Privacy Policy

1. Introduction and Scope

Praethos LLC and its subsidiaries, affiliates, and related entities, including but not limited to ERP Solar, ProGreen Solar LLC, Kenyon Consulting, and their respective officers, directors, employees, agents, successors, and assigns (collectively, "Company," "we," "us," or "our") are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, disclose, and safeguard information when you access or use the Solar ERP platform, including the website at erpsolar.com, any associated application programming interfaces (APIs), mobile applications, customer portals, and related services (collectively, the "Service").

Data Controller and Data Processor Roles. For the purposes of applicable data protection laws, the Company acts as the data controller with respect to account information, usage analytics, and other data that we collect and determine the purposes and means of processing. When you input, upload, or otherwise submit data about your own customers, employees, contractors, or other third parties into the Service ("Your Data"), the Company acts as a data processor on your behalf. In that capacity, you are the data controller for Your Data, and you are responsible for ensuring that you have obtained all necessary consents and legal bases to provide that data to us for processing.

Scope. This Privacy Policy applies to all users of the Service, including account holders, authorized team members, administrators, and any individual who interacts with the Service. It covers data collected through the erpsolar.com website, our APIs, any mobile or desktop applications we may offer, customer-facing portals generated through the Service, and all communications between you and the Service.

Relationship to Terms of Service. This Privacy Policy is incorporated into and forms part of our Terms of Service. Capitalized terms used but not defined in this Privacy Policy have the meanings assigned to them in the Terms of Service. In the event of any conflict between this Privacy Policy and the Terms of Service regarding data handling practices, this Privacy Policy shall control.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with the practices described herein, you must discontinue use of the Service immediately.

2. Information Provided by You

We collect information that you voluntarily provide when you register for an account, configure your organization, use the Service's features, or communicate with us. The categories below describe the types of information you may submit.

2.1 Account Registration

When you create an account, we collect your full name, email address, phone number, organization name, your role or title within the organization, and a password. If you are invited to join an existing organization, the inviting administrator provides your email address, and you supply the remaining information during the onboarding process.

2.2 Organization Profile

Account administrators provide organizational details such as company legal name, doing-business-as name, physical address, phone number, website URL, contractor license numbers, Employer Identification Number (EIN), and any other business identifiers required to configure the platform for your operations.

2.3 Business Operations Data

The Service is designed to manage your solar business operations. You may enter information related to customer accounts, sales pipeline records, project details, work orders, service tickets, proposals, contracts, change orders, inspection records, permit applications, and related operational data. This information is stored within your organization's tenant and is treated as Your Data.

2.4 Financial Data

You may enter or synchronize financial information, including invoices, payment records, accounts receivable, accounts payable, expense records, and chart of accounts data. If you connect QuickBooks or another accounting integration, financial data may be imported and synchronized bidirectionally. Subscription billing information (payment method, billing address) is collected and processed by our payment processor, Stripe.

2.5 Employee and Contractor Data

If you use the HR and compliance features, you may enter employee and contractor information, including full names, contact details, mailing addresses, compensation rates, pay frequency, payment records, bank routing information (for reference only), W-9 form data (including the last four digits of Social Security Numbers or Taxpayer Identification Numbers), and 1099-NEC filing records. This is sensitive information, and you are responsible for ensuring you have the legal authority and consent to submit it.

2.6 Customer Personally Identifiable Information

You may store personally identifiable information about your own customers within the Service. This includes customer names, home and mailing addresses, email addresses, phone numbers, utility account numbers, property details (roof type, square footage, electrical panel specifications), site survey data, and any notes or records associated with their projects. As the data controller for this information, you are responsible for complying with all applicable privacy laws governing its collection and use.

2.7 Inventory and Asset Data

You may track equipment, materials, vehicles, and other assets within the Service. This includes product names, manufacturers, model numbers, serial numbers, quantities, warehouse locations, purchase costs, condition status, fleet vehicle details, maintenance records, and GPS-based location data for field assets.

2.8 Communications

We collect the content of messages you send through the Service, including conversations with the AI assistant, work order chat messages, internal notes, feedback submissions, feature requests, and support inquiries. These communications are stored within your organization's tenant and may be reviewed to provide customer support or improve the Service.

2.9 Documents and Files

You may upload files to the Service, including photographs, site survey documents, engineering plans, architectural drawings, signed agreements, permit documents, inspection reports, utility interconnection applications, proposal PDFs, and other business documents. Uploaded files are stored in your tenant's isolated file storage and are subject to the same access controls as all other data.

2.10 Calendar and Scheduling

If you use the scheduling features, you may create calendar events, appointments, installation schedules, inspection dates, and availability windows. If you connect Google Calendar, event data is synchronized according to your authorization settings. Calendar data may include event titles, descriptions, locations, attendees, and time ranges.

3. Information Collected Automatically

When you access or use the Service, certain information is collected automatically through standard web technologies and server-side logging. This information helps us maintain, secure, and improve the Service.

3.1 Usage and Analytics Data

We collect data about how you interact with the Service, including the pages and features you visit, actions you perform (such as creating records, generating reports, or configuring integrations), session duration, click patterns, navigation paths, and feature adoption metrics. This data is collected in aggregate and is used to understand usage patterns and improve the platform.

3.2 Device and Browser Information

We automatically collect information about the device and browser you use to access the Service, including browser type and version, operating system, device type (desktop, tablet, mobile), screen resolution, display language, and timezone settings.

3.3 Network Information

We collect your Internet Protocol (IP) address, which may be used to determine your approximate geographic location (city or region level). We may also collect information about your Internet service provider (ISP) and connection type. IP addresses are stored in server logs and are used for security monitoring, rate limiting, and fraud prevention.

3.4 Log Data

Our servers automatically record information in log files each time a request is made. Log data includes access timestamps, the URL of the page or API endpoint requested, referring URLs (the page you visited before arriving at the Service), HTTP status codes, response sizes, error messages, and request metadata such as HTTP headers and query parameters.

3.5 Audit Trail

The Service maintains a comprehensive audit trail that records create, read, update, and delete (CRUD) operations across all data entities. Audit records include the type of operation performed, the timestamp, the authenticated user ID, the affected record or entity, and the specific fields that were changed (including before and after values where applicable). Audit trails are essential for compliance, accountability, and security monitoring.

3.6 Performance Metrics

We collect performance-related data to maintain and improve the reliability of the Service. This includes page load times, API response times, error rates, uptime metrics, and resource utilization statistics. Performance data is collected in aggregate and does not identify individual users.

4. Information from Third-Party Sources

When you connect third-party services to the platform, we receive information from those services based on the permissions you grant. Below is a description of the data received from each supported integration.

4.1 QuickBooks (Intuit)

When you authorize the QuickBooks integration via OAuth 2.0, we may receive and synchronize customer records, vendor records, invoices, payments, credit memos, estimates, chart of accounts data, tax rates, and company profile information. Data flows bidirectionally based on your synchronization settings.

4.2 Enphase Energy

When you connect Enphase monitoring, we receive solar energy production data, battery charge/discharge telemetry, system alerts and fault notifications, microinverter status, equipment serial numbers, and historical performance data for systems associated with your Enphase account.

4.3 SolarEdge

The SolarEdge integration provides monitoring data including site-level energy production, inverter performance metrics, optimizer-level data, equipment status, alert notifications, and environmental benefit calculations for systems registered under your SolarEdge account.

4.4 Tesla

When you connect Tesla energy products, we receive Powerwall battery status data, energy production and consumption metrics, battery state of charge, grid import/export data, and system configuration information for Tesla energy systems associated with your Tesla account.

4.5 OpenSolar

The OpenSolar integration allows import of solar system designs, customer proposals, system configurations (panel layouts, inverter selections, battery sizing), estimated production figures, pricing information, and associated customer contact details from your OpenSolar account.

4.6 Google Calendar

When you authorize Google Calendar via OAuth 2.0, we access calendar events, event details (title, description, location, attendees, time), scheduling availability, and calendar metadata. This integration enables two-way synchronization of appointments and scheduling data.

4.7 Stripe

Stripe processes subscription payments for the Service. Through the Stripe integration, we receive payment confirmation data, billing address information, the last four digits of payment card numbers, card brand, expiration date, transaction amounts, and payment status. We do not receive or store full credit card numbers, CVV codes, or complete bank account numbers. All sensitive payment data is handled directly by Stripe in accordance with PCI DSS requirements.

4.8 Resend

Resend provides transactional email delivery for the Service. We receive delivery receipts, bounce notifications, email open tracking data (if enabled), click tracking data (if enabled), and error/failure reports. Resend processes the email addresses and names of message recipients on our behalf.

4.9 Anthropic

The AI assistant feature uses Anthropic's Claude API for natural language processing. We transmit conversation messages and optional file attachments to Anthropic for processing. Anthropic returns generated responses and conversation processing metadata (such as token counts and model identifiers). Per Anthropic's commercial API terms, conversation data transmitted through the API is not used to train Anthropic's models.

5. Cookie and Tracking Technology Taxonomy

This section provides a comprehensive overview of the cookies, local storage mechanisms, and tracking technologies used by the Service.

5.1 Strictly Necessary Cookies

These cookies are essential for the operation of the Service and cannot be disabled. They include:

• Session Cookies: Maintain your authenticated session as you navigate the platform.
• CSRF Tokens: Protect against cross-site request forgery attacks by validating that form submissions originate from the Service.
• Supabase Authentication Cookies: Store encrypted authentication tokens issued by Supabase Auth, enabling secure, stateless authentication across requests.
• Cookie Consent Preferences: Record your cookie consent choices so that your preferences are respected on subsequent visits.

5.2 Functional Cookies

Functional cookies enhance your experience by remembering your preferences and settings. These include:

• Language and Locale: Remember your preferred language and regional formatting settings.
• UI State: Preserve user interface preferences such as sidebar collapse state, selected dashboard views, theme preferences, and table column configurations.
• Recently Viewed Items: Track recently accessed records, pages, or search queries to enable quick navigation.

5.3 Performance and Analytics

If we implement analytics, we use only privacy-respecting solutions that do not track users across websites and do not build user profiles for advertising purposes. Any analytics data is collected in aggregate to understand feature usage and improve the Service.

5.4 Cookies We Do NOT Use

To be clear about the boundaries of our tracking practices:

• We do not use advertising or retargeting cookies.
• We do not use cross-site tracking cookies.
• We do not embed social media tracking pixels (Facebook Pixel, LinkedIn Insight Tag, or similar).
• We do not participate in ad networks or real-time bidding exchanges.
• We do not use any cookie or tracking technology for the purpose of behavioral advertising.

5.5 Local Storage and Session Storage

In addition to cookies, the Service may use browser local storage and session storage to persist UI preferences, cache temporary data for performance, and store non-sensitive application state. Data stored in local storage and session storage remains on your device and is not automatically transmitted to our servers.

5.6 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies, view which cookies are stored, and manage your preferences. Please note that disabling strictly necessary cookies will impair the functionality of the Service, and you may not be able to access certain features or maintain an authenticated session.

6. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR) or equivalent local law. The legal bases we rely on include the following.

6.1 Performance of a Contract

Processing is necessary to perform our obligations under the Terms of Service, including providing the platform, managing your account, synchronizing data with connected integrations, generating reports, and delivering the features you have subscribed to. Without this processing, we cannot provide the Service to you.

6.2 Legitimate Interests

We process certain data based on our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

• Security and Fraud Prevention: Monitoring access patterns, detecting unauthorized activity, and preventing abuse of the Service.
• Service Improvement: Analyzing usage patterns in aggregate to improve features, fix bugs, and enhance the user experience.
• Analytics and Reporting: Understanding how the Service is used to make informed decisions about product development.
• Customer Support: Responding to your inquiries and resolving technical issues.

6.3 Consent

For certain processing activities, we rely on your explicit consent. These include sending marketing communications, placing non-essential cookies, and processing data through the AI assistant feature. You may withdraw your consent at any time by adjusting your account settings or contacting us. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

6.4 Legal Obligation

We may process your data when necessary to comply with legal obligations, including tax reporting requirements (such as IRS regulations for 1099-NEC and W-9 data retention), responding to valid legal process (subpoenas, court orders), regulatory compliance, and law enforcement requests.

6.5 Balancing Test

Where we rely on legitimate interests as the legal basis, we conduct a balancing test to ensure that our interests do not override your rights and freedoms. We consider the nature of the data, the purpose of processing, the potential impact on you, and the safeguards we have in place. Records of these assessments are maintained and are available to supervisory authorities upon request.

7. How We Use Your Information

We use the information we collect for the following purposes. Each purpose is tied to one or more of the legal bases described in Section 6.

7.1 Service Delivery

To provide, operate, and maintain the Service, including all core features such as CRM, project management, work order scheduling, inventory tracking, fleet management, financial operations, solar system monitoring, HR and compliance tools, and customer portal generation.

7.2 Account Management

To create, authenticate, and manage your account; enforce role-based access controls; process invitations and team management; and handle account-level settings and preferences.

7.3 Third-Party Synchronization

To synchronize data with third-party services that you have authorized and connected, including QuickBooks, Enphase, SolarEdge, Tesla, OpenSolar, Google Calendar, and others. Data synchronization occurs at your direction and according to your configuration settings.

7.4 Reporting and Analytics

To generate reports, dashboards, and analytics within your organization's tenant. Reports are scoped to your organization only, and no data from other tenants is included in your reports. Analytics features help you understand your business performance, track key metrics, and make data-driven decisions.

7.5 Transactional Communications

To send transactional emails and notifications related to your use of the Service, including work order assignments, project status updates, system alerts, appointment reminders, integration sync notifications, and account security alerts. These communications are delivered through Resend and are essential to the operation of the Service.

7.6 AI-Powered Features

To power the AI assistant and other AI-driven features using Anthropic's Claude language models. When you interact with the AI assistant, your conversation messages and any attached files are transmitted to Anthropic for processing. The AI assistant provides business insights, answers questions, helps draft communications, and assists with operational tasks.

7.7 Security Monitoring

To monitor for and respond to security threats, unauthorized access attempts, suspicious activity, and potential abuse of the Service. This includes analyzing access patterns, validating authentication tokens, enforcing rate limits, and maintaining audit logs.

7.8 Service Improvement

To analyze aggregated, de-identified usage data to understand how the Service is used, identify areas for improvement, prioritize feature development, fix bugs, and optimize performance. Individual users are not identified in this analysis.

7.9 Customer Support

To respond to your support requests, troubleshoot technical issues, and provide assistance with the Service. Support interactions may be logged for quality assurance and training purposes.

7.10 Legal Compliance

To comply with applicable laws, regulations, and legal processes; to respond to lawful requests from governmental authorities; and to enforce our Terms of Service and other agreements.

7.11 Aggregated and De-Identified Analytics

We may create aggregated and de-identified datasets derived from usage data for the purpose of understanding platform trends, benchmarking performance, and producing industry insights. Once data has been aggregated and de-identified, it cannot be used to identify individual users or organizations, and we commit to not attempting to re-identify such data.

7.12 Tax Compliance Tools

To provide tools that assist with tax compliance activities, including generating 1099-NEC forms, managing W-9 records, calculating payment totals, and tracking filing deadlines. These tools are provided for your convenience, and we do not provide tax advice. You remain solely responsible for the accuracy and completeness of all tax filings.

8. Multi-Tenant Data Isolation

The Service operates on a multi-tenant architecture in which multiple organizations share the same infrastructure while maintaining strict logical separation of data. This section describes how data isolation is enforced.

8.1 Row-Level Security (RLS)

All database tables that contain tenant-specific data are protected by row-level security policies enforced at the PostgreSQL database level. Every query executed against the database is automatically filtered to return only rows belonging to the authenticated user's organization. These policies are enforced by the database engine itself, not by application code, providing a robust defense against accidental or intentional cross-tenant data access.

8.2 No Cross-Organization Access

Users within one organization cannot access, view, modify, or delete data belonging to another organization under any circumstances through the Service's user interface or API. This isolation applies to all data entities, including customer records, projects, work orders, financial data, employee records, documents, AI conversations, and audit logs.

8.3 Administrative Operations

Certain platform-level administrative operations (such as database migrations, account provisioning, and system maintenance) may require elevated privileges that bypass row-level security. These operations are strictly limited to authorized system processes, are performed exclusively through controlled administrative tooling, and are comprehensively logged in the audit trail. No human operator can access tenant data through the Service's user-facing interface without proper authentication within that tenant.

8.4 Tenant ID Enforcement

Every record in the database is associated with a tenant identifier (organization ID). This identifier is set at the time of record creation and cannot be changed. All application-layer queries, API endpoints, and server-side functions include tenant ID filtering as a mandatory parameter, providing defense in depth beyond the database-level RLS policies.

9. Data Sharing and Disclosure

We take the protection of your data seriously and limit sharing to the circumstances described below.

9.1 We Do NOT Sell Personal Information

We do not sell, rent, or lease your personal information to third parties. This commitment applies to all categories of personal information we collect, and it applies under all applicable state and federal privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). "Sell" as used here has the meaning defined under applicable law, including the exchange of personal information for monetary or other valuable consideration.

9.2 We Do NOT Share for Cross-Context Behavioral Advertising

We do not share personal information for the purpose of cross-context behavioral advertising. We do not participate in advertising networks, data exchanges, or similar programs that use personal information to target advertisements across different websites, applications, or services.

9.3 Service Providers and Sub-Processors

We engage third-party service providers (sub-processors) to help us operate the Service. These providers are contractually bound by data processing agreements (DPAs) that restrict their use of your data to the purposes of providing their services to us and require them to maintain appropriate security measures. See Section 10 for the complete sub-processor list.

9.4 At Your Direction

When you connect a third-party integration (QuickBooks, Enphase, SolarEdge, Tesla, OpenSolar, Google Calendar), you authorize the Service to exchange data with that third-party service on your behalf. Data shared with these services is governed by their respective privacy policies and terms of service. You may revoke integration authorizations at any time through the Service's settings.

9.5 Within the Corporate Family

We may share information within the Praethos LLC corporate family, including its subsidiaries and affiliates such as ERP Solar, ProGreen Solar LLC, and Kenyon Consulting, for purposes of administration, service delivery, consolidated support, and internal operations. All entities within the corporate family are bound by the same data protection obligations described in this Privacy Policy.

9.6 Legal Requirements

We may disclose your information when we believe in good faith that disclosure is required or permitted by applicable law, regulation, or legal process. This includes responding to subpoenas, court orders, discovery requests, governmental investigations, and other lawful requests from public authorities, including to meet national security or law enforcement requirements.

9.7 Protection of Rights

We may disclose your information when we believe it is necessary to protect the rights, property, or safety of the Company, our users, or the public; to investigate or prevent fraud, security issues, or illegal activity; or to enforce our Terms of Service or other agreements.

9.8 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction involving all or a portion of our business, your information may be transferred to the acquiring entity. We will provide notice of any such transfer and any choices you may have regarding your information, either by email to your registered account address or through a prominent notice within the Service.

9.9 De-Identified and Aggregated Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual or organization. Such data may be used for industry analysis, benchmarking, or research purposes.

9.10 With Your Consent

We may share your information in other circumstances where you have provided your explicit, informed consent to such sharing.

10. Sub-Processor List

The following table lists the third-party sub-processors that process personal data on our behalf as part of delivering the Service. Each sub-processor is bound by a data processing agreement (DPA) that imposes obligations consistent with this Privacy Policy and applicable data protection laws.

New Sub-Processor Notification. We will provide at least thirty (30) days' advance notice before engaging any new sub-processor that will process personal data. Notice will be provided via email to account administrators or through an in-app notification. If you object to a new sub-processor, you may terminate your account in accordance with the Terms of Service.

Data Processing Agreements. All sub-processors are bound by DPAs that require them to process personal data only for the purposes specified by us, implement appropriate technical and organizational security measures, assist with data subject rights requests, notify us of data breaches, and delete or return personal data upon termination of the relationship.

11. AI Assistant Data Handling

The Service includes an AI-powered assistant that uses Anthropic's Claude language models. This section describes how data is handled in connection with the AI assistant feature.

11.1 Data Transmitted to Anthropic

When you interact with the AI assistant, your conversation messages are transmitted to Anthropic's API for processing. If you attach files (documents, images, spreadsheets) to a conversation, the content of those files may also be transmitted. The AI assistant processes your current conversation context to generate responses; it does not have direct access to your full database or all records within your organization.

11.2 No Model Training

Per Anthropic's commercial API terms of service, data transmitted through the API is not used to train, improve, or fine-tune Anthropic's language models. Your conversations remain confidential and are not incorporated into Anthropic's training datasets.

11.3 Tenant-Isolated Storage

AI conversation histories are stored within your organization's tenant-isolated database. Conversations are subject to the same row-level security policies, access controls, and data isolation measures that apply to all other data in the Service. Users in other organizations cannot access your AI conversation history.

11.4 Retention

AI conversation data is retained for the duration of your account plus thirty (30) days following account termination, consistent with the retention schedule described in Section 14. You may request deletion of specific AI conversations by contacting us.

11.5 Role-Based Access

Access to the AI assistant and the capabilities available to it may vary based on your assigned role within the organization. Administrators can configure which roles have access to AI features and which model tiers are available to each role.

11.6 Data Minimization

The AI assistant operates on a principle of data minimization. Only the current conversation context (your messages and the assistant's responses within the active thread) and any files you explicitly attach are transmitted to Anthropic. The assistant does not have access to your full database, other users' conversations, or data from other tenants.

12. Customer Portal Privacy

The Service enables you to generate customer-facing portals that display project information to your customers. This section describes the privacy practices applicable to those portals.

12.1 Minimal Visitor Data Collection

Customer portals collect only minimal data from visitors. Standard server logs record the visitor's IP address, user agent string (browser and device information), timestamps of page requests, and the pages viewed. This data is retained in accordance with our server log retention policy (90 days) and is used solely for security monitoring and aggregate analytics.

12.2 No Authentication Required

Customer portals are accessed via unique URLs and do not require visitors to create accounts, log in, or provide personal information. No registration or authentication data is collected from portal visitors.

12.3 Displayed Information Controlled by You

The information displayed on customer portals is determined entirely by you as the account holder. This typically includes project status, system specifications, installation timeline, and customer-facing notes. You are responsible for reviewing the information displayed on your portals and ensuring it is appropriate for your customers to view.

12.4 No Non-Essential Cookies

Customer portals do not set advertising, analytics, or functional cookies. Only strictly necessary cookies (if any are required for page rendering) are used. No tracking technologies beyond standard server logs are employed on portal pages.

12.5 Your Responsibility as Data Controller

When you publish customer information through a portal, you act as the data controller for that content. You are responsible for ensuring that you have obtained any necessary consents from your customers before displaying their personal information on a portal, and for complying with all applicable privacy laws with respect to that disclosure.

13. Data Security Measures

We implement a comprehensive set of technical and organizational security measures designed to protect the confidentiality, integrity, and availability of your data. While no system can guarantee absolute security, the following controls represent our commitment to safeguarding your information.

13.1 Encryption in Transit

All data transmitted between your browser (or API client) and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher. This applies to all web traffic, API calls, webhook communications, and email delivery.

13.2 Encryption at Rest

All data stored in our database and file storage systems is encrypted at rest using AES-256 encryption. This includes all tenant data, uploaded files, backups, and audit logs.

13.3 Authentication and Password Security

User authentication is managed through Supabase Auth. Passwords are hashed using bcrypt with appropriate salt rounds, ensuring that plaintext passwords are never stored. Multi-factor authentication (MFA) is supported and can be enforced at the organization level for additional security.

13.4 Row-Level Security

As described in Section 8, row-level security policies are enforced at the database level to ensure strict tenant data isolation. These policies are tested as part of our development process and are verified during security reviews.

13.5 Role-Based Access Control (RBAC)

The Service implements granular role-based access controls that determine which features, data, and operations each user can access. Roles include owner, admin, executive, sales manager, sales representative, installer, inventory specialist, and other configurable roles. Permissions are enforced at both the user interface and API levels.

13.6 Audit Logging

All significant data operations are recorded in audit logs, including record creation, modification, and deletion; user authentication events; role and permission changes; integration connections and disconnections; and administrative actions. Audit logs are immutable and are retained for three years.

13.7 OAuth 2.0 Token Management

Third-party integrations that use OAuth 2.0 are managed with secure token storage and automatic token refresh. Access tokens are stored encrypted, and refresh tokens are rotated according to each provider's recommended practices. Users can revoke integration authorizations at any time.

13.8 Webhook Verification

Incoming webhooks from third-party services are verified using HMAC-SHA256 signature validation. This ensures that webhook payloads are authentic and have not been tampered with in transit.

13.9 Managed Infrastructure

The Service is deployed on Vercel's managed hosting platform with Supabase providing managed database and authentication infrastructure. Both providers maintain SOC 2 Type II compliance, implement their own security programs, and handle infrastructure-level security including patching, network security, and physical security.

13.10 Principle of Least Privilege

Access to production systems, databases, and infrastructure is restricted to the minimum set of permissions necessary for each function. Administrative access is limited to authorized personnel, requires multi-factor authentication, and is logged.

13.11 Incident Response

We maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. See Section 16 for details on our data breach notification practices.

13.12 No Absolute Guarantee

While we implement industry-standard security measures and continuously work to improve our security posture, no method of electronic storage or data transmission over the Internet is completely secure. We cannot guarantee the absolute security of your information. In the event of a security incident, we will notify affected parties in accordance with applicable law and our breach notification procedures.

14. Data Retention Schedule

We retain different categories of data for different periods, based on the nature of the data, the purpose of its collection, and applicable legal requirements. The following table summarizes our data retention practices.

Deletion Process. When a retention period expires, or when you request deletion, data is removed from our primary systems. Encrypted backups containing the deleted data may persist for up to ninety (90) days after primary deletion, after which they are purged. Some data may be retained beyond the standard retention period where required by law, regulation, or legal process.

Data Export. Before account termination, you may export your data through the Service's built-in export features or by contacting us. We support export in structured formats such as CSV. We will make commercially reasonable efforts to accommodate export requests during the thirty (30) day post-termination window.

15. International Data Transfers

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country or jurisdiction.

15.1 EEA and United Kingdom Transfers

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom (UK) to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted on June 4, 2021, under Commission Implementing Decision (EU) 2021/914. For UK transfers, we use the International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office (ICO). These contractual safeguards ensure that your personal data receives a level of protection substantially equivalent to that provided under EU and UK data protection law.

15.2 Swiss Transfers

For transfers of personal data from Switzerland, we rely on the Standard Contractual Clauses (SCCs) as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC). We apply any necessary modifications to account for the requirements of the Swiss Federal Act on Data Protection (FADP).

15.3 Supplementary Measures

In addition to the contractual safeguards described above, we implement supplementary technical and organizational measures to protect transferred data. These include encryption of data in transit (TLS 1.2+) and at rest (AES-256), strict access controls, role-based permissions, audit logging, and regular security assessments.

15.4 Data Privacy Framework

To the extent applicable and as our business qualifies, we may participate in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as administered by the U.S. Department of Commerce. Participation details and certification status, if applicable, will be published on our website.

15.5 Consent to Transfer

By accessing or using the Service from outside the United States, you acknowledge and consent to the transfer, storage, and processing of your information in the United States in accordance with this Privacy Policy. If you do not consent to such transfer, you should not use the Service.

16. Data Breach Notification

We take data security incidents seriously and maintain procedures for detecting, investigating, containing, and remediating security breaches. In the event of a data breach involving personal data, we will follow the notification procedures described below.

16.1 Detection and Assessment

We aim to detect and assess potential data breaches within twenty-four (24) hours of becoming aware of a security incident. Our incident response team evaluates the nature and scope of the breach, the categories and approximate number of individuals affected, the categories and approximate number of records involved, and the likely consequences of the breach.

16.2 Supervisory Authority Notification

Where required under the GDPR, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons (GDPR Article 33). The notification will include the nature of the breach, categories and approximate number of data subjects affected, the name and contact details of our data protection officer, the likely consequences of the breach, and the measures taken or proposed to address the breach.

16.3 Individual Notification

Where required by applicable law, we will notify affected individuals without undue delay. Under the GDPR (Article 34), this applies when the breach is likely to result in a high risk to the rights and freedoms of natural persons. Under the Colorado Privacy Act and similar state laws, notification will be provided within thirty (30) days of determining that a breach has occurred. Notifications will be sent via email to the registered account address and, where appropriate, through in-app notifications.

16.4 Content of Notification

Breach notifications will include the following information, to the extent known at the time of notification:

• A description of the nature of the breach
• The categories of personal data affected
• The approximate number of individuals and records affected
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
• Contact information for obtaining further details

16.5 Law Enforcement Delay

If a law enforcement authority directs us to delay notification because notification would impede a criminal investigation, we will delay notification in compliance with such request. We will notify affected individuals as soon as the law enforcement authority advises that notification will no longer impede the investigation.

16.6 Breach Documentation

We maintain documentation of all personal data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken. This documentation is retained for a minimum of five (5) years and is available to supervisory authorities upon request.

17. Automated Decision-Making and Profiling

This section addresses how the Service uses automated processing and your rights in relation to automated decisions.

17.1 AI Recommendations Only

The AI assistant and other automated features within the Service provide recommendations, suggestions, and informational responses. These outputs are intended to assist human decision-makers and do not constitute automated decisions that produce legal effects or similarly significant effects on any individual. All business decisions remain under human control.

17.2 No Solely Automated Decision-Making

The Service does not engage in solely automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you, as described in GDPR Article 22. No automated process within the Service makes decisions about employment, credit, insurance, housing, or access to essential services without human review and oversight.

17.3 Right to Object

You have the right to object to any profiling or automated processing carried out in connection with your use of the Service. To exercise this right, contact us at legal@erpsolar.com. We will review your objection and, where the processing is based on legitimate interests, cease the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

17.4 Right to Explanation

If any automated processing produces a recommendation or output that affects you, you have the right to request a meaningful explanation of the logic involved, the significance, and the envisaged consequences of such processing. We will provide such explanation within thirty (30) days of your request.

17.5 Algorithmic Transparency

The AI features in the Service are powered by Anthropic's Claude language models. We do not train custom machine learning models on your data. The AI assistant uses general-purpose language models provided by Anthropic under their commercial API terms. We do not use your data to create proprietary algorithms, scoring models, or predictive tools that are applied to other customers or sold to third parties.

18. Your Privacy Rights (General)

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information. Sections 19 through 22 provide additional details about jurisdiction-specific rights.

18.1 Right of Access

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of the personal data we hold about you, along with information about how it is processed.

18.2 Right to Rectification

You have the right to request that we correct inaccurate personal data or complete incomplete personal data concerning you.

18.3 Right to Erasure

You have the right to request that we delete your personal data (sometimes referred to as the "right to be forgotten"). This right is subject to exceptions, including where retention is required by law, necessary for the performance of a contract, or needed for the establishment, exercise, or defense of legal claims.

18.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you oppose erasure, or when we no longer need the data but you require it for legal claims.

18.5 Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. The Service supports data export in CSV and other structured formats for applicable data categories. You have the right to transmit this data to another service provider without hindrance.

18.6 Right to Object

You have the right to object to the processing of your personal data that is based on our legitimate interests or on the performance of a task in the public interest. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

18.7 Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw consent by adjusting your account settings or by contacting us.

18.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe our processing of your personal data violates applicable data protection law. While we encourage you to contact us first so that we can address your concern, this right exists regardless of whether you have contacted us.

18.9 How to Exercise Your Rights

To exercise any of the rights described above, you may contact us by:

• Emailing legal@erpsolar.com with a description of your request
• Submitting a request through our contact form

We will respond to your request within thirty (30) days. If the request is complex or we receive a large number of requests, we may extend this period by an additional sixty (60) days, in which case we will notify you of the extension and the reasons for it within the initial thirty-day period.

18.10 Identity Verification

To protect your privacy and security, we may need to verify your identity before fulfilling your request. Verification may involve confirming information associated with your account, such as your email address or account details. We will not request sensitive personal information (such as government-issued ID numbers) for verification unless required by applicable law.

18.11 Authorized Agents

You may designate an authorized agent to submit a privacy rights request on your behalf. Authorized agents must provide written permission signed by you, along with verification of the agent's identity. We may contact you directly to verify that you authorized the agent to act on your behalf.

18.12 No Retaliation

We will not discriminate against you, deny you service, charge different prices, provide a different quality of service, or otherwise retaliate against you for exercising any of your privacy rights under applicable law.

19. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). This section provides the disclosures required under California law.

19.1 Categories of Personal Information Collected

We collect the following categories of personal information, as defined by the CCPA:

• Identifiers: Name, email address, phone number, IP address, account name, and organization name.
• Commercial Information: Records of products or services purchased, subscription history, invoices, payment records, and transaction data.
• Internet or Other Electronic Network Activity Information: Browsing history within the Service, search history, feature usage, click patterns, and interaction data.
• Professional or Employment-Related Information: Job title, role, organization affiliation, and (if entered by you) employee and contractor records.
• Geolocation Data: Approximate geographic location derived from IP address (city or region level).
• Sensitive Personal Information: Social Security Number (last four digits only, as entered by you for W-9/1099-NEC purposes), account login credentials (email and password hash), and financial account information (as entered for payment processing).

19.2 Business Purpose for Each Category

Each category of personal information is collected and used for the business purposes described in Section 7 of this Privacy Policy, including providing the Service, managing accounts, enabling integrations, generating reports, sending transactional communications, providing AI features, monitoring security, improving the Service, providing support, and complying with legal obligations.

19.3 Categories of Sources

We collect personal information from the following categories of sources: directly from you (account registration, data entry, file uploads); automatically from your use of the Service (usage data, log data, device information); and from third-party services you connect (QuickBooks, Enphase, SolarEdge, Tesla, OpenSolar, Google Calendar, Stripe, Resend).

19.4 Categories Shared with Third Parties

We share personal information with the categories of third parties described in Section 9 and Section 10, including cloud infrastructure providers (Vercel, Supabase), email delivery providers (Resend), AI processing providers (Anthropic), payment processors (Stripe), document signing providers (eSignatures.io), and third-party integrations connected at your direction.

19.5 Your California Privacy Rights

As a California resident, you have the right to:

• Right to Know / Access: Request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Delete: Request that we delete the personal information we have collected about you, subject to the exceptions permitted under the CCPA.
• Right to Correct: Request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. Regardless, you may submit an opt-out request, and we will honor it.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of your sensitive personal information to the purposes necessary to perform the Service. We use sensitive personal information only for these necessary purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

19.6 Shine the Light (California Civil Code Section 1798.83)

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

19.7 Retention

For information about how long we retain each category of personal information, please refer to the data retention schedule in Section 14 of this Privacy Policy.

19.8 No Financial Incentives

We do not offer financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of personal information.

19.9 Annual Metrics

In accordance with CCPA regulations, we will publish annual metrics regarding the number of consumer requests received, complied with, denied, and the median response time. These metrics will be made available on our website following each calendar year.

20. Colorado Privacy Rights (CPA)

If you are a Colorado resident, you have specific rights under the Colorado Privacy Act (CPA), which became effective on July 1, 2023. As a Colorado-based company, we are committed to complying with the CPA.

20.1 Applicability

The CPA applies to entities that conduct business in Colorado or produce products or services targeted to Colorado residents and that meet certain processing thresholds. Regardless of whether we meet those thresholds, we voluntarily extend CPA rights to all Colorado residents who use our Service.

20.2 Your Colorado Privacy Rights

As a Colorado resident, you have the right to:

• Access: Confirm whether we are processing your personal data and access that data.
• Correct: Correct inaccuracies in your personal data.
• Delete: Request deletion of your personal data.
• Data Portability: Obtain a copy of your personal data in a portable and readily usable format.
• Opt-Out: Opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

20.3 Global Privacy Control Recognition

We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out request under the Colorado Privacy Act. If your browser or device sends a GPC signal, we will treat it as a request to opt out of any applicable processing for targeted advertising or sale of personal data.

20.4 Consent for Sensitive Data

Under the CPA, we will obtain your consent before processing sensitive personal data, including data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data.

20.5 Appeal Process

If we decline your privacy rights request, you have the right to appeal our decision. To submit an appeal, email legal@erpsolar.com with the subject line "CPA Appeal." We will respond to your appeal within forty-five (45) days. If your appeal is denied, you have the right to file a complaint with the Colorado Attorney General at coag.gov.

21. Additional State Privacy Rights

In addition to California and Colorado, several other states have enacted comprehensive privacy laws. We respect the rights of residents of these states and provide the following information about applicable laws.

21.1 Connecticut (CTDPA)

The Connecticut Data Privacy Act (CTDPA) became effective on July 1, 2023. Connecticut residents have the right to access, correct, and delete their personal data; obtain a copy in a portable format; and opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact legal@erpsolar.com. If we deny your request, you may appeal, and we will respond within sixty (60) days. You may also file a complaint with the Connecticut Attorney General.

21.2 Virginia (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) became effective on January 1, 2023. Virginia residents have the right to access, correct, and delete their personal data; obtain a copy in a portable format; and opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact legal@erpsolar.com. If we deny your request, you may appeal within thirty (30) days, and we will respond within sixty (60) days. You may also file a complaint with the Virginia Attorney General.

21.3 Utah (UCPA)

The Utah Consumer Privacy Act (UCPA) became effective on December 31, 2023. Utah residents have the right to access and delete their personal data, obtain a copy in a portable format, and opt out of the processing of personal data for targeted advertising or sale. To exercise these rights, contact legal@erpsolar.com.

21.4 Texas (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) became effective on July 1, 2024. Texas residents have the right to access, correct, and delete their personal data; obtain a copy in a portable format; and opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact legal@erpsolar.com. If we deny your request, you may appeal within thirty (30) days, and we will respond within sixty (60) days. You may also file a complaint with the Texas Attorney General.

21.5 Oregon (OCPA)

The Oregon Consumer Privacy Act (OCPA) became effective on July 1, 2024. Oregon residents have the right to access, correct, and delete their personal data; obtain a copy in a portable format; opt out of the processing of personal data for targeted advertising, sale, or profiling; and obtain a list of specific third parties to whom their data has been disclosed. To exercise these rights, contact legal@erpsolar.com. If we deny your request, you may appeal within thirty (30) days, and we will respond within forty-five (45) days. You may also file a complaint with the Oregon Attorney General.

21.6 Montana (MCDPA)

The Montana Consumer Data Privacy Act (MCDPA) became effective on October 1, 2024. Montana residents have the right to access, correct, and delete their personal data; obtain a copy in a portable format; and opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact legal@erpsolar.com. If we deny your request, you may appeal within thirty (30) days, and we will respond within sixty (60) days. You may also file a complaint with the Montana Attorney General.

Ongoing Compliance. Privacy law is evolving rapidly across the United States. We monitor new state privacy laws as they are enacted and take effect, and we will update this Privacy Policy to reflect new requirements as they become applicable. If you reside in a state with a comprehensive privacy law not listed above, please contact us at legal@erpsolar.com to inquire about your rights.

22. EEA, UK, Switzerland (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the following additional provisions apply to our processing of your personal data under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP).

22.1 Applicability

The GDPR and UK GDPR apply when we process personal data of individuals located in the EEA or UK, regardless of where we are established. The FADP applies when we process personal data of individuals in Switzerland. We comply with these laws to the extent they apply to our processing activities.

22.2 Data Protection Officer

For data protection inquiries, you may contact our designated point of contact at legal@erpsolar.com. This contact serves as the point of communication for data protection matters, including requests from data subjects and inquiries from supervisory authorities.

22.3 Legal Bases

Our legal bases for processing your personal data are described in Section 6 of this Privacy Policy. For each processing activity, we identify and document the applicable legal basis in accordance with GDPR Articles 6 and 9.

22.4 Your GDPR Rights

Under the GDPR and UK GDPR, you have the following rights:

• Right of Access (Article 15): Request a copy of the personal data we hold about you and information about our processing activities.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): Request deletion of your personal data when the data is no longer necessary, you withdraw consent, you object to processing, or the data was unlawfully processed.
• Right to Restriction of Processing (Article 18): Request restriction of processing when you contest the accuracy, the processing is unlawful, we no longer need the data, or you have objected pending verification.
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests or public interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
• Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, as described in Section 17.

22.5 Lodging a Complaint

If you believe our processing of your personal data violates the GDPR or UK GDPR, you have the right to lodge a complaint with a supervisory authority. In the EEA, you may complain to the authority in your Member State of residence, place of work, or place of the alleged infringement. In the UK, the supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk. In Switzerland, the authority is the Federal Data Protection and Information Commissioner (FDPIC).

22.6 International Data Transfers

For information about the safeguards we apply when transferring personal data outside the EEA, UK, or Switzerland, please refer to Section 15 of this Privacy Policy.

22.7 Data Retention

For information about how long we retain each category of personal data, please refer to the data retention schedule in Section 14 of this Privacy Policy.

22.8 EU/UK Representative

If required under GDPR Article 27 or UK GDPR Article 27, we will appoint a representative in the EEA and/or UK. If and when a representative is appointed, their contact information will be published on this page and communicated to the relevant supervisory authorities.

23. Children's Privacy (COPPA)

We take the privacy of children seriously and comply with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide.

23.1 Not Intended for Minors

The Service is a business-to-business platform designed for use by solar installation companies and their authorized employees. It is not intended for use by individuals under the age of eighteen (18). By using the Service, you represent that you are at least eighteen (18) years of age.

23.2 Not Directed at Children Under 13

The Service is not directed at children under the age of thirteen (13). We do not target, market to, or knowingly solicit information from children under 13. The features, content, and functionality of the Service are designed exclusively for adult business users.

23.3 No Knowing Collection

We do not knowingly collect personal information from children under the age of thirteen (13). If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information from our systems.

23.4 Parental Rights

If you are a parent or guardian and believe that your child under the age of 13 has provided personal information to us, you have the right to: review the personal information collected from your child; request that we delete your child's personal information; and refuse further collection or use of your child's information.

23.5 Reporting Mechanism

If you believe a child under the age of 13 has provided personal information to us, please contact us immediately at legal@erpsolar.com or through our contact form. We will investigate and delete any such information promptly.

24. Do Not Track and Global Privacy Control

24.1 Do Not Track (DNT)

"Do Not Track" (DNT) is a privacy preference that users can set in their web browsers. We honor the DNT signal. Because we do not engage in cross-site tracking, the Service's behavior is already consistent with the intent of the DNT signal. We do not track your activity across third-party websites, and we do not serve targeted advertisements based on your browsing history.

24.2 Global Privacy Control (GPC)

The Global Privacy Control (GPC) is a browser-based signal that communicates a user's privacy preferences to websites. We recognize and honor the GPC signal as a valid opt-out request under all applicable state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other state laws that recognize GPC.

When we detect a GPC signal from your browser or device, we will treat it as an opt-out of any applicable processing for targeted advertising and the sale or sharing of personal information. Because we do not sell personal information or use it for cross-context behavioral advertising, the GPC signal serves as additional confirmation of our existing practices.

25. CAN-SPAM Compliance

We comply with the CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.) and related Federal Trade Commission (FTC) regulations governing commercial email messages.

25.1 Opt-In for Commercial Communications

We only send commercial email communications (such as newsletters, product announcements, and promotional content) to individuals who have explicitly opted in to receive them. We do not purchase email lists or send unsolicited commercial emails.

25.2 Unsubscribe Mechanism

Every commercial email we send includes a clear, conspicuous, and functional unsubscribe mechanism. You can opt out of commercial emails at any time by clicking the unsubscribe link in any such email or by contacting us at legal@erpsolar.com.

25.3 Transactional Emails

Transactional and relationship emails, such as work order assignments, project status updates, system alerts, security notifications, account verification messages, and password reset emails, are not considered commercial messages under CAN-SPAM and cannot be opted out of while your account is active. These messages are necessary for the operation of the Service and the performance of our contract with you.

25.4 Unsubscribe Processing

We will process all unsubscribe requests within ten (10) business days of receipt. Once processed, you will no longer receive commercial email communications from us. Your unsubscribe preference will be honored unless and until you re-subscribe.

25.5 Honest Subject Lines

We do not use deceptive or misleading subject lines in our email communications. The subject line of each email accurately reflects the content of the message.

25.6 Physical Address

In compliance with CAN-SPAM requirements, all commercial email communications include the physical mailing address of Praethos LLC, located in Longmont, Colorado.

26. Third-Party Links and Services

26.1 External Links

The Service may contain links to third-party websites, applications, or services that are not owned or controlled by us. This includes links to integration partner websites, industry resources, government agencies, and other external sites. We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party websites you visit.

26.2 Third-Party Integrations

When you connect third-party integrations (such as QuickBooks, Enphase, SolarEdge, Tesla, OpenSolar, Google Calendar, or Stripe), data exchanged with those services is governed by their respective privacy policies and terms of service in addition to this Privacy Policy. We recommend reviewing the privacy practices of each integration before connecting it. Your authorization of a third-party integration constitutes your consent to the data exchange described in the integration's configuration within the Service.

26.3 Limitation of Liability

The inclusion of a link to a third-party website or the availability of a third-party integration does not imply endorsement of that third party's practices. We are not liable for any loss or damage arising from your use of, or reliance on, any third-party website, service, or integration.

27. Changes to This Privacy Policy

27.1 Material Changes

If we make material changes to this Privacy Policy (such as changes to the categories of data collected, the purposes of processing, the categories of third parties with whom data is shared, or your rights), we will provide you with at least thirty (30) days' advance notice before the changes take effect. Notice will be provided via email to the address associated with your account and/or through a prominent in-app notification. Material changes include any modification that meaningfully affects your rights or our obligations under this Privacy Policy.

27.2 Non-Material Changes

Non-material changes (such as corrections of typographical errors, updates to formatting, or clarifications that do not change the substance of the policy) may be posted without advance notice and will be effective upon posting. We encourage you to review this Privacy Policy periodically.

27.3 Version History

The "Effective Date" at the top of this Privacy Policy indicates the date of the most recent revision. We maintain an internal version history of all changes to this Privacy Policy.

27.4 Continued Use

Your continued use of the Service after the effective date of any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you must discontinue use of the Service before the new effective date and may request deletion of your account and data in accordance with Section 18.

28. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us using any of the methods below.

28.1 Privacy Inquiries

For all privacy-related inquiries, including data subject rights requests, questions about our data handling practices, and concerns about this Privacy Policy:

Email: legal@erpsolar.com

28.2 Mailing Address

Praethos LLC
Longmont, Colorado
United States

28.3 Contact Form

You may also reach us through our online contact form at erpsolar.com/contactus.

28.4 Data Protection Officer

For data protection matters, including GDPR and UK GDPR inquiries, data subject access requests, and communications from supervisory authorities, please contact our designated data protection point of contact at legal@erpsolar.com.

28.5 Response Time

We aim to respond to all privacy-related inquiries within thirty (30) calendar days of receipt. For complex requests or during periods of high volume, we may extend the response period by an additional sixty (60) days, in which case we will notify you of the extension and the reasons within the initial thirty-day period.