Privacy Policy

Last updated: 06. February 2026 Holoai Ltd. (“Holoai”, “we”, “us”) respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws, including the Swiss Federal Act on Data Protection (nDSG) and the EU General Data Protection Regulation (GDPR) where applicable. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our applications, platforms, and services, including the Joaia mobile app, the Joaia Web Solution (including embedded web solutions on thirdparty websites), and the Joaia Guide Studio (collectively, the “Services”).

1. Definitions

• “Personal data” means any information relating to an identified or identifiable individual (also referred to as “personal information” in some jurisdictions).
• “Processing” means any operation performed on personal data (e.g., collecting, storing, using, disclosing, deleting).
• “Controller” means the entity that determines the purposes and means of processing personal data.
• “Processor” means the entity that processes personal data on behalf of a controller.

2. Data controller and contact

2.1 Controller The controller responsible for processing personal data under this Privacy Policy is: Holoai Ltd. Schumacherstr. 1 6037 Root / Switzerland Email: privacy@holoai.ch Holoai acts as controller for personal data processed to operate and secure the Services (for example, account management, basic usage analytics, and service improvement). 2.2 Professional customers and controller roles Professional customers using the Joaia Guide Studio may act as independent controllers for:

• the professional content they upload or connect;
• and analytics and interaction data related to their own guides (within the scope of what the Services make available to them).

Where Holoai processes personal data on behalf of a Professional customer (for example, hosting or providing the Guide Studio functionality for their guides), Holoai may act as a processor for that Professional customer. If applicable, this is typically governed by a separate data processing agreement (DPA) or contractual terms.

3. Scope and users

This Privacy Policy applies to:

• individual users using the Joaia app or other webbased Services;
• Professional Users using the Joaia Guide Studio;
• and end users interacting with Joaia guides via websites or applications (including embedded deployments).

4. Personal data we collect

We collect personal data in three main ways: (A) data you provide, (B) data collected automatically, and (C) data from cookies and similar technologies. 4.1 Data you provide to us Depending on how you use the Services, we may collect: Account information e.g., email address, login credentials (hashed/secured), account settings, authentication data. User content and inputs e.g., questions, chats, prompts, feedback, and any files or content you submit where upload features are available. Travelrelated information and preferences e.g., destinations, dates, interests, saved places, personalization inputs, itinerary preferences. Professional content (Guide Studio) e.g., uploaded documents, connected databases, configuration settings, custom fields, and content used to build professional guides. Communications e.g., support requests, emails, messages, and related metadata. Marketing and subscription preferences e.g., newsletter optin status and communication preferences. Billing and contract data (Professional Users) e.g., company name, billing contact details, invoice information, subscription plan, contract identifiers, and payment status. (Note: payment card details are generally processed by payment providers and are not stored by Holoai in full.) 4.2 Data collected automatically When you use the Services, we may automatically collect certain technical and usage data, such as:

• IP address
• device and browser information
• operating system and app version
• log files and error reports
• usage data (e.g., queries, interactions, clicks, timestamps, feature usage)
• approximate location derived from IP address (e.g., city/region)

4.3 Location data Precise location data (e.g., GPS-level location) is processed only if you explicitly grant permission via your device or browser settings and where the relevant feature requires it. You can withdraw permission at any time through your device settings.

5. Cookies and similar technologies

We currently use essential cookies only, which are necessary for the operation, security, and basic functionality of the Services (for example, authentication, session management, and security features). We do not use marketing cookies or crosssite tracking cookies at this time. We may also use similar technologies (such as local storage) where required for core functionality. If we introduce non-essential cookies in the future, we will provide appropriate notice and choices as required by law.

6. Purposes of processing

We process personal data for the following purposes:

• Providing, operating, and maintaining the Services
• Authenticating users and managing accounts
• Personalising content and recommendations
• Providing customer support and responding to inquiries
• Processing subscriptions, billing, and contractual obligations (Professional Users)
• Analysing usage patterns and improving quality, safety, and user experience
• Ensuring security and preventing abuse, fraud, and misuse
• Communicating service-related information, including product updates and changes to our terms/policies
• Sending newsletters and marketing communications (optin only, where required)
• Complying with legal and regulatory obligations and enforcing our rights

Model training statement: Personal data is not used to train generalpurpose AI models.

7. Legal bases for processing

Where the GDPR applies, we rely on one or more of the following legal bases, depending on context:

• Performance of a contract (e.g., providing the Services, account management, delivering requested features)
• Legitimate interests (e.g., service improvement, security, fraud prevention, basic analytics, and quality assurance), balanced against your rights
• Consent (e.g., newsletters where required, precise location, and any optional features that require consent)
• Legal obligations (e.g., compliance, responding to lawful requests)

Where the Swiss nDSG applies, we process personal data in accordance with its principles, including lawfulness, proportionality, purpose limitation, transparency, and data security.

8. Analytics, AI, and system improvement

We use usage and technical data to:

• monitor system performance and reliability;
• diagnose bugs and improve product quality;
• understand how features are used so we can improve user experience and safety.

Where possible, we use aggregated and/or anonymised analytics. We implement appropriate access controls to limit who can access personal data. Infrastructure location: We operate the Services using EU-based infrastructure for analytics and AI-related processing. We do not intentionally transfer personal data to countries outside the EU/EEA and Switzerland except where required to provide the Services and subject to appropriate safeguards where applicable.

9. Data sharing and service providers

9.1 Service providers (processors) We may share personal data with trusted service providers who support operation of the Services (for example: hosting, infrastructure, analytics, email delivery, customer support tooling, and payment processing). These providers:

• process data only on our instructions;
• use it only for service-related purposes; and
• are subject to contractual confidentiality and security obligations.

9.2 Payment processing Professional subscription payments may be processed by thirdparty payment providers (e.g., Stripe). Holoai does not store full payment card details. 9.3 Professional customers’ access to end-user data Professional customers may access analytics and interaction data related to their own guides within the Guide Studio. IP addresses of end users are not shared with professional customers. 9.4 No sale of personal data We do not sell personal data. 9.5 Legal disclosures We may disclose personal data if we believe it is reasonably necessary to:

• comply with applicable law, regulation, legal process, or governmental request;
• enforce our Terms and protect our rights, privacy, safety, or property; or
• protect users or the public from harm, fraud, or illegal activity.

10. Embedded web solution and transparency

When the Joaia Web Solution is embedded on thirdparty websites:

• transparency information and links to our Terms and this Privacy Policy are made available within the interface; and
• partners embedding the Web Solution are required to inform users that the AI functionality is powered by Holoai.

Please note that thirdparty websites may collect data independently (for example through their own cookies or analytics). Their privacy practices are governed by their own policies.

11. Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including legal, accounting, or reporting requirements. Typical retention periods are:

• Account and content data: retained for the duration of your account
• Deleted accounts: deleted or anonymised within a reasonable period, unless retention is required by law or for legitimate purposes (e.g., security, dispute resolution)
• Logs and security data: typically up to 12 months
• Analytics data: retained in aggregated and/or anonymised form where feasible
• Billing and legal records (Professional Users): retained according to statutory requirements

Retention may vary depending on the nature of the data, operational requirements, and legal obligations.

12. Security measures

We apply appropriate technical and organisational measures to protect personal data, including:

• access controls and least-privilege principles;
• encryption in transit (and, where appropriate, at rest);
• monitoring and logging for security;

• internal policies and procedures for handling personal data.

No system is entirely riskfree. We continuously work to maintain and improve a high level of security.

13. Your rights

Depending on your location and applicable law, you may have the right to:

• access your personal data
• request correction or deletion
• request data portability
• restrict or object to certain processing
• withdraw consent at any time (where processing is based on consent)
• lodge a complaint with a data protection authority

13.1 Exercising your rights Requests can be sent to privacy@holoai.ch. We may request additional information to verify your identity before responding. We will respond within the timeframes required by applicable law. 13.2 Marketing preferences You can unsubscribe from non-essential communications at any time via the unsubscribe link in the message or by contacting us at privacy@holoai.ch.

14. Supervisory authorities

You have the right to lodge a complaint with your local data protection authority. If you are in Switzerland, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).

15. Children

The Services are not intended for children under the age of 13, and we do not knowingly collect personal data from children under 13.

16. Third-party websites

Our Services may contain links to thirdparty websites or services. We are not responsible for their privacy practices. Please review their privacy policies separately.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version will always be available through the Services, and we will update the “Last updated” date above. If changes are material, we will provide additional notice where required by law.

18. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact: Email: privacy@holoai.ch