This User Agreement (the "Agreement") governs your access to and use of Simplify Inventory Management System (the "Service") operated by QC Analytics, LLC, a New Jersey limited liability company ("QC Analytics," "we," "us," or "our"). By creating an account, accepting an invitation, or otherwise accessing the Service, you agree to this Agreement. If you do not agree, do not use the Service.

Effective date: 2026-05-28
Version: 3.0

1. Acceptance and authority

If you are using the Service on behalf of an organization (your "Organization"), you represent that you have authority to bind that Organization to this Agreement and that "you" includes that Organization. This Agreement is in addition to, and not in place of, the QC Analytics Privacy Policy and any written master services agreement, order form, or similar contract between QC Analytics and the Organization, which controls in case of conflict.

2. Definitions

• "Customer Data" means data, content, and materials that you, your Organization, or your authorized users submit to or generate through the Service, excluding Aggregated Data and Service-generated metadata.
• "Aggregated Data" means de-identified, aggregated, or statistical data derived by us from Customer Data or other sources, in a form that does not identify you, your Organization, or any individual.
• "Authorized User" means an individual the Organization invites to use the Service, including admins, members, and vendor-portal users.
• "Fees" means amounts owed for the Service under an order form, subscription, or invoice we issue.
• "Education Customer" means an Organization that is a public-school district, charter school, non-public school, board of education, intermediate unit, educational service commission, college, or university, or any other agency or institution subject to the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) or the New Jersey Student Online Personal Information Protection Act (N.J.S.A. 18A:36-35.1 et seq., "NJSOPIPA").
• "Student Information" means any personally identifiable information about a K-12 student that constitutes an "education record" under FERPA or "student personal information" under NJSOPIPA.

3. The Service

We will provide the Service in accordance with this Agreement and the documentation we publish. We may modify, improve, suspend, or discontinue features of the Service from time to time. We will use commercially reasonable efforts to give advance notice of materially adverse changes.

4. Accounts and Authorized Users

You are responsible for: (a) the activity of your Authorized Users; (b) maintaining the confidentiality of credentials; (c) promptly notifying us of any suspected unauthorized access; and (d) ensuring Authorized Users comply with this Agreement.

5. Permitted use

You may use the Service for your internal business operations. You will not, and will not permit any Authorized User to:

• use the Service in violation of law or third-party rights;
• reverse engineer, decompile, or attempt to derive source code from the Service, except to the extent expressly permitted by applicable law;
• resell, sublicense, or make the Service available to third parties outside the Organization;
• introduce malware, scrape at abusive rates, or interfere with the integrity, performance, or security of the Service;
• use the Service to build a competing product or to benchmark for competitive purposes without our prior written consent;
• upload data you do not have the right to share, including payment card numbers, social-security numbers, government IDs, protected health information, K-12 student records (see Section 20), or data of children under 13.

6. Customer Data

6.1 Ownership

As between you and us, you retain all right, title, and interest in Customer Data. You grant QC Analytics a worldwide, non-exclusive license to host, copy, transmit, display, process, and create derivative works of Customer Data solely to (a) provide and improve the Service; (b) prevent or address technical or security issues; (c) comply with law; and (d) generate Aggregated Data.

6.2 Aggregated Data

We may create Aggregated Data and use it for any lawful purpose, including benchmarking, analytics, product development, and training of machine-learning and artificial-intelligence systems, during and after the term. Aggregated Data is not Customer Data and does not include Student Information in any form. We do not train AI or ML systems on identifiable Customer Data and never on Student Information, whether identifiable or aggregated.

6.3 No expectation of privacy in stored data

Customer Data is stored on infrastructure operated by us and our subprocessors and may be accessed by us as needed to operate, secure, and support the Service or to comply with law. You have no expectation of privacy against QC Analytics in Customer Data that you choose to submit to the Service.

6.4 Marketing license

You grant us a limited, non-exclusive, royalty-free license to use the Organization's name and logo to identify you as a customer on our website, in customer lists, and in marketing materials, in accordance with any brand guidelines you provide. You may revoke this license at any time by emailing legal@qcanalytics.com. Education Customers: see Section 20.5 for an additional opt-out.

7. Service levels

We will use commercially reasonable efforts to make the Service available with a target monthly uptime of 99.0%, excluding planned maintenance windows, force majeure events, and issues caused by factors outside our reasonable control (including failures of third-party infrastructure, your network, or your equipment). Unless an order form expressly says otherwise, this target is a service objective and not a service-level commitment that gives rise to credits or refunds.

8. Security

We will maintain administrative, technical, and physical safeguards designed to protect Customer Data in line with current industry practice for software-as-a-service offerings of similar scale. These include transport encryption (TLS 1.2+), encryption at rest by our hosting provider (AES-256 by AWS), role-based access controls, tenant-isolating row-level security in the database, multi-factor authentication for administrative access, least-privilege production access, append-only audit logging, automated dependency vulnerability scanning, secret scanning, and static analysis. We update these safeguards from time to time; we will not materially weaken them during the term.

9. Hosting and data residency

Customer Data is hosted by Supabase, Inc., which operates its production infrastructure on Amazon Web Services in the AWS us-east-1 region (Northern Virginia, United States). All Customer Data, all primary backups, and all routine processing occur within the continental United States. The Service is operated, monitored, and supported from the United States. We will not transfer Customer Data outside the United States without prior written notice to affected Customers.

10. Data-breach notification

If we determine that a security incident has resulted in unauthorized access to or acquisition of Customer Data, we will notify the affected Customer without undue delay and, in any event, within seventy-two (72) hours after we confirm the incident's scope, by email to the Customer's administrative contacts. Our notice will include, to the extent known at the time: a description of the incident, the categories of data and individuals affected, the actions we have taken or plan to take, and any actions we recommend the Customer take. We will cooperate in good faith with the Customer's downstream notification obligations, including those under the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) and FERPA.

11. Beta and preview features

We may make features available as "beta," "preview," or similar ("Preview Features"). Preview Features are provided AS IS, may be unstable, and may be modified or removed at any time. The service levels in Section 7 and the warranties in Section 15 do not apply to Preview Features.

12. Confidentiality

Each party will protect the other party's non-public business and technical information disclosed under this Agreement ("Confidential Information") using at least the same degree of care it uses for its own confidential information of similar importance, and in any event no less than reasonable care. Confidential Information does not include information that is public through no fault of the receiving party, was independently developed, or was rightfully obtained from a third party.

13. Privacy

Our processing of personal information is described in the Privacy Policy. By using the Service, you agree to that processing.

14. Export and termination

You may export Customer Data at any time during the term using features we provide. Within ninety (90) days after termination, we will delete or return Customer Data, except to the extent retention is required for backups, audit logs, or legal compliance. Backup copies are encrypted and rotated out of storage within thirty-five (35) days in the ordinary course.

15. Disclaimers

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY LAW, QC ANALYTICS DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, OR THAT DEFECTS WILL BE CORRECTED.

16. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW: (A) NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, LOSS OF GOODWILL, OR LOSS OF DATA; AND (B) EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE GREATER OF (I) THE FEES YOU PAID OR OWE US UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY OR (II) ONE HUNDRED U.S. DOLLARS (US$100). THESE LIMITATIONS APPLY REGARDLESS OF THE BASIS OF LIABILITY AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

The foregoing limits do not apply to a party's indemnification obligations, breach of confidentiality, fraud, willful misconduct, or amounts you owe under Section 18 (Fees).

17. Mutual indemnification

Each party will defend and indemnify the other against third- party claims to the extent caused by (a) the indemnifying party's gross negligence or willful misconduct, or (b) for QC Analytics, an allegation that the unmodified Service infringes a third party's U.S. intellectual property rights, or, for you, your violation of Section 5 (Permitted Use), Section 6 (Customer Data), or Section 20 (Education Customers). The indemnified party must promptly notify the indemnifying party in writing, cooperate at the indemnifying party's expense, and not settle without prior written consent (which will not be unreasonably withheld).

18. Fees and taxes

Fees are stated on the applicable order form or invoice. Fees are due net thirty (30) days after invoice date unless otherwise agreed. Late amounts accrue interest at 1.0% per month or the highest rate allowed by law, whichever is lower. Fees are exclusive of taxes; you are responsible for all taxes other than taxes on our income. Fees are non-refundable except as expressly stated in this Agreement.

19. Term, termination, and suspension

This Agreement starts when you first accept it and continues until terminated. Either party may terminate for material breach that is not cured within thirty (30) days after written notice. We may suspend the Service immediately if your use poses a security or legal risk to us or our other customers, or if your account is more than thirty (30) days past due. On termination, your access ends, all licenses cease, and the parties' rights to amounts accrued before termination survive.

20. Education Customers (FERPA & NJSOPIPA)

This Section applies in addition to the rest of the Agreement whenever the Organization is an Education Customer. Where this Section conflicts with another provision of the Agreement with respect to Student Information, this Section controls.

20.1 Scope and intent

The Service is designed for facilities, custodial, and procurement workflows. It does not request, require, or display Student Information. The Education Customer agrees not to upload Student Information to the Service except as strictly necessary to perform an operational task (for example, a teacher's name as the occupant of a classroom). If Student Information is nonetheless submitted, the commitments in this Section govern its handling.

20.2 FERPA — school-official designation

To the extent Student Information passes through the Service, QC Analytics acts as a "school official with a legitimate educational interest" for the Education Customer under 34 C.F.R. § 99.31(a)(1)(i)(B), under the direct control of the Education Customer with respect to the use and maintenance of education records. QC Analytics will (a) use Student Information only for the purpose for which the disclosure was made, (b) not re-disclose Student Information to any third party except as permitted by FERPA or expressly authorized by the Education Customer, and (c) comply with reasonable written instructions from the Education Customer regarding the use and protection of Student Information.

20.3 NJSOPIPA — operator commitments

QC Analytics acts as an "operator" within the meaning of NJSOPIPA with respect to any Student Information that passes through the Service. QC Analytics will:

• not engage in targeted advertising to students or to any individual based on information acquired through the Service;
• not use information acquired through the Service to amass a profile about a student except in furtherance of legitimate K-12 purposes for the Education Customer;
• not sell or rent Student Information;
• not disclose Student Information except as expressly permitted by NJSOPIPA or by this Agreement;
• maintain reasonable security procedures and practices appropriate to the nature of Student Information;
• delete Student Information at the Education Customer's request within a reasonable time and in any case within ninety (90) days, except where retention is required by law.

20.4 No advertising

The Service contains no advertising of any kind to any user, and we do not allow our subprocessors to use Customer Data or Student Information for advertising. We will not modify the Service to introduce advertising directed to students.

20.5 Marketing-license carve-out for Education Customers

Notwithstanding Section 6.4, we will not use an Education Customer's name, logo, or any identifying information in marketing materials without that Education Customer's prior written consent, which the Education Customer may revoke at any time by email to legal@qcanalytics.com.

20.6 Aggregated Data and AI

Aggregated Data created from an Education Customer's data does not include Student Information. We do not train AI or ML systems on Student Information in any form, identifiable or otherwise. We do not train AI or ML systems on identifiable Customer Data from any Customer.

20.7 Cooperation with district requests

We will cooperate in good faith with the Education Customer's data-subject requests, audit requests, and similar inquiries from parents or eligible students under FERPA and NJSOPIPA, including by providing access to Customer Data on the Education Customer's written request and within the time required by law.

21. Change of control and assignment

Neither party may assign this Agreement without the other's prior written consent, except that either party may assign without consent to a successor in a merger, acquisition, or sale of substantially all of its assets, provided the successor assumes the obligations of this Agreement. Any other purported assignment is void.

22. Force majeure

Neither party will be liable for delay or failure to perform (other than payment obligations) caused by events beyond its reasonable control, including acts of God, internet or utility outages, labor disputes, government action, war, terrorism, public-health emergencies, and infrastructure failures of third-party providers.

23. Modifications to this Agreement

We may update this Agreement from time to time. For material changes, we will notify you via in-product banner or email at least thirty (30) days before the change takes effect. Continued use after the effective date constitutes acceptance. If you do not agree, you may terminate by ceasing to use the Service.

24. Notices

Notices to QC Analytics must be sent to legal@qcanalytics.com with a copy by certified mail to our principal place of business. We may send you notices through the email associated with your account or via in-product notification, and such notice is deemed given when sent.

25. Governing law, venue, and jury waiver

This Agreement is governed by the laws of the State of New Jersey, excluding its conflict-of-laws principles. The exclusive venue for any dispute is the state or federal courts located in Mercer County, New Jersey, and the parties consent to personal jurisdiction in those courts. Each party waives any right to a jury trial to the maximum extent permitted by law.

26. Electronic signatures and records

Both parties consent to use electronic signatures and to receive records electronically. A click-through, in-product acceptance, or email confirmation constitutes a valid and binding signature.

27. Severability and waiver

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions remain in full force and effect. A failure or delay in enforcing any right is not a waiver of that right.

28. Survival

Sections that by their nature should survive termination — including Sections 6 (Customer Data), 10 (Breach Notification), 12 (Confidentiality), 15 (Disclaimers), 16 (Liability), 17 (Indemnification), 18 (Fees), 20 (Education Customers), 25 (Governing Law), 27 (Severability), and 28 (Survival) — will survive.

29. Entire agreement

This Agreement, together with the Privacy Policy and any order forms or master services agreement we have signed with you, is the entire agreement between the parties on the subject matter and supersedes all prior or contemporaneous understandings. In case of conflict, the order of precedence is: (a) any signed master services agreement, (b) any signed order form, (c) this Agreement, (d) the Privacy Policy.

30. Contact