We collect information that you or your organization ("Customer") directly provides when using the Service, including but not limited to:

• Account Information: Business name, contact names, email addresses, phone numbers, business addresses, and billing information
• User Credentials: Usernames, passwords (encrypted), and authentication data
• Account Settings: User preferences, notification settings, workflow configurations, customization options, display preferences, integration settings, and any other account configuration data
• Account Legal Templates: Customized legal documents, exchange agreements, contract templates, disclosure forms, standardized correspondence, and any legal or compliance templates created, modified, or stored within the Service
• Exchange Transaction Data: Information related to 1031 exchanges including exchanger details, property information, transaction dates, exchange amounts, and related documentation
• Communications: Messages, support requests, feedback, and correspondence with us
• Uploaded Content: Documents, files, contracts, closing statements, and other materials uploaded to the Service

When you use the Service, we may automatically collect, including but not limited to:

• Usage Data: Access times, features used, pages viewed, links clicked, search queries, interaction patterns, session duration, feature adoption metrics, and any other behavioral or usage information
• Device Information: IP address, browser type and version, operating system, device identifiers, hardware information, screen resolution, language settings, time zone, and any other device-related information
• Log Data: Server logs, error reports, system activity records, API calls, database queries, performance metrics, and any other system or application logs
• Cookie Data: Information collected through cookies and similar tracking technologies (see Section 8)
• Location Information: General geographic location based on IP address or other identifiers
• Performance Data: Application performance metrics, load times, error rates, and system health indicators

We may receive information from third-party services you integrate with the Service, including but not limited to payment processors, identity verification services, business intelligence tools, authentication providers, and any other third-party applications or services.

We may derive or infer additional information based on the data we collect, including but not limited to user behavior patterns, preferences, tendencies, and other analytical insights.

• Providing, operating, maintaining, and improving the Service
• Processing and managing 1031 exchange workflows
• Facilitating communication between QIs, exchangers, and other parties
• Storing and organizing exchange documentation and transaction records
• Generating reports, analytics, and compliance documentation
• Customizing user experience based on preferences and usage patterns
• Managing and storing account settings and legal templates

• Creating and managing user accounts
• Processing payments and billing
• Providing customer support and responding to inquiries
• Sending administrative notifications and service updates
• Conducting internal analytics and service improvement
• Training machine learning models and improving algorithms, using de-identified or aggregated data from which personally identifiable information, taxpayer identification numbers, and direct client identifiers have been removed prior to use
• Developing new features and services
• Benchmarking and performance analysis

• Complying with legal obligations and regulatory requirements
• Enforcing our Terms of Service and other policies
• Detecting, preventing, and addressing fraud, security issues, or technical problems
• Protecting the rights, property, and safety of our Company, users, and the public
• Responding to law enforcement requests and legal processes
• Conducting audits and investigations
• Establishing, exercising, or defending legal claims

• Sending promotional communications about new features, services, or offerings
• Conducting surveys and market research
• Analyzing market trends and customer needs

• Any other purpose disclosed to you at the time of collection
• Any other purpose with your consent

We do not sell, rent, or trade personal information or Customer Data to third parties for their marketing purposes.

We may share information with third-party service providers who perform services on our behalf, including but not limited to:

• Cloud hosting and infrastructure providers
• Payment processors and billing services
• Customer support platforms
• Email delivery services
• Analytics providers
• Security and fraud prevention services
• Data backup and disaster recovery services
• Professional advisors (attorneys, accountants, consultants)

These providers are contractually obligated to protect your information and use it only for specified purposes.

If we are involved in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of assets, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

We may disclose information when we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, legal processes, or governmental requests
• Enforce our agreements, policies, and Terms of Service
• Respond to claims that content violates third-party rights
• Protect the rights, property, or safety of our Company, users, or the public
• Prevent or investigate possible wrongdoing, fraud, or security issues

We may use and share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for the following purposes: operating, maintaining, and improving the Service; industry benchmarking and statistical research; developing new features and services; and generating analytical insights. We will not sell such data to third parties in identifiable form, disclose your identifiable data to other customers, or use such data to develop services specifically marketed to your competitors, consistent with our Terms of Service.

We may share information with third parties when you explicitly consent to such sharing or at your direction.

We access Google user data only when you explicitly connect your Gmail or Google account through our OAuth flow. We use the following Google APIs and scopes:

• Gmail API (gmail.readonly, gmail.send): To read email messages (headers and body) and to send emails on your behalf when you use the "Send from my email" feature
• Google Calendar API (calendar.events): To create, read, update, and delete calendar events (for example, syncing reminders to your Google Calendar)
• Google OAuth (userinfo.email): To obtain your email address for account identification

We use Google user data solely to:

• Email tracking: Sync and display email exchanges between you and your contacts within the Service
• Send emails: Send emails from your Gmail account when you choose to use your connected email for correspondence
• Calendar reminders: Create, update, and delete reminder events in your Google Calendar
• Account management: Identify and associate your connected Gmail account with your Service account

We do not use Google user data for advertising, and we do not use it for purposes unrelated to the features described above. Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We store:

• OAuth tokens: Encrypted access and refresh tokens to maintain your connection to Gmail and Google Calendar
• Email content and metadata: Message headers (From, To, Cc, Subject, Date) and body content that we sync from Gmail, stored in our database to display email exchanges within the Service
• Calendar event identifiers: References to calendar events we create so we can update or delete them when reminders change

Stored data is retained in accordance with Section 8 (Data Retention) and is protected by the security measures described in Section 7 (Data Security).

We do not sell Google user data. We may share Google user data only as described in Section 5 (Information Sharing and Disclosure), including with service providers who assist in operating the Service (e.g., cloud hosting, infrastructure) and who are contractually bound to protect your data. We do not share Google user data with third parties for their marketing purposes.

You may disconnect your Gmail or Google account at any time through Settings → Email & Calendar Sync. Upon disconnection, we will stop accessing new Google user data. We will retain previously synced email content and metadata according to our data retention policy unless you request deletion.

We maintain a security program designed to protect information against unauthorized access, disclosure, alteration, and destruction. Our program is risk-based and may include measures such as:

• Encryption: Encryption of data in transit and at rest using industry-standard protocols
• Access Controls: Controls to limit access to information based on role and need
• Network Security: Technical measures to monitor and protect our network infrastructure
• Security Testing: Periodic assessments to identify and address vulnerabilities
• Incident Response: Procedures for identifying and responding to security incidents
• Personnel Controls: Security awareness practices for personnel with access to information
• Audit Logging: Logging of system access and material changes

The measures described above represent the general nature of our security program and are subject to change as technology, threats, and our business evolve. These descriptions do not constitute warranties, guarantees, or representations regarding any specific security outcome, certification, or level of protection. No security program eliminates all risk.

No method of transmission or storage is 100% secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. You acknowledge and accept the inherent risks of transmitting and storing information electronically. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

In the event of a confirmed security incident that has materially compromised Customer Data in our systems, we will notify the affected Customer within a commercially reasonable timeframe to allow Customer to fulfill its own breach notification obligations under applicable law. As set forth in our Terms of Service (Section 16), Customer is solely responsible for determining whether notification to data subjects, regulatory authorities, or other parties is required, and for preparing, sending, and bearing all costs of such notifications. Our notification to Customer does not constitute an admission of liability or a determination that any legal notification obligation has been triggered.

We retain information for as long as necessary to:

• Provide the Service and fulfill the purposes described in this Policy
• Comply with legal, regulatory, tax, accounting, or reporting requirements
• Resolve disputes and enforce our agreements
• Maintain backup and disaster recovery systems
• Protect our legal rights and interests
• Any other legitimate business purpose

• Exchange Transaction Data: Retained for minimum of 7 years after transaction completion or as required by IRS regulations and applicable state laws
• Account Information: Retained during active subscription and for 3 years after termination, or longer if required
• Legal Templates: Exchange agreements, disclosure forms, and compliance templates retained during active subscription and for 7 years after termination for compliance and legal purposes
• Account Settings: General configuration, preferences, and workflow settings retained during active subscription and for 1 year after termination
• Usage Logs: Retained for 12-24 months unless required longer for security, legal, or business purposes
• Financial Records: Retained for 7 years for tax and accounting purposes
• Backup Systems: Information may persist in backup systems for up to 12 months

Upon termination of your account, you have 30 days to export your data in accordance with our Terms of Service (Section 12.5). Following that export window, we will delete or anonymize your information within 90 days of account termination, except where retention is required or permitted by law, legitimate business purposes (including but not limited to outstanding disputes, security investigations, fraud prevention, audit requirements, or enforcement of agreements), or technical limitations of backup systems. For deletion requests submitted during an active account, we will process the request within 90 days subject to the same exceptions.

We may use cookies, web beacons, pixels, local storage, and similar tracking technologies, including but not limited to:

• Essential Cookies: Required for Service functionality (authentication, security, session management)
• Functional Cookies: Enable enhanced features and personalization
• Analytics Cookies: Help us understand Service usage and performance
• Advertising Cookies: Used for marketing purposes (with consent where required)
• Third-Party Technologies: Technologies operated by third-party partners for analytics, advertising, or other purposes

You can control cookies through your browser settings. Disabling certain cookies may limit Service functionality. We respect Do Not Track signals where technically feasible and legally required.

You may access and export your information through your account settings or by contacting us. We will provide access in accordance with applicable law.

You may correct or update your account information at any time through the Service or by contacting us.

You may request deletion of your information, subject to our retention obligations and legal rights. Some information may be retained in backup systems for up to 12 months or as otherwise permitted by law.

You may object to certain processing activities or request restriction of processing in specific circumstances where permitted by law.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

You may opt out of marketing emails by clicking "unsubscribe" in any marketing message or adjusting your account preferences.

To exercise any of these rights, contact us at privacy@vectorqi.com. We will respond within the timeframe required by applicable law (typically 30-45 days). We reserve the right to verify your identity before processing requests and may deny requests that are unreasonable, excessive, or prohibited by law.

We operate globally and may transfer, store, and process information in countries other than where you reside, including but not limited to the United States. These countries may have different data protection laws that may not provide the same level of protection as your home country.

For transfers from the EEA, UK, or Switzerland to countries without adequate protection determinations, we may implement appropriate safeguards including but not limited to:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules
• Other legally approved transfer mechanisms
• Reliance on derogations for specific situations

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Categories and specific pieces of personal information collected, sources, purposes, and third parties with whom shared
• Right to Delete: Deletion of personal information, subject to exceptions
• Right to Correct: Correction of inaccurate personal information
• Right to Opt-Out: Opt-out of sale or sharing of personal information (note: we do not sell personal information)
• Right to Limit: Limit use of sensitive personal information
• Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise

Sale and Sharing of Personal Information. We do not sell personal information for monetary consideration. We do not engage in cross-context behavioral advertising. If this changes, we will update this Policy and provide California residents with the ability to opt out as required by the CPRA. To exercise your opt-out rights or for questions about our data practices, contact us at privacy@vectorqi.com.

In the preceding 12 months, we may have collected the following categories of personal information: identifiers, commercial information, internet/network activity, geolocation data, professional information, and inferences.

California residents may request information about disclosure of personal information to third parties for direct marketing purposes.

California residents may exercise these rights by emailing privacy@vectorqi.com. We will verify your identity before processing requests and respond within 45 days (with possible 45-day extension).

The Service involves both controller and processor relationships:

Customer Data (exchanger and transaction data uploaded by Customer): Customer acts as the data controller and we act as a data processor. Customer is solely responsible for:

• Ensuring lawful collection and processing of exchanger information
• Obtaining necessary consents from exchangers and third parties
• Complying with applicable privacy laws in their jurisdiction
• Responding to data subject requests related to their exchangers
• Determining the purposes and means of processing Customer Data
• Ensuring accuracy and legality of all uploaded content and templates

Account and Usage Data (data about Customer's employees and their use of the Service): We act as the data controller and process this data for the purposes described in Section 3. Individuals may exercise their rights under this data directly with us using the contact information in Section 18.

Our processing of Customer Data is governed by our Data Processing Agreement (DPA), which includes Standard Contractual Clauses where applicable.

We process Customer Data only in accordance with Customer's documented instructions, as set forth in our Terms of Service and DPA, except where otherwise required by applicable law.

Customer agrees to indemnify and hold us harmless from any claims arising from Customer's data practices, including but not limited to violations of privacy laws, unauthorized data collection, or failure to obtain required consents.