PRIVACY STATEMENT

Labmatisse B.V.

Last updated: March 2026

1. Introduction

This Privacy Statement explains how Labmatisse B.V., registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under registration number 74032682, with its registered office at Zwanensingel 129, 6601GE. Wijchen, Netherlands (“Labmatisse”, “we”, “us”, “our”), processes personal data in connection with the Matisse Platform.

The Matisse Platform includes the website, web application, mobile applications (including iOS applications), and related APIs and services.

2. Our Role

2.1 When We Act as Controller

Labmatisse acts as data controller with respect to account holders, website visitors, business contacts, prospective customers, billing and subscription data, and support communications.

2.2 When We Act as Processor

Labmatisse acts as data processor with respect to patient data uploaded by Users. In this context, the User is the data controller and processing is governed by the Data Processing Agreement.

3. Categories of Personal Data Processed (Controller Activities)

3.1 Account and Registration Data

We process the following personal data:

• First and last name
• Email address
• Company name
• Company address (if provided)
• Telephone number (if provided)
• Username
• Encrypted password
• Subscription information

Legal basis: Article 6(1)(b) and 6(1)(c) GDPR.

3.2 Technical and Usage Data

• IP address
• Device and browser information
• Login logs
• Security logs
• Platform usage data

Legal basis: Article 6(1)(f) GDPR (legitimate interest – platform security and integrity).

3.3 Billing and Payment Data

We process billing contact details, subscription type, and transaction references. Payment card data is processed by Stripe, which may act as an independent controller.

Legal basis: Article 6(1)(b) and 6(1)(c) GDPR.

3.4 Communication and Support Data

We process personal data to provide onboarding assistance, service communications, support responses, and platform updates.

Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.

4. Patient Data (Processed as Processor)

The Platform enables Users to upload photographs of teeth for generating reference (colour) codes. Labmatisse processes such data solely as processor on behalf of the User.

• Photographs of teeth
• Generated reference codes
• Project identifiers
• Upload metadata

5. Anonymised Data and AI Development

Labmatisse may apply irreversible anonymisation techniques. Once data is irreversibly anonymised in accordance with Recital 26 GDPR, it no longer constitutes personal data.

• Improving and training AI models
• Quality assurance and analytics
• Product development and research
• Creation of aggregated datasets

6. Data Sharing and Sub-Processors

We may engage trusted service providers, including:

• Cloud infrastructure providers (e.g., AWS)
• Authentication providers (e.g., Auth0)
• Payment providers (e.g., Stripe)
• Communication providers (e.g., Intercom)

We do not sell personal data.

7. International Data Transfers

Where personal data is transferred outside the EEA, appropriate safeguards are applied, including Standard Contractual Clauses or adequacy decisions.

8. Data Retention

Account data is retained during the subscription period.

Deleted projects remain in a 'Trash' state for up to 30 days before permanent deletion.

Certain data may be retained to comply with legal obligations or defend legal claims.

9. Security Measures

We implement appropriate technical and organisational measures under Article 32 GDPR, including encryption, access controls, secure hosting, and monitoring systems.

10. Your Rights Under GDPR

• Access (Article 15)
• Rectification (Article 16)
• Erasure (Article 17)
• Restriction (Article 18)
• Objection (Article 21)
• Data portability (Article 20)
• Withdraw consent (where applicable)
• Lodge a complaint with the Dutch Data Protection Authority

Requests may be submitted to: info@matisse.ai

11. Mandatory Provision of Data

Providing certain personal data is necessary to create and maintain an account. Failure to provide required data may prevent use of the Platform.

12. Automated Decision-Making

Labmatisse does not engage in automated decision-making producing legal or similarly significant effects.

13. Changes to This Privacy Statement

We may update this Privacy Statement periodically. The most recent version will always be available on our website.