PRIVACY POLICY

SoafAii Sextant

Effective date: 30 April 2026

1. Introduction

This Privacy Policy describes how Business Innovation Solutions WLL, a company organized under the laws of the Kingdom of Bahrain ("BIS", "we", "our", or "us"), collects, uses, stores, and discloses personal information when you use the SoafAii Sextant browser extension (the "Extension") and related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service. By installing, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy.

BIS is the data controller for personal information processed in connection with the Service. Our contact details are provided in the "Contact Us" section at the end of this document.

2. Information We Collect

We collect different categories of information depending on how you use the Service. We deliberately collect as little personal information as possible.

2.1 Information stored locally in your browser

The Extension stores the following categories of information in your browser's local storage. This information remains on your device and is not transmitted to BIS unless you explicitly invoke a feature that does so:

• Conversation metadata you create within the Extension, including chat titles, project names, custom labels, status flags, tags, and links you attach to conversations.

• Personal notes you write within the Extension.

• Your interface preferences such as cockpit width, sort order, filters, and pinned items.

• Read-only references to chats and projects in your Anthropic account, retrieved through your authenticated browser session with claude.ai. The Extension does not store your Anthropic credentials.

• AI-state indicators derived from observing the claude.ai interface during your active sessions.

2.2 Information transmitted to third-party AI providers

When you invoke an AI-powered feature within the Extension, the content you provide for that feature is transmitted to the relevant AI provider (Anthropic for Claude features) using your own API credentials or your authenticated claude.ai session. This includes:

• Prompts you compose within the research panel of the Extension.

• Context the Extension assembles to support your prompt, drawn from the local information described in section 2.1, only with your explicit invocation.

BIS does not have access to the content of these transmissions. They occur directly between your browser and the AI provider.

2.3 Information transmitted to BIS infrastructure

When you use certain Extension features, your browser may transmit data to Cloudflare Workers operated by BIS:

• Subscription status checks: the Extension queries our subscription server to verify your active subscription. This transmits an identifier associated with your subscription account.

• Optional research and proxy features: when explicitly invoked, your prompts may be routed through a BIS-operated proxy to the AI provider. The proxy does not retain prompt content.

We do not maintain server-side logs of your conversation content. We do retain operational metadata necessary for billing and abuse prevention, including subscription identifiers, timestamps of subscription events, and aggregate usage statistics that do not identify individual interactions.

2.4 Information collected for billing

When you purchase a subscription to the Service, your payment is processed by Paddle.com Market Limited ("Paddle"), which acts as our Merchant of Record. Paddle collects and processes the following information directly from you:

• Your name and billing address.

• Your email address.

• Your payment method details, which Paddle stores securely on PCI-compliant infrastructure. BIS does not have access to your full payment method details.

• Your tax identification number, where applicable, for VAT-reverse-charge processing.

Paddle's privacy practices are governed by Paddle's Privacy Notice, available at paddle.com/legal/privacy. We receive limited information from Paddle necessary to associate your subscription with your use of the Service.

2.5 Information we do NOT collect

To make our practices transparent, the following categories are explicitly NOT collected by BIS:

• We do not use analytics services that track your behavior within the Extension.

• We do not use third-party tracking cookies.

• We do not collect or process your IP address for tracking or profiling purposes.

• We do not sell, rent, or trade personal information to third parties.

• We do not use your data to train AI models.

3. How We Use Information

We use the limited information we collect for the following purposes:

• To operate the Service: providing the cockpit interface, AI-state indicators, and other Extension features.

• To process and verify your subscription, including authentication of subscription status and entitlement to paid features.

• To respond to your support requests and communicate with you about the Service.

• To detect and prevent fraudulent or abusive use of the Service.

• To comply with legal obligations applicable to BIS.

We do not use your personal information for marketing communications without your explicit opt-in consent.

4. Legal Basis for Processing (EU/UK Users)

If you are located in the European Union or the United Kingdom, our legal bases for processing your personal information under the General Data Protection Regulation (GDPR) and the UK GDPR are as follows:

• Contract performance: processing necessary to provide the Service to you under our Terms of Service.

• Legitimate interests: processing necessary for fraud prevention, security, and improvement of the Service, balanced against your privacy rights.

• Legal obligation: processing required to comply with applicable laws, such as tax reporting and accounting requirements.

• Consent: processing for any purpose that requires your explicit opt-in, which you may withdraw at any time.

5. How We Share Information

We share personal information only with the following categories of recipients:

• Paddle, our Merchant of Record, for payment processing, tax compliance, and subscription management.

• Cloudflare, our infrastructure provider, which hosts the Workers that handle subscription verification and optional proxy features. Cloudflare processes information solely to provide infrastructure services to BIS.

• Anthropic, when you explicitly invoke AI-powered features that route through Anthropic's API. Your interactions with Anthropic are governed by Anthropic's Terms of Service and Privacy Policy.

• Legal authorities, where required by applicable law or court order, or to protect the rights, property, or safety of BIS, our users, or the public.

We do not sell your personal information. We do not share your personal information with advertisers or marketing networks.

6. International Data Transfers

BIS is established in the Kingdom of Bahrain. The personal information we collect may be transferred to and processed in jurisdictions other than the one in which you reside, including Bahrain, the European Union, the United States, and other countries where our service providers operate.

Where personal information is transferred from the European Economic Area or the United Kingdom to jurisdictions not subject to an adequacy decision, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and supplementary measures where required.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law:

• Information stored locally in your browser is retained until you uninstall the Extension or clear your browser storage.

• Subscription billing records are retained by Paddle and BIS for the period required by applicable tax and accounting laws, typically seven years.

• Support communications are retained for two years following the resolution of your inquiry.

You may request deletion of your account and associated data at any time, subject to our retention obligations under applicable law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of access: request confirmation of whether we process your personal information and obtain a copy of that information.

• Right of rectification: request correction of inaccurate or incomplete information.

• Right of erasure: request deletion of your personal information, subject to legal retention obligations.

• Right to restrict processing: request that we limit our processing of your information in certain circumstances.

• Right to data portability: receive your personal information in a structured, machine-readable format.

• Right to object: object to processing based on legitimate interests.

• Right to withdraw consent: withdraw any consent you previously provided.

• Right to lodge a complaint: file a complaint with your local data protection authority.

To exercise any of these rights, contact us at the email address provided in the "Contact Us" section. We will respond within thirty days, or as required by applicable law.

8.1 California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information we have collected, the right to delete your personal information, and the right to opt out of the sale of your personal information. As stated above, we do not sell personal information.

9. Security of Your Information

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, and destruction. These measures include encryption of data in transit, secure infrastructure provided by Cloudflare and Paddle, and access controls limiting personnel access to personal information.

No security measure is perfect. While we strive to protect your information, we cannot guarantee its absolute security.

10. Children's Privacy

The Service is not directed to children under the age of sixteen. We do not knowingly collect personal information from children under sixteen. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete that information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective date" at the top of this Policy and, where appropriate, providing additional notice through the Service or by email.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the updated terms.

12. Contact Us

If you have questions, comments, or requests regarding this Privacy Policy or our processing of your personal information, please contact us at:

Business Innovation Solutions WLL

Attention: Data Protection Officer

Manama, Kingdom of Bahrain

Email: francois@businessinnovationsolutions.com

For inquiries from the European Economic Area or the United Kingdom, please mark your communication "GDPR Inquiry" in the subject line.

— END OF PRIVACY POLICY —