Effective Date: 20 February 2026  |  Last Updated: 20 February 2026

1. Introduction and Identity of the Controller

1.1. Hyperscout ("we," "us," or "our") is committed to protecting the personal data of individuals whose information is processed in connection with the operation of our platform at https://www.hyperscout.io. We provide an AI-driven matchmaking service connecting fashion brands with retailers, and our processing activities encompass data collected directly through our website and platform, as well as data obtained indirectly from third-party sources and publicly accessible websites.

1.2. The data controller responsible for the processing described in this Privacy Policy is:

Hyperscout, Bazarstraat 44, The Hague, the Netherlands.

Email: privacy@hyperscout.io.

Hyperscout is registered in the Netherlands, currently transitioning from a sole proprietorship to a besloten vennootschap met beperkte aansprakelijkheid (BV). Under Article 3(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), the processing activities described herein fall within the scope of the GDPR by virtue of being carried out in the context of our EU establishment.

1.3. Hyperscout has not appointed a Data Protection Officer at the date of this Policy. All privacy inquiries, data subject requests, and complaints should be directed to privacy@hyperscout.io.

2. Scope and Application

2.1. The present Policy applies to the following categories of data subjects: (a) representatives and employees of brands that subscribe to the Platform ("Brand Users"); (b) representatives and employees of retailers whose profiles appear on the Platform ("Retailer Contacts"); (c) buyers at retail organisations whose contact details are obtained through third-party enrichment tools ("Buyers"); (d) visitors to the Hyperscout website; and (e) individuals who communicate with us by email or other channels.

2.2. Where we act as a data processor on behalf of a client or reseller partner, the processing shall be governed by a separate Data Processing Agreement concluded in accordance with Article 28 GDPR. In all other respects, we act as an independent controller, and the provisions of this Policy shall apply.

3. Categories of Personal Data We Process

3.1. Depending on the category of data subject, we may process some or all of the following personal data:

Brand Users and Platform Subscribers: Full name, business email address, telephone number, job title, company name, account credentials, and billing information.

Retailer Contacts: Name, business address, business telephone number, business email address, and job title, as extracted from publicly accessible pages of the retailer's own website (typically footer, contact, or "about" pages).

Buyers (Indirectly Obtained Data): Full name, professional email address, business telephone number, LinkedIn profile URL, job title, and employing organisation. Categories of data obtained via third-party enrichment providers are set forth in Section 7 below.

Website Visitors: IP address, browser type, operating system, referring URL, pages visited, duration of visit, and cookie identifiers (further described in our Cookie Policy).

Correspondents: Name, email address, and the content of communications directed to us.

4. Purposes and Legal Bases for Processing

4.1. We process personal data for the purposes set out below, together with the corresponding legal basis under Article 6(1) GDPR:

4.1.1. Performance of the matchmaking service and contract administration (Article 6(1)(b) GDPR): Processing of Brand User account data, subscription management, invoicing, and delivery of platform features. Where a contractual relationship exists between Hyperscout and the data subject's organisation, and processing is necessary for the performance of that contract, Article 6(1)(b) provides the applicable basis.

4.1.2. Compilation of retailer profiles and generation of Retailer DNA Outputs (Article 6(1)(f) GDPR): Collection and structuring of publicly available retailer information, including brand portfolio, location, and contact details from the retailer's own website, in order to build and maintain the retailer database and to generate our proprietary Retailer DNA profiles. Our legitimate interest lies in operating and improving a matchmaking platform that serves the commercial fashion sector. We have determined, through our Legitimate Interest Assessment, that this processing is necessary for the pursuit of our commercial objectives, that it involves only business contact data already made public by the retailer itself, and that the impact on data subjects is minimal given the professional and public nature of the information. The reasonable expectation of a retailer that publishes its contact details on a public-facing website is that such information may be accessed and used for legitimate business purposes.

4.1.3. Buyer contact enrichment and disclosure to brand clients (Article 6(1)(f) GDPR): Retrieval of buyer identity and professional contact details via third-party enrichment providers (currently Apollo, with Lusha as a backup), and subsequent provision of such data to subscribing brands through the Platform. Our legitimate interest is to facilitate direct business connections between brands and prospective retail buyers, which constitutes the core value proposition of the Service. Safeguards include data minimisation (only professional contact data is processed), the availability of an opt-out and objection mechanism, and the operation of a suppression list to prevent re-enrichment of individuals who have objected. Additional detail for Buyers is provided under the Article 14 notice in Section 7 below.

4.1.4. Website operation, analytics, and security (Article 6(1)(f) GDPR for analytics; consent under Article 6(1)(a) for non-essential cookies): Maintenance and monitoring of the website, protection against misuse and unauthorised access, and analysis of visitor behaviour for the purpose of improving the user experience. Further detail is set out in our Cookie Policy.

4.1.5. Compliance with legal obligations (Article 6(1)(c) GDPR): Where processing is necessary to comply with Dutch tax law, anti-money laundering requirements, or other legal obligations binding upon us.

4.1.6. Communications and enquiries (Article 6(1)(f) GDPR or Article 6(1)(b) GDPR, depending on context): Responding to enquiries submitted via our website contact form, email, or other channels. Where the enquiry relates to the performance of an existing or prospective contract, Article 6(1)(b) applies; in all other cases, our legitimate interest in responding to business correspondence constitutes the applicable basis.

5. Sources of Personal Data

5.1. We collect personal data from the following sources:

Directly from data subjects: Information provided upon account creation, subscription, or correspondence.

From publicly accessible sources: Business contact information scraped from the contact pages, footer sections, and public directories of retailer websites, using our proprietary scraper built with Python and Playwright.

From third-party enrichment providers: Buyer professional contact details obtained from Apollo (primary provider) and Lusha (backup provider). Both providers maintain their own data sourcing practices; we do not control or direct the methods by which Apollo or Lusha originally obtain the data they supply to us.

From reseller partners: Where a reseller partner (such as Pitti Immagine) provides us with lists of retailers or trade show participant information.

6. Recipients and Disclosures

6.1. We may share personal data with the following categories of recipients:

Subscribing brands: Retailer profiles, Retailer DNA Outputs, and (where applicable) buyer contact details are disclosed to brand clients as part of the platform's matchmaking functionality. Once a brand receives buyer contact data, that brand acts as an independent controller for any further use of the data.

Reseller partners: Retailer profiles (name, location, website, brand portfolio) are shared with authorised resellers, including trade show operators, for the purpose of extending our platform's reach. As of the date of this Policy, contact data of exhibitors and visitors are not shared with resellers without the data subject's consent.

Third-party service providers: Cloud hosting providers, payment processors, and analytics tools that process data on our behalf under written data processing agreements.

Professional advisors and authorities: Legal counsel, auditors, or public authorities to the extent required for the establishment, exercise, or defence of legal claims, or to comply with binding legal obligations.

7. Notice for Indirectly Obtained Buyer Data (Article 14 GDPR)

7.1. In accordance with Article 14 of the GDPR, this Section provides specific information to Buyers whose personal data has not been obtained directly from them.

7.2. Controller identity and contact: Hyperscout, Bazarstraat 44, The Hague, the Netherlands; privacy@hyperscout.io.

7.3. Purposes and legal basis: Your professional contact data is processed for the purpose of facilitating business-to-business matchmaking between fashion brands and retail buyers. The legal basis is Article 6(1)(f) GDPR (legitimate interest). Our legitimate interest consists in enabling brands to identify and contact appropriate buying professionals at retail organisations, thereby advancing commercial relationships in the fashion industry.

7.4. Categories of personal data concerned: Full name, professional email address, business telephone number, LinkedIn profile URL, job title, and employing organisation.

7.5. Source of the data: Your data was obtained from third-party business intelligence providers, namely Apollo.io and/or Lusha.com, which compile professional contact information from publicly accessible sources and their proprietary databases. Where applicable, certain business contact details may also have been extracted from the publicly accessible pages of your employer's website.

7.6. Recipients: Your data may be disclosed to subscribing brand clients of the Hyperscout platform for the purpose of direct professional outreach. Once a brand receives your contact data, that brand becomes an independent controller for any subsequent processing.

7.7. International transfers: Where a subscribing brand is established outside the European Economic Area (EEA), disclosure of your data to that brand constitutes an international transfer. Hyperscout takes measures to ensure that appropriate safeguards are in place for such transfers, including the execution of Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented by a transfer impact assessment conducted in accordance with the recommendations of the European Data Protection Board (Recommendations 01/2020, as adopted on 18 June 2021).

7.8. Retention: Hyperscout does not retain enriched buyer contact data in its own database after delivery to the subscribing brand. However, a hashed identifier of individuals who have exercised their right to object is maintained on a suppression list for the purpose of preventing re-enrichment and repeated disclosure. General platform records that may reference the fact that a disclosure was made are retained for a period not exceeding thirty-six (36) months, for audit and accountability purposes.

7.9. Your rights: You have the right to: (a) request access to your personal data (Article 15 GDPR); (b) obtain rectification of inaccurate data (Article 16 GDPR); (c) request erasure of your data (Article 17 GDPR); (d) object to processing based on legitimate interest, at which point we shall cease processing unless compelling legitimate grounds override your interests (Article 21 GDPR); (e) request restriction of processing pending the resolution of a dispute regarding the lawfulness of processing (Article 18 GDPR); and (f) receive your data in a structured, commonly used, and machine-readable format (Article 20 GDPR), where technically applicable. To exercise any of these rights, contact us at privacy@hyperscout.io.

7.10. Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. If you are based in the Netherlands, the competent authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Bezuidenhoutseweg 30, 2594 AV The Hague, the Netherlands. If you are based in Italy, the competent authority is the Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma, Italy. You may also lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

7.11. Timing of notice: In accordance with Article 14(3) GDPR, this notice is provided: (a) at the point at which your contact data is first revealed to a subscribing brand through the Platform interface; (b) at the latest upon our first communication to you, if any; or (c) within one month of obtaining the data, whichever is earliest. A stable version of this notice is permanently accessible at https://www.hyperscout.io/privacy and is incorporated by reference into any contact data export or disclosure made through the Platform.

8. Suppression List and Objection Handling

8.1. We maintain a suppression list containing cryptographically hashed identifiers of individuals who have exercised their right to object under Article 21 GDPR or who have otherwise requested that their data not be processed. The suppression list is checked before any enrichment request is executed or any disclosure is made to a subscribing brand.

8.2. Upon receipt of a valid objection, we shall: (a) add the individual's hashed identifier to the suppression list within five (5) business days; (b) cease any pending disclosure to brands; and (c) notify the data subject that the objection has been recorded. Where we are unable to verify the identity of the requestor, we may request additional information sufficient to confirm that the request originates from the data subject or their authorised representative.

9. International Transfers

9.1. Personal data processed in connection with the Platform may be transferred to recipients outside the EEA. As of the date of this Policy, Hyperscout provides access to at least one client established in Australia. No adequacy decision by the European Commission currently applies to Australia within the meaning of Article 45 GDPR.

9.2. Where transfers are made to recipients in countries lacking an adequacy decision, we rely on Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented by a documented transfer impact assessment. Technical safeguards applied to such transfers include access controls, encryption in transit and at rest, and logging of all data export events.

9.3. Copies of the Standard Contractual Clauses and the transfer impact assessment summary are available upon request by writing to privacy@hyperscout.io.

10. Data Security

10.1. We implement technical and organisational measures appropriate to the risk level of the processing, in accordance with Article 32 GDPR. Current measures include: encryption of personal data at rest and in transit; access restricted to authorised personnel through private key authentication; hosting on cloud infrastructure with documented security certifications; and periodic access review procedures.

10.2. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we shall notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR. Affected data subjects shall be notified where the breach is likely to result in a high risk, as required by Article 34 GDPR.

11. Retention

11.1. We retain personal data only for so long as is necessary for the purposes for which it was collected or as required by applicable law. The following retention periods apply:

Brand User account data: Retained for the duration of the subscription and for a period of thirty-six (36) months following account termination, for audit, billing reconciliation, and legal claims purposes.

Retailer profile data: Retained for as long as the retailer remains active in our database and is periodically reviewed for accuracy. Profiles may be deleted or anonymised upon request.

Buyer enrichment data: Not retained in the Hyperscout database after delivery to the subscribing brand. Suppression list entries are maintained indefinitely, unless the data subject requests removal from the suppression list.

Website visitor data and cookies: Retained for the periods specified in our Cookie Policy.

Correspondence: Retained for twenty-four (24) months from the date of the last communication, unless a longer period is required for legal purposes.

12. Your Rights

12.1. All data subjects whose personal data we process, regardless of the category to which they belong, are entitled to exercise the rights afforded by Chapter III of the GDPR, subject to the conditions and exceptions set forth therein. A summary of these rights is provided in Section 7.9 above, which applies mutatis mutandis to all data subjects.

12.2. Requests may be submitted by email to privacy@hyperscout.io. We shall respond to all valid requests without undue delay and in any event within one (1) month of receipt, in accordance with Article 12(3) GDPR. Where requests are complex or numerous, the response period may be extended by a further two (2) months, and we shall inform the data subject of any such extension and the reasons for it within one (1) month of receipt of the initial request.

12.3. Requests are handled free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee based on administrative costs or refuse to act on the request, as permitted by Article 12(5) GDPR.

13. Italian Regulatory Considerations

13.1. Clients using buyer contact data obtained through the Platform for the purpose of direct marketing communications directed at recipients in Italy should be aware that Article 130, paragraphs 1 and 2, of the Italian Personal Data Protection Code (Decreto legislativo 30 giugno 2003, n. 196, as amended by Decreto legislativo 10 agosto 2018, n. 101) requires prior opt-in consent for unsolicited electronic communications, including email, SMS, MMS, fax, and automated calling systems, regardless of whether the recipient is a natural person or a legal person. The so-called "soft opt-in" exception under Article 130, paragraph 4, applies only where the sender has obtained the email address in the context of a prior sale of a similar product or service, and the data subject was informed and given the opportunity to object.

13.2. Hyperscout does not authorise, facilitate, or assume responsibility for the use of buyer contact data for unsolicited promotional outreach into Italy or any other jurisdiction in breach of applicable direct marketing rules. Clients are independently responsible for ensuring compliance with all electronic marketing legislation applicable in the recipient's jurisdiction before initiating any outreach.

14. Automated Decision-Making and Profiling

14.1. Our Retailer DNA profiling uses algorithmic analysis to classify and score retailers based on attributes such as brand portfolio composition, price point positioning, aesthetic alignment, and market segment. The output of this profiling is a computed score or classification used to recommend potential brand-retailer matches. No decision with legal effects or comparably significant effects on any individual is made solely on the basis of automated processing, within the meaning of Article 22(1) GDPR. Human review is involved in the final stages of any matchmaking recommendation delivered to brands.

15. Changes to this Privacy Policy

15.1. We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or supervisory guidance. Material changes shall be communicated by email to registered Platform users and through a prominent notice on our website. The "Last Updated" date at the top of this Policy indicates the most recent revision. Continued use of the Platform after notification of a material change constitutes acknowledgement of the updated Policy.

16. Contact

16.1. For all privacy-related enquiries, data subject requests, or complaints, please contact:

Hyperscout

Bazarstraat 44, The Hague, the Netherlands

Email: privacy@hyperscout.io

Website: https://www.hyperscout.io