Privacy Policy
Last updated: 5 September 2025
Who we are: PE Artem Syzonenko (trading as ProductPathPro)
Address: 149/100 Kalynova Str., Dnipro, Ukraine
Contact: [email protected]
Terms of Use: https://www.productpathpro.com/terms‒of‒use

1) Scope
This policy explains how we handle personal data for:
Site visitors & account holders of productpathpro.com and related pages (we act as a controller).
End users recorded by our customers through our session/screen-recording script (we act as a processor / service provider under the DPA).
If anything here conflicts with a customer contract, the DPA and Terms of Use control.

2) Roles and responsibility
For Customer Data captured via our recording snippet:
Customer is the controller (decides what to collect, legal basis, retention).
ProductPathPro is the processor and processes only on the customer’s instructions (per the DPA).
Customers must provide notices/consents, configure masking/suppression, avoid prohibited data, and honor end-user rights requests.
For our own website/app accounts (billing/contact info, login, service emails), we are the controller.

3) What we collect
A. When we are the controller (site & account)
Account & profile: name, email, password hash, role, team/project associations.
Service & usage: login timestamps, feature use, plan/credits balance, support tickets, limited telemetry (e.g., error logs).
Transactional communications: necessary service emails via Postmark (ActiveCampaign, LLC).
Payment/billing (if/when enabled): payer details and transaction metadata from our processor; we don’t store full card numbers.
Device/network: IP address, browser/OS, pages viewed, referrer, server/CDN logs, and country-level geolocation derived from IP for security and sanctions/geo-restriction enforcement.
Cookies/local storage: see Section 7.
B. When we are the processor (recordings for customers)
Interaction data: clicks, scrolls, viewport, page URLs/titles, timestamps, device/browser metadata, session IDs; video/image frames of the page; optional keystroke metadata (not content) if enabled.
Customer-defined fields: IDs or attributes the customer passes to us.
Sensitive data is not intended to be captured: customers must configure masking/suppression to prevent it (see Section 4).

4) Prohibited or sensitive data
Our Service is not intended to collect, and customers must not intentionally collect:
Special categories of personal data (e.g., health/PHI, biometric templates, sexual orientation, political/religious beliefs, trade-union membership).
Government IDs, financial/PCI data, passwords or authentication secrets, precise geolocation of minors, or children’s data without required verifiable consent.
Customers must configure masking/suppression and avoid placing the snippet on pages that display such data.

5) Why we use data (purposes) and legal bases
As controller (site & account)
We process data to:
Provide the Service (create/manage accounts, authenticate, show credit balance, send transactional emails).
Operate, secure, and improve the Service (troubleshooting, debugging, analytics, preventing abuse, rate limiting).
Carry out compliance and enforcement (including sanctions/export-control and eligibility rules).
Comply with law (tax, accounting, legal requests).
Legal bases (EEA/UK): performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating and securing our Service and enforcing eligibility; and legal obligation (Art. 6(1)(c)). Where required, we’ll seek consent for optional cookies.
As processor (recordings for customers)
We process solely to provide the Service under the customer’s instructions and DPA.

6) Sharing and disclosures
Subprocessors (core): Linode (Akamai) — US hosting/compute/storage; Cloudflare, Inc. — global CDN/WAF/DDoS/proxy caching; Postmark (ActiveCampaign, LLC) — US transactional email.
Professional services: legal, accounting, and similar advisers bound by confidentiality.
Legal & safety: to comply with law or to protect rights, safety, and security, including sanctions/export-control compliance with competent authorities.
We do not sell or share your personal data (as defined by the CPRA).

7) Cookies and similar technologies
We use cookies and similar storage primarily for essential operations and security, and also for limited first-party analytics/performance and preferences.
Your choices: browser controls let you block or delete cookies (the Service may not function properly without essential cookies). Where required, we will show a cookie notice and obtain consent for optional cookies.

8) International transfers
Data may be processed in the United States and other countries where our providers operate. For EEA/UK personal data, transfers rely on the EU SCCs (Controller→Processor, Module 2) and the UK Addendum incorporated into our DPA.

9) Security
We maintain reasonable technical and organizational measures (TLS in transit; access controls/least privilege; MFA for admin access; logging/monitoring; vulnerability management; backups and recovery; incident response). No method is 100% secure.

10) Retention
Recordings & raw events (processor role): default 30 days, then scheduled deletion; backups per standard cycles.
Aggregated analytics derived from recordings: 30 days.
Account & service records (controller role): kept for the account lifetime and then a reasonable period (typically up to 24 months) for security, audit, and legal purposes.
Compliance logs (sanctions/geo-restriction): up to 24 months (or longer if required by law).
Support communications: typically 24 months.
We may retain data longer if required by law or to resolve disputes. Self-service export isn’t currently available.

11) Your privacy rights
If you are a site visitor or account user (we are the controller): subject to law, you may have rights to access, correct, delete, restrict, port, or object. Contact [email protected].
If you are an end user recorded by a customer (we are the processor): please contact that customer (the website/app where the recording occurred). We will support the customer’s response under the DPA.
California (CPRA) notice: we act as a service provider to customers for Customer Data. For our own site/account data, you may have rights to know, delete, and correct; we do not sell or share personal information; and we use sensitive personal information only for permitted service purposes. Submit requests to [email protected].

12) Children
Our Service is not directed to children, and customers must not use it to record users known to be children without meeting all legal requirements (e.g., verifiable parental consent). We do not knowingly collect personal data from children as a controller.

13) Third-party links
Our site may link to third-party sites or services we don’t control. Their privacy practices govern those properties.

14) Changes to this policy
We may update this policy from time to time. We’ll post the new version with a new “Last updated” date and, if changes are material, provide additional notice. Continued use means you accept the updated policy.

15) Contact us
Questions, requests, or complaints: [email protected]. You may also lodge a complaint with your local data protection authority.

Data Processing Addendum (DPA)
Effective date: 5 September 2025
Parties: (1) Customer (controller) and (2) PE Artem Syzonenko, trading as ProductPathPro (processor).
Contact (processor): [email protected]

1. Scope & roles
1.1 This DPA applies to ProductPathPro’s processing of Customer Data (as defined in the Terms of Use) that includes personal data subject to Applicable Data Protection Laws (e.g., GDPR, UK GDPR, CCPA/CPRA).
1.2 For such personal data, Customer is the controller, and ProductPathPro is the processor (EU/UK) and service provider (California).
1.3 The Terms of Use (the “Agreement”) remain in force. This DPA prevails over conflicting terms solely for the processing of personal data.

2. Customer instructions
2.1 ProductPathPro will process personal data only on documented instructions from Customer: (a) to provide, secure, and support the Service; (b) as configured or initiated by Customer via the Service; and (c) as required by law.
2.2 If an instruction violates applicable law, ProductPathPro will notify Customer (unless legally prohibited).
2.3 Sanctions carve-out. Notwithstanding any instruction, ProductPathPro may decline or suspend processing that would reasonably cause a violation of EU/UK/U.S./UN/Ukraine sanctions or export-control laws, and will notify Customer where legally permitted.

3. Confidentiality
ProductPathPro ensures that personnel with access to personal data are bound by confidentiality obligations.

4. Security measures
ProductPathPro maintains reasonable technical and organizational measures appropriate to the risk, including: encryption in transit (TLS), access control/least privilege, authentication (including MFA for administrative access), network segmentation, logging and monitoring, vulnerability management, secure development practices and reviews, backups and recovery procedures, and incident response processes. Details appear in Annex II.

5. Personal data breaches
Upon becoming aware of a personal data breach affecting Customer Data, ProductPathPro will notify Customer without undue delay and in any event within 72 hours, and will provide information reasonably available to assist Customer in meeting its obligations.

6. Subprocessors
6.1 Customer authorizes ProductPathPro to engage subprocessors to deliver the Service, subject to written contracts imposing data-protection obligations no less protective than this DPA. Current core subprocessors are listed in Annex III.
6.2 ProductPathPro will provide 30 days’ prior notice before adding a materially new subprocessor. If Customer reasonably objects, Customer may terminate the affected Service before the change takes effect.

7. International transfers
7.1 EU/EEA: Where ProductPathPro processes personal data subject to the GDPR on behalf of Customer and a restricted transfer occurs, the EU Standard Contractual Clauses (SCCs) — Controller→Processor, Module 2 — are incorporated by reference between Customer (data exporter) and ProductPathPro (data importer). Annexes I/II/III of the SCCs are completed by the Annexes to this DPA.
7.2 UK: For the UK GDPR, the UK Addendum to the EU SCCs is incorporated, with its tables completed in Annex I-UK.
7.3 If another transfer mechanism becomes applicable, the parties may adopt it.

8. Assistance
ProductPathPro will provide reasonable assistance (taking into account the nature of the processing and the information available) with: (a) data subject requests; (b) security and breach notifications; and (c) data-protection impact assessments and prior consultations, to the extent required by law and proportionate to the Service.

9. Audits & information
Upon written request (no more than annually and subject to confidentiality), ProductPathPro will provide information reasonably necessary to demonstrate compliance (e.g., policy summaries). On-site audits occur only where required by law, upon reasonable notice, limited to relevant controls, and at Customer’s expense.

10. Return & deletion
At termination of the Agreement (or upon Customer’s written request), ProductPathPro will delete personal data within the timelines in the Agreement and this DPA. Self-service export is not currently provided. Backups are deleted per standard cycles.

11. California (CPRA) service provider terms
For California “personal information,” ProductPathPro: (a) acts as a service provider; (b) processes solely to provide and improve the Service for Customer, not for any other purpose; (c) does not sell or share personal information; (d) will not combine personal information with data from other sources except as permitted by the CPRA; (e) will assist Customer with consumer requests as required; (f) will notify Customer if it can no longer meet its obligations; and (g) grants Customer the right to take reasonable and appropriate steps, including requesting information or audits, to ensure ProductPathPro’s CPRA compliance.

12. Liability & precedence
The parties’ respective liability and limitations are governed by the Agreement. In the event of conflict, this DPA controls for the processing of personal data.

13. Customer responsibilities (summary reminder)
Customer is solely responsible for notices/consents, lawful basis, and correct configuration of masking, suppression, and exclusions to avoid capturing prohibited or sensitive data (e.g., special categories, credentials, government IDs, financial data, health/PHI, precise geolocation of minors). The Service is not intended to record children absent verifiable consent and full compliance with applicable law.

14. Term
This DPA becomes effective on the Effective date above and remains in force for as long as ProductPathPro processes personal data for Customer under the Agreement.

Annex I — Description of processing (SCCs Annex I, Sec. A & B)
A. Parties
Exporter (controller): Customer (contact: as provided in Customer’s account)
Importer (processor): PE Artem Syzonenko (ProductPathPro), 149/100 Kalynova Str., Dnipro, Ukraine; contact: [email protected]
B. Description
Subject matter: Provision of session/screen recording and analytics services for Customer’s websites/apps.
Duration: Term of the Agreement; standard retention 30 days for recordings/events; backups per cycles.
Nature & Purpose: Collection and processing of web/app interaction data (events, session/recording frames), diagnostics, metrics, and derived analytics to provide, maintain, secure, and improve the Service.
Categories of data subjects: End users of Customer’s sites/apps; Customer’s staff/authorized users.
Categories of personal data: Interaction events (clicks, scrolls, keystroke metadata), page URLs/titles, timestamps, device/browser metadata, IP-address-derived data, session identifiers, Customer-provided identifiers or user attributes, audio/video frame data if enabled. Not intended to collect special-category or other prohibited data; Customer must configure masking/suppression accordingly.
Sensitive data: Not intended / contractually prohibited.
Frequency: Continuous, as initiated by Customer’s integration/configuration.
Retention/erasure: As per Section 10 and the Agreement (default 30 days).
Competent Supervisory Authority (EU): Exporter’s lead supervisory authority where applicable.
C. Authorized subprocessors: See Annex III.

Annex II — Technical & organizational measures (SCCs Annex II)
Information security program:
Governance & risk: Documented security policies; periodic risk assessment; least-privilege access model.
Access control: Unique accounts; MFA for administrative access; role-based permissions; session timeouts; logging of privileged actions.
Physical & network: Provider data centers (Linode/Cloudflare); network segmentation; DDoS protections via CDN; firewalls; secure remote access.
Encryption: TLS for data in transit; encryption at rest where supported by underlying services; key management per provider capabilities.
Application security: Secure SDLC, code review, dependency scanning, vulnerability management and patching.
Monitoring & logging: Centralized logs, anomaly detection, alerting.
Backup & recovery: Regular backups; restore testing; geo-redundancy per provider services.
Incident response: Documented plan; investigation, containment, eradication, recovery; post-incident review.
Personnel: Background/eligibility checks where lawful, confidentiality agreements, security training.
Data minimization & masking: Controls for field suppression/masking; configuration guidance to prevent capture of sensitive fields.
Supplier management: Subprocessor due diligence and contractual controls.
Business continuity: Redundancy and recovery procedures proportionate to scale.

Annex III — Subprocessors
Linode (Akamai) — US: hosting/compute/storage
Cloudflare, Inc. — Global: CDN, WAF, DDoS mitigation, proxy caching
Postmark (ActiveCampaign, LLC) — US: transactional email delivery

Annex I-UK — UK Addendum tables (summary)
Table 1 (Parties): Exporter = Customer; Importer = PE Artem Syzonenko (ProductPathPro), contact [email protected]
Table 2 (Selected SCCs): EU SCCs (Controller→Processor, Module 2)
Table 3 (Annexes): Annex I/II/III as above
Table 4 (Ending): Neither party may vary the Addendum beyond permitted formatting; governing law for the SCCs = Ireland (for interpretation of the EU SCCs)

Acceptance & countersignature
Click-through acceptance: This DPA applies automatically under the Terms.
Countersigned PDF: If needed, email [email protected] for a signable PDF (Customer → company name, signatory, title, date; ProductPathPro → PE Artem Syzonenko, proprietor).