Privacy Policy
Effective Date: April 15, 2026
Last Updated: April 15, 2026
This Privacy Policy describes how RightSize HVAC ("we," "us," or "our") collects, uses, and protects your information when you use our mobile application and website (collectively, the "Service").
By using the Service, you agree to the collection and use of information as described in this policy.
Contact: team@rightsizehvac.com
---
1. Information We Collect
Information You Provide
Account Information (required):
- Email address
- Password (encrypted, never stored in plain text)
- Full name
Profile Information (optional):
- Business name
- Phone number
- Contractor license number
- Business address
- Website URL
- Brand color preference
- Default location for climate data
Information Collected Automatically
Device Information:
- A unique device identifier generated by the app and stored securely on your device
- Device name (e.g., "John's iPhone")
This information enables single-device login enforcement for account security.
Usage Information:
- We do not use third-party analytics services
- We do not track your behavior within the app
Project Data
All HVAC project data—including floor plans, building specifications, and calculation results—is stored locally on your device only. This data is never uploaded to or stored on our servers.
Payment Information
When you purchase a subscription:
- App Store purchases: Apple processes all payment information. We receive only transaction identifiers and subscription status.
- Website purchases: Stripe processes all payment information. We receive only transaction confirmations and subscription status.
We do not collect, store, or have access to your credit card numbers or payment details.
---
2. How We Use Your Information
We use your information to:
- Provide the Service: Create and manage your account, authenticate logins, and manage subscriptions
- Communicate with you: Respond to support requests and send service-related notices
- Ensure security: Enforce single-device login and detect unauthorized access
- Improve the Service: Understand usage at an aggregate level to fix bugs and improve features
We do not:
- Sell your personal information
- Share your information with third parties for marketing purposes
- Use your information for advertising
---
3. Legal Basis for Processing (EEA/UK Users)
If you are in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:
- Contract: Processing necessary to provide the Service you requested (account management, subscriptions)
- Legitimate Interest: Processing for security purposes (device tracking, fraud prevention) and service improvement
- Consent: Where you have provided optional profile information
You may withdraw consent at any time by deleting optional information from your profile or contacting us.
---
4. Third-Party Services
We use the following services to operate the Service:
Supabase — Authentication and database hosting
Your account and profile data are stored on Supabase infrastructure in the United States.
Privacy Policy: https://supabase.com/privacy
Apple — App Store and In-App Purchases
Processes subscriptions purchased through iOS. Apple handles all payment information.
Privacy Policy: https://www.apple.com/legal/privacy/
Stripe — Website payment processing
Processes subscriptions purchased through our website. Stripe handles all payment information.
Privacy Policy: https://stripe.com/privacy
We do not share your personal information with any other third parties.
---
5. Data Storage and Security
- Account and profile data are stored on secure servers provided by Supabase
- Project data remains on your device and is never transmitted to our servers
- Sensitive credentials are stored in your device's secure keychain
- All data transmitted between your device and our servers is encrypted using TLS
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
---
6. Data Retention
- Active accounts: Data retained while your account remains active
- Deleted accounts: Profile data is permanently deleted 30 days after you request deletion
- Project data: Stored on your device under your control; not subject to our retention policies
- Subscription records: Retained as necessary for legal and accounting purposes
---
7. International Data Transfers
Our servers and service providers are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
For EEA/UK users: These transfers are conducted pursuant to Standard Contractual Clauses approved by the European Commission, or other valid transfer mechanisms.
By using the Service, you consent to these transfers.
---
8. Your Privacy Rights
All Users
You have the right to:
- Access your personal information within the app (Settings → Profile)
- Update your information at any time
- Export your project data as files
- Delete your account (Settings → Account → Delete Account)
European Economic Area and UK Users (GDPR)
You additionally have the right to:
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Request we limit processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent
- Lodge a complaint: With your local data protection supervisory authority
California Users (CCPA)
You have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Non-discrimination: We will not discriminate against you for exercising your rights
Do Not Sell My Personal Information: We do not sell your personal information to third parties.
To exercise any of these rights, contact us at team@rightsizehvac.com.
---
9. Children's Privacy
The Service is intended for use by HVAC professionals and is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.
---
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email or prominent notice within the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you do not agree with changes, you may delete your account.
---
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, contact us at:
RightSize HVAC
Email: team@rightsizehvac.com
For EEA/UK users: RightSize HVAC acts as the data controller for your personal information.