Privacy Policy

    Last updated: April 21, 2026

    1. Introduction

    This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and describes how we collect, use, and protect personal data of users who access the Sherlok platform (hereinafter "Platform"). Sherlok is a marketplace that enables buyers and sellers of Italian businesses to connect and initiate negotiations. Sherlok does not participate in transactions between the parties, does not act as an intermediary, does not process payments, and does not earn commissions on sales. The service is limited to providing a technological platform connecting supply and demand. The Platform includes certain mutual-visibility mechanisms between users: (a) advertisers can automatically view the full profile of registered users who visit their listings, at no cost and without any further unlock action; (b) buyer users may, by spending credits, unlock listings, active search mandates, and professional profiles. By registering, the user acknowledges and accepts that visiting a listing automatically makes their profile visible to the advertiser who owns that listing, unless anonymous visibility is enabled from the account settings.

    2. Data Controller

    The Data Controller is:

    Sherlok
    Treviso, Italy
    VAT: 05614300266
    Email: info@sherlok.it

    The updated list of data processors pursuant to Art. 28 GDPR is kept at the Data Controller's registered office.

    3. Types of Data Collected

    We collect the following categories of data:

    a) Data voluntarily provided by the user
    Name, surname, email address, phone number, password (encrypted), company name, and professional profile information.

    b) Listing data
    Information about the business listings published, including: title, description, sector, location, asking price, financial data, photographs, and attached documents.

    c) Browsing data
    Data automatically collected during navigation: IP address (anonymized), browser type and device, pages visited, session duration, traffic source. This data is processed in aggregate and anonymous form for statistical purposes.

    d) Cookies
    For detailed information on cookies used, please consult our Cookie Policy.

    e) Profile data potentially visible to other users
    As a consequence of visiting a listing, the following data — if entered by the user in their profile — becomes visible to the advertiser who owns the listing: name and surname, email, phone, company, bio, age range, gender (if declared), approximate location (region/province), acquisition budget, acquisition experience, search motivation, sectors and regions of interest, tier (base / verified / premium).

    Never shared: password, identity documents, payment data, internal unlock history.

    4. Purposes and Legal Basis

    Personal data is processed for the following purposes:

    | Purpose | Legal basis |
    |---|---|
    | Account creation and management | Performance of contract (Art. 6.1.b GDPR) |
    | Publication and management of listings | Performance of contract (Art. 6.1.b GDPR) |
    | Recording of listing visits and presentation of the visitor list to the advertiser | Performance of contract (Art. 6.1.b) + Legitimate interest (Art. 6.1.f) |
    | Automatic visualisation of registered visitors' profiles by the advertiser | Performance of contract (Art. 6.1.b) + Legitimate interest (Art. 6.1.f), subject to the right to object via anonymous visibility |
    | Algorithmic processing of the buyer profile to send suggestion emails (AI matching) | Performance of contract (Art. 6.1.b) for the chosen tier |
    | Credit-based unlock of listings, mandates, and professional profiles | Performance of contract (Art. 6.1.b GDPR) |
    | Service communications (transactional notifications, user messages) | Performance of contract (Art. 6.1.b GDPR) |
    | Tax and accounting obligations | Legal obligation (Art. 6.1.c GDPR) |
    | Fraud prevention and platform security | Legitimate interest (Art. 6.1.f GDPR) |
    | Anonymous statistical analysis and service improvement | Legitimate interest (Art. 6.1.f GDPR) |
    | Sending promotional communications unrelated to AI matching | Explicit consent (Art. 6.1.a GDPR) |

    5. Profile Visibility to Advertisers

    Mechanism. When a registered user visits a listing page, the Platform records the visit. The advertiser who owns the listing can subsequently access, at no additional cost, the list of visitors with their full profile as detailed in section 3(e).

    Requirements. Visibility is reserved to advertisers with a registered account and limited to visitors who are themselves registered. Visits from non-authenticated users are shown as anonymous visits with no identifying data.

    Roles of the parties. From the moment of profile viewing, the advertiser acts as an independent data controller with respect to the data received and must process such data exclusively for the pre-contractual purposes of evaluating the transaction subject of the listing. It is expressly prohibited to use such data for: unauthorized marketing, transfer to third parties, inclusion in CRM or mailing lists, scraping, or contacts unrelated to the listing.

    Right to object (Art. 21 GDPR). The user may at any time activate anonymous visibility from the account Settings. In this mode, subsequent visits to listings will not expose the profile: the advertiser will only see an anonymous visit with no identifying data. The change takes immediate effect but is not retroactive: advertisers who have already viewed the profile before activation retain the received data as independent controllers.

    Log retention. Sherlok retains the log of visits and profile visualisations for 5 years for security, audit, and dispute management purposes.

    6. Personalized Suggestion Emails (AI Matching)

    Sherlok processes buyer user profile data (budget, sectors and regions of interest, experience, motivation, deal type) through matching algorithms, including AI-based ones, to identify relevant listings and periodically send suggestion emails.

    Frequency. The frequency of matching emails depends on the user's tier: base (limited or absent), verified (monthly), premium (weekly). The functionality is part of the contractual service with the user.

    Nature. Matching is a suggestion tool that does not produce legal effects or significant impacts on the user under Art. 22 GDPR: the user retains full freedom of evaluation and choice. No special categories of data (Art. 9 GDPR) are used.

    Right to object. The user may disable AI matching emails via the unsubscribe link in each email or by contacting info@sherlok.it.

    7. Data Retention

    Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:

    - Account data: retained until the user deletes their account, and subsequently for the period required by law.
    - Contractual and tax data: retained for 10 years from the end of the relationship, in compliance with Italian tax regulations.
    - User communications: retained for 2 years from the date of the last message.
    - Listing visit and profile visualisation logs: retained for 5 years.
    - Anonymous browsing data: retained indefinitely in aggregate form.
    - Cookies: according to the expiration dates indicated in the Cookie Policy.

    8. Data Sharing with Providers and Authorities

    Personal data may be shared with:

    - Technical service providers: hosting (Vercel), database (MongoDB Atlas), email services (Resend), file storage (Cloudflare R2), authentication (Google OAuth). These entities act as data processors under Art. 28 GDPR.
    - Competent authorities: exclusively upon request from judicial or administrative authorities, as required by law.

    The sharing between users described in section 5 is ontologically distinct from sharing with providers and rests on independent legal bases. Personal data is never sold or transferred to third parties for marketing purposes.

    9. International Transfers

    Data is primarily stored on servers located within the European Union. Where processing involves the transfer of data to third countries, such transfer is carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions, in full compliance with Articles 44-49 of the GDPR.

    10. User Rights

    Under Articles 15-22 of the GDPR, users have the right to:

    - Access (Art. 15): obtain confirmation of the existence of their data and receive a copy.
    - Rectification (Art. 16): obtain correction of inaccurate or incomplete data.
    - Erasure (Art. 17): obtain deletion of their data ("right to be forgotten").
    - Restriction (Art. 18): obtain restriction of processing in certain cases.
    - Portability (Art. 20): receive their data in a structured format and transfer it to another controller.
    - Objection (Art. 21): object to processing based on legitimate interest. In particular, users may object to profile visibility to advertisers by activating anonymous visibility from the account settings.
    - Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

    With regard to data that may already have been shared with other users (advertisers) through the visibility mechanism, the user may exercise their rights directly against each independent controller recipient. Upon written request to info@sherlok.it, Sherlok will provide — where technically feasible — the list of advertisers who have viewed the profile within the last 24 months.

    To exercise these rights, contact: info@sherlok.it

    We will respond within 30 days of receiving the request, as required by the GDPR.

    11. Minors

    The Platform is reserved for users aged 18 or older. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will immediately delete it.

    12. Data Security

    We implement appropriate technical and organizational measures to protect personal data, including: encryption of data in transit (TLS/SSL), password hashing, encrypted backups, access controls, and staff training.

    13. Changes to this Policy

    We reserve the right to update this Policy. In the event of substantial changes, registered users will be notified via email or a notice on the Platform. The date of the last update is indicated at the top of this document.

    14. Complaints

    Users have the right to file a complaint with the Italian Data Protection Authority:

    Garante per la protezione dei dati personali
    Piazza Venezia 11, 00187 Rome
    www.garanteprivacy.it

    15. Contact

    For any questions regarding the processing of personal data:

    Sherlok
    Email: info@sherlok.it