The data controller for personal data processing is Fenix S.r.l., with registered office at Via Casilina 3, Porta Maggiore, 00182 Rome (RM), Italy, VAT IT03097500601 (hereinafter "FenixTrace", "we" or "the Company"). For any matter relating to personal data processing, you can contact us at: privacy@fenixtrace.fenixsoftwarelabs.com.

We only collect data necessary to provide our services. This may include wallet addresses (which may qualify as personal data under the GDPR), usage data related to subscription and access interactions, and local preferences stored in your browser. • Blockchain wallet address (required for authentication and transactions) • Subscription and plan data (plan type, expiry date) • Company name and logo (voluntarily provided during registration) • Authorized delegate addresses • Product data voluntarily uploaded by the user • Access logs and platform usage data • Language and interface theme preferences (localStorage)

We process personal data in accordance with the General Data Protection Regulation (GDPR), based on the following legal grounds: • Your consent (Art. 6(1)(a) GDPR), for features like local storage and UI customization • Performance of a contract (Art. 6(1)(b) GDPR), when providing access to our SaaS • Legitimate interest (Art. 6(1)(f) GDPR), to ensure security, integrity, and proper functioning of the platform • Legal obligation (Art. 6(1)(c) GDPR), for retention of fiscal and billing data Failure to provide necessary data (e.g., wallet address) may prevent access to platform services.

We use essential cookies for site functionality and preference cookies to remember your settings. We do not use third-party tracking cookies. For detailed information about cookies used, their purposes and duration, please refer to our dedicated Cookie Policy.

Files uploaded to FenixTrace may be stored on the InterPlanetary File System (IPFS), a decentralized storage protocol. These files are referenced via unique content hashes. No personal data is stored on IPFS by default. Users are advised not to upload sensitive or personally identifiable information to decentralized networks. IMPORTANT: Data published on IPFS is inherently immutable and distributed. Once uploaded, complete removal from the network cannot be guaranteed. Users are responsible for ensuring that uploaded data does not contain sensitive personal information. FenixTrace is not responsible for personal data voluntarily published by the user on the IPFS network.

FenixTrace operates on the IOTA L1 blockchain. The following information is recorded on-chain and is publicly accessible: • Product registration transaction hashes • Notarization transaction hashes • Wallet addresses associated with transactions • Operation timestamps • IPFS hashes of product metadata • DID (Decentralized Identity) information This data is immutable by nature of blockchain technology and cannot be modified or deleted. Wallet addresses are considered pseudonymized data under the GDPR.

FenixTrace uses the following third-party services: • IOTA Foundation (IOTA L1 blockchain network) — for transaction registration and verification • Pinata Cloud (IPFS pinning) — for decentralized storage of product metadata. Companies use their own Pinata API keys • SMTP Services (Zoho Mail) — for sending transactional email communications Each third-party provider operates under their own privacy policies. Users are advised to review their respective policies.

Personal data is retained for the time necessary to achieve the purposes for which it was collected: • Subscription data: for the duration of the subscription + 12 months after expiry • Billing data: 10 years as required by Italian tax law • Access data and logs: 12 months • localStorage preferences: until deleted by the user • Blockchain and IPFS data: permanent (by nature of the technology) Upon expiry of the retention period, data is deleted or anonymized, except for data recorded on blockchain which is immutable.

We use browser local storage to save your preferences and improve performance. This data remains on your device.

We implement advanced security measures including end-to-end encryption, secure authentication and regular audits to protect your data. • Encrypted communications via HTTPS/TLS protocol • Authentication via cryptographic wallet signature (no passwords stored) • Role-based access (owner, delegate, admin, red flagger) • No private key data is ever transmitted or stored by the server • Continuous monitoring and periodic security updates

You have the right to access, correct, or delete your personal data at any time. You may also withdraw consent or object to data processing under certain conditions. To exercise your rights, contact us at privacy@fenixtrace.fenixsoftwarelabs.com. Under the GDPR (Articles 15-22), users have the right to: • Access their personal data • Rectification of inaccurate data • Erasure of data ("right to be forgotten"), within the limits of blockchain technology • Restriction of processing • Data portability • Objection to processing • Withdrawal of consent at any time To exercise these rights, contact: privacy@fenixtrace.fenixsoftwarelabs.com Users also have the right to lodge a complaint with the competent supervisory authority (Garante per la protezione dei dati personali).

FenixTrace is not intended for children under 16 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without parental consent, we will take immediate steps to delete it.

We reserve the right to modify this policy at any time. Changes will be published on this page with an updated "last updated" date. In case of substantial changes, users will be notified via a notice on the platform. Continued use of the platform after publication of changes constitutes acceptance thereof.