PRIVACY POLICY

Effective Date: January 21, 2026

Last Updated: January 22, 2026

Version: 1.0

This Privacy Policy ("Policy") explains how Waco3.io, LLC ("Company", "we", "us", "our") collects, uses, discloses, and protects Personal Information when you access or use our invoice, quote, and proposal creation platform and related services (collectively, the "Service").

This Policy applies to:

  • visitors to our websites and marketing pages;
  • users who create accounts, start a free trial, or purchase a subscription;
  • users of team accounts (business and enterprise customers);
  • recipients who view shared documents (where applicable).

This Policy must be read together with our Terms and Conditions.

Third-Party Licenses and Notices: View Third-Party Licenses

If you have questions, contact: [email protected]


TABLE OF CONTENTS

  1. Definitions
  2. Summary of Key Points (Plain Language)
  3. Information We Collect
  4. Sources of Information
  5. How We Use Information
  6. Legal Bases for Processing
  7. Cookies, Tracking, and Similar Technologies
  8. AI and Generative AI Processing
  9. Session Replay, Analytics, and Product Monitoring
  10. How We Share Information
  11. Subprocessors and Vendor Transparency
  12. Data Retention (Detailed Schedule)
  13. Data Security
  14. Data Breach Notification
  15. Your Privacy Rights and Choices
  16. California Privacy Rights (CCPA/CPRA)
  16B. Mexico Privacy Rights (LFPDPPP)
  16C. Other Latin American Jurisdictions
  17. International Transfers
  18. Children's Privacy
  19. Sensitive / Special Category Data
  20. Automated Decision-Making and Profiling
  21. Data Processing Agreement (DPA) for Business Customers
  22. Policy Changes and Notice
  23. Complaints, Dispute Resolution, and Jurisdiction
  23A. Additional Protections and Disclaimers
  24. Contact Us

Appendices:

  • Appendix A: Categories of Personal Information (CCPA)
  • Appendix B: Retention Schedule
  • Appendix C: Subprocessor List Reference
  • Appendix D: Cookie Categories and Examples
  • Appendix E: AI Providers and Purposes

1. DEFINITIONS

  • "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular individual or household.
  • "User Content" means the documents, text, images, attachments, and data you create, upload, or store in the Service (including invoices, quotes, proposals, and related assets).
  • "Account Owner" means the person or entity that registers and controls an account.
  • "Authorized User" means a team member or user invited under a business account.
  • "Subprocessor" means a third party authorized to process Personal Information on our behalf.

2. SUMMARY OF KEY POINTS (PLAIN LANGUAGE)

  • We collect account data (like name and email), Service usage data (like pages used), and document data you choose to store in the Service.
  • We use this information to run the Service, bill subscriptions, provide customer support, improve product features, detect fraud, and comply with law.
  • We use third-party providers for payments, email delivery, hosting, analytics, monitoring, and AI features.
  • We use cookies and similar technologies. Where required, we request consent for non-essential cookies.
  • We may offer AI-assisted features. You must confirm an AI notice before using AI features.
  • Session replay tools capture interactions like clicks and scrolling for quality, troubleshooting, and platform functionality. Session replay and analytics are mandatory — there is no opt-out option. If you do not agree, do not use the Service.
  • When recipients view shared documents (quotes, invoices, proposals), we track their viewing behavior (pages viewed, time spent, downloads). This tracking is mandatory and essential to the Service.
  • You have rights depending on your location, including access, deletion, correction, portability, and opt-out of certain processing.
  • We maintain retention periods. Some records (like billing) are kept longer due to legal obligations.
  • We use safeguards like encryption in transit, access controls, and monitoring. No system is 100% secure.

3. INFORMATION WE COLLECT

We collect the following categories of Personal Information.

3.1 Account and Identity Information

We collect:

  • name (first and last name where provided);
  • email address;
  • authentication credentials (password hashes and authentication tokens);
  • profile preferences (language, theme, UI preferences);
  • onboarding and acceptance records (terms acceptance date/time, version accepted, and related audit records).

3.2 Business and Billing Information

We collect:

  • business name and related account details (where provided);
  • billing status, plan type, trial status, subscription history;
  • billing metadata received from payment processors (e.g., subscription state, last four digits, expiration month/year, billing country, and identifiers).

We do not store full payment card numbers. Payment card data is processed by our payment processor.

3.3 User Content

We collect and process User Content that you create or upload, including:

  • invoices, quotes, proposals, templates, and drafts;
  • logos, images, and attachments you upload;
  • document configuration details and document usage analytics.

Important: User Content may include third-party personal data (for example, your clients' names, addresses, or emails). If you upload such data, you are responsible for having a lawful basis to do so.

3.4 Device, Network, and Technical Data

We collect:

  • device type and browser type;
  • operating system and app version;
  • IP address (and approximate location derived from IP);
  • timestamps of activity, last login, and security logs.

3.5 Usage and Interaction Data

We collect:

  • feature usage, page views, clicks, scroll depth, time spent, document views;
  • performance diagnostics and error logs;
  • aggregated analytics metrics.

3.6 Communication Data

We collect:

  • customer support messages and related metadata;
  • transactional email delivery data (delivery status, bounces);
  • marketing email engagement data (opens and clicks) where permitted.

3.7 Cookie and Similar Technology Data

We collect information via cookies, local storage, SDKs, tags, and pixels as described in Section 7.

3.8 Session Replay Data (Where Enabled and Where Permitted)

If session replay is enabled and permitted, we collect:

  • interaction events such as clicks, scrolling, and navigation;
  • interface context required to diagnose UX issues.

We exclude passwords and payment fields from capture. We also apply controls designed to reduce accidental capture of sensitive data, but you should avoid entering highly sensitive information into free-text fields unless necessary.

3.9 AI Feature Inputs and Outputs (When You Use AI Features)

When you use AI tools:

  • we collect and process the text you submit as prompts or instructions;
  • we process relevant context necessary to generate output;
  • we generate and return AI outputs to you.

See Section 8 for AI-specific disclosures and controls.


4. SOURCES OF INFORMATION

We collect information from:

  • you (directly through forms, uploads, and account settings);
  • your device/browser (automatically);
  • third-party providers you use with the Service (e.g., payment processors and email providers);
  • analytics and monitoring providers used to operate the Service.

5. HOW WE USE INFORMATION

We use Personal Information to:

5.1 Provide and Operate the Service

  • create and manage accounts;
  • provide core features (creating and managing documents);
  • enable collaboration features (where applicable);
  • provide onboarding flows and user preferences.

5.2 Subscription, Billing, and Account Administration

  • start free trials and manage trial status;
  • process subscriptions and billing events;
  • detect billing fraud and prevent abuse;
  • provide invoices and billing confirmations.

5.3 Customer Support

  • respond to requests;
  • resolve technical issues;
  • provide troubleshooting assistance.

5.4 Improve, Debug, and Maintain the Service

  • measure feature adoption and usability;
  • diagnose errors and performance issues;
  • test improvements and product changes.

5.5 Security, Fraud Prevention, and Abuse Detection

  • monitor suspicious activity;
  • enforce rate limits and prevent unauthorized access;
  • maintain audit trails.

5.6 Marketing and Promotions (Where Permitted)

  • send promotional emails (where you opt in or where permitted by law);
  • measure engagement and improve communications;
  • honor unsubscribe requests and maintain suppression lists.

5.7 Compliance and Legal Obligations

  • comply with applicable laws, lawful requests, and legal processes;
  • enforce our Terms and Conditions;
  • maintain records for tax, accounting, and dispute resolution.

6. LEGAL BASES FOR PROCESSING

We process Personal Information based on the following legal grounds:

  • Contract Performance: To provide the Service, including account creation, document generation, and billing.
  • Legitimate Interests: To improve the Service, ensure security, prevent fraud, and maintain business operations.
  • Consent: For non-essential cookies, marketing communications, session replay (where required), and AI features.
  • Legal Obligation: To comply with applicable laws, tax requirements, and lawful requests.

For specific legal bases applicable to your jurisdiction, see the relevant regional sections below (California, Mexico, Latin America).


7. COOKIES, TRACKING, AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies (local storage, SDKs, pixels) to operate and improve the Service and measure marketing effectiveness.

7.1 Cookie Categories

We use the following categories:

  1. Essential Cookies (required) — Used for authentication, security, session management, and core functionality.
  2. Functional Cookies — Used for preferences such as language, theme, and UI settings.
  3. Analytics Cookies — Used to understand usage patterns, feature adoption, and performance.
  4. Marketing Cookies / Pixels (where applicable) — Used to measure marketing campaign performance and email conversions.

7.2 Consent Management

Where required by law, we provide cookie consent mechanisms that:

  • display a cookie notice;
  • allow you to accept or manage non-essential cookies;
  • store and honor your consent preferences;
  • allow you to update cookie choices later via your browser settings.

7.3 Do Not Track (DNT)

Some browsers provide "Do Not Track" signals. Because there is no uniform standard, we do not respond to DNT signals in a consistent way. You can manage tracking through cookie preferences.

7.4 Email Tracking

Marketing emails may include tracking pixels and link tracking to measure opens and clicks. You can opt out of marketing emails at any time. Transactional emails are necessary for the Service.

See Appendix D for examples.


8. AI AND GENERATIVE AI PROCESSING

8.1 AI Providers and Purposes

We use AI providers to deliver AI-assisted features, such as generating, improving, summarizing, or rewriting content used in invoices, quotes, and proposals.

Our AI provider:

  • Google Gemini: AI text generation and refinement for proposals, quotes, and invoices

8.2 AI Notice and User Confirmation

Before you use AI features, we present a clear notice stating:

  • AI output may be inaccurate, incomplete, or inappropriate;
  • AI output is not legal, financial, accounting, or professional advice;
  • you must review and verify AI outputs before using them;
  • AI processing may involve sending your inputs to an AI provider.

You must affirmatively confirm this notice before using AI tools.

8.3 AI Inputs, Retention, and Training

AI providers may process your inputs to generate outputs. Our use of AI providers is governed by our agreements with them.

Important: AI providers may have their own policies regarding retention and model improvement. Where available, we configure and contractually limit AI processing consistent with Service needs. For additional details, see the vendor policies linked in our Subprocessor List and Appendix E.

8.4 Automated Decision-Making

AI features are intended to assist with content generation. We do not use AI to make solely automated decisions that produce legal effects or similarly significant effects about you without appropriate safeguards. If this changes, we will update this Policy and provide required rights and explanations under applicable law.

8.5 AI Training Data Transparency (California AB 2013 Compliance)

We do not use your User Content or AI inputs to train our AI models or the AI models of our providers.

Specifically:

  • Your Inputs: Text, prompts, and document content you submit to AI features are processed solely to generate outputs for you. We do not use your inputs to train, improve, or fine-tune AI models.
  • Provider Training: We contractually prohibit our AI providers from using your inputs or outputs for training their models. See our agreements with AI providers in Appendix E.
  • Opt-Out: Because we do not use your data for AI training, no opt-out is required. If this changes, we will obtain your consent before using your data for training purposes.

8.6 Third-Party AI Provider Documentation

For detailed information about how our AI providers handle data, including their training practices and privacy policies, see:

8.7 AI Output Accuracy and Privacy Disclaimer

AI-generated outputs may contain inaccuracies, including incorrect or fabricated information. If you use AI features to generate content containing personal information (such as client names, addresses, or contact details), you are solely responsible for:

  • verifying the accuracy of all AI-generated content before use;
  • ensuring that any personal information in AI outputs is correct;
  • obtaining necessary consents before distributing content containing others' personal information.

The Company is not liable for any privacy violations or harm resulting from AI-generated content that you publish, distribute, or rely upon.


9. SESSION REPLAY, ANALYTICS, AND PRODUCT MONITORING

9.1 Tools Used

We use product analytics and monitoring tools, including:

  • Google Analytics: Marketing website analytics
  • PostHog: Application analytics and user experience monitoring within the platform

9.2 What Session Replay Captures

Session replay may capture:

  • clicks, scrolls, navigation paths;
  • interactions with interface elements;
  • error states and performance diagnostics.

Session replay is not intended to capture:

  • passwords;
  • full payment card details;
  • security codes.

9.3 Analytics as Condition of Service Use

Session replay and analytics tracking (including document viewing analytics) are integral to the Service and CANNOT be disabled. By using the Service, you consent to this tracking.

This tracking is necessary for:

  • Platform functionality (read receipts, engagement metrics)
  • Fraud prevention and security
  • Technical troubleshooting and product improvement

If you do not agree to analytics tracking, you should not use the Service.

9.4 Retention and Access Controls

  • Session replay retention is strictly 30 days (unless a longer period is required for security investigations or legal obligations).
  • Access is limited to authorized personnel for support, security, and quality assurance.

9.5 No Opt-Out Available

Session replay and analytics (including document viewing analytics) are mandatory components of the Service. There is no opt-out option.

If you do not agree to this tracking, your only option is to discontinue use of the Service.

9.5A Document Viewing Analytics (Mandatory)

When recipients view documents shared through the Service (quotes, invoices, proposals), we automatically collect analytics about their viewing behavior. This tracking:

(a) Is MANDATORY and cannot be disabled — it is essential for core platform functionality including read receipts, engagement metrics, and fraud prevention.

(b) Records ONLY interactions within the document viewer component:

  • Which pages or sections were viewed
  • Time spent on each section
  • Whether the document was downloaded or printed
  • Navigation within the document

(c) Does NOT capture:

  • Full screen recordings or screenshots
  • Content from other browser tabs or applications
  • The actual content of your documents (amounts, names, addresses)
  • Any personal information beyond viewing behavior

(d) Is retained for up to 30 days.

By using the Service, you accept this tracking as an integral part of the platform.


10. HOW WE SHARE INFORMATION

We do not sell Personal Information.

We share Personal Information only as described below:

10.1 Service Providers (Subprocessors)

We share Personal Information with vendors who help us provide the Service, including payments, hosting, AI processing, email, analytics, and monitoring.

10.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

10.3 Legal and Safety

We may disclose information to:

  • comply with law, regulation, legal process, or lawful requests;
  • protect rights, property, or safety of the Company, users, and others;
  • enforce our Terms and prevent fraud or abuse.

10.4 Integrations Chosen by You

If you connect the Service with third-party tools, we share information needed to enable that integration. Your use of third-party tools is governed by their privacy policies.

When you use built-in stock photo search features, your search queries are sent to third-party providers (such as Unsplash and Pexels) to retrieve results.


11. SUBPROCESSORS AND VENDOR TRANSPARENCY

We maintain a list of subprocessors on our Third-Party Licenses page.

Last Updated: January 22, 2026

The list includes, for each subprocessor where appropriate:

  • name;
  • location/processing region (high level);
  • purpose;
  • categories of data processed.

11.1 Notice of Material Changes

We will provide at least 30 days' notice of material changes to subprocessors.

11.2 Objection Right

Where applicable, you may object to new subprocessors within 14 days of notice. If we cannot reasonably accommodate your objection, you may terminate your account according to our Terms.


12. DATA RETENTION (DETAILED SCHEDULE)

We retain Personal Information only as long as necessary to fulfill the purposes described in this Policy, unless a longer period is required by law.

The detailed retention schedule is in Appendix B. Key periods include:

  • session replay: strictly 30 days;
  • terminated accounts: retention up to 30 days then deletion (subject to legal holds);
  • billing and tax records: typically up to 7 years (or as required by law);
  • logs and security records: typically 30 days unless required longer.

Backups may persist for limited periods for disaster recovery.


13. DATA SECURITY

We maintain reasonable safeguards designed to protect Personal Information, including:

  • encryption in transit (TLS);
  • encryption at rest (where feasible);
  • access controls and least-privilege principles;
  • logging and monitoring for abuse detection;
  • secure backup practices;
  • vendor risk management and contractual protections with subprocessors.

No system can be guaranteed 100% secure. You are responsible for safeguarding your credentials and limiting sensitive data included in free-text fields.


14. DATA BREACH NOTIFICATION

If we confirm a data breach involving Personal Information:

  • we will notify affected users without unreasonable delay;
  • where required by law, we will notify within 72 hours of becoming aware of the breach;
  • we will provide notice via email and/or in-app notification to the registered contact;
  • notifications will include, when available: nature of breach, likely consequences, and steps taken or recommended.

We may also notify regulators when required.


15. YOUR PRIVACY RIGHTS AND CHOICES

Your rights depend on where you live. We honor applicable rights including:

15.1 Access / Right to Know

You may request access to Personal Information we hold about you.

15.2 Correction

You may request correction of inaccurate Personal Information.

15.3 Deletion

You may request deletion of your Personal Information, subject to legal exceptions (for example, tax and security obligations).

15.4 Portability

You may request a portable copy of certain data in machine-readable format (CSV/JSON) where feasible.

15.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting prior processing.

15.6 Marketing Preferences

  • You can opt out of marketing emails by clicking "unsubscribe" in any marketing email.
  • Transactional emails are required for account administration and Service operation.
  • We maintain suppression lists to honor opt-out requests.

15.7 How to Submit Requests

Submit requests via:

  • Email: [email protected] with subject "Privacy Request"
  • Postal mail: 13762 W State Road 84 #272, Davie, FL 33325

15.8 Identity Verification

We may verify your identity before fulfilling a request. Verification may include confirming access to the registered email account and/or additional information needed to prevent fraud.

15.9 Timelines

  • California (CCPA/CPRA): we respond within 45 days, extendable once by 45 days with notice.
  • Mexico (LFPDPPP): we respond within 20 business days.
  • Other jurisdictions: we respond within a reasonable timeframe required by law.

15.10 Denials and Appeals

If we deny a request, we will provide an explanation (subject to legal limits). Where required, we provide appeal methods.


16. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, you may have these rights:

16.1 Notice at Collection

At or before the point of collection, we disclose the categories of Personal Information collected and purposes. See Appendix A.

16.2 Right to Know

You may request:

  • categories of Personal Information collected;
  • sources of collection;
  • purposes of use;
  • categories of third parties disclosed to;
  • specific pieces of Personal Information collected.

16.3 Right to Delete

You may request deletion of Personal Information, subject to exceptions (e.g., completing transactions, security, compliance).

16.4 Right to Correct

You may request correction of inaccurate Personal Information.

16.5 Right to Opt Out of Sale or Sharing

We do not sell Personal Information. If we engage in "sharing" for cross-context behavioral advertising, we provide opt-out mechanisms via our cookie consent tool and settings.

16.6 Right to Limit Use of Sensitive Personal Information

We do not use sensitive personal information for purposes requiring a "limit" right, except as necessary to provide the Service (if applicable).

16.7 Non-Discrimination

We will not discriminate against you for exercising CCPA/CPRA rights.

16.8 Exercising Rights

Use the request methods in Section 15. We may ask for verification. Authorized agents may submit requests with proper proof of authorization.

16.9 CCPA Metrics (If Required)

If required by law, we publish annual metrics regarding privacy requests.

16.10 Opt-Out Confirmation (Effective January 1, 2026)

When you submit an opt-out request, we will provide visible confirmation that your request has been honored. This may include:

  • an "Opt-Out Request Honored" message or badge;
  • a toggle or indicator in your account settings showing opt-out status;
  • confirmation email acknowledging your opt-out request.

16.11 Privacy Risk Assessments

We conduct privacy risk assessments for data processing activities that may present significant risk to consumer privacy, including:

  • targeted advertising;
  • sale or sharing of Personal Information;
  • processing of Sensitive Personal Information.

We comply with CPPA risk assessment submission requirements as applicable.

16.12 Global Privacy Control (GPC) Signal

We recognize and honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser:

  • we treat it as a valid opt-out request for the sale or sharing of Personal Information;
  • we apply the opt-out to the browser or device from which the signal originated;
  • if you are logged in, we may apply the opt-out to your account.

To enable GPC, visit globalprivacycontrol.org for compatible browsers and extensions.


16B. MEXICO PRIVACY RIGHTS (LFPDPPP)

If you are located in Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares - LFPDPPP) applies.

16B.1 ARCO Rights

Under Mexican law, you have the following ARCO rights:

  • Access (Acceso): request access to your Personal Information we hold;
  • Rectification (Rectificación): request correction of inaccurate or incomplete data;
  • Cancellation (Cancelación): request deletion of your Personal Information; and
  • Opposition (Oposición): object to the processing of your Personal Information for specific purposes.

16B.2 How to Exercise ARCO Rights

Submit ARCO requests to: [email protected] with subject line "ARCO Request - Mexico"

Your request must include:

  • your name and contact information;
  • clear description of the Personal Information involved;
  • documents proving your identity; and
  • any other information required to locate your data.

We will respond within 20 business days of receiving your complete request.

16B.3 Consent and Revocation

Where your consent is required for processing, you may revoke it at any time by contacting us. Revocation does not affect lawfulness of prior processing.

16B.4 Complaints

If you believe your privacy rights under Mexican law have been violated, you may file a complaint with the Ministry of Anti-Corruption and Good Government (Secretaría de Anticorrupción y Buen Gobierno) or the relevant authority.


16C. OTHER LATIN AMERICAN JURISDICTIONS

16C.1 Argentina

Argentina has received an adequacy determination from the European Commission, meaning data transfers from the EU to Argentina meet GDPR standards. If you are an Argentine resident, you have rights similar to those under GDPR, including access, rectification, deletion, and objection. Complaints may be filed with the Agencia de Acceso a la Información Pública (AAIP).

16C.2 Colombia

If you are a Colombian resident, your Personal Information is protected under Law 1581 of 2012 (Ley de Protección de Datos Personales). You have rights to access, update, rectify, and delete your data. We comply with registration requirements with the Superintendence of Industry and Commerce (SIC) where applicable. Complaints may be filed with the SIC.

16C.3 Chile

If you are a Chilean resident, your data is protected under Law 19,628 on the Protection of Private Life. You have rights to access, correct, and delete your Personal Information. Note that Chile has enacted new data protection legislation (Law 21,719) that will introduce enhanced protections; we will update our practices accordingly.

16C.4 Other Jurisdictions

If you reside in another Latin American country with data protection laws, we will honor your local privacy rights to the extent required by applicable law. Contact [email protected] to exercise your rights.


17. INTERNATIONAL TRANSFERS

We are based in the United States. Your data may be transferred to and processed in the U.S. and other locations where our subprocessors operate.

17.1 Safeguards

We implement reasonable safeguards to protect your data during transfers, including:

  • encryption in transit and at rest;
  • contractual restrictions with subprocessors;
  • access controls and security monitoring.

17.2 Transfer Necessity

Certain transfers are necessary for Service delivery (hosting, billing, support, security). Optional transfers (marketing and some analytics) are controlled via consent tools where required.


18. CHILDREN'S PRIVACY

The Service is not intended for individuals under 18.

If we learn that we collected Personal Information from a minor, we will delete it. If you believe a minor provided data, contact [email protected].


19. SENSITIVE / SPECIAL CATEGORY DATA

We do not intentionally collect sensitive personal data, such as:

  • racial or ethnic origin;
  • religious beliefs;
  • health data;
  • genetic or biometric identifiers for identification purposes;
  • sex life or sexual orientation.

You should not upload special category data into the Service unless strictly necessary and lawfully permitted. If you upload such data, you are responsible for ensuring lawful processing.


20. AUTOMATED DECISION-MAKING AND PROFILING

We may use automated processing for:

  • fraud detection and abuse prevention;
  • security monitoring;
  • feature personalization (where applicable);
  • subscription and billing management;
  • detecting Terms of Service violations.

20.1 Your Rights Regarding Automated Decisions

Where required by law, you may have the right to:

  • request human review of automated decisions;
  • contest a decision and provide additional information;
  • request explanation of the logic involved in automated decisions;
  • opt out of certain profiling for advertising or marketing purposes.

20.2 No Significant Automated Decisions Without Safeguards

We do not make solely automated decisions that have legal or similarly significant effects on you without appropriate safeguards. Specifically:

  • account suspension or termination decisions are reviewed by a human within 5 business days;
  • you may appeal automated decisions by contacting [email protected];
  • we provide explanation of significant automated decisions upon request.

20.3 Profiling for Marketing (Opt-Out Available)

We may analyze usage patterns to personalize your experience and provide relevant recommendations. You may opt out of profiling for marketing purposes by:

  • adjusting your preferences in Account Settings;
  • using Global Privacy Control (GPC) signals (see Section 16.12); or
  • contacting us at [email protected].

Opting out may result in less personalized recommendations and communications.

20.4 Automated Decision-Making Technology (ADMT) Pre-Disclosure

When we use automated decision-making technology that may significantly affect you, we will:

  • provide pre-use notice describing the technology and its purpose;
  • explain the general logic involved;
  • describe your rights regarding the decision; and
  • provide opt-out or appeal mechanisms where required by law.

20.5 AI-Assisted Behavioral Analysis

We may use AI to analyze aggregated user behavior patterns to improve the Service. This includes:

  • calculating engagement scores based on document viewing patterns;
  • identifying common behavior patterns to improve user experience;
  • generating insights about feature usage and adoption.

This analysis is used for product improvement and does not result in decisions that produce legal or similarly significant effects. You may request information about any profiling that affects you by contacting [email protected].


21. DATA PROCESSING AGREEMENT (DPA) FOR BUSINESS CUSTOMERS

If you use the Service as a business and process personal data of individuals (for example, your clients), you may be a "controller" and we may act as a "processor."

A Data Processing Agreement (DPA) is available at:

We provide a DPA automatically for customers processing EEA/UK personal data where required, and upon request for eligible customers.


22. POLICY CHANGES AND NOTICE

We may update this Policy.

22.1 Material Changes

For material changes, we will provide notice at least 30 days in advance via:

  • email to the registered contact and/or
  • in-app notification.

22.2 Version History

We maintain a version history or changelog, available upon request or on our website where applicable.


23. COMPLAINTS, DISPUTE RESOLUTION, AND JURISDICTION

23.1 Complaints and Regulators

You may lodge a complaint with:

  • the U.S. Federal Trade Commission (FTC) where applicable;
  • your state Attorney General;
  • for Mexico: the relevant privacy authority;
  • for other Latin American countries: your local data protection authority.

23.2 Governing Law

Privacy-related disputes are governed by the laws of Florida, unless applicable privacy laws require otherwise.

23.3 Arbitration and Class Action Waiver

Disputes arising under this Privacy Policy, including disputes regarding your privacy rights, are subject to the dispute resolution provisions in our Terms and Conditions, including binding arbitration and class action waiver, to the maximum extent permitted by applicable law.

Note: Certain privacy claims may not be subject to arbitration under applicable law (e.g., CCPA private right of action for data breaches). Where arbitration is prohibited by law, you retain your right to pursue claims in court.

23.4 Limitation on Privacy-Related Damages

To the maximum extent permitted by applicable law, our total liability for any privacy-related claims shall not exceed the greater of:

  • the fees paid by you in the 12 months preceding the claim; or
  • $500 (for paid and free trial accounts).

This limitation does not apply to claims arising from our gross negligence, willful misconduct, or violations of applicable data protection laws that do not permit such limitations.


23A. ADDITIONAL PROTECTIONS AND DISCLAIMERS

23A.1 Third-Party Data Indemnification

If you upload or process Personal Information of third parties (such as your clients, employees, or contacts) through the Service:

  • you represent and warrant that you have obtained all necessary consents and have a lawful basis to process such data;
  • you are responsible for complying with all applicable privacy laws regarding such data;
  • you agree to indemnify and hold harmless the Company from any claims, damages, or penalties arising from your processing of third-party Personal Information.

23A.2 User-Directed Disclosures

If you direct us to share, export, or transfer your data to third parties (including through integrations, data exports, sharing features, or APIs):

  • such disclosure is made at your request and direction;
  • we are not responsible for the privacy practices of third parties to whom you direct us to transfer your data;
  • you should review the privacy policies of any third parties before directing data transfers.

23A.3 Data Accuracy

We rely on the accuracy of information you provide. We are not responsible for errors, omissions, or consequences resulting from inaccurate, incomplete, or outdated information you submit. You agree to keep your account information current and accurate.

23A.4 Subprocessor Changes

To receive notice of subprocessor changes:

  • ensure your account email is current;
  • we will send notice at least 30 days before material subprocessor changes.

To object to a new subprocessor, email [email protected] with subject line "Subprocessor Objection" within 14 days of our notice. If we cannot reasonably accommodate your objection, you may terminate your account without penalty per our Terms.

23A.5 Regulatory Inquiries

If we receive a subpoena, court order, or regulatory inquiry that may require disclosure of your data:

  • we will notify you unless legally prohibited from doing so;
  • we will provide you with a reasonable opportunity to challenge such requests where permitted;
  • we will limit disclosure to what is legally required.

23A.6 Insurance

We maintain commercially reasonable cyber liability insurance appropriate for our data processing activities.

23A.7 Force Majeure

We are not liable for delays or failures in responding to privacy requests due to circumstances beyond our reasonable control, including natural disasters, government actions, cyberattacks by third parties, or technical failures. We will resume processing requests as soon as reasonably practicable.

23A.8 No Waiver of Your Statutory Rights

Nothing in this Policy is intended to limit any rights you have under applicable privacy laws that cannot be waived or limited by contract. Where this Policy conflicts with applicable law, the requirements of applicable law will prevail.


24. CONTACT US

Waco3.io, LLC

13762 W State Road 84 #272, Davie, FL 33325

Email: [email protected]


APPENDIX A: CCPA CATEGORY DISCLOSURES (NOTICE AT COLLECTION)

We collect the following categories of Personal Information (examples):

  1. Identifiers: name, email, account ID, IP address
  2. Commercial information: subscription history, billing status
  3. Internet activity: usage data, analytics events, device info
  4. Geolocation data: approximate location derived from IP
  5. Professional information: business name and related account fields (if provided)
  6. Inferences: feature usage patterns and preferences derived from activity

We disclose Personal Information to subprocessors for business purposes such as hosting, payments, communications, analytics, security, and AI processing.


APPENDIX B: RETENTION SCHEDULE (DETAILED)

Unless a legal hold or law requires otherwise:

  • Account profile and settings: retained while account active; deleted within 30 days after termination
  • User Content: retained while active; deleted within 30 days after termination; backups may persist for limited recovery periods
  • Session replay: strictly 30 days (unless required for security investigations)
  • Billing and tax records: typically up to 7 years (or as required by law)
  • Logs and security records: typically 30 days unless required longer for investigations
  • Marketing preferences and suppression lists: retained as long as necessary to honor preferences

APPENDIX C: SUBPROCESSOR LIST REFERENCE

A current list of subprocessors is available on our Third-Party Licenses page.

Categories of subprocessors include:

  • Cloud hosting and infrastructure
  • Payment processing (Stripe)
  • Email delivery (SendGrid)
  • Analytics and monitoring (Google Analytics, PostHog)
  • Cloud logging (Better Stack)
  • AI processing (Google Gemini)
  • Customer support tools
  • Security and fraud prevention

APPENDIX D: COOKIE CATEGORIES AND EXAMPLES

Category | Purpose | Examples
Essential | Authentication, security, session management | Session tokens, CSRF tokens
Functional | Preferences, language, UI settings | Theme preference, language selection
Analytics | Usage patterns, feature adoption, performance | Google Analytics cookies
Marketing | Campaign measurement, email tracking | Email tracking pixels (if applicable)

APPENDIX E: AI PROVIDERS AND PURPOSES

Provider | Purpose | Data Processed
Google Gemini | AI text generation and refinement for invoices, quotes, proposals | User prompts, document context, AI-generated outputs

For current AI provider policies, see the vendor links in our Subprocessor List.