OÜ Alignment Technology (“Handhold,” “we” “us” or “Company;” for contact details see the end of this privacy policy) is committed to respecting your privacy and protecting your personal data.

This privacy policy explains how we collect, use, store, share, and otherwise process your personal data when you visit our website https://www.handhold.io (“Website”), when you use or interact with Handhold, our cloud-based AI-powered agentic product demonstration and onboarding journey application (“Application”), and in the context of providing our services or communicating with you more generally. This policy is divided into three sections:

• Website Visitors – personal data we process when you access or use our Website, including cookies and similar technologies;
• Application Users and Application Interaction Data – data processing in connection with the use of the Handhold Application, covering both (a) personnel of our customers (“Customers”) who configure, manage, or otherwise use the Application, and (b) the Customers’ end customers (“End Customers”) whose data is processed in connection with product demonstrations and onboarding journeys delivered through our Application.
• General Information – data security, international transfers, your rights under data protection laws, and how to contact us.

DATA PROCESSING WITH REGARD TO VISITING AND USING OUR WEBSITE

Who is Responsible for Processing Your Personal Data

We are the data controller in relation to the personal data processed when you visit and use our Website. This means that we determine the purposes and means of the processing. Our contact details can be found at the end of this privacy policy.

Persons Affected by Data Processing, Types of Personal Data Processed

This section and the relevant data processing applies to persons who visit and use our Website.

We may process personal data that we collect automatically (including through third-party tools) when you access or interact with our Website. This includes information about your device, browser, usage patterns, IP address, and general location. Typical data collected includes:

• pages visited and time spent on each page;
• interactions with elements of the Website;
• IP address, browser type and version, device type, operating system;
• referral URL and usage statistics.

We may also process personal data that you voluntarily provide through the Website, for example, when you book a demo, sign up for marketing communications, contact us, or interact with any other feature. This may include:

• name, email address, phone number;
• employer and job title;
• any communications or content you submit (e.g. via forms or chats).

Where certain information is required to use a Website feature (e.g. booking a demo), we will indicate which fields are mandatory. If you choose not to provide required data, we may not be able to respond to your request or deliver the relevant feature.

We may combine information you provide with information we collect automatically.

Purposes and Lawful Basis for Personal Data Processing

We process the personal data described in this chapter above for the following purposes and on the following legal bases:

Purpose	Lawful Basis
To operate, maintain, and secure the Website	Our legitimate interest in providing a functional and secure Website
To analyse usage and improve Website performance and design	Our legitimate interest in understanding and enhancing the user experience
To respond to your requests (e.g. demos, enquiries, commercial discussions)	Taking steps prior to entering into a contract, or our legitimate interest in business development
To send you marketing communications if you have opted in	Your consent, which you may withdraw at any time via the unsubscribe link in our messages

We may also convert personal data into aggregated or anonymised information that can no longer be linked to any individual and is not therefore considered personal data. We may use or share such data to help us analyse trends, improve features, and develop new services.

Personal Data Retention

We retain personal data only as long as necessary to fulfil the purposes described above or to comply with applicable legal requirements. The following retention periods apply:

• Personal data collected via cookies and analytics tools is retained for a period of up to 1 year;
• Personal data you provide in contact forms or requests (e.g. demo bookings) is retained for up to 3 years to manage our relationship with you and respond to any follow-up queries.

Personal data may be retained longer if required to resolve disputes, protect our rights, or comply with a legal obligation. Personal data may also be deleted earlier upon data subject request, in accordance with applicable legal acts. Please note that such data deletion requests may result in us being unable to continue the provision of all or part of our services.

Some personal data may be stored in secure backup systems for a limited time, strictly for integrity and disaster recovery purposes or as required under applicable law or compliance requirements and deleted once no longer needed.

Cookies and Tracking

We use cookies and similar technologies to distinguish you from other users, enhance Website functionality, understand usage patterns, and support relevant advertising. We use the following categories of cookies:

• Necessary cookies – essential cookies required for the operation of our Website. Cannot be disabled;
• Analytical cookies – help us understand how users interact with the Website, e.g. page visits and user flows;
• Functionality and performance cookies – enable enhanced features and customisation, such as remembering your preferences;
• Third-party cookies – set by third parties to enable analytics or advertising.

Non-essential cookies are used only with your consent, which you can manage through our cookie tool available on our Website or through your browser preferences. Disabling certain cookies may impact your experience on our Website.

For more detailed information regarding cookies we use, please refer to our cookie policy.

DATA PROCESSING WITH REGARD TO USING THE HANDHOLD APPLICATION

Who is Responsible for Processing Your Personal Data

The Handhold Application is accessible via our Website and governed by our Agreement, comprising the Service Terms, and other documents, terms, and policies, as applicable.

When providing the Handhold Application, we may act both as a data controller and a data processor, depending on the type of data and the purpose of processing, as described below.

• With respect to the contact details and other personal data relating to our Customers’ authorised users and representatives (e.g. personnel who configure or manage the Application) (“Customer Personnel Data”), we act as a data controller.
• With respect to the personal data that is transmitted, input, or otherwise made available via the Handhold Application in connection with product demonstrations or onboarding journeys delivered by our Customers (“Application Interaction Data”), we act as a data processor. Application Interaction Data may be provided by our Customers, directly submitted by external users interacting with the Application, or generated through their use of the Application (e.g. interaction transcripts, interaction log). Our Customers act as the data controllers of such Application Interaction Data and are responsible for determining the purposes and legal basis of processing.

Persons Affected by Data Processing, Types of Personal Data Processed

(a) Customer Personnel Data

This refers to authorised users and representatives of the Customer who access or manage the Handhold Application, such as account administrators or other personnel responsible for configuring or overseeing product demonstrations and onboarding journeys. The data we may process includes:

• name, email address, phone number, job title, and affiliated organisation;
• usage and activity logs within the Handhold Application;
• billing, invoicing, and account-related information.

(b) Application Interaction Data

This refers to natural persons who engage with product demonstrations or onboarding journeys delivered via the Handhold Application. Application Interaction Data may include:

• name, email address, job title, affiliated organisation, and other contact information;
• text or other content submitted by the individual during their interaction with the Application;
• transcripts or logs automatically generated during the interaction;
• outputs generated by the AI components of the Application (e.g. responses, suggestions, or guidance presented to the End Customer’s representative);
• any other personal data voluntarily submitted by the individual or provided by the Customer in connection with the interaction.

We do not process any special categories of personal data (as defined under Article 9 GDPR), and the Handhold Application is not intended to collect or analyse biometric or otherwise sensitive data. If any such data is inadvertently submitted, the Customer remains responsible for ensuring a lawful basis exists.

Purposes and Lawful Basis for Personal Data Processing

We process the personal data described in this chapter above for the following purposes and on the following legal bases:

Data	Role	Purpose	Lawful Basis
Customer Personnel Data	Controller	Customer relationship and account management, service provision, support, billing and invoicing, contract performance and enforcement, dispute resolution, protection of our legitimate interests	Contract performance and our legitimate interests (e.g. relationship management, debt recovery)
Application Interaction Data	Processor	Enabling Customers to deliver and manage product demonstrations and onboarding journeys via the Handhold Application	Processing on behalf of and under the documented instructions of the Customer, pursuant to the data processing agreement

As a controller, we may also irreversibly anonymise Application Interaction Data as such that the resulting data is not linked to any identifiable individual, and process such resulting data indefinitely to maintain and improve the performance of the Handhold Application, develop new features, enhance AI functionality, and carry out statistical or quality-related analysis. This processing is based on our legitimate interest in improving and developing our services.

Personal Data Retention

We retain personal data only for as long as necessary to fulfil the relevant purposes or comply with legal requirements. The following retention periods apply:

• Customer Personnel Data is retained for the duration of the customer relationship and up to 3 years thereafter;
• Application Interaction Data is retained for the duration of the customer agreement and deleted within 3 months after termination, unless otherwise agreed with the customer or required by applicable law;
• Certain data (e.g. for accounting or tax purposes) may be retained for up to seven years.

Personal data may also be deleted earlier upon customer request or data subject request, in accordance with the data processing agreement. Please note that such data deletion requests may result in us being unable to continue the provision of all or part of our services.

Some personal data may be stored in secure backup systems for a limited time, strictly for integrity and disaster recovery purposes or as required under applicable law or compliance requirements and deleted once no longer needed.

GENERAL REGULATION

Storing and Transferring Your Personal Data

We implement appropriate technical and organisational measures to protect personal data, including Customer Personnel Data and Application Interaction Data, against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. This includes encryption of data in transit and at rest, and strict access controls.

All data we process is hosted on secure infrastructure within the European Union. As of the date of this policy, we do not transfer personal data outside the EU/EEA. Should such transfers become necessary, we will implement appropriate safeguards and shall ensure that such transfers are carried out in compliance with Chapter V of the GDPR and on the basis of an adequacy decision by the European Commission or Standard Contractual Clauses approved by the European Commission.

If you would like further information about such safeguards, you may contact us using the details below.

Recipients

We may share personal data with trusted third-party service providers that perform services for us or on our behalf. These services include data hosting and infrastructure providers, communication and customer support platforms, AI tools (including large language models and transcription tools), analytics, security, and fraud prevention services.

Our list of current subprocessors is available here.

We may also disclose personal data if required by law, such as in response to court orders or requests from data protection authorities. In doing so, we will ensure that such disclosure is based on a valid legal basis.

Additionally, we may share personal data in the context of investigating suspected contract breaches or unlawful conduct, or in connection with the legitimate exercise or defence of legal rights. In such cases, data may be disclosed to legal advisors, law enforcement, or other appropriate authorities.

If we are involved in a merger, acquisition, reorganisation, asset sale, funding or financing round, personal data may be shared with parties to the transaction and their professional advisors, subject to appropriate confidentiality arrangements and strictly to the extent required for achieving the good faith purpose of any of the transactions described above, as relevant.

Your Rights Concerning the Processing of Your Personal Data

To the extent that we act as a data controller in connection with your personal data, you have the following rights under applicable data protection laws:

• Right to Information: you have the right to obtain clear and transparent information about how we process your personal data, including the purposes for the processing and the lawful basis;
• Right of Access: you may request access to your personal data processed by us, including a copy of such data;
• Right to Data Portability: you may request that we provide your personal data in a structured, commonly used, and machine-readable format, or that we transfer your data directly to another controller, where technically feasible;
• Right to Rectification: if your personal data is inaccurate or incomplete, you have the right to request correction or completion of the data held by us;
• Right to Restrict Processing: you may request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data, the processing is unlawful, or when you need the data for legal claims, and we no longer require it for processing purposes;
• Right to Object: you have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights or if the processing is required for legal claims;
• Right to Erasure: you may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful. This right is subject to exceptions, such as where processing is required to comply with legal obligations or to establish, exercise, or defend legal claims;
• Right to Withdraw Consent: if our processing of your personal data is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
• Right to Lodge a Complaint: if you believe we have not complied with applicable data protection laws, you have the right to lodge a complaint with your local data protection authority.

Where we act as a processor (e.g. for Application Interaction Data), data subject rights should be exercised directly against the relevant Customer (the data controller). We will assist the Customer in responding to any such requests in accordance with our data processing agreement.

Amendments to the Privacy Policy

We may update this privacy policy from time to time. If we make material changes, we will provide reasonable notice (e.g. via our Website or by email). The effective date will always be shown at the top of this policy. We encourage you to review this page periodically.

Contacting Us

If you have any questions, comments, or requests regarding this privacy policy or our processing of your personal data, please contact us at:

• OÜ Alignment Technology
• Estonian commercial register code: 16718998
• Registered address: Valukoja tn 8/1, 11415 Tallinn, Estonia
• e-mail address: support@handhold.io

Our supervisory authority is the Estonian Data Protection Inspectorate (www.aki.ee).