We collect information that you or your organization ("Customer") directly provides when using the Service, including but not limited to:

• Account Information: Business name, contact names, email addresses, phone numbers, business addresses, and billing information
• User Credentials: Usernames, passwords (encrypted), and authentication data
• Account Settings: User preferences, notification settings, workflow configurations, customization options, display preferences, integration settings, and any other account configuration data
• Account Legal Templates: Customized legal documents, exchange agreements, contract templates, disclosure forms, standardized correspondence, and any legal or compliance templates created, modified, or stored within the Service
• Exchange Transaction Data: Information related to 1031 exchanges including exchanger details, property information, transaction dates, exchange amounts, and related documentation
• Communications: Messages, support requests, feedback, and correspondence with us
• Uploaded Content: Documents, files, contracts, closing statements, and other materials uploaded to the Service

When you use the Service, we may automatically collect, including but not limited to:

• Usage Data: Access times, features used, pages viewed, links clicked, search queries, interaction patterns, session duration, feature adoption metrics, and any other behavioral or usage information
• Device Information: IP address, browser type and version, operating system, device identifiers, hardware information, screen resolution, language settings, time zone, and any other device-related information
• Log Data: Server logs, error reports, system activity records, API calls, database queries, performance metrics, and any other system or application logs
• Cookie Data: Information collected through cookies and similar tracking technologies (see Section 8)
• Location Information: General geographic location based on IP address or other identifiers
• Performance Data: Application performance metrics, load times, error rates, and system health indicators

We may receive information from third-party services you integrate with the Service, including but not limited to payment processors, identity verification services, business intelligence tools, authentication providers, and any other third-party applications or services.

We may derive or infer additional information based on the data we collect, including but not limited to user behavior patterns, preferences, tendencies, and other analytical insights.

• Providing, operating, maintaining, and improving the Service
• Processing and managing 1031 exchange workflows
• Facilitating communication between QIs, exchangers, and other parties
• Storing and organizing exchange documentation and transaction records
• Generating reports, analytics, and compliance documentation
• Customizing user experience based on preferences and usage patterns
• Managing and storing account settings and legal templates

• Creating and managing user accounts
• Processing payments and billing
• Providing customer support and responding to inquiries
• Sending administrative notifications and service updates
• Conducting internal analytics and service improvement
• Training machine learning models and improving algorithms
• Developing new features and services
• Benchmarking and performance analysis

• Complying with legal obligations and regulatory requirements
• Enforcing our Terms of Service and other policies
• Detecting, preventing, and addressing fraud, security issues, or technical problems
• Protecting the rights, property, and safety of our Company, users, and the public
• Responding to law enforcement requests and legal processes
• Conducting audits and investigations
• Establishing, exercising, or defending legal claims

• Sending promotional communications about new features, services, or offerings
• Conducting surveys and market research
• Analyzing market trends and customer needs

• Any other purpose disclosed to you at the time of collection
• Any other purpose with your consent
• Any other lawful business purpose

We do not sell, rent, or trade personal information or Customer Data to third parties for their marketing purposes.

We may share information with third-party service providers who perform services on our behalf, including but not limited to:

• Cloud hosting and infrastructure providers
• Payment processors and billing services
• Customer support platforms
• Email delivery services
• Analytics providers
• Security and fraud prevention services
• Data backup and disaster recovery services
• Marketing and advertising platforms
• Professional advisors (attorneys, accountants, consultants)

These providers are contractually obligated to protect your information and use it only for specified purposes.

If we are involved in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of assets, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

We may disclose information when we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, legal processes, or governmental requests
• Enforce our agreements, policies, and Terms of Service
• Respond to claims that content violates third-party rights
• Protect the rights, property, or safety of our Company, users, or the public
• Prevent or investigate possible wrongdoing, fraud, or security issues

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for any purpose, including but not limited to research, marketing, analytics, and industry benchmarking.

We may share information with third parties when you explicitly consent to such sharing or at your direction.

We access Google user data only when you explicitly connect your Gmail or Google account through our OAuth flow. We use the following Google APIs and scopes:

• Gmail API (gmail.readonly, gmail.send): To read email messages (headers and body) and to send emails on your behalf when you use the "Send from my email" feature
• Google Calendar API (calendar.events): To create, read, update, and delete calendar events (for example, syncing reminders to your Google Calendar)
• Google OAuth (userinfo.email): To obtain your email address for account identification

We use Google user data solely to:

• Email tracking: Sync and display email exchanges between you and your contacts within the Service
• Send emails: Send emails from your Gmail account when you choose to use your connected email for correspondence
• Calendar reminders: Create, update, and delete reminder events in your Google Calendar
• Account management: Identify and associate your connected Gmail account with your Service account

We do not use Google user data for advertising, and we do not use it for purposes unrelated to the features described above.

We store:

• OAuth tokens: Encrypted access and refresh tokens to maintain your connection to Gmail and Google Calendar
• Email content and metadata: Message headers (From, To, Cc, Subject, Date) and body content that we sync from Gmail, stored in our database to display email exchanges within the Service
• Calendar event identifiers: References to calendar events we create so we can update or delete them when reminders change

Stored data is retained in accordance with Section 8 (Data Retention) and is protected by the security measures described in Section 7 (Data Security).

We do not sell Google user data. We may share Google user data only as described in Section 5 (Information Sharing and Disclosure), including with service providers who assist in operating the Service (e.g., cloud hosting, infrastructure) and who are contractually bound to protect your data. We do not share Google user data with third parties for their marketing purposes.

You may disconnect your Gmail or Google account at any time through Settings → Email & Calendar Sync. Upon disconnection, we will stop accessing new Google user data. We will retain previously synced email content and metadata according to our data retention policy unless you request deletion.

We implement industry-standard technical and organizational security measures to protect information, including but not limited to:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege
• Network Security: Firewalls, intrusion detection systems, and regular security monitoring
• Security Testing: Regular vulnerability assessments and penetration testing
• Incident Response: Documented incident response procedures and breach notification protocols
• Employee Training: Security awareness training for all personnel with data access
• Physical Security: Secure data centers with restricted access
• Audit Logging: Comprehensive logging of system access and changes

No method of transmission or storage is 100% secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. You acknowledge and accept the inherent risks of transmitting and storing information electronically. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

In the event of a data breach that we determine, in our sole discretion, compromises personal information, we will notify affected users and applicable regulatory authorities as required by law, typically within 72 hours of discovery. We reserve the right to determine the timing, method, and content of such notifications in accordance with applicable law and our business judgment.

We retain information for as long as necessary to:

• Provide the Service and fulfill the purposes described in this Policy
• Comply with legal, regulatory, tax, accounting, or reporting requirements
• Resolve disputes and enforce our agreements
• Maintain backup and disaster recovery systems
• Protect our legal rights and interests
• Any other legitimate business purpose

• Exchange Transaction Data: Retained for minimum of 7 years after transaction completion or as required by IRS regulations and applicable state laws
• Account Information: Retained during active subscription and for 3 years after termination, or longer if required
• Account Settings and Legal Templates: Retained during active subscription and for 7 years after termination for compliance and legal purposes
• Usage Logs: Retained for 12-24 months unless required longer for security, legal, or business purposes
• Financial Records: Retained for 7 years for tax and accounting purposes
• Backup Systems: Information may persist in backup systems for up to 12 months

Upon termination of your account or upon your request, we will delete or anonymize your information within a reasonable timeframe (typically 90 days), except where retention is required or permitted by law, legitimate business purposes (including but not limited to outstanding disputes, security investigations, fraud prevention, audit requirements, or enforcement of agreements), or technical limitations of backup systems.

We may use cookies, web beacons, pixels, local storage, and similar tracking technologies, including but not limited to:

• Essential Cookies: Required for Service functionality (authentication, security, session management)
• Functional Cookies: Enable enhanced features and personalization
• Analytics Cookies: Help us understand Service usage and performance
• Advertising Cookies: Used for marketing purposes (with consent where required)
• Third-Party Technologies: Technologies operated by third-party partners for analytics, advertising, or other purposes

You can control cookies through your browser settings. Disabling certain cookies may limit Service functionality. We respect Do Not Track signals where technically feasible and legally required.

You may access and export your information through your account settings or by contacting us. We will provide access in accordance with applicable law.

You may correct or update your account information at any time through the Service or by contacting us.

You may request deletion of your information, subject to our retention obligations and legal rights. Some information may be retained in backup systems for up to 12 months or as otherwise permitted by law.

You may object to certain processing activities or request restriction of processing in specific circumstances where permitted by law.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

You may opt out of marketing emails by clicking "unsubscribe" in any marketing message or adjusting your account preferences.

To exercise any of these rights, contact us at privacy@vectorqi.com. We will respond within the timeframe required by applicable law (typically 30-45 days). We reserve the right to verify your identity before processing requests and may deny requests that are unreasonable, excessive, or prohibited by law.

We operate globally and may transfer, store, and process information in countries other than where you reside, including but not limited to the United States. These countries may have different data protection laws that may not provide the same level of protection as your home country.

For transfers from the EEA, UK, or Switzerland to countries without adequate protection determinations, we may implement appropriate safeguards including but not limited to:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules
• Other legally approved transfer mechanisms
• Reliance on derogations for specific situations

By using the Service, you consent to the transfer of your information to countries outside your country of residence.

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Categories and specific pieces of personal information collected, sources, purposes, and third parties with whom shared
• Right to Delete: Deletion of personal information, subject to exceptions
• Right to Correct: Correction of inaccurate personal information
• Right to Opt-Out: Opt-out of sale or sharing of personal information (note: we do not sell personal information)
• Right to Limit: Limit use of sensitive personal information
• Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise

In the preceding 12 months, we may have collected the following categories of personal information: identifiers, commercial information, internet/network activity, geolocation data, professional information, and inferences.

California residents may request information about disclosure of personal information to third parties for direct marketing purposes.

California residents may exercise these rights by emailing privacy@vectorqi.com. We will verify your identity before processing requests and respond within 45 days (with possible 45-day extension).

For data processed through the Service, Customer acts as the data controller and we act as a data processor. Customer is solely responsible for:

• Ensuring lawful collection and processing of exchanger information
• Obtaining necessary consents from exchangers and third parties
• Complying with applicable privacy laws in their jurisdiction
• Responding to data subject requests related to their exchangers
• Determining the purposes and means of processing Customer Data
• Ensuring accuracy and legality of all uploaded content and templates

Our processing of Customer Data is governed by our Data Processing Agreement (DPA), which includes Standard Contractual Clauses where applicable.

We process Customer Data only in accordance with Customer's documented instructions, as set forth in our Terms of Service and DPA, except where otherwise required by applicable law.

Customer agrees to indemnify and hold us harmless from any claims arising from Customer's data practices, including but not limited to violations of privacy laws, unauthorized data collection, or failure to obtain required consents.