GDPR Policy

Large Call to Action Headline

Effective Date: 16th February, 2026

1. Introduction to GDPR Compliance

1.1 Commitment to GDPR Rebellion Digital, operating under the brand name SayZio, is committed to protecting personal data and respecting the privacy rights of individuals. We strive to comply with the principles and requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) where applicable. This includes implementing appropriate technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. Our data protection practices are designed to: Ensure lawful processing of personal data Maintain data accuracy and integrity Limit data collection to what is necessary Protect personal data against unauthorized access or misuse Support data subject rights 1.2 Applicability to EU/EEA Users The GDPR applies to the processing of personal data of individuals located in the European Union (EU) and the European Economic Area (EEA), where such processing relates to: Offering services to individuals in the EU/EEA Monitoring behavior within the EU/EEA If you are located in the EU or EEA and access or use the SayZio platform, your personal data may be processed in accordance with GDPR requirements. Where GDPR applies, we provide additional safeguards and rights as outlined in our Privacy Policy and GDPR-specific documentation. 1.3 Role of Rebellion Digital as Data Controller and Data Processor Depending on the context of data processing, Rebellion Digital may act as either a Data Controller or a Data Processor under GDPR. As Data Controller We act as a Data Controller when we determine the purposes and means of processing personal data, including: Account registration data Subscription and billing information Support communications Website visitor data Security monitoring data In this role, we are responsible for ensuring lawful processing and protecting data subject rights. As Data Processor We act as a Data Processor when we process personal data on behalf of our users, including: CRM data uploaded by users Customer contact information Marketing campaign data Business and transaction data AI-processed data within user accounts In this capacity: We process data only in accordance with user instructions We implement appropriate security measures We support users in fulfilling their GDPR obligations Users who upload or manage personal data within the platform are responsible for ensuring they have a lawful basis for processing such data.

2. Scope of This GDPR Statement

This GDPR Statement outlines how Rebellion Digital, operating under the brand SayZio, complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) where applicable. 2.1 Applicability to EU/EEA Users This GDPR Statement applies to individuals located in the European Union (EU) and the European Economic Area (EEA) whose personal data is processed by SayZio in connection with: Accessing or using the SayZio platform Creating or managing an account Subscribing to SaaS plans Interacting with AI-powered features Engaging with White Label implementations If you are located in the EU/EEA and use the Service, your personal data may be processed in accordance with GDPR requirements, including applicable rights and safeguards. 2.2 Applicability to SaaS Accounts For standard SaaS users: Rebellion Digital acts as a Data Controller for account registration data, billing information, support communications, and platform security monitoring. Rebellion Digital acts as a Data Processor for customer data uploaded by users into CRM systems, automation workflows, marketing tools, or AI modules. This GDPR Statement applies to all personal data processed within the SaaS environment where GDPR is applicable. 2.3 Applicability to White Label Accounts For White Label accounts: White Label account holders act as independent Data Controllers for their end customers. Rebellion Digital acts as a Data Processor providing infrastructure, hosting, automation, and AI capabilities. This GDPR Statement applies to the processing activities carried out by Rebellion Digital as a Data Processor for White Label users. White Label Users remain responsible for: Establishing a lawful basis for processing Providing GDPR-compliant disclosures to their customers Handling data subject rights requests 2.4 Coverage of AI-Powered Data Processing This GDPR Statement also applies to personal data processed through AI-powered features within the platform. AI-related processing may include: Analysis of user-submitted prompts Processing of CRM or business data for automation Generation of AI-based content Automated workflow execution Analytical insights and recommendations Where AI processing involves personal data of EU/EEA individuals: Processing is conducted under a lawful basis Appropriate technical and organizational safeguards are applied Cross-border transfer protections are implemented where required Automated processing conducted within the platform does not produce legally binding decisions affecting individuals without user oversight.

3. Data Controller and Data Processor Roles

Under the General Data Protection Regulation (GDPR), the classification of a party as a Data Controller or Data Processor depends on the context of the data processing activity. Rebellion Digital, operating under the brand SayZio, may act as either a Data Controller or a Data Processor depending on the nature of the data and the purpose for which it is processed. 3.1 When SayZio Acts as a Data Controller SayZio acts as a Data Controller when it determines the purposes and means of processing personal data. This includes processing related to: Account registration and user identity information Subscription and billing details Payment processing coordination Customer support communications Website usage analytics Security monitoring and fraud prevention Compliance with legal obligations Marketing communications sent directly by SayZio In these cases, SayZio: Determines why and how personal data is processed Ensures a lawful basis for processing Implements appropriate security safeguards Responds to data subject rights requests Maintains transparency obligations under GDPR 3.2 When SayZio Acts as a Data Processor SayZio acts as a Data Processor when it processes personal data on behalf of its users (who act as Data Controllers). This includes processing related to: CRM data uploaded by users Customer contact information stored within accounts Lead data and marketing campaign information Automation workflows Sales and transaction records AI-generated content based on user-submitted data Analytics conducted within user accounts In this role, SayZio: Processes data solely in accordance with user instructions Does not determine the independent purpose of such processing Implements technical and organizational security measures Assists users in fulfilling GDPR obligations where applicable Does not claim ownership of user-uploaded data Users remain responsible for ensuring they have a lawful basis for processing personal data uploaded into the platform. 3.3 White Label Data Controller Responsibilities For White Label accounts: White Label users act as independent Data Controllers for their end customers. They determine the purposes and means of processing data collected under their branded platform. White Label Users are responsible for: Providing GDPR-compliant privacy notices to their customers Establishing a lawful basis for processing personal data Obtaining valid consent where required Responding to data subject access, correction, deletion, or portability requests Ensuring compliance with marketing and communication regulations Managing cross-border data transfers in accordance with applicable laws SayZio acts as a Data Processor providing platform infrastructure and AI-enabled tools for White Label users. If a data subject of a White Label account submits a GDPR request, such requests must be directed to the relevant White Label Data Controller.

4. Lawful Basis for Processing (Article 6 GDPR)

In accordance with Article 6 of the General Data Protection Regulation (GDPR), SayZio processes personal data only where a valid legal basis exists. Depending on the context of processing, one or more of the following lawful bases may apply. 4.1 Contractual Necessity Article 6(1)(b) GDPR We process personal data where it is necessary for the performance of a contract or to take steps prior to entering into a contract. This includes processing required to: Create and manage user accounts Provide access to the SayZio SaaS platform Deliver AI-powered features Enable automation workflows Process subscription payments Provide customer support Enforce our Terms and Conditions Without this processing, we would be unable to provide the requested services. 4.2 Legitimate Interests Article 6(1)(f) GDPR We may process personal data where it is necessary for our legitimate business interests, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject. Legitimate interests may include: Improving platform functionality and performance Enhancing AI model efficiency and automation capabilities Ensuring platform security and preventing fraud Monitoring system stability and detecting misuse Conducting internal analytics and business reporting Developing new features and services Where we rely on legitimate interests, we conduct appropriate balancing assessments to ensure that data subject rights are respected. 4.3 Consent Article 6(1)(a) GDPR We rely on consent where required by law, including for: Marketing communications Optional cookies and tracking technologies Certain AI-related features (where applicable) Participation in surveys or promotional campaigns Consent must be freely given, specific, informed, and unambiguous. Data subjects have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn. 4.4 Legal Obligation Article 6(1)(c) GDPR We may process personal data where necessary to comply with legal obligations, including: Tax and accounting regulations Regulatory reporting requirements Lawful requests from public authorities Court orders or legal proceedings Anti-fraud and compliance obligations Where processing is required by law, we limit such processing strictly to what is legally necessary. 4.5 Processor-Based Processing Where SayZio acts as a Data Processor, the lawful basis for processing personal data is determined by the relevant Data Controller (SaaS user or White Label account holder). In such cases: SayZio processes data solely under documented instructions The Data Controller remains responsible for establishing the lawful basis under Article 6 GDPR

5. Categories of Personal Data Processed

In the course of providing the SayZio platform and related AI-powered services, we may process various categories of personal data, depending on how the Service is used. The categories outlined below apply where GDPR is applicable. 5.1 Account Information When users register for or use the platform, we may process personal data such as: Full name Business name Email address Phone number Billing address Account credentials (encrypted) Subscription plan details Transaction and billing records This data is processed primarily for account management, contractual performance, billing administration, and service delivery. 5.2 Business and CRM Data Users may upload or generate business-related data within the platform, including personal data of their customers, leads, or contacts. This may include: Customer names Contact information Lead information Sales records Marketing campaign data Communication history Appointment or booking information Transaction data In this context, SayZio typically acts as a Data Processor, and the user (SaaS or White Label account holder) acts as the Data Controller. Users are responsible for ensuring that such data is collected and processed in accordance with applicable GDPR requirements. 5.3 AI Inputs and Outputs As an AI-powered platform, SayZio may process personal data included within: Prompts submitted to AI tools Business data used for AI analysis Automated workflow triggers AI-generated responses and recommendations AI outputs are generated automatically based on system algorithms and user-provided inputs. Where personal data is included in AI processing: Processing is limited to what is necessary to provide requested functionality Appropriate safeguards are implemented Cross-border transfer protections apply where required Users remain responsible for reviewing AI-generated outputs before use. 5.4 Usage Data We may process technical and behavioral data automatically collected through platform usage, including: IP address Device type Browser type and version Operating system Login timestamps Feature usage patterns Error logs Session duration Usage data is primarily used for security monitoring, system improvement, fraud prevention, and performance optimization. 5.5 Communication Data We may process personal data contained in communications between users and SayZio, including: Support tickets Email correspondence Chat communications Feedback submissions Complaint or dispute information Such data is processed to respond to inquiries, provide assistance, resolve issues, and maintain service quality.

6. Purpose of Data Processing

SayZio processes personal data only for specified, explicit, and legitimate purposes in accordance with Article 5 and Article 6 of the GDPR. The purposes of processing may include the following: 6.1 Service Delivery We process personal data to provide and maintain the SayZio SaaS platform, including: Account creation and management Subscription administration Feature access control CRM and automation functionality Customer support services System configuration and personalization Without such processing, we would be unable to deliver the contracted services. 6.2 AI Automation As an AI-powered platform, SayZio processes personal data to enable: AI-driven content generation Automated workflow execution Intelligent lead categorization Campaign optimization Business data analysis Recommendation systems AI processing may analyze user inputs and stored data to generate outputs requested by the user. AI automation is designed to support business operations and does not independently make legally binding decisions affecting individuals without user oversight. 6.3 Payment Processing We process personal data to: Manage subscription billing Process recurring payments Maintain transaction records Prevent payment fraud Comply with accounting and tax regulations Payment processing may involve secure third-party providers operating under contractual data protection obligations. 6.4 Security and Fraud Prevention We process personal data to: Monitor account activity Detect unauthorized access Prevent misuse or abuse of the platform Investigate suspicious behavior Protect system integrity Enforce contractual terms Security-related processing may include automated monitoring systems and log analysis. 6.5 Analytics and Platform Improvement We process personal data and usage information to: Improve platform performance Enhance AI functionality Identify feature enhancements Analyze system reliability Optimize user experience Develop new services Where possible, analytics data is aggregated or anonymized to minimize identification risks.

7. AI and Automated Decision-Making

SayZio incorporates artificial intelligence (“AI”) and automated processing features to enhance business automation, analytics, and operational efficiency. This section explains how such processing aligns with Article 22 of the GDPR. 7.1 Explanation of AI Usage AI-powered features within the platform may include: Content generation tools Automated workflow execution Lead scoring or categorization Business analytics and reporting Intelligent recommendations Automated campaign triggers AI systems operate based on algorithms and machine learning models that analyze user inputs, stored business data, and system parameters to generate outputs. Processing may occur automatically once initiated by the user. 7.2 No Fully Automated Legal or Similarly Significant Decisions In accordance with Article 22 GDPR: SayZio does not engage in fully automated decision-making that produces legal effects or similarly significant effects on individuals without human involvement. The platform: Does not independently approve or deny financial services Does not make legally binding eligibility determinations Does not execute employment, credit, or insurance decisions Does not impose penalties or legal consequences on individuals AI-generated outputs are assistive tools designed to support business users. 7.3 Human Oversight Responsibility Users retain full control over: Reviewing AI-generated content Approving automated communications Configuring automation workflows Acting upon AI recommendations All AI outputs require user implementation or configuration before they affect third parties. Users are responsible for: Verifying accuracy of AI-generated content Ensuring compliance with applicable laws Reviewing automated processes before activation SayZio does not independently supervise user decision-making processes. 7.4 Article 22 GDPR Considerations Where automated processing involves personal data of individuals in the EU/EEA: Processing is conducted under a lawful basis under Article 6 GDPR Data subjects retain the right to object to processing based on legitimate interests Users acting as Data Controllers are responsible for ensuring compliance when configuring automated workflows If a user implements automated processes that could significantly affect individuals, the user must ensure: Appropriate transparency disclosures Lawful basis for processing Safeguards allowing human intervention where required 7.5 Safeguards and Transparency To align with GDPR principles, SayZio: Provides transparency regarding AI functionality Implements technical and organizational security measures Limits processing to what is necessary for service delivery Enables user control over automation features AI systems are designed to support user decision-making, not replace it.

8. Data Retention

SayZio retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with contractual, legal, regulatory, and legitimate business obligations. Retention practices are designed to comply with Article 5(1)(e) of the GDPR (storage limitation principle). 8.1 Retention During Active Subscription During an active subscription period, we retain personal data necessary to: Provide access to the platform Deliver SaaS functionality Enable AI-powered features Maintain CRM and automation workflows Process payments and manage billing Provide customer support Maintain system security and integrity This includes account information, business and CRM data, AI inputs and outputs, usage logs, and communication records. Retention during the active period is based on contractual necessity under Article 6(1)(b) GDPR. 8.2 Post-Termination Retention Following subscription cancellation or account termination: Account data may be retained for a limited period to allow reactivation, dispute resolution, or operational continuity. Backup systems may temporarily retain data in accordance with standard backup cycles. AI interaction data associated with the account may be retained as part of stored account data. After the applicable post-termination retention period: Data may be permanently deleted or anonymized. Deletion may not be immediate due to technical or backup constraints. Users are responsible for exporting any required data before account closure. 8.3 Legal Compliance Retention Certain personal data may be retained beyond account termination where required for: Tax and accounting compliance Regulatory reporting obligations Fraud prevention investigations Enforcement of contractual rights Legal claims or dispute resolution Such retention is based on Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests). Data retained for legal compliance purposes is limited to what is necessary and stored securely. 8.4 Anonymization and Aggregation Where possible, data that is no longer required for identifiable processing may be: Anonymized Aggregated Used for statistical analysis Used for platform improvement Anonymized data is no longer considered personal data under GDPR. 8.5 White Label Accounts For White Label implementations: White Label Users determine retention policies for their end-customer data. SayZio retains such data only in accordance with the instructions of the White Label Data Controller and applicable agreements. White Label Users remain responsible for ensuring GDPR-compliant retention policies for their customers.

9. Data Sharing and Sub-Processors

In order to provide and maintain the SayZio platform, we may engage trusted third-party service providers (“Sub-Processors”) to process personal data on our behalf. All Sub-Processors are carefully selected and are contractually obligated to implement appropriate technical and organizational safeguards in accordance with Article 28 GDPR. 9.1 Categories of Sub-Processors We may engage Sub-Processors in the following categories: Cloud Hosting Providers To host application servers, databases, storage systems, and backup infrastructure necessary to operate the platform securely and reliably. Payment Processors To process subscription payments, manage billing transactions, prevent payment fraud, and maintain financial compliance records. Payment processors operate under their own privacy and security policies and are subject to contractual data protection obligations. Messaging and Communication Providers To facilitate: Transactional email delivery System notifications Account verification messages Automated communication workflows Messaging integrations These providers process data solely for message transmission purposes. AI Service Providers To enable AI-powered functionality, including content generation, automation triggers, data analysis, and intelligent recommendations. This may include providers such as OpenAI or similar AI infrastructure services. When AI services are used: User inputs may be transmitted securely to AI providers AI-generated outputs are returned to the platform Data is processed only to generate requested functionality Infrastructure and Technical Vendors To support: Monitoring and logging systems Security tools Performance optimization services Development and maintenance operations 9.2 Sub-Processor Safeguards We ensure that Sub-Processors: Process data only under documented instructions Implement appropriate security controls Maintain confidentiality obligations Comply with applicable data protection regulations Enter into written data processing agreements where required Where personal data is transferred outside the EU/EEA, appropriate transfer safeguards are implemented. 9.3 Sub-Processor List A current list of Sub-Processors engaged by SayZio may be made available upon request. Users may request this information by contacting: support@sayzio.app We reserve the right to update Sub-Processors as necessary to support business operations and platform functionality. 9.4 Responsibility Allocation Where SayZio acts as a Data Processor: Sub-Processors are engaged in accordance with Article 28 GDPR. The primary Data Controller (SaaS user or White Label account holder) remains responsible for ensuring lawful data collection and processing within their accounts.

10. International Data Transfers

SayZio operates using cloud-based infrastructure and third-party service providers that may be located in multiple jurisdictions. As a result, personal and business data may be processed, stored, or accessed in countries outside your country of residence. 10.1 Cross-Border Processing Data may be transferred internationally for purposes including: Cloud hosting and infrastructure management Payment processing Email and messaging delivery Analytics services AI-powered functionality Technical support operations These transfers are necessary to provide and maintain the Service. 10.2 Legal Basis for Transfers Where applicable, international data transfers are conducted in accordance with relevant data protection laws. Depending on jurisdiction, safeguards may include: Contractual agreements with service providers Data processing agreements Standard contractual protections Technical and organizational security measures 10.3 User Consent By accessing or using the Service, you acknowledge and consent to the transfer, processing, and storage of your information in jurisdictions outside your country of residence, where data protection laws may differ from those in your jurisdiction. 10.4 AI-Related International Transfers When AI features are used: User inputs may be transmitted to third-party AI providers located in other countries AI-generated responses may be processed through infrastructure outside your jurisdiction Such transfers occur solely to deliver requested functionality and are subject to reasonable security safeguards. 10.5 Risk Acknowledgment While we implement reasonable measures to protect data during international transfers, users understand that data protection laws in other jurisdictions may not offer the same level of protection as those in their home country.

11. Data Subject Rights (Under GDPR)

In accordance with Articles 15–22 of the General Data Protection Regulation (GDPR), individuals located in the European Union (EU) or European Economic Area (EEA) may have the following rights regarding their personal data. These rights apply where SayZio acts as a Data Controller. Where SayZio acts as a Data Processor, requests should be directed to the relevant Data Controller (e.g., the SaaS user or White Label account holder). 11.1 Right to Access (Article 15 GDPR) You have the right to: Obtain confirmation as to whether your personal data is being processed Access the personal data we hold about you Receive information regarding the purposes of processing Obtain details about categories of data processed Receive information about recipients or categories of recipients Request information about retention periods Receive a copy of your personal data Requests may be subject to identity verification. 11.2 Right to Rectification (Article 16 GDPR) You have the right to request: Correction of inaccurate personal data Completion of incomplete personal data Certain account information may be corrected directly within your account settings. 11.3 Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR) You may request deletion of your personal data where: The data is no longer necessary for its original purpose You withdraw consent (where processing is based on consent) You object to processing and there are no overriding legitimate grounds The data has been unlawfully processed Erasure is required to comply with legal obligations This right is not absolute and may be limited where retention is required for legal compliance, dispute resolution, or legitimate business purposes. 11.4 Right to Restrict Processing (Article 18 GDPR) You may request restriction of processing where: You contest the accuracy of personal data Processing is unlawful but deletion is not requested We no longer need the data but you require it for legal claims You have objected to processing pending verification of legitimate grounds During restriction, data may be stored but not actively processed except under limited circumstances. 11.5 Right to Data Portability (Article 20 GDPR) You have the right to: Receive your personal data in a structured, commonly used, and machine-readable format Transmit that data to another controller where technically feasible This right applies where processing is based on consent or contractual necessity and carried out by automated means. 11.6 Right to Object (Article 21 GDPR) You may object to processing where it is based on: Legitimate interests Direct marketing purposes If you object to direct marketing, we will cease processing your personal data for that purpose. Where processing is based on legitimate interests, we will assess whether compelling legitimate grounds override your rights and freedoms. 11.7 Rights Related to Automated Decision-Making (Article 22 GDPR) You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. SayZio does not engage in fully automated decision-making that produces legal or similarly significant effects without human involvement. Where automated tools are used within the platform: Users retain control over configuration and approval AI outputs are assistive in nature No legally binding decisions are made by the system independently If you believe automated processing affects you significantly, you may request human review where applicable. 11.8 How to Submit a Data Subject Request Requests related to GDPR rights may be submitted to: Email: support@sayzio.app Company: Rebellion Digital Brand: SayZio To protect user privacy and security, we may require verification of identity before responding to any request. We will respond within the timeframes required under GDPR (generally within one month), subject to complexity and legal requirements.

12. Data Security Measures

Rebellion Digital, operating under the brand SayZio, implements appropriate technical and organizational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk associated with personal data processing. Security measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. 12.1 Technical Safeguards We implement technical controls designed to protect system infrastructure and stored data, which may include: Secure cloud-based hosting environments Network segmentation and firewall protections Secure application architecture Regular system updates and patch management Backup and disaster recovery systems Infrastructure is monitored to detect vulnerabilities and maintain system resilience. 12.2 Encryption We use encryption mechanisms to safeguard personal data, including: Encryption of data in transit using secure protocols such as HTTPS/TLS Encryption or hashing of authentication credentials (including passwords) Encryption of sensitive data where appropriate Encryption helps prevent unauthorized access during transmission and storage. 12.3 Access Controls Access to personal data is restricted to authorized personnel and systems on a need-to-know basis. Access control measures may include: Role-based access control (RBAC) Multi-factor authentication where applicable Strong password policies Logging of administrative access Internal access authorization procedures Personnel with access to personal data are subject to confidentiality obligations. 12.4 Monitoring and Logging Systems We maintain monitoring and logging mechanisms to: Detect unauthorized access attempts Identify suspicious activity Monitor system integrity Track administrative actions Investigate security incidents Security logs may be retained for auditing, compliance, and incident response purposes. 12.5 Risk Mitigation Procedures We implement risk-based security management practices, including: Regular risk assessments Evaluation of potential vulnerabilities Incident response planning Business continuity planning Backup management and recovery testing Where appropriate, security measures are reviewed and updated to address evolving threats and technological developments. 12.6 Sub-Processor Security Where we engage Sub-Processors: We assess their security standards We enter into data processing agreements We require appropriate technical and organizational safeguards However, independent third-party providers operate under their own security frameworks. 12.7 Limitation of Absolute Security While we implement reasonable and appropriate safeguards, no system can guarantee absolute security. Users acknowledge that: Internet-based services carry inherent security risks No transmission or storage system can be entirely immune to threats In the event of a personal data breach, we will follow applicable GDPR notification requirements.

13. Data Breach Notification

Rebellion Digital, operating under the brand SayZio, maintains incident response procedures designed to detect, investigate, and respond to personal data breaches in accordance with Articles 33 and 34 of the GDPR. 13.1 Definition of a Personal Data Breach A personal data breach refers to a security incident that results in: Accidental or unlawful destruction of personal data Loss of personal data Alteration of personal data Unauthorized disclosure of personal data Unauthorized access to personal data 13.2 Notification to Supervisory Authorities (Article 33 GDPR) Where SayZio acts as a Data Controller and becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals: We will notify the relevant supervisory authority without undue delay. Where feasible, notification will occur within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, reasons for the delay will be documented. 13.3 Notification to Affected Individuals (Article 34 GDPR) Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals: Affected data subjects will be informed without undue delay. Notifications will include relevant information about the nature of the breach, potential consequences, and measures taken to mitigate risks. Notification may not be required where: Data was encrypted or otherwise protected, rendering it unintelligible to unauthorized parties; or Subsequent measures eliminate the likelihood of high risk; or Notification would involve disproportionate effort (in which case public communication may be used where appropriate). 13.4 Processor Obligations Where SayZio acts as a Data Processor: We will notify the relevant Data Controller without undue delay upon becoming aware of a personal data breach. The Data Controller remains responsible for assessing supervisory authority and data subject notification obligations. 13.5 Incident Response Measures Our breach response procedures may include: Immediate containment of the incident Investigation and risk assessment Remediation and corrective action Documentation of breach details Review and enhancement of security controls

14. Children’s Data

SayZio is a business-oriented SaaS platform and is not intended for use by individuals under the age of 18. 14.1 Not Intended for Minors The Service is designed for: Businesses Entrepreneurs Agencies Professional users It is not directed toward children or minors. 14.2 No Intentional Collection of Children’s Data We do not knowingly: Collect personal data from individuals under 18 years of age Allow minors to register for accounts Provide services directly to children Users must ensure that they meet the minimum age requirement and are legally capable of entering into binding agreements. 14.3 Inadvertent Collection If we become aware that personal data of a minor has been collected without appropriate authorization: We will take reasonable steps to delete such information. Access to the associated account may be restricted or terminated. If you believe that personal data of a minor has been processed through the Service, please contact: support@sayzio.app

15. Updates to This GDPR Statement

Rebellion Digital, operating under the brand SayZio, reserves the right to update, amend, or modify this GDPR Statement at any time to reflect changes in legal requirements, regulatory guidance, operational practices, or technological developments. 15.1 Right to Update We may revise this GDPR Statement to address: Changes in GDPR interpretation or supervisory authority guidance Updates to platform functionality, including AI features Modifications to data processing practices Changes in Sub-Processors or infrastructure providers Enhancements to security or compliance frameworks All updates will be made in accordance with applicable data protection laws. 15.2 Publication of Revised Versions When revisions are made: The updated version will be published on the official website. The effective date will be updated to reflect the most recent revision. Where required by law or where changes materially affect user rights: Additional notice may be provided through email or platform notifications. 15.3 Continued Use Continued use of the Service after the publication of an updated GDPR Statement constitutes acknowledgment of the revised terms, to the extent permitted by law. Users are encouraged to review this GDPR Statement periodically to remain informed about how personal data is processed and protected.

16. Contact Information for GDPR Requests

If you have questions regarding this GDPR Statement or wish to exercise your rights under the General Data Protection Regulation (GDPR), you may contact us using the details below. Company Name: Rebellion Digital Brand Name: SayZio GDPR Contact Email: support@sayzio.app 16.1 Submitting a GDPR Request To submit a GDPR-related request, please send an email to: support@sayzio.app Your request should include: Your full name The email address associated with your account (if applicable) A clear description of your request (e.g., access, correction, deletion, restriction, objection, portability) Any relevant details to help us identify your data 16.2 Identity Verification To protect personal data and prevent unauthorized disclosure: We may require verification of your identity before processing your request. Additional information may be requested where necessary to confirm identity. Requests cannot be processed without sufficient verification. 16.3 Response Time We will respond to valid GDPR requests: Without undue delay Generally within one (1) month of receipt In cases of complex or multiple requests, the response period may be extended in accordance with Article 12 GDPR. You will be informed if an extension is required. 16.4 White Label Accounts If your personal data is processed through a White Label implementation of SayZio: The relevant White Label account holder acts as the Data Controller. You should contact the White Label provider directly for GDPR-related requests. SayZio may assist White Label Data Controllers in responding to requests where required under applicable agreements.