Privacy Policy

This Privacy Policy explains what personal information we collect, why we collect it, what we do with it, and what rights you have over it. Portal is a B2B construction operations platform, so most of what we describe applies to business contacts and the people who use Portal at work.

A few things up front:

• We do not sell your personal information. Ever.
• You own your data. You can export it any time, and you can request deletion.
• We use a small number of well-known subprocessors (AWS, Google Maps). We disclose them publicly.
• Our marketing site sets no cookies and runs no analytics as of the date above.
• When your business uploads data about your employees, customers, or subcontractors, you are the controller of that data and we are your processor. Privacy requests about that data should go to your business, not to us.

That's the substance. The rest of this document explains it in detail.

Alfil Web Solutions LLC is a Florida limited liability company headquartered in Tampa, Florida, USA. For privacy questions or to exercise the rights described in this Policy, contact us at contactus@alfilwebsolutions.com.

This Privacy Policy applies to:

• The marketing site at alfilwebsolutions.com and its subdomains
• The Portal product, accessible at portal.alfilwebsolutions.com once launched

This Policy does not cover personal data that Portal customers upload about their own employees, customers, subcontractors, or vendors. When a Portal customer uses Portal to manage information about other people, the customer is the data controller and Alfil acts as the data processor on the customer's behalf. See Section 13 below.

4.a Information you give us directly

When you fill out a form on our marketing site or create a Portal account, we collect:

• Contact form: name, email, company, and the message you send us. We use this to reply to your inquiry.
• Partner inquiry form: name, email, brokerage name, optional phone, and an optional client count. We use this to evaluate and onboard partner applications.
• Portal account creation (when Portal launches): username, language preference, profile image (optional), and the company identifier that links you to your employer's Portal tenant.

Authentication is handled by AWS Cognito Hosted UI. Alfil never sees or stores your password.

4.b Information collected automatically

When you use Portal, our infrastructure logs may incidentally capture:

• IP address and user agent at the infrastructure layer (CloudWatch logs and Cognito authentication events). These are used for security, abuse prevention, and operational troubleshooting. They are not stored in the application database.
• Operational telemetry such as request timestamps, response codes, and error rates, used to monitor service health.

We do not use cookies, advertising pixels, or web analytics on the marketing site as of 2026-04-09. If we add any of these, we will update this Policy and notify users via the standard policy-change procedure described in Section 16.

4.c Information your business uploads (Alfil as processor)

When your business uses Portal, the people at your business may upload information about employees, customers, vendors, subcontractors, projects, time entries, and uploaded files. We act as your processor for this data. See Section 13.

4.d Information from third parties

We do not currently receive personal information about you from any third party. If we add third-party data sources in the future, we will update this Policy.

We use the information we collect to:

• Provide and operate Portal
• Authenticate you and protect the security of your account
• Send you transactional emails (signup confirmations, billing receipts, security notices, support replies)
• Respond to your inquiries and provide customer support
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Improve Portal through aggregated and anonymized analytics

We do not use your personal information for advertising or behavioral profiling, and we do not sell or rent it to anyone.

6.a Subprocessors

We share information with a small number of subprocessors who provide infrastructure and supporting services. Our current subprocessors are:

• Amazon Web Services, Inc. — compute, storage, database, authentication, email, networking, and observability. Region: us-east-1 (Northern Virginia, USA).
• Google LLC (Maps Platform) — address autocomplete and map display in Portal. Limited to address fragments entered by users.

The full and current list will be published at alfilwebsolutions.com/subprocessors/. We give at least 30 days' notice before adding a new subprocessor that processes personal data.

6.b Service providers

We may engage additional service providers (e.g., a payment processor, a license verification provider) as Portal grows. Each will be added to the public subprocessor list before processing personal data.

6.c Legal compliance and law enforcement

We may disclose information when required by law, regulation, legal process, or governmental request, or when we have a good-faith belief that disclosure is necessary to comply with legal obligations, protect the safety of any person, address fraud or security issues, or protect Alfil's rights and property.

6.d Business transfers

If Alfil is involved in a merger, acquisition, financing, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will give you notice (via email and a prominent in-app banner) before any transfer of personal information becomes subject to a different privacy policy.

6.e We never sell personal information

We do not sell, rent, or trade personal information to third parties. We do not engage in cross-context behavioral advertising. We do not share personal information for the purpose of targeted advertising.

We retain personal information for as long as your account or business relationship with Alfil is active.

When your subscription terminates:

• Customer data: retained for up to 60 days after termination, then begins deletion. You may request a final export at any time during this 60-day window.
• Backups: backups containing pre-termination data may persist for an additional 30 days through normal backup rotation, after which they are overwritten.
• Operational logs: application logs are retained for 90 days; VPC flow logs for 60 days; security audit logs for at least 365 days.

You may request earlier deletion by emailing contactus@alfilwebsolutions.com. We will honor deletion requests within statutory windows (45 days for California residents under CCPA, 30 days for Florida residents under FDBR), subject to legal exceptions.

We take security seriously, but no system is perfectly secure.

• Encryption in transit: TLS 1.2 or higher, encrypted end-to-end between your browser and our database.
• Encryption at rest: AES-256 encryption for files; KMS-managed encryption for the application database and secrets.
• Multi-tenancy isolation: your data is isolated from other customers at the database level. Every query operates within your company's authenticated context.
• Access controls: authentication handled by a dedicated identity provider; role-based authorization at the application layer; multi-factor authentication required for administrative access to cloud infrastructure.
• Backups: automated, encrypted, retained per the schedule in Section 7.

If we discover a security incident affecting your personal information, we will notify you in accordance with applicable law.

You have the following rights regarding the personal information we hold about you. These rights apply equally to all U.S. residents, regardless of state.

• Access — request a copy of the personal information we hold about you
• Correction — ask us to correct inaccurate information
• Deletion — request that we delete your personal information, subject to exceptions for legal compliance, security, fraud prevention, and similar purposes
• Portability — request your data in a portable, machine-readable format
• Opt out of marketing — when we send marketing emails (we currently don't), you may opt out at any time
• Non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised any of these rights

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected and used, the right to correct inaccurate information, the right to delete personal information, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information and we do not engage in cross-context behavioral advertising, so the opt-out right is satisfied automatically.

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Florida, and other states with comprehensive privacy laws have rights similar to those listed above. We extend the same rights to all U.S. residents regardless of state of residence.

To exercise any of these rights, email contactus@alfilwebsolutions.com. We will respond within the timelines required by applicable law (typically 45 days, with one 45-day extension permitted under CCPA).

As of the "Last Updated" date above, our marketing site:

• Sets no cookies
• Uses no web analytics (Google Analytics, Plausible, etc.)
• Uses no advertising pixels (Meta, LinkedIn, etc.)
• Uses no third-party scripts that track users

Form submissions include a hidden honeypot field for spam prevention; this is not user tracking.

If we add any cookies, analytics, or tracking technologies in the future, we will update this Policy, publish a separate Cookie Disclosure, and (where required) provide a consent mechanism before any non-essential trackers are loaded.

Portal is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected personal information from a minor, we will delete it promptly. If you believe a minor has provided personal information to us, please contact us.

COPPA does not apply to Portal.

Alfil operates Portal from the United States. Our subprocessors store data in AWS us-east-1 (Northern Virginia, USA).

Portal is not directed at residents of the European Union or the United Kingdom. If you access Portal from outside the United States, you understand and consent that your information will be processed in the United States, where data protection laws may differ from those in your country.

When a Portal customer (a construction business) uses Portal to manage information about its own employees, customers, vendors, or subcontractors, the customer is the data controller and Alfil is the data processor acting on the customer's behalf.

This means:

• The customer decides what data to upload, what it is used for, and how long it is retained (subject to Alfil's standard retention policies).
• Privacy questions and rights requests from data subjects (e.g., a contractor's employee asking about their data) should be directed to the customer, not to Alfil.
• If you receive a privacy request that you believe relates to Portal, we will assist the customer in fulfilling it.

We process customer-controlled data only as instructed by the customer and as necessary to provide the Portal service.

Portal customers may upload sensitive documents, including:

• Workers' compensation insurance certificates
• General liability insurance certificates
• W-9 tax forms
• Certificates of insurance
• Contractor license documents
• Signed contracts and liability waivers

These documents may contain sensitive personal identifiers — Social Security numbers, Employer Identification Numbers, dates of birth, license numbers, and similar information.

Portal does not parse, OCR, index, or extract data from these uploaded documents. They are stored as opaque encrypted files in AWS S3 and served only to authorized users at the same customer company through short-lived presigned URLs.

Customers are responsible for redacting or omitting sensitive identifiers they do not want stored. If your business uploads these documents to Portal, you should establish your own internal policy on what gets redacted before upload.

Photos uploaded to Portal — including HEIC, JPEG, PNG, and WebP files — retain their original EXIF metadata. EXIF metadata may include GPS coordinates, device identifiers, capture timestamps, and other information embedded by the camera or phone that took the photo.

Portal does not strip EXIF metadata at upload time as of the "Last Updated" date above. EXIF stripping is on Alfil's product roadmap.

If location data in your photos is sensitive, strip EXIF metadata before uploading. Most smartphones and image editors offer this option.

We may update this Privacy Policy as our practices change. For material changes — for example, adding a new subprocessor, beginning to use cookies or analytics, or changing how we use personal information — we will:

• Send notice via email to active customer admins at least 30 days before the change takes effect
• Display an in-app banner on Portal
• Update the "Last Updated" date at the top of this page

Non-material changes (typo corrections, clarifications, formatting updates) take effect when posted, with the new "Last Updated" date.

Continued use of Portal after the effective date of a material change constitutes acceptance. If you object to a material change, you may cancel before the effective date.

Alfil Web Solutions LLC

• Privacy contact: contactus@alfilwebsolutions.com
• Mailing address: Tampa, Florida, USA — full street address pending registration
• Website: alfilwebsolutions.com

We respond to privacy inquiries within the timelines required by applicable law and within a reasonable time for non-statutory inquiries.