Privacy Policy

The data controller for personal data processed in connection with deepsnow.tech is SnowLabs Limited (CRO No. 799095), a private company limited by shares registered in Ireland, with its registered office at Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Co. Cork, T23 AT2P, Ireland. Where context requires, references to "DeepSnow", "we", "us", and "our" in this policy include affiliates within the DeepSnow group acting as joint or independent controllers for specific processing activities.

You may contact our Data Protection point of contact via the contact form on the homepage (Topic: Privacy / GDPR), by email to privacy@deepsnow.tech, or by post at the address above marked "Data Protection". We do not currently have a designated Data Protection Officer; we will appoint one if and when our processing meets the thresholds in Article 37 GDPR. The lead supervisory authority for our processing is the Irish Data Protection Commission ("DPC"), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland; www.dataprotection.ie.

This Policy describes how we process personal data collected through the Site (deepsnow.tech and any subdomain we operate), the Investor Portal, our public forms (pilot-request, contact, newsletter), our email correspondence, our physical post, and our analytics and security tooling. It does not cover personal data processed in the context of an executed commercial agreement (such as a pilot agreement, licensing agreement, or supplier contract); those are governed by the data-protection clauses of that specific agreement and, where applicable, a separate data-processing agreement.

We do not intentionally collect or process any special category of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning a natural person’s sex life or sexual orientation). You should not submit any such data to us through the Site. If you inadvertently submit special-category data, you consent to its limited processing solely for the purpose of safely deleting it or, where it is legally necessary to retain (for example, as evidence in a regulatory or judicial proceeding), to that retention on the legal basis that applies.

We do not subject you to any decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Where we use AI or machine-learning tools internally (for example, to assist our polymer-discovery research, to triage inbound enquiries, or to evaluate Pilot Programme submissions), a qualified human reviews and is responsible for any decision that materially affects an individual or organisation.

We use a small number of carefully selected sub-processors. Each is bound by a written data-processing agreement that includes the EU Standard Contractual Clauses (where the sub-processor is located outside the EEA) and the security and audit obligations required by Article 28 GDPR.

Some of our sub-processors process personal data outside the European Economic Area — primarily in the United States. Where this occurs, the transfer is governed by appropriate safeguards under Chapter V of the GDPR, including: (a) European Commission adequacy decisions where available (for example, the EU-U.S. Data Privacy Framework where the relevant sub-processor is certified); (b) the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); and (c) supplementary technical, organisational, and contractual measures (including encryption in transit and at rest, pseudonymisation where feasible, strict access controls, and contractual prohibitions on disclosure to non-EEA government authorities except as legally required).

We have conducted Transfer Impact Assessments (TIAs) for each non-EEA sub-processor and will provide a redacted copy to data subjects on reasonable request through the privacy contact above.

To exercise any right above, contact us at privacy@deepsnow.tech or via the contact form on the homepage (Topic: Privacy / GDPR). We may need to verify your identity before responding, particularly where the request relates to sensitive data or could result in disclosure of personal data to a third party — we will request the minimum information necessary for verification (typically confirmation of an email address already on file, or a single matching identifier). We respond to requests within one month of verified receipt; we may extend this period by a further two months where the request is complex or where we have received a number of requests from you, and we will inform you of any extension within the first month with reasons. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act).

We send the DeepSnow newsletter only to subscribers who have opted in via the footer signup or another explicit opt-in mechanism. Each newsletter contains an unsubscribe link that withdraws your consent immediately on click. We will not use your email for direct marketing of third-party products and we do not sell, rent, or share email lists. We do not engage in cross-context behavioural advertising or use cookies to build advertising profiles.

We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, accidental loss, and destruction. These measures include: TLS 1.2+ for all data in transit; encryption at rest for production storage layers; role-based access controls with multi-factor authentication on every administrative account; least-privilege provisioning; regular review of access logs; periodic third-party penetration testing once we cross the relevant scale threshold; centralised secrets management with rotation; secure software-development lifecycle with peer-reviewed code changes; and a documented incident-response process.

No system can be guaranteed impenetrable. We will notify affected individuals and the Irish Data Protection Commission of any personal data breach in accordance with Articles 33 and 34 GDPR. We will notify affected individuals without undue delay and, where feasible, no later than 72 hours after becoming aware of a breach that is likely to result in a high risk to their rights and freedoms.

The Site is directed to professional audiences — resort operators, investors, licensees, scientific collaborators, regulators, and journalists — and is not directed to children under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us via the privacy form (Topic: Privacy / GDPR) and we will delete it.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights with respect to your personal information. These include rights to know what categories of personal information we have collected about you and the sources and purposes of collection; to delete personal information subject to certain exceptions; to correct inaccurate personal information; to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA); to limit the use of "sensitive personal information" (we do not knowingly collect such information); and not to be discriminated against for exercising your rights. To exercise California rights, contact us through the privacy form.

We may update this Policy from time to time to reflect changes in our processing activities, our sub-processor list, or applicable law. Material changes will be highlighted at the top of this page and, where the change affects an active consent (for example, a new processing purpose or sub-processor), we will re-prompt for consent. The "Last updated" date at the top of this page is the date this Policy became effective. Continued use of the Site after a revision constitutes acceptance of the revised Policy except where applicable law requires us to obtain renewed consent.

Privacy enquiries: privacy@deepsnow.tech or the contact form on the homepage (Topic: Privacy / GDPR). For postal correspondence: SnowLabs Limited, attn. Data Protection, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Co. Cork, T23 AT2P, Ireland.