Privacy Statement – trybTest

Effective Date: February 24, 2026
Last Updated: February 24, 2026

This Privacy Statement explains how trybTest ("we," "us," or "our") collects, uses, stores, and discloses personal data when you ("User" or "Venturist") use our AI-Generated Business platform and related services (the "Service") within the jurisdiction of the Netherlands. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and relevant Dutch implementing legislation.


Definitions

For the purpose of clarity and compliance, the following terms shall have the meanings ascribed to them in this Privacy Statement, consistent with the GDPR:

"Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, but is not limited to, registration details, usage analytics data, and correspondence data.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. All Processing activities undertaken by trybTest must adhere to the principles laid out in Article 5 of the GDPR.

"Data Controller", for the purposes of this Statement, is trybTest, which is responsible for determining the purposes and means of the Processing of Personal Data. Our primary establishment is situated in the Netherlands, subjecting us to the primary oversight of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

"Usage Analytics Data" specifically refers to the non-identifiable or pseudonymized data collected regarding how the User interacts with the AI platform, including prompt complexity, speed of task completion, frequency of engagement with generated artifacts (e.g., Business Plans, MVP structures), and feature utilization rates, utilized strictly for service improvement and optimization of our Freemium/Subscription Hybrid Model.


Scope of Service

This Privacy Statement exclusively governs the Processing of Personal Data collected through the utilization of the trybTest platform, which offers an "AI-Generated Business" service via a natural language prompt input mechanism. The scope encompasses data collected during registration, subscription management under our hybrid model, the generation and delivery of AI artifacts, and subsequent interaction with our high-trust marketplace connecting Venturists with scaling professionals ("Makers").

The Service is provided on a B2C basis, primarily targeting solopreneurs and the creator economy. We process data necessary to fulfill the contractual obligation to generate comprehensive business ecosystems quickly. This includes input prompts which may inadvertently contain sensitive data—Users are expressly warned against inputting specific categories of sensitive personal data (e.g., health data, biometric data) as defined under Article 9 GDPR, as the Service is not designed or warranted for such specialized Processing.

Our Service explicitly includes the facilitation of connections between Venturists and third-party Makers. While trybTest acts as a conduit, once Personal Data (such as contact details or project scope requiring Maker expertise) is shared or transferred to a Maker for scaling purposes, the Maker assumes the role of an independent Data Controller. We implement contractual safeguards requiring Makers to adhere to GDPR standards, but this Statement does not extend to the Processing activities conducted independently by these external scaling professionals post-transfer.


Data Processing and Legal Basis (Netherlands Focus)

All Processing of Personal Data by trybTest is founded upon a lawful basis as stipulated by Article 6 of the GDPR. For the core functionality—the generation of business artifacts based on user input—the legal basis is primarily Contractual Necessity (Article 6(1)(b) GDPR), as the data is required to deliver the requested service (the AI-Generated Business). This includes analyzing the input prompt to structure the Business Plan, Marketing Strategy, and legal documentation components.

Furthermore, Processing related to service maintenance, security monitoring, and fraud prevention is conducted based on Legitimate Interests (Article 6(1)(f) GDPR), provided such interests do not override the fundamental rights and freedoms of the Data Subject. Specifically, the collection of Usage Analytics Data falls under this legitimate interest, as it is crucial for optimizing the proprietary multi-agent AI orchestration system and ensuring the technical viability of the platform for all users in the Netherlands. We conduct balancing tests to ensure proportionality before relying on this basis.

For marketing communications, including information regarding new features or subscription tier upgrades, we require explicit, affirmative Consent (Article 6(1)(a) GDPR). Users maintain the unequivocal right to withdraw this consent at any time through mechanisms provided within the user interface or via written notice to our Data Protection Officer, without prejudice to the lawfulness of Processing based on consent before its withdrawal. Compliance with Dutch regulations regarding electronic commercial communications (e.g., the Telecommunications Act, if applicable to unsolicited commercial electronic communications) is strictly maintained.


Data Retention and Security Measures

trybTest retains Personal Data only for as long as necessary to fulfill the purposes outlined in this Statement, or as required by applicable Dutch law, including fiscal record-keeping obligations. For active subscribers, data necessary for account management and service continuity is retained throughout the subscription period. Upon termination of an account, Personal Data is securely deleted or anonymized within a commercially reasonable period, typically not exceeding six (6) months, unless a legal obligation (e.g., for contractual disputes under Dutch Civil Code) mandates a longer retention period, which shall be no longer than the statutory limitation periods prescribed under Dutch law.

To safeguard the confidentiality, integrity, availability, and resilience of the Processing systems and services, we implement appropriate technical and organizational measures, adhering to Article 32 GDPR. These measures include, but are not limited to, pseudonymization where feasible, end-to-end encryption for data in transit (TLS 1.3), restricted access controls based on the principle of least privilege, and regular penetration testing of our infrastructure hosted within the European Economic Area (EEA).

In the event of a Personal Data Breach, as defined by Article 4(12) GDPR, trybTest will take immediate steps to secure the data and, where required, notify the Autoriteit Persoonsgegevens within seventy-two (72) hours of becoming aware of the breach, as mandated by the GDPR. If the breach poses a high risk to the rights and freedoms of the Venturist, individual notification will follow without undue delay.


User Rights Under Dutch and EU Law

As a data subject residing in the Netherlands, you possess specific rights concerning your Personal Data under the GDPR, which trybTest fully respects and facilitates:

  1. Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether or not Personal Data concerning you are being Processed, and, where that is the case, access to the Personal Data and specific supplementary information regarding the Processing activities.
  2. Right to Rectification (Article 16 GDPR): You may request the immediate correction of inaccurate Personal Data concerning you or the completion of incomplete Personal Data.
  3. Right to Erasure ("Right to be Forgotten") (Article 17 GDPR): You may request the erasure of your Personal Data without undue delay, subject to exceptions provided under Article 17(3) GDPR (e.g., where Processing is necessary for compliance with a legal obligation).
  4. Right to Restriction of Processing (Article 18 GDPR): You may request the restriction of the Processing of your data under certain circumstances, such as when contesting the accuracy of the data.
  5. Right to Data Portability (Article 20 GDPR): You have the right to receive the Personal Data concerning you, which you have provided to a Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another Controller without hindrance.

To exercise any of these rights, Users must submit a verifiable request in writing to our designated Data Protection Officer (DPO) via the contact details provided below. We will respond to such requests within the statutory one-month period required by the GDPR, reserving the right to extend this period by two further months where necessary, taking into account the complexity and number of requests.


International Data Transfers

Given that trybTest utilizes cloud infrastructure that may involve data storage or Processing outside the European Economic Area (EEA), we confirm that any transfer of Personal Data outside the EEA will only occur if adequate safeguards are in place, in compliance with Chapter V of the GDPR.

Transfers outside the EEA are primarily secured through the use of the European Commission's Standard Contractual Clauses (SCCs), as updated following the Schrems II decision, ensuring that the level of protection afforded to Personal Data is not undermined. Before such transfers, we conduct a Transfer Impact Assessment (TIA) to evaluate the recipient country's legal framework concerning access by public authorities, particularly government surveillance, aligning with guidance from the European Data Protection Board (EDPB).

For transfers to jurisdictions deemed adequate by the European Commission (e.g., UK adequacy decision), the SCCs or binding corporate rules may not be the primary mechanism, but compliance with those existing adequacy frameworks is strictly maintained. Users will be notified of any significant change in the jurisdiction where their primary data storage occurs.


Contact and Complaints Procedure

If you have any questions regarding this Privacy Statement, our data Processing practices, or wish to exercise your Data Subject Rights, please contact our Data Protection Officer (DPO) at:

Data Protection Officer (DPO):
Email: privacy@trybtest.com
Address (for formal correspondence):

Should you believe that our Processing of your Personal Data violates the GDPR or other applicable Dutch privacy legislation, you have the right to lodge a complaint with the supervisory authority responsible for data protection in the Netherlands.

Supervisory Authority:
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 33
2594 AM Den Haag
The Netherlands

Lodge a complaint via the AP's official channels. trybTest encourages Users to first contact our DPO to seek resolution before escalating matters to the Authority.