Privacy Policy

1. Scope

This Privacy Policy applies to EDSA.dev, associated subdomains, hosted applications, client portals, support workflows, communications, and digital products offered by EDSA, including Revenue Acceleration Suite (RAS) and EDSA CORE offerings. It also applies to information collected when users request access, contact EDSA, use hosted features, or interact with EDSA software deployed by or for clients, except where a separate written agreement or product-specific notice governs.

2. Roles and responsibilities

Depending on the service model, EDSA may act as a business, controller, service provider, processor, vendor, or similar operational role under applicable law. For the public EDSA website and EDSA-operated account, billing, support, and platform functions, EDSA generally determines the purposes and means of processing. For certain client-configured workflows, hosted modules, or self-hosted deployments, the client may be the party that determines the purposes of processing, while EDSA provides technology, implementation, support, or hosting services pursuant to contract.

Where a client uses self-hosted or client-controlled deployments of CORE or related EDSA software, the client is generally responsible for its own privacy notices, legal bases, permissions, configurations, and downstream processing decisions within its environment.

3. Information we collect

EDSA may collect the following categories of information, depending on the products and services in use:

• Contact and identity data, such as name, business email, company, role, phone number, and similar account or inquiry details
• Account and portal data, such as login identifiers, user role assignments, invitations, password reset events, multi-factor authentication events, session data, trusted-device tokens, and account preferences
• Commercial and billing data, such as subscription selections, plan names, module entitlements, invoices, transaction metadata, billing status, renewal dates, tax-related details, and payment processor references
• Technical and device data, such as IP-related metadata, browser type, device type, operating system, approximate location inferred from network signals, viewport size, site keys, domain data, cookie identifiers, session identifiers, and log information
• Support and communication data, such as emails, implementation notes, support requests, access requests, and related business communications
• Product and usage data generated through RAS and CORE modules, including configuration records, analytics events, workflow activity, experiment data, loyalty events, session replay metadata, feedback submissions, replay/heatmap interaction data, and similar operational records
• Client-provided business data processed through CORE, Marketplace, or RAS features where EDSA acts on behalf of the client

4. Sensitive and restricted information

EDSA does not intend to store full payment card numbers through RAS billing workflows and uses third-party payment processors, such as PayPal, for payment handling. Session replay and similar behavior products are designed to support masking and exclusion controls. EDSA seeks not to store raw passwords, full payment card details, CVV values, or other fields intentionally masked or excluded by platform rules. However, clients remain responsible for configuring their sites and deployments appropriately, especially where they control page markup, field labeling, masking attributes, or self-hosted infrastructure.

5. How we collect information

EDSA collects information directly from users, clients, and administrators; automatically through websites, portals, APIs, logs, cookies, and scripts; from service providers such as payment platforms and email vendors; and from client-side integrations where RAS or CORE modules are installed.

6. How we use information

EDSA may use information to:

• Provide, secure, maintain, and improve the website, RAS, CORE, and related offerings
• Create and administer accounts, invitations, role assignments, and access controls
• Process subscriptions, entitlements, renewals, invoices, and operational billing events
• Provide customer service, onboarding, support, implementation, diagnostics, and troubleshooting
• Operate analytics, experimentation, loyalty, behavior, recovery, and optimization features requested or configured by clients
• Monitor reliability, prevent abuse, detect fraud, enforce policies, and protect systems, users, clients, and third parties
• Comply with legal obligations, enforce agreements, investigate disputes, and establish or defend legal claims
• Send service communications, policy notices, alerts, and other operational messages
• Send marketing communications where permitted by law and subject to user preferences or opt-out rights

7. Cookies, scripts, and similar technologies

EDSA and its products may use cookies, local storage, scripts, pixels, session tokens, and similar technologies to authenticate users, remember preferences, secure sessions, measure usage, assign experiments, enforce module behavior, and improve site and product performance. Some features may not function properly if certain technical storage mechanisms are disabled. Where legally required, EDSA or its clients may present consent or choice mechanisms.

8. RAS module-specific processing

RAS includes modular capabilities such as Voice of Customer, JourneyLens session replay and heatmaps, Abandonment Recovery, Optimize experimentation, Loyalty Engine, and related program modules. These modules may process event data, session identifiers, page URLs, conversion metadata, reward activity, or client-defined configuration data. Clients are responsible for selecting which modules to enable, which sites and domains to connect, what business logic to deploy, and what notices they provide to their own end users where required by law.

9. CORE-specific processing

CORE offerings may process business and operational data related to product management, content workflows, tasks, commerce functions, or internal operations. Where CORE is hosted by EDSA, EDSA may process account, system, and operational data needed to run the environment. Where CORE is deployed in a client-controlled environment, the client typically controls the processing within that environment, and EDSA may have limited or no access except as agreed for support, implementation, or maintenance.

10. Legal bases and applicable frameworks

Where applicable law requires a legal basis, EDSA may process information on the basis of consent, contract performance, legitimate interests, legal obligation, protection of rights and security, or other lawful grounds recognized under applicable law. Privacy rights and obligations may vary based on jurisdiction, relationship, and service model.

11. Disclosures to third parties

EDSA may disclose information to hosting providers, infrastructure vendors, payment processors, email providers, support tools, professional advisors, affiliates, contractors, and service providers that help operate the website, products, and business. EDSA may also disclose information where required by law, to protect rights or security, in connection with a merger, acquisition, financing, or business transfer, or with the direction or authorization of the client or user.

EDSA does not sell personal information in the ordinary sense of exchanging personal information for money. If any activity is later determined to constitute a sale, sharing, or targeted-advertising-related disclosure under applicable law, EDSA will address such obligations through updated notices and controls as appropriate.

12. International processing

EDSA may process and store information in the United States or in other jurisdictions where EDSA or its service providers operate. By using EDSA services, users understand that information may be transferred to and processed in jurisdictions that may have different data protection rules than those in their place of residence, subject to applicable legal safeguards where required.

13. Data retention

EDSA retains information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, maintain records, enforce agreements, meet security and compliance requirements, resolve disputes, and satisfy legal obligations. Retention periods may vary by product, module, account status, contract, jurisdiction, and client configuration. Some modules, including privacy and replay-related products, may support configurable retention and deletion workflows.

14. Security

EDSA uses administrative, technical, and organizational safeguards intended to protect information against unauthorized access, disclosure, alteration, and destruction. However, no website, application, transmission, or storage system can be guaranteed to be completely secure. Clients using self-hosted or client-managed environments are responsible for the security, access control, infrastructure hardening, and lawful configuration of those environments.

15. Individual rights

Depending on applicable law, individuals may have rights to request access to personal information, correction of inaccurate information, deletion, portability, restriction, objection, opt-out of certain disclosures or uses, and non-discrimination for exercising applicable privacy rights. EDSA may take reasonable steps to verify identity and authority before acting on a request. Some requests may be limited or denied where permitted by law, including to protect security, comply with legal obligations, or preserve the rights of others.

16. California-specific disclosures

If California law applies, California residents may have rights that include the right to know, delete, correct, opt out of sale or sharing, limit certain sensitive personal information uses, and not be discriminated against for exercising applicable rights. EDSA may also honor qualifying browser-based or device-based preference signals where required by law and technically applicable to the relevant processing context.

17. Client and administrator responsibilities

Clients and administrators are responsible for the lawful use of EDSA products in their own environments, including proper notice, consent where required, data minimization, access control, configuration of masking or exclusions, module activation choices, and response to requests from their own end users where they act as controller or business. EDSA products may provide tooling that supports these obligations, but the client remains responsible for how such tooling is configured and used.

18. Children

EDSA products and services are intended for business and professional use and are not directed to children. EDSA does not knowingly collect personal information from children in a manner requiring separate treatment under applicable law through its business-oriented website or platform offerings.

19. Changes to this Privacy Policy

EDSA may update this Privacy Policy from time to time. The current version will be posted on this page with the updated effective date. Continued use of EDSA websites or services after an update becomes effective constitutes acknowledgment of the revised policy, subject to any further consent requirements imposed by law.

20. Contact

Questions, requests, or concerns regarding this Privacy Policy may be directed through the contact methods published by EDSA on its website, including the Contact page or other designated privacy channels.

Effective date: April 30, 2026