Privacy Policy
Last updated: May 2026
This Privacy Policy explains what information We collect when You use gexscan, how We use it, who else sees it, how long We keep it, and what rights You have over it.
Interpretation and definitions
Interpretation
Capitalized terms have the meanings given below. A definition applies in the singular and the plural equally.
Definitions
- Account — a unique record created for You to access the Service or parts of it.
- Business, for purposes of the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), refers to the Company as the entity that determines the purposes and means of processing Consumers' personal information.
- Company (also "We", "Us", "Our") — gexscan, a California sole proprietorship doing business as gexscan.com. For purposes of the European General Data Protection Regulation ("GDPR"), the Company is the Data Controller.
- Consumer, for purposes of the CCPA, means a natural person who is a California resident.
- Cookies — small text files placed on Your Device when You visit a website, used among other things to remember Your preferences and analyze activity.
- Country — the State of California, United States.
- Data Controller, for purposes of GDPR, refers to the Company as the entity that, alone or with others, determines the purposes and means of processing Personal Data.
- Device — any computer, phone, tablet, or other hardware used to access the Service.
- "Do Not Track" (DNT) — a browser signal promoted by the U.S. Federal Trade Commission as a way for users to communicate that they do not wish to be tracked across websites.
- Personal Data — any information that relates to an identified or identifiable individual. Under GDPR, this includes information such as a name, ID number, location data, online identifier, or any factor specific to the individual. Under CCPA, this includes any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked (directly or indirectly) with You.
- Sale, for purposes of the CCPA, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a Consumer's personal information to another business or third party for monetary or other valuable consideration.
- Service — the website at gexscan.com and any other product We make available under the name "gexscan."
- Service Provider — any third party that processes data on Our behalf. Under GDPR, Service Providers are Data Processors.
- Usage Data — data generated automatically by the use of the Service or by the Service infrastructure itself, such as IP address, page-view timestamps, and session duration.
- You — the individual using the Service or, where applicable, the entity on whose behalf the individual is using the Service. Under GDPR, You may be referred to as the Data Subject.
What We collect and how
Information You give Us directly
- Account details. When You register, Our authentication provider collects Your name, email address, and a password or third-party identity-provider identifier (for example a Google account ID, if You sign in with Google).
- Billing details. When You subscribe, Our payment processor collects and stores Your billing information (cardholder name, billing address, payment-method identifier, last four digits of Your card, brand, and expiration date). We do not store full payment-card numbers on Our servers; Our payment processor handles them under PCI-DSS standards. We receive a limited subset of the data (such as the last four digits, the brand, and the billing ZIP) for use in receipts and dispute handling.
- Communications with Us. When You email Us, request support, or otherwise contact Us, We collect the content of Your message and any contact information You include.
- In-product preferences. Settings You choose (visible columns, layout choices, watchlists, and the like) may be stored on Our servers or in Your browser's local storage.
Information We collect automatically
- Usage Data. Pages viewed, features used, actions taken, timestamps, referrers, queries entered into the Service, performance metrics, and error logs.
- Device and connection information. Your IP address, approximate location inferred from IP, browser type and version, operating system, device type, screen dimensions, language settings, and similar technical identifiers.
- Cookies and similar technologies. See the section on cookies below.
Information We receive from third parties
- From identity providers. If You sign in with Google or another third-party identity provider, We receive Your name, email address, and profile-image URL from that provider via Our authentication vendor.
- From the payment processor. Subscription status, transaction history, and dispute or chargeback events.
- From infrastructure partners. Aggregate technical information about traffic patterns, request latency, error rates, and security events from Our hosting, database, and content-delivery vendors.
We do not knowingly collect government identification numbers, biometric data, precise GPS location, health information, or other special categories of sensitive personal information.
How We use Personal Data
We process Personal Data for the following purposes:
- To run the Service. Provide, operate, maintain, and improve the Service; monitor usage; develop new features; troubleshoot problems.
- To manage Your Account. Verify Your identity, support Your registration, and give You access to features that depend on Your subscription tier.
- To process payments. Handle subscriptions, renewals, refunds, and chargebacks via Our payment processor.
- To contact You. Send transactional and service messages (billing, security, account-related, and service announcements) and, where You have opted in, marketing communications. Unsubscribing from marketing messages does not opt You out of transactional messages.
- To respond to support requests.
- To prevent fraud and abuse. Detect and respond to unauthorized access, automated scraping, and violations of the Terms and Conditions.
- To enforce Our rights. Investigate breaches, defend claims, and comply with legal obligations and lawful requests from public authorities.
- To handle business transfers. Evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets — whether ongoing or as part of a bankruptcy, liquidation, or similar proceeding — in which Personal Data is among the assets transferred.
- For analytics and product research. Understand which features are valuable, measure effectiveness of changes, and improve Your experience.
Legal bases (GDPR)
If You are located in the European Economic Area, the United Kingdom, or Switzerland, We process Personal Data on one or more of the following legal bases: (a) consent You have given for a specific purpose; (b) performance of a contract with You (or in order to take pre-contractual steps at Your request); (c) legitimate interests We (or a third party) have in operating, securing, and improving the Service, except where Your interests or fundamental rights override those interests; (d) legal obligations applicable to Us; and (e) protection of vital interests of You or another natural person, where applicable. We will explain Our specific legal basis for any particular processing on request.
Who else sees Your Personal Data
We do not sell or rent Personal Data. We share it only as described in this section.
Service Providers
We use third-party vendors to operate parts of the Service. Each vendor is contractually limited to handling Personal Data only as needed to perform services for Us and is required to protect it appropriately. Vendors currently in use include:
- Authentication and account management — for login, password handling, and identity-provider integrations.
- Payment processing — for subscription billing, recurring charges, and fraud screening; this vendor adheres to PCI-DSS standards as managed by the PCI Security Standards Council and the major card brands.
- Source market data — for the upstream market-data feed that powers the analytics on the Service. This relationship is input-only; We do not share Personal Data with this vendor.
- Frontend hosting and content delivery — for serving the website and its assets to Your browser.
- Backend hosting and database storage — for serving the application API and persisting account data.
- DNS, content delivery, and security — for DNS resolution and protection against denial-of-service and other attacks.
- Transactional and notification email delivery — for sending account, billing, and other service-related email.
- Administrative email — for handling Our support inbox and other operational correspondence.
Each of those vendors processes Personal Data under its own privacy policy and security practices. We may add, remove, or change vendors over time and will update this Privacy Policy if We change the underlying category of vendor We rely on.
Legal disclosures
We may disclose Personal Data when We believe in good faith that disclosure is necessary to: comply with a law, regulation, subpoena, court order, or other legal process; respond to a lawful request from a government authority (including for national security or law-enforcement purposes); enforce Our agreements with You; detect, prevent, or address fraud, security incidents, or technical issues; or protect the rights, property, or safety of Us, Our users, or others.
Business transfers
If We are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of Our assets, Personal Data may be transferred as part of that transaction. We will notify You of any such change in ownership or control of Your Personal Data and give You any choices required by applicable law.
Aggregated or de-identified information
We may share aggregated or de-identified information that cannot reasonably be used to identify You, for any business purpose, including marketing, analytics, research, and partnerships.
How long We keep Your Personal Data
We keep Personal Data only as long as necessary to provide the Service, comply with Our legal obligations, resolve disputes, and enforce Our agreements. When We no longer need Personal Data, We delete or anonymize it according to Our internal retention practices. Typical retention windows:
- Account data — kept while Your Account is active, then retained for a reasonable period after closure to handle post-cancellation issues, then deleted or anonymized.
- Payment and tax records — kept for the period required by applicable tax, accounting, and financial regulations (typically seven years in the United States).
- Email correspondence — retained for as long as reasonably needed to handle the matter and any follow-up, then archived or deleted.
- Usage and security logs — retained for a limited period to support analytics, abuse prevention, and security investigations, then aggregated or deleted.
- Backups — may persist longer in encrypted form until they are overwritten in the normal rotation.
Transferring Personal Data internationally
We are based in the United States. The information We collect is processed and stored in the United States and, depending on the Service Provider, in other countries where those vendors operate. Data protection laws in those countries may differ from those in the country where You live. By using the Service, You agree that Your Personal Data may be transferred to and processed in those countries. We rely on appropriate safeguards (such as contractual protections) where applicable law requires them.
Security
We take reasonable administrative, technical, and physical measures to protect Personal Data against loss, theft, unauthorized access, disclosure, alteration, and destruction. These include encryption in transit (HTTPS / TLS), payment-card handling by a PCI-DSS-compliant processor, scoped access controls inside Our infrastructure, hashed credentials held by Our authentication vendor, and DDoS and content-delivery protection by Our CDN vendor.
However, no system that connects to the public internet is fully secure. We cannot guarantee absolute security. You are responsible for picking a strong, unique password (or using a strong third-party identity provider), keeping Your credentials confidential, and telling Us immediately if You suspect unauthorized access to Your Account.
Cookies and similar technologies
The Service uses cookies, local storage, and similar technologies. Categories in use:
- Strictly necessary — for authentication, session management, security, and load balancing.
- Preferences — for remembering Your in-product settings (visible columns, layout, watchlists, etc.).
- Analytics — for understanding how the Service is used so We can improve it.
You can configure Your browser to refuse cookies or to alert You when cookies are being sent. Disabling cookies may break parts of the Service.
Do Not Track. The Service does not currently respond to "Do Not Track" browser signals because no industry standard for honoring them has been finalized. We may revisit this position. Even though We do not respond to DNT, some third-party websites do, and You can enable DNT in Your browser's preferences if You want to send the signal generally.
Your privacy choices
- Account information. Update Your profile by signing in and editing Your settings, or by emailing Us.
- Marketing emails. Opt out of promotional emails by clicking the unsubscribe link in any such email. Transactional and service emails cannot be opted out of while You maintain an Account.
- Cookies. Configure Your browser to refuse or alert You to cookies.
- Account deletion. Request deletion of Your Account by emailing support@gexscan.com from the address associated with the Account. See the rights sections below for the legal grounds on which We may retain certain information after a deletion request.
Rights under GDPR
If You are within the European Economic Area, the United Kingdom, or Switzerland, the following rights apply to You, and We undertake to respect Your Personal Data and to help You exercise these rights:
- Access. Request a copy of the Personal Data We hold about You and information about how We process it.
- Correction. Have inaccurate or incomplete Personal Data corrected.
- Erasure. Ask Us to delete Personal Data where there is no compelling reason for Us to keep it.
- Restriction. Ask Us to restrict processing of Your Personal Data in certain circumstances.
- Portability. Receive Personal Data You gave Us in a structured, commonly used, machine-readable format, and transmit it to another controller. This right applies to data You provided based on consent or contract and that is processed by automated means.
- Objection. Object to processing where We rely on legitimate interests, including objection to direct marketing.
- Withdrawal of consent. Withdraw any consent You previously gave. Withdrawal does not affect the lawfulness of processing before the withdrawal.
To exercise these rights, email support@gexscan.com from the address associated with Your Account, or otherwise provide enough information for Us to verify Your identity. You may also lodge a complaint with Your local data-protection authority in the EEA.
Rights under CCPA / CPRA — for California residents
This section supplements the information above and applies to California residents.
Categories of personal information collected in the past 12 months
Based on the categories defined by the CCPA, We may have collected the following from California residents. Inclusion of a category below reflects Our good-faith view that some data of that type may have been collected; it does not mean every example of that category was collected.
- Category A: Identifiers — name, alias, email address, online identifier, IP address, account identifier. Collected: Yes.
- Category B: California Customer Records statute (Cal. Civ. Code § 1798.80(e)) — name, billing address, telephone, and payment-method identifiers handled by Our payment processor. Collected: Yes.
- Category C: Protected classification characteristics — age (40 or older), race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, disability, sex, sexual orientation, veteran status, genetic information. Collected: No.
- Category D: Commercial information — subscription history, transactions, products considered. Collected: Yes.
- Category E: Biometric information. Collected: No.
- Category F: Internet and similar network activity — interaction with the Service, browsing within the Service, device and browser metadata. Collected: Yes.
- Category G: Geolocation data — only approximate location inferred from IP address; no precise GPS data. Collected: Approximate only.
- Category H: Sensory data (audio, visual, thermal, etc.). Collected: No.
- Category I: Professional or employment information. Collected: No.
- Category J: Non-public education information under FERPA. Collected: No.
- Category K: Inferences drawn from any of the above to create a profile of preferences, characteristics, or behavior. Collected: Limited — We may infer feature preferences from usage but do not build psychological or demographic profiles.
Sources of personal information
- Directly from You — registration forms, account settings, support emails, billing checkout.
- Indirectly from You — observation of Your activity within the Service.
- Automatically — cookies and similar technologies set on Your Device as You navigate the Service.
- From Service Providers — for example, Our payment processor, Our authentication vendor, and Our analytics vendors.
Business and commercial purposes for which information is used
See the section "How We use Personal Data" above for a full description. In CCPA terms, We may use or disclose personal information collected for, among other things: operating the Service; providing support; fulfilling the reasons You provided information; responding to law-enforcement requests and complying with applicable law; internal administrative and auditing purposes; and detecting and preventing fraud, abuse, security incidents, and other illegal activity.
Sale or sharing of personal information
We do not sell personal information as "sell" is defined in the CCPA, and We do not "share" personal information for cross-context behavioral advertising as "share" is defined in the CPRA. We have not sold or shared personal information in the past 12 months. If this ever changes, We will update this Privacy Policy and provide the opt-out mechanism required by law.
Disclosure of personal information for business purposes
We may have disclosed in the past 12 months categories A, B, D, and F (as defined above) for business purposes — to Service Providers under contracts that require them to keep the information confidential and not use it for any other purpose.
Personal information of minors under 16
We do not knowingly collect personal information from minors under 16 through the Service. We do not sell or share the personal information of consumers We actually know to be under 16. If You believe a minor under 13 has provided Us with personal information, please contact Us with enough detail to let Us locate and delete it.
Your rights under the CCPA / CPRA
California residents have the following rights:
- Right to notice — to know the categories of personal information collected and the purposes for which they are used.
- Right to know. Request that We disclose: the categories of personal information We collected; the categories of sources; Our business or commercial purpose for collecting it; the categories of third parties with whom We shared it; and the specific pieces of personal information We hold about You.
- Right to correct. Request correction of inaccurate personal information.
- Right to delete. Request deletion of personal information collected from You, subject to statutory exceptions (for example, where We need it to provide a requested service, to detect fraud, to comply with a legal obligation, or to debug or repair the Service).
- Right to opt out of sale or sharing. Direct Us not to sell or share Your personal information. As stated above, We do not currently sell or share it.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is necessary to provide the Service.
- Right to non-discrimination — We will not deny You service, charge You a different price, provide You a different level of service, or otherwise discriminate against You for exercising any of these rights.
Exercising Your CCPA / CPRA rights
To exercise any of these rights, email support@gexscan.com from the email address associated with Your Account. Only You — or a person registered with the California Secretary of State whom You have authorized to act on Your behalf — may make a verifiable request related to Your personal information. We may ask You to verify Your identity before We respond. We will respond within 45 days of receiving a verifiable request and may extend that period by an additional 45 days when reasonably necessary, with notice to You. Any disclosures We provide will cover the 12-month period preceding receipt of the request. For data-portability requests We will provide the data in a readily usable format.
Do Not Track
As noted above, We do not respond to "Do Not Track" signals. Some third-party websites do. You can enable DNT in Your browser's preferences if You want to send the signal more broadly.
Children's privacy
The Service is intended for adults. We do not knowingly collect personal information from anyone under 18. If You believe a child has provided Us with personal information, email support@gexscan.com and We will take steps to remove it. If We learn that We have collected personal information from a child under 13 without verification of parental consent, We will delete it from Our servers.
California Shine the Light (Cal. Civ. Code § 1798.83)
California residents who have an established business relationship with Us may request, once a year, information about Our disclosures of personal information to third parties for those third parties' direct-marketing purposes in the preceding calendar year. We do not currently share personal information with third parties for those parties' direct-marketing purposes.
California minor users (Cal. Bus. & Prof. Code § 22581)
California Business and Professions Code Section 22581 permits California residents under 18 who are registered users of online services to request and obtain removal of content or information they have publicly posted on the service. To make such a request, email Us from the address associated with Your Account. Note that the law does not require complete or comprehensive removal in every case, and that some information may remain in archived backups or where applicable law permits Us to keep it.
Links to other websites
The Service may contain links to other websites or services that We do not operate. If You follow a link, You leave the Service. We do not control and have no responsibility for the content, privacy practices, or behavior of any third-party site. We strongly encourage You to read the privacy policy of any third-party site You visit.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When We do, We will revise the "Last updated" date at the top of this page. For material changes, We will give You reasonable advance notice — for example by email to the address on file or by a prominent notice in the Service — before the change takes effect. Your continued use of the Service after the effective date constitutes Your acceptance of the updated Policy. If You do not agree, stop using the Service and request Account deletion.
Contact
Questions about this Privacy Policy or Your Personal Data can be sent to support@gexscan.com.