FORTIS Technologies, LLC ("FORTIS," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your information when you use the FORTIS construction management platform and related services (the "Service"). This policy should be read in conjunction with our Terms of Service.
1. Data Collection and Use
1.1 Categories of Data Collected
In the course of providing the Service, FORTIS collects and processes the following categories of data:
- Account Information: Name, email address, phone number, company name, job title, and billing information.
- Project Data: Construction project details, schedules, budgets, expense records, documents, photographs, plans, permits, inspection records, and related project management information you enter into the Service.
- Usage Data: Information about how you interact with the Service, including features used, pages viewed, session duration, device information, IP address, browser type, operating system, and general geographic location (city/state level).
- Communication Data: Messages, notifications, and communications sent through the Service.
- Device and Technical Data: Device identifiers, crash logs, performance data, and diagnostic information.
- AI Interaction Data: Queries, prompts, and interactions with FORTIS AI features, including the AI agent, document Q&A, and forecasting tools. AI interaction data is processed to provide responses and improve AI model performance.
1.2 Purposes of Data Collection
We collect and use your data for the following purposes:
- Providing, maintaining, and improving the Service
- Processing transactions and sending related notices
- Providing customer support and responding to inquiries
- Sending administrative messages, updates, and security alerts
- Analyzing usage patterns to improve Service functionality and user experience
- Generating Anonymized and Aggregated Data (as defined in Section 2)
- Displaying advertisements and sponsored content to Ad-Supported Tier users (as described in Section 3)
- Complying with legal obligations and enforcing our Terms
- Detecting, preventing, and addressing fraud, abuse, and security issues
1.3 Legal Bases for Processing
We process your personal data based on one or more of the following legal bases:
- Your consent (which you may withdraw at any time as described in Section 5)
- Performance of our contract with you (our Terms of Service)
- Our legitimate business interests, where not overridden by your rights
- Compliance with legal obligations
2. Data Monetization — Anonymized and Aggregated Data
IMPORTANT: This section describes how FORTIS may use anonymized and aggregated data derived from the Service. This is a key provision of this Privacy Policy, and we encourage you to read it carefully.
2.1 Definitions
"Anonymized Data" means data that has been processed using industry-standard de-identification techniques such that the data cannot reasonably be used to identify, relate to, describe, or be linked back to any individual user, company, project, or specific transaction. Anonymization methods include, but are not limited to: removal of all direct identifiers (names, email addresses, phone numbers, company names, project names, addresses); generalization of data points to categorical ranges; suppression of unique or rare data values that could enable re-identification; application of differential privacy techniques where appropriate; and k-anonymity measures ensuring no individual record is distinguishable from at least k-1 other records.
"Aggregated Data" means Anonymized Data that has been combined across multiple users, companies, or projects into statistical summaries, benchmarks, averages, trends, or indices such that no individual data point is recoverable or attributable to any specific source.
"Personal Data" has the meaning ascribed to it under applicable state and federal privacy laws, including but not limited to the Texas Data Privacy and Security Act (TDPSA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and equivalent definitions under the laws of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Utah, Virginia, and any successor federal legislation.
2.2 What We May Do with Anonymized and Aggregated Data
Subject to the limitations set forth in this Section 2, FORTIS may create, use, and commercialize Anonymized and Aggregated Data derived from the Service for the following purposes:
- Industry Benchmarking: Creating and publishing construction industry benchmarks, including but not limited to average project costs per square foot by region and building type, labor cost trends, material price indices, project timeline averages, and seasonal construction activity patterns.
- Market Intelligence Reports: Producing and selling reports on construction market trends, regional activity levels, subcontractor availability indices, and related industry analytics.
- Product Improvement: Using aggregated usage patterns and feature engagement data to improve the Service, develop new features, and optimize performance.
- Academic and Research Partnerships: Sharing Aggregated Data with academic institutions or research organizations for construction industry research, subject to written agreements requiring the recipient to maintain the data in anonymized and aggregated form.
- Advertising Optimization: Using Aggregated Data to improve the relevance and effectiveness of advertisements shown to Ad-Supported Tier users, without sharing any Personal Data with advertisers (see Section 3).
2.3 What We Will Never Do
FORTIS will NOT, under any circumstances:
- Sell, license, or share your Personal Data or identifiable project data with any third party for their own marketing, advertising, or commercial purposes
- Provide any third party with data that identifies you, your company, your projects, your clients, your subcontractors, or any individual associated with your account
- Attempt to re-identify Anonymized Data or allow any third party to do so
- Share raw, un-anonymized project data, financial records, bid amounts, or contract terms with competitors, vendors, or any third party
- Use your data to provide competitive advantages to any other user of the Service
- Sell or share data with foreign adversary nations as defined under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA)
2.4 Anonymization Standards and Safeguards
FORTIS employs the following safeguards to ensure proper anonymization:
- Technical Controls: All anonymization is performed using automated processes that strip or hash all direct and quasi-identifiers before any data leaves the FORTIS production environment. No employee or contractor has access to a process that maps anonymized data back to its source.
- Minimum Aggregation Thresholds: No data set will be published or shared externally unless it aggregates data from a minimum of fifty (50) distinct source entities (users or companies). This threshold prevents inference attacks in niche markets or regions with few active users.
- Re-identification Prohibition: FORTIS contractually prohibits all recipients of Anonymized or Aggregated Data from attempting to re-identify any individual, company, or project. Violation of this prohibition constitutes a material breach of any data-sharing agreement.
- Regular Audits: FORTIS will conduct annual reviews of its anonymization processes to ensure they remain effective against current re-identification techniques and comply with evolving legal standards.
- Data Protection Impact Assessments: Before introducing any new data monetization product or sharing arrangement, FORTIS will conduct a Data Protection Impact Assessment (DPIA) as required by applicable state privacy laws including the TDPSA (§541.105), CCPA/CPRA, and equivalent provisions in other applicable state laws.
2.5 Your Rights Regarding Data Monetization
You have the following rights regarding FORTIS's use of your data for monetization purposes:
- Opt-Out: You may opt out of having your data included in Anonymized and Aggregated Data sets at any time by contacting us at privacy@pro-fortis.com or through the in-app privacy settings. Opting out will not affect your access to or use of the Service.
- Transparency: You may request a summary of the categories of Anonymized and Aggregated Data products FORTIS has created and the categories of recipients to whom such data has been provided.
- No Penalty: FORTIS will not discriminate against you, restrict your access to the Service, or charge you a different price for exercising your opt-out right, except that you may not be eligible for certain data-derived features (such as industry benchmarking comparisons) if you opt out of data inclusion.
3. Advertising and Sponsored Content
3.1 Ad-Supported Tier
Users who subscribe to an Ad-Supported Tier will see third-party advertisements and sponsored content within the Service interface. By selecting an Ad-Supported Tier, you consent to the display of such advertisements as a condition of the reduced subscription rate.
3.2 Types of Advertising
FORTIS may display the following types of advertising within Ad-Supported Tiers:
- Display Advertisements: Banner ads, interstitial ads, and sidebar ads from third-party advertisers, including construction material suppliers, equipment vendors, insurance providers, and other industry-relevant businesses.
- Sponsored Listings: Promoted listings within vendor directories, material catalogs, or similar sections of the Service, clearly labeled as "Sponsored" or "Ad."
- Geo-Fenced Advertisements: Location-relevant advertisements displayed based on the general geographic region (city, metro area, or state level) associated with your projects or account. FORTIS does not use precise GPS coordinates for ad targeting. Geographic targeting is based on project zip codes or city-level location data you provide.
3.3 Advertising Data Practices
FORTIS adheres to the following principles regarding advertising:
- No Personal Data Sharing with Advertisers: FORTIS does not share your name, email, phone number, company name, project details, financial information, or any other Personal Data with advertisers. Advertisers receive only aggregated performance metrics (impressions, click-through rates, conversion counts).
- No Behavioral Profiling for Third Parties: FORTIS does not create behavioral profiles of individual users for sale to or use by third-party advertisers. Ad targeting is based on broad, non-identifying categories (e.g., "general contractor in Texas," "commercial construction," "residential builder").
- No Cross-Platform Tracking: FORTIS does not deploy third-party tracking pixels, cookies, or SDKs that enable advertisers to track your activity outside the FORTIS platform.
- Ad Labeling: All advertisements and sponsored content within the Service will be clearly and conspicuously labeled as "Ad," "Sponsored," or "Promoted" in compliance with FTC guidelines on endorsements and advertising disclosures.
3.4 Advertising Opt-Out and Upgrade
If you are on an Ad-Supported Tier, you may:
- Upgrade to an Ad-Free Tier at any time through your account settings. Upon upgrade, advertisements will be removed within 24 hours.
- Report inappropriate, misleading, or offensive advertisements using the in-app reporting feature.
- Adjust your advertising preferences (e.g., categories of ads you prefer to see or not see) through the in-app privacy settings, subject to availability.
4. Data Security
FORTIS implements and maintains administrative, technical, and physical safeguards designed to protect your data, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Access controls limiting employee and contractor access to Personal Data on a need-to-know basis
- Regular security assessments and penetration testing
- Incident response procedures with notification to affected users within the timeframes required by applicable law (72 hours under the TDPSA; "expeditiously" under the CCPA/CPRA; and as otherwise required by applicable state breach notification laws)
- Employee training on data handling and privacy compliance
- Secure cloud infrastructure hosted within the United States (AWS US regions)
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your Personal Data, FORTIS will notify you and applicable regulatory authorities in accordance with the breach notification requirements of all applicable state and federal laws.
5. Your Privacy Rights
FORTIS respects your privacy rights under all applicable state and federal laws. This section provides a comprehensive summary of your rights. Where state laws provide additional or differing rights, the broadest applicable right will be honored for all users regardless of their state of residence.
5.1 Rights Available to All Users
All FORTIS users, regardless of location, have the following rights:
- Right to Know / Access: You may request confirmation of whether FORTIS processes your Personal Data and obtain a copy of that data in a portable, commonly used format.
- Right to Delete: You may request deletion of your Personal Data, subject to certain exceptions (e.g., data required for legal compliance, contract performance, or fraud prevention).
- Right to Correct: You may request correction of inaccurate Personal Data.
- Right to Opt-Out of Data Sales: You may opt out of the sale of your Personal Data. Note: FORTIS does not sell Personal Data as defined under any applicable state law. We only monetize Anonymized and Aggregated Data as described in Section 2. However, we honor opt-out requests as they relate to inclusion in anonymized data sets.
- Right to Opt-Out of Targeted Advertising: You may opt out of targeted advertising. Ad-Supported Tier users may adjust advertising preferences or upgrade to an Ad-Free Tier.
- Right to Non-Discrimination: FORTIS will not discriminate against you for exercising any of your privacy rights.
5.2 State-Specific Rights
Texas (TDPSA)
Texas residents have the rights listed in Section 5.1 above. Additionally:
- FORTIS will respond to verified consumer requests within 45 days, with one 45-day extension if reasonably necessary.
- You may appeal a denial of your request by contacting privacy@pro-fortis.com. FORTIS will respond to appeals within 60 days.
- If your appeal is denied, you may file a complaint with the Texas Attorney General at texasattorneygeneral.gov.
- FORTIS recognizes universal opt-out mechanisms (e.g., Global Privacy Control signals) as valid opt-out requests as required by TDPSA §541.055.
California (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know the categories and specific pieces of Personal Data collected, the sources of collection, the business purposes, and the categories of third parties with whom data is shared.
- Right to limit the use and disclosure of Sensitive Personal Information.
- Right to opt out of "sharing" of Personal Data for cross-context behavioral advertising. Note: FORTIS does not engage in cross-context behavioral advertising.
- FORTIS will not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature in connection with the collection of Personal Data.
- FORTIS will respond to verified consumer requests within 45 days, with one 45-day extension if reasonably necessary.
- You may designate an authorized agent to submit requests on your behalf.
Colorado, Connecticut, Virginia, and Other Comprehensive State Laws
Residents of states with comprehensive privacy laws — including but not limited to Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Utah, and Virginia — are entitled to the rights described in Section 5.1 and the following:
- Right to appeal: If FORTIS denies your privacy request, you may appeal. FORTIS will respond to appeals within the timeframe required by your state's law (generally 45–60 days).
- Data Protection Impact Assessments: FORTIS conducts and maintains data protection impact assessments for processing activities that present a heightened risk of harm, including data monetization and targeted advertising, as required by applicable state laws.
- Universal opt-out mechanisms (such as Global Privacy Control) are honored where required by applicable state law.
5.3 Federal Privacy Compliance
FORTIS monitors and complies with applicable federal privacy and data protection laws, including:
- FTC Act (Section 5): FORTIS does not engage in unfair or deceptive acts or practices in the collection, use, or disclosure of data.
- Protecting Americans' Data from Foreign Adversaries Act (PADFAA): FORTIS does not sell, transfer, or share Personal Data or Aggregated Data with entities controlled by or located in foreign adversary nations (as defined in 10 U.S.C. §4872(d)).
- CAN-SPAM Act: Any commercial email communications comply with CAN-SPAM requirements, including accurate headers, clear identification as advertising, and a functional unsubscribe mechanism.
- COPPA: The Service is not directed at children under 13. FORTIS does not knowingly collect Personal Data from children under 13. If we become aware that a child under 13 has provided Personal Data, we will promptly delete it.
- Proposed Federal Legislation: FORTIS actively monitors proposed federal privacy legislation, including the SECURE Data Act (H.R. 8413, introduced April 2026), and will update this Privacy Policy as necessary to comply with any enacted federal privacy framework.
5.4 How to Exercise Your Rights
You may exercise any of the rights described in this Section 5 by:
- Emailing privacy@pro-fortis.com with the subject line "Privacy Rights Request"
- Using the in-app Privacy Settings panel (Settings > Privacy > My Data Rights)
- Calling our privacy line at (832) 608-1081
FORTIS will verify your identity before processing any request. We may ask you to confirm your account email address or provide other verification information. We will not require you to create an account solely to submit a privacy request.
5.5 Universal Opt-Out Mechanisms
FORTIS recognizes and honors browser-based and device-based universal opt-out signals, including the Global Privacy Control (GPC), as valid opt-out requests for the sale of Personal Data and targeted advertising, as required by the TDPSA, CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and other applicable state laws that mandate recognition of such signals.
6. Data Retention and Deletion
FORTIS retains your Personal Data for as long as your account is active or as needed to provide the Service. Upon account termination or deletion request:
- Personal Data will be deleted or anonymized within 30 days, except where retention is required by law, necessary for fraud prevention, or needed to resolve disputes.
- Project data you have entered into the Service will be available for export for 30 days following account termination. After 30 days, project data will be permanently deleted from active systems.
- Anonymized and Aggregated Data derived from your data prior to your deletion request will be retained, as such data is no longer Personal Data and cannot be traced back to you. This is consistent with the TDPSA, CCPA/CPRA, and other applicable state law exemptions for de-identified data.
- Backup copies of deleted data may persist in encrypted backup systems for up to 90 days before being permanently purged.
7. Third-Party Sharing and Processors
7.1 Categories of Third-Party Recipients
FORTIS may share data with the following categories of third parties, and only for the purposes described:
- Cloud Infrastructure Providers: Amazon Web Services (AWS), for hosting and data storage. Data is stored in US-based data centers.
- Payment Processors: For processing subscription payments. Payment processors receive only the data necessary to process transactions and are PCI-DSS compliant. FORTIS currently uses Stripe for payment processing.
- Accounting Integration Partners: For users on Tier 3 (Pro) who enable QuickBooks sync, FORTIS integrates with Intuit QuickBooks Online to synchronize financial data between the Service and the user's QuickBooks account. Intuit receives only the data necessary to perform the sync as authorized by the user. This integration is governed by Intuit's own Terms of Service and Privacy Policy.
- Analytics Providers: For understanding usage patterns and improving the Service. Analytics providers receive anonymized or pseudonymized data only.
- Advertising Partners (Ad-Supported Tiers only): For serving advertisements within the Service. Advertising partners receive only Aggregated Data (impression counts, click-through rates by broad category). They do NOT receive any Personal Data.
- Data Monetization Customers: Purchasers of Anonymized and Aggregated Data reports and benchmarks. These customers receive only data that meets the anonymization standards described in Section 2.4.
- Legal and Regulatory: Law enforcement or regulatory authorities, but only when required by valid legal process (subpoena, court order, or statutory obligation). FORTIS will notify you of such requests unless prohibited by law.
7.2 Data Processing Agreements
All third-party processors who handle Personal Data on behalf of FORTIS are bound by written Data Processing Agreements (DPAs) that require them to:
- Process data only as instructed by FORTIS and only for the purposes specified
- Implement appropriate technical and organizational security measures
- Not sub-process data without FORTIS's prior written consent
- Assist FORTIS in responding to consumer privacy rights requests
- Delete or return all Personal Data upon termination of the processing relationship
- Not attempt to re-identify any Anonymized or Aggregated Data
8. Cross-Border Data Transfers
FORTIS stores and processes all data within the United States using AWS infrastructure located in US regions. We do not transfer Personal Data outside the United States. If this practice changes in the future, we will update this Privacy Policy and provide appropriate safeguards as required by applicable law.
In compliance with the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), FORTIS does not sell, license, or otherwise make available Personal Data or Aggregated Data to any entity that is controlled by a foreign adversary nation, as defined under 10 U.S.C. §4872(d).
9. Changes to This Privacy Policy
FORTIS reserves the right to modify this Privacy Policy at any time. We will provide notice of material changes by:
- Posting the updated Privacy Policy on our website with a revised "Last Updated" date
- Sending an email notification to the address associated with your account
- Displaying a prominent notice within the Service
For material changes affecting data monetization practices (Section 2), advertising practices (Section 3), or privacy rights (Section 5), FORTIS will provide at least 30 days' advance notice before the changes take effect. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
10. Contact Information
For questions about this Privacy Policy, privacy practices, or to exercise your data rights:
FORTIS Technologies, LLC
Email: privacy@pro-fortis.com
General Inquiries: info@pro-fortis.com
Legal: legal@pro-fortis.com
Phone: (832) 608-1081
Address: 6422 Rolla St, Houston, TX 77055
Appendix A: State Privacy Law Compliance Matrix
The following table summarizes FORTIS's compliance posture across all 20 states with active comprehensive privacy laws as of May 2026. This appendix is for reference and does not modify the Privacy Policy above.
| State (Law) | Effective Date | Key Thresholds | FORTIS Compliance |
| --- | --- | --- | --- |
| California (CCPA/CPRA) | Jan 2020 / Jan 2023 | $25M+ rev or 100K consumers | Full compliance; GPC honored |
| Colorado (CPA) | Jul 2023 | 100K consumers or 25K + revenue from data sales | Full compliance; GPC honored |
| Connecticut (CTDPA) | Jul 2023 | 100K consumers or 25K + revenue from data sales | Full compliance; GPC honored |
| Delaware (DPDPA) | Jan 2025 | 35K consumers or 10K + 20% revenue | Full compliance |
| Florida (FDBR) | Jul 2024 | $1B+ rev (specific digital businesses) | Monitored; below threshold |
| Indiana (ICDPA) | Jan 2026 | 100K consumers or 25K + 50% revenue | Full compliance |
| Iowa (ICDPA) | Jan 2025 | 100K consumers or 25K + 50% revenue | Full compliance |
| Kentucky (KCDPA) | Jan 2026 | 100K consumers or 25K + 50% revenue | Full compliance |
| Maryland (MODPA) | Oct 2025 | 35K consumers or 10K + revenue | Full compliance |
| Minnesota (MCDPA) | Jul 2025 | 100K consumers or 25K + 25% revenue | Full compliance |
| Montana (MCDPA) | Oct 2024 | 50K consumers (no revenue test) | Full compliance |
| Nebraska (NDPA) | Jan 2025 | All businesses processing NE consumer data | Full compliance |
| New Hampshire (NHPA) | Jan 2025 | 35K consumers or 10K + 25% revenue | Full compliance |
| New Jersey (NJDPA) | Jan 2025 | 100K consumers or 25K + revenue | Full compliance |
| Oregon (OCPA) | Jul 2024 | 100K consumers or 25K + 25% revenue | Full compliance; GPC honored |
| Rhode Island (RIDPA) | Jan 2026 | 35K consumers or 10K + 20% revenue | Full compliance |
| Tennessee (TIPA) | Jul 2025 | $25M+ rev and 175K consumers | Full compliance |
| Texas (TDPSA) | Jul 2024 | No revenue threshold; applies broadly | Full compliance; GPC honored; TRAIGA compliant |
| Utah (UCPA) | Dec 2023 | $25M+ rev and 100K consumers or 25K + 50% revenue | Full compliance |
| Virginia (VCDPA) | Jan 2023 | 100K consumers or 25K + 50% revenue | Full compliance |
Appendix B: Data Monetization Transparency Report Template
In accordance with our commitment to transparency (Section 2.5), FORTIS will publish an annual Data Monetization Transparency Report containing the following information:
- Categories of Anonymized and Aggregated Data products created during the reporting period
- Number of distinct data product offerings
- Categories of recipients who purchased or received Aggregated Data
- Number of consumer opt-out requests received and honored
- Summary of Data Protection Impact Assessments conducted
- Summary of anonymization audit results
- Any material changes to data monetization practices
The first Transparency Report will be published within 12 months of the launch of any data monetization product.