1. Information We Collect

Account Information

When you create an account on ControlCom Connect, we collect your name, email address, organization name, and role. If you enable SMS-based multi-factor authentication (MFA), we also collect your phone number.

IoT and Device Data

Our platform collects and processes data from IoT devices connected to your organization's account, including sensor readings, telemetry data, device state information, alarm configurations, and historical data points. This data is scoped to your organization and is necessary to provide our monitoring and alerting services.

Mobile App Data

When you use the ControlCom Connect mobile app, we collect device push notification tokens (to deliver alarm alerts), device platform information (iOS or Android), and device trust tokens (to remember trusted devices for MFA). Push notification tokens are only collected with your explicit permission.

Authentication Data

We use JSON Web Tokens (JWT) for session management, MFA verification codes (delivered via email or SMS), and trusted device cookies (stored for up to 30 days) to secure your account. Passwords are hashed using bcrypt and are never stored in plain text.

Usage and Log Data

We automatically collect standard log data when you interact with our services, including IP addresses, browser type, device type, pages visited, timestamps, and referring URLs. This data is used for security monitoring, troubleshooting, and service improvement.

Cookies

Our web platform uses cookies for authentication session management, device trust verification, and user preference storage (such as theme settings). We do not use cookies for advertising or third-party tracking.

2. How We Use Your Information

We use the information we collect to:

• Operate and maintain the ControlCom Connect platform and mobile app
• Deliver real-time alerts, alarm notifications, and push notifications about your infrastructure
• Authenticate your identity and secure your account via MFA and device trust
• Process and display IoT sensor data, dashboards, and historical reports
• Provide multi-tenant organization management and role-based access control
• Improve our services, fix bugs, and develop new features
• Communicate with you about your account, service updates, and security notices
• Comply with legal obligations and enforce our terms of service

3. Data Storage and Security

Your data is stored on Amazon Web Services (AWS) infrastructure located in the United States. We implement industry-standard security measures including:

• Encryption at rest and in transit (TLS/SSL)
• Multi-tenant data isolation — each organization's data is logically separated
• Role-based access control (Administrator, Editor, View roles)
• Hashed passwords and encrypted authentication tokens
• Secure credential storage on mobile devices using platform-native secure storage

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

4. Third-Party Services

We use the following third-party services to operate our platform. These providers may process your data as described:

• Amazon Web Services (AWS) — Cloud hosting, data storage (S3), IoT device management (IoT Core), serverless computing (Lambda), and monitoring (CloudWatch)
• Twilio — SMS delivery for multi-factor authentication codes
• Apple Push Notification Service (APNs) — Delivery of push notifications to iOS devices

Each third-party service operates under its own privacy policy. We only share the minimum data necessary for these services to function.

5. Data Sharing

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

• Service providers: With third-party vendors who assist in operating our platform (as described in Section 4), bound by confidentiality obligations
• Organization members: Account and IoT data is shared with other members of your organization based on their assigned role and permissions
• Legal requirements: When required by law, court order, or governmental regulation
• Safety: To protect the rights, safety, or property of ControlCom, our users, or the public

6. Data Retention

• Account data is retained for as long as your account is active or as needed to provide services
• IoT and sensor datais retained according to your organization's configured retention settings
• Push notification tokens are automatically deactivated when a device unregisters or a token becomes invalid
• Trusted device records expire after 30 days and are then removed
• MFA codes are temporary and expire after 15 minutes

7. Your Rights

General Rights

Regardless of your location, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate data
• Request deletion of your data (subject to the conditions in Section 8)
• Withdraw consent for optional data processing (such as push notifications)

European Economic Area (EEA) Residents — GDPR

If you are in the EEA, you additionally have the right to:

• Data portability — receive your data in a structured, machine-readable format
• Restriction of processing
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority

Our legal basis for processing includes: performance of a contract (providing the platform), consent (push notifications, SMS MFA), legitimate interests (security, service improvement), and legal compliance.

California Residents — CCPA

If you are a California resident, you have the right to:

• Know what personal information is collected and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

8. Data Deletion

If you are a ControlCom Connect customer and wish to have your data deleted from our platform, you may request data removal by contacting us at support@controlcomtech.com.

Please note that data deletion requests can only be processed if no data has been sent to the ControlCom Connect platform in the past 30 days. This requirement ensures data integrity and allows us to complete any pending processing or compliance obligations. Once your request is verified and the 30-day condition is met, we will proceed with the removal of your data from our systems.

9. Push Notifications

The ControlCom Connect mobile app may send push notifications for alarm alerts and system events. Push notifications require your explicit opt-in consent. You can disable push notifications at any time through your device's system settings. Disabling notifications will not affect other functionality of the app.

10. Children's Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@controlcomtech.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our website and updating the effective date. For significant changes, we may also notify you via email or through the ControlCom Connect platform.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

• Email: support@controlcomtech.com
• Website: www.controlcomtech.com