Privacy Policy
Last updated: 5 September 2025

Who we are: PE Artem Syzonenko (trading as ProductPathPro)
Address: 149/100 Kalynova Str., Dnipro, Ukraine
Contact: [email protected]
Terms of Use: https://www.productpathpro.com/terms‒of‒use
DPA: https://www.productpathpro.com/dpa

1) Scope

This policy explains how we handle personal data for:
Site visitors & account holders of productpathpro.com and related pages (we act as a controller).
End users recorded by our customers through our session/screen-recording script (we act as a processor / service provider under the DPA).

If anything here conflicts with a customer contract, the DPA and Terms of Use control.

2) Roles and responsibility

For Customer Data captured via our recording snippet:
Customer is the controller (decides what to collect, legal basis, retention).
ProductPathPro is the processor and processes only on the customer’s instructions (per the DPA).
Customers must provide notices/consents, configure masking/suppression, avoid prohibited data, and honor end-user rights requests.

For our own website/app accounts (billing/contact info, login, service emails), we are the controller.

3) What we collect

A. When we are the controller (site & account)
Account & profile: name, email, password hash, role, team/project associations.
Service & usage: login timestamps, feature use, plan/credits balance, support tickets, limited telemetry (e.g., error logs).
Transactional communications: necessary service emails via Postmark (ActiveCampaign, LLC).
Payment/billing (if/when enabled): payer details and transaction metadata from our processor; we don’t store full card numbers.
Device/network: IP address, browser/OS, pages viewed, referrer, server/CDN logs, and country-level geolocation derived from IP for security and sanctions/geo-restriction enforcement.
Cookies/local storage: see Section 7.

B. When we are the processor (recordings for customers)
Interaction data: clicks, scrolls, viewport, page URLs/titles, timestamps, device/browser metadata, session IDs; video/image frames of the page; optional keystroke metadata (not content) if enabled.
Customer-defined fields: IDs or attributes the customer passes to us.
Sensitive data is not intended: customers must configure masking/suppression to prevent capture (see Section 4).

4) Prohibited or sensitive data

Our Service is not intended to collect, and customers must not intentionally collect:
Special categories of personal data (e.g., health/PHI, biometric templates, sexual orientation, political/religious beliefs, trade-union membership).
Government IDs, financial/PCI data, passwords or authentication secrets, precise geolocation of minors, or children’s data without required verifiable consent.

Customers must configure masking/suppression and avoid placing the snippet on pages that display such data.

5) Why we use data (purposes) and legal bases

As controller (site & account)
We process data to:
Provide the Service (create/manage accounts, authenticate, show credit balance, send transactional emails).
Operate, secure, and improve the Service (troubleshooting, debugging, analytics, preventing abuse, rate limiting).
Compliance and enforcement (including sanctions/export-control and eligibility rules).
Comply with law (tax, accounting, legal requests).

Legal bases (EEA/UK): performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating and securing our Service and enforcing eligibility; and legal obligation (Art. 6(1)(c)). Where required, we’ll seek consent for optional cookies.

As processor (recordings for customers)
We process solely to provide the Service under the customer’s instructions and DPA.

6) Sharing and disclosures

Subprocessors (core): Linode (Akamai) — US hosting/compute/storage; Cloudflare, Inc. — global CDN/WAF/DDoS/proxy caching; Postmark (ActiveCampaign, LLC) — US transactional email.
Professional services: legal, accounting, and similar advisers bound by confidentiality.
Legal & safety: to comply with law or protect rights, safety, and security, including sanctions/export-control compliance with competent authorities.

We do not sell or share your personal data (as defined by CPRA).

7) Cookies and similar technologies

We use cookies and similar storage primarily for essential operations and security; also limited first-party analytics/performance and preferences.

Your choices: browser controls let you block or delete cookies (the Service may not function properly without essential cookies). Where required, we will show a cookie notice and obtain consent for optional cookies.

8) International transfers

Data may be processed in the United States and other countries where our providers operate. For EEA/UK personal data, transfers rely on the EU SCCs (Controller→Processor, Module 2) and the UK Addendum incorporated into our DPA (https://www.productpathpro.com/dpa).

9) Security

We maintain reasonable technical and organizational measures (TLS in transit; access controls/least privilege; MFA for admin access; logging/monitoring; vulnerability management; backups and recovery; incident response). No method is 100% secure.

10) Retention

Recordings & raw events (processor role): default 30 days, then scheduled deletion; backups per standard cycles.
Aggregated analytics derived from recordings: 30 days.
Account & service records (controller role): kept for the account lifetime and then a reasonable period (typically up to 24 months) for security, audit, and legal purposes.
Compliance logs (sanctions/geo-restriction): up to 24 months (or longer if required by law).
Support communications: typically 24 months.

We may retain data longer if required by law or to resolve disputes. Self-service export isn’t currently available.

11) Your privacy rights

If you are a site visitor or account user (we are the controller)
Subject to law, you may have rights to access, correct, delete, restrict, port, or object. Contact [email protected].

If you are an end user recorded by a customer (we are the processor)
Please contact that customer (the website/app where the recording occurred). We will support the customer’s response under the DPA.

California (CPRA) notice
We act as a service provider to customers for Customer Data. For our own site/account data, you may have rights to know, delete, and correct; we do not sell or share personal information; and we use sensitive personal information only for permitted service purposes. Submit requests to [email protected].

12) Children

Our Service is not directed to children, and customers must not use it to record users known to be children without meeting all legal requirements (e.g., verifiable parental consent). We do not knowingly collect personal data from children as a controller.

13) Third-party links

Our site may link to third-party sites or services we don’t control. Their privacy practices govern those properties.

14) Changes to this policy

We may update this policy from time to time. We’ll post the new version with a new “Last updated” date and, if changes are material, provide additional notice. Continued use means you accept the updated policy.

15) Contact us

Questions, requests, or complaints: [email protected]. You may also lodge a complaint with your local data protection authority.