This Privacy Policy explains how QC Analytics, LLC ("QC Analytics," "we," "us," or "our"), a New Jersey limited liability company, collects, uses, shares, and protects personal information when you visit our websites, use the Simplify Inventory Management System, or otherwise interact with us. By using the Service you agree to this Policy.

Effective date: 2026-05-28
Version: 3.0

1. Scope

This Policy applies to (a) the Simplify Inventory Management System and any related mobile or vendor portal experience (collectively, the "Service"), (b) marketing websites we operate, and (c) emails, support interactions, and similar communications. It does not govern personal information that you submit on behalf of an organization (a "Customer") that uses the Service — that is Customer Data and is processed under the User Agreement and our written agreements with the Customer.

2. Information we collect

2.1 Information you give us

  • Account information: name, work email, role, organization, and (when relevant) phone number.
  • Authentication information: password hashes, multi-factor secrets, and session tokens managed by our identity provider.
  • Support content: feedback, screenshots, files, and messages you submit through bug reports or support channels.

2.2 Information we collect automatically

  • Usage: pages and features used, actions taken, timestamps, and performance metrics.
  • Device and log: IP address, browser/OS, device identifiers, referrer, and approximate location derived from IP.
  • Cookies and similar technologies: we use strictly-necessary cookies to keep you signed in and to remember preferences; functional cookies for theme and layout; and limited analytics cookies to understand how the Service is used.
  • Error telemetry: stack traces and contextual breadcrumbs sent to Sentry to diagnose crashes. We scrub known sensitive fields before transmission.

2.3 Customer Data

Customers submit data to the Service in the ordinary course of inventory and purchasing — product records, supplier details, inventory counts, quote requests, purchase orders, photos, and similar content. We process Customer Data on the Customer's instructions and pursuant to the User Agreement and applicable data-processing terms. Where this Policy conflicts with the User Agreement as to Customer Data, the User Agreement controls.

2.4 What we do not collect

The Service is designed for facilities, custodial, and procurement workflows. It does not request or require, and we do not knowingly collect:

  • K-12 student records of any kind (names, identifiers, grades, attendance, schedules, discipline, biometrics, location);
  • protected health information ("PHI") subject to HIPAA;
  • payment card numbers (we use no card-data processor);
  • Social Security numbers, driver's-license numbers, or other government-issued identifiers;
  • information from children under 13.

If a Customer inadvertently uploads any of the above, please contact us so we can remove it. See also Section 11 (Use by educational institutions).

3. How we use information

We use information to:

  • provide, secure, maintain, and improve the Service;
  • create accounts and authenticate users;
  • diagnose problems, prevent abuse, and enforce our terms;
  • communicate with you about product updates, security advisories, and other transactional messages;
  • provide customer support and respond to inquiries;
  • generate aggregated, statistical, and de-identified insights that do not identify any individual or Customer;
  • comply with legal obligations and exercise legal rights.

4. Aggregated, de-identified, and AI-related uses

We may create aggregated or de-identified data from any information we hold and use it for any lawful purpose, including benchmarking, product development, training of machine-learning and artificial-intelligence systems, and external publication. Such data does not identify you or any Customer and is not personal information. We do not train AI or ML systems on any individual's identifiable personal information, on Customer Data in identifiable form, or on any information we have classified as student personal information.

5. Sharing

We share information only as described in this Policy:

  • With your organization: when you use the Service as part of a Customer, administrators of that Customer can see your activity, role, and contributions within their tenant.
  • With service providers (subprocessors): we engage trusted vendors to host, secure, and operate the Service under written contracts that restrict their use of personal information to providing services to us. See Section 6.
  • For legal reasons: we may disclose information when we have a good-faith belief that disclosure is required to comply with law, valid legal process, or protect rights, property, or safety.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality protections.

We do not sell personal information for money or other valuable consideration. We do not share personal information for cross-context behavioral advertising. We do not engage in targeted advertising and we do not allow our subprocessors to use Customer Data for advertising of any kind.

6. Subprocessors

We currently use the following subprocessors. We update this list when it changes:

  • Supabase, Inc. (Delaware, USA) — managed Postgres database, object storage, and authentication. Supabase operates its production infrastructure on Amazon Web Services, Inc. ("AWS") in the us-east-1 region (Northern Virginia, United States); AWS is therefore a sub-subprocessor for compute, storage, and network services underlying our Postgres instance.
  • Netlify, Inc. (California, USA) — application hosting, edge networking, and serverless functions. Netlify operates its production infrastructure on AWS in the United States.
  • Twilio SendGrid, Inc. (Colorado/Delaware, USA) — transactional email delivery.
  • Functional Software, Inc. d/b/a Sentry (California, USA) — error and performance telemetry, with PII-scrubbing applied client-side before transmission.

All subprocessors named above operate primarily within the United States and Customer Data at rest is stored within the continental United States. A Customer that requires advance notice of a new subprocessor or a change in sub-subprocessor location may request such notice in writing; we will provide at least thirty (30) days' notice where commercially practicable.

7. Hosting and data residency

Customer Data is hosted by Supabase, Inc., which operates its production infrastructure on Amazon Web Services in the AWS us-east-1 region (Northern Virginia, United States). All Customer Data, all primary backups, and all routine processing occur within the continental United States. The Service is operated, monitored, and supported from the United States. We do not move Customer Data outside the United States in the ordinary course; if a future engineering or compliance need ever required cross-border processing, we would update this Policy and notify Customers in advance.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • transport encryption (TLS 1.2+) for all network traffic;
  • encryption of data at rest by our hosting provider (AES-256 by AWS);
  • role-based access controls and database row-level security so each Customer's data is isolated by tenant;
  • multi-factor authentication for administrative access;
  • least-privilege production access for the engineering team;
  • append-only audit logging of security-relevant events;
  • automated dependency vulnerability scanning, secret scanning, and static analysis on every code change;
  • annual review of our security practices and prompt patching of high-severity vulnerabilities.

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

9. Data-breach notification

If we determine that a security incident has resulted in unauthorized access to or acquisition of personal information, we will notify affected Customers without undue delay and, in any event, within seventy-two (72) hours after we confirm the incident's scope. Our notice will include, to the extent known at the time: a description of the incident, the categories of data and individuals affected, the actions we have taken or plan to take, and any actions we recommend the Customer take. We will also notify applicable regulators and individuals where required by law, including under the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163). For Customer Data, we will coordinate downstream notice to data subjects with the affected Customer in accordance with the User Agreement.

10. Data retention

We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Customer Data retention is governed by the User Agreement. When a Customer's account is terminated, we will delete or return Customer Data within ninety (90) days, except to the extent retention is required for backups, audit logs, or legal compliance. Backup copies are encrypted at rest and rotated out within thirty-five (35) days under normal operation.

11. Use by educational institutions (FERPA & NJSOPIPA)

The Service is designed for facilities, custodial, and procurement workflows. It does not solicit or require K-12 student records, and we do not knowingly collect them (see Section 2.4). Some QC Analytics Customers are public-school districts and other educational institutions in New Jersey and elsewhere. The commitments in this Section apply to all such Customers and prevail over any conflicting language elsewhere in this Policy with respect to student personal information.

11.1 FERPA — school-official designation

To the extent any K-12 "education record" within the meaning of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) ever passes through the Service, QC Analytics acts as a "school official with a legitimate educational interest" for the relevant educational agency or institution under 34 C.F.R. § 99.31(a)(1)(i)(B). In that capacity, we agree to (a) act under the direct control of the educational institution with respect to the use and maintenance of education records, (b) use such records only for the purposes for which the disclosure was made, and (c) not re-disclose such records except as permitted by FERPA or as expressly authorized by the educational institution.

11.2 NJSOPIPA — operator commitments

For New Jersey K-12 districts and any other educational institution to which the New Jersey Student Online Personal Information Protection Act (N.J.S.A. 18A:36-35.1 to -35.6, "NJSOPIPA") applies, QC Analytics acts as an "operator" with respect to any student personal information that may incidentally pass through the Service, and commits to:

  • not engage in targeted advertising to students or to any individual based on information acquired through the Service;
  • not use information acquired through the Service to amass a profile about a student except in furtherance of legitimate K-12 purposes for the Customer;
  • not sell or rent student personal information;
  • not disclose student personal information except as expressly permitted by NJSOPIPA;
  • maintain reasonable security procedures and practices appropriate to the nature of student personal information;
  • delete student personal information at the Customer's request within a reasonable time and in any case within ninety (90) days, except where retention is required by law.

11.3 COPPA

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If an educational institution authorizes use of the Service in a manner that could expose information from children under 13, it represents that it has obtained any consents required by the Children's Online Privacy Protection Act (15 U.S.C. § 6501) and the FTC's COPPA Rule (16 C.F.R. Part 312), including in reliance on the school-consent exception where applicable.

11.4 PPRA and CIPA

We do not administer surveys or collect protected categories of information that would invoke the Protection of Pupil Rights Amendment (20 U.S.C. § 1232h). We do not provide internet-access filtering and do not represent ourselves as a "technology protection measure" under the Children's Internet Protection Act.

12. International transfers

We operate primarily in the United States and store Customer Data in the United States (see Section 7). If you access the Service from outside the U.S., your information will be transferred to and processed in the United States. We use appropriate safeguards (such as Standard Contractual Clauses) where required.

13. Your privacy rights

13.1 Rights under U.S. state laws

If you are a resident of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, or another U.S. state that grants you privacy rights, you may have the right to:

  • request access to the personal information we hold about you;
  • request correction of inaccurate personal information;
  • request deletion of your personal information, subject to exceptions allowed by law;
  • opt out of "sales" or "sharing" for cross-context behavioral advertising (we do not engage in either);
  • opt out of certain automated decision-making (we do not engage in profiling that produces legal or similarly significant effects);
  • appeal a denial of a request;
  • not be discriminated against for exercising these rights.

For Customer Data submitted by your employer or another organization, please direct your request to that organization first; we act as a service provider/processor and will assist them in responding.

13.2 Rights under GDPR / UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you may have additional rights including the right to object to processing, the right to data portability, and the right to lodge a complaint with a supervisory authority. Our legal bases for processing are: performance of a contract, our legitimate interests in operating and securing the Service, your consent (where applicable), and compliance with law.

13.3 How to exercise your rights

Submit a request to privacy@qcanalytics.com. We will verify your identity using information already associated with your account and respond within the time required by applicable law (typically 30 to 45 days).

14. Marketing communications

We send transactional and service-related messages to your account email regardless of marketing preferences. You may opt out of marketing messages at any time using the unsubscribe link in any marketing email.

15. Do Not Track

The Service does not respond to Do-Not-Track signals because no consistent industry standard for these signals exists.

16. Changes to this Policy

We may update this Policy from time to time. When we do, we will post the new version with an updated effective date and, for material changes, notify users via in-product banner or email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

17. Survival

Provisions that by their nature should survive termination of your use of the Service — including provisions on data retention for backups and legal compliance, governing law, and indemnification — will survive termination.

18. Governing law and venue

This Policy is governed by the laws of the State of New Jersey, excluding its conflict-of-laws principles. The exclusive venue for any dispute arising out of or relating to this Policy is the state or federal courts located in Mercer County, New Jersey, and the parties consent to personal jurisdiction in those courts. Each party waives any right to a jury trial to the maximum extent permitted by law.

19. Contact us

QC Analytics, LLC
Attn: Privacy
Email: privacy@qcanalytics.com
Mailing address: available upon written request.