Privacy Policy

OVERVIEW

This Privacy Policy, as updated from time to time (the “Policy”), describes how CivicNexus Inc., a Delaware corporation (referred to herein as “Company,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal data about you (“Personal Data”) when you access or use our website, interact with our software, or otherwise engage with us in connection with our services (collectively, the “Services”). This Policy also outlines your data protection rights, which may include the right to object to certain types of processing, as permitted under applicable law.

ARTICLE 1: PERSONAL DATA NOT COVERED UNDER THIS POLICY

1.1 Data Processed on Behalf of Customers

This Privacy Policy does not apply when we process personal data on behalf of our customers in our role as a service provider or processor. This occurs when customers use our services to:

• Offer or sell their own products or services,
• Communicate with third parties, or
• Collect, use, or otherwise process personal data through our platform.

In such cases, the customer is the data controller and determines how personal data is used.

1.2 Contacting the Data Controller

For questions about how a specific customer handles personal data, please contact that customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those described in this Policy.

1.3 Third-Party Services and Links

Our services may include links to third-party websites, applications, or platforms, including social media pages we manage. These third parties operate independently and are governed by their own privacy policies. We encourage you to review those policies to understand how your personal data may be collected and used.

1.4 Requirement for Data Processing

In some cases, we need certain personal data to provide you with specific products or services. If you choose not to provide this data, it may limit or prevent your access to those features.

ARTICLE 2: INFORMATION COLLECTION AND USE

2.1 Information You Provide Directly

We collect personal data that you provide when you contact us, use our services, sign up for communications, register for events, or submit content. This may include your name, contact details, account credentials, and any other information you choose to provide.

We may also request verification of your identity in certain cases (e.g., account recovery or legal compliance).

2.2 Information Collected Automatically

When you use our services, we automatically collect technical information, including your IP address, browser type, operating system, and usage data such as downloads and interactions with our platform.

We may use tracking technologies (like cookies or web beacons) to understand user behavior, measure engagement, and improve our services. You may opt out of marketing emails or adjust your browser settings to limit cookie use.

2.3 Information from Third-Party Services

We may receive personal data from third-party sources, including service providers, social media platforms, and public records. This may include contact details, professional or demographic information, or information related to your use of third-party tools integrated with our services.

2.4 Use of Information

We use the information we collect to:

• Provide and improve our services,
• Communicate with you,
• Ensure security and prevent fraud,
• Comply with legal obligations, and
• Send relevant marketing, if legally permitted.

We may use anonymized and aggregated user interaction data to improve our algorithms and recommendation systems, such as by refining how we match legislation to your interests based on feedback.

2.5 Your Responsibility When Providing Data

If you provide personal data about someone else, you must have the authority to do so and ensure they are aware of our privacy practices.

2.6 Personal Data of Children

Our websites and Services are not directed at children. We do not knowingly collect Personal Data from children.

The minimum age for valid consent varies by jurisdiction:

• In the United States, we do not knowingly collect data from children under 13 years of age, in accordance with the Children’s Online Privacy Protection Act (COPPA).
• In the European Economic Area (EEA), the age of digital consent is 16, unless a lower age is specified by national law (not below 13).

If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us and we will take steps to delete their Personal Data from our systems.

2.7 Cookies and Similar Technologies

As with most websites, Company and its partners use cookies, web beacons, pixels, tags, JavaScript, and other technologies to collect information about users’ activities to make our website work as well as to learn more about our users.

“Cookies” are small text files stored by your web browser when you use websites. Cookies and similar technologies help us improve our services and your experience, see which areas and features of our services are popular, and count visits. The type of information a cookie collects includes the date and time you visited, your browsing history, your preferences, and your username.

We use both session-based and persistent cookies on our websites. Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain on your device after you close your browser or turn your device off.

“Web beacons” are bits of programming code that may be included in our web pages or emails and help deliver cookies, count visits, and understand usage and campaign effectiveness.

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies. Note that if you choose to remove or reject cookies, this could affect the availability and functionality of our services.

We use both essential and analytics cookies. Essential cookies are required for basic functionality; analytics cookies help us understand how users interact with our services.

If you are located in the European Economic Area (EEA), United Kingdom, or any jurisdiction requiring prior consent for non-essential cookies, we will request your consent before placing such cookies. You may adjust your preferences through our Cookie Settings banner or by modifying your browser settings.

2.8 Social Media Features

Our services may include social media features, such as sharing buttons (e.g., “X” or LinkedIn) or embedded content. These features may allow you to share content or interact with our pages on external platforms.

Some features are hosted by third-party platforms and may collect data such as your IP address, the pages you visit, and may link that data to your social media profile if you’re logged in. We may also allow sign-in through social platforms, which may share your name, email address, or other basic profile information with us.

Your interactions with these features are governed by the privacy policies of the respective platforms.

2.9 Telephony Log Information

If you use certain features of our services on a mobile device, we may also collect telephony log information (like phone numbers, time and date of calls, duration of calls, SMS routing information and types of calls), device event information (such as crashes, system activity, hardware settings, browser language), and location information (through IP address, GPS, and other sensors that may, for example, provide us with information on nearby devices, Wi-Fi access points and cell towers).

Geolocation data is collected in a generalized form (e.g., IP-based region) unless you have explicitly granted permission through your device or browser to access precise location data.

2.10 Use of Collected Information

We use your personal data for the following purposes, based on your consent where required, or as otherwise permitted by law (e.g., performance of a contract, legal obligation, or our legitimate interests):

• To provide, maintain, and improve our services and website functionality;
• To communicate with you, including responding to inquiries and sending service updates or marketing communications;
• To manage user accounts, registrations, and participation in events, programs, or promotions;
• To process payments and fulfill contractual obligations;
• To enhance security, prevent fraud, and ensure proper use of our services;
• To conduct research, surveys, and analytics to improve user experience;
• To meet legal and regulatory obligations, including cooperation with authorities;
• To manage internal operations such as quality assurance, training, and capacity planning;
• To support diversity initiatives where information is voluntarily provided in accordance with applicable data protection laws.

When relying on legitimate interests as a legal basis, we evaluate and balance those interests against your rights and freedoms, as required by law.

2.11 Sharing of Personal Data

Why we may need to share your personal Data:

Our customer privacy is of paramount importance. Because of this, CivicNexus takes many steps to ensure that your data is both secure and private. We investigate all our vendors and prioritize ones that have strict data privacy policies. We take precautions to limit data transfer wherever possible with AI vendors so that your personal data never winds up in a chatGPT response. However there are a number of legitimate reasons we need data sharing terms in our Privacy Policy. These reasons include (but aren’t limited to)

• Using 3rd party cloud infrastructure to host our website and databases so that we do not have to have warehouses with servers.
• Using 3rd party tools to provide basic website functionality like authentication capabilities and analytics.
• Our accounting and other operational services may require us to store some data with vendors
• Etc.

These vendors alone require us to inform our users that we might share their data. Our data sharing policy is meant to be reflective of our transparency with you, not our desire to sell your data.

This is our data sharing policy:

We may share your personal data with:

• Affiliated companies within our corporate group;
• Service providers who process data on our behalf (e.g., hosting, marketing, analytics, payment processing, and fraud prevention);
• Business partners and third parties, research firms, information providers, and platforms, where necessary to support our services or as part of joint activities;
• Legal and regulatory authorities, if required by law, legal process, or to protect our rights, users, or the public;
• Other parties, when you give your consent or direction to do so.

In the event of a merger, acquisition, asset sale, or similar corporate event, personal data may be shared with advisers and transferred to the successor entity.

We may also share aggregated or de-identified information that does not reasonably identify you.

If you post in public areas of our services (e.g., support forums, blog posts, etc.), any personal data you include may be visible to others.

We do not sell personal data. Any sharing of personal data with third parties is done solely to provide our services and never for third-party marketing or resale purposes.

We use third-party service providers such as Amazon Web Services (AWS) and Google Cloud to host and process data on our behalf. These providers do not have direct access to customer data unless authorized or required by law.

Company shares collected information with Google LLC, for use with Google Analytics. You may find Google’s privacy policy here: https://policies.google.com/privacy?hl=en. You may opt out from the use of Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add On here: https://tools.google.com/dlpage/gaoptout.

2.12 Legal Basis for Processing (GDPR Compliance)

Where the General Data Protection Regulation (“GDPR”) applies, we process Personal Data under one or more of the following legal bases, as permitted by Article 6 of the GDPR:

Where consent is the legal basis, you may withdraw your consent at any time without affecting the lawfulness of processing before its withdrawal.

ARTICLE 3: SECURITY AND STORAGE

3.1 Security of Personal Data

We understand that the security of your Personal Data is important. We provide reasonable administrative, technical, and physical security controls to protect your Personal Data. However, despite our efforts, no security controls are 100% effective and Company cannot ensure or warrant the security of your Personal Data.

3.1.1 Data Security Measures

We store all customer data in encrypted storage systems and transmit data using secure protocols such as Transport Layer Security (TLS). While we take reasonable precautions to protect your data, no system is completely secure.

3.2 Cross-Border Data Transfers

We may transfer your Personal Data across national borders to countries outside your jurisdiction, including countries that may not have data protection laws equivalent to those in your home jurisdiction.

For data subjects in the European Economic Area (EEA), we ensure that such transfers are made in compliance with Articles 44–49 of the GDPR, and rely on one or more of the following legal safeguards:

1. Adequacy Decisions issued by the European Commission for certain jurisdictions;
2. Standard Contractual Clauses (SCCs) approved by the European Commission;
3. Binding Corporate Rules (BCRs), where applicable; or
4. Your explicit consent for specific transfers.

You may request additional information regarding cross-border transfers by contacting us using the details provided in this Policy.

3.3 Data Retention Overview

We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected, including to comply with applicable legal, regulatory, contractual, accounting, or operational requirements. For most customers, this means Personal Data will be retained for the duration of the active customer contract. In some cases, we may retain certain data for a longer period where required by law, necessary to protect our legal rights, or to meet ongoing business or operational needs. When determining the appropriate retention period, we consider the nature, volume, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure; the purposes for which the data is processed and whether those purposes can be achieved through other means; and applicable legal obligations, including relevant statutes of limitation. Unless a longer retention period is legally required or otherwise justified, Personal Data is deleted or anonymized once it is no longer necessary for the purposes for which it was collected.

Important Note on Public Data:

If you request deletion of your personal data, we will delete any information you have submitted to our platform, including notes and positions on legislation. However, we will retain any information acquired from public or government sources, such as public testimony or legislative records, even if it pertains to you.

3.4 Perpetual Licenses and Releases

If you grant or receive a perpetual license from us, or submit model or property releases, we may retain related records indefinitely. This is necessary to manage rights, administer royalties, prevent legal claims, and protect third-party interests associated with perpetual content rights.

3.5 Marketing and Consent-Based Processing

For processing based on your consent (such as marketing), we retain your data until you withdraw consent or opt out. We may retain a record of your opt-out request to ensure we respect your preferences in the future.

3.6 Deletion and Residual Data Handling

Once the applicable retention period has expired, we delete your personal data in a secure manner. If certain data cannot be fully deleted for technical reasons (e.g., stored in backup systems), we take appropriate steps to isolate it and prevent any further use or processing.

ARTICLE 4: PERSONAL DATA RIGHTS

4.1 Overview of Personal Data Rights

You may have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws, these rights may include the right to:

• Access – Request a copy of the personal data we hold about you.
• Information – Learn how we collect, use, and share your data.
• Correction – Request correction of inaccurate or incomplete data.
• Deletion – Request deletion of your personal data.
• Restriction – Request that we limit how we use your data.
• Portability – Request to receive your data in a structured, commonly used format or transfer it to another controller.
• Objection – Object to certain uses of your data, including direct marketing or profiling.
• Opt-Out – Opt out of certain disclosures to third parties, including sales or sharing of personal data, where applicable.
• Youth Privacy – If you are under the age of 18 (or the applicable age of digital consent), additional protections may apply to the sharing of your data.
• Non-Discrimination – You have the right not to be discriminated against for exercising your privacy rights.
• Automated Decision-Making – Request human review of decisions made solely through automated processing that produce legal or similar significant effects.
• Withdraw Consent – Withdraw your consent at any time, where we rely on it for processing.

4.2 How to Exercise Your Rights

To exercise your privacy rights, please contact us at support@civicnexus.com. We may process limited Personal Data to verify your identity and respond appropriately. Requests will be addressed within one (1) month, as required by law, though complex or multiple requests may require additional time. If more information is needed to verify your identity or clarify your request, we will notify you promptly. Please include sufficient details to allow us to verify your identity and understand the nature of your request.

If you are an employee of a Company customer, please contact your employer or system administrator for assistance with updating or correcting your information.

4.3 Self-Service Account Updates

Some registered users may update their user settings, profiles, organization settings, and event registrations by logging into their accounts and editing their settings or profiles.

4.4 Account and Billing Updates

To update your billing information, discontinue your account, or request return or deletion of your Personal Data and other information associated with your account, please contact us.

4.5 Company’s Customer Data

As described above, we may process personal data on behalf of our customers who use our services. In those cases, we act as a data processor, and the customer is the data controller.

If your personal data was submitted to us by or on behalf of a customer (e.g., your employer), and you wish to exercise your data rights, please contact that customer directly. If you contact us instead, please include the name of the relevant customer so we can refer your request to them and support them in responding appropriately.

ARTICLE 5: OPT-OUT

5.1 Use of Information for Marketing

We, and third parties acting on our behalf, may use your personal data to send you marketing messages about our services or related offers.

5.2 Withdrawal of Consent and Direct Marketing Rights

Where we rely on your consent to send marketing communications, you may withdraw that consent at any time. Where we rely on our legitimate interests, you still have the right to opt out of direct marketing or any profiling related to it, at any time, by contacting us.

Withdrawing consent or opting out does not affect the lawfulness of processing prior to your request.

5.3 Email and SMS Preferences

You can manage your marketing preferences by:

• Clicking the “unsubscribe” link in our emails, or
• Replying or texting “STOP” to opt out of SMS messages.

Please note: Opting out of marketing communications does not affect transactional or service-related messages, such as account notices or security alerts.

5.4 Telemarketing Preferences

To be added to our internal Do-Not-Call list, please contact us and include your name, company (if applicable), and the phone number you wish to register.

You can also request not to be contacted again during any telemarketing call.

ARTICLE 6: EUROPEAN UNION NOTICE

6.1 EEA Resident Rights to Lodge Complaints

If you are a resident in the European Economic Area and you believe we are unlawfully processing your Personal Data, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index\_en.htm.

6.2 Switzerland Resident Rights to Lodge Complaints

If you are a resident in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.

ARTICLE 7: CALIFORNIA RESIDENTS

7.1 Shine The Light Law (California Civil Code Section 1798.83)

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of Personal Data (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared Personal Data in the immediately preceding calendar year.

If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

7.2 Rights of Minors Under 18

If you are a California resident under the age of 18 and have a registered account with us, you may request removal of personal content that you have publicly posted on our services.

To request removal, contact us with:

• The email address associated with your account, and
• A statement confirming that you are a California resident under 18.

We will take steps to remove the public display of the content, though full deletion from all systems (such as backups) may not be possible.

7.3 CCPA Privacy Notice

7.3.1 Definition of “Resident” Under California Code of Regulations

The California Code of Regulations defines a “resident” as:

1. Every individual who is in the State of California for other than a temporary or transitory purpose; and
2. Every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose.

All other individuals are defined as “non-residents”

If this definition of “resident” applies to you, we must adhere to certain rights and obligations regarding your Personal Data.

7.3.2 Categories of Personal Data Collected

We have collected the following categories of Personal Data in the past twelve (12) months:

CATEGORY

EXAMPLES

COLLECTED

A. Identifiers

Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address and account name

YES

B. Personal information categories listed in the California Customer Records statute

Name, contact information, education, employment, employment history and financial information

YES

C. Protected classification characteristics under California or federal law

Gender and date of birth

NO

D. Commercial information

Transaction information, purchase history, financial details and payment information

YES

E. Biometric information

Fingerprints and voiceprints

NO

F. Internet or other similar network activity

Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems and advertisements

YES

G. Geolocation data

Device location

YES

H. Audio, electronic, visual, thermal, olfactory, or similar information

Images and audio, video or call recordings created in connection with our business activities

YES

I. Professional or employment-related information

Business contact details in order to provide you our services at a business level, job title as well as work history and professional qualifications if you apply for a job with us

YES

J. Education Information

Student records and directory information

NO

K. Inferences drawn from other personal information

Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics

NO

Additional Data Collection Contexts

We may also collect other Personal Data outside of these categories in instances where you interact with us in person, online, or by phone or mail in the context of:

1. Receiving help through our customer support channels;
2. Participation in customer surveys or contests; and
3. Facilitation in the delivery of our Services and to respond to your inquiries.

7.4 Do Not Sell or Share My Personal Information

Under the California Consumer Privacy Act (as amended by the CPRA), California residents have the right to opt out of the sale or sharing of their personal data for cross-context behavioral advertising.

We do not sell your personal data for monetary compensation. However, we may share limited data with third parties (such as analytics or advertising providers) that could be considered a “sale” or “sharing” under California law.

To exercise your right to opt out of such sharing, please click on the link titled “Do Not Sell or Share My Personal Information” located in the footer of our website, or contact us directly at:

Email: support@civicnexus.com

If you enable the Global Privacy Control (GPC) signal in your browser, we will treat that as a valid opt-out request for the device and browser used.

ARTICLE 8: CHANGES TO THIS PRIVACY POLICY

8.1 Updates to the Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. When we make changes, we will update the “Last Updated” date at the top of the policy and post the revised version on our website.

• For new users, the revised policy will be effective upon posting.
• For existing users, material changes will become effective 30 days after posting, unless otherwise required by law.

We encourage you to review this Policy periodically to stay informed about our privacy practices.

8.2 Contact for Questions or Concerns

If you have any questions about this Privacy Policy, our data practices, or would like to exercise your privacy rights, please contact us:

CivicNexus Inc. Email: support@civicnexus.com

If applicable, you may also contact our Data Protection Officer at the same address. We are committed to resolving any concerns regarding your privacy or this Policy.