Privacy Policy

RE::DACT Platform and Services

Effective Date: February 14, 2026
Last Updated: February 14, 2026
Version: 1.0 (Beta Testing Phase)

ABOUT THIS POLICY

This Privacy Policy explains how REAI Prosta Spółka Akcyjna and REDACT Inc. (together, "RE::AI", "we", "us", or "our") collect, use, disclose, and protect personal data when you use the RE::DACT platform, SPARK content discovery tool, RE::CORD voice transcription service, and related services (collectively, the „Services”).

Please read this Privacy Policy carefully before using our Services. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use our Services.

Minimum Age: Our Services are intended for users aged 16 and older. We do not knowingly collect personal data from individuals under 16 years of age.

CONTRACTING ENTITIES

FOR USERS IN THE EUROPEAN UNION, EEA, UNITED KINGDOM, AND SWITZERLAND:
REAI Prosta Spółka Akcyjna
Aleja Jana Pawła II 5/6, 64-920 Piła, Poland
NIP: 7642729249 | KRS: 0001218484
Email: contact@reai-strategy.com

FOR USERS IN THE UNITED STATES AND ALL OTHER JURISDICTIONS:
REDACT Inc.
1111B S Governors Ave STE 99573, Delaware, United States
EIN: [PENDING — TO BE COMPLETED]
Email: contact@redact-app.com

Each entity is referred to herein as "RE::AI", "we", "us", or „our”.

TABLE OF CONTENTS

• 1. Scope and Application
• 2. Definitions
• 3. Data Controller / Data Processor
• 4. Categories of Personal Data We Collect
• 5. How We Collect Personal Data
• 6. Legal Bases for Processing (GDPR)
• 7. Purposes of Processing
• 8. AI Processing and Automated Decision-Making
• 9. Source Protection and the Placeholder System
• 10. Audit Trail and Blockchain Logging (Hedera Hashgraph)
• 11. Third-Party Service Providers (Sub-Processors)
• 12. International Data Transfers
• 13. Data Retention
• 14. Your Rights
• 15. California Privacy Rights (CCPA / CPRA)
• 16. Security Measures
• 17. Cookies and Similar Technologies
• 18. Journalistic Exception (GDPR Article 85)
• 19. Children's Privacy
• 20. Changes to This Policy
• 21. Contact and DPO Information

§ 1. SCOPE AND APPLICATION

This Privacy Policy applies to:

a) All users of the RE::DACT platform, including journalists, editors, researchers, and newsroom staff;

b) Users of the SPARK content discovery tool and RE::CORD voice transcription service;

c) Visitors to our websites and web applications operated by RE::AI;

d) Business customers (newsrooms, media organizations, publishers) who have entered into a subscription agreement with RE::AI;

e) Trial and beta users accessing the Services under a free or limited-access arrangement.

This Policy does not apply to:

• Third-party websites or services linked from our platform;
• Data processed by our customers on their own behalf using our Services (in such cases, the customer is the data controller — see Section 3);
• Publicly available information not collected through our Services.

§ 2. DEFINITIONS

"Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined under GDPR Article 4(1) and applicable US privacy laws.

"Source Data" means any personal data relating to journalistic sources, contacts, or third parties entered into the Services by a user in the course of journalistic work, including data stored via the Placeholder System.

"Placeholder" means a pseudonymous identifier created by a user to replace the real identity of a journalistic source within AI-processed content, as described in Section 9.

"Audit Log" means an immutable record of AI-assisted actions performed within the Services, stored on the Hedera Hashgraph distributed ledger, as described in Section 10.

"AI Services" means the artificial intelligence and machine learning features integrated into RE::DACT, including RE::CHECK (fact-checking), RE::SEARCH (research), RE::DOC (document analysis), and RE::CORD (voice transcription).

"Sub-Processor" means any third-party service provider engaged by RE::AI to process personal data on RE::AI's behalf.

"Services" means the RE::DACT platform, SPARK tool, RE::CORD service, and any associated applications, APIs, and websites operated by RE::AI.

"Beta Phase" means the period during which the Services are provided free of charge for testing and evaluation purposes prior to commercial launch.

§ 3. DATA CONTROLLER / DATA PROCESSOR

3.1 RE::AI as Data Controller

RE::AI acts as a data controller with respect to:

f) Account and registration data of users;

g) Usage, analytics, and platform performance data;

h) Billing and payment information;

i) Communications and support data;

j) Cookie and tracking data collected on our websites.

3.2 RE::AI as Data Processor

Where our customers (newsrooms, media organizations, individual journalists operating under an organizational subscription) upload, enter, or generate content containing personal data of third parties within the Services, RE::AI acts as a data processor on behalf of the customer, who is the data controller.

In such cases, processing is governed by our Data Processing Agreement (DPA), available upon request at privacy@redact.ai, which forms part of the agreement between RE::AI and the customer.

3.3 Source Data — Special Status

Source Data entered via the Placeholder System (see Section 9) is treated with the highest level of protection. RE::AI does not access, analyze, or use Source Data for any purpose other than enabling the user's journalistic workflow within the Services. Source Data is never used to train AI models.

§ 4. CATEGORIES OF PERSONAL DATA WE COLLECT

4.1 Account and Registration Data

• Full name
• Email address
• Password (stored in hashed form only)
• Professional role (journalist, editor, researcher, etc.)
• Organization / newsroom affiliation
• Country of residence / billing country

4.2 Billing and Payment Data

• Billing name and address
• Payment method details (processed exclusively by Stripe Inc.; RE::AI does not store full card numbers)
• Transaction history and subscription status
• VAT/tax identification number (for B2B customers)

4.3 Usage and Platform Data

• Login timestamps and session data
• Features accessed and actions performed within the Services
• Document and project metadata (titles, creation dates, word counts)
• AI mode usage (RE::CHECK, RE::SEARCH, RE::DOC, RE::CORD)
• Error logs and crash reports
• Device type, operating system, browser type and version
• IP address (used for geolocation to determine applicable legal entity and for security purposes)

4.4 Content Data

• Text, documents, audio files, and other content uploaded or created by users within the Services
• Transcriptions generated by RE::CORD
• AI-generated outputs (summaries, fact-check results, research notes)

Note: Content Data may incidentally contain personal data of third parties, including journalistic sources. See Section 9 for Source Data protections.

4.5 Source Data (Placeholder System)

• Pseudonymous identifiers (Placeholders) created by users
• Mapping between Placeholders and real identities, stored exclusively in the user's account and never transmitted to AI processing engines in identifiable form
• Contact metadata associated with Placeholders (role, organization, relationship to story) — stored only if entered by the user

4.6 Communications Data

• Content of support requests, bug reports, and feedback submissions
• Email correspondence with RE::AI
• Responses to surveys or research studies (participation voluntary)

4.7 Audit and Compliance Data

• Immutable records of AI-assisted actions stored on Hedera Hashgraph
• Timestamps, action types, AI model identifiers, and content hashes
• Used for EU AI Act compliance and editorial accountability purposes — see Section 10 for full details

§ 5. HOW WE COLLECT PERSONAL DATA

5.1 Directly from You

• When you register for an account
• When you complete your user profile
• When you create, upload, or edit content within the Services
• When you contact our support team
• When you respond to surveys or participate in beta testing programs
• When you enter billing information for a paid subscription

5.2 Automatically Through Your Use of the Services

• Through server logs recording platform activity
• Through session management systems (Firestore authentication tokens)
• Through performance monitoring tools integrated into the platform
• Through cookies and similar technologies (see Section 17)

5.3 From Third-Party Services

• From Stripe Inc., in connection with payment processing and subscription management
• From Google Authentication services, if you use Google Sign-In
• From your organization's identity provider, if your employer has configured Single Sign-On (SSO) access

5.4 Generated Through AI Processing

• AI-generated outputs created in response to your inputs within the Services (these outputs may contain inferences derived from your Content Data)
• Audit log entries automatically generated upon use of AI features

§ 6. LEGAL BASES FOR PROCESSING (GDPR)

This section applies to users in the European Union, EEA, United Kingdom, and Switzerland.

6.1 Performance of a Contract (Article 6(1)(b))

We process account data, usage data, and billing data to the extent necessary to provide the Services under our Terms of Service, including:

• Creating and managing your account
• Providing access to RE::DACT, SPARK, and RE::CORD features
• Processing payments and managing subscriptions
• Providing customer support

6.2 Compliance with Legal Obligations (Article 6(1)(c))

We process certain data to comply with applicable laws, including:

• Tax and accounting obligations under Polish and EU law
• Compliance with EU AI Act transparency and audit requirements
• Responding to lawful requests from competent authorities

6.3 Legitimate Interests (Article 6(1)(f))

We process certain data based on our legitimate interests, where those interests are not overridden by your rights, including:

• Platform security and fraud prevention
• Improving the reliability and performance of the Services
• Aggregated, anonymized analytics to understand platform usage
• Protection of legal rights and enforcement of our Terms of Service

6.4 Consent (Article 6(1)(a))

Where we rely on consent, we will request it explicitly and separately. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. Consent-based processing includes:

• Non-essential cookies and tracking technologies
• Participation in optional research, surveys, or beta programs
• Marketing communications (if applicable in future)

6.5 Special Categories of Data

RE::AI does not intentionally collect special categories of personal data (Article 9 GDPR) about users. However, users may incidentally include such data in Content Data or Source Data as part of their journalistic work. Such data is subject to the Journalistic Exception described in Section 18 and is treated with enhanced protection.

§ 7. PURPOSES OF PROCESSING

7.1 Service Delivery

Providing, operating, maintaining, and improving the RE::DACT, SPARK, and RE::CORD services; authenticating users; managing sessions; enabling collaboration features within organizational accounts.

7.2 AI Feature Operation

Routing user content to appropriate AI processing engines to deliver requested outputs (fact-checking, research, document analysis, transcription). See Section 8 for full details on AI processing.

7.3 Billing and Subscription Management

Processing payments, managing subscription tiers, issuing invoices, handling refunds, and maintaining financial records as required by law.

7.4 Security and Fraud Prevention

Detecting and preventing unauthorized access, abuse, fraud, and violations of our Terms of Service and Acceptable Use Policy.

7.5 Legal Compliance and Regulatory Obligations

Meeting obligations under GDPR, UK GDPR, EU AI Act, Polish law, US state privacy laws (CCPA/CPRA), and other applicable regulations.

7.6 Audit Trail Maintenance

Creating and preserving immutable records of AI-assisted editorial actions for EU AI Act compliance, editorial accountability, and evidentiary purposes in journalistic workflows.

7.7 Platform Analytics and Improvement

Analyzing aggregated, anonymized usage patterns to improve platform performance, reliability, and user experience. We do not use individual Content Data or Source Data for this purpose.

7.8 Support and Communication

Responding to support requests, providing technical assistance, communicating service updates, planned maintenance, and changes to this Policy or our Terms of Service.

§ 8. AI PROCESSING AND AUTOMATED DECISION-MAKING

8.1 AI Architecture

The Services use a multi-layer AI processing architecture:

Primary AI Provider:
Google Vertex AI (Google Cloud Platform) — Infrastructure located within the European Economic Area (EU regions where available; US-Central1 for non-EU users). Google processes Content Data submitted to AI features on RE::AI's behalf under a Data Processing Agreement.

Fallback AI Providers (activated only when Vertex AI is unavailable):

• Mistral AI S.A.S., Paris, France (EU-based provider) — Processing location: European Union. Activated automatically as first fallback layer.
• OpenAI, L.L.C., San Francisco, California, USA — Activated as secondary fallback when both Vertex AI and Mistral are unavailable. International transfer safeguard: Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c).

8.2 What Data Is Sent to AI Providers

When you use AI features within the Services, the following data is transmitted to the relevant AI provider:

• The text or content you submit for processing (your prompt or document content)
• Contextual instructions generated by RE::AI to configure the AI model's behaviour (system prompts)
• Session identifiers for logging and audit purposes

What is NEVER sent to AI providers:

• Your real name or email address
• Billing or payment information
• The real identity behind any Placeholder (see Section 9)
• Source Data in identifiable form

8.3 AI Training — Prohibition

RE::AI does not permit any external AI provider to use your Content Data, Source Data, or personal data for the purpose of training, fine-tuning, or improving their own AI models. All AI provider agreements include explicit contractual prohibitions on training data use by the provider.

During the Beta Phase, RE::AI may use anonymized and aggregated usage data to improve the performance and accuracy of the Services, strictly in accordance with the separate Beta Testing Data consent described in Section 8.6 below.

8.4 Automated Decision-Making

The Services do not make automated decisions that produce legal effects or similarly significant effects concerning you (within the meaning of GDPR Article 22). All AI outputs are presented as assistance tools for human editorial judgment. The journalist or editor retains full responsibility for all published content.

Where AI outputs include confidence scores, source reliability assessments, or factual verification results (RE::CHECK), these are advisory only and require human review before use.

8.5 EU AI Act Compliance

RE::AI treats its AI features as subject to the transparency and documentation obligations of EU Regulation 2024/1689 (EU AI Act). Users are informed when they interact with AI-generated content. AI model identifiers and action records are preserved in the Audit Trail (Section 10). RE::AI maintains technical documentation as required by applicable provisions of the EU AI Act.

8.6 Data Visibility Matrix

The table below sets out exactly which categories of data are accessible to each party — you as the user, RE::AI as the platform operator, and AI providers — as well as what is recorded on the Hedera Hashgraph public ledger. This table is provided in the interest of full transparency.

Data Element            Storage Location    Visible to   Visible to   Visible to AI   On Hedera
                                            User         RE::AI       Provider        Hashgraph
─────────────────────── ─────────────────── ──────────── ──────────── ─────────────── ─────────────────
Prompt content          Firestore +         Yes          Yes          Yes             SHA-256 hash
(text submitted to AI)  BigQuery                                                      only

Response content        Firestore +         Yes          Yes          Yes             SHA-256 hash
(AI-generated output)   BigQuery                                                      only

User identity           Firestore           Yes          No           No              SHA-256 hash
(account credentials)   (encrypted)                                                   only

Source identity         Firestore           Yes          No           No              Salted hash only
(Placeholder mappings)  (encrypted)

Article content         Firestore           Yes          No           No              SHA-256 hash
(full document text)    (encrypted)                                                   only

AI model used           Firestore +         Yes          Yes          Yes             SHA-256 hash
(provider + version)    BigQuery                                                      only

AI ratio                Firestore           Yes          No           No              SHA-256 hash
(human/AI content %)    (encrypted)                                                   only

Merkle root             Hedera HCS          PUBLIC       PUBLIC       PUBLIC          Plaintext hash
(audit tree root hash)

Canary checkpoint       Hedera HCS          PUBLIC       PUBLIC       PUBLIC          Plaintext hash
(integrity marker)

Consensus timestamp     Hedera HCS          PUBLIC       PUBLIC       PUBLIC          aBFT verified
(aBFT verified time)

Key observations from the table above:

• Prompt content and AI response content are the only categories of substantive data visible to RE::AI and to AI providers. This is technically necessary to route your request to the AI model and to log it for audit purposes.
• Your identity, source identities (Placeholder mappings), full article content, and AI usage ratio are encrypted and accessible only to you. RE::AI cannot access this data.
• Data recorded on the Hedera public ledger consists exclusively of cryptographic hashes — mathematical fingerprints of the data. No readable content, personal data, or source information is ever written to the public ledger.
• Three elements are fully public on Hedera: the Merkle root hash (representing the audit tree), canary checkpoints (integrity markers), and consensus timestamps (aBFT-verified time records). None of these contain personal data.

Important — Prompt Content: Because prompt content is visible to RE::AI and to AI providers, you should not include real names of journalistic sources or other sensitive personal identifiers directly in your prompts. Use the Placeholder System (Section 9) to protect source identities before submitting content for AI processing.

§ 9. SOURCE PROTECTION AND THE PLACEHOLDER SYSTEM

9.1 Purpose

The Placeholder System is a core privacy-by-design feature of RE::DACT, specifically engineered to protect journalistic sources when AI processing is used in the editorial workflow.

9.2 How It Works

k) A user creates a Placeholder — a pseudonymous identifier (e.g., [SOURCE_A], [CONTACT_03]) — to represent a real person whose identity must be protected.

l) The Placeholder identifier is used in all content submitted to AI processing engines. The real identity of the source is never included in any AI prompt or transmitted to any AI provider.

m) The mapping between the Placeholder and the real identity is stored exclusively within the user's account in Firestore, encrypted at rest, and accessible only to the account holder.

n) RE::AI personnel do not have access to Placeholder-to-identity mappings under normal operating conditions.

9.3 Legal Basis for Source Data Processing

Processing of Source Data is based on:

• The journalistic exception under GDPR Article 85 and applicable national law implementing that exception (see Section 18);
• The user's explicit configuration of Placeholder associations, constituting informed consent for storage within the Services.

9.4 Source Data Retention

Source Data is retained for as long as the user's account is active or until the user deletes the relevant Placeholder or contact record. Upon account deletion, all Source Data is permanently erased within 30 days, subject to any legal hold obligations.

9.5 Disclosure of Source Data

RE::AI will not disclose Source Data (including Placeholder-to-identity mappings) to any third party except:

o) Where required by a binding legal order from a competent authority with jurisdiction over RE::AI;

p) In such cases, RE::AI will, to the extent permitted by law, notify the affected user prior to disclosure and provide reasonable opportunity to seek legal protection.

RE::AI will not voluntarily cooperate with requests for Source Data that are not legally compelled.

§ 10. AUDIT TRAIL AND BLOCKCHAIN LOGGING (HEDERA HASHGRAPH)

10.1 Purpose

RE::AI maintains an immutable audit trail of AI-assisted actions performed within the Services. This serves:

q) EU AI Act compliance — transparency and accountability obligations;

r) Editorial integrity — enabling newsrooms to reconstruct the AI-assisted history of any published article;

s) Legal evidentiary purposes — providing verifiable records of when and how AI was used in the editorial process.

10.2 What Is Logged

Each audit log entry records:

• Timestamp (UTC)
• User identifier (pseudonymous account ID, not email address)
• Action type (e.g., AI_FACT_CHECK, AI_RESEARCH, AI_TRANSCRIPTION)
• AI model identifier (provider, model name, version)
• Content hash (cryptographic hash of submitted content — NOT the content itself)
• Output hash (cryptographic hash of AI response)
• Session identifier

What is NOT logged in the audit trail:

• The actual content of documents or prompts
• Personal data of sources or third parties
• Placeholder-to-identity mappings
• User email addresses or billing data

10.3 Hedera Hashgraph Storage

Audit log hashes are written to the Hedera Hashgraph public distributed ledger. This means:

t) Log entries, once written, cannot be altered or deleted by RE::AI or any third party;

u) The transaction record is publicly verifiable on the Hedera network using the transaction ID;

v) Only cryptographic hashes are written to the ledger — no personal data or content is published on-chain.

10.4 Legal Basis for Audit Logging

Processing for audit trail purposes is based on:

• Compliance with EU AI Act obligations (Article 6(1)(c) GDPR);
• RE::AI's legitimate interest in maintaining editorial accountability records (Article 6(1)(f) GDPR);
• Contractual obligations to enterprise customers requiring audit trail functionality.

10.5 Retention of Audit Logs

Audit log entries are retained for a minimum of 5 years from the date of creation, in accordance with EU AI Act documentation requirements and standard journalistic evidentiary practices. Hedera on-chain records are permanent by the nature of the distributed ledger and cannot be deleted.

§ 11. THIRD-PARTY SERVICE PROVIDERS (SUB-PROCESSORS)

RE::AI engages the following third-party sub-processors to deliver the Services. All sub-processors are bound by data processing agreements ensuring GDPR-compliant handling of personal data.

Google Cloud Platform (Google LLC) — Purpose: Infrastructure, hosting, Firestore, BigQuery, Vertex AI (primary AI). Location: EU / US. Safeguard: Google Cloud DPA, SCCs.

Mistral AI S.A.S. — Purpose: Fallback AI processing (activated on Vertex AI unavailability). Location: European Union (France). Safeguard: Mistral DPA, EU-based processing.

OpenAI L.L.C. — Purpose: Secondary fallback AI processing (activated when both Vertex AI and Mistral are unavailable). Location: United States. Safeguard: OpenAI DPA, SCCs.

Stripe Inc. — Purpose: Payment processing, subscription management. Location: United States. Safeguard: Stripe DPA, SCCs, PCI-DSS compliance.

Hedera Hashgraph (Swirlds Labs Inc.) — Purpose: Immutable audit log storage (hashes only). Location: Distributed (global network). Safeguard: Public ledger — hashes only, no personal data on-chain.

RE::AI will provide an updated list of sub-processors upon request at contact@reai-strategy.com. We will notify customers of material changes to sub-processors with at least 30 days' notice where required by applicable data processing agreements.

§ 12. INTERNATIONAL DATA TRANSFERS

12.1 Transfers Within the EEA

Data processed by Google Cloud within EU regions and by Mistral AI (France) remains within the European Economic Area and does not require additional transfer safeguards.

12.2 Transfers to the United States

Transfers of personal data to the United States occur in the following circumstances:

w) When Google Cloud routes processing to US-based infrastructure (applicable to non-EU users by default);

x) When the OpenAI fallback is activated;

y) When Stripe processes payment transactions.

Safeguards in place for US transfers:

• Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR;
• Supplementary technical measures including encryption in transit (TLS 1.2+) and encryption at rest (AES-256);
• Contractual prohibitions on use of transferred data for purposes beyond service delivery.

12.3 Transfer Impact Assessments

RE::AI has conducted Transfer Impact Assessments (TIAs) for all US-based sub-processors and has determined that the SCCs, combined with the technical and organizational measures described in Section 16, provide an essentially equivalent level of protection to that guaranteed within the EEA.

12.4 Users in the United Kingdom

For UK users, transfers are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as applicable, in accordance with UK GDPR requirements.

§ 13. DATA RETENTION

RE::AI retains personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.

13.1 Retention Schedule

Account and Registration Data: Retained for the duration of the active account, plus 3 years following account deletion (for legal claims and dispute resolution).

Content Data: Retained for the duration of the active account. Users may delete individual documents at any time. Upon account deletion, Content Data is erased within 30 days.

Source Data (Placeholder mappings): Retained until the user deletes the relevant record or closes the account. Deleted within 30 days of account closure.

Billing and Payment Data: Retained for 7 years from the date of the last transaction, in accordance with Polish accounting law (Ustawa o rachunkowości) and applicable tax regulations.

Usage and Analytics Data: Aggregated and anonymized within 12 months of collection. Raw usage logs retained for up to 12 months for security and performance monitoring purposes.

Audit Trail Data (Hedera Hashgraph): Minimum 5 years for off-chain records. On-chain hashes are permanent by the nature of the distributed ledger.

Support and Communications Data: Retained for 3 years from the date of the last communication.

Cookie Data: Session cookies deleted upon browser close. Persistent cookies retained per individual cookie lifetime (see Section 17).

13.2 Deletion Process

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymized. Deletion requests submitted by users are processed within 30 days (see Section 14).

§ 14. YOUR RIGHTS

14.1 Rights Under GDPR (EU, EEA, UK, Switzerland)

If you are located in the EU, EEA, United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.

Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure / "Right to Be Forgotten" (Article 17): You have the right to request deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent; you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed. Note: This right does not apply to audit log data retained for EU AI Act compliance or data subject to legal retention obligations.

Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, including while we assess an objection you have raised.

Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit that data to another service provider where technically feasible.

Right to Object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making (Article 22): As stated in Section 8.4, we do not make solely automated decisions with legal or significant effects. You may request human review of any AI-generated output that has affected you.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

14.2 How to Exercise Your Rights

Submit your request by email to: privacy@redact.ai. Include your full name, email address associated with your account, and a description of the right you wish to exercise.

We will respond within 30 days of receipt. We may request verification of your identity before processing the request. In complex cases, the response period may be extended by up to 60 additional days with prior notice.

14.3 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority.

For EU users (primary supervisory authority):
Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — www.uodo.gov.pl

For UK users:
Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — www.ico.org.uk

You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work.

§ 15. CALIFORNIA PRIVACY RIGHTS (CCPA / CPRA)

This section applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

15.1 Categories of Personal Information Collected

In the preceding 12 months, RE::AI has collected the following categories of personal information from California residents:

• Identifiers (name, email address, IP address, account ID)
• Commercial information (subscription records, payment history)
• Internet or other electronic network activity information (usage logs, features accessed, session data)
• Professional or employment-related information (job title, newsroom affiliation)
• Inferences drawn from the above categories (platform usage patterns — aggregated and anonymized only)

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

15.2 Your Rights Under CCPA/CPRA

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.

Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (legal obligations, audit trail retention).

Right to Correct: You have the right to request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing: RE::AI does not sell or share personal information for advertising purposes. No opt-out mechanism is required; however, you may contact us to confirm this at any time.

Right to Limit Use of Sensitive Personal Information: RE::AI does not use sensitive personal information for purposes beyond those permitted under CPRA Section 1798.121.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

15.3 How to Submit a California Privacy Request

Email: contact@reai-strategy.com — Subject line: "California Privacy Request". We will verify your identity and respond within 45 days. The response period may be extended by an additional 45 days with prior notice.

15.4 Authorized Agent

You may designate an authorized agent to submit a request on your behalf by providing written authorization signed by you. We may require direct verification of your identity even when an authorized agent submits a request.

§ 16. SECURITY MEASURES

RE::AI implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.

16.1 Technical Measures

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. All API communications with AI providers use encrypted connections.

Encryption at Rest: All data stored in Google Cloud Firestore and BigQuery is encrypted at rest using AES-256 encryption managed by Google Cloud Key Management Service (KMS).

Authentication: User accounts are protected by secure authentication flows. Passwords are hashed using industry-standard algorithms. We support and recommend multi-factor authentication (MFA) for all accounts.

Access Controls: Access to personal data by RE::AI personnel is restricted on a need-to-know basis. Administrative access requires multi-factor authentication and is logged.

Source Data Isolation: Placeholder-to-identity mappings are stored in isolated Firestore collections with strict access control rules, preventing access by RE::AI operational staff under normal circumstances.

16.2 Organizational Measures

• Regular security training for all personnel with access to personal data;
• Data minimization practices — we collect only data necessary for the stated purposes;
• Privacy by design principles applied in product development;
• Regular review of sub-processor security practices;
• Incident response procedures in place for data breach detection, containment, and notification.

16.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, as required by GDPR Article 34.

§ 17. COOKIES AND SIMILAR TECHNOLOGIES

RE::AI uses cookies and similar technologies (local storage, session storage) to operate and improve the Services. We use four categories of cookies: strictly necessary (no consent required), functional, analytics, and third-party service cookies (all three require your prior consent).

For EU, EEA, and UK users, consent is obtained through a Cookie Consent Banner displayed on first visit, in accordance with the ePrivacy Directive (2002/58/EC) and applicable national law. You may withdraw or update your preferences at any time via the "Cookie Settings" link in the platform footer.

RE::AI does not use advertising cookies, retargeting cookies, or social media tracking pixels of any kind.

Full details — including a complete Cookie Register listing every cookie by name, provider, purpose, duration, and legal basis — are set out in our Cookie Policy.

17.2 Cookie Consent

For users in the EU, EEA, and UK, we present a cookie consent banner upon first visit. You may withdraw or update your cookie preferences at any time via the cookie settings link in the platform footer.

17.3 Third-Party Cookies

RE::AI does not permit third-party advertising networks to place cookies on our platform. Any third-party cookies present are limited to essential service providers (e.g., Stripe payment widgets) necessary to deliver the Services.

§ 18. JOURNALISTIC EXCEPTION (GDPR ARTICLE 85)

18.1 Scope

RE::DACT is designed specifically for journalistic workflows. GDPR Article 85 permits EU Member States to provide exemptions from certain GDPR provisions where personal data is processed for journalistic, academic, artistic, or literary purposes, in order to reconcile the right to data protection with the right to freedom of expression and information.

18.2 Application

Where users process personal data of third parties (including public figures, sources, or subjects of investigation) within the Services for journalistic purposes:

z) RE::AI processes such data as a data processor acting on the instructions of the user (journalist or newsroom), who bears responsibility as data controller for compliance with applicable journalistic exemption provisions;

aa) RE::AI provides technical safeguards (the Placeholder System, source encryption, access controls) to assist users in meeting their obligations under Article 85 and applicable national law;

bb) RE::AI does not provide legal advice on the scope of journalistic exemptions applicable in any specific jurisdiction. Users are responsible for ensuring their processing of third-party personal data complies with applicable law.

18.3 Polish Law Implementation

Under Polish law, the journalistic exception is implemented through Article 5 of the Press Law (Prawo prasowe) and Article 2a of the Act on Personal Data Protection. Users based in Poland should ensure their processing of Source Data is consistent with these provisions.

§ 19. CHILDREN'S PRIVACY

The Services are intended for professional use by individuals aged 16 and older. We do not knowingly collect personal data from individuals under 16 years of age.

If we become aware that we have collected personal data from a person under 16 without appropriate consent, we will take immediate steps to delete that data.

If you believe a person under 16 has provided us with personal data, please contact us at privacy@redact.ai.

Note on EU Member State Age Variations: GDPR Article 8 permits Member States to set the age of consent for information society services at any age between 13 and 16. RE::AI applies a uniform minimum age of 16 across all EU/EEA jurisdictions to ensure consistent protection.

§ 20. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

20.1 Notification of Changes

Material changes: We will notify you by email to the address associated with your account and/or by prominent notice within the Services at least 30 days before the change takes effect.

Minor changes (e.g., clarifications, corrections, updated contact information): We will update the "Last Updated" date at the top of this Policy. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

20.2 Version History

Previous versions of this Privacy Policy are available upon request at contact@reai-strategy.com.

§ 21. CONTACT AND DATA PROTECTION OFFICER INFORMATION

21.1 General Privacy Inquiries

For questions, requests, or concerns regarding this Privacy Policy or our data processing practices:

Email: contact@reai-strategy.com
Response time: Within 5 business days for general inquiries; within 30 days for formal rights requests.

21.2 EU / EEA / UK Representative and DPO

REAI Prosta Spółka Akcyjna
Data Protection Contact
Aleja Jana Pawła II 5/6, 64-920 Piła, Poland
Email: contact@reai-strategy.com

Note: RE::AI will appoint a formal Data Protection Officer (DPO) when required by GDPR Article 37 based on the scale and nature of processing activities. This determination will be reviewed upon commercial launch.

21.3 US Privacy Inquiries

REDACT Inc.
Privacy Team
1111B S Governors Ave STE 99573, Delaware, United States
Email: contact@reai-strategy.com

21.4 Postal Address for Legal Notices

For formal legal notices related to data protection:
REAI Prosta Spółka Akcyjna, Aleja Jana Pawła II 5/6, 64-920 Piła, Poland

END OF PRIVACY POLICY

© 2026 REAI Prosta Spółka Akcyjna / REDACT Inc. All rights reserved.

This document was last reviewed for compliance with: GDPR (EU) 2016/679 | UK GDPR and Data Protection Act 2018 | EU AI Act (EU) 2024/1689 | CCPA as amended by CPRA (California) | Polish Press Law (Prawo prasowe) | Polish Personal Data Protection Act