SCELTA CUSTOMS INC. PRIVACY POLICY

We manage personal information in line with the privacy principles embedded in PIPEDA, which include: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and the ability to challenge our compliance.

In practical terms, that means:

• We are responsible for personal information under our control.
• We tell people why we collect personal information and limit collection to what is reasonably necessary.
• We only use and disclose personal information for those purposes (or closely related ones), unless we get additional consent or are required by law.
• We protect personal information with safeguards appropriate to its sensitivity.
• We are open about our privacy practices and respond to access and correction requests.

The personal information we collect depends on how you interact with us and which Services you use. Typical categories include:

Client and user identification details

• Name, business title, company name
• Business contact details (email, phone number, mailing address)
• Role and relationship to a project (e.g., site supervisor, estimator, owner)

Account and authentication information

• Login identifiers (e.g., username, business email)
• Passwords or other credentials (stored in encrypted form)
• Account preferences and settings

Service usage and interaction data

• How you use our Services (features accessed, clicks, navigation, timestamps)
• System logs, device and browser information, IP address, general location (e.g., city/region)
• Support requests, emails, and other communications with us

Portal and collaboration information

• Information you submit or view in Portals or RealTime (e.g., comments, messages associated with your name and role)
• Contact information of people you invite to view or collaborate in a portal

Marketing and communication information

• Newsletter subscriptions, event registrations, and marketing preferences
• Information you provide when you respond to surveys or participate in demos or pilot programs

We generally do not collect sensitive personal information (such as health or biometric data) as part of our Services, and we do not target or serve consumer health providers. If we ever handle such information in a specific context, we will comply with additional legal requirements, including any applicable provincial health privacy laws.

We use personal information for purposes that a reasonable person would consider appropriate in the circumstances, including to:

1. Provide and operate the Services

• Create and manage user accounts
• Configure and maintain COS, SiteKick, 360s, Branding, RealTime, and Portals for your projects
• Authenticate users and authorize access

2. Support and improve the Services

• Respond to support requests, questions, and feedback
• Diagnose technical issues and maintain system security and performance
• Analyze usage patterns to refine workflows and interfaces

3. Communicate with you

• Send service-related notices (e.g., updates, downtime notices, changes to terms)
• Communicate about new features, pilot programs, or training opportunities (you can opt out of marketing communications at any time)

4. Manage our business relationship

• Administer contracts, billing, and collections
• Conduct forecasting, planning, and internal reporting

5. Meet legal and regulatory obligations

• Respond to lawful requests and court orders
• Maintain records required by law or professional standards
• Investigate and prevent fraud, abuse, or security incidents

We will not use personal information for purposes that are materially different from those described in this Policy without informing you and obtaining additional consent where required.

We collect, use, and disclose personal information with your knowledge and consent, except where the law allows or requires otherwise.

Consent may be:

• Express, such as when you sign an agreement, click "I agree", or clearly opt-in to communications; or
• Implied, such as when you or your employer use the Services and it is reasonably obvious from the context that we need to process certain information to provide them.

You may withdraw your consent to certain uses or disclosures of personal information, subject to legal or contractual restrictions and reasonable notice. For example, you can opt out of marketing emails by using the unsubscribe link in those messages or by contacting us.

If you withdraw consent for uses that are essential to providing the Services (such as basic account and contact information), we may not be able to continue providing those Services.

We do not sell or rent personal information.

We may share personal information in the following limited ways:

1. With your organization

If you use the Services as part of an organization (e.g., an employer, contractor, or client), information about your use of the Services may be visible to that organization and its administrators, in line with that organization's internal policies.

2. Service providers (processors)

We use carefully selected third-party service providers (for example, hosting providers, email delivery services, analytics tools, and customer support platforms) to help deliver and support the Services. These providers are only allowed to use personal information to perform services for us and must protect it in a way that is consistent with this Policy and with PIPEDA.

3. Business transactions

If we are involved in a merger, acquisition, financing, or sale of all or part of our business, personal information may be disclosed as part of that transaction, subject to appropriate confidentiality protections and applicable law.

4. Legal and safety reasons

We may disclose personal information if we believe it is reasonably necessary to:

• Comply with a law, regulation, legal process, or valid government request;
• Protect the rights, property, or safety of Scelta, our clients, users, or the public; or
• Detect, prevent, or address fraud, security issues, or technical problems.

5. With your consent

We may share personal information with other third parties in ways not described above, but only with your consent.

Our service providers may be located outside of the province or country where you are located, including in the United States or other jurisdictions. As a result, personal information may be processed and stored in countries that have different privacy laws than Canada.

When personal information is transferred outside Canada, we remain responsible for it and will use contractual and other safeguards to ensure it continues to receive protection consistent with Canadian privacy requirements. Individuals should be aware that, in some cases, foreign governments, courts, or law enforcement agencies may be permitted to access personal information under the laws of those jurisdictions.

We keep personal information only as long as reasonably necessary to:

• Provide the Services to you and your organization;
• Meet the purposes described in this Policy; and
• Satisfy legal, accounting, or reporting obligations.

Retention periods may vary depending on the type of information and the context. For example, we may retain records of important decisions or transactions for a longer period to comply with legal or audit requirements. PIPEDA expects organizations to define and follow retention guidelines and to retain information used to make decisions about individuals long enough for them to access it.

When personal information is no longer needed, we will delete it, anonymize it, or securely destroy it, subject to any legal requirements to retain it longer.

We use physical, organizational, and technical safeguards designed to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

Examples include:

• Limiting access to personal information to staff and service providers who need it to perform their duties
• Role-based access controls and authentication measures
• Encryption in transit and at rest for appropriate systems
• Secure development and change-management practices
• Training employees on privacy and confidentiality obligations
• Procedures for securely disposing of or anonymizing personal information when it is no longer required

While we take reasonable steps to protect personal information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

If we become aware of a breach of security safeguards that poses a real risk of significant harm, we will notify affected individuals and the appropriate privacy regulator, as required by law.

Our websites and online Services may use cookies and similar technologies to:

• Remember your preferences and settings
• Help keep your session secure
• Understand how visitors use our websites (for example, pages visited, time on site)
• Improve the performance and usability of our sites

You can adjust your browser settings to refuse cookies or to alert you when cookies are being sent. However, some features of our websites or Services may not function properly without certain cookies.

Under PIPEDA, you have the right to request access to personal information we hold about you and to request corrections if you believe it is inaccurate or incomplete.

Access requests

You may request:

• Confirmation of whether we hold personal information about you
• A description of the types of information we hold and how we use it
• Access to that information, subject to limited exceptions (for example, information that would reveal personal information about another individual, or information that cannot be disclosed for legal or security reasons)

We may ask for enough information to confirm your identity and locate the records. Where we must refuse access, we will explain the reasons, unless we are prevented from doing so by law.

Correction requests

If you demonstrate that personal information we hold about you is inaccurate or incomplete, we will correct or update it as appropriate. Where reasonable, we will also send the corrected information to any third parties that have received it from us.

Marketing communications

You can opt out of marketing emails by using the unsubscribe links in those messages or by contacting us. We may still send you important service-related messages even if you opt out of marketing.

Our Services are designed for use by businesses and adults in a work context. They are not intended for minors, and we do not knowingly collect personal information from individuals under the age of 18 without appropriate parental or guardian consent.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make material changes, we will update the "Effective date" at the top of this Policy and may also provide additional notice (for example, by email or through our websites or Services).

Your continued use of the Services after an updated Privacy Policy takes effect means you accept the changes. If you do not agree with the updated Policy, you should stop using the Services.

We are responsible for personal information under our control and have designated a person to be accountable for our compliance with this Policy and with Canadian privacy law.

If you have any questions, concerns, or complaints about how we handle personal information, or if you wish to exercise your privacy rights, please contact:

We will investigate and respond to complaints and inquiries in a timely manner.

If you are not satisfied with our response, you may have the right to contact:

• The Office of the Privacy Commissioner of Canada, which oversees compliance with PIPEDA; and/or
• The Information and Privacy Commissioner of Ontario, if your concern relates to matters within its jurisdiction.

Their current contact details are available on their official websites.