Privacy Policy

NanoConduct S.A. ("NanoConduct S.A.", "we", "us") is the data controller responsible for your personal information. We are incorporated under the laws of the Oriental Republic of Uruguay with registered address at Ruta 8, Km 17.500 — Parque Tecnológico del LATU, Montevideo, Uruguay CP 12500.

For privacy-related inquiries, contact our Data Protection Officer:

Email: privacy@nanoconduct.com

Postal: Attn: DPO, NanoConduct S.A., Ruta 8 Km 17.500, Montevideo, Uruguay

We collect information you provide directly and information generated through your use of our services:

Contact & Commercial Data

—Name, job title, company name, business email, phone number

—Inquiry type, product interest, technical requirements

—Quote requests, sample orders, and correspondence records

Technical Data

—IP address, browser type and version, operating system

—Pages visited, time on site, referral source (via server logs)

—Cookie identifiers (see Section 7)

Transaction Data

—Purchase history, invoice records, payment method (not card details — processed by third-party gateway)

—Shipping addresses for sample deliveries

We do not collect special categories of personal data (health data, biometric data, etc.) through this website.

We process your personal data under the following legal bases:

—Contractual necessity: To fulfill product orders, process samples, and deliver customer support

—Legitimate interests: To respond to technical inquiries, prevent fraud, and improve our website

—Legal obligation: To maintain accounting records and comply with export control regulations (DUAL-USE goods)

—Consent: For marketing communications (you may withdraw at any time)

Where our processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of prior processing.

Your information is used strictly for the following purposes:

—Processing and fulfilling product inquiries, quotes, and orders

—Sending technical documentation (TDS, SDS, COA) upon request

—Customer account management and order tracking

—Technical support and after-sales assistance

—Compliance with export regulations and trade compliance (ECCN, EAR, REACH)

—Product safety notifications and SDS updates as required by GHS/OSHA

—Aggregate website analytics (anonymized — no individual profiling)

—Direct marketing communications (only with explicit consent or existing customer relationship)

We do not sell, rent, or trade your personal data. We share data only where necessary:

**Service Providers** (data processors under contract):

—Cloud hosting: AWS (São Paulo region, Brazil)

—CRM platform: Salesforce (with EU Standard Contractual Clauses)

—Email delivery: SendGrid / Twilio

—Payment processing: Stripe (PCI-DSS Level 1 certified)

—Freight and logistics partners (for sample shipments only)

**Legal & Regulatory**:

—Government authorities or courts where required by applicable law

—Export control agencies for shipments classified under dual-use goods regulations

All third-party processors are bound by data processing agreements requiring equivalent protections.

We retain personal data for the minimum period necessary:

After retention periods expire, data is securely deleted or anonymized.

We use a minimal set of cookies:

**Strictly Necessary** (no consent required):

—Session cookie: Maintains form state across page navigation (expires: session)

—CSRF token: Security protection for form submissions (expires: session)

**Analytics** (consent required):

—We use privacy-respecting, self-hosted analytics. No Google Analytics, no Meta Pixel, no cross-site tracking.

You can configure cookie preferences at any time. Disabling strictly necessary cookies may affect form functionality.

Under applicable data protection law (Uruguay Law 18.331 — LPDP; GDPR for EEA contacts), you have the right to:

—Access: Obtain a copy of the personal data we hold about you

—Rectification: Correct inaccurate or incomplete information

—Erasure: Request deletion of your data (subject to legal retention obligations)

—Restriction: Limit how we process your data in certain circumstances

—Portability: Receive your data in a structured, machine-readable format

—Objection: Object to processing based on legitimate interests or for direct marketing

—Withdraw consent: At any time, without penalty

To exercise these rights, email privacy@nanoconduct.com with subject line "Data Rights Request". We will respond within 30 days. Identity verification may be required.

We implement appropriate technical and organizational measures:

—TLS 1.3 encryption for all data in transit

—AES-256 encryption for data at rest

—Role-based access control with principle of least privilege

—Annual penetration testing and quarterly vulnerability scans

—ISO 27001-aligned information security management practices

—Employee data protection training (annual)

—Incident response plan with 72-hour breach notification capability (per GDPR Art. 33)

No method of transmission over the Internet is 100% secure. We continuously improve our security posture.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify existing customers of material changes via email at least 30 days before they take effect.

The "Last Updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of our services after the effective date constitutes acceptance of the updated policy.