
Privacy Policy.

1. Who we are

The data controller for the personal data processed through this website is:

OrAIsi Tech S.L. (hereafter "OrAIsi", "we", "us")

  • CIF: B23823511
  • Registered office: Camí de Luna nº 2241, 03139 Elche (Alicante), Spain
  • Email: info@oraisi.ai
  • Website: https://oraisi.ai
  • Platform: https://toxiagent.oraisi.ai

Full Mercantile Registry filing data and the company's corporate purpose are published in our Legal Notice.

Data protection contact. OrAIsi has not formally appointed a Data Protection Officer (DPO) under GDPR Article 37, as appointment is not legally required for a company of this size and processing scope. For any data protection matter, write to info@oraisi.ai with the subject line "Privacy / Data Protection".

2. What this policy covers

This Privacy Policy explains how OrAIsi collects, uses, shares, and protects personal data of:

  • Visitors to https://oraisi.ai who interact with the contact form, browse the site, or accept cookies.
  • Users of the ToxiAgent platform at https://toxiagent.oraisi.ai (when the SaaS launches commercially).

When OrAIsi processes personal data of clients' end users on the SaaS platform, OrAIsi acts as a data processor on behalf of the client (the data controller). That processing is governed by a separate Data Processing Agreement (DPA) signed at client onboarding. This Policy concerns OrAIsi's own processing as data controller.

3. Personal data we collect

3.1 Contact form (https://oraisi.ai/regulatory-product-file-automation/)

When you submit the contact form on our website, we collect:

  • First name, last name (required)
  • Email address (required)
  • Telephone number (optional)
  • Message text (optional, free-form)

3.2 Cookies and similar technologies

The website uses cookies grouped into the following categories, each subject to your consent through the cookie banner displayed on first visit:

  • Functional (always active — strictly necessary to provide the service you requested)
  • Preferences (remember settings between visits)
  • Statistics (aggregate site usage analytics)
  • Marketing (advertising profiling, where applicable)

Detailed cookie information (provider, purpose, duration) is disclosed in the cookie consent banner managed by Complianz. The cookie information is consolidated within this Privacy Policy; we do not maintain a separate cookie policy page.

3.3 Anti-spam protection (Google reCAPTCHA v3)

The contact form uses Google reCAPTCHA v3 to detect and prevent automated submissions. reCAPTCHA collects technical data including IP address, browser data, and user interaction patterns. See Google's privacy policy at https://policies.google.com/privacy for full disclosure. This involves a transfer of personal data to Google LLC in the United States; see §6.

3.4 Server logs

Our hosting infrastructure (IONOS, Spain) maintains technical access logs that may include IP addresses, user agent strings, and request timestamps for security and operational purposes.

3.5 ToxiAgent platform (when the SaaS launches commercially)

When the platform launches commercially, OrAIsi will process additional personal data of platform users (account holders): name, email, role, organisation, authentication tokens, audit metadata about platform actions, and free-text content the user enters as part of cosmetic safety assessments. Concentration values and other client-confidential formula data are encrypted in the user's browser and are structurally not readable by OrAIsi, as documented in our security one-pager.

4. Why we process your data and on what legal basis

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to enquiries submitted via the contact form | Consent (Art. 6.1.a). The user submits the form voluntarily; consent is given when the form is sent. |
| Send commercial follow-up about OrAIsi's services after an enquiry | Legitimate interest (Art. 6.1.f) when the enquiry concerns our services. The user can object at any time. |
| Operate cookies in the "Functional" category | Legitimate interest / contract necessity (Art. 6.1.b/f) — cookies strictly necessary to deliver the requested service |
| Operate cookies in the "Preferences", "Statistics", and "Marketing" categories | Consent (Art. 6.1.a), captured through the cookie banner |
| Anti-spam protection via reCAPTCHA v3 | Legitimate interest (Art. 6.1.f) — protecting the website from automated abuse |
| Maintain server logs for security | Legitimate interest (Art. 6.1.f) |
| Operate the ToxiAgent platform for paying customers (when the SaaS launches) | Performance of a contract (Art. 6.1.b) |
| Use evaluator-written justifications and decisions to improve the platform's regulatory intelligence layer (the "Continuously Enriched Data System" — when the SaaS launches) | Explicit, opt-in consent (Art. 6.1.a). This processing is opt-in by default; clients can decline at onboarding and can withdraw consent at any time. Withdrawal does not affect previously processed data but stops future use. See §11. |

5. Who we share data with (recipients and sub-processors)

OrAIsi shares personal data only with the following categories of recipients:

| Recipient | Role | Location | Legal mechanism |
|---|---|---|---|
| IONOS SE | Hosting provider for both oraisi.ai and the ToxiAgent platform | Germany / Spain (EU) | Art. 28 GDPR Data Processing Agreement |
| Google LLC (reCAPTCHA v3) | Anti-spam / bot detection on the contact form | United States | Standard Contractual Clauses (SCCs) under Art. 46 GDPR; EU-U.S. Data Privacy Framework where applicable |
| Email SMTP provider | Delivery of transactional and notification emails | (To be selected; will be disclosed when active) | Art. 28 DPA + applicable transfer mechanism |
| AI / LLM vendor | Will power assisted-research and ingredient-matching features in the ToxiAgent platform when the SaaS launches | (To be selected; will be disclosed when active) | Art. 28 DPA + zero-retention API mode + (if outside the EU) Standard Contractual Clauses |

We do not sell personal data. We do not share it for the marketing purposes of any third party.

6. International transfers

reCAPTCHA processing involves a transfer of personal data to Google LLC in the United States. We rely on the Standard Contractual Clauses approved by the European Commission under Article 46 of the GDPR as the legal mechanism for this transfer, and on Google's certification under the EU-U.S. Data Privacy Framework where applicable.

When the AI / LLM vendor is selected, if the vendor is established outside the EU/EEA we will ensure that the same Article 46 mechanisms apply, that the vendor offers a zero-retention API mode (the vendor does not retain or train on customer prompts), and that an Article 28 DPA is signed before any production traffic is sent.

7. How long we keep your data

| Category | Retention |
|---|---|
| Contact form submissions, no follow-up | 12 months from last contact |
| Contact form submissions that lead to a commercial relationship | For the duration of the commercial relationship plus the limitation period applicable under Spanish commercial law (typically up to 6 years for tax / accounting purposes) |
| Cookies | As specified per cookie in the cookie banner; consent itself is recorded for 12 months and re-prompted thereafter |
| Server logs | 12 months |
| ToxiAgent platform user accounts | For the duration of the contract plus the limitation period required by applicable law |
| Encrypted formula data on the ToxiAgent platform | Retained for the duration of the contract; deleted (including in backups) within a reasonable period after contract termination, on user request, or after the retention period set in the client agreement |

8. Security measures

We apply the following safeguards:

  • Browser-side encryption of client-confidential formula data. Concentration values, phase composition, and other classified CUSTOMER_IP fields are encrypted in the user's browser using a key derived from the user's password (Argon2id → key hierarchy → AES-256-GCM with HKDF-SHA256). The server holds only ciphertext for these fields and cannot decrypt them. See our security one-pager (https://oraisi.ai/security/) for details.
  • EU-resident hosting infrastructure (IONOS, Spain) under an Art. 28 DPA.
  • Encrypted-in-transit communications using TLS for all client traffic.
  • Authentication and access controls at the application level; SSO and refresh-token registry implemented as part of the 2026-04 trust-overhaul.
  • Regular security review of the codebase and infrastructure.

9. Your rights under GDPR / LOPDGDD

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you (Art. 15 GDPR)
  • Rectification — correct inaccurate or incomplete data (Art. 16)
  • Erasure — request deletion ("right to be forgotten") (Art. 17)
  • Restriction — limit how we process your data (Art. 18)
  • Portability — receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20)
  • Objection — object to processing based on legitimate interest, including direct marketing (Art. 21)
  • Withdraw consent at any time, where processing is based on consent (Art. 7.3)
  • Lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), https://www.aepd.es, if you consider that we have not complied with applicable data protection law

To exercise any of these rights, write to info@oraisi.ai with the subject line "Privacy / Data Protection". We will respond within one month, extendable to two further months for complex requests, in accordance with GDPR Art. 12.

10. Children

The website and the ToxiAgent platform are intended for professional B2B use by adults working in cosmetic safety, regulatory affairs, and product development. We do not knowingly collect personal data of children under 14 (the threshold under Spanish law). If you believe a child has provided personal data through our services, please contact info@oraisi.ai and we will delete the data.

11. The Continuously Enriched Data System — forward-looking notice

When the SaaS launches commercially, OrAIsi will offer a feature in which evaluator-written justifications (e.g., the rationale a safety assessor writes when classifying an ingredient) and structured decisions (NOAEL selections, exposure assumptions) may be used to improve the platform's regulatory intelligence layer over time and across regulatory geographies.

This processing is opt-in by default. When the feature ships, clients will be presented with an explicit choice during onboarding and within the platform settings. Choosing not to opt in does not affect the core service. Clients who opt in may withdraw consent at any time; withdrawal stops future use of new data but does not affect models trained on previously authorised data.

When this feature becomes active, we will update this Privacy Policy and notify users in advance.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through a banner on oraisi.ai and, where appropriate, by email to active users.

13. Language versions

This Privacy Policy is published in Spanish and English. In case of any conflict between language versions, the Spanish version prevails.


© 2026 OrAIsi Tech S.L. · CIF B23823511 · Built in Elche, Spain
