Privacy Policy

RetailedAgent — A Product of Palm Beach Tech, LLC

Effective Date: March 18, 2026
Last Updated: March 18, 2026

Palm Beach Tech, LLC ("Company," "we," "us," or "our") operates the RetailedAgent application and platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web-based platform.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

---

1. Information We Collect

1.1 Account Information

- Business owner/operator data: Name, email address, phone number, business name, business address, and billing information (processed via third-party payment processors).
- Employee data: Name, email address, phone number, employee role, and clock-in/clock-out records.

1.2 Video and Image Data

- CCTV camera feeds: The Service connects to your on-premises network video recorders (NVRs) and IP cameras (e.g., Reolink devices) to access live and recorded video streams.
- Video clips (pending): 60-second video clips are generated and temporarily stored when the AI system detects notable activity. Pending clips are automatically deleted after 24 hours unless a user marks them as "kept."
- Video clips (kept): Clips that a user explicitly saves are retained for 30 days from the date they are kept.
- Snapshots: Still images may be captured from camera feeds for event documentation and AI analysis.
- AI analysis metadata: Our system uses computer vision models (including YOLO for person detection and vision-language models for behavior analysis) to generate threat assessments (green/yellow/red levels), gesture recognition data, and behavioral annotations. These AI-generated metadata are derived from video feeds and stored alongside clips.

1.2.1 AI Processing of Video Data

Video data is processed using the following third-party AI services:

- YOLO (on-device or server-side): Person detection and object recognition in camera frames.
- Google Gemini API: Vision-language analysis for behavior interpretation and threat-level assessment.
- NVIDIA AI endpoints: Accelerated inference for video frame analysis.
- Moonshot Kimi K2.5: Supplemental vision-language model for behavioral annotation and context generation.

Camera snapshots and video frames may be transmitted to these third-party AI providers for processing. Only the minimum necessary visual data is sent, and no persistent storage of your video data occurs on third-party provider infrastructure beyond transient processing. Each provider's own privacy policy governs their handling of data during processing. See Section 3.1 for details.

1.3 Point-of-Sale (POS) Data

- Transaction data: Sales totals, transaction timestamps, product categories, payment method types (cash/credit/debit — we do not store full card numbers), and shift summaries sourced from Verifone Commander POS systems.
- Fuel sales data: Fuel grade, volume dispensed, pump number, and transaction amounts.
- Inventory data: Product stock levels, reorder alerts, and supplier information.

1.4 Location Data

- Employee GPS data: When employees clock in or clock out, the Service collects precise GPS coordinates to verify the employee is within a designated geofenced area around the business location. Location data is collected only at the moment of clock-in/clock-out events, not continuously.
- Business location data: Store addresses and geofence coordinates configured by the business owner.

1.5 Device and Usage Data

- Device information: Device type, operating system version, unique device identifiers, and push notification tokens.
- Usage data: Feature usage patterns, session duration, screens viewed, and interaction logs.
- Crash and performance data: Error logs, crash reports, and performance metrics.

1.6 Push Notification Data

- Notification tokens: Device-specific tokens for delivering security alerts, inventory alerts, and operational notifications.

---

2. How We Use Your Information

We use the information we collect to:

| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Performance of contract |
| Process and display CCTV feeds and AI-generated security alerts | Legitimate interest (security) |
| Generate threat-level assessments from video analysis | Legitimate interest (security) |
| Record employee clock-in/clock-out with location verification | Performance of contract / Legitimate interest |
| Aggregate and display sales and inventory data from POS systems | Performance of contract |
| Send push notifications for security events and operational alerts | Consent / Legitimate interest |
| Process subscription payments | Performance of contract |
| Improve and optimize the Service | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Detect and prevent fraud or unauthorized access | Legitimate interest |

---

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

3.1 Service Providers

We share data with third-party service providers who perform services on our behalf:

- Cloud infrastructure providers (e.g., AWS, Google Cloud) for data storage and processing.
- AI/ML model providers for video analysis processing, specifically:
  - Google (Gemini API) — receives camera snapshots/frames for vision-language behavioral analysis. Governed by [Google's API Terms of Service](https://ai.google.dev/terms) and [Privacy Policy](https://policies.google.com/privacy).
  - NVIDIA (AI endpoints) — receives video frames for accelerated computer vision inference. Governed by [NVIDIA's Privacy Policy](https://www.nvidia.com/en-us/about-nvidia/privacy-policy/).
  - Moonshot AI (Kimi K2.5) — receives camera snapshots for supplemental behavioral annotation. Governed by Moonshot AI's terms of service and privacy policy.
- Payment processors for subscription billing (e.g., Stripe, Apple In-App Purchase, Google Play Billing).
- Push notification services (Apple Push Notification Service, Firebase Cloud Messaging).
- Analytics providers for usage analytics.

Important: When video frames or snapshots are sent to third-party AI providers, the data is used solely for real-time inference and is not retained by these providers beyond the duration of the API request, per their respective terms. We do not grant these providers any rights to use your video data for model training.

3.2 Within Your Organization

Business owners and authorized managers can view all data associated with their business location(s), including employee clock-in/clock-out records and associated location data.

3.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, including to:

- Comply with a subpoena, court order, or similar legal process.
- Respond to a request from law enforcement or other government agencies.
- Protect the rights, property, or safety of Palm Beach Tech, LLC, our users, or the public.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your information becomes subject to a different privacy policy.

---

4. Data Storage and Security

4.1 Storage

- Video clips and snapshots are stored in encrypted cloud storage.
- POS data and employee records are stored in encrypted databases.
- GPS location data from clock-in/clock-out events is stored alongside the corresponding time records.

4.2 Security Measures

We implement industry-standard security measures including:

- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls.
- Regular security audits and vulnerability assessments.
- Secure API authentication using tokens and API keys.
- Network isolation for data processing services.

4.3 Data Residency

Data is primarily stored and processed in the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States.

---

5. Data Retention

We retain data according to our [Data Retention Policy](./data-retention-policy.md):

| Data Type | Retention Period |
|---|---|
| Video clips — pending (60-second) | 24 hours |
| Video clips — kept (60-second) | 30 days |
| AI-generated snapshots | 30 days |
| AI threat metadata | 90 days |
| POS transaction data | 2 years |
| Employee clock-in/clock-out records | 1 year |
| Employee GPS coordinates | 90 days |
| Account information | Duration of account + 30 days |
| Crash/analytics data | 1 year |

After retention periods expire, data is permanently deleted or anonymized.

---

6. Your Privacy Rights

6.1 All Users

You may:

- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your account and associated personal information.
- Export your data in a machine-readable format.
- Opt out of non-essential push notifications via app settings.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

- Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at [rasha@palmbeachtech.io](mailto:rasha@palmbeachtech.io) or submit a request through the app. We will respond within 45 days.

Categories of personal information collected (preceding 12 months):

- Identifiers (name, email, phone, device IDs)
- Geolocation data (employee clock-in/clock-out GPS)
- Commercial information (POS transaction data)
- Internet/electronic activity (app usage, device info)
- Audio/visual information (CCTV video clips and snapshots)
- Professional/employment information (employee role, schedules)

6.3 Florida Residents

If you are a Florida resident, the following applies:

- Video surveillance: Florida law permits video-only surveillance in public and commercial areas with appropriate notice (signage). RetailedAgent processes video only — no audio is captured or processed by our AI system.
- Audio recording: Florida Statutes § 934.03 requires all-party consent for oral communications interception. RetailedAgent does not record, process, or transmit audio. If your cameras have built-in microphones, you must disable audio recording or obtain consent from all recorded parties independently. Palm Beach Tech, LLC is not responsible for audio recording configurations on your hardware.
- Florida Digital Bill of Rights (effective July 1, 2024): If applicable, Florida residents who interact with businesses meeting the statutory thresholds may exercise rights to access, correct, and delete personal data, and to opt out of certain data processing. Contact us to exercise these rights.

6.4 European Economic Area, UK, and Swiss Residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights:

- Right of Access (Article 15)
- Right to Rectification (Article 16)
- Right to Erasure (Article 17)
- Right to Restriction of Processing (Article 18)
- Right to Data Portability (Article 20)
- Right to Object (Article 21)
- Right to Withdraw Consent at any time where processing is based on consent

To exercise these rights, contact our Data Protection contact at [rasha@palmbeachtech.io](mailto:rasha@palmbeachtech.io). You also have the right to lodge a complaint with your local supervisory authority.

Legal Bases for Processing:

- Contract: Providing the Service you subscribed to.
- Legitimate Interest: Security monitoring, fraud prevention, service improvement.
- Consent: Push notifications, optional analytics.
- Legal Obligation: Tax records, employment law compliance.

6.5 Employee Data Rights

Employees whose data is collected through the Service (clock-in/clock-out, location verification) should contact their employer (the business using RetailedAgent) for data access requests. Employers are the data controllers for employee data; Palm Beach Tech, LLC acts as a data processor.

---

7. AI and Automated Decision-Making

7.1 How AI Is Used

The Service uses artificial intelligence to:

- Detect persons in CCTV camera feeds using object detection models.
- Analyze detected behavior and assign threat levels (green = normal, yellow = attention, red = alert).
- Generate descriptive annotations of observed activity.

7.2 Human Oversight

AI-generated threat assessments are informational alerts intended to assist human decision-making. They do not trigger automated actions against any individual. Business owners and operators review all alerts and make independent decisions about any response.

7.3 Limitations

AI analysis may produce inaccurate results. Threat-level assessments are probabilistic and should not be used as the sole basis for any action affecting an individual. We do not use facial recognition or biometric identification.

---

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at [rasha@palmbeachtech.io](mailto:rasha@palmbeachtech.io).

---

9. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services (e.g., POS systems, camera hardware). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you use in connection with RetailedAgent.

---

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

- Posting the updated policy within the app.
- Sending a notification to your registered email address.
- Updating the "Last Updated" date at the top of this policy.

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

---

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Palm Beach Tech, LLC
Email: [rasha@palmbeachtech.io](mailto:rasha@palmbeachtech.io)
Website: [https://retailedagent.com](https://retailedagent.com)

For data protection inquiries, privacy rights requests, or complaints, please email [rasha@palmbeachtech.io](mailto:rasha@palmbeachtech.io) with the subject line "Privacy Request."