Privacy Policy of CREATUM GmbH
CREATUM GmbH · Am Sandtorkai 32 · 20457 Hamburg · Email: info@creatum.io · Commercial Register: HRB182409
1. Scope
(1) This privacy policy applies to:
- the use of our website
- the initiation and execution of business relationships
- participation in workshops, consulting engagements, and projects
- the deployment and operation of AI-based solutions and agents
(2) It supplements our General Terms and Conditions (GTC) and forms part of our contractual collaboration.
2. Principles of Data Processing
(1) We process personal data exclusively:
- for defined purposes
- limited to what is necessary
- in compliance with applicable data protection laws
(2) Our goal is to combine technical innovation with responsible data handling.
3. Data Processing on Our Website
(1) When you visit our website, technical information is automatically collected (e.g. IP address, browser, time of access) in order to:
- ensure the stability and security of the website
- enable technical operation
(2) Contact enquiries are stored for processing and communication purposes.
4. Data Processing in the Context of Business Relationships
(1) In the context of enquiries, proposals, and projects, we process personal data such as:
- Name and contact details
- Company affiliation
- Communication content
- Project-related information
(2) Processing is carried out for:
- Contract initiation
- Project execution
- Communication with contact persons
5. Workshops and Consulting
(1) In the context of workshops (e.g. for identifying AI use cases), we process data provided by participants or generated during the workshop.
(2) This may include:
- Process descriptions
- System landscapes
- Organisational workflows
(3) This data is used exclusively for the delivery and documentation of the respective service.
6. Use of AI Agents and AI Systems
(1) As part of our services, we develop and operate AI-based systems, in particular AI agents for the automation of business processes.
(2) The following principles apply:
- Processing preferably takes place within the client's infrastructure
- Data remains within the client's sphere of control (e.g. own tenant, cloud environment, or on-premises)
- No use of client data for our own training purposes without an explicit agreement
7. Data Processing on Behalf of the Client
(1) Where we process personal data on behalf of a client, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR.
(2) In this case:
- the client acts as the data controller
- we act as the data processor
8. Disclosure of Data
(1) Personal data is disclosed only:
- for the fulfilment of the contract
- on the express instruction of the client
- where required by law
(2) Data is not shared with third parties for our own purposes.
9. Hosting and Infrastructure
(1) We use external service providers for the operation of our website and, where applicable, technical components.
(2) This may involve the processing of personal data (e.g. IP addresses).
(3) All service providers used are contractually obliged to comply with data protection requirements.
10. Retention Period
(1) Personal data is stored only as long as:
- it is necessary for the respective purpose
- statutory retention obligations apply
(2) Project-related data is handled after completion in accordance with the contractual agreement.
11. Data Security
(1) We employ appropriate technical and organisational measures to protect data, in particular against:
- unauthorised access
- loss
- manipulation
12. Rights of Data Subjects
(1) Data subjects have the right to:
- access
- rectification
- erasure
- restriction of processing
- data portability
- objection
13. Right to Lodge a Complaint
(1) You have the right to lodge a complaint with a data protection supervisory authority.
14. Amendments
(1) We reserve the right to update this privacy policy as needed, in particular in the event of changes to our services or legal requirements.
As of: January 2026