Worxstream Privacy Policy

Last updated: July 3, 2026

This Privacy Policy describes how Atlas Tech Ventures ("Worxstream," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our websites (including worxstream.ai), our cloud-based order-to-cash software platform, mobile applications, and related services (collectively, the "Services"). This Policy applies to information we collect as a data controller — such as information about visitors to our website, prospective customers, and the business contact information of our customers' Users. It does not govern our processing of Customer Data on behalf of our customers. Important — Customer Data: When our customers (typically HVAC and trades businesses) use the Services to store and manage information about their customers — such as homeowner contact details, estimates, invoices, signed documents, and payment records — Worxstream processes that information as a service provider / data processor on the customer's behalf, under our Terms of Service and Data Processing Addendum. If you are an end customer of a business that uses Worxstream, please direct privacy inquiries to that business; we will refer any request we receive to the relevant business where appropriate.

1. INFORMATION WE COLLECT

1.1 Information You Provide. Account and registration information: name, business name, email address, phone number, job title, username, and password when you create an account or execute an Order Form. Billing information: billing address, payment card or bank details (collected and processed by our third-party payment processors — we do not store full card numbers), tax identifiers, and transaction history. Communications: information you provide when you contact support, request a demo, respond to surveys, participate in webinars or beta programs, or otherwise communicate with us. Marketing information: preferences, interests, and information submitted through forms on our websites. Signature-related information: if you sign a document through WorxSign at the request of one of our customers, we process your name, email address, signature, IP address, and audit trail data (timestamps, device information) on behalf of that customer to create a completion record.

1.2 Information Collected Automatically. When you use the Services or visit our websites, we automatically collect: Usage data: features accessed, pages viewed, actions taken, time spent, click paths, and interactions with AI Features. Device and connection data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language settings. Log data: access times, error logs, and referring URLs. Cookies and similar technologies: as described in Section 7. Approximate location: derived from IP address, used for security, fraud prevention, and regional customization. We do not collect precise GPS location unless you enable a feature that requires it (such as job-site mapping in mobile apps), in which case we will request permission first.

1.3 Information from Third Parties. We may receive information from: Third-party integrations you connect to the Services (e.g., accounting software, payment processors, calendar and email providers, mapping and solar data APIs), limited to the scopes you authorize. Service providers and partners, such as analytics providers, marketing platforms, and lead enrichment services. Publicly available sources, such as business directories and company websites, for sales and marketing purposes.

2. HOW WE USE INFORMATION

We use personal information to: Provide and operate the Services, including account creation, authentication, order-to-cash workflows, e-signature processing, payments facilitation, and customer support; Process transactions and send related information, including invoices, receipts, and renewal notices; Communicate with you, including service announcements, security alerts, technical notices, and administrative messages; Market our Services, including sending promotional communications (subject to your opt-out rights) and personalizing content and advertising; Improve and develop the Services, including analyzing usage trends, debugging, and developing new features; Power AI Features, such as the Operator intelligence layer, estimate intelligence, and anomaly detection — using aggregated and de-identified data for model improvement as described in our Terms of Service; Ensure security and prevent fraud, including monitoring for unauthorized access, abuse, and violations of our Terms; Comply with legal obligations, including tax, accounting, and regulatory requirements; and Enforce our agreements and protect our legal rights.

Where required by law (such as under the GDPR for users in the EEA or UK), we rely on the following legal bases: performance of a contract, legitimate interests, consent, and compliance with legal obligations.

3. HOW WE SHARE INFORMATION

We do not sell personal information for money. We share personal information only as follows: Service providers: vendors that perform services on our behalf, including cloud hosting and storage providers, payment processors, SMS and email delivery providers, analytics providers, customer support tools, and security services. These providers are contractually bound to use information only to provide services to us. Third-party integrations: when you or your organization connects a third-party service to Worxstream, we share information with that service as directed by you. The third party's own privacy policy governs its use of that information. Within your organization: account administrators may access information about Users under their account, including usage activity. Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred, subject to standard confidentiality protections. Legal requirements: when required by law, subpoena, or legal process, or when we believe disclosure is necessary to protect rights, safety, or property, or to investigate fraud or security issues. With your consent: in any other case where you direct or consent to the sharing.

We may share aggregated or de-identified information that cannot reasonably be used to identify you, for any purpose, including benchmarking and industry analytics.

4. SMS AND TELEPHONE COMMUNICATIONS

If you provide your mobile number, we may send you service-related text messages (such as verification codes and account alerts) and, with your consent, marketing messages. Message and data rates may apply. You may opt out of marketing texts at any time by replying STOP.

No sharing of SMS opt-in data: Mobile phone numbers and SMS opt-in consent collected for our own messaging programs are not shared with third parties or affiliates for their marketing purposes.

When our customers use the Services to send SMS messages to their customers, the business sending the message is responsible for obtaining recipient consent, as described in our Terms of Service.

5. DATA RETENTION

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including: Account information: for the duration of your subscription and for a reasonable period thereafter for legal, tax, and audit purposes; Customer Data: for the Subscription Term plus a thirty (30) day export window following termination, after which it is deleted from active systems (backup copies are purged on a rolling basis), except as required by law; Signed documents and audit trails: retained per our customers' instructions and legal requirements applicable to executed agreements; Marketing data: until you opt out or the data is no longer needed; Log and security data: typically twelve (12) to twenty-four (24) months.

Retention periods may be extended where required for legal claims, investigations, or regulatory compliance.

6. DATA SECURITY

We maintain administrative, physical, and technical safeguards designed to protect personal information, including: Encryption of data in transit (TLS) and at rest; Logical tenant isolation within our multi-tenant architecture; Role-based access controls and least-privilege access for personnel; Continuous monitoring, logging, and vulnerability management; Vendor security assessments for subprocessors.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for activity under your account. If we become aware of a breach affecting your personal information, we will notify you as required by applicable law.

7. COOKIES AND TRACKING TECHNOLOGIES

We and our partners use cookies, pixels, local storage, and similar technologies to: Operate the Services (essential cookies for authentication, session management, and security); Remember preferences (functional cookies); Analyze usage (analytics cookies, such as measuring feature adoption and website traffic); and Market our Services (advertising cookies used for retargeting and campaign measurement on our public websites).

You can manage cookies through your browser settings and, where available, our cookie consent banner. Disabling essential cookies may impair the Services. We currently do not respond to "Do Not Track" browser signals, but we honor Global Privacy Control (GPC) signals where required by law.

8. YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you may have the right to: Access the personal information we hold about you; Correct inaccurate or incomplete information; Delete your personal information; Port your data in a structured, machine-readable format; Object to or restrict certain processing; Withdraw consent where processing is based on consent; Opt out of targeted advertising and certain sharing; and Not be discriminated against for exercising your rights.

To exercise your rights, email [email protected] or use the settings within your account. We will verify your identity before fulfilling requests and respond within the timeframes required by applicable law. You may designate an authorized agent to submit requests on your behalf where permitted.

Note: If your personal information is contained in Customer Data controlled by a business using Worxstream, we will refer your request to that business, as we process that data on its behalf.

8.1 California Residents (CCPA/CPRA). California residents have the rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell personal information for money; however, the use of certain advertising cookies on our public websites may constitute "sharing" under California law — you can opt out via our cookie banner or a GPC signal. We do not use or disclose sensitive personal information for purposes requiring a right to limit. We do not knowingly sell or share the personal information of minors under 16.

8.2 EEA, UK, and Swiss Residents (GDPR). If you are in the European Economic Area, United Kingdom, or Switzerland, you have the rights listed above plus the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are described in Section 2.

8.3 Other U.S. State Laws. Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Texas, Virginia, and others) may exercise the applicable rights above. Where a request is denied, you may appeal by replying to our decision or emailing [email protected] with "Appeal" in the subject line.

9. INTERNATIONAL DATA TRANSFERS

Worxstream is based in the United States, and the Services are hosted in the United States. If you access the Services from outside the U.S., your information will be transferred to, stored, and processed in the U.S. and other jurisdictions where our service providers operate. Where required, we implement appropriate safeguards for international transfers, such as Standard Contractual Clauses.

10. CHILDREN'S PRIVACY

The Services are intended for business use and are not directed to individuals under 18. We do not knowingly collect personal information from children under 13 (or the applicable age of digital consent). If we learn we have collected such information, we will delete it promptly. If you believe a child has provided us personal information, contact [email protected].

11. THIRD-PARTY SITES AND SERVICES

The Services may contain links to third-party websites and integrate with third-party services (including payment processors, e-signature recipients' email providers, mapping services, and accounting platforms). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy with a revised "Last Updated" date and, where appropriate, by email or in-product notice at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

13. CONTACT US

Atlas Tech Ventures

Attn: Privacy

Email: [email protected]

Legal inquiries: [email protected]

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us and we will respond promptly.