Paddock Privacy Policy

Controller: On Your Marks B.V., Essenstraat 1, 5616 LG Eindhoven, The Netherlands
Contact: aimy@onyourmarks.agency

Introduction

This privacy policy describes how On Your Marks B.V. collects, uses, and shares personal data of business users of Paddock and of visitors to our websites that refer to this policy. This policy applies to personal data we collect through the Site and the Services and to personal data you provide to us directly. By using the Site or the Services, you agree to this policy. Do not use the Site or the Services if you do not agree with it.
Paddock is a business platform. For each customer organization, there is an owner who can invite team members and assign access to apps within Paddock.

Scope and roles

For service data that we determine and use for, among other things, security, billing, support, analytics, and product improvement, we act as the controller.
For customer content that we process only to provide the Services to your organization, we act as a processor and your organization acts as the controller. This processing is governed by the data processing agreement with your organization.

Personal data we collect

Depending on your use and your communications with us, we may process the following data:

• User content in Paddock apps: prompts, context, and files you upload, such as PDF files, images, and text files, plus the generated output.
• Data you actively provide: product feedback, support requests, form submissions, event registrations, correspondence.
• General identifiers: name, business email address, organization, role or job title, assigned app permissions, owner or team member status.
• Online identifiers and usage data: username, login times, IP address, device and browser information, operating system, screen resolution, language settings, referring URL, session duration, pages visited, features used, storage and traffic volumes, error and performance logs.
• Commercial information: billing details, payment status, subscription level and usage limits, communication preferences.
• Professional information: employer, team, work-related context.
• Audio, electronic, and visual data: with your consent, support calls or webinars may be recorded. Visits to our location may be subject to camera surveillance.
• Third-party data: information from your organization administrator who invites you, integrations with external tools, or public sources you connect.
• Automatic collection: we use cookies, web beacons, pixels, and server logs to operate and improve the Site and Services. See section 6.

How we use your personal data and legal bases

We process personal data for the following purposes:

Providing the Services and personalization

• Verify identity, authenticate and authorize, including role assignment by the owner
• Provide functionality, handle requests, and provide customer service
• Personalize relevant content and the product experience
  Legal basis: performance of the contract and our legitimate interest

Communication

• Service messages about account, security, changes, and transactions
• Marketing and product updates where permitted. You can opt out
  Legal basis: performance of the contract for service messages, legitimate interest, or consent for marketing

Research and development

• Analyze and improve the Services, our Site, and our operations
• Create and use aggregated or anonymized data
  Legal basis: legitimate interest

Compliance and protection

• Comply with laws and regulations and lawful requests
• Secure accounts and infrastructure, prevent and investigate abuse, fraud, or incidents, enforce terms
  Legal basis: legal obligation and legitimate interest

Use of AI and model training

We do not use your personal data to train generic AI models.
Prompts, context, and files are used only to generate output, detect abuse, and provide support. Where the provider offers options to limit storage and retention, we configure these to the minimum.
Any fine-tuning or tuning at the organization level happens solely on the instructions of your organization and in accordance with contractual agreements.

Cookies and similar technologies

• Functional cookies: necessary for sessions, security, and basic functionality.
• Analytics cookies: insights into use of the Site and Services to improve them. Where possible anonymized or with consent.
• Optional cookies: for example for marketing or integrations, only with consent where required.
  Management: you can set cookie preferences via the cookie banner and your browser. If you disable cookies, some functions may not work. More info: https://www.allaboutcookies.org/.

How we share your personal data

We may share all categories of personal data described in this policy with:

Affiliates within the On Your Marks group

• Purposes: shared infrastructure and systems, security, product development and analytics, customer service and account management, billing and administration, compliance and internal reporting.
• Roles: depending on the purpose, as processor, joint controller, or independent controller. For marketing by an affiliate, we rely on consent or legitimate interest with an opt-out option.
• Safeguards: intra-group data agreements, Standard Contractual Clauses for transfers outside the EEA where needed, uniform security measures, need-to-know access.

External service providers and AI model providers
These parties process data on our behalf to deliver the Services and may not use your data for their own purposes. Examples:

• Amazon Web Services. Use: hosting and infrastructure. Privacy: https://aws.amazon.com/privacy/
• OpenAI. Use: AI inference for chat and generative features. Privacy: https://openai.com/policies/privacy-policy
• Google Gemini. Use: AI inference for chat and generative features. Privacy: https://policies.google.com/privacy
• Anthropic Claude. Use: AI inference for chat and generative features. Privacy: https://www.anthropic.com/legal/privacy
• Perplexity. Use: AI inference for chat and generative features. Privacy: https://www.perplexity.ai/nl/hub/legal/privacy-policy
• Mistral. Use: AI inference for chat and generative features. Privacy: https://mistral.ai/terms#terms-of-service
• xAI (Grok). Use: AI inference for chat and generative features. Privacy: https://x.ai/legal/privacy-policy

We enter into data processing agreements with all of these parties and apply appropriate safeguards. An up-to-date list of subprocessors is available upon request or will be published on our website.

Professional advisers
Lawyers, accountants, bankers, and other advisers in connection with the services they provide.

Business reorganization
In the event of a merger, acquisition, financing, sale, or restructuring, personal data may be transferred. The acquiring party will assume the obligations under this policy.

Other disclosures
If disclosure is reasonably necessary for a legal investigation, to comply with laws or orders, to protect our rights or property, or to investigate or prevent violations of law, this policy, or our terms of service.

With your consent
Where you give separate consent for this or as explained to you at the time of collection.
We do not sell your personal data.

International transfers

Some of the service providers listed above are established outside the EEA or process data in multiple regions. For transfers outside the EEA, we use valid transfer mechanisms such as the EU Standard Contractual Clauses and appropriate supplementary measures. Where possible, we choose EEA data centers and data residency options. You can request more information or a copy of relevant safeguards from us.

Retention periods

• Account and contract data: as long as your organization is a customer and thereafter in accordance with statutory retention periods.
• Log and security data: generally 31 days, unless longer is needed for security or legal purposes.
• User content and prompts: according to your organization’s retention policy and settings and to the extent necessary to provide the Services and support. Deleted data may remain briefly in backups.

Security

We implement appropriate technical and organizational measures such as encryption in transit and at rest, access control and role-based authorization, least privilege, monitoring and logging, backups, vulnerability scans, and incident procedures. No method is completely secure, but we strive for reasonable protection.

Your choices and rights

• Email communications: you can opt out of marketing via the unsubscribe link in our emails or by contacting us. Service messages may still be sent.
• Cookies: manage via the cookie banner and browser settings. Disabling cookies may limit functionality.
• Rights under the GDPR: depending on your situation, you have the right of access, rectification, erasure, restriction, data portability, and objection. You can withdraw consent where we rely on it. Submit your request via paddock@onyourmarks.agency. We verify your identity and generally respond within 30 days. You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Children

Paddock is intended for business users and is not designed for children. We do not knowingly collect personal data from children. If you think we have collected data from a minor, contact us so we can take appropriate measures.

Do Not Track

We currently do not support Do Not Track settings and do not respond to them. For more information see https://www.allaboutdnt.com.

Third-party websites and services

Our Site or Services may contain links to third-party websites or services. Once you click such a link, you leave our environment. We have no control over these websites, their content, or their privacy practices.

Updates to this privacy policy

We may change this policy. For material changes, we post the revised version on our website and update the effective date. Unless stated otherwise, changes take effect upon publication.

Contact

On Your Marks B.V.
Essenstraat 1
5616 LG Eindhoven
The Netherlands
Email: aimy@onyourmarks.agency