PRIVACY NOTICE

Brescia, 14/05/2026

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA
In compliance with EU Regulation 2016/679 (GDPR) — Puzzle S.r.l.

1. DATA CONTROLLER

The Data Controller is Puzzle S.r.l., with registered office at via Orzinuovi n. 20 – 25125 Brescia (BS), Italy, Tax Code/VAT No. 04689200980, PEC: Puzzlelab@pec.it (hereinafter, “Puzzle” or the “Controller”). For any request regarding the processing of personal data, please contact the Controller by writing to the dedicated e-mail address: privacy@puzzlelab.it

2. SUBJECT MATTER OF PROCESSING

The Data Controller processes personal data relating to the data subject and/or relevant personnel (employees or collaborators) and/or shareholders or directors of the company that the data subject represents, to whom this notice must be communicated, such as: first and last name; place and date of birth; e-mail address; residential or domicile address; tax identification code; gender; private and work address; telephone and fax number; billing data; personal data capable of revealing the possible existence of criminal convictions and ongoing criminal proceedings (judicial data); any other data connected to the execution of the activity that is the subject of the existing relationship (for the purposes of this notice, the “personal data” or simply “data”)

3. DATA PROCESSED AND PURPOSES

Through this Site, Puzzle processes exclusively the personal data that the user voluntarily provides (e.g. first name, last name, e-mail address, telephone number, content of messages) when submitting contact requests or requests for information about the services offered. Such data are processed for the following purposes:

❖ to respond to contact requests and manage pre-contractual relationships;

❖ to manage the activity that is the subject of the existing relationship with the data subject / the company that the data subject represents, including the related legal and administrative obligations. The processing of all categories of data indicated may be necessary for compliance with legal obligations to which Puzzle is subject, such as, for example, the requirements of anti-money laundering and anti-terrorism legislation (Art. 6(1)(c) GDPR) and for the execution of the activity that is the subject of the existing relationship and/or the mandate conferred (Art. 6(1)(b) GDPR). The provision of such data is necessary for the execution of said activity, and failure to provide them makes it impossible for Puzzle to carry it out.

❖ they may be used (excluding billing data and any other data connected with the execution of the activity that is the subject of the existing relationship) for communications related to Puzzle’s activities via newsletters, institutional communications and event invitations, by automated and individual means. Such processing is carried out on the basis of the legitimate interest (Art. 6(1)(f) GDPR) of Puzzle in developing relationships with its clients. The provision of data for this purpose is optional and failure to provide them does not affect the execution of the activity that is the subject of the existing relationship. The data subject will always have the option to request that data not be processed for this purpose or, if processing is already underway, to exercise their right to object.

The legal basis for processing is, depending on the case: the performance of pre-contractual measures (Art. 6(1)(b) and (c) GDPR), the consent of the data subject (Art. 6(1)(a) GDPR), or the legitimate interest of the Controller (Art. 6(1)(f) GDPR).

4. USE OF ARTIFICIAL INTELLIGENCE TOOLS (AI)

In performing its activities, Puzzle makes use of, among other applications, technological tools based on artificial intelligence (hereinafter, “AI Tools”) to support its operational activities, including: (i) processing and analysis of internal data; (ii) consultation of external databases via API calls and/or link; (iii) internal profiling activities for research and business development purposes; and (iv) document production and review. The use of such tools is entirely complementary to the activities carried out by Puzzle’s human resources, who in all cases retain responsibility for the decisions made. Puzzle undertakes to use AI Tools in full compliance with applicable regulations, with particular reference to:

❖ Regulation (EU) 2016/679 (GDPR) — principles of data minimisation, purpose limitation and security of processing;

❖ Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act) — with regard to obligations of transparency, non-discrimination and human oversight in the management of AI systems, including those used for profiling activities and for interaction with external databases via API.

In particular, Puzzle adopts adequate technical and organisational measures to ensure, among other things, that: (i) personal data processed through AI Tools are limited to what is strictly necessary in relation to the purposes pursued (principle of data minimisation); (ii) internal profiling activities and queries of external databases are carried out in compliance with applicable regulatory limits and, where required, following notification to or consent of the data subjects; (iii) no decision that produces significant legal effects or that similarly affects the data subject is taken in an exclusively automated manner, without human intervention; (iv) AI Tool providers are selected from among operators that guarantee adequate levels of security and regulatory compliance, with whom specific agreements pursuant to Art. 28 GDPR are concluded.

5. PROCESSING METHODS AND RETENTION RULES

Personal data are processed by electronic means, in compliance with the principles of lawfulness, fairness and transparency, and with the adoption of adequate technical and organisational measures to ensure security and confidentiality. Data is retained for the time strictly necessary to achieve the purposes for which they were collected and, in any case, in compliance with the timeframes provided by applicable legislation. The criteria adopted to determine retention periods take into account the nature of the data, the purpose of processing and applicable legal obligations, including tax, accounting and civil law obligations; upon expiry of such timeframes, data are deleted or irreversibly anonymised.

6. DISCLOSURE TO THIRD PARTIES

Personal data may be disclosed to third parties acting as Data Processors (e.g. IT service providers, cloud platforms, AI Tools), exclusively for the purposes indicated in this Notice and on the basis of specific contractual agreements. Data will not be transferred to third parties for their own commercial purposes, nor disseminated. In this context, no transfer to countries outside the EEA is included.

7. DATA SUBJECTS RIGHTS

The data subject has the right to access their personal data, obtain rectification or erasure thereof, request restriction of processing, object to processing, and exercise the right to data portability, within the cases and limits set out in Arts. 15–22 GDPR. The data subject also has the right to withdraw consent at any time and to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali — www.garanteprivacy.it). Requests may be sent to the Controller at: privacy@puzzlelab.it.

8. PROTECTION

Puzzle undertakes to protect the personal data provided to it and to implement adequate technical and organisational security measures to protect them from possible incidents such as unauthorised or unlawful processing and from accidental loss, destruction or damage, pursuant to Art. 32 et seq. of the GDPR.

9. UPDATES OF THIS PRIVACY NOTE

Should the content of this Notice be subject to modifications and/or changes, Puzzle will take care to update it in order to correctly represent the rules governing the processing of personal data. Last revised: 14 May 2026.