Privacy Policy
Last updated: April 2026
Introduction
This Privacy Policy describes how the FIM group of companies — comprising FIM Labs Pte. Ltd. ("FIM Labs," Singapore) and Beijing FIM Network Technology Co., Ltd. ("FIM China"), collectively "FIM," "we," "us," or "our" — collects, uses, and protects your personal information when you visit our websites (fim.ai, one.fim.ai), use FIM One (our enterprise AI agent platform), or interact with our services.
The specific entity responsible as the data controller for your personal information depends on where you are located. Please refer to the "Applicable Entity & Data Controller" section below for details.
FIM One is available as both a cloud-hosted service and a self-hosted deployment. This policy primarily applies to our cloud services and website. For self-hosted deployments, you retain full control over your data, and the sections of this policy that apply to such deployments are noted accordingly.
By using our services, you agree to the practices described in this policy. If you do not agree with this policy, please do not use our services.
Applicable Entity & Data Controller
The FIM entity that acts as the data controller for your personal information, and the applicable data protection law, depend on your location:
• If you are located in Singapore, Southeast Asia, the European Economic Area (EEA), the United Kingdom, the United States, or any jurisdiction outside of Mainland China:
– Data Controller: FIM Labs Pte. Ltd. ("FIM Labs")
– Registered Address: 68 Circular Road, #02-01, Singapore 049422
– Applicable Law: Singapore Personal Data Protection Act (PDPA), supplemented by the EU General Data Protection Regulation (GDPR) for EEA/UK data subjects and the California Consumer Privacy Act (CCPA) for California residents.
• If you are located in Mainland China:
– Data Controller: Beijing FIM Network Technology Co., Ltd. ("FIM China")
– Registered Address: T3-2112, Damei Center, Chaoyang District, Beijing, China
– Applicable Law: Personal Information Protection Law of the People's Republic of China (PIPL), Cybersecurity Law, Data Security Law, and related regulations.
Both entities apply the same data protection standards described in this Policy. You may contact our Data Protection Officer at privacy@fim.ai regardless of location — your request will be routed to the appropriate controller.
Information We Collect
We may collect the following types of information:
• Contact information you provide through our forms (name, email address, company name, phone number, job title)
• Account information when you register for FIM One cloud services (email address, password, organization details)
• Technical information automatically collected during website visits (IP address, browser type and version, device information, operating system, pages visited, access times, referring URL)
• Usage data from FIM One when deployed through our cloud services (feature usage patterns, workflow configurations, performance metrics)
• Communication records when you contact our support team (support tickets, emails, chat logs)
• Marketing preference data (subscription status, consent records, communication history)
Legal Basis for Processing
We process your personal data on the following lawful bases in accordance with GDPR Article 6:
• Consent: We rely on your explicit consent for sending marketing communications (such as product updates and newsletters via email) and for setting non-essential cookies (analytics). You may withdraw your consent at any time.
• Contract Performance: Processing is necessary to provide our services to you, including account management, technical support, and delivery of FIM One cloud services as agreed in our service terms.
• Legitimate Interests: We process certain data based on our legitimate interests, where those interests are not overridden by your rights. This includes maintaining the security and integrity of our services, detecting and preventing fraud, improving our products and user experience, and conducting internal analytics. We carefully balance our interests against your privacy rights in each case.
• Legal Obligations: We may process your data to comply with applicable legal requirements, including tax regulations, financial reporting obligations, and responses to lawful government requests.
How We Use Your Information
We use collected information for the following purposes:
• Arranging product demos and responding to inquiries
• Providing, maintaining, and improving FIM One cloud services
• Providing technical support and customer service
• Improving our products, services, and website experience
• Sending relevant product updates, security advisories, and announcements (with your consent)
• Analyzing website traffic and usage patterns through our self-hosted analytics platform
• Ensuring the security and proper functioning of our services
• Complying with legal obligations and protecting our rights
Information Sharing
We do not sell your personal information to third parties. We may share information with:
• Service providers who assist in operating our website and services, bound by data processing agreements and confidentiality obligations
• Legal authorities when required by law or to protect our legal rights
• Business partners, only with your explicit consent
All third-party service providers are contractually required to protect your data and may only process it for the specific purposes we have engaged them for. See the "Third-Party Services" section below for details on our specific service providers.
Third-Party Services
We use a limited number of third-party services to operate our platform and website. Each is bound by a data processing agreement (DPA) that governs how your data may be handled:
• Amazon Web Services (AWS) — Cloud infrastructure provider. Our services are hosted in the AWS Hong Kong region (ap-east-1). AWS maintains comprehensive compliance certifications including SOC 1/2/3, ISO 27001, and GDPR compliance frameworks.
• Alibaba Cloud Direct Mail — Email delivery service used for transactional emails and marketing communications. Processes only the email addresses and message content necessary for delivery.
• Umami Analytics — We use a self-hosted instance of Umami for website analytics, running on our own server infrastructure. No analytics data is shared with any third party. Umami is privacy-focused by design: it does not use cookies for tracking and does not collect personally identifiable information.
We do not use any third-party advertising networks, social media tracking pixels, or external analytics services such as Google Analytics.
Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
• Encrypted data transmission using TLS/SSL for all communications
• Encryption of data at rest for sensitive information
• Strict access controls with role-based permissions for internal systems
• Regular security assessments and vulnerability testing
• Employee training on data protection practices
• Incident response procedures for potential security events
For self-hosted FIM One deployments, all data remains on your own infrastructure under your complete control. We do not have access to any data in self-hosted environments unless you explicitly grant it for support purposes.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are:
• Active account data: Retained for as long as your account remains active and you continue to use our services.
• After account deletion: Personal data is erased from our active systems within 30 days of your deletion request. Anonymized and aggregated usage statistics that cannot be linked back to you may be retained for product improvement purposes.
• Support communications: Retained for 24 months after the issue is resolved, to provide context for future support interactions and quality assurance.
• Marketing consent records: Retained until you withdraw your consent, plus an additional 6 months to maintain an audit trail demonstrating our compliance with consent requirements.
• Server logs: Automatically purged after 90 days.
• Billing and transaction records: Retained as required by applicable tax and financial regulations (typically 5–7 years).
• Self-hosted deployments: You have full control over all data retention. We do not store any data from self-hosted environments unless you explicitly engage our cloud-based support services.
International Data Transfers
Our cloud services are hosted in the AWS Hong Kong region. Depending on your location, your data may be transferred to and processed in a jurisdiction different from your own.
• For users in the European Union / European Economic Area (EU/EEA): Transfers of personal data outside the EEA are protected by the European Commission's Standard Contractual Clauses (SCCs), supplemented by AWS's compliance certifications and our own technical safeguards. You may request a copy of the applicable SCCs by contacting our Data Protection Officer.
• For users in other jurisdictions: We ensure that any cross-border data transfer complies with applicable local data protection laws and is subject to appropriate safeguards.
• For self-hosted deployments: All data remains on your own infrastructure in the location of your choosing. FIM does not initiate any cross-border data transfer for self-hosted customers. You maintain complete sovereignty over your data.
Your Rights
Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have the following rights regarding your personal data:
• Right of Access: You may request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification: You may request that we correct any inaccurate or incomplete personal data.
• Right to Erasure ("Right to be Forgotten"): You may request that we delete your personal data, subject to any legal obligations requiring us to retain it.
• Right to Restriction of Processing: You may request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format, and have it transmitted to another controller where technically feasible.
• Right to Object: You may object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where we rely on your consent for processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates applicable law.
To exercise any of these rights, please contact our Data Protection Officer at privacy@fim.ai. We will respond to your request within 30 days. In certain cases, we may ask you to verify your identity before processing your request.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA).
• Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt out of the sale of your personal information. We do not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@fim.ai. We will respond to verifiable consumer requests within 45 days.
Cookies
Our website uses cookies and similar technologies to ensure proper functionality and to understand how visitors interact with our site.
When you first visit our website, you will be presented with a cookie consent banner offering two options:
• Accept All Cookies: Enables both essential and analytics cookies.
• Essential Only: Enables only the cookies strictly necessary for website functionality.
Types of cookies we use:
• Essential Cookies: These are required for the basic operation of our website (such as session management, language preferences, and security features). They cannot be disabled, as the website would not function properly without them.
• Analytics Cookies: We use our self-hosted Umami analytics platform to understand website traffic and usage patterns. Umami is privacy-focused and does not track users across websites or collect personally identifiable information. Analytics cookies are only set if you choose "Accept All Cookies." No data from analytics is shared with any third party.
We do not use advertising cookies, social media tracking cookies, or any third-party tracking technologies.
You may change your cookie preferences at any time through the cookie settings link in our website footer, or by adjusting your browser settings.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we are committed to the following:
• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, as required by GDPR Article 34.
• Breach notifications will include: the nature of the breach, the categories and approximate number of individuals and data records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate potential adverse effects.
• We maintain an internal breach register documenting all incidents, their effects, and remedial actions taken, regardless of whether they meet the threshold for notification.
Data Protection Officer
We have designated a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with applicable privacy regulations.
You may contact our DPO with any privacy-related questions or concerns, or to exercise your data protection rights:
Email: privacy@fim.ai
Our DPO is responsible for monitoring compliance with GDPR and other data protection laws, advising the company on data protection obligations, cooperating with supervisory authorities, and serving as the point of contact for data subjects regarding all issues related to the processing of their personal data.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
• Post the updated policy on our website with a revised "Last updated" date
• Notify registered users via email for significant changes
• Where required by law, obtain your consent to material changes that affect how your data is processed
We encourage you to review this policy periodically. Your continued use of our services after any changes indicates your acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise your data protection rights, please contact us:
Data Protection Officer: privacy@fim.ai
General Inquiries: hi@fim.ai
Singapore Headquarters — FIM Labs Pte. Ltd.
68 Circular Road, #02-01, Singapore 049422
China Office — Beijing FIM Network Technology Co., Ltd.
T3-2112, Damei Center, Chaoyang District, Beijing
Website: fim.ai