Privacy Policy · Circli

1. Introduction

The privacy of our users and of the people whose data they share is of utmost importance to us. This platform (the "Platform" or "Circli") is operated by Circli Servicios Tech S.A.S., a company duly registered with the Public Registry of the Province of Mendoza under File N° eSAS-000542, with registered office in the City of Mendoza, Argentina. This Privacy Policy describes what personal data we process, for what purposes, with whom we share it, and what rights you have over your information, in accordance with Argentine Law 25,326 on Personal Data Protection and other applicable legislation. By using the Platform, you accept the practices described in this policy.

2. Roles and responsibilities

Circli may act as either a controller or a processor of your personal data, depending on the context: (a) When you create an account directly at circli.app, browse the site, or contact us, Circli is the controller of that data. (b) When you use Circli as part of an event organized by a third party (such as a fair, congress or conference), the event organizer is the controller of the data generated within that event, and Circli acts as a processor on behalf of the organizer. In these cases: • The organizer defines the purposes of the processing within the event. • Circli processes the data following the organizer's documented instructions, under a Data Processing Agreement signed with each organizer. • To exercise your rights regarding event-generated data, your first point of contact is the event organizer. Circli cooperates with the organizer to respond to your request. • The organizer maintains its own privacy notice describing the event-specific uses. We recommend you read it. (c) For aggregated and anonymous technical data (usage metrics, fraud prevention), Circli maintains its own responsibility for limited purposes related to operating the Platform securely.

3. Limitation of liability for organizer's uses

When Circli acts as a processor on behalf of an event organizer, Circli is not liable for: • The organizer's use of the data outside the Circli Platform (e.g., exports, post-event communications, organizer's own integrations). • Obtaining the data subject's consent for purposes the organizer defines on its own. • Leaks, unauthorized access or improper uses of the data occurring in the organizer's infrastructure, devices or processes, or in those of third parties contracted by the organizer. • Compliance with laws applicable to the organizer in its own jurisdiction and regarding its own uses. This limitation does not apply when the incident occurs within Circli's infrastructure or results from Circli's failure to follow the organizer's documented instructions.

4. Personal data we collect

We collect only the personal data necessary to provide the service, in the following categories: • Account data: mobile phone number (used for WhatsApp authentication and interaction), name or alias, and optionally email. • Event data (when you use Circli as part of an event): name, company, professional role or category, optional profile photo, connections generated with other attendees, and activity records within the event. • Contact data voluntarily shared by you: name and phone number of third parties you choose to add to your circle on the Platform. • Technical data: IP address and user-agent, always processed via salted hash as a pseudonymization and security measure. These are never stored in plaintext. • Cookies and similar technologies: see dedicated section below.

5. Purpose and use of data

We use the personal data collected for the following purposes: • Service provision: enabling you to create your circle, manage your contacts and participate in events using the Platform. • Operating events for organizers who contract the Platform, always in accordance with the organizer's documented instructions. • Security and fraud prevention: detecting abusive uses, protecting service integrity. • Service communications: operational notifications, technical support, notices about changes to this policy or terms. • Compliance with legal obligations: responding to requirements from competent authorities or fulfilling applicable regulations. • Aggregated and anonymous product improvement: statistical analysis that does not allow identification of individual users. We do not use your data for our own commercial purposes other than the above. We do not sell, lease or transfer your data to third parties.

6. Processors and sub-processors

To operate the Platform we use the following technology providers as sub-processors. Each processes data in its specific role under contractual agreements imposing confidentiality, security and purpose-limitation obligations equivalent to ours: • Meta Platforms, Inc. (WhatsApp Business Cloud API) — messaging with users — United States. • Vercel, Inc. — application hosting — United States. • Supabase, Inc. — database and storage — United States / Singapore. • OpenAI, L.L.C. — natural-language processing for bot queries, under enterprise/business terms with no opt-in to training — United States. • Google LLC (Google Analytics, Google Ads) — optional advertising measurement, only if you explicitly enable it via cookie consent — United States. • Meta Platforms, Inc. (Pixel, Conversions API) — optional advertising measurement, only if you explicitly enable it via cookie consent — United States. The up-to-date list is available on the Sub-processors page.

7. Cookies and similar technologies

The Platform uses cookies and similar technologies in three categories: • Essential: necessary for site operation and session. They do not require your consent. • Analytics: help us understand how the site is used. We do not activate them before you accept via the cookie banner. • Marketing: used to measure and optimize advertising campaigns. We do not activate them before you accept. You can change your preferences at any time via the "Cookies" link in the footer.

8. Use of artificial intelligence

We use third-party artificial-intelligence services to process natural-language queries and categorize content from the bot. Data sent to these services is processed under enterprise/business terms that prohibit its use for model training. You may request human review of any automated response at any time by contacting us.

9. Events as a special context

When an organizer contracts the Platform to run an event, certain visitor data is shared with that organizer (for example: name, company, professional category, connections generated during the event). The organizer is the controller of that data. Each event has its own complementary privacy notice with event-specific uses. We recommend you read it when you join an event. Professional events with Exhibitors. When you take part in an event that features Exhibitors (for example, a fair with booths run by wineries, brands or companies) and you scan an Exhibitor's booth QR code, you authorize your contact and professional profile data (name, company, role, email, WhatsApp, scan history and any other data you have entered in your event profile) to be made available to the Event Organizer through the Organizer Panel. The Organizer is responsible for delivering that data to the Exhibitor whose booth you scanned, exclusively so that the Exhibitor may contact you commercially in relation to the interest you expressed. The onward delivery from the Organizer to the Exhibitor is governed by the contract between them: the Exhibitor becomes an independent controller for any subsequent processing, pursuant to Article 11 of Argentine Law 25,326. Circli does not deliver your data directly to Exhibitors. You retain at all times the rights of access, rectification, deletion, opposition and consent revocation, which you may exercise with the Event Organizer or, subsidiarily, with privacidad@circli.app.

10. Minimum age and responsible communication

The Platform is intended for individuals over eighteen (18) years of age. If you declare you are under 18, you cannot use it. When an event involves the promotion of alcoholic beverages, we apply the requirements of Argentine Law 24,788 on responsible communication, including age gates and applicable legal disclaimers.

11. Storage and international transfers

Personal data is stored in infrastructure located in the United States (Vercel and Supabase) and, for some services, also in regional caches. Neither the United States nor Singapore appear on the Argentine list of countries with adequate protection. As a consequence, international transfers are made under the safeguards provided by AAIP Disposition N° 60/2016 (model contractual clauses). We maintain agreements with each sub-processor that impose confidentiality, security, purpose-limitation and return/destruction obligations substantially equivalent to those required by Argentine law. By using the Platform you expressly authorize this international transfer.

12. Data retention

We retain personal data only for the time necessary to fulfill the purposes described or as required by law. Typical periods: • Active account data: until you close your account. • Event data (activated profile): up to twenty-four (24) months post-event, with the organizer's authorization under art. 25 inc. 2 of Law 25,326. • Pre-registered users who did not activate a profile: automatic anonymization within seven (7) calendar days after the event closes. • Technical logs: twelve (12) months. • Backups: thirty (30) days. After these periods, data is destroyed or irreversibly disassociated, except where legal obligations require its retention.

13. Your rights over your data

Under Argentine Law 25,326 you have the following rights over your personal data: • Access: request and receive information about the data we process. • Rectification: ask us to correct inaccurate or outdated data. • Erasure: ask for deletion of your data when applicable. • Objection: object to processing in certain circumstances. • Confidentiality: have your data treated with privacy. • Withdrawal of consent: withdraw your consent when it is the basis of processing. How to exercise them: • If your data was generated within an event operated on the Platform → contact the event organizer first; they are the controller of that data. Circli cooperates with the organizer. • If your data was generated by direct use of the landing or app outside an event → contact us at privacidad@circli.app. We will respond within legal timeframes (typically ten business days). You also have the right to file complaints with the Agency for Access to Public Information (AAIP). If you reside in the European Union, you may exercise equivalent rights under the GDPR.

14. Data security

We implement reasonable technical and organizational measures in line with AAIP Resolution N° 47/2018 and industry best practices, including: • Encryption in transit (HTTPS/TLS) and at rest. • Access controls with multi-factor authentication and the principle of least privilege. • Salted hashing of IP and user-agent (never plaintext). • Encrypted backups with 30-day retention. • Confidentiality obligations signed by our personnel with access to personal data. In the event of a security incident affecting your personal data, we commit to notifying within seventy-two (72) hours of reasonable confirmation, in line with international best practices.

15. Registration and supervisory authority

We maintain our personal-data databases in accordance with AAIP regulations. Registration with the National Registry of Personal Data Bases is in process. The Agency for Access to Public Information (AAIP) is the body overseeing compliance with Law 25,326 in the Republic of Argentina. You have the right to file complaints with it.

16. Privacy in Circli Networks

If you participate in a private Circli Networks circle (a paid-membership community), these additional rules apply: • Dual controllership. The network owner is the controller of the data you complete in the application form (motives, context, answers to the questionnaire) — that data is visible to the network's council and is not exposed to the public. Circli is the controller for cross-cutting data (WhatsApp identity, payment data, audit logs, subscriptions) and acts as processor when operating the platform on the owner's behalf. • Visibility default: members-only. Your network profile (display name, photo, headline, bio) is visible only to active members of the same network. To appear as a public card on open surfaces (the founding-council landing, for example), you must opt in explicitly. The setting is two-state — public or members-only. No per-field configuration in v1. • Confidentiality — Chatham House. Anything that circulates inside the network (posts, weekly brief, intro threads, concierge messages) you may use as information but may not attribute without permission. This is a community norm, not a legal obligation, but breaking it may lead to council sanctions. • Double-opt-in introductions. The warm-intro flow is designed so that your contact information is NOT revealed until both you and the other member have accepted. A record of the introduction is retained in our systems for audit. • Deletion. You may request deletion of your network data by writing to privacidad@circli.app. We delete your profile, posts and participation in intro threads. Invoices and audit logs are retained as legally required (AFIP — up to ten years). Operational detail in the Circli Networks Member Handbook.

17. Changes to this policy

This Policy may be updated to reflect regulatory changes, new functionality, or improvements in our practices. When changes are substantial, we will notify you through the usual channels (website, app, email or WhatsApp). The date of last update appears at the top of the document.

18. Contact

For inquiries, complaints or to exercise rights over your data, write to privacidad@circli.app. You may also reach us via the contact form on the site. Controller: Circli Servicios Tech S.A.S., City of Mendoza, Argentina.