EscherBot Privacy Notice v1.0

Effective Date: 1 January 2026

This Privacy & Data Processing Notice (“Notice”) explains how personal data is processed in connection with EscherBot, an AI-enabled chatbot feature made available by Escher.

This Notice supplements Escher’s general privacy policy (https://www.eschergroup.com/privacy/) and applies only to the use of EscherBot.

1. Controller Details

For the purposes of applicable data protection law, the data controller is:

Escher Group Holdings Limited
The Greenway, Ardilaun Court
112–114 St. Stephen’s Green
Dublin 2, D02 TD28
Ireland

Email: compliance@eschergroup.com

Where EscherBot is made available through or supported by another Escher group company, that Escher group company (responsible for processing your data) acts as the controller, as appropriate.

2. Scope of This Notice

This Notice applies to all users of EscherBot, including:

• Escher employees and contractors;
• customers and their authorised users; and
• partners or other business users granted access.

EscherBot is intended for business and internal use only and is not directed at individuals acting in a personal or consumer capacity.

3. What Is EscherBot?

EscherBot is an AI-enabled feature that provides automated, informational responses to user queries relating to Escher products.

EscherBot:

• is designed to assist with access to product-related information;
• does not perform automated decision-making producing legal or similarly significant effects; and
• does not execute system actions or configurations.

Human oversight is required at all times.

4. Categories of Personal Data Processed

Escher processes limited personal data in connection with EscherBot, which may include:

User Profile Data

• name
• business email address
• organisation / company name
• preferred language

Interaction Data

• user queries submitted to EscherBot
• system-generated responses

Usage and Feedback Data

• including aggregated or user-linked usage metrics, interaction patterns, and feedback provided by users through EscherBot or related feedback mechanisms

Users should not submit sensitive or special category personal data, or unnecessary personal data, when using EscherBot.

5. Purposes of Processing

Personal data is processed for the following purposes:

• to provide access to and operate EscherBot;
• to generate automated responses to user queries;
• to ensure system security and integrity;
• to monitor performance and usage;
• to evaluate and improve EscherBot during trial, pilot, beta, or general availability phases; and
• to comply with legal and regulatory obligations.

6. Legal Basis for Processing

Escher processes personal data in connection with EscherBot on the following legal bases:

• Legitimate interests, including:
  • providing and improving Escher’s products and services;
  • ensuring security and preventing misuse; and
  • enabling efficient access to product information; and
• Performance of a contract, where EscherBot is made available under an existing customer, partner, or employment relationship.

7. AI Transparency & Automated Decision-Making

EscherBot is an AI system that generates automated responses. Responses may be probabilistic and may be incomplete or inaccurate.

EscherBot does not:

• make automated decisions producing legal or similarly significant effects; or
• engage in profiling or automated decision-making under applicable data protection law.

EscherBot is not intended for use in high-risk use cases under the EU Artificial Intelligence Act.

8. Data Sources and Processing Environment

EscherBot retrieves information from configured internal knowledge sources, which may include:

• Microsoft SharePoint;
• Microsoft Dataverse;
• Microsoft Teams, Outlook, and OneDrive (via Microsoft Power Automate).

Personal data is processed within Escher’s controlled Microsoft enterprise environment.

9. Use of AI Models and Training

• User inputs and outputs are not used to train public or third-party AI models.
• Escher data and code are not used by third parties for independent model training.
• Escher retains ownership of all EscherBot outputs.

10. Data Recipients and Processors

Personal data may be accessed by:

• authorised Escher personnel on a need-to-know basis; and
• Escher’s technology providers acting as data processors (including Microsoft), subject to contractual safeguards.

Escher does not share personal data processed through EscherBot with independent third parties for their own purposes.

11. International Data Transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, appropriate safeguards are implemented in accordance with applicable data protection law.

12. Data Retention

• User profile data is retained while the user remains active.
• Interaction data may be logged and retained on a limited basis for security, quality assurance, and service improvement purposes.
• Personal data is not retained longer than necessary for the purposes described in this Notice and is periodically reviewed and deleted.

13. Security Measures

Escher implements appropriate technical and organisational measures to protect personal data, including:

• role-based access controls;
• Microsoft enterprise security controls;
• monitoring and logging; and
• periodic review and data cleansing processes.

14. Your Data Protection Rights

Subject to applicable law, users have the right to:

• access their personal data;
• request rectification or erasure;
• object to or restrict processing; and
• lodge a complaint with a supervisory authority.

Requests may be submitted to compliance@eschergroup.com

15. Updates to This Notice

Escher may update this Notice from time to time.

The most current version will be made available within the product.

16. Contact

For privacy-related questions or requests, please contact:

Email: compliance@eschergroup.com