This policy describes the methods by which AI KOSMO SRL processes the personal data provided by you or otherwise transmitted by you through the website www.aikosmo.com (the "Site"). Our commitment is to ensure maximum transparency and to protect your rights in compliance with Regulation (EU) 2016/679 ("GDPR") and Legislative Decree 196/2003 as subsequently integrated and amended by Legislative Decree 101/2018 ("Privacy Code"). The processing carried out by the Data Controller will be based on the principles of lawfulness, fairness, transparency, purpose limitation and storage limitation, data minimisation, accuracy, integrity, and confidentiality.

1. DATA CONTROLLER. The Data Controller is AI KOSMO SRL, with registered office in via Monte Mulat, 38 – 38037 Predazzo (TN), VAT no. 02754510226 (hereinafter the "Controller").

2. PERSONAL DATA SUBJECT TO PROCESSING. The Controller processes the following categories of personal data:

Data voluntarily provided by the user:

• Demo booking form: name, surname, hotel name, hotel website, telephone number, email address;
• Call booking form: name, email address, and any other information requested in the booking form to arrange the meeting;
• Contact form: name, surname, hotel name, hotel website, email address;
• Contact via WhatsApp: telephone number and any other information the user chooses to share during the conversation;
• Interaction with the Intelligent Chatbot "KOSMO": text of conversations, questions asked, and information voluntarily provided by the user during interaction with the virtual assistant. The Intelligent Chatbot allows you to formulate information requests regarding the services offered on the Site and to receive answers generated based on the information available on the Site itself. The interaction initially takes place through an LLM artificial intelligence system; however, the intervention of the Controller's personnel is foreseen in the event of your explicit request or if the Intelligent Chatbot is unable to provide exhaustive answers. We kindly ask you not to include your own or third-party Personal Data during the interaction with the Intelligent Chatbot, unless strictly necessary for managing the request.
• To the contact addresses present on the Site.

Should you provide third-party Personal Data when using the Site, you must ensure that the processing is based on an appropriate legal basis pursuant to Article 6 of the Regulation, which legitimises the processing of the Personal Data in question.

Navigation Data: The computer systems and software procedures used to operate this Site acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses, domain names of the computers used by users, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, and other parameters relating to the operating system and the user's IT environment. This data is used solely to obtain anonymous statistical information on the use of the Site, to check its correct functioning, and to identify anomalies and/or abuses, and is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against AI KOSMO SRL or third parties.

Cookies and other tracking systems: The Site uses technical, analytical, and profiling cookies. For detailed information on the nature and purposes of the cookies used, please refer to the specific Cookie Policy, which supplements this privacy policy.(Hereinafter, the "Personal Data")

3. 3. PURPOSES OF PROCESSING, LEGAL BASES AND STORAGE PERIODS. Personal Data is processed for the following purposes, based on the following lawful conditions, and is stored for the period indicated below:

a) Management of contact requests, demo booking, and call booking

• Data Processed: Identifying and contact data provided via form, WhatsApp, or Calendly.
• Legal Basis: Execution of pre-contractual measures requested by the data subject.
• Storage Period: Time necessary to achieve the purpose and, in case of service request, maximum 24 months.

b) Provision of assistance and navigation service via the "KOSMO" chatbot

• Data Processed: Identifying and contact data, content of conversations.
• Legal Basis: Execution of pre-contractual/contractual measures (as indicated in the document).
• Storage Period: Time necessary to manage the request.

c) Training of artificial intelligence algorithms

• Data Processed: Content of conversations, navigation data, and other collected information.
• Legal Basis: Legitimate interest of the Controller in improving AI services.
• Storage Period: Time strictly necessary for service improvement; thereafter, data is aggregated and anonymised as soon as technically possible.

d) Soft spam

• Data Processed: Contact data (email, telephone).
• Legal Basis: Legitimate interest of the Controller and Art. 130, paragraph 4, Privacy Code.
• Storage Period: Until the opt-out is exercised, maximum 24 months in any case.

e) Compliance with legal, accounting, and tax obligations

• Data Processed: Personal, contact, and tax data.
• Legal Basis: Legal obligation to which the Controller is subject.
• Storage Period: According to the timeframes provided by law (e.g., 10 years for accounting obligations) and for possible legal defence..

f) Security and correct functioning of the site

• Data Processed: Navigation data (e.g., IP addresses).
• Legal Basis: Legitimate interest of the Controller in protecting company assets and the security of the site and users.
• Storage Period: For the time necessary for the purpose.

For further information regarding the storage periods of Personal Data and the criteria used to determine these periods, please contact: daniele@aikosmo.com.

4. PROCESSING METHODS AND SECURITY MEASURES. The processing of Personal Data is carried out using manual, computer, and electronic tools, with logic strictly related to the indicated purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data itself. In accordance with the principles of data protection by design and by default (Art. 25 GDPR) and security obligations (Art. 32 GDPR), the Controller adopts adequate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures include, where appropriate, the pseudonymisation and encryption of personal data.

5. RECIPIENTS AND TRANSFERS OF PERSONAL DATA. Your Personal Data may be transmitted to the following recipients:

• Persons authorised to process data pursuant to Art. 29 GDPR within the scope of their duties, and who have committed to confidentiality or have an adequate legal obligation of confidentiality (e.g., employees, collaborators);

• Data Processors pursuant to Art. 28 GDPR, who process Personal Data on behalf of the Controller and by virtue of a contract with the latter, such as (i) providers of hosting services, IT maintenance, appointment scheduling platforms (e.g., Calendly), communication platforms (e.g., WhatsApp), and providers of artificial intelligence platforms;

• Autonomous Data Controllers, such as companies and professionals for administrative and legal management;

• Subjects, entities, or authorities, to whom it is mandatory to communicate your Personal Data by virtue of legal provisions or orders from authorities.

Some of your Personal Data is shared with recipients who may be located outside the European Economic Area, particularly to the United States. In such a case, the Controller ensures that the transfer will take place in compliance with the applicable legal provisions (Arts. 44 et seq. GDPR), by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission or verifying the provider's adherence to certification mechanisms such as the Data Privacy Framework. To receive further information regarding the processing by third parties and the transfer of your Personal Data, you may contact: daniele@aikosmo.com.

6. YOUR RIGHTS. As a data subject, you may exercise the rights provided for in Articles 15-22 of the GDPR at any time, and in particular:

• Right of access (Art. 15): to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the data and information relating to the processing;

• Right to rectification (Art. 16): to obtain the correction of inaccurate personal data. With specific reference to AI systems, the Controller provides tools to request and obtain the correction of data processed inaccurately in content generation;

• Right to erasure ("right to be forgotten," Art. 17): to obtain the erasure of personal data, where technically possible and one of the conditions provided for by the rule applies;
• Right to restriction of processing (Art. 18): to obtain the restriction of processing in certain hypotheses;
• Right to data portability (Art. 20): to receive the personal data concerning you in a structured, commonly used, and machine-readable format;
• Right to object (Art. 21): to object at any time to the processing of personal data for direct marketing purposes and for processing based on the Controller's legitimate interest, such as algorithm training.

Requests can be addressed to the Controller at: daniele@aikosmo.com. In any case, you always have the right to lodge a complaint with the competent Supervisory Authority (in Italy: Garante per la Protezione dei Dati Personali), pursuant to Art. 77 of the Regulation, if you believe that the processing of your Personal Data is contrary to the applicable personal data protection legislation. We also inform you that you may revoke consent to the processing of your Personal Data at any time for all processing that is additional and not necessary for the provision of services. In particular, you have the right to exercise the opt-out regarding the receipt of promotional communications at any time by clicking on the unsubscribe link at the bottom of each of our emails, or by writing to the email address: daniele@aikosmo.com. It should be noted, however, that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal, as provided for in Art. 7(3) of the Regulation.

7. USE OF ARTIFICIAL INTELLIGENCE SYSTEMS. The KOSMO Intelligent Chatbot service uses artificial intelligence technologies, specifically LLM. In line with the principles of transparency established by the European AI ACT, GDPR, and national legislation L. 132/2025, we wish to provide you with the following information:

• Obligation of transparency: We inform you that you are interacting with a system that uses AI components. This system has been designed to assist AIKOSMO personnel in interpreting and sorting your requests.

• System operation and logic: The AI system analyses the text of your requests to understand their content and purpose and to direct them to the relevant department.

• Human supervision and absence of automated decisions: We guarantee that the AI system operates as a support tool for our personnel. No decision that produces legal effects or similarly significantly affects you (pursuant to Art. 22 of the GDPR) is made exclusively by automated means. Every complex request, charge, or relevant decision is subject to review and validation by a human operator.

• Accuracy and non-discrimination: The AI systems have been developed and are periodically monitored to minimise the risk of errors and discriminatory effects, in line with best practices and regulatory requirements.

8. MODIFICATIONS. AI KOSMO SRL reserves the right to modify or simply update the content of this policy, also due to changes in applicable legislation. You will be informed of such changes through their publication on the Site. AI KOSMO SRL therefore invites you to visit this section regularly to view the most recent and updated version of the privacy policy.

Last updated date: November 2025