Legal
PRIVACY POLICY
We are committed to protecting your personal data and being transparent about how we use it. This policy explains what we collect, why, and your rights under the GDPR.
Last updated: 26 March 2026
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
- Legal name: Media Rex Alliance B.V.
- Trading name: Media Rex Alliance
- Chamber of Commerce (KvK): 92981682
- Registered address: Barbara Strozzilaan 201, 1083HN Amsterdam, The Netherlands
- Privacy contact: privacy@mediarexalliance.com
Data Protection Officer: We have not appointed a Data Protection Officer as this is not mandatory under our current processing activities. Privacy enquiries should be directed to the contact above.
2. What Personal Data We Collect
We collect the following categories of personal data depending on how you interact with our platform:
- Identity data: first name, last name, company name, VAT number
- Contact data: email address, phone number, billing address, shipping address
- Account data: login credentials, authentication tokens (OAuth), account preferences
- Financial data: payment method type, transaction history (full payment card data is processed by our PCI-compliant payment processor and is not stored by us)
- Usage data: platform activity, features used, session data, AI prompt inputs and generated outputs
- Technical data: IP address, browser type and version, device identifiers, operating system, referring URLs
- Content data: images and files uploaded by you or your customers for print product creation
- Communications data: support enquiries, AI assistant chat logs, email correspondence
We do not knowingly collect or process special category data (Art. 9 GDPR) such as health data, biometric data, or data revealing racial or ethnic origin. If you become aware that such data has been submitted inadvertently, please contact us immediately.
3. How We Use Your Data and Our Legal Bases
We process personal data only where we have a lawful basis under Art. 6 GDPR. The table below sets out our main processing activities:
3.1 Contract Performance (Art. 6(1)(b) GDPR)
To deliver the services you have contracted with us:
- Creating and managing your account
- Providing access to the AI print editor platform
- Processing and fulfilling print product orders
- Managing subscription plans and billing
- Providing customer support
3.2 Legal Obligation (Art. 6(1)(c) GDPR)
To comply with our legal obligations under Dutch and EU law:
- Retaining financial records and invoices for 7 years (Art. 52 AWR — Dutch fiscal law)
- Responding to lawful requests from regulatory authorities
- Complying with anti-money laundering requirements where applicable
3.3 Legitimate Interests (Art. 6(1)(f) GDPR)
Where our legitimate interests are not overridden by your rights and interests:
- Security and fraud prevention: monitoring for suspicious activity, protecting our platform and users
- Platform improvement: analysing usage patterns (in aggregated and anonymised form where possible) to improve our services
- B2B marketing: sending relevant product updates and service communications to existing business clients
3.4 Consent (Art. 6(1)(a) GDPR)
Where you have given us explicit consent:
- Marketing communications (newsletters, promotional offers) to new contacts
- Non-essential analytics and tracking cookies (see our Cookie Policy)
- Marketing/retargeting cookies (Facebook Pixel)
You may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR). To withdraw consent, contact us at the address in Section 1 or use the unsubscribe link in any marketing email.
4. Sub-Processors and International Transfers
We use the following third-party service providers ("sub-processors") to deliver our services. Where sub-processors are located outside the European Economic Area (EEA), transfers are protected by Standard Contractual Clauses (SCCs) adopted under Art. 46 GDPR, or by the EU-US Data Privacy Framework (EU-US DPF) adequacy decision where applicable.
- Amazon Web Services (AWS): Cloud infrastructure and file storage — EU/US regions — AWS GDPR Centre
- Vercel Inc.: Website hosting and edge delivery (US) — EU-US DPF / SCCs
- Anthropic PBC: AI language model processing (US) — SCCs — Anthropic Privacy Policy
- OpenAI LLC: AI processing (US) — SCCs — OpenAI Privacy Policy
- PostHog Inc.: Product analytics (US/EU Cloud) — SCCs or EU Cloud region — PostHog Privacy Policy
- Google LLC (Google Analytics 4): Analytics (US) — EU-US DPF — Google Privacy Policy. We have configured GA4 with IP anonymisation enabled and advertising features disabled, consistent with Autoriteit Persoonsgegevens guidance.
- Meta Platforms Ireland Ltd. (Facebook Pixel): Marketing analytics (EEA and US) — SCCs — Meta Privacy Policy. Requires your consent.
- Payment processor: Stripe
You may request a copy of the relevant transfer mechanism by contacting us at the address in Section 1.
5. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:
- Financial records and invoices: 7 years from the end of the financial year (Art. 52 AWR)
- Contract and account data: Duration of the business relationship plus 5 years (limitation period under Art. 3:310 BW)
- Marketing data: Until you withdraw consent or opt out
- Security and access logs: 90 days
- Support communications: 3 years from last contact
- Uploaded print images: Deleted within 60 days of order fulfilment to allow reprints for registered users. Deleted within 10 days for guest checkouts.
- AI prompt and output data: NA
6. Your Rights
As a data subject, you have the following rights under the GDPR. Please visit our Data Subject Rights page for full details on how to exercise each right and our response process.
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure — "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21), including to direct marketing (which is absolute)
- Rights in relation to automated decision-making (Art. 22)
- Right to withdraw consent at any time (Art. 7(3))
7. Automated Decision-Making and AI
Our platform uses artificial intelligence to generate design assets and product recommendations based on text prompts. This process does not constitute automated decision-making with significant legal or similarly significant effects on you within the meaning of Art. 22 GDPR — it is a creative tool that requires human review and approval before any order is placed.
In accordance with Art. 50 of the EU AI Act (applicable from August 2026), we will ensure that end-users are informed when they are interacting with an AI system.
8. Business Clients — Data Processing Agreements
When you use our platform as a business client, and your end-users interact with the platform, we act as a data processor on your behalf in respect of your end-users' personal data, and you act as the data controller. This relationship is governed by a Data Processing Agreement (DPA) as required under Art. 28 GDPR. To request a DPA, please contact us at the address in Section 1.
9. How to Contact Us
For any questions about this privacy policy or to exercise your rights, please contact:
- Email: privacy@mediarexalliance.com
- Post: Barbara Strozzilaan 201, 1083HN Amsterdam, The Netherlands
We will respond to your request within one calendar month of receipt (Art. 12(3) GDPR).
10. Right to Lodge a Complaint
You have the right to lodge a complaint with the Dutch supervisory authority at any time:
- Autoriteit Persoonsgegevens (AP)
- PO Box 93374, 2509 AJ The Hague, Netherlands
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 8500 (weekdays 09:00–13:00)
We encourage you to contact us first so we can address your concerns directly.