Ontoworks Privacy Policy

This Privacy Policy explains how Ontoworks GmbH ("Ontoworks", "we", "us", "our") collects and processes personal data when:

• you visit our websites (including ontoworks.ai and related pages),
• you use the Ontovision software platform, plug-ins and APIs,
• you interact with us as a business contact, supplier, partner, or job applicant.

Ontovision is an AI-powered video post-production platform that analyses and semantically tags video footage, suggests rough cuts, and can generate or assist in creating video content using generative AI components.

This Policy is designed to comply with:

• the EU General Data Protection Regulation (GDPR),
• corresponding national data protection laws of EU/EEA Member States,
• the UK GDPR and Data Protection Act (for UK users),
• and widely recognised international data protection standards for cross-border transfers.

Where we act as a data processor (for example, processing our customers' video assets on their instructions), this Policy describes our general practices. The detailed obligations are governed by our Data Processing Agreement (DPA) with each customer.

Where we act as a data controller (for example, for your account data, website usage, marketing, support requests, and our own AI model improvement), this Privacy Policy applies directly.

Under Articles 13 and 14 GDPR, controllers must provide clear information about their identity, purposes, legal bases, recipients, transfers, retention, and users' rights^[1][2]. This Policy is intended to fulfil those obligations.

Controller:

Ontoworks GmbH

Weißenseestraße 10

81539 München

Germany

Email: contact@ontoworks.ai

Website: https://www.ontoworks.ai

If we are required to appoint a Data Protection Officer (DPO) under applicable law, the DPO's contact details will be published here and in our imprint.

For users in the UK, Ontoworks may appoint a UK representative where required; details will be provided in the UK-specific section of our website.

Depending on how you interact with Ontovision and our services, we may process the following categories of data:

We process personal data only where we have a valid legal basis under GDPR, UK GDPR, and comparable laws. For each main purpose we rely on one or more of the following:

• Performance of a contract (Art. 6(1)(b) GDPR): To create and manage user accounts, provide Ontovision functionality, process payments where applicable, deliver support, and fulfil our contractual commitments.
• Legitimate interests (Art. 6(1)(f) GDPR): For security and fraud prevention, service monitoring, product improvement, aggregated analytics, B2B relationship management, and limited B2B marketing where appropriate, while always respecting your rights and expectations.
• Consent (Art. 6(1)(a) GDPR): For optional marketing communications, certain cookies/trackers, and—where required by law—for specific types of AI model training or sharing of example content. You may withdraw your consent at any time.
• Legal obligations (Art. 6(1)(c) GDPR): For accounting, tax, record-keeping, compliance with supervisory authorities, and responding to lawful requests.
• Vital interests / public interest (Art. 6(1)(d)/(e) GDPR): Only in rare, clearly defined cases (e.g. if required to help protect an individual from serious harm, or for certain regulatory duties), usually not relevant to typical Ontovision use.

If we ever need to rely on legitimate interests as a basis for AI model development or deployment, we will follow the European Data Protection Board (EDPB) guidance and perform a careful balancing test^[3][4].

For account data, usage data, marketing, support, and our own AI R&D where we determine the purposes and means, Ontoworks acts as a data controller.

For video assets, project data, and customer content uploaded to Ontovision in the context of your productions, we generally act as a data processor, and your organisation is the data controller.

As processor, we:

• process data only on documented instructions from the controller,
• implement appropriate technical and organisational measures for security,
• assist controllers in fulfilling data subject rights requests,
• support DPIAs and regulatory contacts where appropriate,
• use sub-processors only under written contracts with equivalent protections.

These obligations are detailed in our Data Processing Agreement (DPA), signed with each customer.

Our websites and applications may use cookies and similar technologies to:

• maintain sessions and security (strictly necessary),
• collect usage statistics and improve usability (analytics),
• support marketing and communications.

Where required by law, we obtain consent via a cookie banner for non-essential cookies. You can withdraw consent or adjust settings at any time via the interface or your browser settings.

We share personal data only where necessary, under confidentiality and data protection agreements, with:

• Hosting and infrastructure providers, primarily within the EU/EEA (e.g. cloud providers such as Hetzner, OVH or equivalent European providers).
• AI infrastructure and model providers, where we rely on external models under data protection compliant contracts (including SCCs where relevant), and with restrictions on use of your data for their own purposes.
• Analytics, monitoring, and logging providers, used to maintain performance and security.
• Professional advisers, such as law firms and auditors, where needed for compliance (e.g. IP, data protection, and media law).
• Payment service providers, if applicable, for billing and transaction processing.
• Event and communication service providers, for webinars, newsletters, and CRM.
• Public authorities or courts, where required by law or to protect our rights or those of third parties.

We do not sell personal data to third parties.

Ontovision is designed as an EU-hosted, GDPR-aligned platform with core processing taking place within the EU/EEA. However, some service providers or support functions may be located outside the EEA (for example, in the UK, Switzerland, or other countries).

Where personal data is transferred outside the EU/EEA or UK, we ensure that one of the following applies:

• an adequacy decision by the European Commission or UK authorities,
• Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms,
• additional technical and organisational safeguards (encryption, access controls, minimisation) as necessary.

You may request further information on specific transfer mechanisms and safeguards via the contact details above.

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law. Typical retention periods include:

• Account and contract data: for the duration of the contract plus statutory limitation periods (usually 3–10 years, depending on national law).
• Project and video content: for the duration of the subscription and any agreed post-termination period, or as otherwise specified in your DPA or contract. Content may be deleted earlier at your organisation's instruction.
• Logs and technical data: for short to medium periods (typically 30–365 days), depending on the purpose (security, troubleshooting, audit).
• Marketing data: until you withdraw consent or object, subject to limited archiving where needed to demonstrate compliance.
• Recruitment data: usually up to 6 months after the end of the process, unless you consent to longer retention or a longer period is required by law.

If we cannot specify a precise period, we use objective criteria (e.g. contract duration, statutory limitation periods, and relevance to security or compliance).

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in line with GDPR's security requirements and sector best practice^[6][7]. Measures include:

• Encryption of data in transit (TLS) and at rest where appropriate,
• Role-based access control, least-privilege principles, and logging,
• Segregation of customer data by workspace and environment,
• Secure development lifecycle and regular vulnerability management,
• Backup and disaster-recovery procedures,
• Staff confidentiality obligations and security training.

For AI components, we also aim to:

• reduce the risk of unintended model memorisation of personal data,
• prevent AI from generating outputs that reveal identifiable personal data from other users' content,
• conduct periodic privacy and security reviews of model behaviour^[3][4].

Ontovision uses algorithmic analysis and profiling to:

• classify and tag footage (e.g. scenes, characters, locations, moods),
• suggest narrative structures and rough cuts,
• propose variants for different formats or platforms.

These forms of profiling are used to support creative decision-making, not to make legal or similarly significant decisions about individuals (such as credit scoring or employment decisions). Users maintain control and can accept, reject, or modify AI suggestions.

If in the future any functionality were to involve decisions based solely on automated processing with legal or similarly significant effects, we would:

• provide specific prior notice,
• explain the logic and consequences in clear language^[2],
• ensure appropriate safeguards including the right to human intervention, to express your point of view, and to contest decisions.

Subject to applicable law, you have the following rights regarding your personal data:

• Right of access: to obtain confirmation whether we process your personal data and receive a copy.
• Right to rectification: to have inaccurate or incomplete data corrected.
• Right to erasure: to request deletion of your data where certain grounds apply (e.g. no longer needed, withdrawal of consent, unlawful processing).
• Right to restriction: to request limitation of processing in specific circumstances.
• Right to data portability: to receive data you provided in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
• Right to object: to object at any time to processing based on legitimate interests, especially for direct marketing.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
• Right not to be subject to certain automated decisions: as described above.

To exercise these rights, contact us at contact@ontoworks.ai or using the contact details in Section 2. For data where we act as a processor (e.g. your personal data inside a customer's projects), we may need to forward your request to the relevant controller (your employer or production company) and support them in responding.

Ontovision and our services are aimed at professional users in the media and creative industries and are not directed at children under the age of 16 (or lower age where permitted by national law, but never below 13). We do not knowingly collect personal data directly from children for our own purposes.

If you believe we have collected personal data about a child contrary to this Policy, please contact us and we will take appropriate steps.

Where Ontoworks' internal teams use external AI tools (for example, coding assistants or productivity tools), and such tools could involve processing personal data, we:

• assess the privacy implications in line with GDPR,
• configure tools to minimise personal data sharing,
• prohibit uploading of sensitive or customer content except under explicit contractual safeguards,
• disclose the use of such tools in our internal registers and contracts, and reflect any relevant processing in this Privacy Policy where it impacts you^[5][8].

We may update this Privacy Policy from time to time to reflect:

• changes in our services (e.g. new Ontovision features),
• developments in law or regulatory guidance (including GDPR, the EU AI Act, and national implementations),
• improvements in our privacy and security practices.

The latest version will always be available on our website. Material changes (especially regarding AI usage, training practices, or new purposes) will be notified to you in an appropriate manner (e.g. via email, in-app notification, or banner).

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please contact:

Ontoworks GmbH

Weißenseestraße 10

81539 München

Germany

Email: contact@ontoworks.ai

Website: https://www.ontoworks.ai

If you are a user acting on behalf of a customer organisation, you may also contact your organisation's data protection contact, who may coordinate with us as controller or processor.

This document is a template tailored to Ontovision's described business model (EU-hosted AI video SaaS with generative and analytic components) and aligned with current GDPR and AI guidance. It must be:

• reviewed and, if necessary, adapted by qualified legal counsel in Germany and any other key jurisdictions where you operate,
• harmonised with your Terms of Service and Data Processing Agreement,
• kept current as laws and services evolve.

This Privacy Policy does not constitute legal advice. Ontoworks recommends consulting with a data protection lawyer to ensure full compliance with all applicable obligations.