Terms &
Conditions.

1. Subject Matter and Scope of Services

Description of Services

The Provider operates Truffle, a cloud-based, read-only business intelligence platform ("Platform" or "Services") that enables customers to monitor and measure the visibility of their brands, products, and domains in the outputs of generative artificial intelligence systems, including (without limitation) large language model-based chatbots and AI-powered search engines.

The core functionality of the Services comprises:

• Automated dispatch of synthetic, AI-generated marketing queries to AI model providers via an API gateway;
• Collection and storage of AI-generated response data containing brand mentions and visibility signals;
• Computation and display of brand visibility scores, trend analyses, competitive benchmarking, and actionable recommendations via a web-based dashboard;
• Optional integration with the Customer's existing Google Search Console and Google Analytics accounts for supplementary SEO data ("Google Integration");
• Access to additional analytics modules as made available by the Provider from time to time.

The Services are strictly observational and analytical in nature. The Provider does not influence, modify, optimise, or otherwise interact with the outputs of any third-party AI system. No personal data relating to the Customer's end-consumers is collected, processed, or transmitted in the course of providing the Services.

The Provider reserves the right to modify, enhance, or discontinue features of the Services, provided that the core functionality as described above is not materially impaired. Material changes will be communicated to the Customer with reasonable advance notice.

2. Conclusion of Contract

2.1 Parties

These Terms govern business-to-business (B2B) relationships exclusively. The Services are offered solely to legal persons under public or private law, partnerships with legal capacity, and natural persons acting in the exercise of their commercial or professional activity at the time of conclusion of the contract.

2.2 Registration

The use of the Service requires creating an account ("Account"). By creating an Account, the Customer submits a binding offer to conclude an Agreement for the use of the Services.

The contract is concluded upon the Provider's acceptance of the Customer's offer, communicated by means of a written (including electronic) confirmation or by activating the Customer's account and granting access to the Services.

The Provider reserves the right to decline registration requests without giving reasons.

2.3 Contract Language and Documentation

The contract shall be concluded in English. The contractually agreed text shall be stored by the Provider and made accessible to the Customer on request.

The Provider may require the Customer to execute a separate Data Processing Agreement (DPA) in accordance with Article 28 GDPR before or upon commencement of the Services. Where personal data within the meaning of the GDPR is processed by the Provider on behalf of the Customer, the DPA shall form an integral part of the contractual relationship.

3. Availability

The Provider shall endeavour to make the Platform available on a commercially reasonable basis. The Provider does not guarantee uninterrupted or error-free access, as availability may be affected by scheduled maintenance, necessary emergency interventions, or circumstances outside the Provider's reasonable control, including failures of third-party infrastructure and force majeure events. Planned maintenance will be communicated to the Customer in advance where reasonably practicable. Temporary unavailability does not constitute a defect unless it is attributable to a material breach of the Provider's obligations under Section 8.

4. Obligations of the Customer

4.1 Account Security

The Customer is responsible for maintaining the confidentiality of all account credentials (usernames, passwords, API keys, and OAuth tokens) associated with its account. The Customer shall ensure that access to the account is restricted to authorised users only.

The Customer shall notify the Provider immediately in writing (including by email) if it becomes aware or suspects that any account credentials have been compromised, used without authorisation, or lost. The Provider shall not be liable for any loss or damage arising from the Customer's failure to comply with this obligation. The Customer shall not share account credentials with third parties who are not authorised users of the Customer's organisation. Access is personal to the Customer's organisation and may not be transferred.

4.2 Lawful Use

The Customer shall use the Services exclusively for lawful purposes and in accordance with these Terms, applicable law, and any usage guidelines published by the Provider.

The Customer shall not use the Services to:

• Circumvent, reverse-engineer, decompile, or disassemble the Platform or any component thereof;
• Introduce malware, viruses, trojans, or other malicious code into the Platform or the Provider's infrastructure;
• Conduct automated attacks, denial-of-service attacks, or attempts to gain unauthorised access to the Provider's systems or data;
• Reproduce, sublicense, sell, resell, transfer, assign, or otherwise commercially exploit the Services or any output thereof beyond the scope expressly permitted under Section 5;
• Monitor competitors' brands or domains in a manner that infringes third-party intellectual property rights or constitutes an unfair commercial practice under applicable competition law;
• Misrepresent the source or nature of the data outputs, including presenting AI visibility metrics as endorsements by third-party AI providers.

4.3 Accuracy of Information

The Customer shall ensure that all information provided to the Provider in connection with registration, project configuration, and billing is accurate, complete, and kept up to date. The Customer shall notify the Provider promptly of any changes to its contact, billing, or legal entity details.

4.4 Third-Party Integrations

Where the Customer connects third-party accounts to the Platform (including Google Search Console or Analytics via OAuth), the Customer represents and warrants that it has the authority and all necessary consents to grant the Provider read-only access to the relevant data for the purposes of the Services. The Customer remains solely responsible for compliance with the Terms of Service of any third-party service it connects to the Platform.

4.5 Buyer Persona Data

Buyer personas created by the Customer within the Platform are fictitious marketing constructs and must not incorporate real personal data relating to identified or identifiable natural persons. The Customer is responsible for ensuring that buyer persona definitions comply with applicable data protection law.

5. Granting of Rights and Intellectual Property

5.1 Licence Grant

Subject to the Customer's compliance with these Terms and timely payment of all fees, the Provider grants the Customer a non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Platform and its features during the term of the contract, solely for the Customer's internal business purposes and within the scope of the agreed service package.

This licence does not include the right to:

• Access the Platform's source code, underlying algorithms, or proprietary methodologies;
• Create derivative works based on the Platform or its components;
• Use the Platform or its outputs for the purpose of developing a competing product or service;
• Grant sublicences or transfer access rights to third parties outside the Customer's organisation.

5.2 Customer Data and Output Rights

The Customer retains all rights to the brand data, domain names, and project configurations it inputs into the Platform ("Customer Input Data"). The Provider acquires no ownership rights over Customer Input Data.

The dashboard outputs, visibility scores, trend reports, and analytics data generated by the Platform on the basis of the Customer's configurations ("Output Data") are made available to the Customer for its internal business use during the term of the contract.

The Customer may export, reproduce, and use Output Data for internal reporting, client presentations, and business decisions. The Customer may not publish, sell, or commercially distribute Output Data to third parties without the Provider's prior written consent.

5.3 Provider's Intellectual Property

All rights in and to the Platform, including its software, algorithms, methodologies, databases, trademarks, and documentation, remain exclusively with the Provider or its licensors. Nothing in these Terms shall be construed as transferring any intellectual property rights to the Customer.

Feedback, suggestions, or improvement requests submitted by the Customer to the Provider may be freely used by the Provider for product development without any obligation of compensation, attribution, or confidentiality towards the Customer.

6. Fees, Payment, and Invoicing

6.1 Pricing and Service Packages

The fees for the Services are based on the pricing agreed between the parties at the time of contract conclusion, as set out in the applicable order form, quotation, or pricing page. The Services are invoiced on a monthly subscription or per-brand-monitored basis as specified in the applicable quote.

The Provider reserves the right to adjust its pricing with effect from the next renewal period, provided that the Customer is notified in writing at least 30 days in advance. If the Customer does not object within 14 days of such notification, the adjusted pricing shall be deemed accepted. The Customer's right to terminate the contract in accordance with Section 7 is unaffected.

6.2 Invoicing and Payment Terms

The Customer agrees to pay the fees for the Platform and any applicable Services in accordance with the applicable quote. The Customer will be billed dependent on their subscription term as stated in the applicable quote document. The Customer authorises the Provider to conduct payments by direct debit or as stated in the quote documents. Electronic invoices will be sent to the Customer.

Payment shall be made via the method chosen by the Customer during the registration process. Where payment by direct debit is agreed, the Customer shall ensure that sufficient funds are available in the designated account.

All amounts and fees are exclusive of taxes, duties, levies, tariffs, and other governmental charges ("Taxes"). The Customer shall be responsible for payment of all Taxes and any related interest and/or penalties resulting from any payments made hereunder, other than taxes based on the Provider's net income.

6.3 Late Payment

If the Customer fails to make payment by the due date, the Provider may, without prejudice to any other rights and remedies available under this contract or applicable law:

• Charge default interest at the statutory rate established by Ley 3/2004, de 29 de diciembre, de medidas de lucha contra la morosidad en las operaciones comerciales (implementing EU Directive 2011/7/EU on combating late payment in commercial transactions), currently calculated as the European Central Bank reference rate for its most recent main refinancing operation plus eight (8) percentage points, as published semi-annually by the Spanish Ministry of Finance (Ministerio de Hacienda). Default interest shall accrue automatically from the day following the payment due date without the need for prior notice or formal demand, in accordance with Article 5 of Ley 3/2004;
• Suspend access to the Platform until all outstanding amounts, including accrued interest, have been settled in full, following written notice of suspension with a cure period of seven (7) calendar days. Suspension under this clause shall not constitute a breach of the Provider's obligations under Section 3;
• Engage a debt collection service or initiate legal proceedings before the competent Spanish courts to recover outstanding amounts, costs, and any reasonable expenses of recovery, including legal fees, in accordance with Article 8 of Ley 3/2004, which entitles the creditor to claim a fixed minimum compensation of forty (40) euros per invoice in addition to interest and recovery costs.

6.4 Disputed Invoices

If the Customer disputes an invoice, it must notify the Provider in writing within 5 business days of the invoice date, setting out the reasons for the dispute in reasonable detail. Undisputed portions of an invoice remain payable by the original due date.

7. Term and Termination

7.1 Contract Term

The contract commences on the date of account activation and, unless agreed otherwise in writing, runs for an initial term of 12 months ("Initial Term"). Thereafter, the contract shall automatically renew for successive periods of 12 months ("Renewal Term") unless terminated by either party.

7.2 Ordinary Termination

Either party may terminate the contract by providing written notice 30 days before the end of the then-current Initial Term or Renewal Term. If notice is not given in time, the contract shall renew for a further Renewal Term.

7.3 Extraordinary Termination

Either party may terminate the contract for good cause with immediate effect in writing. Good cause for termination by the Provider shall include in particular:

• The Customer's material or repeated breach of these Terms, including non-payment, if the breach has not been remedied within 14 days of written notice;
• The Customer's insolvency, filing for insolvency proceedings, or appointment of a receiver or administrator;
• The Customer's use of the Services in a manner that is unlawful, fraudulent, or causes material harm to the Provider or third parties;
• The Customer providing materially false information at the time of registration.

Good cause for termination by the Customer shall include in particular:

• A material and persistent failure by the Provider to deliver the core functionality of the Services, where such failure has not been remedied within 30 days of written notice;
• A material adverse change to these Terms imposed by the Provider without the Customer's consent.

7.4 Consequences of Termination

Upon termination of the contract for any reason: (a) the licence granted under Section 5.1 shall immediately cease; (b) the Customer's access to the Platform shall be deactivated; and (c) the Customer shall cease using any Output Data for commercial purposes beyond internal archiving.

Following termination, the Provider shall retain Customer data for a post-termination period as specified in the Privacy Policy, after which it shall be deleted or anonymised. The Customer may request export of its project data prior to or promptly following termination.

Termination shall not affect any accrued payment obligations or any rights and remedies that have arisen prior to the effective date of termination.

8. Warranty

The Services deliver observational analytics derived from querying third-party AI systems. The accuracy, completeness, and consistency of AI-generated outputs are inherently variable and are not within the Provider's control. The warranty provisions below must be read in this technical context.

8.1 Mutual Warranties

Each party represents and warrants to the other that: (a) it is duly incorporated, validly existing, and in good standing under the laws of its jurisdiction of formation; (b) it has full authority to enter into and perform this contract, and all necessary internal approvals have been obtained; (c) this contract constitutes a valid and legally binding obligation of that party, enforceable in accordance with its terms; and (d) entering into and performing this contract does not conflict with or result in a breach of any other agreement, obligation, or applicable law by which that party is bound.

8.2 Platform Performance Warranty

The Provider warrants that, during the term of the contract, the Platform will in all material respects perform as described in the then-current service documentation made available to the Customer ("Documentation"), and that the Provider will not materially reduce the overall functionality of the Services during the term ("Performance Warranty").

If the Customer believes the Provider is in breach of the Performance Warranty, it shall submit a written notice identifying the alleged breach in reasonable detail. The Provider shall then use commercially reasonable efforts to remedy the breach within thirty (30) days of receiving a compliant notice. If the breach cannot be remedied within that period, either party may terminate the contract with immediate effect. In that event, the Provider shall refund any prepaid fees attributable to the unused portion of the remaining term. The remedies set out in this clause constitute the Customer's sole remedy and the Provider's entire liability for breach of the Performance Warranty.

8.3 Legal Compliance Warranty

The Provider warrants that its provision of the Services will comply with all laws and regulations applicable to the Provider in its capacity as a SaaS operator and data processor.

8.4 Warranty Exclusion

The Performance Warranty and Legal Compliance Warranty in Sections 8.2 and 8.3 do not apply where the issue or defect arises from: (a) data, configurations, or instructions provided by the Customer; (b) misuse, unauthorised modification, or use of the Platform other than in accordance with the Documentation; (c) the behaviour, unavailability, or changes to third-party AI providers or external platforms on which the Services depend; (d) use of the Services during a free trial, evaluation period, or beta access; or (e) the Customer's failure to fulfil its obligations under Section 4.

8.5 Disclaimer

EXCEPT AS EXPRESSLY PROVIDED IN SECTIONS 8.1, 8.2, AND 8.3, THE PROVIDER PROVIDES ITS SERVICES ON AN "AS IS" AND "AS AVAILABLE" BASIS AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, GRANTS NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO ITS SERVICES (INCLUDING ALL CONTENT CONTAINED THEREIN), INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. THE PROVIDER DOES NOT REPRESENT OR WARRANT THAT (A) ITS SERVICES WILL BE UNINTERRUPTED, SECURE, OR ERROR FREE, (B) ANY DEFECTS OR ERRORS IN ITS SERVICES WILL BE DISCOVERED OR CORRECTED, OR (C) THAT ANY CONTENT OR INFORMATION THE CUSTOMER OBTAINS ON OR THROUGH THE PROVIDER'S SERVICES WILL BE ACCURATE, COMPLETE, CURRENT OR APPROPRIATE FOR THE CUSTOMER'S PURPOSES.

The Customer acknowledges that (a) the Platform and its outputs constitute analytical data only and do not amount to legal, financial, marketing, or any other form of professional advice; (b) data derived from third-party AI systems may be incomplete, inconsistent, or subject to error, and should not be treated as authoritative; (c) the Customer bears sole responsibility for critically assessing all outputs, scores, and recommendations generated by the Services before making any business decision; and (d) given the rapid and ongoing development of generative AI technologies, the Provider cannot guarantee continued compatibility with any specific AI provider, model version, or third-party platform.

Data derived from third-party AI systems — including but not limited to OpenAI, Google Gemini, Anthropic Claude, and Perplexity — may be incomplete, inconsistent, probabilistic, or subject to error. Such outputs reflect the state of the relevant AI system at the time of querying and do not constitute endorsements, recommendations, or verified factual statements by those AI providers or by the Provider. AI-generated brand visibility scores are retrospective and probabilistic in nature; they do not constitute forecasts or guarantees of future AI behaviour, market performance, or commercial outcomes, and must not be used as the sole basis for any commercial, investment, regulatory, or strategic decision.

8.6 EU AI Act Disclaimer

The Provider operates the Platform in a manner consistent with its obligations under Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the "EU AI Act") as its provisions become applicable according to the Act's phased implementation schedule. The parties acknowledge and agree as follows:

The Platform functions as a read-only monitoring and analytics tool that submits synthetic queries to third-party AI model providers and analyses their outputs. The Provider considers the Platform to constitute a tool that interacts with general-purpose AI models (GPAI models) within the meaning of Article 3(63) of the EU AI Act, but does not itself constitute a high-risk AI system within the meaning of Article 6 and Annex III of the EU AI Act as currently in force. The Provider makes no representation as to the classification, compliance status, or conformity assessment of the underlying third-party AI models or AI systems whose outputs are monitored through the Platform.

The Customer is solely responsible for assessing whether its own use of the Platform's outputs — and any decisions made on the basis of those outputs — complies with the EU AI Act, any applicable sectoral AI regulation, and any guidance issued by the Spanish AI Supervision Authority (Agencia Española de Supervisión de la Inteligencia Artificial — AESIA) or the European AI Office.

The Customer covenants that it will not use the Platform's outputs as an automated decision-making tool without meaningful human oversight, and acknowledges that the outputs are designed to inform human decision-making processes rather than to replace them. This covenant is given in recognition of the fundamental principle of human oversight established under Article 14 of the EU AI Act.

8.7 No Reliance Covenant

The Customer affirmatively covenants and agrees that it will not rely on any Output Data, visibility score, trend analysis, or recommendation generated by the Platform as the sole or primary basis for any commercial, financial, legal, regulatory, or strategic decision. The Customer further covenants that, in any regulated industry context, it will apply all sector-specific requirements governing the use of AI-generated data independently of and in addition to the terms of this contract.

9. Limitation of Liability

9.1 Exclusion of Consequential Damages

Except where a claim constitutes an Excluded Claim as defined in Section 9.3, neither party nor its sub-processors, suppliers, or licensors shall bear any liability arising out of or in connection with this contract for loss of use, loss of revenue, loss of profit, loss or corruption of data, failure of security mechanisms, business interruption, loss of goodwill, or any indirect, special, incidental, reliance-based, or consequential loss or damage of any nature, even where that party has been advised of the possibility of such loss or damage in advance.

This exclusion applies to the fullest extent permitted by applicable Spanish law. In accordance with Articles 1101 and 1107 of the Spanish Código Civil, liability under this contract is limited to damages that were foreseeable at the time of contracting as a probable consequence of non-performance. Nothing in this Section 9.1 shall be construed to exclude or limit liability for damages caused by the Provider's wilful misconduct (dolo) or fraud, which cannot be excluded in advance by contractual agreement pursuant to Article 1102 of the Código Civil, nor liability for damages caused by gross negligence (culpa grave).

9.2 Aggregate Liability Cap

Except where a claim constitutes an Excluded Claim, the total aggregate liability of either party — and of its respective sub-processors, suppliers, and licensors — arising out of or in connection with this contract, whether in contract, tort, or otherwise, shall not exceed the total fees paid or payable by the Customer to the Provider in the twelve (12) months immediately preceding the date on which the event giving rise to the relevant claim first occurred.

Nothing in this Section 9.2 shall be construed to cap or limit: (a) liability for damages caused by wilful misconduct (dolo) or fraud; (b) liability for personal injury or death caused by negligence; (c) either party's indemnification obligations under Section 10 to the extent they constitute Excluded Claims; or (d) liability for unlawful processing of personal data under Article 82 GDPR and Article 43 LOPDGDD.

9.3 Excluded Claims

For the purposes of Sections 9.1 and 9.2, "Excluded Claims" means: (a) either party's breach of the confidentiality obligations under Section 12, excluding however any claims relating to the Customer's own data; and (b) either party's indemnification obligations under Section 10.

9.4 Scope and Survival

The exclusions and limitations set out in this Section 9 apply regardless of the legal basis or form of the claim, whether arising in contract, tort, strict liability, or otherwise. They shall remain in full force and continue to apply even where any limited remedy provided elsewhere in this contract is found to have failed of its essential purpose.

10. Indemnification

10.1 Indemnification by the Provider

The Provider shall defend, indemnify, and hold harmless the Customer against any damages and costs awarded against the Customer by a court of competent jurisdiction, or agreed by the Provider in a written settlement, arising from a third-party claim alleging that the Platform, when used by the Customer in strict accordance with this contract and the Documentation, infringes or misappropriates a third party's patent, copyright, trademark, or trade secret registered or enforceable within the European Union or any member state thereof.

10.2 Indemnification by the Customer

The Customer shall indemnify and hold harmless the Provider and, at the Provider's written request, shall defend the Provider against any third-party claim — including any damages, costs, and reasonable legal fees awarded or agreed in settlement — to the extent that such claim: (a) alleges facts that, if proven, would constitute a breach by the Customer of its obligations under Section 4 of this contract; or (b) arises from the Customer's business practices, its use of Output Data, or content it submits to or generates through the Platform.

10.3 Procedures

The indemnifying party's obligations under this Section 10 are conditional upon the indemnified party: (a) providing prompt written notice of the claim upon becoming aware of it, without undue delay; (b) granting the indemnifying party exclusive authority to control, direct, and settle the investigation and defence of the claim; and (c) providing all reasonably necessary cooperation, information, and assistance, with the indemnifying party bearing the indemnified party's reasonable out-of-pocket costs incurred in doing so. The indemnifying party may not conclude any settlement that requires the indemnified party to take or refrain from taking any action, make any admission of liability, or incur any financial obligation, without the indemnified party's prior written consent.

10.4 Mitigation

Where an actual or reasonably anticipated third-party claim relates to alleged infringement or misappropriation of intellectual property rights in connection with the Platform, the Provider may, at its sole election and as an alternative to or in connection with any settlement or injunction: (a) procure the rights necessary for the Customer's continued use of the affected functionality; (b) modify or replace the allegedly infringing component of the Platform in a manner that eliminates the alleged infringement without materially reducing overall functionality; or (c) where neither option (a) nor (b) is commercially practicable, terminate this contract and refund to the Customer any prepaid fees attributable to the unused portion of the remaining term.

10.5 Exceptions

The Provider's obligations under Section 10.1 shall not apply where the alleged infringement or misappropriation arises from or is attributable to: (a) any modification of the Platform made by or on behalf of the Customer, or use of the Platform in combination with data, software, or third-party services not provided or approved by the Provider; (b) use of the Platform other than in accordance with the Documentation or this contract; (c) the Customer having concluded a settlement or made any admission of liability in respect of the claim without the Provider's prior written consent; or (d) access to or use of the Platform under a free trial, evaluation licence, or beta arrangement.

10.6 Exclusive Remedy

Save as required by mandatory applicable law, this Section 10 sets out the Customer's sole and exclusive remedy, and the Provider's entire liability, with respect to any third-party claim of infringement or misappropriation of intellectual property rights in connection with the Platform or the Services.

11. Data Protection

11.1 General Compliance

Each party shall comply with its respective obligations under the following data protection framework, which constitutes the applicable legal regime governing the processing of personal data in connection with this contract:

At EU level: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation — GDPR), which is directly applicable in all EU member states including Spain.

At Spanish national level: Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), which supplements and particularises the GDPR in Spain. The LOPDGDD shall be the primary national implementing legislation governing the Provider's processing activities, given that the Provider is established in Spain and the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) is the Provider's lead supervisory authority pursuant to Article 56 GDPR.

11.2 Data Processing Agreement

To the extent that the Provider processes personal data on behalf of the Customer in its capacity as a data processor within the meaning of Article 28 GDPR, the parties shall enter into a Data Processing Agreement ("DPA") on terms fully compliant with Article 28 GDPR and, where the Customer is established in Spain or processes data of Spanish residents, additionally compliant with the requirements of the LOPDGDD and any guidance issued by the AEPD. The DPA shall form an integral part of this contract. In the event of any conflict between the DPA and these Terms with respect to the processing of personal data, the DPA shall prevail.

11.3 Provider's Role as Independent Controller

With respect to account data and usage data collected by the Provider for the purpose of operating and administering the Platform, the Provider acts as an independent data controller. Such processing is governed by the Provider's Privacy Policy. The Privacy Policy does not form part of these Terms and does not create additional contractual obligations, but the Provider undertakes that such processing shall at all times comply with the GDPR and the LOPDGDD as applicable.

11.4 Technical and Organisational Measures

The Provider shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR and, where applicable, the security standards referenced in the LOPDGDD and AEPD guidance. The Customer shall implement equivalent measures within its own systems and shall ensure that all authorised users are informed of and comply with applicable data protection requirements.

11.5 Data Subject Rights

Where the Customer receives a request from a data subject exercising rights under Chapter III GDPR — including the rights of access, rectification, erasure, restriction, portability, and objection — that relates to personal data processed by the Provider on the Customer's behalf, the Customer shall promptly notify the Provider. The Provider shall assist the Customer in fulfilling such requests within the timeframes prescribed by the GDPR and, where the data subject is resident in Spain, within any additional procedural requirements published by the AEPD.

11.6 Unlawful Processing Instructions

Where the Customer instructs the Provider to process personal data in a manner that the Provider reasonably considers to constitute a violation of the GDPR, the LOPDGDD, or any other applicable data protection law, the Provider shall be entitled to refuse such instruction and shall notify the Customer in writing without undue delay, setting out the grounds for its refusal. Refusal of an unlawful instruction shall not constitute a breach of this contract by the Provider.

12. Confidentiality

Each party ("Receiving Party") undertakes to keep strictly confidential all Confidential Information disclosed by the other party ("Disclosing Party") in connection with the contract and not to disclose it to any third party without the Disclosing Party's prior written consent. "Confidential Information" means all non-public technical, commercial, financial, and operational information, including pricing, source code, algorithms, customer data, and business strategies, that is designated as confidential or that the Receiving Party knew or should have known to be confidential.

The confidentiality obligation shall not apply to information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was already lawfully known to the Receiving Party before disclosure; (c) is independently developed by the Receiving Party without use of the Disclosing Party's information; or (d) is required to be disclosed by applicable law, court order, or regulatory authority, provided that the Receiving Party gives the Disclosing Party reasonable prior notice (where lawfully permitted) and assists in seeking a protective order.

The confidentiality obligation shall survive the termination of the contract for a period of three (3) years.

13. Final Provisions

13.1 Governing Law

This contract and all non-contractual obligations arising out of or in connection with it shall be governed by the law of the Kingdom of Spain. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded. Where the Customer is established in Germany or another EU member state, the choice of Spanish law shall not deprive the Customer of the protection afforded by mandatory provisions of the law of the country in which it is established that cannot be derogated from by agreement, pursuant to Article 3(3) of Regulation (EU) 593/2008 (Rome I). EU regulations having direct effect — including the GDPR — apply in all member states regardless of the governing law choice.

13.2 Jurisdiction

The parties submit to the non-exclusive jurisdiction of the courts of Barcelona, Spain, as the primary forum for the resolution of all disputes arising out of or in connection with this contract. Where the Customer is domiciled in another EU member state, the Provider acknowledges that the courts of the Customer's place of domicile shall have concurrent jurisdiction pursuant to Articles 4 and 7 of Regulation (EU) 1215/2012 (Brussels I Recast).

13.3 Written Form

Amendments or supplements to these Terms, including any waiver of this written-form requirement itself, require written form to be effective. Declarations in text form (e.g., email) shall be sufficient unless expressly stated otherwise.

13.4 Amendments to the Terms

The Provider reserves the right to amend these Terms at any time with effect for existing contractual relationships, provided that: (a) the Customer is notified of the amendments in text form (e.g., by email or in-platform notification) with at least 30 days advance notice; and (b) the Customer does not object within 14 days of the notification. In the notification, the Provider shall draw the Customer's attention to its right to object and the consequences of failure to object.

If the Customer objects to the amended Terms, either party may terminate the contract with effect from the date on which the amended Terms would have entered into force, by providing written notice within the objection period.

Notwithstanding the above, the Provider may implement amendments to these Terms with a reduced notice period, or with immediate effect where regulatory deadlines require it, in particular where an amendment is necessary to comply with the EU AI Act (Regulation (EU) 2024/1689) or any implementing regulation, delegated act, or guidance issued thereunder.

13.5 Severability

If any provision of these Terms is found to be invalid, void, or unenforceable under applicable Spanish law, the remaining provisions shall continue in full force and effect and shall not be affected by such invalidity. The parties shall negotiate in good faith a replacement provision that most closely approximates the economic and commercial intent of the original.

13.6 No Waiver

The failure or delay of either party to exercise or enforce any right, remedy, or provision under these Terms on any occasion shall not constitute a waiver of that right, remedy, or provision on any future occasion, nor shall it be construed as an implied modification of this contract or as acceptance of a breach. A waiver shall only be effective if made expressly and confirmed in writing or in a durable text form by the waiving party.

13.7 Assignment

The Customer may not assign, transfer, novate, subcontract, or otherwise dispose of any of its rights or obligations under this contract, in whole or in part, without the Provider's prior written consent. Any purported assignment in breach of this clause shall be void and of no legal effect.

The Provider may assign this contract without the Customer's prior consent only in the following circumstances: (a) to an affiliate or subsidiary within the same corporate group, provided that the assignee assumes all obligations under this contract in writing; or (b) to a successor entity arising from a merger, acquisition, asset sale, or corporate restructuring, provided that the successor assumes all obligations under this contract in writing and the Customer is notified in writing no later than thirty (30) days before the assignment takes effect.

13.8 Entire Agreement

These Terms, together with any applicable order form, Data Processing Agreement, and Privacy Policy, constitute the entire agreement between the parties with respect to their subject matter and supersede all prior negotiations, statements, representations, warranties, and agreements between the parties, whether written or oral, relating to that subject matter.

The general terms and conditions of the Customer shall not form part of this contract, regardless of whether they are referenced in any purchase order, acceptance notice, or other communication issued by the Customer.

14. Scope and Binding Effect

These General Terms and Conditions ("Terms") govern all contractual relationships between ZDS Zander Digital Services S.L. ("Provider") and its business customers ("Customer") in connection with access to and use of the Truffle platform and all associated services. By registering for or using the Services, the Customer agrees to be bound by these Terms. Deviating, conflicting, or supplementary Terms and conditions of the Customer shall not form part of the contract unless the Provider has expressly agreed to their applicability in writing.

15. Contact

Provider: ZDS Zander Digital Services S.L.

Address: c/ Rosselló 188 4C, 08008 Barcelona, Spain
Email: hello@runtruffle.com
Web: runtruffle.com