PRIVACY AND SECURITY POLICY

Berlek processes personal data with the highest level of diligence, applying appropriate technical and organizational measures in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), as well as any other applicable regulations.

IDENTITY OF THE DATA CONTROLLER

In accordance with the GDPR, users are informed that the personal data processed through the website, App, and channels associated with Berlek will be processed by:

Data Controller:

  • BERLEK INCORPORATED, a company incorporated under the laws of the United States of America (hereinafter, “Controller”), with registered office at 6911 Alder Dr Houston Texas (United States)
  • Tax identification number 37-2116077
  • Email: support@Berlek.com
  • Privacy email: privacy@Berlek.com
  • Website: www.Berlek.com

COMMITMENT TO PRIVACY AND TRUST

User trust is an essential element in the design and operation of Berlek. Accordingly:

  • Berlek only accesses the data strictly necessary to provide the service.
  • The principle of data minimization is applied to all processing activities.
  • Internal access to personal data is limited, controlled, and audited.
  • Personnel with access to systems are subject to confidentiality obligations, specific training in data protection, and reinforced authentication systems.

Berlek will not use personal data for purposes incompatible with the provision of the service unless there is a valid and sufficient legal basis for doing so.

CATEGORIES OF DATA PROCESSED

Depending on how the service is used, Berlek may process the following categories of data:

Data provided directly by the user

  • Name, email address, telephone number, and account data.
  • Tasks, reminders, lists, notes, and instructions.
  • Files, images, and documents uploaded by the user.
  • Third-party contact data, when the user requests interactions or reminders addressed to such third parties.

The content entered by the user is private and is processed for the purpose of enabling the provision of the Service.

As a general rule, such content is processed automatically.

Berlek does not generally access content or systematically monitor it. Access to such data by authorized personnel is limited to strictly necessary cases, such as the resolution of technical incidents, the provision of support, or compliance with legal obligations, and is carried out under strict control and confidentiality measures.

Data derived from use of the service

  • History of interactions with Berlek.
  • Preferences, settings, and usage habits.
  • Technical records, identifiers, and activity logs.

Data obtained from integrations

  • When the user connects third-party services, such as calendars, email, or productivity tools, Berlek may access only the data necessary to carry out the functionality authorized by the user.

AUTOMATED PROCESSING AND PROFILING

In the context of providing the Service, Berlek may use automated technologies, including artificial intelligence-based systems, for the purpose of processing the information provided by the user and generating outputs such as reminders, content organization, suggestions, or the automation of actions.

Furthermore, data processing may involve basic profiling based on information such as use of the Service, preferences, settings, or interaction patterns, exclusively for the purpose of:

  • Improving the functionality of the Service
  • Personalizing the user experience
  • Optimizing the relevance of the results generated

Such processing is generally carried out in an automated manner, without direct human intervention in the individualized analysis of content, except where strictly necessary for:

  • The resolution of technical incidents
  • The provision of support
  • Compliance with legal obligations

Under no circumstances does this processing involve automated decision-making that produces legal effects or similarly significant effects for the user within the meaning of Article 22 GDPR.

Berlek applies appropriate technical and organizational measures to ensure that this processing is carried out in accordance with the principles of:

  • Data minimization
  • Purpose limitation
  • Proportionality
  • Security

PURPOSES OF PROCESSING

Personal data will be processed for the following purposes:

  • Managing user registration and the provision of the service.
  • Creating, storing, organizing, and executing reminders, lists, notes, and automated actions.
  • Synchronizing calendars, emails, and other authorized integrations.
  • Allowing the management of files and information relevant to the user.
  • Sending functional communications related to the service.
  • Improving the quality, security, performance, and usability of the platform.
  • Addressing queries, incidents, and support requests.
  • Complying with applicable legal obligations.

LEGAL BASIS FOR PROCESSING

The legal bases for the processing are as follows:

  • Performance of the contractual relationship or the application of pre-contractual measures, in accordance with Article 6(1)(b) GDPR.
  • The data subject’s consent, in accordance with Article 6(1)(a) GDPR, for those functionalities or integrations that require it.
  • The Controller’s legitimate interest, in accordance with Article 6(1)(f) GDPR, in relation to security, fraud prevention, service improvement, and defense against claims.
  • Compliance with legal obligations, where applicable, in accordance with Article 6(1)(c) GDPR.

INFRASTRUCTURE AND SECURITY

Berlek adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others:

  • Encryption of data in transit and at rest
  • Secure management of credentials and passwords
  • Access control based on need-to-know
  • Multi-factor authentication for sensitive internal access
  • Monitoring, traceability, and access auditing
  • Resilience, availability, and recovery measures.

PAYMENTS AND PCI COMPLIANCE

If paid services are contracted, Berlek may rely on duly certified external payment providers. Payment data will be processed directly by such providers, so Berlek will not store full card data in its own systems unless this is strictly necessary and fully compliant with applicable regulations.

DATA DISCLOSURE AND DATA PROCESSORS

Personal data may be disclosed or made accessible to third parties where necessary for the provision of the Berlek service, as detailed below:

Service providers (data processors)

Berlek may engage third-party providers acting as data processors, as necessary for the provision of the service, including, among others:

  • Cloud infrastructure and storage providers
  • Messaging services (for example, WhatsApp, Telegram, or others)
  • Email providers
  • Integration services with calendars and productivity tools
  • Analytics and monitoring platforms
  • Technical support and customer service providers
  • Payment processing providers

These providers will process the data exclusively in accordance with Berlek’s documented instructions and will be subject to data processing agreements in accordance with Article 28 GDPR.

Interaction with integrated third-party services

Berlek allows the user to integrate and operate with third-party services (such as messaging applications, email, calendars, or other digital services).

In these cases:

  • The use of such services will be subject to their own privacy policies and terms.
  • Berlek will act as a technical intermediary, without responsibility for the processing carried out directly by such third parties.
  • Third parties may receive personal data as a result of actions initiated by the user (for example, sending reminders or communications).

The user acknowledges and accepts that such integrations involve data flows to third parties outside Berlek’s control.

Third-party data provided by the user

The user may enter personal data of third parties (for example, contacts, reminder recipients, or persons with whom the user interacts).

In these cases:

  • The user represents that they have a sufficient legal basis for the disclosure of such data.
  • Berlek will process such data as a data processor, acting on the user’s behalf in carrying out the requested functionalities.
  • Berlek will not use such data for its own purposes other than the provision of the service.

Involvement of Berlek HQ, S.L.

Certain operational, technical, development, support, and platform management services may be provided by Berlek HQ, S.L., an entity affiliated with the Berlek group.

Depending on the specific activity carried out, Berlek HQ, S.L. may act as a data processor, accessing personal data only to the extent necessary for:

  • The development, maintenance, and improvement of the platform
  • The technical management of infrastructure and systems
  • The provision of support and user assistance services
  • The execution of service functionalities

In such cases, Berlek HQ, S.L. will be subject to a data processing agreement, with the safeguards required by Article 28 GDPR, including:

  • Processing in accordance with documented instructions
  • A duty of confidentiality
  • Implementation of appropriate technical and organizational measures
  • Limited and controlled subcontracting
  • Assistance in the exercise of data subject rights
  • An obligation to erase or return the data at the end of the services

Without prejudice to the foregoing, where Berlek HQ, S.L. jointly determines with Berlek Inc. the purposes and means of the processing, both entities may act as joint controllers, in which case the corresponding internal arrangements will be established in accordance with Article 26 GDPR.

INTERNATIONAL DATA TRANSFERS

Where the provision of the service involves international data transfers outside the European Economic Area, Berlek will ensure the implementation of the appropriate safeguards set out in Articles 44 et seq. GDPR, including, where appropriate, the execution of Standard Contractual Clauses approved by the European Commission.

DATA RETENTION

Personal data will be retained while the account remains active and, thereafter, for the periods necessary to comply with legal obligations or address liabilities, and certain data may be kept in blocked form.

RIGHTS OF DATA SUBJECTS

The user may exercise the following rights at any time:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object
  • Right to restriction of processing
  • Right to data portability
  • Right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

To exercise these rights, the user may contact the Controller at: privacy@Berlek.com

In addition, the user will have the right to lodge a complaint with the competent supervisory authority.

PRIVACY BY DESIGN AND BY DEFAULT

Berlek applies the principles of privacy by design and by default, ensuring that the processing of personal data is configured from the outset in accordance with criteria of data minimization, necessity, proportionality, and security.

USE OF THIRD-PARTY DATA

When the user provides personal data of third parties, the user represents and warrants that they have a sufficient lawful basis to do so and, where necessary, that they have complied with the corresponding duty to inform.

REGULATORY COMPLIANCE

Berlek states its commitment to compliance with applicable data protection legislation, including the GDPR and any other national or sector-specific regulations that may apply depending on the territories in which it operates.

CHANGES TO THIS POLICY

Berlek may update this Privacy Policy to adapt it to legislative, case law, technical, or functional changes. In the event of material changes, it will inform users by reasonable means.

Last updated: 17.06.2026