GENERAL TERMS AND CONDITIONS

Version 2026.03.23

Provider: Webili, SRL, registered with the Crossroads Bank for Enterprises (BCE/KBO) under number 0779541389, with its registered office at 6 chemin du Cyclotron, 1348 Louvain-la-Neuve, Belgium. Hereinafter referred to as "the Provider".

These General Terms and Conditions (hereinafter "GTC" or "Agreement") govern access to and use of the Solution by any natural or legal person (hereinafter "the Client") who has created an account on the Provider's platform.

The Provider and the Client being hereinafter referred to individually as a "Party" and collectively as the "Parties".

1. Preamble

1.1. The Provider develops a SaaS AI voice agent solution for real estate agencies, capable of qualifying the caller, transferring calls, answering callers' questions 24/7 about properties (sale/rental), recording viewing appointments, with mechanisms designed to reduce no-shows. The roadmap includes the addition of agentic functionalities such as automated outbound calls (administrative compliance, lead follow-up, satisfaction surveys, stock replenishment), automated email management and real estate prospecting. The mention of the roadmap in this Article is provided for information purposes only and does not constitute a commitment of the Provider to develop, deliver or maintain any specific feature or timeline.

1.2. The Client wishes to use the Solution and accepts that it may be imperfect, evolving, and that it may produce inaccurate, incomplete responses, or malfunctions.

1.3. These GTC are intended exclusively for Clients acting in a professional capacity (B2B). The Client represents and warrants that it is acting in the course of its professional or business activity when using the Solution. Any person acting primarily for purposes outside their trade, business, craft or profession is not authorised to use the Solution and must not create an account.

2. Definitions

"Property(ies)": the Client's real estate properties (sale/rental) integrated into the Solution.
"Client Data": data provided by the Client or generated on behalf of the Client via the Solution (including Call Data and, where applicable, persisted Conversation Data).
"Call Data": data relating to the call event and its telephony processing, regardless of the content of what is said, including in particular: (i) call identifiers (call ID), calling/called number (or equivalent identifier), (ii) metadata (date/time, duration, status, attempts, pickup, transfer, termination), (iii) telephony/routing data (SIP, queues, redirections, carrier, telecom errors), (iv) operational outcome data (e.g. creation/modification/cancellation of an appointment, time slot, agency/agent, status), and (v) billing data related to the Meter. Exclusion: transcription and analysis fall under Conversation Data.
"Conversation Data": data relating to the content of exchanges during the call and/or any reproduction of such content, including: (i) the Transcription (if enabled), (ii) the Analysis (if enabled), which comprises a summary of the conversation and may include derived data extracted/structured from the conversation (e.g. intent, search criteria, budget, location, reasons, information provided by the caller), (iii) the Audio Recording (if enabled), as well as (iv) where applicable, messages generated by the Solution during the call (AI responses) when they are persisted.
"Transcription": text generated by speech recognition from all or part of the conversation, according to Settings.
"Audio Recording": a digital file (e.g. MP3, WAV) containing the sound recording of the conversation (caller's voice and virtual agent's voice).
"Analysis": a summary generated from the conversation, which may include structured extracted fields (e.g. intent, criteria, contact details, availability, next action), according to Settings.
"Transient Data": data required for real-time processing (e.g. ephemeral audio stream, tokens, temporary prompts/contexts, buffers, intermediate results) not intended for retention and automatically deleted/overwritten within short timeframes depending on the architecture, excluding Technical Logs.
"Technical Logs": technical operational and security records (e.g. timestamps, errors, traces, performance metrics, technical identifiers) retained for diagnostics, security, fraud/abuse prevention and billing, pursuant to Article 10.3.c.
"Persistence Mode": the choice made by the Client in the Solution defining the categories of Conversation Data to be retained (Transcription, Analysis, Audio Recording) and their respective retention periods.
"Settings": configurations made by the Client in the Solution (including in particular: Persistence Mode, enabling/disabling of Transcription, Analysis and/or Audio Recording features, retention periods, enabling/disabling of External Notifications, recipient, integrations).
"External Notifications (Analysis)": an optional feature enabling the sending of a call Analysis to external channels designated by the Client (e.g., email, Slack, CRM, SMS), according to Settings.
"Service Hours": billable time measured by the Meter pursuant to Article 5.5.
"Solution": the Provider's SaaS service (interfaces, APIs, dashboards, AI components, phone number and any present or future component).
"Support": "best effort" assistance pursuant to Article 6.2.
"Meter": the mechanism for measuring Service Hours (timestamped logs / dashboard).
"Sub-processor": a subcontractor of the Provider within the meaning of the GDPR.
"Credits": prepaid units corresponding to Service Hours, purchased by the Client from the Provider and consumed as the Solution is used according to the Meter.
"Credit Balance": the quantity of Credits remaining available in the Client's account, as displayed in the Solution (dashboard), where applicable broken down by batch corresponding to each Activation Date to enable the application of the FIFO rule (Article 5.5).
"Credit Purchase": an operation by which the Client prepays a specified volume of Credits, pursuant to the terms of Article 5.
"Top-up": an additional Credit Purchase made by the Client (manual or automatic if provided), to replenish the Credit Balance.
"Activation Date": the date on which Credits become available after effective receipt of payment by the Provider.
"Credit Validity Period": the period during which Credits may be consumed, as defined in Article 5.7.
"Consumption": any use of the Solution deducted from the Credit Balance, including in particular initiating a call, testing the AI via the trial button, or using the AI agent.
"Inactivity": the absence of any Consumption during a continuous period.

3. Purpose

The Agreement sets out the conditions of access to the Solution, the respective obligations of the Parties, the financial terms, the rules on confidentiality, security and GDPR, as well as the terms of cessation and reversibility.

4. Scope of the Solution

4.1. Description of the Solution and Features. The Solution, accessible by call forwarding to a dedicated phone number, provides: a) Call Handling and Qualification: Automated response to questions about Properties (synchronised from the URL provided by the Client) and qualification of the enquiry; b) Appointment Management: Proposal and booking of viewing appointments according to the rules communicated and on supported connected calendars; c) Notifications and Anti No-show: Sending notifications (email/SMS/calendar/CRM depending on features) including confirmation SMS allowing the caller to modify or cancel their appointment, as well as features designed to reduce no-shows (reminders/confirmations/rescheduling depending on available features); d) Administration: A web interface enabling the Client to configure the Solution, trigger a manual synchronisation of Properties (an automatic synchronisation being carried out periodically only when calls are present), and consult the call log (including duration and, depending on Settings, Transcription, Analysis and/or Audio Recording). Any other interaction channel or any integration not expressly provided for in this Agreement is out of scope and requires prior written agreement of the Parties (accepted quote and/or amendment).

4.2. Persistence at the Client's Choice via Settings: a) Choice of persisted data categories (Transcription, Analysis, Audio Recording); b) Choice of the respective retention periods, within the framework of available options and subject to limitations imposed by the Provider for legal compliance (Article 7.7.e); c) Enabling/disabling of External Notifications (Analysis), and configuration of the recipient.

4.3. 24/7: the Solution is designed to operate 24/7, subject to the limits and exclusions of Article 8.

4.4. Limits / exclusions: a) No obligation of result (leads, appointments, reduction of no-shows, conversion, satisfaction); b) No identity verification of callers; c) No contractual commitment: Responses provided verbally by the AI are purely indicative. The Client acknowledges that the AI does not have the authority to commit the Client contractually (e.g. promise of sale/rental, acceptance of application, validation of price) and that it is the Client's responsibility to confirm any transaction through a written or human channel; d) Responses depend, among other things, on Client Data and Settings: the Provider is not liable for errors arising from inaccurate/outdated/incomplete information provided by the Client; e) Telecom operators and third-party providers may impact the service without liability of the Provider (cf. Article 8.2); f) Persistence choices, retention periods, External Notifications and, more generally, Settings are the Client's responsibility (cf. Articles 7.7 and 10).

4.5. New requirements. The Client may submit additional requirements, change requests or adjustments. The Provider may study, on an exploratory basis, their technical and/or economic feasibility. The integration of these new requirements into the Solution is not guaranteed, except by written agreement of the Parties (accepted quote and/or amendment).

5. Financial Terms

5.1. Prepay principle. Access to and use of the Solution is carried out exclusively on the basis of prepaid Credits. The applicable rates are those displayed on the Provider's platform at the time of the Credit Purchase. Any applicable tax, in particular VAT, is payable in addition in accordance with applicable regulations.

5.2. Credit Purchase – terms. a) The Client purchases a volume of Credits (expressed in Service Hours) via the Provider's platform or by any other means accepted by the Provider. b) Credits are made available on the Activation Date. c) Unless otherwise agreed in writing, a Credit Purchase does not confer any right of exclusivity in favour of the Client.

5.3. Advance payment. a) Payment is due in advance and constitutes a condition for Activation of Credits. b) Payment is made by the payment methods accepted by the Provider and displayed on the platform. c) The Provider provides the Client with the legally required accounting documents.

5.4. Rate changes. The Provider reserves the right to change rates at any time. New rates apply to Credit Purchases made from the date of their publication on the platform. Credits already acquired are not affected by a rate change.

5.5. Credit metering and consumption. a) Consumption is calculated in accordance with this Article 5.5 (AI pickup → end of call), with rounding to the second per call. b) Each call decrements the Credit Balance accordingly. c) The Meter shall be authoritative for Credit consumption, except in the case of a demonstrated manifest error.

5.6. Insufficient Balance – Alerts and Call Management. a) Alerts. The Solution automatically notifies the Client by email (i) when the Credit Balance reaches a predefined low threshold (preventive alert), and (ii) when the Balance is exhausted or negative. b) During a call (Overshoot). If the Balance is exhausted during a call, the Provider reserves the right to terminate the ongoing call as soon as the Balance becomes negative. However, the Provider may, at its sole discretion, endeavour to maintain the call until its completion. Any negative balance noted shall be automatically deducted from the Client's next Credit Purchase (the Balance available after Top-up shall equal the amount purchased minus the prior deficit). c) Subsequent calls (Suspension). Once the Balance is exhausted, new calls are no longer handled by the AI. They are redirected to a voice announcement of technical unavailability ("Technical problem, please call back later"). d) Liability. The Provider is not liable for the consequences of an insufficient Balance (missed calls, error messages, loss of opportunity). The Client is solely responsible for topping up their account in advance.

5.7. Validity – non-refund – expiration. a) Credits are valid for a period of three (3) months from their respective Activation Date. The oldest Credits are consumed first (FIFO rule – First In, First Out). Credits not consumed upon expiration of their Validity Period are definitively forfeited, without compensation or refund. b) Purchased Credits are non-refundable. The Client acknowledges and accepts that this exclusion of refunds is an essential component of the economic balance of the Service, justified by the fact that Credits are primarily used to prepay services from third-party providers (notably telecom operators and AI model providers) who do not always refund the Provider. Accordingly, no refund shall be due, including in the event of cessation of the Service or deletion of the account, regardless of the reason, except where mandatory provisions require otherwise or in the event of cessation due to the exclusive and proven fault of the Provider (Art. 14.1).

5.8. Verification and Time-barring. a) The Client acknowledges having real-time access, via the Solution's interface, to detailed call logs allowing verification of Meter debits. The Client shall verify their consumption at least once a month. b) Consequently, any dispute relating to the Meter and/or Credit consumption must be notified in writing, specifying the calls concerned (call ID), no later than thirty (30) calendar days following the date of the disputed call. c) After this deadline, no claim shall be admissible; the Meter records and associated logs shall be deemed definitively accurate, accepted by the Client, and may no longer be the subject of any request for adjustment or refund. d) In the event of a proven error reported within the deadlines, the sole remedy shall consist, at the Provider's choice, of a Credit Balance adjustment (re-credit) or any equivalent measure.

5.9. Out-of-scope services / By quote. Any assistance or service not expressly included in the Service (as defined in particular in Article 10.5.6.b for GDPR) is provided upon prior quote accepted by the Client.

6. Provider's Commitments

6.1. Access. The Provider provides the Client with access to the Solution, subject to (i) the existence of a positive Credit Balance, and (ii) compliance with the Agreement. The Provider may suspend access in the event of an insufficient Balance in accordance with Article 5.6.

6.2. Support: "Best effort" Support. The Provider shall endeavour to acknowledge receipt of blocking incident reports as soon as possible, with an indicative target of four (4) business hours, without such timeframe constituting an obligation of result. The Provider may modify the organisation of Support at any time.

6.3. Fixes / updates: a) Legal compliance. The Provider may fix, modify, add or remove features at its discretion where necessary to ensure compliance with applicable law (in particular European regulations). No correction timeline is guaranteed. b) Other changes. In the absence of a legal obligation, the Provider may fix, modify, add or remove features at its discretion, without substantially altering the purpose of the Solution as described in Article 4.1. c) Substantial alteration. Where a modification would substantially alter the purpose of the Solution as described in Article 4.1 and is not required by a legal obligation, the Provider shall notify the Client with at least three (3) months' prior notice by email. The Client may cease using the Solution before the modification takes effect and request the export of its Client Data in accordance with Article 13.

6.4. Right of technical suspension: the Provider may suspend/limit all or part of the Solution for technical reasons, security, compliance, maintenance, overload, suspected abuse or attack, without compensation.

6.5. Suspension for breach. a) Serious breach. In the event of a serious breach by the Client (including, without limitation, fraud, use of the Solution for unlawful purposes, infringement of the Provider's intellectual property rights, breach of Article 7.7, or any act threatening the security or integrity of the Solution or its infrastructure), the Provider may suspend or terminate the Client's access immediately and without prior notice, without prejudice to any other right or remedy. b) Other breaches. In the event of any other breach of these GTC, the Provider shall notify the Client in writing, specifying the nature of the breach. If the Client fails to remedy the breach within fifteen (15) calendar days of receipt of such notice, the Provider may suspend or terminate the Client's access, without prejudice to any other right or remedy.

6.6. Discontinuation of the Service. The Provider reserves the right to permanently discontinue the Service, subject to notifying the Client with thirty (30) calendar days' notice by email. The provisions relating to reversibility (Article 13) and the fate of Credits (Article 5.7) shall apply.

7. Client's Commitments

7.1. Data and instructions: the Client provides accurate and up-to-date Property Data, appointment rules, scripts and instructions, and notifies any changes. The Client ensures that the behavioural or tone instructions it transmits are not likely to cause the Solution to generate content that is unlawful, discriminatory, insulting or contrary to public policy. The Client warrants that it holds all necessary rights and authorisations over the URLs, data sources and materials it provides to the Provider, and indemnifies the Provider against any third-party claim arising from the collection, extraction or processing of data from such sources.

7.2. Prerequisites: the Client sets up the necessary redirections/routing, integrations and access. The Client has the option of configuring, at its telecom operator level, a failover redirect rule to a voicemail or internal line, which will automatically activate in the event of non-response or technical unavailability of the Solution's number. In the absence of such configuration, the Provider shall not be held liable for calls lost in the event of an incident. The Client maintains its own systems (telephony, CRM, calendar).

7.3. Use in real conditions: the Client uses the Solution in a live environment and accepts the inherent limitations of an evolving solution.

7.4. Commercial responsibilities: the Client remains solely responsible for: a) validating the information communicated to callers; b) confirming and tracking appointments (duplicates, cancellations, no-shows); c) commercial qualification, lead follow-up, and decisions made based on the Solution's outputs. The Client acknowledges that this responsibility rests entirely with them because, although the interaction is automated via the AI, the AI acts exclusively as a technical executor of the data and instructions defined by the Client, without autonomous judgement or the ability to legally bind the Provider.

7.5. Settings / persistence / external notifications / caller information – Client's responsibility: a) Settings. The Client configures and maintains the necessary Settings (including Persistence Mode, retention periods, External Notifications, recipient, integrations) and ensures that these Settings are consistent with its legal obligations, internal policies, and confidentiality/security requirements. The Client is solely responsible for the Settings it defines. b) Persistence and retention. The Client determines via Settings: (i) whether a Transcription is persisted; (ii) whether an Analysis is persisted; (iii) whether an Audio Recording is persisted; and (iv) the respective retention periods for such data. The Client is solely responsible for the compliance of the retention periods it sets, particularly with regard to the principles of data minimisation and storage limitation, as well as the corresponding information obligations. c) External Notifications (Analysis). If the Client enables External Notifications (Analysis), it is solely responsible for: (i) the recipient (address, list, shared mailbox, channel, workspace), the relevance and legitimacy of access; (ii) the security of the receiving channels on the Client's side (e.g., email, messaging, CRM) (account management, passwords, MFA, internal access, retention, automatic forwarding, archiving); (iii) configuration errors resulting in sending to a wrong recipient or channel; (iv) informing the caller and, where applicable, obtaining required consents for such transfer; (v) the adequacy of the use of Analyses sent to external channels with regard to its internal needs and its obligations (in particular limiting recipients and preventing uncontrolled forwarding/archiving). The Client may disable the feature at any time if it considers the level of detail inappropriate. d) Caller information / telecom and personal data compliance. The Client is solely responsible for the applicable legal notices and obligations, in particular: (i) informing the caller about the use of AI; (ii) informing the caller when the Client enables the persistence of all or part of the Conversation Data (Transcription, Analysis and/or Audio Recording); (iii) informing the caller when the Client enables External Notifications (Analysis) and, more generally, any transfer of Conversation Data to external channels; (iv) providing the required information (purposes, retention periods, recipients/categories of recipients, procedures for exercising rights, etc.) and obtaining any required consent where applicable; (v) compliance of scripts, privacy policies, and any prospecting. The Solution enables the communication of certain information to the caller via an opening message configured by the Client; the Provider may provide examples without guarantee of compliance. For any enabled feature that leads to the persistence of Conversation Data (in particular Audio Recording) and/or the sending of an Analysis to external channels, the Client undertakes either: (i) to inform the caller at the beginning of the call (e.g. "This call may be recorded"), by means of an appropriate opening message, and to provide, where applicable, the additional information required, or: (ii) to disable the relevant feature(s). The Provider assumes no responsibility in the event of failure to inform or failure to disable, nor for the consequences resulting therefrom. Furthermore, the Provider reserves the right, without this constituting a monitoring obligation, to technically impose the broadcasting of a pre-recorded voice message informing the caller of processing by AI and/or the recording of the conversation, where the Settings defined by the Client involve persistence of Conversation Data. The Client shall not circumvent or attempt to conceal this information mechanism when activated by the Provider.

e) Regulatory changes and European legal compliance. The Provider reserves the right to modify the persistence and retention options available in the Solution, as well as to impose minimum or maximum retention periods, where necessary to comply with applicable European law (in particular GDPR, European directives and regulations on data protection, decisions of supervisory authorities). The Provider shall inform the Client of such changes by email with reasonable notice, except in cases of regulatory urgency where the change may be applied immediately with information provided afterwards. The Client acknowledges that such changes are necessary for legal compliance and undertakes to comply with them. In the event of changes to retention periods imposed by the Provider, existing data shall be processed in accordance with the new rules within the reasonable timeframes necessary for their technical implementation.

7.6. Enhanced obligation of means of the Client: the Client maintains an alternative system (e.g. forwarding to a human, voicemail, form) and does not rely exclusively on the Solution for its business.

7.7. Acceptable Use. The Client shall not use the Solution, directly or indirectly, to: (i) engage in any activity that is unlawful, fraudulent, deceptive or harmful; (ii) harass, threaten, intimidate or harm any person, including callers; (iii) transmit content or instructions that are discriminatory, defamatory, obscene or contrary to public policy; (iv) interfere with, disrupt or attempt to gain unauthorised access to the Solution, its infrastructure or any third-party system; (v) generate excessive or artificial call volumes (e.g. spam calls, automated load testing) without prior written authorisation from the Provider; (vi) use the Solution, its outputs or any data derived therefrom to develop, train or improve a product or service that competes with the Solution; or (vii) facilitate or permit any third party to do any of the foregoing. Any breach of this Article constitutes a serious breach within the meaning of Article 6.5.a.

8. Service Levels and Limits

8.1 Availability target. The Solution is provided with a target availability of 99% (excluding planned maintenance). This target is an obligation of means and not of result. The Provider does not guarantee uninterrupted availability. No penalty, discount, service credit or compensation is due in the event of failure to achieve this target.

8.2 Exclusions. Without limitation, the Provider shall not be liable for unavailability/degradation related in particular to telecom operators, routing/redirections/SIP, the Internet, hardware, the Client's systems and integrations, third-party providers, abnormal volumes, fraud/spam/attacks, or Client Data and Settings.

8.3 Sole remedy. The Client's sole remedy under this Article is to report the incident to Support. The provisions of this Article apply subject to the exceptions provided for in Article 14.7.

8.4 Capacity and Fair Use. The Solution is designed to handle a volume of simultaneous calls corresponding to normal usage for a real estate agency. Unless specifically agreed in writing (custom sizing), the processing capacity is limited to ten (10) simultaneous calls redirected to the Solution's number. Beyond this limit: (i) additional calls may be rejected, queued or forwarded to the Client's default voicemail, without this constituting an unavailability of the Service; (ii) the Provider reserves the right to temporarily suspend access in the event of abnormal spikes threatening the stability of the overall infrastructure.

9. Intellectual Property

9.1 Ownership of the Solution. The Solution, together with all of its components (software, interfaces, APIs, models, algorithms, standard configurations, knowledge bases, documentation, trademarks, trade names) and their developments, are and remain the exclusive property of the Provider and/or its licensors. This Agreement does not entail any transfer of intellectual property rights.

9.2 Licence of use. Subject to compliance with the Agreement and prior payment of Credits (and, where applicable, agreed additional services), the Provider grants the Client a non-exclusive, non-transferable and non-assignable licence to access the Solution and use it solely for its internal needs and for the purposes of its business, by its authorised users. This licence is granted for the duration of the Client's use of the Solution.

9.3 Data and content provided by the Client. Client Data remains the property of (or under the control of) the Client. The Client represents and warrants that it holds all necessary rights and authorisations over the data, content and materials provided to the Provider (in particular information relating to Properties) to permit their processing in the context of the Service. The Client indemnifies the Provider against any third-party claim based on such materials.

9.4 Limited licence to the Provider over Client Data. The Client grants the Provider, for the duration of use of the Solution, a non-exclusive licence over Client Data, limited solely to the needs of performing the Service, its administration, maintenance and security, in accordance with the Agreement, the DPA and the Client's Settings.

9.5 Results generated for the Client (outputs). The Client is authorised to use, reproduce and exploit for its internal needs the results generated on its behalf via the Solution (in particular analyses, structured information and appointment data). However, this authorisation does not extend to any fragments of code, system instructions (system prompts), technical configurations or elements constituting the Provider's know-how that may be accidentally revealed or revealed through reverse engineering in the outputs. Such elements remain the exclusive and confidential property of the Provider, and the Client shall refrain from using or disclosing them.

9.6 No model training (No Training). a) Provider's commitment. The Provider expressly undertakes not to use Client Data (including Call Data and Conversation Data) to train, educate or improve artificial intelligence models (training or fine-tuning). The use of Client Data by the Provider is strictly limited to the performance of the Service in accordance with the Agreement. b) Third-party AI model providers. The Provider selects third-party AI model providers that, as of the effective date of this Agreement, represent that they do not use data submitted via their API for training their models in the default configuration or in the configuration adopted by the Provider. However, the Client acknowledges and accepts that: (i) the Provider cannot guarantee the internal data processing practices of third-party AI model providers (in particular OpenAI), which are governed by their own terms of service and privacy policies; (ii) such providers may unilaterally modify their terms and practices, including with respect to data retention and use for model improvement; (iii) the Provider undertakes to deploy commercially reasonable efforts to: (a) select and configure services so as to minimise exposure of Client Data (opting out of training where available, Zero Data Retention where technically possible), (b) monitor changes to its providers' policies and inform the Client within a reasonable timeframe, and (c) evaluate alternatives if a provider were to substantially change its practices regarding training; (iv) the commitment under this Article does not constitute a guarantee of result as to the actual practices of third-party model providers, and the Provider shall not be held liable for a failure by such providers to comply with their own commitments.

9.7 Feedback. The Client may provide the Provider with feedback, suggestions, ideas or bug reports ("Feedback"). The Client grants the Provider a free, non-exclusive, worldwide right for the duration of legal protection, to use the Feedback to improve the Solution, without any obligation of development, remuneration or exclusivity, subject to not disclosing the Client's confidential information.

9.8 Restrictions. Unless authorised in writing by the Provider, the Client shall not: (i) reproduce, copy, decompile, disassemble, reverse-engineer or attempt to access the source code or models; (ii) circumvent technical protection measures, limitations or quotas; (iii) systematically extract content from the Solution; (iv) use the Solution to provide a service to third parties, or for the benefit of a third party, whether for payment or free of charge; (v) use the Solution in any manner not in accordance with the scope of the Agreement.

9.9 Third-party components and services. The Solution may integrate or rely on third-party components or services. Such elements remain subject to their respective licence or use terms; the Provider retains (or holds under licence) the rights necessary for their provision within the framework of the Solution.

9.10 Reservation of rights. All rights not expressly granted to the Client under this Article are reserved to the Provider.

10.1. Roles: Client = Data Controller; Provider = Data Processor.

10.2. Processing / instructions: The Provider processes Call Data and, where applicable, Conversation Data (Transcription, Analysis and/or Audio Recording), for the following purposes: response/qualification/appointments/reminders, administration, security, maintenance, and operation of the Service, in accordance with the Client's documented instructions, as evidenced by: a) the Agreement and its Annexes; and b) the Settings made by the Client in the Solution (including Persistence Mode, retention periods, External Notifications and recipient, integrations).

10.3. Retention: a) Conversation Data: the retention periods for Transcription, Analysis and/or Audio Recording are defined by the Client via Settings, subject to limitations and obligations imposed by the Provider pursuant to Article 7.5.e. The Client is solely responsible for the compliance of the periods chosen within the available options. b) No persistence: if the Client does not select persistence for a data category, no copy is retained by the Provider, subject to Transient Data strictly necessary for technical operation and technical logs. c) Technical logs / security / Credit consumption tracking. The Provider retains technical logs necessary for security, fraud/abuse prevention, diagnostics and tracking of Credit consumption (Meter) for a maximum period of 12 months, unless a longer legal obligation applies.

10.4. Sub-processors / hosting / transfers: listed in the DPA Annex. Hosting: DigitalOcean with VPS in EU/EEA. Transfers outside the EEA are governed by the DPA Annex.

10.5. Assistance (GDPR) – scope, limits, billing

10.5.1. Principle. The Provider assists the Client, in its capacity as processor, only to the extent required by Article 28 of the GDPR and within a reasonable limit, taking into account (i) the information at its disposal, (ii) the technical means available.

10.5.2. Scope of assistance. The Provider's assistance may cover, upon written request from the Client: a) the provision of available technical elements enabling the Client to respond to a data subject rights request (access, erasure, restriction, objection, portability) concerning Client Data processed via the Solution; b) the provision of general information on security measures and Sub-processors (as described in the Agreement/Annex 1); c) the provision of available and reasonable information to enable the Client to carry out a data protection impact assessment (DPIA) where required, without the Provider substituting for the Client in its performance; d) assistance in the event of a personal data breach, limited to information and actions within the Provider's scope (qualification, technical corrective measures, available evidence).

10.5.3. Exclusions. The following are expressly excluded from assistance, unless separately agreed in writing: a) any legal advice, compliance, or drafting of policies/notices (caller information, consents, scripts); b) any analysis of legal basis, balancing of interests, or qualification of roles (Controller/Joint Controller) other than as defined in the Agreement; c) any intervention on the Client's or third-party systems (CRM, calendar, telecom operators, SMS/email sending tools); d) any complex data retrieval or reconstruction beyond standard export functions; e) any obligation of result as to acceptance by the supervisory authority or satisfaction of the data subject.

10.5.4. Procedure. Any assistance request must be sent to rgdp@webili.eu and specify: (i) the subject, (ii) the relevant identifiers (call ID, dates, request reference), (iii) the desired timeframe, (iv) the factual basis. The Provider may request additional information before acting.

10.5.5. Timeframes. The Provider acts on a best effort basis, without commitment to timeframes, unless a timeframe is imposed by law and applicable to the Provider as processor. The Client remains responsible for meeting its legal deadlines vis-à-vis data subjects and authorities.

10.5.6. Included scope and billing. a) Standard Assistance (Included): Assistance is included in the Service insofar as it concerns the provision of standard documentation, email responses to common compliance questions, and the use of native export/deletion features. b) Custom Assistance (By quote): Any specific request requiring ad hoc work (e.g. completion of complex security questionnaires, dedicated meetings with the Client's DPO, specific documentary audits, assistance with DPIA beyond standard documentation) shall be subject to a prior quote submitted for the Client's written acceptance. In the absence of an accepted quote, the Provider is not required to perform such services.

10.5.7. Priority. Requests related to a data breach or a proven security risk are treated as a priority, subject to available information and service continuity.

10.5.8. Liability. The Provider is only liable for breaches of its obligations as processor. The Client remains solely responsible for: (i) responses to data subjects, (ii) declarations/notifications to the supervisory authority, (iii) informing callers, and (iv) the overall compliance of its processing.

10.6. DPA: Annex 1 (DPA) prevails in the event of a contradiction.

11. Confidentiality

11.1 Definition. "Confidential Information" means all information, documents, data or materials communicated by one Party to the other, in any form whatsoever, in the context of the Agreement, including in particular: (i) Client Data; (ii) commercial, financial, pricing and contractual information; (iii) technical information (architecture, settings, documentation, specifications, security, roadmaps); and (iv) more generally any element whose confidential nature arises from its nature or the context of its communication.

11.2 Obligations. Each Party undertakes to: (i) protect the other Party's Confidential Information with a level of care at least equivalent to that it applies to its own confidential information, and at a minimum with reasonable care; (ii) use it only for the purposes of performing the Agreement; and (iii) not disclose it to third parties, except under the conditions of Article 11.3.

11.3 Authorised disclosures. Disclosure is authorised only: (i) to employees, officers and advisers of a Party, and where applicable to its affiliates, who need to know for the performance of the Agreement; and (ii) to authorised subcontractors and service providers, subject to their being bound by confidentiality obligations at least equivalent. Each Party remains responsible for compliance with this Article by the persons to whom it grants access.

11.4 Exclusions. The following shall not constitute Confidential Information where the receiving Party can demonstrate that: (i) it was already lawfully known to it before its communication; (ii) it is or becomes public without breach of the Agreement; (iii) it was lawfully received from a third party not bound by a confidentiality obligation; or (iv) it was independently developed without use of the Confidential Information.

11.5 Compelled disclosure. In the event of a legal, regulatory or judicial obligation to disclose, the Party required to disclose shall inform the other Party to the extent permitted by law, and shall limit disclosure to what is strictly necessary, seeking where possible protective measures (confidentiality, closed session, redaction).

11.6 Duration. The obligations of this Article shall apply for the entire duration of the Agreement and for five (5) years after its cessation, for whatever cause. For Confidential Information constituting trade secrets, the obligation shall continue for as long as such information retains this character under applicable law.

11.7 Return / deletion. Upon cessation of the Agreement, each Party shall return or delete, upon written request from the other Party, the other Party's Confidential Information in its possession, subject to: (i) legal retention obligations; (ii) routine IT backups (deletion according to usual cycles); and (iii) the specific rules on reversibility and deletion of Client Data provided for in Article 13.

11.8 Remedy. Any breach of this Article is likely to cause irreparable harm. The injured Party may seek any interim measure or injunction, including in summary proceedings, without prejudice to any damages.

12. Security

12.1 Security measures (obligation of means). The Provider implements reasonable and appropriate technical and organisational measures commensurate with the risks, in order to protect Client Data against destruction, loss, alteration, unauthorised disclosure or unauthorised access. These measures include, as appropriate: access controls and authorisations, logging, encryption in transit and at rest, backups, vulnerability management and environment segregation. It is noted that no measure guarantees absolute security and that the Provider assumes only an obligation of means.

12.2 Client's responsibilities. The Client is responsible for the security of its own systems, accounts, email addresses, terminals, networks, integrations and settings, as well as the management of its users' access (passwords, MFA, authorisations), and bears the consequences of a compromise or misconfiguration of its environment.

12.3 Security incident / data breach. In the event of a security incident affecting Client Data, the Provider shall inform the Client without undue delay after becoming aware of it and, to the extent information is available, communicate the nature of the incident, the data potentially affected, the measures already taken and the recommended actions. The Parties shall cooperate in good faith to limit the impacts.

12.4 No performance commitment. This Article does not constitute a service level or security performance commitment and does not give rise to any penalty, discount or service credit.

13. Reversibility / Data Restitution

13.1. Export of Client Data: CSV/JSON (appointments, and where applicable persisted Transcriptions and/or Analyses) and Audio files (if persisted) pursuant to Article 13.2 and subject to the Client's Settings.

13.2. Availability deadline: 30 business days after request.

13.3. Assistance. Beyond the standard export, assistance is provided on a "best effort" basis, without commitment to timeframe/result, and billed in accordance with the rate provided for in Article 5.9. The Provider is not liable for difficulties in data migration related to the Client's or third-party systems.

13.4. Deletion and technical/legal exceptions. Upon expiry of the reversibility period (or earlier upon request, subject to technical timeframes), the Provider shall proceed with the deletion of Client Data. However, the Client acknowledges and accepts that certain data cannot be fully erased and will be retained by the Provider for legitimate reasons: a) Accounting and legal obligations: Data relating to orders, payments, billing and Credit consumption are retained for the legally required period to justify the accounting and meet tax and administrative obligations. b) Technical integrity (Foreign keys): For reasons of technical architecture and database reliability (in particular maintaining referential integrity via foreign keys), certain data linked to financial transactions or execution history cannot be technically deleted without compromising the integrity of the overall database. Such data shall be retained in the database for as long as their presence is technically required for system stability. Wherever technically possible, data thus retained shall be anonymised or pseudonymised to limit the impact on privacy.

14. Solution Provided "As Is" – Disclaimer of Warranty – Limitation of Liability

14.1. Solution "as is". The Client acknowledges that the Solution is provided "as is" and "as available" (Article 8), and may generate errors, hallucinations, omissions, unavailability, and variable results, and agrees to bear the consequences within the limits of the law.

14.2. Disclaimer of warranties: to the fullest extent permitted by applicable law, the Provider excludes all express or implied warranties, including fitness for a particular purpose, absence of errors, availability, performance, accuracy of responses, and non-infringement (for content provided by the Client).

14.3. Specific exclusions: the Provider is not liable for: a) telephone routing, line quality, carrier outages, caller identification; b) appointments (validity, duplicates, cancellations, no-shows) and their commercial impacts; c) erroneous/incomplete information related to Client Data, instructions, or missing updates; d) unavailability/acts of third parties, as referred to in Article 8.2; e) any non-compliant or out-of-scope use; f) consequences related to the Client's Settings (cf. Article 7.5); g) the data processing practices implemented by third-party artificial intelligence model providers (in particular with respect to retention, use for training or improvement of models), provided that the Provider has implemented the commercially reasonable efforts referred to in Article 9.6.b.

14.4. Excluded damages: to the fullest extent permitted by law, all indirect/consequential damages are excluded, including in particular loss of revenue, margin, opportunity, clientele, reputational damage, internal costs, loss of data not directly attributable to the Provider.

14.5. Cap. The Provider's total liability, all causes combined, is strictly capped at the total amount excl. VAT paid by the Client to the Provider under this Agreement during the twelve (12) months preceding the triggering event.

14.6. Contractual time-bar: any claim must be notified in writing within 30 days of the occurrence or knowledge of the facts, except where mandatory provisions provide otherwise.

14.7. Exceptions: these limitations do not apply in the event of gross negligence/wilful misconduct, bodily injury, or mandatory rules that cannot be excluded.

14.8. Client's liability for caller information, persistence and external transfers: The Client indemnifies the Provider against any consequence (claims, sanctions, compensation demands, costs) related to: a) failure to inform/obtain consent from callers regarding the use of the Solution, the persistence of a Transcription and/or an Analysis, and/or the sending of an Analysis to external channels; b) retention periods set by the Client; c) recipients, the security of the external channels (email, messaging, CRM) on the Client's side, and any Settings error. The Client assumes all liability vis-à-vis authorities and third parties on these points.

14.9. IP indemnification. Notwithstanding Article 14.2, the Provider indemnifies the Client against any infringement action brought by a third party relating to the proprietary code of the Solution specifically developed by the Provider (expressly excluding third-party AI models, open-source models even if fine-tuned by the Provider, open-source components and generated content), subject to the Client: (i) notifying the claim in writing without delay; (ii) granting the Provider exclusive control of the defence and any settlement; and (iii) providing all reasonable assistance. In the event of a final judgement or settlement, the Provider shall bear the damages (or the settlement amount) charged to the Client, as well as the related defence costs, all within the cumulative limit of the overall liability cap provided for in Article 14.5. This Article defines all of the obligations and liabilities of the Provider (and the Client's sole remedy) in respect of intellectual property infringement.

14.10. Duty to mitigate. The Client shall take all reasonable measures to mitigate any damage resulting from an incident affecting the Solution, in particular by activating the alternative system referred to in Article 7.6. Failure to mitigate shall reduce the Provider's liability accordingly.

15. Term – Inactivity – Account Deletion

15.1. Term. The Agreement is concluded for an indefinite period. It takes effect on the date the Client creates an account and accepts these GTC.

15.2. Inactivity and account deletion. In the event of Inactivity by the Client for a continuous period of three (3) months, the Provider reserves the right to delete the Client's account and all associated Client Data. The Provider shall send the Client a warning email prior to deletion. Credits not consumed at the time of deletion are definitively forfeited in accordance with Article 5.7.

15.3. Voluntary cessation by the Client. The Client may cease using the Solution at any time. It may request the export of its Client Data in accordance with Article 13 and the deletion of its account.

15.4. Effects of cessation. Upon cessation of the Agreement, for whatever cause: a) access is terminated (subject to reversibility); b) the Client may request standard export under the conditions of Article 13; c) the fate of the Credit Balance is governed by Article 5.7; d) survival of clauses (IP, confidentiality, GDPR, liability, jurisdiction).

16. Commercial References

16.1 Authorisation. The Client authorises the Provider, free of charge and on a non-exclusive basis, from one (1) month after the Client's first Consumption and until one (1) month after the Client's last Consumption, for the purposes of promoting the Solution and/or the Provider, to: a) use the Client's name and logo as a commercial reference; b) publish any testimonial (quote, review, feedback) only if the Client has provided or approved it in writing; c) produce and publish an anonymised case study relating to the project (without identifying the Client or its employees).

16.2 Confidentiality and data. The uses authorised under this Article must not disclose confidential information, trade secrets or personal data.

16.3 Withdrawal. Any authorisation granted under this Article may be withdrawn at any time by the Client, by written notification. The Provider shall cease the relevant uses and remove the content from media under its control within a reasonable timeframe, subject to media already distributed or printed for which no recall is required.

17. Governing Law and Jurisdiction (Belgium)

17.1. Governing law: Belgian law, subject to any applicable mandatory provisions.

17.2. Jurisdiction: exclusive jurisdiction of the courts of the judicial district of Brussels (Belgium), including in summary proceedings and in the event of multiple defendants.

17.3. Language: the English version of these GTC shall prevail.

18. General Provisions

18.1 Force majeure. Neither Party shall be held liable for any failure or delay in the performance of its obligations resulting from a force majeure event, understood as any event reasonably beyond the control of the Party invoking it, unforeseeable at the time of conclusion of the Agreement and the effects of which cannot be avoided by appropriate measures (e.g. natural disaster, fire, flood, war, riots, general strikes, acts of public authority, widespread network failures, major and widespread unavailability of telecommunications services or cloud infrastructure). The affected Party shall inform the other Party without undue delay, specifying the nature of the event, its foreseeable effects and, to the extent possible, its estimated duration. The affected obligations are suspended for the duration of the force majeure event. If the force majeure event continues for more than thirty (30) calendar days, each Party may terminate the Agreement by written notice, without compensation, subject to mandatory provisions and the provisions relating to reversibility, confidentiality, GDPR and payments already due.

18.2 Assignment / transfer – subcontracting. Neither Party may assign, transfer or contribute, in whole or in part, the Agreement and/or all or part of its rights and obligations under the Agreement, whether for payment or free of charge, without the prior written consent of the other Party. By way of derogation, the Provider is authorised to assign or transfer the Agreement (i) to one of its Affiliates (any entity controlling, controlled by, or under common control with the Provider), or (ii) in the context of a reorganisation, merger, demerger, partial contribution of assets, change of control or transfer of business/line of activity, subject to informing the Client in writing and the transferee assuming the Provider's obligations under the Agreement. The Provider may use subcontractors/service providers for the performance of the Service. It remains responsible for the performance of the Agreement and ensures that such third parties are subject to appropriate confidentiality and security obligations. For the processing of personal data, the conditions for the use of sub-processors are governed by Annex 1 (DPA).

18.3 Notifications / addresses for service. Any notification or communication required under the Agreement shall be made in writing and sent to the contact details provided by the Client when creating its account (or to any other address notified by one Party to the other). Operational notifications (e.g. routine exchanges) may be made by email. Formal notifications (in particular formal notice, litigation) shall be validly made (i) by registered letter (or any equivalent traceable mail method) addressed to the registered office of the Party concerned, and (ii) with a copy by email to the following address: law@webili.eu for the Provider, and to the email address provided by the Client when creating its account. Unless proven otherwise: (a) a notification by email is deemed received on the business day of its sending, provided it does not result in a delivery failure message; (b) a notification by registered mail is deemed received on the date of first presentation.

18.4 Contractual hierarchy – entirety. The Agreement (including its annexes) constitutes the entire agreement between the Parties and supersedes any prior agreement, exchange or proposal relating to its subject matter. Without prejudice to Article 10.6, in the event of a contradiction between documents, the order of priority is as follows: (i) the body of the Agreement; (ii) Annex 1 (DPA) for everything relating to personal data protection.

18.5 Amendments to the GTC. The Provider reserves the right to modify these GTC. The Provider shall notify the Client by email of any modification at least thirty (30) calendar days before its effective date, specifying the nature of the changes and the date on which the modified GTC will take effect. If the Client does not accept the modified GTC, it may terminate the Agreement by written notice sent before the effective date of the modification; in such case, by way of derogation from Article 5.7.b, any unused prepaid Credits shall be refunded to the Client on a pro rata basis within thirty (30) calendar days of the effective date of termination, and the provisions of Article 13 (Reversibility) shall apply. Continued use of the Solution after the effective date constitutes acceptance of the modified GTC.

18.6 Severability. If any provision of the Agreement is declared null, invalid or unenforceable, it shall be deemed unwritten without affecting the validity of the other provisions. The Parties shall endeavour to replace it with a valid provision as close as possible to the original economic intent.

19. Acceptance

These General Terms and Conditions are accepted by the Client when creating their account, by means of a checkbox constituting an electronic signature and contractual commitment. The Client declares having read these GTC in their entirety, including Annex 1 (DPA), and accepts them without reservation.

20. Annexes

Annex 1: DPA / GDPR Clauses (processing)

1) Purpose and Duration

This DPA governs the processing of Personal Data by the Provider, acting as Processor, on behalf of the Client, Data Controller, in the context of the Service, and for the duration of the Agreement, plus the reversibility period provided for in Article 13.

2) Description of Processing

2.1 Categories of Data Subjects

Callers / prospects;
(possibly) Client's employees (administration, accounts).

2.2 Categories of Data

Phone number (or identifier) and call metadata (timestamp, duration, routing);
Data relating to appointments (time slot, status, agent/agency, etc.);
Conversation Data: Transcription, Analysis and/or Audio Recording only if enabled and persisted according to Settings;
Technical and security data (logs).

2.3 Purposes

Responding to callers' enquiries;
Qualifying the enquiry;
Proposing and booking appointments;
Operation, administration, security, maintenance of the Service;
Fraud/abuse prevention and technical improvement of the Service (to the extent necessary for operation).
External Notifications (Analysis): sending an Analysis to external channels only if enabled by the Client via Settings.

2.4 Instructions

The Provider processes data only on documented instructions from the Client, as evidenced by the Agreement and the Client's Settings/orders in the Solution.

3) Obligations of the Provider (Processor)

Ensure the confidentiality of persons authorised to process data;
Implement appropriate security measures (obligation of means);
Notify personal data breaches to the Client without undue delay;
Bind Sub-processors with equivalent obligations;
Upon termination of the Agreement: restitution/deletion pursuant to Article 13.

4) Sub-processors (List and Location)

The Client grants the Provider a general authorisation within the meaning of Article 28(2) of the GDPR to engage Sub-processors, under the conditions of this Article.

The Client authorises the engagement of the following Sub-processors:

Hosting / Infrastructure: DigitalOcean – servers located in Europe.
Telephony / routing: Twilio Ireland Limited (and affiliates) – Log hosting in Ireland (IE1) if configured, global processing under DPF.
AI / Transcription / Analysis: OpenAI Ireland Limited / OpenAI OpCo, LLC – Processing primarily in Europe, or US under DPF.
Transactional email sending: Sendgrid configured Data Residency for Email (EU) or Scaleway (EU).
Calendar Management (Client's Third-Party Services): Google (Google Calendar) and Microsoft (Outlook/Teams) via API. Nature: These services are subscribed to directly by the Client. The Provider acts here solely as a technical interface to transmit data on the Client's instructions. The Client remains solely responsible for its contractual relationship with these providers and for the security of its own accounts (passwords, access). The transfer is covered by the Client's contract with these providers (generally under DPF).

Changes to sub-processors: the Provider may add, replace or remove Sub-processors and update the above list, subject to:

informing the Client with fifteen (15) calendar days' notice before taking effect (by any written means, in particular email);
imposing on the Sub-processor obligations at least equivalent to those of this DPA;
and, if the Sub-processor is located outside the EEA and/or involves a transfer outside the EEA, putting in place appropriate safeguards (e.g. Standard Contractual Clauses) and/or equivalent contractual mechanisms, typically via a DPA.

The Client may only object by notifying, within the notice period, a written and reasoned objection based on a proven and documented risk to data protection (within the meaning of the GDPR) related to the proposed Sub-processor.

It is expressly agreed that an objection shall not be considered legitimate, and shall not give rise to cessation of the Agreement, if the Provider demonstrates that the new Sub-processor provides data protection and security guarantees substantially equivalent to or greater than those of the replaced Sub-processor (in particular in terms of geographic location of data and security certifications).

In the absence of an admissible objection within this period, the Client is deemed to have accepted the change and waives the right to reproach the Provider, or to base a claim, on the sole fact of the addition, replacement or removal of a Sub-processor carried out in accordance with this Article.

In the event of an admissible objection, the Parties shall seek a good faith solution; in the absence of a solution within a reasonable timeframe, the Client's sole remedy under this Article is to cease using the Solution and request the deletion of its account, without compensation other than as expressly provided for in the Agreement and within the limits of the law.

5) Location / Transfers outside the EEA

Hosting principle: Data is hosted primarily on servers located in the European Union (DigitalOcean, and EU zones of providers where available).
Transfers to the United States: The Client acknowledges and accepts that the use of the Provider's services (OpenAI, Twilio) as well as the use of connectors to its own services (Google, Microsoft) involve data transfers to the United States. These transfers are governed by:
1. The EU-US Data Privacy Framework (DPF) to which the relevant entities adhere (notably OpenAI OpCo, LLC, Twilio Inc, Google LLC and Microsoft Corp); or failing that
2. The European Commission's Standard Contractual Clauses (SCCs) for the Provider's sub-processors.

6) Retention

a) Conversation Data: Transcription, Analysis and/or Audio Recording retained only if the Client has enabled their persistence. Retention periods are defined by the Client via Settings. b) No persistence: no copy is retained for unselected categories (excluding Transient Data). c) Technical logs / security / billing: retention as defined in 10.3(c), except where a legal obligation or evidential need applies.

Pursuant to Article 28 of the GDPR, the Provider assists the Client, in its capacity as processor, on a "best effort" basis and within a reasonable limit, in particular for: (i) responding to data subject rights requests; (ii) providing available information for conducting a data protection impact assessment (DPIA) and, where applicable, prior consultation; (iii) managing personal data breaches; and (iv) providing general information on security measures and Sub-processors. The practical arrangements (channel, information to be provided, limits, no timeframe commitment, included quota and billing beyond) are those defined in Article 10.5 of the Agreement.

8) Data Subject Rights

The Client manages requests (access/erasure/objection). The Provider provides, on a best effort basis, exports/deletions within the Solution, according to the "Assistance" procedure.

9) Security (Obligation of Means)

Minimum measures: access control, logging, encryption in transit, backups, vulnerability management, environment segregation. No guarantee of absence of incidents.

10) Data Breaches

Notification to the Client without undue delay with available information (nature, scope, measures).

11) Fate of Data upon Termination

Reversibility (standard exports) then deletion pursuant to Article 13, subject to technical logs retained pursuant to Section 6.c.

12) Audit ("Documentary" Option)

Audit limited to documentation/certifications/questionnaires; no on-site audit or access to code, unless required by mandatory law. If an on-site audit is required by a mandatory legal provision, it shall be carried out at the Client's exclusive expense, by appointment (minimum 30 days' notice), and in a manner that does not disrupt the Provider's operations.

13) Governing Law

This DPA is governed by the law specified in Article 17.1 of the Agreement.