SAFER EXPERIENCE (SE-CMMG), registered in Luxembourg under RCS A46893 ("SAFER EXPERIENCE," "SE-CMMG," "we," "our," or "us"), operates the website saferexperience.com (the "Site") and provides process safety engineering and technology services. SAFER EXPERIENCE is dedicated to protecting the confidentiality and privacy of information entrusted to it. As part of this fundamental obligation, we are committed to the appropriate protection and use of personal information (sometimes referred to as "personal data," "personally identifiable information," or "PII") that we collect online and in the course of our business relationships.

This Privacy Policy ("Privacy Statement") explains how we collect, use, share, store, and protect personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Luxembourg data protection law, and applicable ePrivacy rules.

This document contains two distinct notices:

• Part A — Website Users Privacy Notice, which applies to visitors of saferexperience.com.

• Part B — Client Privacy Notice, which applies to clients, prospective clients, and their representatives in the course of our business relationship.

Data Controller

The data controller responsible for personal data processed under this Privacy Policy is:

SAFER EXPERIENCE (SE-CMMG)
67, Rue de la Vallée, L-2661 Luxembourg
RCS: A46893 | TVA: LU37339338
Email: info@saferexperience.com

PART A — WEBSITE USERS PRIVACY NOTICE

1. Collection and Use of Personal Information

Generally, our intent is to collect only the personal information that is provided voluntarily by online visitors so that we can respond to inquiries, offer information about our services, or discuss potential engagements. Please review this notice to learn more about how we collect, use, share, and protect the personal information we obtain through the Site.

1.1 What Information We Collect

We obtain personal information about you if you choose to provide it — for example, when you submit our contact form, email us directly, or request a demo or consultation. The information we collect may include:

• Your name and surname

• Business email address

• Company name and job title

• Phone number (if provided)

• The content of your message and any additional information you choose to share

• Country or region (if provided)

We do not require you to create an account to access the Site. We do not use single sign-on (SSO) providers such as LinkedIn or Google for Site access.

When you submit personal information through the Site, we will use it in the manner described in this notice. Your personal information will not be used for other purposes unless we obtain your permission, or unless otherwise required or permitted by law.

1.2 The Legal Grounds We Have to Use Your Personal Information

SAFER EXPERIENCE generally collects only the personal information necessary to fulfill your request. Where additional, optional information is sought, you will be notified at the point of collection.

European data protection law allows us to process personal information only when we have a valid legal ground. When we process your personal information, we will rely on one of the following legal bases under Article 6 of the GDPR:

• Performance of a contract (Art. 6(1)(b)): when processing is necessary to take steps at your request prior to entering into a contract, or to perform our obligations under a contract to which you are a party.

• Legal obligation (Art. 6(1)(c)): when we are required to process your personal information to comply with a legal obligation, such as keeping records for tax or regulatory purposes, or responding to lawful requests from public authorities.

• Legitimate interests (Art. 6(1)(f)): when processing is necessary for our legitimate interests in running a lawful business, provided these interests are not overridden by your rights and freedoms.

• Your consent (Art. 6(1)(a)): when we ask for specific permission to process your personal information. You may withdraw your consent at any time by contacting us at info@saferexperience.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Examples of the legitimate interests referred to above include:

• Responding to inquiries submitted through the Site.

• Preventing fraud or unauthorized access and safeguarding our IT systems.

• Improving the performance, usability, and effectiveness of the Site.

• Engaging in limited, relationship-based business communication with existing clients about services relevant to them.

• Exercising our fundamental rights, including the freedom to conduct a business.

We do not process special categories of personal data (as defined in Article 9 of the GDPR), such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health data, in connection with the Site.

1.3 Automatic Collection of Personal Information

In some instances, SAFER EXPERIENCE and its service providers use limited technical tools to automatically collect certain types of information when you visit the Site. This enables us to deliver and secure the Site and to measure basic usage trends.

1.3.1 IP Addresses

An IP address is a number assigned to your computer or device when you access the internet. IP addresses from which visitors appear to originate are recorded by our hosting provider for IT security, system diagnostics, and abuse prevention. Where technically feasible, IP addresses are anonymized. This information is typically used in aggregate form for website trend and performance analysis and is not used to identify individual visitors.

1.3.2 Cookies

Cookies are small text files placed on your computer or internet-enabled device when you visit a website. They allow the Site to remember your device and serve a number of purposes.

SAFER EXPERIENCE uses only strictly necessary cookies required for the Site to function (e.g., session management, load balancing, security). These cookies do not require your consent under the ePrivacy Directive because they are essential to delivering the service you have requested.

We do not use:

• Performance or analytics cookies (including Google Analytics)

• Functionality or preference cookies beyond those strictly required

• Targeting, advertising, or behavioral tracking cookies

• Cross-site tracking technologies

If this changes in the future (for example, if we decide to add analytics), we will update this notice, display a cookie consent banner, and obtain your prior consent where required.

Below is a summary of the categories of cookies that may be used on our Site:

You can configure your browser to refuse cookies or to notify you when cookies are being sent. Further information about managing cookies can be found in your browser's help file or through websites such as www.allaboutcookies.org. Please note that disabling strictly necessary cookies may affect Site functionality.

1.3.3 Web Beacons and Tracking Pixels

SAFER EXPERIENCE does not use web beacons, tracking pixels, or similar technologies in email communications or on the Site to monitor recipient actions such as open rates or click-through rates.

1.3.4 Location-Based Tools

SAFER EXPERIENCE does not collect or use precise geolocation data from your computer or mobile device.

1.4 Social Media Widgets and Applications

The Site may include links to our presence on social media platforms (such as LinkedIn). We do not embed social sharing widgets (such as Facebook Like or X share buttons) that collect personal information from visitors to the Site.

If you choose to follow a link from the Site to a social media platform, your interaction with that platform will be governed by the privacy policy of the platform operator, over whom we have no control.

1.5 Children

SAFER EXPERIENCE understands the importance of protecting children's privacy. The Site and our services are not intentionally designed for or directed at children under the age of 16. It is our policy never to knowingly collect or maintain information about anyone under the age of 16. If we become aware that we have inadvertently collected such information, we will delete it promptly.

2. Sharing and Transfer of Personal Information

We do not sell, rent, or trade your personal information. We share personal information only as necessary for our legitimate professional and business needs, to carry out your requests, and/or as required or permitted by law.

2.1 Transfers to Service Providers and Partners

We transfer personal information to trusted third-party service providers when necessary to operate our business. These may include:

• Hosting providers: our Site is hosted by Framer B.V. (Netherlands, with US-based infrastructure), which processes technical data necessary to deliver the Site.

• Cloud infrastructure providers: Amazon Web Services (AWS), used for our platform services, operates under its own data protection commitments and is bound by Data Processing Agreements. AWS Bedrock (our AI processing service) does not store, log, or use query data for model training, as guaranteed by the AWS Bedrock Service Terms.

• Email and productivity tools: standard business tools used to communicate with you.

• Accounting and fiduciary services: in Luxembourg, for the purposes of billing, tax compliance, and statutory record-keeping.

SAFER EXPERIENCE works with such providers only when they meet appropriate standards on data processing and security. We share only the personal information necessary for them to provide their services, and we require them to process personal data in accordance with our instructions and applicable law.

2.2 Transfers to Courts, Regulators, and Authorities

We will disclose personal information in order to respond to lawful requests from courts, tribunals, government or law enforcement agencies, or where it is necessary or prudent to comply with applicable laws, court or tribunal orders, or government or professional regulations.

2.3 Business Transfers

In the event of a reorganization, merger, acquisition, or sale of assets, personal information may be disclosed in connection with the transaction. We will take reasonable steps to ensure that any successor organization honors the commitments made in this Privacy Policy, and we will notify affected individuals before their data becomes subject to a different privacy policy.

2.4 International Data Transfers

As we operate internationally and use certain service providers based outside the European Economic Area (EEA), your personal information may be transferred to countries that do not provide a level of data protection equivalent to the EEA.

Where such transfers occur, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).

• Adequacy decisions adopted by the European Commission, where applicable.

• Supplementary technical and organizational measures (such as encryption in transit and at rest) where required to address the risks identified in the Schrems II judgment.

If you wish to obtain a copy of the appropriate safeguards in place, you can contact us at carlosmgalvez89@gmail.com.

SAFER EXPERIENCE will not transfer the personal information you provide to any third parties for their own direct marketing use.

3. Choices

In general, you are not required to submit any personal information to SAFER EXPERIENCE. However, we will require you to provide certain personal information to respond to your inquiries or to deliver services you have requested.

If you subscribe to any communications from us in the future, you will be able to unsubscribe at any time by following the instructions included in each communication or by contacting us directly. If you choose to unsubscribe, we will remove your information from the relevant distribution list promptly.

As described in Section 1.3.2 (Cookies), you may also configure your browser to refuse cookies; however, some parts of the Site may not function properly if you do so.

4. Your Rights

If SAFER EXPERIENCE processes personal information about you, you have the following rights under the GDPR:

• Right of access (Art. 15): obtain confirmation of whether we process your personal data and request a copy of it. This is sometimes called a "Subject Access Request." Before providing personal information to you, we may ask for proof of identity and sufficient information to locate your records.

• Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.

• Right to erasure (Art. 17): request deletion of your personal data where there is no compelling reason for continued processing (the "right to be forgotten").

• Right to restriction of processing (Art. 18): request that we limit processing in certain circumstances.

• Right to object (Art. 21): object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

• Right to data portability (Art. 20): receive your personal data in a structured, commonly used, and machine-readable format, or request that we transmit it to another organization where technically feasible.

• Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

• Rights related to automated decision-making (Art. 22): SAFER EXPERIENCE does not engage in automated decision-making that produces legal or similarly significant effects.

You can make a request or exercise these rights by contacting us at info@saferexperience.com. We will make all reasonable efforts to comply with your request, consistent with applicable law. We will respond to legitimate requests within one (1) month. This period may be extended by two (2) additional months where necessary, considering the complexity and number of requests, in accordance with Article 12(3) of the GDPR.

5. Data Security and Integrity

SAFER EXPERIENCE has implemented reasonable technical and organizational security measures designed to protect personal information from unauthorized loss, misuse, alteration, or destruction. These measures include:

• Encryption of data in transit (TLS/HTTPS)

• Access controls limited to authorized personnel on a strict need-to-know basis

• Regular review of security practices and supplier arrangements

• Use of reputable infrastructure providers with documented security standards

Despite our best efforts, security cannot be absolutely guaranteed against all threats. Access to your personal information is limited to those who have a legitimate need to know, and those individuals are bound by confidentiality obligations.

We retain personal information only for as long as:

• (i) the information is necessary to comply with your request or to deliver services to you;

• (ii) it is necessary to comply with legal, regulatory, or internal record-keeping requirements; or

• (iii) until you request that the information be deleted.

Subject to these requirements, personal information will not generally be retained for more than five (5) years after the end of our last interaction with you. Specific retention periods are set out below:

When data is no longer required, it is securely deleted or anonymized.

6. Links to Other Sites

The Site may contain links to external websites, including partner sites, standards bodies, or references. These sites are not governed by this Privacy Policy. We encourage users to review the privacy policy of each website visited before disclosing any personal information. SAFER EXPERIENCE is not responsible for the privacy practices or content of third-party sites.

7. Changes to This Statement

SAFER EXPERIENCE may modify this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we modify this Privacy Policy, we will post the updated version on saferexperience.com with an updated "Last Updated" date. Where changes are material, we will take reasonable steps to notify affected individuals by appropriate means.

Your continued use of the Site after changes are posted constitutes your acceptance of the updated policy.

8. Policy Questions and Enforcement

SAFER EXPERIENCE is committed to protecting the privacy of your personal information. If you have questions or comments about how we handle your personal information, please contact us at carlosmgalvez89@gmail.com. You may also use this address to communicate any concerns you may have regarding compliance with this Privacy Policy.

We will acknowledge your communication within fourteen (14) days and seek to resolve your concern within one (1) month of receipt. Where the concern is complex or involves a significant volume of information, we will notify you that resolution will take longer than one month and will seek to resolve it within three (3) months of first being raised. We may accept your concern and implement an appropriate remedy, or we may reject the concern on legitimate grounds and explain our reasoning.

In any event, you always have the right to lodge a complaint with the Luxembourg supervisory authority:

Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
Website: https://cnpd.public.lu

PART B — CLIENT PRIVACY NOTICE

The purpose of this Client Privacy Notice is to explain how SAFER EXPERIENCE processes personal data of clients, prospective clients, and their representatives, in its capacity as data controller in the course of our business relationship.

We are dedicated to protecting the confidentiality and privacy of the information entrusted to us. As a general rule, we collect personal data directly from you. In some cases, we may also collect personal data from publicly accessible sources (e.g., company websites, LinkedIn), or receive it from your employer or another third party authorized to share it with us.

The following describes how we collect, process, and share your personal data in the context of our services. You will also find information on how to exercise your rights.

1. Processing Activities

1.1 Client Relationship Management (CRM) and Service Delivery

1.1.1 Description of the purpose. We process your personal data to manage our business interactions with you, including:

• Contact management and communication

• Accounting and financial management, including invoicing and billing for our services

• Preparation and execution of proposals, quotations, and service agreements

• Delivery of consulting services and digital products (WSH Knowledge, simulators, AI platforms)

• Internal record-keeping, project management, and audit trails

• Post-engagement relationship management

1.1.2 Categories of personal data. We will collect and process the following personal data:

• Professional contact details (first name, surname, business email, phone number)

• Job title and employer (company, position, department)

• Emails and meeting notes (traffic data and content relevant to the engagement)

• Invoicing details (billing address, VAT number, purchase order references)

• Any other relevant data you share with us in connection with our services

1.1.3 Legal basis. The processing of your personal data is based on:

• Our legitimate interest in providing efficient, high-quality services and in managing the administrative and commercial elements of our engagements (Art. 6(1)(f) GDPR); and

• The performance of a contract with you or with the entity you represent, including pre-contractual steps taken at your request (Art. 6(1)(b) GDPR).

If you do not provide the personal data we reasonably request, we may be unable to fulfill our obligations to you or to your employer.

1.1.4 Retention period. Personal data in the CRM system is retained for the duration of the business relationship. After the end of the relationship, contact records are archived and retained for up to five (5) years if no further activity is linked to them. Emails and project correspondence related to contractual obligations are retained for ten (10) years in compliance with Luxembourg commercial and tax law.

1.2 Use of the Safety Knowledge Platform and Digital Products

1.2.1 Description of the purpose. Where you or your employer has subscribed to our digital products (Safety Knowledge, AI Safety Assistant, Consequence Simulators, eLearning Suite), we process personal data to:

• Provide secure, authenticated access to the Service

• Deliver AI-synthesized answers in response to your queries

• Operate, maintain, and improve the Service

• Monitor for abusive usage patterns (e.g., systematic extraction attempts in breach of our terms)

• Generate usage reports for invoicing purposes

1.2.2 Categories of personal data. Depending on the configuration, we may process:

• Authentication data (username, hashed credentials, session tokens)

• Usage metadata (query counts, timestamps, IP address, session duration)

• Optionally, query content itself (only under the Standard data processing model — see below)

1.2.3 Legal basis. Performance of a contract with the subscribing organization (Art. 6(1)(b) GDPR) and our legitimate interest in securing and improving the Service (Art. 6(1)(f) GDPR).

1.2.4 Data processing models. Our Service Agreements provide two data handling models:

• Standard Data Processing: queries are processed in real time. Anonymized query logs (question text, timestamps, performance metrics) may be retained for up to twelve (12) months for service improvement, security monitoring, and billing purposes. No personal data of individual end users is used for profiling or marketing.

• Zero Data Retention: where selected in the Service Agreement, no query text is stored, logged, or retained after the response is delivered; no answers are cached; no conversation history is maintained between sessions; only aggregate usage counts for billing are retained.

For Client-Hosted deployments, SAFER EXPERIENCE has zero access to query data by architecture, because all processing occurs entirely within the Client's own cloud infrastructure. In this scenario, SAFER EXPERIENCE is neither a controller nor a processor of the query data.

1.2.5 AI sub-processor guarantees. Where AWS Bedrock is used for AI inference, query data is processed in accordance with the AWS Bedrock Service Terms, which provide that query data is not stored, logged, or used for model training.

1.2.6 Retention period. As set out in the applicable Service Agreement and Order Form. Authentication records are retained for the duration of access plus up to twelve (12) months, unless Zero Data Retention has been selected.

1.3 Direct Communication and Business Development

1.3.1 Description of the purpose. We may occasionally send you relevant information about our services, publications, or events related to process safety in steel and mining.

1.3.2 Categories of personal data. Professional contact details and job title.

1.3.3 Legal basis.

• Your consent (Art. 6(1)(a) GDPR) if you are not yet a client; or

• Our legitimate interest (Art. 6(1)(f) GDPR) in keeping you informed of developments directly relevant to the services provided, where you are an existing client or a representative of an existing client.

1.3.4 Retention period. We will remove your details from any distribution list upon your first request or if you cease to be a client. You may unsubscribe at any time.

1.4 Legal, Tax, and Regulatory Compliance

1.4.1 Description of the purpose. We process personal data as required to comply with our legal obligations, including:

• Tax and accounting obligations under Luxembourg law

• Statutory record-keeping requirements

• Responses to legitimate requests from public authorities

1.4.2 Categories of personal data. Invoicing details, contractual data, correspondence, and any other data required by applicable law.

1.4.3 Legal basis. Legal obligation (Art. 6(1)(c) GDPR).

1.4.4 Retention period. Ten (10) years from the end of the relevant financial year, in accordance with Luxembourg commercial and tax law.

2. Who Has Access to Your Personal Data?

2.1 We have implemented appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. The number of persons with access to your personal data is limited on a strict "need to know" basis.

2.2 We may share your personal data with carefully selected suppliers and partners that carry out services on our behalf, such as hosting providers (Framer, AWS), accounting and fiduciary services, and professional advisors. These suppliers process data only under our instructions and under appropriate contractual safeguards, including Data Processing Agreements where required.

2.3 As we operate internationally, the delivery of our services may involve limited transfers of personal data to third countries outside the EEA. In such cases, we implement appropriate safeguards as described in Section 2.4 of Part A (International Data Transfers).

2.4 We do not sell or rent your personal data to any third party.

3. Your Rights

You have the same rights under the GDPR as set out in Section 4 of Part A, including the rights of access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent.

You can make a request or exercise these rights by contacting us at info@saferexperience.com. We will make all reasonable efforts to comply with your request, consistent with applicable law. If you are not satisfied with the way we handle your personal data, you have the right to file a complaint with the Luxembourg supervisory authority (CNPD) as described in Section 8 of Part A.

4. Changes

If any changes are made concerning the processing of your personal data, we will inform you by publishing an updated version of this Privacy Policy on saferexperience.com. Where required, we will also notify affected clients directly.

5. Contact Us

Data controller:

SAFER EXPERIENCE (SE-CMMG)
67, Rue de la Vallée, L-2661 Luxembourg
RCS: A46893 | TVA: LU37339338
Email: info@saferexperience.com