Exposure Watch Privacy Policy

Effective date: June 15, 2026

Company: Exposure Watch, Inc.

Contact: privacy@exposurewatch.co or alerts@exposurewatch.co

This Privacy Policy explains how Exposure Watch collects, uses, discloses, and protects personal information when you visit our websites, use our application, request a free exposure check, create an account, receive alerts, communicate with us, or purchase our services.

Exposure Watch is a B2B service for organizations. It is not intended for personal, household, child, patient, resident, or clinical use.

1. Scope

This Policy applies to personal information we process for our own business purposes, including website, account, sales, support, billing, security, marketing, and product operations.

When we process personal information on behalf of a customer inside the Service, we generally act as a processor or service provider under applicable privacy laws, and our Data Processing Addendum and customer agreement also apply.

This Policy does not apply to protected health information under HIPAA. The standard Exposure Watch Service is not designed to collect or process PHI.

2. No PHI, patient records, or clinical data

Do not submit PHI, patient records, resident names, resident identifiers, medical information, clinical information, diagnoses, treatment information, payment-for-care information, or other sensitive health data to Exposure Watch. If we learn that such information has been submitted, we may delete or quarantine it and suspend the relevant account.

3. Personal information we collect

We may collect the following categories of personal information:

1. **Identifiers and contact information:** name, work email, work phone, mobile number if text alerts are enabled, job title, organization, and account identifiers.
2. **Account and authentication information:** account role, login events, magic-link delivery records, authentication logs, access permissions, and security settings.
3. **Organization and facility selections:** organization name, selected state, facility list, public facility identifiers, and related account configuration. Facility records are generally business/public records, but contact names or notes may contain personal information if provided by Customer.
4. **Alert-recipient and notification settings:** email addresses, phone numbers, alert preferences, digest preferences, acknowledgments, opt-in/opt-out status, and delivery logs.
5. **Commercial and billing information:** subscription plan, monitored facility count, transaction records, invoices, billing contact information, and payment status. Payment card data is processed by our payment processor and is not stored by Exposure Watch except limited tokens or payment status data.
6. **Usage, device, and log information:** IP address, browser, device identifiers, operating system, pages viewed, actions taken, timestamps, referral URLs, diagnostic logs, app events, crash reports, and security logs.
7. **Communications:** emails, support tickets, form submissions, call notes, feedback, and survey responses.
8. **Cookies and similar technologies:** cookies, local storage, pixels, tags, analytics identifiers, and similar technologies as described in our Cookie Policy.
9. **Inferences:** limited inferences about product usage, account health, preferences, or likely customer needs.

We do not intentionally collect sensitive personal information unless necessary for security, legal compliance, or another permitted business purpose. We do not intentionally collect information from children under 18.

4. Sources of personal information

We collect personal information from:

1. you and your organization;
2. account administrators and other authorized users;
3. public records and public data sources;
4. service providers such as hosting, analytics, payments, email, SMS, security, and support vendors;
5. event, marketing, and business-development interactions; and
6. automated technologies used on our websites and applications.

5. How we use personal information

We use personal information to:

1. provide, operate, maintain, secure, and improve the Service;
2. run free exposure checks and create accounts;
3. send alerts, sign-in links, service messages, support responses, invoices, and administrative notices;
4. process payments and manage subscriptions;
5. configure customer facility monitoring and notification settings;
6. troubleshoot, debug, test, analyze, and improve performance;
7. protect against fraud, misuse, security incidents, and legal risk;
8. comply with law and enforce our agreements;
9. communicate about products, updates, and events, subject to opt-out rights; and
10. create aggregated or de-identified information.

6. How we disclose personal information

We may disclose personal information to:

1. **Service providers and subprocessors** that host, process, secure, transmit, analyze, bill, support, or help operate the Service.
2. **Customer administrators** who manage the organization account.
3. **Other authorized users** in the same customer account, such as alert recipients or administrators, based on account settings.
4. **Payment processors** for billing and payment processing.
5. **Email, SMS, and communications providers** to deliver alerts and account messages.
6. **Professional advisers** such as lawyers, accountants, auditors, insurers, and security advisers.
7. **Authorities, regulators, or third parties** when required by law, subpoena, court order, legal process, or to protect rights, safety, security, and property.
8. **Business transaction parties** in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.

We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising unless we first update this Policy and provide required opt-out mechanisms.

7. Cookies and analytics

We use required technologies to operate the website, app, sign-in, security, and checkout. We may use optional analytics technologies to understand website and product usage. See the Cookie Policy for more details.

We use Google Analytics on public website, SEO, legal, and funnel pages to measure page views, referral information, browser and device information, approximate location, and site usage. Google Analytics may set or read analytics cookies and identifiers as described in the Cookie Policy.

The Cookie Policy describes the cookies and similar technologies currently used by the website and Service.

8. Legal bases for processing, where applicable

Where laws such as the GDPR or UK GDPR apply, our legal bases may include performance of a contract, legitimate interests, consent, compliance with legal obligations, and protection of rights and security. Where we process customer personal data as a processor, our customer is responsible for determining the legal basis for processing.

9. Retention

We retain personal information for as long as necessary to provide the Service, maintain business records, comply with legal obligations, resolve disputes, enforce agreements, preserve security logs, and maintain backup records. Retention periods vary by data type.

Typical retention defaults:

• Account and billing records: for the account term plus legally required tax/accounting period.
• Security logs: typically 12 to 24 months unless needed longer for investigation.
• Alert and acknowledgment records: as configured in the Service or Order.
• Marketing contacts: until opt-out plus suppression-list retention.
• Backups: overwritten on normal backup cycles.

10. Security

We use administrative, technical, and organizational safeguards designed to protect personal information. No internet service is completely secure. You are responsible for securing your account, devices, email, networks, and access credentials.

Report suspected security issues to security@exposurewatch.co.

11. Privacy rights

Depending on where you live, you may have rights to request access, correction, deletion, portability, restriction, objection, opt-out of certain processing, or appeal of a privacy-rights decision. To submit a request, contact privacy@exposurewatch.co.

We may need to verify your identity and authority before fulfilling a request. If your information is controlled by one of our customers, we may direct you to that customer or help the customer respond.

12. Marketing choices

You may opt out of marketing emails by using the unsubscribe link or contacting us. You will still receive transactional, security, legal, billing, and service messages.

For text alerts, reply STOP where supported or use account settings. Text alert opt-out does not cancel the subscription or stop other service communications.

13. California and other U.S. state privacy notice

This section supplements the Policy for residents of states with comprehensive privacy laws, where applicable.

Categories collected: identifiers, customer records, commercial information, internet or network activity, geolocation-related facility/public data where applicable, professional or employment-related information, inferences, and communications. We do not intentionally collect sensitive personal information for purposes that require a right to limit sensitive-information use.

Business purposes: providing the Service, security, billing, support, analytics, communications, legal compliance, internal operations, and product improvement.

Disclosures: service providers, customer administrators, communications providers, payment processors, professional advisers, authorities, and business transaction parties.

Sale/share: We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising unless we first update this Policy and provide required opt-out mechanisms.

14. International transfers

Exposure Watch is based in the United States or uses U.S.-based infrastructure unless otherwise stated. If you access the Service from outside the United States, your information may be processed in the United States and other countries that may have different data-protection laws.

15. Children

The Service is not directed to children under 18. We do not knowingly collect personal information from children.

16. Changes

We may update this Policy from time to time. The effective date will show the latest version. Material changes will be notified as required by law.

17. Contact

Privacy contact: privacy@exposurewatch.co

Operational contact: alerts@exposurewatch.co

Company location: Exposure Watch, Inc., Delaware, United States