Privacy Policy

1. Document Scope & Controller Identity

This Privacy Policy explains how Terminal34 LLC (“Terminal34,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards Personal Information when individuals (“you” or “User”) access or use the VeciOS homeowners-association management platform (the “Service”).

2. Information We Collect

* “Sensitive Personal Information” (“SPI”) is defined in Cal. Civ. Code §1798.140; we collect SPI only as strictly necessary to provide the Service (e.g., property address for HOA membership).

3. Sources of Personal Information Source Type Typical Data Obtained Purpose / Notes Directly from you (online forms, invite tokens, file uploads) Identifiers, HOA affiliation, ticket descriptions, uploaded documents Core account creation, resident management, ticketing Automatically from your device (server logs, cookies / local storage) IP address, device type, browser, usage events Authentication, security, analytics, troubleshooting Payment Processor – Stripe Transaction ID, subscription status, billing ZIP Subscription billing; Stripe returns tokens only—Terminal34 never stores full card numbers Authentication Platform – Supabase Encrypted password hash, refresh tokens, email-verification status Secure login, role-based access Email Service – Resend Delivery status, bounce logs Delivering invitations, announcements, ticket updates Other Users within your HOA Your email with an invitation token, comments in tickets or polls Collaboration features; governed by HOA’s internal policies No data brokers, social-media APIs, or public-records aggregators are used, and we do not purchase marketing lists. We also do not engage in “sharing” or “selling” Personal Information as those terms are defined in the CPRA.

4. Purposes of Processing & (U.S.) Legal Bases Although U.S. privacy statutes such as the CPRA do not require a “lawful-basis” analysis identical to the GDPR, we set out our internal mapping for transparency. Data Category (see § 2) Primary Purpose(s) U.S. Legal/Business Basis* Identifiers (A) Create & manage user accounts; verify invitations; personalise dashboard; send service e-mails Performance of contract; legitimate interests (identity assurance) Customer Records (B) Process subscription payments; provide invoices; detect fraud Performance of contract; legal obligation (tax, accounting) Commercial Information (D) Maintain subscription history; provide admin billing reports Performance of contract Internet / Device Activity (F) Authenticate sessions; enforce rate-limits; compile aggregate analytics Legitimate interests (security, product improvement) Geolocation (G) Derive regional settings (language, tax); detect anomalous logins Legitimate interests (security, localisation) User File Uploads (H) Store resident documents, ticket images, meeting minutes Performance of contract; legitimate interests (community record-keeping) Inferences (J) Generate dashboard metrics; surface admin alerts Legitimate interests (service optimisation) * “Legitimate interests” reflects our assessment that (a) processing is reasonably expected by U.S. users, (b) it is necessary for security or product improvement, and (c) it does not materially outweigh user privacy expectations.

5. Data-Retention Schedule & Lifecycle Controls Data Category Active Retention Post-Deletion Handling Tooling / Enforcement Account Identifiers & Roles While account is active + 30 days Purged from production DB; backups deleted within 7 days Automated lifecycle rules in Supabase; overseen via Transcend DSAR workflows Subscription & Billing Records 7 years (IRS record-keeping) Archived in cold storage; access strictly limited Stripe data-retention controls; internal finance vault Session & Device Logs 90 days rolling window Aggregated and anonymised; raw logs deleted Cloud logging TTL; verified quarterly Resident Tickets & File Uploads Until HOA admin deletes OR HOA account terminates Destroyed within 24 h of deletion event; backups purged within 7 days Supabase object-storage policies; cron validation Analytics Events 24 months aggregated Aggregates retained; granular events dropped Privacy-mode analytics (no cross-site IDs) Support Correspondence 24 months after ticket close Secure deletion Zendesk auto-purge Retention rules are codified in Terminal34’s internal Data-Lifecycle Standard and monitored with Captain Compliance dashboards. Reviews occur at least annually, and retention periods may change to meet evolving statutory requirements. Where laws conflict (e.g., tax vs. deletion request), statutory obligations prevail.

6. Disclosures, Service Providers & “Sale/Share” Status Recipient Type Examples Purpose of Disclosure CPRA Classification Core Infrastructure Supabase (hosting & auth), AWS (backup), Cloudflare (CDN) Operate and secure the Service Service Provider Payments Stripe, Inc. Subscription billing, refunds, fraud screening Service Provider E-mail Delivery Resend, Inc. Send invites, ticket updates, announcements Service Provider Compliance & Privacy Ops Transcend, Inc.; Captain Compliance, Inc. Automate data-subject requests, retention enforcement, audit logging Service Provider Professional Advisors External accountants, legal counsel Financial reporting, legal compliance, dispute resolution “Disclosure for business purposes” Corporate Events Successor entity in merger, acquisition, or asset sale Continuity of Service “Disclosure for business purposes” No Sale / No Cross-Context Sharing Terminal34 does not “sell” or “share” Personal Information—as those terms are defined in Cal. Civ. Code § 1798.140—for targeted or behavioural advertising. We also abstain from third-party ad networks, social-media plug-ins that track users, and data-broker exchanges. Users may review our full service-provider list or request additional details by emailingprivacy@terminal34.com.

7. Your Privacy Rights & How to Exercise Them Right (U.S. state statutes*) What it means for you How to submit Response time Access / Know Obtain a copy of the Personal Information we hold about you and details about our processing. In-app “Privacy Center → Request Data” or e-mail privacy@terminal34.com. Within 45 days (+ 45 days once with notice) Correction Request that we correct inaccurate Personal Information. Same as above Same timeline Deletion Ask us to delete Personal Information we collected from or about you. Same as above Same timeline Portability Receive your data in a portable (CSV/JSON) format. Same as above Same timeline Opt-out of “Sale” / “Share” Stop any “selling” or “sharing” of Personal Information for cross-context behavioural ads. We do not engage in such practices, but you may confirm your status. Toggle “Do Not Sell/Share” in Privacy Center. Immediate Limit Use of Sensitive PI Restrict use of Sensitive Personal Information to what is strictly necessary. Same as above Immediate No Automated-Decision Profiling We do not make decisions that produce legal or similarly significant effects based solely on automated processing. N/A N/A * California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Tennessee (TDPA 2025), Florida (FDPPA 2025), and other materially similar U.S. state laws. Identity verification. For access, deletion, or portability requests we must reasonably verify your identity—typically through your logged-in session or a one-time code sent to your registered e-mail. Agent requests. You may authorise an agent to act on your behalf by providing us with a signed written permission or power of attorney and by verifying your own identity directly with us.

8. Appeals Process (Denials of Privacy Requests) If we deny your privacy request, our response will state the specific reason and provide a link to this appeals process. File an appeal. Within 30 days of our denial, e-mail privacy-appeals@terminal34.com with the subject line “Privacy Request Appeal” and include the original request ID. Review. A member of Terminal34’s compliance leadership (not involved in the initial decision) will review the appeal and all supporting facts. Decision timeline. We will issue a written decision within 45 days of receiving the appeal (extendable once by 15 days with notice). Further recourse. If you reside in a state that designates a regulator for privacy complaints (e.g., Colorado Attorney General), our appeal outcome will include instructions on how to contact that authority should you remain unsatisfied. Appeals are free of charge unless requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged or the appeal refused, consistent with applicable law.

9. Security Measures Terminal34 employs a defence-in-depth model designed to meet or exceed the “reasonable security” expectation under Cal. Civ. Code § 1798.81.5 and similar statutes. Layer Key Controls Transport All browser and API traffic forced over TLS 1.2+ with HSTS. Storage Production databases, file objects, and backups are encrypted AES-256 at rest; keys managed in a cloud HSM with quarterly rotation. Authentication Supabase Auth with bcrypt-hashed passwords, optional TOTP MFA for admins, JWT session tokens scoped by role. Network Cloud-native firewalls, private subnets, VPC peering; CDN (Cloudflare) for DDoS absorption and WAF rule-sets. Application OWASP-aligned secure-coding standards; automated SAST/DAST pipelines; dependency scanning on every build. Monitoring Centralised log aggregation with 90-day retention; anomaly alerts piped to a 24/7 on-call rotation. Incident Response Written plan tested semi-annually; confirmed breaches of unencrypted PI trigger admin notice within 72 hours (sooner if required by law). Vendor & Pen-Testing Annual SOC 2 Type II audit in progress; independent penetration testing at least once per year; vendor assessments under SIG Lite. User Responsibilities Users must secure endpoint devices, enable OS/browser patches promptly, and keep credentials confidential. Terminal34 is not responsible for breaches traceable to end-user negligence. The security programme is overseen by Terminal34’s Chief Security Officer and reviewed by the Board at least annually.

10. Children’s Data VeciOS is not directed to anyone under the age of 18, and we do not knowingly collect Personal Information from children under 13 as defined by the U.S. Children’s Online Privacy Protection Act (“COPPA”). Age Gate. Registration screens require users to confirm they are at least 18 years old before an account can be created. No Intentional Collection. If we learn that we have inadvertently collected Personal Information from a child under 13, we will delete that data and the associated account as quickly as practicable. Parental Inquiries. Parents or legal guardians who believe we may have collected information from a child may contact privacy@terminal34.com. Because the Service is unavailable to EU/EEA residents, GDPR/UK Age-Appropriate Design Code provisions do not apply.

11. Automated Decision-Making & Profiling VeciOS does not employ automated decision-making systems that produce legal or similarly significant effects on users (e.g., credit, employment, or insurance determinations). Operational Metrics Only. The Service uses rule-based logic to tally ticket counts, poll outcomes, and resident-engagement scores displayed to HOA admins. These metrics do not (a) restrict access, (b) alter pricing, or (c) impose penalties on individual residents. Human Review. Any enforcement action—such as account suspension for prohibited conduct—requires human confirmation by Terminal34 staff. Accordingly, rights to opt out of automated profiling under Colorado CPA § 6-1-1309 or similar laws are not invoked by our current processing activities.

11. Limiting the Use of Sensitive Personal Information Under the California Privacy Rights Act (“CPRA”), “Sensitive Personal Information” (“SPI”) includes precise geolocation, racial or ethnic origin, and certain financial data. VeciOS collects SPI only insofar as it is strictly necessary to deliver the Service—for example: SPI Category Typical VeciOS Use Necessary? Precise Address / Unit Number Associating a resident with a specific property in the HOA ✔ Yes Billing ZIP (payment) Fraud screening and tax calculations via Stripe ✔ Yes How to Limit SPI Processing Users may restrict SPI to “necessary-only” purposes by toggling “Limit Sensitive PI” in the in-app Privacy Center or by emailing privacy@terminal34.com. When the toggle is enabled: We cease any optional enrichment or analytics that rely on SPI. SPI fields are excluded from marketing analytics and data exports. No SPI is retained beyond what is required for billing records or legal compliance. Requests are honoured immediately upon toggle activation and confirmed via e-mail.

12. Data-Minimisation Statement Terminal34 adheres to the principle of data minimisation set out in the California Privacy Rights Act and the forthcoming California Delete Act 2026, as well as general U.S. “reasonable-necessity” standards. Commitment Implementation Controls Collect only what we need Each new data-field request must pass a “purpose & proportionality” review by the Privacy Officer. Limit processing to stated purposes Role-based access controls prevent engineers or third-party vendors from querying data outside the authorised scope. Strip or truncate identifiers where feasible IP addresses in analytics logs are truncated to /24 (IPv4) or /48 (IPv6) within 24 hours. Purge data at the earliest lawful moment Automated retention timers (see § 5) delete or anonymise records on expiry. Continuous audits Pandectes privacy-ops software cross-checks data inventories against declared processing purposes and flags drift. We review minimisation rules at least annually, or sooner if statutory changes require. Requests for further information may be directed toprivacy@terminal34.com.

13. Puerto Rico-Specific Notice VeciOS is operated from Puerto Rico and is therefore subject to the Constitution of the Commonwealth of Puerto Rico, Art. II, § 8 (right to privacy) and relevant local consumer-protection statutes. Language Preference. This Privacy Policy is published in English. A courtesy Spanish translation is available on request, but the English version governs in the event of any inconsistency. Regulator Contact. Puerto Rico residents may lodge consumer complaints with the Departamento de Asuntos del Consumidor (DACO) via https://daco.pr.gov/ or by calling (787) 722-7555. Tax Considerations. Billing addresses in Puerto Rico are subject to IVU sales tax; limited billing records are retained for seven years to satisfy Departamento de Hacienda requirements (see § 5). No additional local privacy rights beyond those already described in § 9 are currently recognised under Puerto Rican law; if new legislation is enacted, we will update this Policy accordingly.

14. Changes to This Policy Advance Notice. Material changes (e.g., new data categories, new disclosure types) will be announced at least 15 days before the revised policy takes effect via: An in-app banner on the VeciOS dashboard; and E-mail to the Admin address on file. Effective Date & Versioning. Each version is stamped with an “Effective Date” at the top. Prior versions are archived and available upon written request for at least six years. Continued Use = Acceptance. Your continued use of the Service after the Effective Date constitutes acceptance of the updated terms. If you disagree, you must deactivate your HOA account before the change becomes operative. Minor Edits. Non-material edits (grammar, formatting, clarifications) may be posted without advance notice but will still update the version date.

Effective Date of Current Version: 24 May 2025