3. PERSONAL DATA WE PROCESS FOR THE SERVICES
Depending on how the Services are configured and used, Prefixbox may process the following categories of personal data:
Chat Session Data: When end users interact with the AI functionality, we process:
- messages and prompts submitted by users;
- AI-generated responses;
- files or structured data uploaded by Customer;
- identifiers voluntarily provided within the chat session.
By default, user display names within chat sessions are system-generated pseudonyms.
Session and Contextual Information: To operate the Services, we process limited session-related and contextual data, including:
- chat session identifiers;
- timestamps;
- request identifiers;
- model version identifier;
- latency measurements;
- error codes;
- the URL of the webpage currently viewed by the end user (while the Service is active).
If the AI assistant recommends a product, we may process whether the recommended product link was clicked.
Prefixbox does not store or log IP addresses.
Prefixbox does not store or process token counts.
Webpage Content Processing: Webpage content is continuously retrieved by the Service in the background. This content is transmitted to and processed by the AI model only where the end user makes an explicit request that requires it, such as requesting a summary or analysis of the webpage.
This functionality may operate independently of whether a chat session has been manually initiated.
Depending on the nature of the webpage, such content may contain personal data.
Web Content Extraction: Where Customer uploads or provides URLs for use by the Service, or where an end user submits a query through the chat interface that requires retrieval of publicly accessible webpage content, Prefixbox may transmit the relevant URLs to a web content extraction provider (Zyte API) to retrieve the corresponding webpage content. Only the relevant URLs and the retrieved webpage content are transmitted to Zyte API for this purpose.
Depending on the nature of the webpage, such content may contain personal data.
Administrative and Account Data: For the operation of the Services, Prefixbox processes limited administrative data, including:
- administrator name and work email;
- authentication and access control identifiers;
- role and permission information;
- contractual and billing records.
4. PURPOSES OF PROCESSING
When acting as a processor on behalf of Customer, Prefixbox processes personal data solely to:
- provide AI chat session and agent functionality;
- generate contextual responses and summaries;
- retrieve and process webpage content as requested;
- enable integrations configured by Customer;
- maintain the security, availability, and performance of the Services;
- detect misuse or technical issues;
- provide technical support.
When acting as an independent controller (limited to service-administration data), Prefixbox processes personal data to:
- administer and manage customer accounts;
- authenticate users and manage access controls;
- manage contractual and billing relationships;
- maintain service security and compliance;
- comply with legal obligations.
Prefixbox processes Customer Content only for the purposes described in this Policy and does not use it for unrelated purposes.
Legal Bases: Where Prefixbox acts as processor on behalf of Customer, the legal basis for processing personal data is determined by the Customer.
Where Prefixbox acts as an independent controller (limited to service-administration data), processing is based on:
- performance of a contract;
- compliance with legal obligations; and
- Prefixbox's legitimate interests in maintaining and securing the Services, except where such interests are overridden by the rights and freedoms of individuals.
5. AI-SPECIFIC INFORMATION
Nature of AI Responses: The Services use artificial intelligence models to generate responses. AI-generated outputs are probabilistic in nature and may vary based on input and context. Responses may be incomplete, outdated, or inaccurate. The Services are designed to assist users and should not be relied upon as professional, legal, medical, or financial advice.
Transparency Toward End Users: Customers must ensure that end users are informed when they are interacting with AI-generated functionality and that AI-generated content is not misrepresented as human-authored.
Customers are responsible for implementing appropriate notices and safeguards within their own environments, including reasonable measures to prevent the submission of prohibited content.
Human Review and Access Controls: Access to chat session data within Prefixbox is restricted through role-based access controls.
Prefixbox personnel may access chat session data only where necessary to provide support, troubleshoot technical issues, or maintain the security of the Services, and only where Customer has granted appropriate access rights.
No Model Training: Prefixbox does not use Customer Content, chat session data, webpage content, or contextual inputs to train or improve any large language model.
AI model inference is performed through Microsoft Azure OpenAI Service under enterprise data protection terms. Customer data processed through the Services is not used to train foundation models.
Automated Decision-Making: The Services are not designed to make automated decisions that produce legal or similarly significant effects concerning individuals.
Children: The Services are not intended for use by children.
Prohibited Content: The Services are not intended for the processing of Sensitive Personal Information, unless expressly agreed in writing and appropriate safeguards are implemented. Customers are responsible for configuring the Services and implementing appropriate safeguards to prevent the submission of such data.
6. SHARING AND SUB-PROCESSORS
Prefixbox engages carefully selected subprocessors to provide specific components of the Services.
Prefixbox currently engages the following subprocessors for the provision of the Services:
- Microsoft Azure — cloud hosting and infrastructure services (EU regions, including Sweden and West Europe);
- Microsoft Azure OpenAI Service — AI model inference services (EU regions);
- Zyte API — web content extraction services (Ireland-based entity).
Subprocessors are contractually bound to implement appropriate technical and organisational measures to protect personal data and to process personal data only on documented instructions from Prefixbox.
Prefixbox remains responsible for its subprocessors in accordance with applicable data protection law and the applicable Contract.
Data Processing Location and Transfers: Customer Content is processed primarily within the European Union, including Microsoft Azure regions located in Sweden and West Europe. Certain subprocessors, such as web content extraction providers, may operate globally. Where personal data is processed outside the European Union, Prefixbox ensures appropriate safeguards are implemented in accordance with Article 46 GDPR, including Standard Contractual Clauses or equivalent mechanisms where required.
No Selling: Prefixbox does not sell personal data.
No Third-Party Analytics: Prefixbox does not use third-party advertising networks or marketing analytics providers within the Services.
Prefixbox implements appropriate technical and organisational measures designed to protect personal data processed through the Services.
Security measures include, among others:
- Encryption of data in transit and at rest;
- Hosting within Microsoft Azure data centers;
- Environment segregation and access isolation;
- Role-based access control (RBAC);
- Centralised logging and monitoring;
- Vulnerability management and patch management procedures.
Where required by applicable law, Prefixbox will notify Customer of personal data breaches without undue delay.
Chat Session and Customer Data: Chat session data and related Customer Content are retained in live systems for up to 12 months from creation, unless a shorter retention period is agreed in the applicable Contract.
Operational Logs: Operational and security logs (including latency measurements and error codes) are retained for up to 30 days.
Backups: Encrypted backups are maintained within Microsoft Azure infrastructure with a rolling retention period of up to 7 days. Backup data is automatically overwritten in the normal course of operations and is not separately accessed except for disaster recovery purposes.
Deletion Upon Termination: Upon termination or expiry of the applicable Contract, Customer Content will be deleted from live systems within 30 days, unless otherwise agreed in writing. Residual data contained in system backups will be automatically overwritten within the standard backup retention cycle.
Legal Retention: Prefixbox may retain limited personal data where required to comply with applicable law or to establish, exercise, or defend legal claims.
9. COOKIES AND LOCAL STORAGE
The Services (including the Admin Console and embedded AI functionality) use limited browser storage mechanisms to support core functionality.
Local Storage for Session Continuity: Local storage is used solely to maintain session continuity and to distinguish between active and new chat sessions. This storage supports the proper technical operation of the Services and does not store chat content.
Service Operation: No advertising or marketing cookies are deployed within the Services.
Aggregated Usage Metrics: Prefixbox may generate aggregated, non-identifiable usage statistics (such as average response times or system performance metrics) for internal performance monitoring and service improvement purposes.
Where Prefixbox Acts as Processor: For personal data processed by Prefixbox on behalf of a Customer (including chat session data and related service data), data subjects should contact the relevant Customer, who acts as controller. Prefixbox will assist Customers, where required under applicable law and the applicable Contract, in responding to requests to exercise data subject rights.
Where Prefixbox Acts as Controller: For personal data processed by Prefixbox as an independent controller (limited to service-administration data), individuals may contact Prefixbox at support@prefixbox.com.
Applicable Rights: Subject to applicable law, individuals may have the right to request access to, rectification or erasure of personal data, restriction of processing, objection to processing, and data portability, as well as the right to lodge a complaint with a supervisory authority.
If you are located in Hungary, the competent supervisory authority is: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), H-1055 Budapest, Falk Miksa utca 9-11., https://naih.hu.
11. CONTRACTUAL GOVERNANCE
Processing of personal data by Prefixbox on behalf of Customer is governed by the applicable Contract between Prefixbox and Customer, including the Data Processing Addendum (Annex B to the Terms of Service), where applicable.
In the event of any conflict between this Privacy Policy and the applicable Contract or Data Processing Addendum, the Contract or Data Processing Addendum shall prevail.
This Privacy Policy is intended to provide a general overview of processing activities and does not amend or replace the terms of the applicable Contract.
12. CHANGES TO THIS POLICY
Prefixbox may update this Privacy Policy from time to time to reflect changes in the Services, applicable law, or security practices.
For material changes that significantly affect the processing of personal data, Prefixbox will provide advance notice (for example, via email), unless earlier changes are required for legal or security reasons.
The updated version will indicate its effective date.
13. TEMPLATE FOR CUSTOMERS — END-USER PRIVACY NOTICE (ANNEX A)
For convenience, we provide a template end-user privacy notice for the AI Assistant in Annex A. The template is provided "as is" and does not constitute legal advice. Customer must adapt it to reflect its actual processing, notices, and local law (including cookie/consent practices) and remains responsible for compliance and accuracy. Use of the template creates no privity or obligations between Prefixbox and People.
A. ANNEX A — END-USER PRIVACY NOTICE FOR AI ASSISTANT (TEMPLATE)
Disclaimer (Template): This annex is a sample end-user privacy notice provided for convenience only. It must be adapted by [Customer Name] to reflect actual practices, configurations, and applicable local law. [Customer Name] remains solely responsible for compliance and accuracy.
Who we are: This AI functionality (the "Assistant") is operated by [Customer Name] on [Customer Site/App]. [Customer Name] acts as controller for personal data processed through the Assistant. Prefixbox Zrt. provides the Assistant as a service provider and acts as processor on behalf of [Customer Name].
What Data Is Processed: When you interact with the Assistant, we may process:
- Messages and prompts you submit;
- AI-generated responses;
- Files or information you voluntarily provide;
- The URL of the webpage you are viewing;
- Technical session information such as timestamps and session identifiers.
Depending on the content of your interaction or the webpage viewed, such data may contain personal data.
Webpage Context & Summaries: Webpage content is continuously retrieved by the Service in the background. This content is transmitted to and processed by the AI system only where you make an explicit request that requires it, such as requesting a summary or analysis of the webpage.
AI Model Use: The Assistant uses artificial intelligence models to generate responses. Responses may be incomplete or inaccurate and should not be considered professional advice. Your interactions with the Assistant are not used to train or improve large language models.
Prohibited Content: The Assistant is not intended for the submission of Sensitive Personal Information (such as health data, biometric data, political opinions, or full payment card numbers), unless explicitly permitted by [Customer Name]. Please avoid submitting such information through the Assistant.
Service Providers: The Assistant is hosted within Microsoft Azure data centers located in the European Union. AI model inference is performed using Microsoft Azure OpenAI Service.
Appropriate contractual safeguards are in place where required.
Who might see your data: Our service providers: Prefixbox (processor) and its subprocessors, including Microsoft Azure (hosting infrastructure) and Microsoft Azure OpenAI Service (AI model inference). All service providers are engaged under contractual confidentiality and data protection obligations.
Legal Basis for Processing: [Customer Name] processes personal data submitted through the Assistant in order to provide the requested functionality, respond to inquiries, and maintain service security.
Depending on the context, processing may be based on contract performance, legitimate interests, or consent where required by applicable law.
Retention: Chat session data is retained for up to 12 months unless otherwise specified by [Customer Name].
Technical logs are retained for up to 30 days.
Encrypted backups are maintained for up to 7 days for disaster recovery purposes.
International Transfers: The Assistant is hosted within Microsoft Azure data centers located in the European Union. Where service providers operate globally, personal data may be processed outside your country. Where required by applicable law, appropriate safeguards are implemented.
Your Rights: Depending on applicable law, you may have the right to request access to, correction or deletion of your personal data, restriction of processing, objection to processing, and data portability.
To exercise your rights, please contact: [Customer Contact Email].
Children: The Assistant is not intended for use by children.