Privacy Policy
Last Updated: April 2, 2026
This Privacy Policy describes how Attlock Systems Inc. ("Attlock", "we", "us", or "our") collects, uses, discloses, and protects information when you use our websites, mobile applications, web portals, APIs, and related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
Google API Services User Data Policy
Attlock's use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy, including Limited Use requirements. We do not use Google Workspace data to train generalized AI/ML models.
1. Scope and Roles
Attlock provides a business-to-business workforce management and security operations platform for security companies, facility managers, and enterprise customers. In most cases:
- The customer organization (your employer or contracting entity) is the data controller for workforce and operational records submitted to the Services.
- Attlock acts as a data processor/service provider and processes customer data strictly under the customer's documented instructions and applicable law.
- For data we collect about our own website visitors, prospects, billing contacts, and account administrators, Attlock is the data controller.
References to "your employer" in this Privacy Policy refer to the entity that has entered into a service agreement with Attlock, whether you are an employee, consultant, or contractor of that entity.
2. What Is Our Relationship with Your Employer?
Attlock has entered into a Master Services Agreement or similar agreement with your employer ("Customer Agreement") to grant you access to the Services. We process your personal information on behalf of your employer and in accordance with the Customer Agreement and their lawful instructions.
If you wish to access, correct, or delete your personal information, or if you no longer want your employer to use the Services to process your data, please contact your employer directly. We will assist your employer in fulfilling valid data subject requests in accordance with applicable law.
3. Information We Collect
We collect information from four primary sources: (a) information you provide directly; (b) information provided by your employer; (c) information collected via our mobile applications; and (d) information collected automatically.
A. Information You Provide
- Account & Identity Data: Name, business email, phone number, job title, account credentials, and profile information.
- Authentication Data: Credentials and tokens from single sign-on providers (e.g., Google OAuth profile and email scopes), and multi-factor authentication details.
- Communication Data: Information you include in correspondence with us, support tickets, feedback forms, and survey responses.
- Payment Data: Billing contact information and payment method details processed through our PCI-compliant payment processor.
B. Information Provided by Your Employer
Your employer may provide us with information about you when creating your user profile or during the course of using the Services, including:
- Name, company email address, company phone number, job title, level of seniority, department, and primary work location.
- Employee or contractor identifiers, work start date, assigned sites, scheduling preferences, and role-based access permissions.
- Licensing, certification, and qualification records required for security operations.
C. Information Collected via Mobile Applications
Our mobile applications may request device permissions to access specific capabilities. You must grant these permissions before the respective data can be collected. You may revoke permissions at any time through your device settings, though doing so may limit certain features.
Location Services
Used to enable live guard tracking, GPS-stamped check-ins, patrol route verification, geofence triggers, and safety panic button features. Location data is transmitted only while you are signed in and actively using the application. All location transmissions cease when you sign out.
Camera
Used to capture photos and videos within incident reports, site inspections, and checkpoint verifications. The application opens your device's native camera interface. Camera access is not available once you sign out.
Microphone
Used to record audio during video capture for incident documentation, and for push-to-talk communication features where enabled by your employer. Microphone access ceases upon sign-out. In jurisdictions where audio recording requires additional consent, your employer may disable this feature to ensure regulatory compliance.
Phone / Dialer
Used to place outbound calls to emergency services, dispatch contacts, or site contacts directly from within the application. We do not listen to, record, or track calls made through this permission. No call functionality persists after sign-out.
Photo Library / Storage
Used to access and upload existing images for reports and to temporarily store captured media before upload. We do not access any other files or data stored on your device. Storage access is revoked upon sign-out.
Push Notifications
Used to deliver real-time shift alerts, dispatch assignments, safety notifications, and operational communications from your employer.
D. Information Collected Automatically
- Log & Device Data: IP address, browser type and version, operating system, device identifiers, app version, crash reports, and diagnostic data.
- Usage Analytics: Pages visited, features used, click patterns, session duration, referring URLs, and interaction metrics.
- Cookies & Similar Technologies: We use cookies, pixels, and local storage for security, session management, performance optimization, analytics, and preference retention. See our Cookie Policy for detailed information and opt-out mechanisms.
4. How We Use Information
We take steps to ensure that only personnel who require access to personal information to fulfill their duties may access it. We use information for the following purposes:
- Service Delivery: Provide, operate, maintain, and improve the Services, including dispatch, scheduling, reporting, real-time monitoring, and compliance workflows.
- Authentication & Security: Verify user identities, manage access controls, and detect and prevent fraud, abuse, and unauthorized access.
- Customer Support: Respond to inquiries, provide technical support, and resolve issues.
- Analytics & Improvement: Understand usage trends and preferences to improve the Services and develop new features and functionality.
- Communication: Send product updates, service notifications, billing information, and legal notices.
- Contractual Obligations: Carry out obligations arising from the Customer Agreement, including generating reports and audit trails for your employer.
- Legal Compliance: Comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
5. Legal Bases for Processing
Where required by applicable law (including GDPR, UK GDPR, and PIPEDA), we rely on one or more of the following legal bases:
- Contract Performance: Processing necessary to perform our obligations under the Customer Agreement or Terms of Service.
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring network security, provided these interests are not overridden by your rights.
- Legal Obligation: Processing necessary to comply with applicable laws and regulations.
- Consent: Where we have obtained your explicit consent for specific processing activities, which you may withdraw at any time.
6. How We Share Information
We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. We may share information in the following circumstances:
- Customer Organizations: With your employer and their authorized administrators in accordance with the Customer Agreement.
- Affiliates: Within our corporate family, including parent companies, subsidiaries, and entities under common ownership, for purposes consistent with this Privacy Policy.
- Service Providers & Subprocessors: With trusted third-party providers who assist with hosting, infrastructure, authentication, communications, analytics, customer support, and payment processing. These providers are contractually bound to use personal information only as directed by us and in compliance with this Privacy Policy.
- Emergency Services: With emergency service providers when necessary to protect the safety of individuals.
- Legal & Regulatory: With regulators, courts, law enforcement, or other parties where required by law, legal process, or to protect our rights, property, or safety.
- Business Transfers: With an acquirer, successor, or assignee in connection with a merger, acquisition, debt financing, sale of assets, reorganization, or similar transaction, as well as in the event of insolvency or bankruptcy, provided the recipient commits to privacy protections substantially consistent with this Policy.
- Aggregated & De-identified Data: We may share non-personally identifiable, aggregated, or de-identified data with third parties for analytics, benchmarking, and reporting purposes.
7. Subprocessors and Third-Party Services
Attlock engages a limited number of third-party subprocessors to assist in providing the Services. We maintain an up-to-date list of subprocessors and their processing activities. Enterprise customers may request a copy of our current subprocessor list by contacting support@attlock.com.
We evaluate each subprocessor's security practices and require contractual commitments to data protection standards consistent with this Privacy Policy. We notify customers of material changes to our subprocessor list in accordance with the Customer Agreement.
8. International Transfers
Personal information may be processed in Canada, the United States, and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal information from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission.
- Data Processing Agreements with contractual commitments to equivalent protections.
- Other legally recognized transfer mechanisms as applicable.
9. Data Retention
We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, provide the Services, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements.
Customer data is retained in accordance with the customer's subscription terms and documented retention instructions. Following termination of a Customer Agreement, we will delete or render inaccessible all customer data within ninety (90) days, unless retention is required by applicable law. A data deletion confirmation will be provided to the customer upon request.
If you would like further information regarding data retention periods applicable to your personal information, please contact us as set forth in the "Contact Us" section.
10. Security
Attlock maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of personal information. Our security measures include:
- Encryption: Data encrypted in transit via TLS/SSL and at rest using industry-standard encryption algorithms.
- Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege across all systems.
- Infrastructure Security: Secure cloud hosting with network segmentation, firewalls, intrusion detection, and continuous monitoring.
- Organizational Measures: Employee security training, background checks, confidentiality agreements, and documented security policies and procedures.
- Incident Response: Documented incident response procedures with defined escalation paths and notification protocols.
- Regular Assessments: Periodic vulnerability assessments and security reviews to identify and remediate risks.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your personal information has been compromised, please contact us immediately at support@attlock.com.
11. Data Breach Notification
In the event of a security breach involving personal information, we will notify affected customers and individuals in accordance with applicable laws and our contractual obligations. Notifications will include the nature of the breach, categories of data affected, measures taken to address the breach, and recommended steps to mitigate potential harm.
12. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal and contractual retention requirements.
- Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
- Restriction: Request restriction of processing under certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
If you are an end user of a customer organization, please direct your request to your employer first, as they are the data controller for your operational data. Attlock will support customers in fulfilling valid data subject requests in accordance with applicable law.
To exercise your rights directly with Attlock, email support@attlock.com. We will respond to verified requests within the timeframes required by applicable law. We will not discriminate against you for exercising any of your privacy rights.
U.S. State Privacy Notices
Where U.S. state privacy laws apply (including those of California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, and other states with comprehensive privacy legislation), you may have additional rights to:
- Know what personal information we collect and how it is used.
- Access, correct, and delete your personal information.
- Opt out of the sale or sharing of personal information (Attlock does not sell personal information).
- Opt out of targeted advertising and certain profiling activities.
- Appeal decisions regarding your privacy rights requests.
Canadian Privacy Rights (PIPEDA)
If you are located in Canada, you have the right to access your personal information held by Attlock and to challenge its accuracy. You may also file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
13. Data Processing Agreements
Enterprise customers who require a Data Processing Agreement (DPA) or Data Processing Addendum may request one by contacting support@attlock.com. Our DPA addresses:
- Processing scope, purpose limitation, and duration of processing.
- Subprocessor management and notification obligations.
- Data subject rights assistance and cooperation.
- Security measures, audit rights, and breach notification commitments.
- Data return and deletion procedures upon agreement termination.
14. Children's Privacy
The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16 without verifiable parental consent. If you are under 16 years of age, please do not use or access the Services. If we learn that personal information has been collected from a child under 16 without appropriate consent, we will take prompt steps to delete that information. Parents or guardians who believe their child has provided personal information may contact us at support@attlock.com.
15. Third-Party Sites and Services
The Services may contain links to third-party websites, platforms, or services that are not operated or controlled by Attlock. This Privacy Policy does not apply to those third-party services. We are not responsible for their privacy practices, data handling procedures, or content. We encourage you to review the privacy policies of any third-party services before providing personal information.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. Material changes will be communicated by posting the updated Privacy Policy on this page with a revised "Last Updated" date, and where required, by notifying you via email or through the Services.
We encourage you to review this Privacy Policy periodically. Your continued use of the Services following the posting of changes constitutes your acknowledgment of the updated Privacy Policy.
17. Contact Us
If you have any questions, comments, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your applicable rights, our Privacy Officer can be reached using the following contact information:
Privacy Officer
Attlock Systems Inc.
Toronto, Ontario, Canada
Privacy Inquiries: support@attlock.com
Security Incidents: support@attlock.com
General Inquiries: support@attlock.com
This Privacy Policy is incorporated into, and subject to, our Terms of Service. Capitalized terms used but not defined in this Privacy Policy have the meanings given to them in our Terms of Service.