This Privacy Policy (the "Policy") describes how we (as defined below) collect, share and use any information which, used alone or in combination with other information, relates to you ("Personal Data") when you ("you" and "your", "User") create an account and access the intelligent assistant ("Tooli") made available to you on the website www.tooli.be.

Please take the time to read this Policy carefully. If you have any questions or comments, please contact our data protection officer at the following address: gdpr@buildwise.be.

For the purposes of this Policy, Buildwise, which has its registered office at Kleine Kloosterstraat 23, 1932 Zaventem, registered with Banque-Carrefour des Entreprises de Belgique (Belgian Crossroads Bank for Enterprises) under number 0407.695.057, ("Buildwise", "we", "our") operates Tooli together with its partner organisations (Embuild, Bouwunie and Constructiv, the "Partners").

Depending on the nature of the User's query and the User's access rights, Tooli can activate a Partner’s Module and automatically routes the request to the most relevant module. When a partner module is used, the User's query is processed by the relevant Partner module within the Tooli environment, and the response is displayed transparently as coming from that module.

Buildwise and the Partners jointly determine the purposes and means of the processing of Personal Data carried out through Tooli and therefore act as Joint Controllers within the meaning of article 26 GDPR. Their respective roles are set out in a joint controllership arrangement. Buildwise acts as the single point of contact for data subjects (gdpr@buildwise.be), but Data subjects may exercise their GDPR rights against any joint controller.

All processing is governed by the Tooli Promise. The Tooli Promise is a set of commitments made by Buildwise and the Partners regarding how User data is handled within Tooli, including data protection, security and the ethical use of AI. It notably provides that User data is secured, not used to train AI models nor shared with third parties.

In addition, the User acts as Data Controller for the content the User enters into Tooli (prompts, documents, questions and any other input), and Buildwise acts as Processor under article 28 GDPR for such content, in accordance with the data processing agreement between the User and Buildwise.

This Policy sets out Buildwise's commitments regarding data protection and the measures implemented to ensure the security and confidentiality of your personal data. It also specifies the rights you have in this regard and the practical procedures for exercising them with us.

The types of Personal Data that we collect, and the reasons why weprocess them include:

If we were to request other Personal Data not mentioned above, wewould clearly indicate to you, at the time of collection, the nature of theinformation requested and the reasons for such request.

Some Personal Data may also be obtained indirectly, for examplewhen a User associates you with their account in order to allow you to accesstheir space.

Furthermore, we may automatically collect certain technicalinformation relating to your device. This may include your IP address, the typeof device used, unique identifiers, browser type, approximate location (countryor city) as well as other technical data. We may also collect informationrelating to your interaction with Tooli, such as pages viewed or linksselected. This data helps us to better understand the profile of Tooli Users,where they come from and the content that is of interest to them. It is usedfor internal analysis purposes and to improve the relevance and overallexperience of Tooli.

Some of this information may be collected by means of cookies orsimilar technologies, in accordance with our Cookie Notice available at https://help.tooli.be/en/legal/cookie-policy.

Generally speaking, the Personal Data collected is used only forthe purposes described in this Policy or those brought to your attention at thetime of collection. We may however process it for other purposes, provided thatthey are compatible with the purposes initially communicated and authorised bythe applicable Data Protection Law.

We may forward your Personal Data to the following categories ofrecipients:

• Technical service providers and processors: developers, hosting providers, providers of analysis or support tools, acting under strict instructions from Buildwise. We require these processors to process Personal Data and act strictly in accordance with our instructions and to take appropriate measures to ensure that Personal Data remains protected.
• Authorities or public bodies: to any competent law enforcement body, regulator, government agency, court, or other third party, where we believe that disclosure is necessary pursuant to applicable laws or regulations, or in order to establish or defend our rights, or in order to protect your vital interests or those of any other person.
• External advisers: auditors, advisers, legal representatives and similar agents in connection with the advisory services they provide to us and subject to confidentiality undertakings.
• Authorised third parties: to any other person where you have given your prior consent to the disclosure.

In accordance with this Policy, we shall process Personal Data as follows:

a) Fairness: Personal Data shall be processed fairly and transparently. We undertake to provide clear information on the processing methods and to act in accordance with the legislation in force.
b) Lawfulness: No processing shall be carried out without a valid legal basis; any use of Personal Data shall be based on a lawful basis.
c) Purpose limitation: Personal Data shall only be collected and processed for specified, explicit and legitimate purposes. It shall not be subject to any subsequent use incompatible with these initial purposes.
d) Data minimisation : seules les données nécessaires sont traitées.d) Data minimisation: The data is adequate, relevant and limited to what is necessary with regard to the purposes for which it is processed.
e) Accuracy: We shall implement reasonable measures to ensure that Personal Data is accurate, complete and, if necessary, regularly updated. However, you remain obliged to notify us without delay of any modification or inaccuracy in order to maintain the accuracy of your information.
f) Integrity and confidentiality: Personal Data is processed in a manner ensuring its security, including protection against unauthorised access, unlawful processing, loss, destruction or accidental damage, by means of appropriate technical and organisational measures.
g) Accountability: Buildwise assumes responsibility for compliance with these principles and is able to demonstrate, at any time, the compliance of the processing implemented, in particular through the maintenance of adequate documentation, the establishment of internal procedures and the carrying out, where required, of impact assessments or compliance audits.

We use appropriate technical and organisational measures to protect the Personal Data that we collect and process about you. The measures that we use are designed to provide a level of security appropriate to the risk of processing your Personal Data. The security measures that we implement include in particular:

• Encryption of data in transit and at rest: All communications are protected by HTTPS/TLS (TLS 1.3, with support for TLS 1.2 if necessary). Data is encrypted at rest.
• IStrict environment isolation (tenant isolation): Each organization’s data (conversations, configurations, user accounts, audit logs, MCP connections) is logically isolated and protected against any inter-tenant access.
• Strict environment isolation (tenant isolation): Each organization’s data (conversations, configurations, user accounts, audit logs, MCP connections) is logically isolated and protected against any inter-tenant access.
• Strengthened authentication and short-lived sessions: Short-lived access tokens and rotating refresh tokens are used to reduce risks. We support local authentication, Buildwise SSO, Google Authentication, and Azure AD / Entra ID.
• Access controls and the principle of least privilege: Each user, agent, or tool can operate only within the permissions explicitly granted to them. No internal mechanism allows to bypass authorization constraints making use of AI.
• Auditability and structured logging: We record all security-relevant events: authentication attempts, permission changes, suspicious activity, data access, agent/tool executions, and migrations. All sensitive data is automatically masked.
• Operational protection and abuse prevention: Rate-limiting mechanisms protect against abusive automated use or attacks.
• Ephemeral data processing by model providers: When an external model (Azure, AWS Bedrock, Google) is used, data is processed only in memory and is never stored or reused for training.
• External intrusion test: An independent intrusion test was performed in November 2025, and all identified critical vulnerabilities have been fixed.

Your Personal Data may be transferred to and processed incountries other than the one in which you reside. These countries may have dataprotection laws which differ from the laws of your own country and in certaincases, be less protective.

Morespecifically, our servers are located within the European Economic Area (EEA).

However, it is possible that some of our service providers orsuppliers (for example, IT or hosting solutions) are established outside theEuropean Economic Area (EEA) or process data from a third country. In thiscase, we ensure that these transfers are governed in accordance with Chapter Vof the GDPR and that an adequate level of protection is guaranteed.

To this end, we use one or more of the following mechanisms: anadequacy decision of the European Commission; the standard contractual clausesadopted by the European Commission, together with, where appropriate,supplementary measures; any other appropriate safeguard provided for by GDPR.

We do not transfer any data outside the EEA without havingimplemented these safeguards and without ensuring that Data subjects haveenforceable rights and effective remedies.

We retain the Personal Data that we collect from you where we have a legitimate business need (for example in order to provide you with a service that you have requested or to comply with applicable legal requirements).

Therefore, we retain Personal Data for the following periods:

• For the creation and management of your user account: up to 2 years from the last activity;
• For statistical analysis of usage and growth: upto 2 years from the last activity.

Where we no longer have a legitimate business need to process yourPersonal Data, we anonymise it, or we delete it or if this latter action is notpossible (for example, your Personal Data has been stored in backup archives),we retain it securely and isolate it from any further processing until deletionis possible.

You have the following data protection rights, which you may exercise by contacting us at the address gdpr@buildwise.be.

1. Right of access, rectification, updating and erasure: you may request to access your Data, to correct it if it is inaccurate, to update it or to request its deletion.
2. Right to object, restriction and portability: in certain circumstances, you may object to the processing of your Data, request the restriction of its use or seek the portability of your Data to you or to a third party.
3. Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time. This withdrawal shall not affect the legality of processing carried out prior thereto, nor processing based on other legal grounds (such as contract or legal obligation).
4. Right to lodge a complaint: if you have concerns regarding the manner in which we process your Data, we invite you to contact us in the first instance. If you consider that your request has not been sufficiently addressed, you have the right to lodge a complaint with the competent supervisory authority, such as the Belgian Data Protection Authority
   • Rue de la Presse 35, 1000 Bruxelles
   • Tél. : +32 (0)2 274 48 00
   • Courriel : contact@apd-gba.be
   • Site : www.autoriteprotectiondonnees.be

Data subjects may exercise theirGDPR rights against any joint controller: gdpr@Buildwise.be - privacy@embuild.be - privacy@constructiv.be

We respond to all requests that we receive from individualswishing to exercise their rights relating to the protection of their PersonalData in accordance with the applicable Data Protection Laws.

We may revise this Policy from time to time in order to reflect changes in legal, technical or organisational requirements. In the event of a material amendment, we shall take appropriate steps to inform you thereof, depending on the nature and impact of the changes.

The date of the last update appears at the top of this Policy and allows you to verify the most recent version.

If you have any questions regarding the processing of your Personal Data or if you wish to exercise your rights, please contact us by email at the address gdpr@buildwise.be.