreement (DPA).
2.2 When Visitors Use Your Website (OptAI as Intermediary)
When end visitors access a website using OptAI's DNS redirection, OptAI processes traffic data as a co-processor or joint controller with you (the website owner). The end visitor has rights under GDPR/FADP/CCPA regarding this processing.
3. What Personal Data Do We Collect?
We collect the following categories of personal data:
3.1 From Customers (Direct Users)
• Account Information: Name, email, company name, phone number, billing address
• Payment Information: Credit card details (processed via third-party payment processors; we do not store full card numbers)
• Usage Data: Login history, features accessed, dashboard interactions
• Communication Data: Support tickets, feedback, emails
3.2 From Website Visitors (Indirect)
Via DNS redirection and traffic analysis:
• Traffic Source Data: Referrer information, search keywords, geographic location (country/region level)
• Session Data: Device type, browser, operating system, approximate visit duration
• Website Interaction Data: Pages visited, actions taken (minimal content submissions)
• IP Address: Processed to determine geographic location and traffic patterns; typically anonymized or pseudonymized
• Cookies: Session cookies for functionality; analytics cookies (see Section 5)
Note: We do NOT intentionally collect:
• Full browsing history of visitors
• Sensitive personal data (health, financial details, etc.) unless explicitly submitted
• Data from visitors' devices beyond the website interaction
3.3 Aggregated & Anonymized Data
• High-level traffic analytics (e.g., "traffic from Google search increased 15%")
• Geographic distribution of visitors
• Search keyword popularity trends
• Conversion metrics and performance insights
This data is aggregated and cannot identify individuals.
4. Legal Basis for Processing
4.1 For Customer Data
We process your data based on:
• Contract: Necessary to provide OptAI services (login, billing, support)
• Legitimate Interest: Improving our platform, preventing fraud, ensuring security
• Legal Obligation: Compliance with tax and accounting laws (Swiss, EU, CCPA)
• Consent: Optional marketing communications (opt-in basis)
4.2 For Website Visitor Data
We process visitor data on behalf of website owners based on:
• Legitimate Interest: Enabling website optimization and traffic analysis for the website owner
• Contract: The website owner has redirected traffic through our DNS, implying consent to use our service for analysis
• Consent: Website owners should provide notice to their visitors that OptAI processes their traffic (see Section 7)
Your Responsibility as a Customer: You must ensure that your website's privacy notice and terms inform visitors that their traffic is being analyzed by OptAI and that they have the right to opt out.
5. Cookies & Tracking Technologies
5.1 Types of Cookies We Use
• Session Cookies: Required for authentication and platform functionality (non-persistent)
• Analytics Cookies: To understand how customers and visitors use OptAI (persistent; typically 12 months)
• Marketing Cookies: To track campaign performance and retargeting (with consent)
5.2 Third-Party Cookies
We use third-party services that may set cookies:
• Analytics: Google Analytics, Segment
• Payment Processing: Stripe, PayPal
• Hosting & Infrastructure: Cloudflare, AWS
• Customer Support: Intercom, Zendesk
5.3 Cookie Consent
• For Customers: We obtain cookie consent via a banner on first visit (EU/CCPA compliance)
• For Website Visitors: You (the website owner) are responsible for obtaining consent from your visitors
Users can disable cookies in browser settings; however, some platform features may not work optimally.
6. Data Sharing & Third Parties
We share personal data with:
6.1 Legal Requests & Law Enforcement
We may disclose data if required by:
• Swiss courts or law enforcement
• EU data protection authorities
• Applicable legal processes (subpoena, warrant)
We will notify you of such requests unless legally prohibited.
7. Data Retention
7.1 Customer Account Data
• Active Accounts: Retained as long as your account is active
• Closed Accounts: Deleted within 90 days of account closure, unless legal obligations require longer retention
• Billing Records: Retained for 7 years (Swiss tax law requirement)
7.2 Website Visitor Traffic Data
• High-Level Analytics: Retained for up to 24 months for trend analysis
• Session-Level Data: Retained for up to 90 days
• IP Addresses: Anonymized or deleted within 30 days
7.3 Backup Data
• Backup copies may be retained longer for disaster recovery (up to 12 months)
• Backups are encrypted and isolated from production systems
8. Your Rights & Data Subject Requests
Under GDPR, FADP, and CCPA, you have the right to:
8.1 Right of Access
Request a copy of personal data we hold about you.
8.2 Right of Rectification
Correct inaccurate or incomplete data.
8.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your data, subject to legal retention obligations.
8.4 Right to Data Portability
Receive your data in a structured, commonly used format (CSV, JSON).
8.5 Right to Restrict Processing
Ask us to limit how we use your data.
8.6 Right to Object
Object to processing based on legitimate interest or direct marketing.
8.7 Right to Withdraw Consent
Withdraw consent for optional processing (e.g., marketing emails) at any time.
8.8 How to Submit Requests
Email: support@optai.com with "Data Subject Request" in the subject line. Include your name, account email, and specific request. We will respond within 30 days (or 45 days for complex requests).
9. Security & Data Protection Measures
We implement appropriate technical and organizational security measures:
• Encryption: Data in transit (TLS 1.2+) and at rest (AES-256)
• Access Control: Role-based access; employees access data only as needed
• Authentication: Multi-factor authentication (MFA) for customer accounts
• Monitoring: Continuous security monitoring and intrusion detection
• Audit Logs: All data access is logged and monitored
• Data Isolation: Customer data is logically segregated
• Regular Testing: Penetration testing and security audits
• Incident Response: Documented breach response plan; affected parties notified within 72 hours (GDPR requirement)
10. Data Transfers & International Compliance
10.1 Swiss HQ, Global Operations
OptAI is headquartered in Switzerland. Data may be processed in:
• Switzerland (primary)
• EU/EEA countries (for EU customers, subject to GDPR)
• USA (Cloudflare infrastructure; subject to appropriate safeguards)
10.2 Adequacy & Transfers
• EU/EEA to Switzerland: Switzerland is deemed adequate by the EU (decision 2000/518/EC)
• EU/EEA to USA: We rely on Standard Contractual Clauses (SCCs) for data transfers
• GDPR Compliance: All transfers include Data Processing Agreements with adequate safeguards
10.3 Your Obligations as a Customer
If you collect data from EU/EEA residents, you are responsible for informing them of international transfers and ensuring an appropriate legal basis for processing.
11. Children's Privacy
OptAI services are not directed at children under 16 years old. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it immediately. Parents/guardians who believe their child's data has been collected should contact us at support@optai.com.
12. Third-Party Links & Services
Our platform may contain links to third-party websites and services. We are not responsible for their privacy practices. We recommend reviewing their privacy policies independently.
13. Policy Updates & Changes
We may update this Privacy Policy to reflect changes in our services, technology, or legal requirements. Updates will be effective upon posting to our website. Material changes will be communicated via email. Continued use of OptAI after changes constitutes acceptance of the updated policy.
14. Specific Compliance Notes
14.1 GDPR (EU/EEA)
• Lawful Basis: Contract, legitimate interest, consent
• DPA: Customers must sign a Data Processing Agreement
• Data Subject Rights: See Section 8
• Data Protection Officer: Not currently appointed; can be requested by regulators
14.2 CCPA (California)
• Consumer Rights: Access, deletion, opt-out of sale, non-discrimination
• Disclosure: We provide this Privacy Policy as required
• Opt-Out Mechanism: Cookie banner includes opt-out options
14.3 Swiss FADP
• Lawful Processing: Contract, legitimate interest, consent
• Data Subject Rights: Similar to GDPR; subject to Swiss law
• Jurisdiction: Swiss courts; disputes resolved under Swiss law
15. Contact & Complaints
For privacy inquiries, requests, or concerns:
OptAI Privacy Contact:
• Email: support@optai.com
• Address: Altgasse 43, 6340 Baar, Switzerland
• Response Time: 30 days
Data Protection Authorities (if not satisfied with our response):
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
• EU Member State: Your national Data Protection Authority
• California: California Attorney General