General terms and conditions

Effective as of 1.9.2023.

1. INTRODUCTORY PROVISIONS

1.1. These GTC are terms and conditions within the meaning of Section 273 of Act No. 513/1991 Coll., as amended (the “Commercial Code”) and apply to all relations between the Provider and the Customer.

1.2. The Customer acknowledges that the Platform shall not be accessed and used for any purpose other than the Customer’s testing and evaluation of the Platform (the “Purpose”), unless specified otherwise in these GTC.

1.3. By accessing and using the Platform, you agree to be bound by these GTC.

2. DEFINITIONS

Other than the terms defined in the body of these GTC, these terms have the following meaning:

“Affiliate”

means any entity under the control of either the Provider or the Customer, where “control” means ownership of or the right to direct greater than 50% of the voting securities of such entity;

“Confidential Information”

means technical and non-technical information including patents, copyright, trade secrets, proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software, source documents, and formulas related to the current, future and proposed products and services, research, experimental work, development, design details and specifications, engineering, and information marked “confidential” or “proprietary” or which the recipient knows or has reason to know that the information shall be deemed confidential; for the avoidance of doubt, this term does not include any information that the receiving party may demonstrate by its written records: (a) was known to it prior to its disclosure by the disclosing party; (b) is or has become known through no wrongful act of the receiving party; (c) has been rightfully received from a third party authorised to make such disclosure; (d) has been independently developed by the receiving party; (e) has been approved for release with the written authorisation of the disclosing party; or (f) has been disclosed by court order or as otherwise required by law, provided that the party required to disclose the information provides prompt notice to enable the other party to seek a protective order or otherwise prevent such disclosure;

“Consumer”

means a natural person, who is acting outside the scope of an economic activity (trade, business, craft, liberal profession);

“Contractor”

means an independent contractor or consultant of the Customer who is not a competitor of the Provider;

“Customer”

means the entity or a natural person accessing and using the Platform;

“Customer Data”

means any data of any type that is submitted to the Services by or on behalf of the Customer, including without limitation data submitted, uploaded, or imported to the Services by the Customer (including from Third-Party Platforms);

“DPA”

means the data processing addendum attached hereto as Exhibit A.

“Feedback”

means comments, questions, suggestions, or other feedback relating to the Services, but excluding any Customer Data;

“GTC”

means these Demonstration General Terms and Conditions;

“Intellectual Property Rights”

include all valid patents, trademarks, copyrights, trade secrets, moral rights, feedback, and other intellectual property rights, as may exist now or hereafter come into existence, and all renewals and extensions thereof, and all improvements to any of the foregoing, regardless of whether any of such rights arise under the laws of any state, country, or other jurisdiction;

“Laws”

mean all applicable local, state, federal, and international laws, regulations, and conventions;

“Permitted User”

means an employee or a Contractor of the Customer or its Affiliate who is authorized to access the Services;

“Personal Data”

means any information about an identified or identifiable natural person (“Data Subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Platform”

means the Provider’s demonstration website, demonstration application or any other demonstration product developed by the Provider to which these GTC apply;

“Provider”

means AID s.r.o., a limited liability company, identification number: 51 852 683, with its registered office at Námestie SNP 3, Bratislava - mestská časť Staré Mesto 811 06, registered in the Commercial Register maintained by the District Court Bratislava I, section Sro, insert no. 130255/B;

“Services”

mean the Provider's proprietary software-as-a-service solution, including all products, services, and software provided by the Provider to the Customer based on these GTC within the Platform;

“Third-Party Platform”

means any software, software-as-a-service, data sources or other products or services not provided by the Provider that are integrated with or otherwise accessible through the Services;

“User Account”

means the account created by the Customer or created for the Customer in order to access and use the Platform.

3. PLATFORM USE CONDITIONS

3.1. Access to the Platform.

3.1.1 The Customer needs to create a User Account to access and use the Platform. The User Account may be deleted by the Customer at any time with the effect set out in section 11 (Termination and Discontinuation).

3.1.2 The Customer may access the Platform and use the Services solely for the Purpose and in accordance with these GTC, the technical user documentation provided with the Services, and any scope of use restrictions designated in these GTC.

3.1.3 The Customer may permit its Affiliates and Contractors to serve as Permitted Users, provided the Customer remains responsible for compliance by such individuals with all the terms and conditions of these GTC, and all use of the Services by such individuals is for the sole benefit of the Customer.

3.1.4 The Customer must have a compatible operating system, compatible web browser and an internet connection to access and use the Services. The cost of the internet connection shall be borne by the Customer in accordance with the contractual relationship between the Customer and its telecommunications operator.

3.1.5 If Customer is given API keys or passwords to access the Services on the Provider's systems, the Customer is solely responsible for and will require that all Permitted Users keep API keys, user ID and password information strictly confidential and not share such information with any unauthorized person. User IDs are granted to individual, named persons, and may not be shared. If the Customer is accessing the Services using credentials provided by a third party (e.g., Google), then the Customer will comply with all applicable terms and conditions of such third-party regarding provisioning and use of such credentials. The Customer will be responsible for all actions taken using its User Account and passwords.

3.1.6 If a Permitted User who has access to a user ID is no longer an employee or a Contractor of the Customer, then the Customer will promptly delete such user ID or otherwise terminate such Permitted User's access to the Services.

3.1.7 Customer is solely responsible for and shall promptly notify the Provider of any actual or reasonably suspected unauthorized use of Customer’s User Account, API keys or passwords, or any other violation or suspected violation of these GTC of which they become aware.

3.1.8 The Customer shall promptly notify the Provider in the event that the Customer becomes aware of or suspects any outage or malfunction of the Platform. The Customer shall provide all necessary assistance to the Provider in repairing the outage or malfunction.

3.2. Protection of the Platform. In relation to the Platform, the Customer shall:

3.2.1 refrain from recording, uploading and transmitting content that is contrary to Laws, good morals or principles of decent behavior;

3.2.2 use the Platform in a manner that does not interfere with its operation, in particular the distribution of malicious code, files, scripts or programs;

3.2.3 use the Platform in a manner that does not cause a burden to other users or the Platform;

3.2.4 use the Platform in accordance with Laws.

3.3. General Restrictions. In relation to the Platform, the Customer will not (and will not permit any third party to):

3.3.1 rent, lease or provide access to the Platform;

3.3.2 sublicense the use of the Services to a third party;

3.3.3 use the Platform to provide, or incorporate the Services into, any product or service provided to a third party;

3.3.4 reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non-public APIs to the Services, except to the extent expressly permitted by Laws (and then only upon advance notice to the Provider);

3.3.5 copy or modify the Platform or any documentation, or create any derivative work from any of the foregoing;

3.3.6 remove or obscure any proprietary or other notices contained in the Platform (notices on any reports or data printed from the Platform); or

3.3.7 publicly disseminate information regarding the performance of the Platform.

4. PROVIDER’S APIs

4.1. If the Provider makes access to any APIs available as part of the Services, the Provider may monitor the Customer's usage of such APIs and limit the number of calls or requests Customer may make if the Provider believes that the Customer's usage is in breach of these GTC or may negatively affect the security, operability or integrity of the Services (or otherwise impose liability on the Provider).

5. APPLICATIONS

5.1. To the extent the Provider provides applications for use with the Services (the “Apps”), subject to all the terms and conditions of these GTC, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license to use the object code form of the Apps internally, but only for the Purpose of these GTC and in accordance with the technical user documentation provided with the Services and these GTC.

6. CUSTOMER DATA

6.1. Data Processing by the Provider. All data processing activities within the Platform will be governed by the DPA, unless otherwise specified in these GTC.

6.2. Rights in Customer Data. As between the parties, the Customer will retain all right, title, and interest (including all Intellectual Property Rights) in and to the Customer Data as provided to the Provider. Subject to the terms of these GTC, the Customer hereby grants to the Provider a non-exclusive, worldwide, royalty-free right to use, copy, store, transmit, modify, and display the Customer Data solely to the extent necessary to provide the Services to the Customer.

6.3. Storage of Customer Data. The Provider does not provide an archiving service and expressly disclaims any obligations with respect to storage.

7. CUSTOMER OBLIGATIONS

7.1 The Customer is solely responsible for the accuracy, content, and legality of all Customer Data. The Customer represents and warrants to the Provider that the Customer has all necessary rights, consents, and permissions to collect, share, and use all Customer Data as contemplated in these GTC (including granting the Provider the rights in Section 6.2 (Rights in Customer Data)) and that no Customer Data will violate or infringe (i) any third party Intellectual Property Rights or publicity, privacy, or other rights, (ii) any Laws, or (iii) any terms of service, privacy policies or other agreements governing Customer's User Account with any Third-Party Platforms. The Customer further represents and warrants that all Customer Data complies with these GTC. The Customer will be fully responsible for all Customer Data submitted to the Services by any Permitted User as if it was submitted by the Customer.

7.2 The Customer agrees to comply with all Laws in its use of the Services. Without limiting the generality of the foregoing, the Customer will not engage in any unsolicited advertising, marketing, or other activities using the Services, including without limitation any activities that violate the Laws.

7.3 The Customer will defend the Provider from and against any claim arising from or relating to any Customer Data, Customer's use of a Third Party Platform, or Customer's use of the Services in violation of Laws and will indemnify and hold the Provider harmless from and against any damages and costs awarded against the Provider or agreed in settlement by the Customer (including reasonable attorneys' fees) resulting from such claim, provided that the Customer will have received from the Provider: (i) prompt written notice of such claim (but in any event notice in sufficient time for the Customer to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense and settlement (if applicable) of such claim; and (iii) all reasonably necessary cooperation of the Provider (at the Customer's expense). Notwithstanding the foregoing sentence, (a) the Provider may participate in the defense of any claim by counsel of its own choosing, at its cost and expense; and (b) the Customer will not settle any claim without the Provider's prior written consent, unless the settlement fully and unconditionally releases the Provider and does not require the Provider to take any action or admit any liability.

7.4 Notwithstanding anything to the contrary herein, the Customer agrees that the Provider may obtain and aggregate technical or other data about Customer's use of the Services, including data derived from the Customer Data, that is non-personally identifiable with respect to the Customer and Customer Data (“Aggregated Anonymous Data”), and the Provider may use the Aggregated Anonymous Data to analyze, improve, support, and operate the Services for any business purpose, including without limitation to generate industry benchmark or best practice guidance, recommendations, or similar reports for distribution to and consumption by the Customer and other Provider customers. For clarity, this Section 7.4 does not give the Provider the right to identify the Customer as the source of any Aggregated Anonymous Data.

8. THIRD-PARTY INTEGRATIONS

8.1. The Services may support integrations with certain Third-Party Platforms. To enable the Services to access and receive Customer's information from a Third-Party Platform, the Customer may be required to input its credentials for such Third-Party Platform. By enabling use of the Services with any Third-Party Platform, the Customer authorizes the Provider to access Customer's accounts with such Third-Party Platform for the purposes described in these GTC. The Customer is responsible for complying with any relevant terms and conditions of the Third-Party Platform and for maintaining appropriate accounts in good standing with the providers of the Third-Party Platforms.

8.2. Customer acknowledges and agrees that the Provider has no responsibility or liability for any Third-Party Platform or how a Third-Party Platform uses or processes Customer Data after such is exported to a Third-Party Platform and Customer, by enabling integration with Third Party Platform, consents to such sharing of Customer Data with Third Party Platform. The Provider cannot ensure that the Services will maintain integrations with any Third-Party Platform and the Provider may disable integrations of the Services with any Third-Party Platform at any time with or without notice to the Customer. For clarity, these GTC govern Customer's use of and access to the Services, even if accessed through an integration with a Third-Party Platform. TO THE EXTENT THE CUSTOMER USES FEATURES IN THE SERVICES THAT INTEGRATE WITH A THIRD-PARTY PLATFORM AND THE CUSTOMER REQUESTS THAT THE PROVIDER INTEGRATE WITH SUCH THIRD-PARTY PLATFORM'S BETA OR PRE-RELEASE FEATURES (the “THIRD-PARTY BETA RELEASES”), THE PROVIDER WILL HAVE NO LIABILITY ARISING OUT OF OR IN CONNECTION WITH THE PROVIDER'S PARTICIPATION IN SUCH THIRD-PARTY BETA RELEASES OR CUSTOMER'S USE OF SUCH INTEGRATED FEATURES.

9. OWNERSHIP

9.1. The Customer acknowledges that it is obtaining only a limited right to the Services and that irrespective of any use of the words “purchase”, “sale”, or like terms in these GTC, no ownership rights are being conveyed to the Customer.

9.2. The Customer agrees that the Provider or its suppliers retain all right, title, and interest (including all Intellectual Property Rights) in and to the Services and all technical user documentation provided with the Services and all related and underlying technology and documentation and any derivative works, modifications or improvements of any of the foregoing, including Feedback (collectively, the “Provider's Technology”).

9.3. Except as expressly set forth in these GTC, no rights in the Services are granted to the Customer.

9.4. Subject to all the terms and conditions in these GTC, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license to use the Platform solely for the evaluation and testing purposes.

9.5. The Customer may, from time to time, submit Feedback to the Provider. The Provider may freely use or exploit Feedback in connection with the Services and may also disclose such Feedback to third parties. The Provider shall not disclose the name of the Customer in any use or exploitation of the Feedback.

9.6. Provider does not monitor what information other Customers upload in the Platform. In the event that the Customer believes that any content found in the Platform infringes their Intellectual Property Rights, the Customer shall notify Provider together with information proving their claim, namely:

9.6.1. identification and contact details of the Customer;

9.6.2. description of the work, the Intellectual Property Rights that the Customer claims to have been infringed;

9.6.3. description of where infringing content is located in the Platform, and;

9.6.4. identification of the person who infringes Intellectual Property Rights (to the extent known to the Customer).

9.7. If the Provider determines that Intellectual Property Rights are being infringed, Provider will remove the infringing content from the Platform or prevent access thereto at its discretion.

10. FEES & PAYMENT

10.1. The access to Platform and use of Services are provided to Customer at no charge.

11. TERMINATION AND DISCONTINUATION

11.1. The Customer may terminate the contractual relationship established between the parties governed by these GTC at any time by deleting its User Account.

11.2. The Provider may terminate the contractual relationship established between the parties in the event of any breach of the provisions of these GTC by the Customer by deleting Customer’s User Account.

11.3. The Provider may discontinue the provision of the Services in whole or in part at any time by notifying the Customers.

11.4. Upon termination or discontinuation of the Services pursuant to this section 11, the Customer shall cease all use of the Services, and shall promptly return all copies of Provider's Technology or otherwise destroy those copies and provide assurances (signed by an officer of the Customer) to the Provider that it has done so if requested by the Provider.

12. CONFIDENTIAL INFORMATION

12.1. Each party (as “Receiving Party”) agrees that all code, inventions, know-how, business, technical and financial information it obtains from the disclosing party (the “Disclosing Party”) constitute the confidential property of the Disclosing Party (the “Confidential Information”), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure.

12.2. Any Provider's Technology, performance information relating to the Services, and the terms and conditions of these GTC will be deemed Confidential Information of the Provider without any marking or further designation. Except as expressly authorized herein, the Receiving Party will (1) hold in confidence and not disclose any Confidential Information to third parties and (2) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under these GTC.

12.3. The Receiving Party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including the Provider's Affiliates and the subcontractors referenced in Section 15.7 (Subcontractors)), provided that such representatives are bound to confidentiality obligations no less protective of the Disclosing Party than this Section 12 and that the Receiving Party remains responsible for compliance by any such representative with the terms of this Section 12.

12.4. The Receiving Party's confidentiality obligations will not apply to information that the Receiving Party can document: (i) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (ii) is or has become public knowledge through no fault of the Receiving Party; (iii) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (iv) is independently developed by employees of the Receiving Party who had no access to such information.

12.5. The Receiving Party may make disclosures to the extent required by law or court order, provided the Receiving Party notifies the Disclosing Party in advance and cooperates in any effort to obtain confidential treatment, unless such a notification is prohibited by the Laws.

12.6. The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law. This confidentiality obligation applies for 5 (five) years following the initial date of disclosure of Confidential Information.

13. DISCLAIMER OF WARRANTIES, LIMITATION OF LIABILITY AND INDEMNIFICATION

13.1. THE PLATFORM AND THE SERVICES ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, THE PROVIDER, ITS AFFILIATES AND PROVIDER’S SUBCONTRACTORS MAKE NO WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE PLATFORM OR SERVICES AND DISCLAIM ALL WARRANTIES INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY AND NON-INFRINGEMENT. THE PROVIDER DOES NOT WARRANT THAT THE PLATFORM WILL BE ACCURATE, ERROR FREE, AND THE USE OF THE PLATFORM UNINTERRUPTED, OR THAT ANY CONTENT WILL BE SECURE OR NOT LOST OR ALTERED.

13.2. NEITHER PARTY (NOR ITS AFFILIATES) SHALL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THE AGREEMENT GOVERNED BY THE GTC FOR ANY LOSS OF USE, LOST DATA, LOST PROFITS, FAILURE OF SECURITY MECHANISMS, INTERRUPTION OF BUSINESS, OR ANY INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. IF THE CUSTOMER IS IN THE EUROPEAN ECONOMIC AREA, REFERENCES TO “INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES” SHALL ALSO MEAN ANY LOSSES OR DAMAGES WHICH: (A) WERE NOT REASONABLY FORESEEABLE BY BOTH PARTIES; (B) WERE KNOWN TO THE CUSTOMER BUT NOT TO THE PROVIDER; OR (C) WERE REASONABLY FORESEEABLE BY BOTH PARTIES BUT COULD HAVE BEEN PREVENTED BY THE CUSTOMER SUCH AS, FOR EXAMPLE, LOSSES CAUSED BY VIRUSES, MALWARE, OR OTHER MALICIOUS PROGRAMS, OR LOSS OF OR DAMAGE TO CUSTOMER DATA.

13.3. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PROVIDER, ITS AFFILIATES AND ITS SUBCONTRACTORS SHALL NOT BE LIABLE TO THE CUSTOMER FOR ANY EXPENSES, COSTS, CLAIMS OR FINES ARISING FROM OR CONNECTED TO THE AGREEMENT GOVERNED BY THE GTC, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR OTHERWISE AND REGARDLESS OF THE THEORY OF LIABILITY. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF THE PROVIDER, ITS AFFILIATES AND PROVIDER’S SUBCONTRACTORS EXCEED ONE HUNDRED EUROS (EUR 100.00).

13.4. The Customer shall defend and fully indemnify the Provider, Provider’s Affiliates, and Provider’s Sub-processors against all costs, expenses, damages and losses, including any interest, fines, legal and other professional fees and expenses arising from or connected to the Customer’s breach of the agreement governed by the GTC.

14. ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO CONSUMERS

14.1. The additional terms and conditions. These additional terms and conditions set out in this section 14 of these GTC shall apply when the Platform is used by Consumer. The other terms and conditions contained in these GTC shall apply only to the extent that they do not conflict with this section 14 and any Laws, including, but not limited to the consumer protection legislation.

14.2. Data processing. The protection and processing of Consumer’s Personal Data is subject to Provider’s Privacy Policy, which is available in the Platform.

14.3. Heirs and Assigns. The contractual relationship established between the Provider and a Customer that is a Consumer governed by these GTC terminates upon the death of the Consumer. These GTC will not inure to the benefit of, and will not be enforceable by, Consumer’s administrators of last will, successors and heirs.

14.4. Contractual relationship. The Consumer is entering into a contractual relationship with the Provider by creating a User Account and accepting these GTC in the Platform.

14.5. Right to withdraw. The Consumer is entitled to withdraw from the contractual relationship with the Provider within fourteen (14) days following the day of the conclusion of the contractual relationship. The Consumer may withdraw from the contractual relationship with the Provider by sending the withdrawal to hallo@aidental.ai. A sample withdrawal form is attached hereto as Exhibit B.

14.6. Access to the Platform. Only natural persons over the age of 18 are entitled to create a User Account. By creating a User Account, the Consumer declares that:

14.6.1. the Personal Data that Consumer provides when creating a User Account are true, accurate, current and complete in all respects;

14.6.2. Consumer will promptly notify the Provider of any changes to the Personal Data by changing the Personal Data in the User Account or by sending an email to consent@aidental.ai;

14.6.3. Consumer will not impersonate another person or entity or use a false name or a name that Consumer is not authorized to use;

14.6.4. Consumer does not intend to create a User Account to harm the Provider (e.g. by using its knowledge of the Platform with a competitor or by creating a similar product).

14.7. In accordance with Article 14 of EU Regulation 524/2013 on online dispute resolution for consumer disputes, amending EC Regulation 2006/2004 and Directive 2009/22/EC, the Consumer has the right to exercise his or her rights and claims under these GTC with the Provider through online alternative dispute resolution (“ODR”). ODR is provided through a platform operated by the European Commission. The Customer, who is a Consumer, is entitled to use the ODR platform for dispute resolution in the language of their choice. The ODR platform is accessible online at https://webgate.ec.europa.eu/odr/main/index.cfm?event=main.home.chooseLangu

14.8. The Consumer may resolve their disputes in accordance with EU Directive 2013/11/EU on alternative dispute resolution for consumer disputes and amending Regulation (EC) 2006/2004 and Directive 2009/22/EC (“ADR”). You can find your country's dispute resolution body here: https://ec.europa.eu/consumers/odr/main/?event=main.adr.show2&lng=EN

14.9. The Consumer has the right to contact the Provider for redress if he or she is dissatisfied with the manner in which the Provider has handled his or her complaint, or if the Consumer believes that the Provider has violated his or her rights, by sending an email to consent@aidental.ai.

14.10. The Consumer also has the right to file a complaint with the Slovak Trade Inspection or other relevant authority which can be found here: https://ec.europa.eu/consumers/odr/main/?event=main.adr.show2 .

15. FINAL PROVISIONS

15.1. Assignment. These GTC will bind and inure to the benefit of each party's permitted successors and assigns. Neither party may assign these GTC without the advance written consent of the other party, except that either party may assign these GTC in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party's assets or voting securities. Any attempt to transfer or assign these GTC except as expressly authorized under this Section 15.1 will be null and void.

15.2. Severability. If any provision of these GTC will be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that these GTC will otherwise remain in effect.

15.3. Governing Law and Dispute Resolution.

15.3.1. These GTC are construed and governed by the Laws of the Slovak Republic and without reference to applicable jurisdiction's conflict of laws principles.

15.3.2. All disputes arising out of or in connection with these GTC, including disputes concerning the existence, validity or termination of these GTC or the consequences of its invalidity, shall be decided exclusively by the competent courts in the Slovak Republic in Bratislava.

15.4. Notices. Any notice or communication required or permitted under these GTC will be in writing and sent, in the case of the Customer, to the email address connected to the User Account of the Customer; and, in the case of the Provider, to hallo@aidental.ai. The notice will be deemed to have been received by the next business day after transmission.

15.5. Amendments; Waivers. Provider may, at its sole discretion, issue a new version of these GTC. The Provider shall notify the Customer by publishing the amended version of these GTC on the Platform or by emailing it to the Customer. The amended GTC shall come into effect by no later than thirty (30) days after such notification is given. If the Customer continues to use the Services, the Customer is deemed to have accepted the amended GTC. No waiver will be implied from conduct or failure to enforce or exercise rights under these GTC, nor will any waiver be effective unless in a writing signed by a duly authorized representative on behalf of the party claimed to have waived.

15.6. Entire Agreement. The agreement governed by these GTC constitutes the entire agreement between parties with respect to the subject matter hereof and supersedes all previous proposals, both oral and written, negotiations, representations, commitments, writings and all other communications between the parties.

15.7. Subcontractors. The Provider may use the services of subcontractors and permit them to exercise the rights granted to the Provider in order to provide the Services under these GTC, provided that the Provider remains responsible for (i) compliance of any such subcontractor with the terms of these GTC, (ii) for the overall performance of the Services as required under these GTC and (iii) compliance with the terms of the DPA.

15.8. Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under these GTC (except for a failure to pay fees) if the delay or failure is due to unforeseen events that occur after the signing of these GTC and that are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license by a government agency. The following events shall always be considered Force Majeure with respect to Provider: (i) power failure; (ii) natural disaster; (iii) failure or delay of telecommunications networks, internet, hosting, hardware, software; (iv) damage to Provider's systems and infrastructure, including viruses and cyber attacks.

15.9. Independent Contractors. The parties to these GTC are independent contractors. There is no relationship of partnership, joint venture, employment, franchise, or agency created hereby between the parties. Neither party will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent.


Exhibit A

Data processing addendum

(“DPA”)


1. INITIAL PROVISIONS


This Data Processing Agreement with its Exhibits (the “DPA”) is entered into by and between the Customer (the “Controller”) and the Provider (the “Processor”).


(The Controller and the Processor jointly hereinafter referred to also as the “Parties” and individually as the “Party”)


The "Effective Date" of this DPA is the date when the Customer initially accesses any Services based on the GTC, whereas the DPA is an integral part of the GTC.


2. DEFINITIONS


For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the GTC.


These terms have the following meaning:


"CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA. The terms "business", "service provider" and "sale" have the same meanings given to them under the CCPA.


"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Provider under this DPA.


"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data: (i) EU Data Protection Law, (ii) UK Data Protection Law, (iii) CCPA and any national data protection laws made under the CCPA, (iv) any other law applicable for the provision of the Services.


"EU Data Protection Laws" mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). Terms "Controller", "Processor", "Process", "Processing", and "Data Subject" shall have the same meanings given to them under the GDPR.


"Restricted Transfer" means a transfer of Personal Data from the European Union/EEA to any other country which is not subject to adequacy regulations pursuant to Article 45 of Regulation (EU) 2016/679.


“Sensitive Personal Information” means any of the following: (i) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), if applicable; or (ii) any other personal data of an EU citizen deemed to be in a “special category” (as identified in the GDPR or EU Data Protection Laws).


"Sub-processor" means any third party engaged by the Provider to assist in fulfilling its obligations with respect to providing the Services and that processes Personal Data as Processor.


"Standard Contractual Clauses" means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCC"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCC").


“Swiss Data Protection Law” means in respect to Switzerland (i) the Swiss Federal Act of June 1992 on Data Protection (“FADP”), (ii) the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993 and (iii) the revised FADP from the point the revised FADP enters into force.


"UK Data Protection Law" means: (i) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case, as may be amended or superseded from time to time.


3. PROVIDER'S OBLIGATIONS


3.1. Roles. For the purposes of the GDPR and similar Data Protection Legislation, Customer (or third party on whose behalf Customer is authorized to instruct the Provider) is the Controller of Customer Data that are Personal Data, and the Provider shall process Personal Data as a Processor (or sub-Processor, as applicable to Customer's use of the Services); and for the purposes of the CCPA (to the extent the CCPA is applicable), Customer is the business and the Provider is the service provider.


3.2. Permitted Purposes. The Provider shall Process Personal Data for the purposes described in Annex A and in accordance with Customer's documented lawful instructions included in this DPA ("Permitted Purposes"), except where otherwise required by laws that are compatible with applicable Data Protection Legislation. In particular and to the extent the CCPA is applicable, Customer's transfer of Personal Data to the Provider is not a sale, and the Provider provides no monetary or other valuable consideration to Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 3.2 constitutes the certification from the Provider to the Processing instructions herein. The Provider is obliged at all times to process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.


3.3. Processing Instructions. The Provider shall inform Customer if it becomes aware that Customer's processing instructions infringe Data Protection Legislation. If the Provider is unable to process Personal Data in accordance with the Customer's documented lawful instructions, the Provider is obliged to promptly notify Customer of its inability to comply.


3.4. Security Measures. The Provider shall implement and maintain appropriate technical and organizational measures to protect all Customer Data, including Personal Data, against Data Breaches and to ensure its security, integrity, and confidentiality. In determining the appropriateness of such measures, the Provider shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk to the rights and freedoms of natural persons, considering the likelihood and severity of such risks. At a minimum, the Provider shall implement the measures set out in Annex C of this DPA.


3.5. Access and Confidentiality. The Provider shall ensure that any person authorised by the Provider to process the Personal Data (including the Provider's staff, agents and sub-processors) ("Personnel") is subject to appropriate confidentiality obligations (whether contractual or statutory), has received proper training and is informed of the confidential nature of the Personal Data and their related obligations. Personnel shall only have access to Personal Data on a need-to-know basis. The Provider shall ensure that Personnel process the personal data only as necessary for the Permitted Purposes.


3.6. Data Returns and Deletion. Upon the Customer's written request and upon termination or discontinuation of the Services under the GTC, the Provider will make every effort to destroy all Customer Data in accordance with the conditions defined in the GTC. The Customer acknowledges and agrees that any data that cannot be returned, destroyed or deleted will remain confidential, in accordance with the terms of this DPA and the GTC.


4. AUDIT RIGHTS


4.1. Right to conduct audits. The Customer shall have the right to conduct an audit to verify the Provider's compliance with the obligations set out in Article 28 of the GDPR (if applicable) and in this DPA. The Provider shall allow the Customer to carry out the audit if: (i) the Customer requests the audit in writing at least 30 days in advance; (ii) the Customer specifies the audit agenda in the request; (iii) the audit takes place no more than once a year; (iv) the Customer reimburses the Provider for all associated costs and expenses on demand; and (v) the audit lasts no longer than the equivalent of one working day (eight hours) for a Provider representative. At the Customer's request, the Provider will provide an estimate of the costs it expects to incur during the audit, according to the agenda specified by the Customer. During the audit, the Provider will only provide the Customer with information and access relating solely to their personal data. The Customer undertakes to comply with all security and organisational instructions given by the Provider, and to enter into a non-disclosure agreement (NDA) with the Provider for audit purposes.


4.2. Independent Auditor. If the Customer requests an audit by an independent third party, the Provider may object to an auditor appointed by the Customer if, in the Provider's reasonable opinion, the auditor is not suitably qualified or independent, is a competitor of the Provider, or is otherwise manifestly unsuitable. In this case, the Customer must appoint another auditor. The conditions set out in clause 4.1 also apply to the independent auditor, and the Customer undertakes to ensure compliance with these restrictions.


5. CUSTOMER’S OBLIGATIONS


5.1. Customer’s Processing of Personal Data. When using the Services, the Customer must process personal data in accordance with Data Protection Legislation and other relevant legislation. The Customer is solely responsible for the accuracy, quality and legality of the Personal Data processed, including how it was acquired and provided to the Provider.


5.2. Customer’s Compliance. The Customer agrees that: (i) it shall comply with its obligations as a controller under Data Protection Legislation in respect of its processing of Personal Data and any processing instructions it issues to the Provider; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorisations (as applicable) for the Provider to process Personal Data for the permitted purposes; (iii) it is responsible for providing any notices required by Data Protection Legislation and other relevant legislation to its Permitted Users and other relevant data subjects regarding the processing of their Personal Data by the Provider; (iv) it has fulfilled (or shall fulfil) all registration or notification obligations under Data Protection Legislation and other relevant legislation; (v) it is responsible for the integrity, security, maintenance and appropriate protection of Personal Data under its control.


5.3. Technical and Organizational Measures. The Customer is responsible for the secure use of the Services, including securing user IDs and passwords, and protecting the security of Personal Data when it is being sent to and from the Services. The Customer is also responsible for the use of the Services by any person authorised by the Customer to access or use the Services, and by any person who gains access to Personal Data or the Services as a result of the Customer's failure to use reasonable security precautions, even if the Customer did not authorise such use. The Customer agrees to notify the Provider immediately upon becoming aware of any unauthorised use of the Services or any other security breach involving the Services.


6. COOPERATION


6.1. Data Subject Rights. If the Customer is unable to access the relevant Personal Data within the Services independently, the Provider shall provide assistance, taking into account the nature of the processing, in order to reasonably cooperate with the Customer to: (i) respond to any requests from a data subject seeking to exercise any of their rights under Data Protection Legislation (including their rights of access, correction, objection, erasure and data portability, as applicable); (ii) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data (collectively 'Correspondence').

If any Correspondence is sent directly to the Provider, the Provider shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If the Provider is required to respond to such Correspondence, they shall promptly notify the Customer and provide them with a copy of the request, unless they are legally prohibited from doing so.


6.2. Data Protection Impact Assessment. To the extent required by the Data Protection Legislation, the Provider will cooperate reasonably with the Customer to enable them to carry out data protection impact assessments or prior consultations with the data protection authorities, as required by the Data Protection Legislation. The Provider shall provide assistance in accordance with the previous sentence if the Customer does not already have access to the information required to perform a data protection impact assessment.


6.3. Request for Disclosure. The Provider must promptly notify the Customer of any legally binding request for disclosure of Personal Data by a judicial or regulatory authority, unless prohibited by law (such as the obligation under criminal law to preserve the confidentiality of a judicial inquiry), and assist the Customer accordingly (at the Customer's expense).


7. SECURITY INCIDENTS


7.1. Data Breach. Upon becoming aware of a Data Breach, the Provider shall promptly notify the Customer and shall provide any information or cooperation that the Customer reasonably requires to fulfil their data breach reporting obligations under Data Protection Legislation. This includes information about the type of data affected and the identity of the affected person(s), as soon as this information becomes available to the Provider.



7.2. No acknowledgement. The Parties agree that any notification provided by the Provider to the Customer in relation to a Data Breach shall not be construed as an acknowledgement of fault or liability.


7.3. Further Conduct. The Provider shall use commercially reasonable efforts to remediate or mitigate the effects of any Data Breach and shall provide the Customer with periodic updates on significant developments relating to such Data Breach, provided it is reasonably practicable and permitted by applicable law.


7.4. Cooperation. If a Data Breach is caused or materially contributed to by the Customer, the Provider will cooperate with the Customer in investigating the Data Breach, provided that the Customer compensates the Provider for its expenses and costs.


8. SUB-PROCESSING


8.1. Authorized Sub-processors. The Customer provides a general authorization for the Provider to engage Sub-processors to process Personal Data on Customer's behalf. The Sub-processors currently engaged by the Provider are listed in Annex B.


8.2. New Sub-processors. The Provider shall provide the Customer with at least ten (10) days' written notice of the engagement of any new sub-processor, including details of the processing and location.


8.3. Objections. If the Customer has a reasonable and substantiated objection to the appointment of a new sub-processor, it shall notify the Provider in writing at consents@aidental.ai within ten (10) calendar days of receipt of the Provider’s notice regarding such sub-processor. The Parties shall engage in good faith discussions to resolve the objection. If no resolution is reached, the Customer may, as its sole and exclusive remedy, terminate the applicable Services under the GTC with respect only to the Services impacted by the new sub-processor, provided that (a) such termination is based on objectively reasonable grounds directly related to data protection concerns, and (b) the Customer shall not be entitled to any refund of fees paid or payable prior to the effective date of termination. Failure to provide a written objection within the aforementioned period shall constitute the Customer’s deemed consent to the engagement of the new sub-processor and a waiver of any right to object.


8.4. Liability for sub-processors. The Provider shall remain responsible for the performance of its obligations under this DPA, including in relation to the acts, errors, or omissions of its Sub-processors in accordance with the terms herein. Any such liability shall be subject exclusively to the limitations and exclusions of liability set forth in Section 10 of this DPA and the GTC, including any applicable aggregate financial cap. For clarity, Section 13 of the GTC (DISCLAIMER OF WARRANTIES, LIMITATION OF LIABILITY AND INDEMNIFICATION) shall not apply to the extent inconsistent with this DPA, and no broader liability shall arise beyond the scope expressly provided herein.


9. DATA TRANSFERS


9.1. International Data Transfers. The Provider shall implement appropriate safeguards, in accordance with applicable Data Protection Legislation, to facilitate the lawful processing and transfer of Personal Data to territories outside the jurisdiction in which such Personal Data was initially collected, to the extent required under such legislation.


9.2. Application of Standard Contractual Clauses. The Parties agree that, to the extent that the transfer of Personal Data from the Customer to the Provider constitutes a Restricted Transfer under EU Data Protection Laws or UK Data Protection Laws, and such laws require the implementation of appropriate safeguards, the transfer shall be governed by the EU SCC and/or UK SCC, which shall be incorporated by reference into and form an integral part of this DPA.


9.3. EU Data. For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):

a) Where the Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where the Customer is a Processor acting on behalf of third-party Controllers, Module 3 (Processor to Processor Clauses) will apply;

b) in Clause 7 (Docking Clause), the optional docking clause will apply;

c) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 8.2 of this DPA and the period for notification of objections in Section 8.3 of this DPA;

d) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;

e) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCC will be governed by Slovak law;

f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Slovak Republic.


9.4. UK Data. For the purposes of Personal Data that is subject to the UK Data Protection Laws ("UK Data"), the EU SCC will also apply in accordance with paragraphs 9.3.a) to 9.3.d) above, with the following modifications:

a) references to "Regulation (EU) 2016/679" shall be interpreted as references to UK GDPR;

b) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK GDPR;

c) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" and "UK law";

d) the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK from the possibility of suing for their rights in their place of habitual residence (i.e., the UK);

e) Clause 13(a) of the EU SCC and Part A3 of Annex A of the DPA are not used and the "Supervisory authority" is the UK Information Commissioner's Office;

f) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales";

g) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales;

h) with respect to transfers to which UK GDPR applies, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts"; and

i) unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR, the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes A, B and C (as applicable).


9.5. Swiss Data. For the purposes of Personal Data that is subject to the Swiss Data Protection laws, the EU SCC will also apply in accordance with paragraphs 9.3.a) to 9.3.d) above, with the following modifications:

a) Now therefore, for transfers from Switzerland, references to the GDPR will mean the Swiss Federal Act on Data Protection, references to the EU or Member States will mean Switzerland, and references to a supervisory authority will mean the Federal Data Protection and Information Commissioner (FDPIC). To the extent any Transfer or processing of Personal Data by Provider takes place in any other country (except if in an Adequate Country) and is subject to Swiss Data Protection Law, the Parties agree that, with respect to the transfer of Personal Data from Switzerland by Provider, the EU SCCs set forth above to this DPA will apply in respect of that processing and Provider is the 'data importer' and will comply with the obligations of the 'data importer' accordingly and Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' accordingly.

b) References to the “EU”, “Union”, “Member State” and “Member State Law” shall be interpreted as references to Switzerland and Swiss Law as the case may be and references to data subjects shall include data subjects in Switzerland who are not excluded from the possibility of exercising their rights in Switzerland in accordance with 18(c) of the EU SCCs.

c) References to “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection Information.


10. LIMITATION OF LIABILITY


10.1. Limitation of Liability. The liability of each Party, including its affiliates and subcontractors, under this DPA shall be subject to the limitations and exclusions of liability, including any aggregate financial cap, as set forth in the GTC. For the avoidance of doubt, nothing in the GTC or this DPA shall be construed to expand either Party’s liability beyond what is required under the Standard Contractual Clauses, where and to the extent they are applicable, nor shall this DPA create any additional third-party beneficiary rights for data subjects beyond those expressly granted under applicable law.


11. FINAL PROVISIONS


11.1. Third-Party Beneficiaries. Data Subjects are the sole third-party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to this DPA, unless specified to the contrary in the GTC.


11.2. Acknowledgement. The Customer acknowledges and agrees that, in connection with the provision of Services under the GTC, the Provider may process Customer Data for its own legitimate purposes, including but not limited to service improvement, AI learning, monetization, and scientific research, relying on an appropriate legal basis under applicable Data Protection Legislation, including the consent of Data Subjects where required. Such processing may be carried out by the Provider acting as an independent data controller, or, where applicable, in a joint controllership arrangement with a third party. The Parties acknowledge that this additional processing falls outside the scope of this DPA and shall be governed solely by the Provider’s privacy policy or the applicable privacy notice of the relevant third party. The Provider shall remain solely responsible for such processing to the extent it acts as a data controller.


11.3. Severability. If any provision of this DPA is deemed unenforceable or invalid by a court of competent jurisdiction, it will be amended to the minimum extent necessary to ensure that the remainder of the DPA remains enforceable.


11.4. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the GTC, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.


11.5. Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.


11.6. Amendments and Waivers. No supplement, modification or amendment to this DPA will be binding unless it is in writing and signed by an authorised representative of each Party to this DPA. No waiver will be implied from conduct or failure to enforce or exercise rights under the DPA. No waiver will be effective unless it is in writing and signed by an authorised representative of the Party claimed to have waived the right. No provision of any purchase order or other business form used by the Customer, including SCCs, will take precedence over the terms and conditions of this DPA.


11.7. Term. This DPA shall remain in force for the duration of the contractual relationship between the Parties, as set out in the GTC, plus the period from the termination of this relationship or the discontinuation of the Services, as set out in section 11 (Termination and Discontinuation) of the GTC, until the Provider ceases to process Personal Data on behalf of the Customer.


Annex A
Description of the Processing Activities / Transfer

Annex A(1) List of Parties:

Data Exporter

Name: Customer, as identified in the GTC
Address: As identified in the GTC and provided by the Customer
Contact details: As provided by the Customer in line with GTC
Activities relevant to the transfer: See Annex A(2) below
Role: Controller

Data Importer

Name: Provider, as identified in the GTC
Address: Námestie SNP 3, 811 06 Bratislava, Slovakia
Contact details: privacy@aidental.com
Activities relevant to the transfer: See Annex A(2) below
Role: Processor

Annex A(2) Description of Transfer

Description

Categories of data subjects:

Customers, Permitted Users, third parties whose Personal Data is uploaded to the Platform by the Customer (e.g. patients)

Categories of personal data:

  • Name, surname and e-mail of Customer and its Permitted User
  • Pseudonymized health related data including scans of the oral cavity, diagnoses, age, gender, ethnicity and other personal data of third parties provided by the Customer while using the Services
  • The identification number assigned to the third party by the Customer or Permitted User while using the Services

Sensitive data:

Biometric data, health data (oral cavity scans and diagnoses), information about ethnicity

Frequency of the transfer:

Transfers are ongoing, depending on the Customer's use of the Services.

Nature and subject matter of processing:

The Personal Data may be subject to the following processing activities that are necessary for the Provider to provide the Services (including technical support provided on a case-by-case basis) to the Customer:

  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure/dissemination, restriction, erasure or destruction.

Duration of the processing:

During the existence of the contractual relationship between the Parties, as set out in the GTC, and for a longer period if required by applicable law.

Purpose(s) of the data transfer and further processing:

Personal data will be processed for the purposes of cooperation between the Parties and the provision of the Services by the Provider to the Contractor under the GTC.

Retention period:

Personal data will be retained until the cooperation between the Parties is terminated or until the Provider ends the provision of Services, whichever is longer, unless otherwise required by the applicable law.

 

Annex A(3): Competent supervisory authority

With respect to EU Data the competent supervisory authority is The Office for Personal Data Protection of the Slovak Republic (the "Supervisory Authority").

 

Annex B
Approved Sub-processors

Microsoft Corporation Inc., seated at Redmond, Washington, USA

Hosting the Provider, cloud services for the Provider, analytical tools

Büro Milk s.r.o., seated at Klemensova 4, 811 09 Bratislava - Staré Mesto, Slovakia

Marketing services and personalized content creation

PS: Digital, s.r.o., seated at Šustekova 5, 851 04 Bratislava – Petržalka, Slovakia

Marketing services, personalized content and other marketing distribution

khn, s.r.o., seated at Fraňa Kráľa 23, 811 05 Bratislava - Staré Mesto, Slovakia

Design and survey services

Aston ITM, spol. s r.o., seated at nám. SNP 3, 811 06 Bratislava, Slovakia

IT support and development services

Curaden AG, Amlehnstrasse 22, 6010 Kriens, Switzerland

Provision of access to dental student associations.

CVAT.ai Corporation, 268 Bush Street, Suite 350, San Francisco, CA 94104, USA

Data annotation, labelling and collaboration across AI Development team.

Kempelen Institute of Intelligent Technologies, Sky Park Offices, Bottova 2A, 811 09, Bratislava, Slovakia

Data science services, consultancy of AI models training and development support.


Annex C
Technical and Organizational Measures

 

The technical and organisational measures implemented by the Provider to ensure an appropriate level of security, while taking into account the nature, scope, context, and purposes of the processing, and the risks to the rights and freedoms of individuals, are as follows:

 

Type of measure

Implemented measure

Measures of pseudonymisation and encryption of personal data

  • All personal data should be encrypted during transmission and while at rest.
  • The Provider should use pseudonymization and anonymization techniques to protect the data. These techniques can remove or replace identifiers to render the data less identifiable.

Measures for ensuring ongoing confidentiality of processing systems and the Services

  • Role-Based Access Control (RBAC): System access limited to authorized users via roles based on job functions, enhancing data confidentiality.

Measures for ensuring ongoing integrity of processing systems and the Services

  • Data Integrity Checks: Regular data validation and checksum techniques deployed to detect and correct any inaccuracies, preserving the consistency and accuracy of data over its entire lifecycle.
  • System Update and Patch Management: Regular system updates and patches applied promptly to fix vulnerabilities, ensuring the integrity and secure functioning of all processing systems and services.

Measures for ensuring ongoing availability and resilience of processing systems and the Services

  • Redundancy and Backup Systems: Data regularly backed up and systems designed with redundancy to ensure continuous availability and quick recovery in case of system failures.
  • Disaster Recovery Plan: A robust disaster recovery plan in place to restore systems and services swiftly in the event of a significant disruption, ensuring ongoing availability and resilience.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Regular Security Audits: Conducting frequent security audits assesses the effectiveness of the technical and organizational measures, ensuring ongoing security of data processing.
  • Penetration Testing: Regular penetration testing evaluates the strength of the security measures, simulating potential attacks to identify vulnerabilities in the processing system.

Measures for user identification and authorization

  • Access control: Only authorized and authenticated users have access to the system.
  • Periodic Access Reviews: Regularly reviewing user access rights and privileges ensures that only authorized personnel have access to personal data, strengthening security measures.

Measures for the protection of Data during storage

  • Secure Storage Infrastructure: Utilizing secure and certified data centers or cloud storage providers with stringent security protocols protects stored data from physical and cyber threats.

Measures for ensuring physical security of locations at which personal data are processed

  • Access Control Systems: Physical access control systems in place at data processing locations to prevent unauthorized entry and protect data from physical threats.
  • Surveillance Systems: Utilization of surveillance systems, such as CCTV cameras, in data processing locations enhances physical security by monitoring and recording activities.

Measures for internal IT and IT security governance and management

  • IT Security Policies: Establishing comprehensive IT security policies to guide staff in maintaining a secure environment and adhering to data protection regulations.
  • Security Awareness Training: Providing regular security awareness training to employees, ensuring they understand their roles and responsibilities in maintaining IT security and data protection.

Measures for ensuring data minimization

  • Data Minimization Policies: Policies ensuring only necessary data is collected and stored, limiting the exposure of personal data and reducing potential risks.
  • Regular Data Reviews: Regular reviews and audits of stored data to identify and remove unnecessary or outdated personal data, ensuring data minimization.

Measures for ensuring data quality

  • Data Validation Procedures: Implementing robust data validation procedures to check for inaccuracies and inconsistencies, ensuring high quality of data.
  • Regular Data Cleansing: Periodic data cleansing routines to identify and correct or remove any errors, maintaining the integrity and quality of data.

Measures for ensuring limited data retention

  • Data Retention Policy: Establishing a clear data retention policy that specifies the duration for which data can be stored and when it should be deleted.

Measures for ensuring accountability

  • Data Protection Officer (DPO): Appointing a DPO who oversees data protection strategies, ensuring compliance with regulations and maintaining accountability.
  • Documentation and Record-Keeping: Keeping thorough records of data processing activities, audits, and policy updates to demonstrate compliance and accountability in data handling.

Measures for allowing data portability and ensuring erasure

  • Data Erasure Protocols: Implementing clear protocols for securely erasing personal data upon request or after the retention period, respecting users' rights and privacy regulations.





Exhibit B

Model withdrawal form

(complete and return this form only if you wish to withdraw from the contract)

— To [here the trader’s name, geographical address and, where available, his fax number and e-mail address are to be inserted by the trader]:

— I/We (*) hereby give notice that I/We (*) withdraw from my/our (*) contract of sale of the following goods (*)/for the provision of the following service (*),

— Ordered on (*)/received on (*),

— Name of consumer(s),

— Address of consumer(s),

— Signature of consumer(s) (only if this form is notified on paper),

— Date