Introduction

By using this online learning platform, and/or by contacting AXIALENT, we inform you that your personal data, as a user of the service, will be collected and processed by the company. The purpose of this Privacy Policy is to regulate the processing of data mentioned above.

AXIALENT is firmly committed to respecting and protecting your privacy and the integrity of your data, as well as to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), adopting all the necessary and reasonable technical and organisational security measures to protect said personal data.

From now on, AXIALENT informs you of the following data in order to provide the interested party with complete, clear and accessible information:

By enrolling in a course, using an AI-powered tool, or completing an assessment, you acknowledge that your data will be processed as described herein, including for research and insights purposes where your consent has been obtained.

1. Identification of the Controller of Your Data

AXIALENT GLOBAL, S.L. (hereinafter, "AXIALENT")

• CIF: B88622782
• Postal address: PASEO CASTELLANA, 18 – 7, 28046 28, Madrid (Spain)
• Email: [email protected]

2. Purposes of Data Processing

AXIALENT collects and processes personal data to conduct internal research using fully anonymized and aggregated data, where explicit consent has been obtained by the interested party, as well as to be able to contact them and respond to queries and requests that we may receive through the platform. Finally, personal data may be collected for the timely delivery of information on the activities promoted by AXIALENT, which may be of interest to the owner, once their express consent for these purposes has been obtained.

In addition to the above, and in the context of Axialent's digital learning platform, AI tools, and assessments, personal data is also processed for the following purposes:

• Creating and managing learner accounts on the Thinkific platform
• Delivering online courses, learning materials, and completion records
• Tracking learning progress and engagement
• Providing AI-supported coaching and chatbot interactions
• Processing assessment responses to generate individual and team development reports

3. Source and Category of Data

The personal data processed by AXIALENT are collected directly from the interested party, whose express consent has also been collected for this purpose. The interested party must provide AXIALENT with truthful and up-to-date information that does not contain errors. To this end, the interested party must communicate, as soon as possible, any modification and change that occurs in their personal data, to AXIALENT at the following email address: [email protected].

In the context of the learning platform and assessments, the following additional categories of data may also be collected:

Data Category	Examples	Source
Professional context	Job title, organization, industry	Provided by participant
Learning data	Course progress, quiz results, completions	Generated by platform activity
Assessment responses	Survey answers, behavioral self-ratings	Provided by participant
AI interaction data	Chatbot queries and responses	Generated during tool use
Technical data	IP address, browser type, session logs	Automatically collected
Aggregated & anonymized data	Cross-client insights, benchmarks	Derived — no individual identifiable

4. Data Storage Periods

The personal data provided will be kept for the time necessary to be able to provide the service and for as long as the purpose for which they were collected remains in force, or failing that, until the interested party requests their deletion.

Likewise, AXIALENT informs that once the relationship and the current purpose cease to be so, the data will be blocked for the legally established time to purify any type of responsibility derived from the processing of said data, in accordance with the provisions of article 32 of the LOPDGDD.

For data processed through the learning platform, AI tools, and assessments, the following indicative retention periods apply:

Data Type	Retention Period
Learner account and course data	Duration of active account + 5 years after last activity
Assessment and diagnostic data	Duration of engagement + 10 years
AI conversation memory	Duration of engagement + 5 years
AI interaction logs (LangSmith traces)	14 days from interaction date (default)
Traces flagged for issue investigation	Retained only during investigation, then discarded
Marketing consent records	Until consent is withdrawn + 3 years
Anonymized research data	Indefinite (no individual identifiable)

User-requested deletion. You may request deletion of your data at any time by emailing [email protected]. We will process the request and confirm completion within 30 days.

Urgent removal of accidentally shared sensitive information. If you inadvertently share sensitive personal data during an AI interaction or assessment, contact [email protected] with the subject line "URGENT: Data Removal Request". We will expedite the removal of the specific conversation or response containing the sensitive information.

5. Legitimacy of Data Processing

Below is a list of the purposes for which your data is processed associated with the bases of legitimation in accordance with the provisions of the GDPR:

Purpose	Basis of Legitimacy
The sending of commercial communications, publications, events, newsletters, as well as advertising communications.	Consent pursuant to Article 6(1)(a) of the GDPR, where you have given us your consent to use your personal data for one or more permitted purposes related to the receipt of marketing communications.
So that AXIALENT can extract, store data and carry out marketing studies to adapt the Content offered to the User, as well as improve the quality, operation and navigation of the platform.	Existence of a Legitimate Interest on the part of AXIALENT, in accordance with article 6.1.f) of the GDPR, to adapt the content and operation of the platform for a better user experience.
Use of fully anonymized and aggregated data from learning, assessment, and AI interactions for internal research, benchmarking, and thought leadership.	Consent pursuant to Article 6(1)(a) of the GDPR. Participation in research use is voluntary. Consent may be withdrawn at any time with prospective effect.
Operation, monitoring, and security of AI-supported coaching and assessment tools (including content moderation of AI inputs/outputs).	Legitimate Interest pursuant to Article 6(1)(f) of the GDPR, to ensure safe, lawful, and high-quality AI service delivery.

6. Compliance Architecture: Trusted Sub-Processors

AXIALENT's compliance approach relies on the principle of trusted sub-processors: every component that processes, stores, or transmits customer data runs on providers certified under SOC 2 Type II and/or ISO 27001. AXIALENT's own information security policies are designed against ISO 27001 controls and SOC 2 trust criteria (Security, Availability, Confidentiality), and are available upon request under a non-disclosure agreement.

The sub-processors supporting Axialent's learning platform, AI tools, and assessments are:

Sub-Processor	Function	Certifications
Vultr	Hosting and infrastructure	SOC 2 Type II, ISO 27001, ISO 20000, PCI-DSS, CSA Star
OpenAI	Large Language Model API	SOC 2 Type II, ISO 27001 — contractual no-training commitment
Anthropic	Large Language Model API	SOC 2 Type II, ISO 27001 — contractual no-training commitment
GetZep (Zep)	Conversational memory storage	SOC 2 Type II, GDPR-ready, end-to-end encryption
LangSmith	LLM monitoring and traceability	Vendor compliance verified
Thinkific	Learning Management System	SOC 2 Type 2 (ISAE 3402), GDPR, CCPA
Brilliant Assessments	Assessment platform	SOC 2 Type 2

Sub-processor certifications are reviewed and re-verified at least annually. Updates to this list will be reflected in subsequent versions of this Policy.

7. Data Recipients (I): International Data Transfers

The User's personal data will not be shared with anyone. However, if it is necessary to be able to provide the service correctly, sharing them with third parties will be immediately communicated with the User or Data Subject. Your personal data will not be transferred outside the European Economic Area (EEA), however, in the event that the Data Controller intends to transfer personal data to a third country or international organisation, the Regulation itself provides for a number of exceptions that allow this type of transfer to be carried out provided that the receiving country guarantees an adequate level of protection. Specifically, the transfer is allowed when any of the following conditions are met:

• Adequacy decision: When the destination country has been declared by the European Commission as a guarantor of an adequate level of protection, allowing the transfer of data without the need for additional authorisations.

In the absence of adequacy decisions, other guarantees recognised by the GDPR are offered, such as:

• Standard Contractual Clauses (SCC): Standard contracts approved by the European Commission that bind the data exporter in the EU to the data importer in a third country, obliging both parties to respect the fundamental principles of data protection.
• Binding Corporate Rules (BCR): Internal policies adopted by large business groups to ensure an adequate level of protection, duly approved by the competent supervisory authority.
• Other valid mechanisms, such as codes of conduct, certification mechanisms or legally binding instruments between public authorities or bodies.

In any case, the Data Controller must, at the time the User's personal data is obtained, inform about the third country or international organisation, as well as the measures taken to guarantee an adequate level of protection. In the case of AXIALENT GLOBAL, due to its global presence, it has several offices outside the European Economic Area, including:

• Argentina, a country declared to have an adequate level of protection by the European Commission, on June 3, 2003 (Commission Decision 2003/490/EC).
• United Kingdom, country declared with an adequate level of protection by the European Commission, on June 28, 2021 (Decision of 28 June 2021).
• United States, declared to have an adequate level of protection by the European Commission, on July 10, 2023, in accordance with the EU-U.S. Data Privacy Framework.

In particular, Axialent USA LLC complies with the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. Our Data Privacy Framework commitments are explained in more detail below. In the case of those entities that are part of the AXIALENT group, or third-party providers, that have not been declared as countries with adequate guarantees, Axialent Global will formalize Standard Contractual Clauses (SCC) to bind the data exporter in the EU with the data importer in a third country, obliging both parties to respect the fundamental principles of data protection.

Data Privacy Framework Commitments. Axialent USA LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Axialent USA LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Axialent USA LLC has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework Program and to view our certification, please visit https://www.dataprivacyframework.gov/.

With respect to personal data received or transferred pursuant to the DPF Program, Axialent USA LLC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Access

Pursuant to the DPF Program, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States in reliance on the DPF Program should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.

Choice

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected].

Onward Transfer Liability

If you are an EU or Swiss individual, where we transfer your personal data to third-party service providers who perform services for us or on our behalf, we are responsible for the processing of that data by them and shall remain liable if they process your personal data in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Dispute Resolution Process

In compliance with the DPF Principles, Axialent USA LLC commits to resolve DPF Principles-related complaints about your privacy and our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our handling of personal data in reliance on the DPF should first contact us at [email protected].

Additionally, we have further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on this process.

8. Data Recipients (II): Disclosure of Personal Data to Third Parties

AXIALENT informs the interested party that we do not transfer personal data to third parties unless there is a legal obligation to do so or it is strictly necessary to manage and maintain the commercial and professional relationship with the interested party.

Data processors — service providers and business partners — may have access to personal data for the performance of their duties. The processors who access personal data are mainly engaged in the IT systems, AI, and technology sectors. Please note that AXIALENT may also be required to disclose an individual's personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

In the context of the learning platform and digital services, the processors listed in Section 6 may access personal data under contractual and security safeguards (Data Processing Agreements aligned with Article 28 GDPR).

9. Your Rights

AXIALENT informs data subjects that they have the following rights under the GDPR:

• Right of access to your personal data.
• Right to rectify your data.
• Right to delete ("right to be forgotten").
• The right to request the restriction of the processing of your personal data.
• Right to object to processing.
• Right to data portability.
• Rights related to automated decision-making and profiling (Article 22 GDPR). AXIALENT does not subject participants to automated decision-making with legal or similarly significant effects; AI outputs are reviewed and interpreted by qualified consultants before any consequential decision is made (see Section 16).

To exercise the above rights, the request may be made by electronic means by sending an email to [email protected], or by post to PASEO CASTELLANA, 18 – 7, 28046 Madrid (Spain), indicating your identification details and the right you wish to exercise. If you do not wish to receive further information about our services, you can unsubscribe at [email protected], indicating in the subject line "Do not send emails".

In the event that you consider that your rights have been violated with regard to the protection of your personal data in accordance with the GDPR, especially when you have not obtained satisfaction in the exercise of your rights, you can lodge a complaint with the competent Data Protection Supervisory Authority via its website: https://www.aepd.es/

AXIALENT guarantees the interested parties that the exercise of these rights will be free, except in those cases in which the requests are unfounded or excessive, especially repetitive ones, in which case the data controller may charge a fee to compensate for the administrative costs of responding to the request or refuse to act. These fees will not represent additional income for the data controller; they will correspond effectively to the real cost of processing the request.

9.1 California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including:

• The right to know what personal information we collect, use, disclose, and share.
• The right to delete personal information.
• The right to correct inaccurate personal information.
• The right to opt-out of the sale or sharing of personal information — AXIALENT does not sell your personal information.
• The right to non-discrimination for exercising these rights.

To exercise these rights, contact [email protected].

10. Children's Privacy

AXIALENT's services, including the learning platform, AI-powered tools, and assessments, are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact [email protected] so that we may delete the information.

---

11. Data Processing in Diagnostic and Assessment Services

Axialent may process employee feedback, survey responses, interview data, and behavioral patterns to support organizational diagnostics and individual leadership development.

In addition, Axialent may use aggregated, anonymized, and de-identified data derived from multiple engagements to develop cross-client insights, benchmarks, and internal research. Such use:

• Does not identify any client, participant, or organization
• Does not include confidential strategies or identifiable details
• Is solely for research, learning, and thought leadership purposes
• Is subject to explicit prior consent from the participant or client organization

12. Anonymization and Aggregation Practices

• Anonymous participation by default in large-scale diagnostics
• No individual traceability in standard configurations
• Aggregated reporting and segmented insights without individual identification

Axialent applies technical and organizational measures to ensure that anonymized data cannot be re-identified. Once data is irreversibly anonymized, it falls outside the scope of the GDPR and may be retained and used for research purposes indefinitely.

13. Processing Modes

Axialent operates under two data processing modes depending on the engagement:

• Default mode: Anonymous data only. No individual is identifiable in outputs or reports.
• Exceptional mode: Identifiable data processed with explicit safeguards, participant consent, and alignment with the applicable client agreement.

14. Use of Artificial Intelligence

Axialent's AI-supported tools (including coaching chatbots and assessment analysis) operate under the following principles and safeguards:

14.1 No Training on Customer Data

AXIALENT does not use participant conversations, assessment responses, or interaction data to train AI models. Our LLM providers — OpenAI and Anthropic — contractually commit, under their API terms, not to use data submitted through their API to train or improve their models.

14.2 Conversational Memory

AI conversational memory (used to provide continuity across coaching sessions) is stored with GetZep, a SOC 2 Type II–certified processor, with:

• End-to-end encryption of memory data
• Strict per-user memory isolation (no cross-user access)
• Retention aligned with active course access; deletion at cohort/contract end with 30-day prior notice (see Section 4)

14.3 Monitoring and Traceability

AI interactions are monitored via LangSmith for quality assurance, prompt evaluation, and incident investigation:

• Default trace retention: 14 days
• Traces flagged for issue investigation are retained only during the investigation and then discarded
• No customer data is used for model fine-tuning or LLM training

14.4 Content Moderation and Guardrails

All AI inputs and outputs are subject to automated content moderation. AXIALENT applies guardrails to detect and block unsafe, off-purpose, or policy-violating content. Inputs and outputs are scoped to learning, leadership development, and coaching purposes.

14.5 Human Oversight, No Automated Decision-Making

AI tools support analysis functions such as pattern detection, content summarization, and personalized learning responses. Human consultants review and interpret AI-generated outputs. No automated decision-making with legal or similarly significant effects is applied to individual participants (Article 22 GDPR).

14.6 Data Minimization in AI Use

Participants are advised to avoid sharing unnecessary personal or sensitive information not required for the learning or coaching purpose. If sensitive information is inadvertently shared, see the urgent removal protocol in Section 4.

15. Aggregated Insights Use

Axialent may include data in aggregated, anonymized, and de-identified form in periodic insights reports, benchmarks, or thought leadership publications. Such use shall:

• Not identify the client, its employees, or any individual participants
• Not disclose confidential information, strategies, or sensitive initiatives
• Exclude all personally identifiable information (PII)
• Be used solely for cross-client insights, internal research, and learning

Participation is voluntary and declining consent has no impact on service delivery. The client or participant may withdraw consent at any time with prospective effect by contacting [email protected].

16. Third-Party Platforms

• Thinkific. Axialent's online learning platform is hosted and operated via Thinkific. Axialent acts as data controller and Thinkific acts as data processor under a Data Processing Agreement. For Thinkific's own data practices, see https://www.thinkific.com/privacy-policy/.
• Brilliant Assessments. Used to deliver Axialent's diagnostic assessments. See https://www.brilliantassessments.com/privacy-policy.
• OpenAI / Anthropic. LLM API providers. Used as data processors under their respective DPAs. No training on customer data via API.
• GetZep. Conversational memory storage. SOC 2 Type II, GDPR-ready, end-to-end encryption.
• LangSmith. LLM monitoring and traceability for quality assurance.
• Vultr. Hosting infrastructure. SOC 2 Type II, ISO 27001, PCI-DSS.

17. Data Minimization and Security

• Only data necessary for the stated purpose is collected and processed.
• Encryption. Data is encrypted in transit using TLS 1.2+ and at rest using AES-256.
• Authentication. Authentication uses OAuth 2.0 SSO via the learning platform — AXIALENT does not store or transmit passwords.
• Key management. API keys for AI and storage providers are managed via secure environment variables, rotated regularly, and access-logged.
• No public APIs. AXIALENT exposes no public APIs. All integrations with third-party AI and storage services occur server-side under contractual and security safeguards, with all access logged and monitored.
• Tenant isolation. Strict per-user memory and data isolation is enforced; no cross-user access to conversation history or assessment data.
• Third-party platforms and AI tools operate under contractual and security safeguards (Data Processing Agreements aligned with Article 28 GDPR).
• Participants are advised to avoid sharing unnecessary personal or sensitive information not required for the learning or assessment purpose.

18. Human Oversight

All AI-generated and diagnostic outputs are reviewed and validated by qualified Axialent consultants before delivery to clients or participants. Axialent does not rely on automated outputs without human interpretation.

19. Alignment with Client Agreements

All data processing practices described in this Addendum are aligned with applicable non-disclosure agreements, client data processing agreements, and relevant data protection laws. Where a client agreement provides stricter terms, those terms shall prevail.

Last updated: April 2026. AXIALENT may update this Privacy Policy from time to time; significant changes will be notified by posting the updated policy on our website and, where appropriate, by email.