Privacy Statement
Last updated: May 9, 2026
1. Introduction
EnviroData Solutions, Inc. ("we," "us," "our") is committed to protecting your privacy. This Privacy Statement explains how we collect, use, store, share, and protect your personal data in compliance with applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA) and other applicable U.S. state privacy laws, the Brazilian Lei Geral de Proteção de Dados (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act 1988.
This Privacy Statement applies to each of our websites, services, and interactions with you that display or link to it.
2. Who Controls Your Data? (Data Controllers & Representatives)
With respect to information submitted via our public websites, EnviroData Solutions, Inc. is the Data Controller of your personal data. With respect to our service offerings, such as our Ecesis Software Solution, the company you work for is the Data Controller and EnviroData Solutions, Inc. is a Data Processor.
The primary means of contacting EnviroData Solutions, Inc. is:
Address: 1499 West 120th Avenue, Suite 110, Westminster, CO 80234
Email: legal@ecesis.net
Phone: (720) 547-5102
For inquiries under Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), or the Australian Privacy Act 1988, the President of EnviroData Solutions, Inc. serves as the designated responsible officer — Encarregado for LGPD purposes (under the small processing agents exemption, ANPD Resolution CD/ANPD No. 2/2022), and Privacy Officer for PIPEDA and Australian Privacy Act purposes. Inquiries may be directed to legal@ecesis.net.
We have appointed Lionheart Squared (Europe) Ltd as our representative in the European Economic Area (EEA):
Address: 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84, Republic of Ireland
Email: ecesis@LionheartSquared.eu
We have appointed Lionheart Squared Limited as our representative in the United Kingdom:
Address: 17 Glasshouse Studios, Fryern Court Road, Fordingbridge, Hampshire, SP6 1QX United Kingdom
Email: ecesis@LionheartSquared.co.uk
3. What Data We Collect And/Or Process
With respect to our public websites, we collect the following types of personal data:
- Identity Data - Name, company name
- Contact Data - Email, phone number
- Technical Data - IP address, browser type, device information
- Usage Data - Interactions with our website and services
- Marketing Data - Preferences for receiving communications
With respect to our service offerings, such as our Ecesis Software Solution, we collect the following types of personal data:
- Identity Data - Name, company name
- Contact Data - Email, phone number, address
- Account Data - Username, password, security questions
- Transaction Data - Payment details, purchase history
- Technical Data - IP address, browser type, device information
- Usage Data - Interactions with our website and services
- Other Data - Data required to perform the services we are contracted to provide
Sensitive or Special Category Personal Data: Where Customers submit Sensitive or Special Category Personal Data (including health information, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, or political opinions) through the Ecesis Software Solution, we apply heightened protection consistent with the High-Risk classification in our internal Data Governance procedure. We do not collect Sensitive or Special Category Personal Data through our public website.
4. How We Use Your Data (Processing Purposes & Legal Basis)
We only process personal data when we have a lawful basis, including:
| Processing Purpose | Legal Basis (GDPR, CCPA, CPRA, LGPD, PIPEDA, APPI, etc.) |
|---|---|
| Account registration and service access | Contractual necessity (GDPR: Art. 6(1)(b)) / Business Purpose under CCPA |
| Processing payments and transactions | Contractual necessity (GDPR: Art. 6(1)(b)) / Business Purpose under CCPA |
| Customer support and inquiries | Legitimate interest (GDPR: Art. 6(1)(f)) / Business Purpose under CCPA |
| Sending marketing communications | Consent (GDPR: Art. 6(1)(a)) / Opt-in required under CCPA, LGPD, APPI |
| Improving services and websites | Legitimate interest (GDPR: Art. 6(1)(f)) / Business Purpose under CCPA |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell or rent your personal data to third parties.
How Long We Retain Your Data
We retain personal data only as long as necessary for the purposes described above, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specific retention periods vary by data type and are documented in our internal Data Governance and Records Retention procedure. As a general guide:
- Account and customer data: for the duration of the contract plus 5 years
- Employment records: 3 to 7 years following employment termination, depending on record type
- Audit and security logs: per system retention (typically 30–90 days for cloud platform logs; longer for incident records)
- Tax and accounting records: 7 years
When personal data is no longer needed, we delete or anonymize it in accordance with our retention schedule, except where preserved under a legal hold.
5. How We Share Your Data
We share data with:
- Service Providers (Data Processors) - Third-party companies that help provide services (e.g., payment processors, hosting providers, email services). All service providers are bound by Data Processing Agreements (DPAs). A current list of our sub-processors, including the categories of data each handles, is available on request from legal@ecesis.net and is updated when sub-processors change. Customers receive advance notice of new sub-processor appointments per the Data Processing Addendum.
- Legal Authorities - If required by law, court order, or law enforcement request. Where legally permitted, we will challenge requests we consider unlawful and notify affected Customers before disclosure.
- Business Transfers - If we are acquired, merged, or sell a portion of our business, your personal data may be transferred, with prior notice.
We do not share your personal data with third parties for their own marketing purposes.
Data Security Incidents. In the event of a personal data breach affecting personal data for which EnviroData Solutions, Inc. is the Data Controller, we will notify affected data subjects without undue delay where required by applicable law, and will notify the relevant supervisory authority within 72 hours where required by GDPR Article 33 or analogous provisions. Where EnviroData Solutions, Inc. acts as Data Processor, we will notify the Customer (Controller) without undue delay and within 72 hours of becoming aware of the incident, and will support the Customer's notification obligations as set out in our Data Processing Addendum.
6. Where We Process Your Data & International Transfers
Personal data submitted through the Ecesis Software Solution is primarily processed and stored on Microsoft Azure infrastructure in the United States. We may use Microsoft Azure data centers in other regions for redundancy, disaster recovery, or specific customer-requested data residency. Other categories of personal data (e.g., business correspondence, employee records) are processed in the United States.
When personal data is transferred outside the country of origin, we rely on one or more of the following safeguards as required by applicable law:
- Standard Contractual Clauses (SCCs) (GDPR, UK GDPR, PIPEDA, APPI, LGPD)
- Binding Corporate Rules (BCRs) where applicable
- Adequacy Decisions for countries approved by the EU Commission or UK Information Commissioner
You may request a copy of the safeguards applicable to your data by contacting us at legal@ecesis.net.
7. Your Data Privacy Rights
Under GDPR and UK GDPR, you have the following data subject rights:
- Right to Access - Request a copy of your personal data.
- Right to Rectification - Correct inaccurate or incomplete data.
- Right to Erasure - Request deletion of your data ("Right to be Forgotten").
- Right to Restriction - Request limited data processing.
- Right to Data Portability - Receive your data in a structured format.
- Right to Object - Object to data processing for marketing or legitimate interests.
- Right to Withdraw Consent - Withdraw consent at any time.
- Right to Lodge a Complaint - File a complaint with a Data Protection Authority (DPA).
For residents of U.S. states with comprehensive privacy laws (including California, Colorado, Connecticut, Virginia, and other states that have enacted similar legislation):
- Right to Know - Request what personal data we collect
- Right to Delete - Request deletion of data
- Right to Correct - Correct inaccurate data
- Right to Opt-Out - Prevent the sale, sharing, or targeted advertising use of personal information
- Right to Limit Use of Sensitive Personal Information
For Brazil Residents (LGPD):
- Right to Confirm Processing
- Right to Access
- Right to Correct or Update
- Right to Anonymize, Block, or Delete Excess Data
- Right to Data Portability
- Right to Information about Third-Party Sharing
- Right to Withdraw Consent
For Canada (PIPEDA) & Australia (Privacy Act 1988):
- Right to Access and Correct Information
- Right to Withdraw Consent
- Right to Lodge a Complaint with the relevant Privacy Commissioner
How to Exercise Your Rights: To request access, deletion, correction, or other rights with respect to your data, contact us at legal@ecesis.net or by phone at (720) 547-5102. Data subjects in the EEA and UK may also contact our Representatives identified in Section 2.
Before responding, we may ask you for information sufficient to verify your identity, commensurate with the sensitivity of the data. We will respond within the timeframe required by the law applicable to your request:
- GDPR / UK GDPR: 30 calendar days, extendable up to 60 additional days for complex requests with notice to you
- CCPA / CPRA, Colorado Privacy Act, Virginia CDPA, Connecticut DPA: 45 calendar days, extendable up to 45 additional days with notice
- LGPD (Brazil): 15 days for confirmation of processing; full access response within a reasonable period
- PIPEDA (Canada): 30 days, extendable up to 30 additional days for legitimate reasons with notice
- Australian Privacy Act 1988: a reasonable period, typically 30 days
Responses are provided free of charge, except where a request is manifestly unfounded or excessive — in which case we may charge a reasonable fee or decline, with documented justification.
8. Automated Decision-Making
EnviroData Solutions, Inc. does not engage in automated decision-making, including profiling, that produces legal effects concerning data subjects or similarly significantly affects them within the meaning of GDPR Article 22. If this changes in the future, we will update this Privacy Statement and provide notice as described in Section 11.
9. Children's Privacy
Our services and website are not directed to children under 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete it promptly. Parents or guardians who believe their child has provided personal data to us may contact legal@ecesis.net to request deletion.
10. Cookies & Tracking Technologies
Cookies are small data files that your browser places on your computer or device. A cookie itself does not contain or collect information. However, when it is read by a server via a web browser, it can help a website deliver a more user-friendly service. For more information about cookies and how to manage them, please read our Cookie Policy.
11. Updates to this Privacy Statement
We may update this Privacy Statement from time to time to reflect changes in our practices, applicable law, or services. The "Last updated" date at the top of this Statement reflects the date of the most recent revision.
Where we make material changes — for example, expanded categories of data we collect, new purposes of processing, or changes to your rights — we will provide additional notice through the Ecesis platform (for active customers and users), by email where we have a current address, or by other reasonable means at least 30 days before the change takes effect, except where a shorter period is required by law.
We encourage you to review this Statement periodically. Your continued use of our services after a Privacy Statement update constitutes acceptance of the revised terms, except where additional consent is required by applicable law.
12. Contact Us
If you have questions about this Privacy Statement, contact us at:
1499 West 120th Avenue, Suite 110
Westminster, CO 80234
(720) 547-5102
legal@ecesis.net
EU Representative FAO Ecesis
2 Pembroke House, Upper Pembroke Street 28-32
Dublin, D02 EK84, Republic of Ireland
ecesis@LionheartSquared.eu
UK Representative FAO Ecesis
17 Glasshouse Studios, Fryern Court Road, Fordingbridge
Hampshire, SP6 1QX United Kingdom
ecesis@LionheartSquared.co.uk


