PRIVACY POLICY – VisitPlus Fortified Security Last Updated: 7/13/2026 Effective Date: 1/1/2026 1. INTRODUCTION Fortified Security ("Company," "we," "us," "our," or "Fortified Security") operates the VisitPlus platform, including our website (visitplus.com), application dashboard, mobile applications, and visitor kiosk/check-in systems (collectively, the "Platform" or "Service"). This Privacy Policy explains how we collect, use, store, protect, and share personal information when you use VisitPlus. This policy applies to all users, including facility administrators, security personnel, visitors, contractors, and other parties interacting with the Platform. **Important:** By accessing or using VisitPlus, you consent to the collection and use of information as described in this Privacy Policy. If you do not agree with our practices, please do not use VisitPlus. This Privacy Policy should be read in conjunction with our Terms and Conditions for VisitPlus. In the event of any conflict, the terms more protective of your privacy will apply. 2. INFORMATION WE COLLECT We collect personal and sensitive information in the following categories: 2.1 Information You Provide Directly - **Name and Contact Information:** First name, last name, email address, phone number, mailing address, organization/company name - **Identification Documents:** Government-issued identification (driver's license, passport, national ID), issue/expiration dates - **Photographs and Biometric Data:** Photos taken at check-in, facial recognition data (where applicable and permitted by law), fingerprints (if used for access control) - **Access Information:** Badge number, access credentials, facility location, visit purpose, host/department - **Communication Data:** Messages sent through VisitPlus, feedback, support inquiries, complaints 2.2 Information Collected Automatically - **Device Information:** Device type, operating system, browser type, device identifiers (UDID, IMEI) - **Network Information:** IP address, MAC address, WiFi network name - **Usage Data:** Pages visited, features used, duration of use, timestamps, click patterns, interaction logs - **Location Data:** Facility location (if captured), GPS coordinates (if enabled on your device) - **SMS/MMS Metadata:** Your phone number, carrier information, date and time of SMS/MMS delivery, message delivery status (sent, delivered, failed) 2.3 Information from Third Parties - **Access Control Systems:** Integration with Gallagher, Lenel, or other access control platforms may share credential data, access history, badge status - **Payment Processors:** Stripe and other payment providers may share transaction status, subscription information - **Video Management Systems:** Integration with Milestone, Avigilon, Genetec, or other VMS platforms may share video metadata and incident alerts - **Background Check Providers:** If your organization uses integrated background screening, we may receive verification status and clearance information - **Facility Systems:** CCTV systems, alarm systems, and other facility infrastructure may log your facility presence 2.4 Sensitive Personal Information We collect and process the following categories of sensitive data: - **Biometric Identifiers:** Facial recognition data, fingerprints, iris scans (collected only where permitted by applicable law) - **Government Identification:** Driver's license numbers, passport information, national ID numbers - **Financial Information:** Credit card details (processed by Stripe; we do not store full card numbers) - **Background Information:** Results of background checks or security clearances (where applicable) - **Health/Safety Information:** Accessibility requirements, emergency contact information, known threats or safety concerns **Biometric Data Specifics:** - Biometric information is collected only where you have provided explicit consent and where permitted by state and federal law (including BIPA in Illinois, Washington State Privacy Act, etc.) - Facial recognition data is used strictly for identity verification and access control - Biometric data is encrypted and stored separately from other personal information - Biometric data is NOT sold, rented, shared for marketing purposes, or disclosed to third parties except as required by law or authorized by you 3. HOW WE USE INFORMATION Information collected through VisitPlus is used for the following purposes: 3.1 Primary Purposes - **Visitor Management:** Check-in/check-out processing, visitor badge generation, facility access logging - **Security & Safety:** Identity verification, threat assessment, incident investigation, emergency response - **Access Control:** Granting or denying facility access, integrating with access control systems, managing credentials - **Communication:** Sending SMS/MMS notifications to users and visitors, alerts, confirmations, account notifications - **Compliance:** Meeting legal obligations, regulatory requirements, audit trails, incident documentation - **Operational Excellence:** System optimization, performance monitoring, feature improvements, analytics 3.2 Secondary Purposes - **Analytics & Insights:** Analyzing visitor patterns, facility utilization, peak times, trend identification (anonymized/aggregated data) - **Customer Support:** Responding to inquiries, resolving issues, providing technical assistance - **Marketing & Updates:** Sending newsletters, product updates, service announcements (only to users who opt-in; SMS opt-in governed separately per Terms & Conditions Section 5) - **Fraud Prevention:** Detecting unauthorized access attempts, identifying suspicious activity, protecting against misuse - **Legal Defense:** Enforcing agreements, defending against claims, cooperating with legal proceedings 3.3 Automated Decision-Making We may use automated systems (including machine learning) to: - Verify identity and prevent fraud - Flag suspicious access attempts - Generate visitor alerts based on risk profiles - Optimize facility operations and predict peak times You have the right to request human review of automated decisions that significantly affect you (e.g., access denial). Contact us per Section 10. 4. DATA SHARING AND THIRD-PARTY SERVICES 4.1 Service Providers We share personal information with third-party service providers who assist in operating VisitPlus and delivering services: | Service Provider | Purpose | Data Shared | |---|---|---| | **Microsoft Azure** | Cloud hosting, data storage, backup | All data (encrypted in transit and at rest) | | **Stripe** | Payment processing, subscription billing | Name, email, billing address, transaction history | | **Twilio / SMS Carrier Partners** | SMS/MMS delivery | Phone number, message content (text alerts only), delivery metadata | | **Email Service Providers** | Sending notifications and communications | Email address, name, notification content | | **Gallagher, Lenel, etc.** | Access control integration | User credentials, access history, badge information | | **Milestone, Avigilon, Genetec** | Video system integration | Visitor photos, incident metadata, facility presence logs | | **Google Analytics** | Website traffic and usage analytics | Anonymized usage data, device type, pages visited | | **Sentry / Error Tracking** | Technical debugging and system monitoring | Limited user data, error logs (may contain IP addresses) | 4.2 Authorized Use by Service Providers All third-party service providers are: - Contractually obligated to use information only as necessary to provide services on our behalf - Required to implement security measures equivalent to our own - Prohibited from using data for their own marketing or commercial purposes - Subject to data processing agreements (DPA) compliant with GDPR, CCPA, and applicable law 4.3 Data Transfers Outside the United States Some of our service providers (particularly Microsoft Azure) operate data centers globally, including outside the United States. When we transfer personal information internationally: - We implement Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by law - We ensure equivalent privacy protections - We comply with GDPR Chapter V requirements for international transfers - Users in restricted jurisdictions may have additional rights (see Section 6) 4.4 No Sale of Personal Information **Fortified Security does NOT sell, rent, lease, or trade your personal information to third parties for their marketing or commercial purposes.** We do not share information for direct marketing by unaffiliated companies. If you are a California resident, this commitment fulfills your CCPA rights under Section 6.2 below. 4.5 Legal Obligations & Law Enforcement We may disclose personal information without notice if required by law or in response to: - Valid legal process (subpoena, court order, warrant) - Government or law enforcement requests - Protecting the safety of individuals or the public - Investigating potential violations of our Terms & Conditions - Protecting our legal rights and property We will disclose information only to the extent required by law, and we will attempt to provide you with notice of such disclosures where legally permissible. 4.6 Business Transfer If Fortified Security is involved in a merger, acquisition, bankruptcy, asset sale, or other business transfer, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information. 5. BIOMETRIC AND IDENTIFICATION DATA 5.1 Collection and Use Biometric information (facial recognition, fingerprints, iris data) is collected only where: - You have provided explicit, informed consent - Permitted under applicable state and federal law (BIPA, WBPA, DCRA, etc.) - Necessary for identity verification or facility access 5.2 Storage and Protection - Biometric data is encrypted using industry-standard encryption (AES-256 or equivalent) - Stored separately from other personal information - Accessed only by authorized system administrators - Not linked to marketing databases or shared with third parties for profiling 5.3 Retention and Deletion Biometric data is retained only as long as necessary for the purposes listed above. Upon your request or upon departure from a facility, biometric data will be securely deleted per Section 5.5 below. 5.4 No Sale or Unauthorized Use Biometric data is **never:** - Sold or licensed to third parties - Used for commercial profiling or targeted advertising - Disclosed to law enforcement without a lawful warrant or court order - Combined with other databases for cross-facility tracking (unless authorized by your organization) 5.5 Deletion of Biometric Data You have the right to request deletion of biometric data. Upon receiving a deletion request, we will: - Permanently delete all biometric records within 30 days - Cease use of biometric templates for any purpose - Notify affected third-party systems (access control, VMS) to delete their copies - Retain only a record of deletion for compliance purposes To request biometric data deletion, email privacy@fortifiedsecurity.com with the subject line "Biometric Data Deletion Request" and include your name, facility, and date of collection. 6. YOUR PRIVACY RIGHTS Your rights depend on your location. This section outlines rights under major privacy laws. 6.1 Universal Rights (All Users) Regardless of location, you have the right to: - **Access:** Request what personal information we hold about you - **Correction:** Update or correct inaccurate information - **Deletion:** Request deletion of your personal information (subject to legal retention requirements) - **Opt-Out of Marketing:** Unsubscribe from marketing communications and newsletters - **Opt-Out of SMS/MMS:** Text STOP to any VisitPlus message to unsubscribe (see Terms & Conditions Section 5.4) - **Portability:** Request a portable copy of your data in a machine-readable format - **Non-Discrimination:** We will not discriminate against you for exercising your privacy rights To exercise any of these rights, contact us per Section 10 below. 6.2 California Residents (CCPA & CPRA) California residents have additional rights: - **Right to Know:** Request specific pieces of personal information we collect, use, and share - **Right to Delete:** Request deletion of personal information we have collected from you (with exceptions for legal obligations) - **Right to Opt-Out:** Opt out of the "sale" or "sharing" of personal information (VisitPlus does not engage in these practices, but you may opt-out for clarity) - **Right to Correct:** Request correction of inaccurate personal information - **Right to Limit:** Limit our use and disclosure of sensitive personal information - **Right to Appeal:** Appeal our decision regarding a privacy rights request **Disclosure for CCPA:** - We collect personal information for business purposes (security, operational efficiency, legal compliance) - We disclose personal information to service providers for business purposes - We do NOT sell personal information as defined by CCPA - We do NOT share personal information for cross-context behavioral advertising To submit a CCPA request, email privacy@fortifiedsecurity.com with: - "CCPA Request" in the subject line - Specify your right (Access, Delete, Correct, Opt-Out, Limit) - Provide verification information (name, email, facility, date range) We will respond within 45 days (extendable by 45 additional days if necessary). **Authorized Agent:** If submitting on behalf of another person, provide a power of attorney or written authorization. 6.3 EU Residents (GDPR) If you are in the European Union, European Economic Area, or UK, GDPR rights apply: - **Access (Article 15):** Obtain a copy of personal data we hold - **Rectification (Article 16):** Correct inaccurate data - **Erasure (Article 17):** Request deletion ("Right to be Forgotten"), subject to exceptions - **Restrict Processing (Article 18):** Limit how we use your data - **Data Portability (Article 20):** Receive your data in a portable, machine-readable format - **Object (Article 21):** Object to processing, including automated decision-making - **Lodge a Complaint (Article 77):** File a complaint with your local data protection authority **Legal Basis for Processing:** - Contract performance (Terms & Conditions agreement) - Legal obligation (building codes, safety regulations) - Legitimate interests (facility security, fraud prevention) - Consent (biometric data, marketing communications) **Data Protection Officer:** While Fortified Security does not currently employ a dedicated DPO, inquiries may be directed to privacy@fortifiedsecurity.com with "DPO Request" in the subject line. **International Transfers:** Data transfers to the US are governed by Standard Contractual Clauses or equivalent mechanisms. You may request a copy of our transfer documentation. To submit a GDPR request, email privacy@fortifiedsecurity.com with: - GDPR Article number (e.g., "Article 17 - Erasure Request") - Verification information (full name, email, facility, date of visit) - Specific description of data requested We will respond within 30 calendar days (extendable to 90 days for complex requests). 6.4 State-Specific Rights (Virginia, Colorado, Connecticut, Utah, Montana, Delaware) Additional state privacy laws provide residents with similar rights to CCPA: | State | Law | Key Rights | |---|---|---| | **Virginia** | VCDPA | Access, Delete, Correct, Opt-Out, Portability | | **Colorado** | CPA | Access, Delete, Correct, Opt-Out, Portability | | **Connecticut** | CTDPA | Access, Delete, Correct, Opt-Out, Portability | | **Utah** | UCPA | Access, Delete, Correct, Opt-Out, Portability | | **Montana** | MCDPA | Access, Delete, Correct, Opt-Out, Portability | | **Delaware** | DPDPA | Access, Delete, Correct, Opt-Out, Portability | To exercise rights under any state privacy law, email privacy@fortifiedsecurity.com with your state and the specific right you're exercising. We will respond within the timeframe required by your state's law (typically 30-45 days). 6.5 Illinois Residents (BIPA) Illinois residents have specific rights regarding biometric information under the Biometric Information Privacy Act: - **Right to Consent:** We will obtain your written consent before collecting biometric data - **Right to Notice:** You will receive notice of our biometric data practices - **Right to Access & Deletion:** Request access to or deletion of biometric data - **Right to Litigation:** Right to bring a private cause of action for violations Biometric data under BIPA includes face geometry, fingerprints, voiceprints, iris/retina scans, and other biological measurements used for identification. To request biometric data deletion under BIPA, email privacy@fortifiedsecurity.com with: - Subject: "BIPA Biometric Data Deletion" - Your full name, email, and facility location - Dates of biometric collection We will delete all biometric records within 3 business days of verification. 6.6 Washington Residents (WBPA) Washington State Biometric Privacy Act (WBPA) grants rights similar to BIPA: - Written consent before collecting biometric data - Notice of collection and use - Access to and deletion of biometric data - Prohibition on sale or third-party sharing without consent Please refer to Section 6.5 procedures for WBPA requests. 7. DATA RETENTION We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, enforce agreements, and satisfy our audit and recordkeeping requirements. 7.1 Data Retention Schedules | Data Category | Retention Period | Legal Basis | |---|---|---| | **Visitor Check-In Records** | 3 years | Facility security, incident investigation, regulatory compliance | | **Access Control Logs** | 5 years | Security audit, breach investigation, compliance (NIST, DoD standards) | | **Photographs/Biometric Data** | Duration of facility access + 1 year | Identity verification, incident investigation, litigation holds | | **SMS/MMS Delivery Records** | 6 months | TCPA compliance, proof of delivery, billing reconciliation | | **Account Information (Active Users)** | Duration of subscription + 1 year | Billing, customer service, dispute resolution | | **Payment Information** | As required by law (typically 7 years) | Tax compliance, financial audit, fraud investigation | | **Email Communications** | 2 years | Customer service history, compliance documentation | | **System Logs / IP Addresses** | 90 days | Security monitoring, fraud detection, system troubleshooting | | **Background Check Results** | 7 years | Compliance with hiring regulations, employment verification | | **GDPR/CCPA Deletion Records** | 3 years | Proof of compliance with deletion requests | 7.2 Data Deletion Upon Account Termination When your VisitPlus account is terminated or you request deletion: - All personal data not subject to legal retention requirements will be deleted within 30 days - Biometric data will be permanently deleted per Section 5.5 - Aggregated, anonymized data may be retained indefinitely for analytics and research - We will retain records necessary for legal compliance and dispute resolution - A deletion certificate will be provided upon request 7.3 Litigation Hold / Legal Holds If we receive notice of litigation, regulatory investigation, or legal hold affecting your data, retention periods may extend until the legal matter is resolved. 8. SECURITY MEASURES We implement reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, and destruction. 8.1 Technical Security - **Encryption:** Data encrypted in transit (TLS 1.2+) and at rest (AES-256) - **Access Control:** Role-based access controls (RBAC); least-privilege principle - **Monitoring:** 24/7 security logging, intrusion detection systems, anomaly detection - **Vulnerability Management:** Regular penetration testing, vulnerability scanning, security patching - **Secure Infrastructure:** Hosted on Microsoft Azure with SOC 2 Type II compliance 8.2 Administrative Security - **Employee Training:** Annual privacy and security training for all staff with access to personal data - **Background Checks:** Background screening for employees with data access - **Access Restrictions:** Data access limited to employees with business need-to-know - **Confidentiality Agreements:** All employees and contractors sign confidentiality agreements - **Incident Response:** Written incident response plan; notification procedures per Section 9 8.3 Physical Security - **Facility Access:** Restricted access to offices and servers - **Data Center Security:** Third-party data center with security certifications (SOC 2, ISO 27001) - **Device Security:** Laptops and devices encrypted; remote wipe capability 8.4 Limitations While we implement industry-standard security measures, **no security system is 100% secure.** We cannot guarantee absolute security. You use VisitPlus at your own risk, subject to the liability limitations in our Terms & Conditions. 9. DATA BREACH NOTIFICATION If there is a breach of security resulting in unauthorized disclosure of personal information, we will: 1. **Notify You:** Provide notice without unreasonable delay (within 72 hours where required by law) 2. **Notification Method:** Email to your registered address; notice also posted on VisitPlus (if breach affects 250+ individuals) 3. **Information Included:** Nature of breach, types of data affected, likely consequences, steps you should take, our mitigation efforts, contact information for questions 4. **Regulatory Notification:** Notify relevant regulatory authorities where required (GDPR Article 33, CCPA Section 1798.150) 5. **Credit Monitoring:** If sensitive personal data is affected, we will offer 1-2 years of complimentary credit monitoring **Security Incident Report:** You may request a security incident report by emailing privacy@fortifiedsecurity.com. 10. CHILDREN'S PRIVACY VisitPlus is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware that we have collected information from a child under 13 without parental consent, we will: - Promptly delete such information - Notify the child's parent or guardian - Cease any use of the information for marketing purposes For visitors aged 13-18 (minors), collection is permitted only with parental or guardian consent. Parents/guardians have the right to access, review, and request deletion of a minor's information. If you believe we have collected information from a child under 13, please contact privacy@fortifiedsecurity.com immediately. 11. COOKIES AND TRACKING TECHNOLOGIES 11.1 Cookies VisitPlus uses cookies to: - Maintain session authentication - Remember user preferences - Analyze usage patterns (analytics) - Prevent fraud and abuse **Cookie Types:** | Type | Purpose | Retention | |---|---|---| | **Strictly Necessary** | Session authentication, security | Deleted when session ends | | **Functional** | Remembering preferences, language settings | 1 year | | **Analytics** | Google Analytics (anonymized) | 26 months | | **Marketing** | Remarketing pixels (optional, opt-in only) | 90 days | 11.2 Cookie Management Most browsers allow you to control cookies through settings. You may: - Block all cookies - Block third-party cookies only - Clear cookies after each session - Be notified when a cookie is set **Note:** Disabling strictly necessary cookies may impair VisitPlus functionality. 11.3 Do Not Track (DNT) We do not currently respond to "Do Not Track" signals. However, you may opt out of analytics tracking by adjusting your cookie settings or requesting deletion per Section 6. 12. THIRD-PARTY LINKS AND SERVICES VisitPlus may contain links to third-party websites (payment processors, integrations, etc.). This Privacy Policy applies only to VisitPlus. We are not responsible for third-party privacy practices. When you access third-party services through VisitPlus: - Review their privacy policies independently - We do not control their data practices - We are not responsible for their security or data handling Recommended third-party privacy policies: - [Stripe Privacy Policy](https://stripe.com/privacy) - [Microsoft Azure Privacy](https://privacy.microsoft.com/privacystatement) - [Gallagher Privacy](https://gallaghersecurity.com) 13. POLICY UPDATES We may update this Privacy Policy at any time to reflect: - Changes in our data practices - New legal requirements - Technical improvements - Other operational reasons **Notice of Changes:** - Material changes will be communicated via email and prominent notice on VisitPlus - We will request affirmative consent for significant privacy practice changes - Continued use of VisitPlus after updates constitutes acceptance The "Last Updated" date at the top of this policy indicates when it was last revised. **Archive of Previous Policies:** You may request previous versions of this Privacy Policy by emailing privacy@fortifiedsecurity.com. 14. CONTACT US & PRIVACY INQUIRIES If you have questions, concerns, or wish to exercise your privacy rights, please contact: **Fortified Security Privacy Team** Email: privacy@fortifiedsecurity.com Mailing Address: [YOUR MAILING ADDRESS] Attention: Privacy Officer Phone: [YOUR PHONE NUMBER] **Response Timeframe:** - General inquiries: 5-7 business days - Privacy rights requests (GDPR/CCPA/State Privacy Laws): 30-45 business days - Urgent matters: Please mark email "URGENT - Privacy" in subject line **Authorized Data Protection Contacts:** - Privacy Officer: privacy@fortifiedsecurity.com - Legal Department: legal@fortifiedsecurity.com - Executive Leadership: [executive email if desired] 15. INTERNATIONAL DATA TRANSFERS As VisitPlus operates globally, personal information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States. These countries may not have data protection laws equivalent to your home country. By using VisitPlus, you consent to: - Transfer of your personal information internationally - Processing in the United States and other countries - Application of US law and our Privacy Policy We implement safeguards including: - Standard Contractual Clauses (GDPR Article 46) - Adequacy Decisions (where applicable) - Your explicit consent (where required) EU/EEA/UK residents have specific protections. See Section 6.3 for GDPR-specific information. 16. CALIFORNIA CONSUMER PRIVACY NOTICE **CCPA Opt-Out of Sale or Sharing:** While Fortified Security does NOT sell or share personal information for cross-context behavioral advertising, California law requires this notice. To opt-out of any potential "sale" or "sharing" (as defined by CCPA/CPRA), you may submit a request via: - Email: privacy@fortifiedsecurity.com with subject "CCPA Opt-Out" - Do-Not-Track mechanism (if implemented) We will confirm receipt and provide opt-out confirmation within 45 days. **Personal Information Disclosed for Business Purposes:** Fortified Security discloses the following personal information to service providers for business purposes: - Name, email, phone number (customer service, billing) - Payment information (payment processing via Stripe) - Device & IP information (hosting, security monitoring) - Usage data (analytics, feature improvement) - Photographs & biometric data (identity verification, security) Service providers are contractually bound to use information only to provide services on Fortified Security's behalf. --- **ACKNOWLEDGMENT** By using VisitPlus, you acknowledge that: - You have read and understood this Privacy Policy - You consent to the collection, use, and sharing of information as described - You understand our data retention and security practices - You are aware of your privacy rights under applicable law - You understand that certain data (particularly biometric data) is sensitive and given special protection --- **For more information about your privacy rights, visit:** - CCPA: https://oag.ca.gov/privacy/ccpa - GDPR: https://ec.europa.eu/info/law/law-topic/data-protection_en - FTC (USA): https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy