3 DEFINITIONS

The capitalised words in this Privacy Statement have the meanings ascribed to here. Below are some key terms relevant to this Privacy Statement, with other terms defined within the sections and highlighted in bold font:

‘Business Customer’: The legal entity that has a direct contractual relationship with Summa, or a contractual relationship with Summa partners. In the context of this Privacy Statement, this is in most cases your employer.

‘Data Controller’: Natural or legal entity that determines the purposes and means for the processing of Personal Data. In the context of this Privacy Statement, this is in most cases your employer, or Summa as an independent Data Controller when we process your Personal Data for our own legitimate business operations, not related to the processing purposes of your employer.

‘Data Processor’: Natural or legal entity processing Personal Data on behalf of the Data Controller. In the context of this Privacy Statement, this is in most cases Summa as the provider of the App or Device.

‘Data Protection Legislation’: Data Protection Legislation refers to the applicable laws that govern the protection of Personal Data and privacy. This includes the legislation applicable to the processing of Personal Data in the EU, such as the General Data Protection Regulation (‘GDPR’) and the ePrivacy Directive, as well any national laws implemented in connection with the aforementioned legislation.

‘Data Subject’: Natural person(s) whose Personal Data is processed, specifically in this case, the End User.

‘End User’: Data Subject(s) whose Personal Data is processed while using the App or Device, in most cases, the employees of the Business Customer.

‘Personal Data’: Any information directly or indirectly relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

‘Sensitive Personal Data’: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a Data Subject’s sex life or sexual orientation.

‘Sub-Data Processor(s)’: A legal or natural person that Processes Personal Data on behalf of the Data Processor, based on the instructions of the Data Controller.

4 FUNCTIONS OF THE APP

4.1  Prerequisites for using the App or Device

The functions of the App or Device can only be used in conjunction with an Summa backend/cloud, for which your employer i.e., the Business Customer has purchased a subscription and configured it for you. The App or Device functions will only be available after authentication and synchronisation of the data with the corresponding service.

4.2  Artificial intelligence

We use and develop artificial intelligence (‘AI’) to take advantage of the benefits associated with this technology, such as simplifying processes and increasing customer satisfaction. For example, End Users can access a recording and transcription feature through the App. Doing so, End Users can engage an in-app bot, powered by a third-party large language model (‘LLM’), to process the transcription, including but not limited to generating summaries or translations, which are presented in the App.

No Personal Data is used to train or improve the LLM. We use AI responsibly and attach great importance on ensuring that its use adheres to established ethical guidelines.

5 WHAT PERSONAL DATA WE PROCESS, HOW AND WHY

We process the Personal Data identified in this Privacy Statement to deliver the App and/or Device and ultimately for the purposes determined by the Business Customer. We only collect Personal Data that is necessary in accordance with the Data Protection Legislation.

Our intention is to not collect Sensitive Personal Data through the App or Device. We therefore ask that you do not provide any type of Sensitive Personal Data. If you do wish to provide Sensitive Personal Data for any reason, Summa accepts your explicit consent to use that Sensitive Personal Data in the ways described in this Privacy Statement or as described at the point where you choose to provide us with such data.

Personal Data obtained via the App or Device is used only in the ways described in this Privacy Statement. Summa makes every effort to avoid any excessive or irrelevant collection of Personal Data.

5.1 How do we collect your Personal Data?

We may collect Personal Data directly from you or indirectly through the Business Customer. The way we collect your Personal Data differs depending on your relationship with us:

• Directly from End Users: Personal Data may be directly collected from you via the App or Device. If you choose not to provide Personal Data to us, you may experience limited or no functionality in your desired service, function, or technical assistance.

• Indirectly from Business Customers: Personal Data may also be collected indirectly through the Business Customer, i.e., your employer. When your employer has provided us with your Personal Data, we operate under the assumption that they have obtained the necessary valid legal basis to collect and pass such Personal Data on to us. For details on such legal basis, you should refer to the privacy statements/notices of your employer, our Business Customer.

5.2  On what legal ground do we rely?

5.2.1  When acting as a Data Processor on behalf of the Business Customer

We do not control the purposes and means for the collection of your Personal Data when providing our service on behalf of the Business Customer and are therefore not responsible for it. We only process the data to the extent necessary for downloading the App on your hardware and for other technical purposes related to the availability, development, and usage of the App or Device.

As a Data Processor we only process your Personal Data when there is a legal basis for doing so, such as:

• The legal ground(s) established by the Business Customer: Your Personal Data may be processed based on a valid legal basis determined by your employer, in compliance with the Data Protection Legislation. The Business Customer is responsible to ensure the Personal Data has been collected in a legitimate way.

• Your consent: You may be asked to consent to the processing of your Personal Data for specific purposes. Consent will be requested whenever processing relies on it as a legal basis. You have the right to revoke your consent at any time.

5.2.2   When acting as an independent Data Controller for our own legitimate purposes

We may also process your Personal Data for our own business purposes as the provider of the App or Device. The legal basis for this processing is our legitimate interest, which allows us to use your Personal Data in a manner that is necessary and proportionate to our legitimate business objectives. We ensure that such processing is conducted in compliance with the Data Protection Legislation.

Summa legitimate business objectives consist of the following:

• Improving the core functionality of the App or Device and customer experience;
• Answering to business queries;
• Providing the communication service with external and internal parties; and
• Rating and billing of communication services.

5.3  What categories and elements of Personal Data do we process?

5.3.1   As a Data Processor on behalf of the Business Customer and based on the legal ground(s) established by the Business Customer

We process the following categories of Personal Data:

• Mandatory user information: When downloading the App, the information required for proper functioning of the App is transferred to the respective online marketplace. This data consists of your username, email address and the customer number of your account, time of download, payment information and individual device ID. When you log into the App, we will process the user information provided by the Business Customer, i.e., your employer, connected to your profile. This data consists of your username and password.
• Traffic data: When using the App or Device, traffic data will be processed. This data is required to facilitate communication. Traffic data is generated and processed automatically when End Users communicate via the App or Device and consists of information about the participants, calling and called number, the connected IP address, the date, the time, the duration of the call, the amount of data used, and when roaming, the network that was used.
• Chat information: When using the messaging functionality within the App, we will process the data necessary to facilitate communication. This data consists of IP addresses, login data, chat messages, chat partner, status of the chat messages, and transmitted files. The data is collected in the App and then synchronized with the corresponding server on which the Summa software is installed to the extent necessary to provide the relevant functions. Only you as the End User or your corresponding chat party(ies) have access to the chat data stored solely in the App. Your employer, as the Business Customer and the corresponding party that have provided you with access to the App, has access to the data located on the server.
• CRM data: We may also process data contained in your Customer Relationship Management (CRM) system based on the access rights provided by the Business Customer. The App seamlessly integrates with your CRM system and our operating platform, allowing End Users to push notes, call logs, and access CRM information effortlessly. Additionally, through the backend function, your CRM data can be synchronized daily into a designated third-party Computer Telephony Integration (CTI) server. This allows End Users to search for and access CRM information within the App.

• Voice data and call transcriptions: We may process voice data generated during App or Device usage, including real-time call recording and transcriptions. We may process this data when End Users activate the call recording function within the App themselves or when configured by the administrator on request of your employer. When this feature is enabled, depending on the jurisdiction and the configuration set up by your employer, all participants may be notified via an automated message that the call is being recorded. The call is automatically transcribed, and both the recording and the transcription are stored on our servers. When processing this data our role is limited to providing the technical infrastructure for recording, transcription, and access to bot-based processing tools.

5.3.2   As a Data Processor on behalf of the Business Customer and based on your consent

We process the following categories of Personal Data:

• Contracts: When you make use of certain App features, we ask you for your consent to use your contacts. We will not use this data if you do not consent. However, be aware that if you do not consent you may not be able to use all functions of our App. You may subsequently grant or withdraw your consent at any time by changing the settings in the App or your operating system.

If you do consent, your data will be accessible from the App, and in some cases used to enrich data, for example your call history. This will only be synchronised and enhanced locally on the device you use. Additionally, when using the desktop version of the App you can add a contact to your personal “Contact” phonebook.

• Photos and media: When you make use of certain features, we ask you for your consent to use your photos and related media. We will not use this data if you do not consent. However, be aware that if you do not consent you may not be able to use all functions of our App. You may subsequently grantor withdraw your consent at any time by using the settings in the App or your operating system.

5.3.3   As an independent Data Controller based on our own legitimate interest

We process the following categories of Personal Data:

• Contact information: If you want to contact us via email or via our contact form, we will process the information required to answer your query. This data consists of your email address and, if provided, your name and telephone number.
• Usage statistics: We collect anonymous usage data to determine usage-related statistical indicator that we can use for business intelligence purposes to improve our App or Device and make it more attractive for you as an End User. The data is anonymized from the outset and cannot be associated with an identified or identifiable person at any time (Data Subject).

5.3.4   Sensitive Personal Data

In our capacity as a Data Processor or independent Data Controller, we do not actively collect Sensitive Personal Data for any of the purposes described in this Privacy Statement.

5.3.5   Anonymous information

We may create anonymous, aggregated, or de-identified data from your Personal Data. We do this by excluding information that makes the data personally identifiable to you.

6 HOW AND WHERE DO WE STORE AND RETAIN YOUR PERSONAL DATA

Personal Data is only retained to the extent and for the duration covered by the relevant  legal basis, as identified by Section 5 above. Personal Data is stored as long as necessary to fulfil collection purposes, legal obligations, and reporting requirements. All data is stored on servers within the European Economic Area (‘EEA’).

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and whether we can achieve the purposes through other means.

Personal Data may be anonymised rather than being deleted. In this event, the anonymised data will no longer be traceable to you and is no longer considered Personal Data.

Uninstalling the App permanently deletes all data in the App; however, it does not delete the data stored in the backend/cloud. The data stored in the backend/cloud will be either deleted or anonymised based on legal requirements, after your employer i.e., the Business Customer has cancelled the subscription. Due to this we have no influence over, and are therefore not responsible for, the duration for which data is stored on the backend/cloud.

7 WITH WHOM WE MIGHT SHARE YOUR PERSONAL DATA

If we deem it necessary for the abovementioned processing purposes, your Personal Data may be shared with one or more third parties, regardless of whether the third party is affiliated with the Enreach Group, for the purpose of processing Personal Data in accordance with our instructions.

When third parties are given access to your Personal Data in line with the above, we undertake required contractual and organisational measures to ensure that your Personal Data are processed only to the extent that such processing is legitimate and necessary.

We may share your Personal Data with trusted third parties as follows:

7.1 Within the Enreach Group

The Enreach Group is composed of a wider group of undertakings with headquarters in the Netherlands, and entities located in the EU, the UK and Serbia. Summa may transfer your Personal Data to or otherwise allow access to such Personal Data by other entities within the Enreach Group, which may use, transfer, and process your Personal Data for the purposes described within this Privacy Statement. We may also share anonymised or aggregated Personal Data about our customers in the form of business intelligence and statistics with members of the Enreach Group.

7.2  With operators

In order to communicate via our App or Device, it is necessary for us to transmit traffic data via any Wi-Fi or IP network operators. Summa uses several European infrastructure providers, and these operators therefore process Personal Data. These operators are independent Data Controllers for the processing of data within their respective networks.  For further information on the operators we use, please reach out to us using the Contact Information above.

7.3  With Data Processors

We may engage certain Data Processors who may process your Personal Data on our instructions. The Data Processors are contractually obliged to implement appropriate technical and organisational measures to ensure that your Personal Data is processed in accordance with our instructions. We may share your Personal Data with such Data Processors in relation to the hosting of your data, the App chat, recording or transcription functionality, business intelligence analyses etc.

We only share your data with Data Processors that can provide sufficient guarantees that they will process your data securely and in accordance with the Data Protection Legislation. Our Data Processors cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors which must process your Personal Data on precisely the same terms and to the same high standards.

In principle, we aim to process Personal Data within the EEA. However, we reserve the right to engage Sub-Data Processors established outside the EEA. If a Sub-Data Processor is established outside the EEA in a country that does not offer an adequate level of protection as defined in the GDPR, we will make sure that the relevant Sub-Data Processor only receives Personal Data from us if the appropriate safeguards have been provided as required under Chapter V of the GDPR. In such cases, we will enter into an agreement with the relevant Sub-Data Processor based on the EU standard contractual clauses as well as any additional checks and measures where necessary for the international transfer of Personal Data.

7.4  With regulators, authorities, and other relevant third parties

Where necessary for the processing purposes described above or where required by law, your Personal Data may be transferred to regulators, courts and other authorities, independent external advisors, and compliance and investigation teams.

8 HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA

We attach significant importance to your privacy. We therefore implement appropriate technical and organisational measures to ensure that the processing of your Personal Data is performed in accordance with the Data Protection Legislation, in particular ensuring an appropriate level of security. We implement suitable physical, electronic, and managerial procedures to safeguard and secure your collected Personal Data. The App and Device use TLS encryption for the data and audio connection to the server. The Personal Data is therefore not accessible by third parties.

Summa has implemented generally accepted standards of technology and operational security in order to protect Personal Data from loss, misuse, alteration, or destruction. Only authorised Summa personnel are provided access to Personal Data and are contractually or statutorily obliged to ensure confidentiality of the Personal Data.

9 YOUR RIGHTS

Under the Data Protection Legislation, you have a number of rights regarding the processing of your Personal Data within the App, as below:

9.1  Right to be informed about our collection and use of Personal Data

You have the right to be informed about the categories of Personal Data processed, the purposes of processing, any recipients of the Personal Data as well as the planned storage period.

9.2  Right of access

You have the right to access the information we process about you. Summa does not have access to the Personal Data contained within the App or Device. Within the App or Device, you can view your Personal Data yourself.

9.3  Right to rectification

You have the right to have incorrect, incomplete or outdated Personal Data about yourself corrected). Summa does not have access to the Personal Data contained within the App or Device. Within the App or Device, you can correct Personal Data yourself.

9.4  Right to erasure

In certain cases, you have the right to have your Personal Data deleted, in particular, if the data is no longer required for a legitimate purpose under the GDPR or is being processed unlawfully, or if you have withdrawn your consent or objected to the processing.) Summa does not have access to Personal Data contained within the App or Device. Within the App or Device, you can delete Personal Data yourself.

9.5  Right to restrict processing

In certain cases, you have the right to have the processing of your Personal Data restricted if you contest the accuracy of your Personal Data, you oppose the erasure of the data, the data is no longer required for a legitimate purpose under the GDPR, or you have objected to the processing. If you exercise this right, we may only process your Personal Data with your consent, or for the purpose of establishing, asserting, defending, protecting, a significant public or private interest, except when we process your Personal Data for storage.

9.6  Right to object

In certain cases, such as when your data is processed based on legitimate interests, you have the right to object to our otherwise lawful processing of your Personal Data.

9.7  Right to transfer your Personal Data (data portability)

In certain cases, you have the right to receive a copy of your Personal Data in a structured, commonly used and machine-readable format. You may transmit such Personal Data to another Data Controller).

9.8  Right to withdraw your consent

You have the right to withdraw your consent at any time with effect for the future. Within the App or Device or your system settings you can revoke your consent at any time.

9.9  Rights in relation to automated processing

An automated decision is one that is made by our systems rather than a person. You have the right to express your concerns and object to a decision taken by purely automated means under some laws such as the GDPR. You also have a right to request that a person reviews that decision. This right is unlikely to apply to Summa use of your Personal Data, as any automated processing we carry out is unlikely to make decisions and would include human intervention. If you would like to discuss this in further detail, please contact us as set out above.

9.10  Right to lodge a complaint

You have the right to lodge a complaint with a competent supervisory authority about the Personal Data processing.

As a Data Processor, Summa processes your Personal Data solely based on the instructions of the Data Controller, your employer. You can therefore invoke any of the above rights by reaching out to your employer.

For the Personal Data we process in our capacity as an independent Data Controller, you can invoke the rights above by reaching out to us on the Contact Information provided above. When you submit a request, we will ask you some additional questions to verify your identity. We will respond to your request as soon as possible, but at the latest within one month.

10 QUESTIONS OR COMPLAINTS

In case you have any questions with respect to the processing of your Personal Data as described within this Privacy Statement, you can contact our  and our DPO via the Contact Information above.

11 CHANGES

Summa reserves the right to modify or amend this Privacy Statement at any time. The effective date will be displayed below. It is the user’s responsibility to check this document regularly for changes.

Thank you for taking the time to read our Privacy Statement.

Version 3.0; April 2025