1. Introduction

This Privacy Policy describes how SmartStream ERP Solutions (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information through our mobile application (the “App”) available on iOS and Android platforms.

1.1 Who We Are

The App is a Business-to-Business (B2B) field service management platform designed for use by employees of organizations (each, a “Tenant” or “Customer”) that have contracted with us for services. This policy applies to users who access the App through their organization’s account.

1.2 Scope of This Policy

This Policy applies to:

• Data collection and processing through the App
• Data transmitted between the App and our servers
• Data shared with your ERP system
• Our Admin Panel website used by Tenants for configuration management

This Policy does NOT cover:

• Your ERP vendor’s data practices (governed by their separate privacy policy)
• Your organization’s internal data handling practices
• Third-party OAuth providers’ data handling (e.g., Microsoft Azure Entra ID)

Note: This policy addresses how we process information as a service provider. Your organization’s own privacy policies and data handling practices also apply to how your personal information is used within your organization.

1.3 Responsibility Model

We are responsible for: Data we collect through the App, how we process it on our servers, and how we transmit it securely.

Tenant is responsible for:

• Obtaining necessary consent from Users to download and use the App
• Determining the lawful basis for processing data through our App
• Data governance within your organization
• Configuring user access controls and license allocations

2. Data We Collect

2.1 Information Provided by Your Organization

When your organization configures the App for its users, we receive:

• Account Identity Information: Name, email address, job title, department, and employee ID
• Authentication Credentials: Your organization’s ERP account credentials OR OAuth tokens (e.g., Azure Entra ID) used to authenticate you into the App
• License Information: Data indicating which features and services your account is licensed to access

2.2 Information Collected During App Usage

As you use the App, we automatically collect:

• Device Information: Device model, operating system version, unique device identifier, and app version
• Usage and Activity Data: Features you access, actions performed, timestamps, and frequency of use
• Location Data: Your approximate or precise location (only when necessary to support field service operations and only with your explicit permission; you can modify location permissions in your device settings)
• IP Address and Network Information: IP address and mobile carrier information
• Performance Data: App crashes, error logs, and performance metrics to improve App functionality

2.3 Information Related to ERP Integration

The App communicates with your organization’s ERP server to manage field service operations. This data flow includes:

• Field Service Data: Task information, job details, completion status, and field service operational data
• ERP User Data: Information about your organization’s ERP users that is necessary to display relevant work assignments and task information
• Operational Logs: Transaction logs and data synchronization records between the App and your ERP system

2.4 License Control Data

To enforce license allocation, we collect and maintain:

• License Usage Data: Which users are assigned to licenses, license activation dates, and license utilization metrics

3. Legal Basis for Processing

We process personal information for the following lawful purposes:

3.1 Contract Performance

• Authenticating you to the App and managing your account access
• Delivering field service management features and functionality
• Enforcing license controls and managing subscription services
• Processing and displaying work assignments and operational data from your ERP system

3.2 Legitimate Business Interests

• Improving and optimizing App performance, security, and stability
• Analyzing aggregated, anonymized usage patterns to develop new features
• Detecting, preventing, and addressing fraud, security issues, and technical problems
• Complying with applicable laws and regulations
• Protecting our legal rights and the rights of our users

3.3 Consent

When we collect location data or access sensitive device features, we rely on explicit consent obtained through your device’s permission system.

4. How We Use Your Information

We use the information we collect to:

• Provide and maintain the App and deliver the services your organization has contracted for
• Authenticate and authorize your access to the App and manage your account
• Synchronize data between the App and your organization’s ERP system
• Display field service information relevant to your assigned tasks and responsibilities
• Manage and enforce license allocations across your organization’s user base
• Improve, develop, and optimize the App through aggregated usage analysis
• Maintain security and prevent misuse of the App and our infrastructure
• Respond to your inquiries and provide customer support
• Comply with legal obligations and enforce our terms of service
• Troubleshoot technical issues, including analyzing app crashes and errors

We do not use personal information for:

• Behavioral marketing or targeted advertising
• Training artificial intelligence or machine learning models on your personal data without explicit separate consent
• Selling or commercially licensing your personal information to third parties
• Any purpose outside the scope of providing the contracted services

5. How We Share Your Information

5.1 Sharing with Your Organization

Your organization’s administrators can access your usage information, assigned tasks, and license status through the App and our Admin Panel. This is necessary for your organization to manage its licenses and field service operations.

5.2 Sharing with Service Providers

We engage third-party service providers to help us operate the App and provide services to you. These providers may access personal information only to the extent necessary to perform their functions:

• Cloud Infrastructure Providers: Host and store App data, process information, and provide security infrastructure
• Analytics and Monitoring Services: Analyze App performance and usage patterns (on an aggregated basis)
• Customer Support Platforms: Manage support inquiries. Receive only information you voluntarily provide when contacting support.
• Payment and Billing Processors: Process subscription and license payments if applicable

We require all service providers to:

• Process personal information only as instructed by us
• Maintain appropriate security measures
• Not disclose personal information for their own purposes
• Delete or return personal information upon request

5.3 Sharing with ERP Systems

The App sends operational data to your organization’s ERP server as instructed. We do not control how your organization’s IT systems use this data once received. Your organization is responsible for managing access to its ERP systems and data.

5.4 Legal Compliance and Safety

We may disclose personal information without seeking prior consent when:

• Required by law, court order, or government request
• Necessary to protect the security or integrity of the App or our services
• Reasonably necessary to prevent fraud, security breaches, or other illegal activities
• Necessary to protect the legal rights, privacy, or safety of our company, users, or the public
• Tenant Request. At the explicit request of your organization’s authorized administrators

6. Data Retention

We maintain different retention schedules for different categories of personal information based on the purposes for which we process them and applicable legal requirements. The categories and retention periods are described below:

6.1 Active Account Data

While your organization maintains an active account with us, we retain your personal information to continue providing the App and managing your license allocation.

6.2 Data Retention Schedule by Category

6.2.1 Authentication Data (Session Management and User Login)

Retention Period:

• Active Sessions: Retained for the duration of your active session (typically until you log out or after a period of inactivity)
• User Login History and Authentication Records: Retained for 1 year from the last login date
• Archived Authentication Data: Additional archived data retained for up to 2 years for security auditing and fraud investigation purposes

Purpose: To maintain account security, prevent unauthorized access, facilitate account recovery, and comply with security audit requirements.

6.2.2 App to ERP Transactions (Transaction Payloads and Logs)

Retention Period:

• Active Transaction Records: Retained for 6 years from the date of transaction completion
• Archived Transaction Data: Archived transaction payloads retained for 6 years with limited access for audit and historical analysis purposes

Purpose: To maintain complete transaction history, support audit trails, comply with financial and operational record-keeping obligations, and facilitate dispute resolution.

Note: These transaction records are critical for field service operational continuity and financial accountability. After 6 years, archived data is securely destroyed in accordance with applicable law.

6.2.3 Tenant Configurations and License Management Data (Admin Panel)

Retention Period:

• Active Configuration Records: Retained for the entire duration of your organization’s active account
• After Tenant Termination: Retained for 6 years following the termination of your organization’s agreement with us
• Configuration History and Audit Logs: Retained for 6 years after account termination

Purpose: To maintain audit trails of license assignments, configuration changes, administrative actions, and support historical context. This extended retention period enables us to address post-termination disputes, fulfill contractual obligations, and comply with record-keeping requirements.

Access: During the 6-year post-termination retention period, archived configuration data is stored securely with restricted access and is used only for dispute resolution, legal compliance, or audit purposes.

6.2.4 Analytical Data (Device Information and Location Data)

Retention Period:

• Analytical Data Retained: 12 months from collection date
• Aggregated, Anonymized Data: May be retained longer for trend analysis and service improvement purposes

Purpose: To analyze app performance, identify usage patterns, diagnose technical issues, and improve the App. Device information and location data used for analytical purposes are typically aggregated and anonymized.

6.2.5 Support Communication Data

Retention Period:

• Support Tickets, Emails, and Chat Logs: Retained for 3 years from the date of the last support interaction
• Resolution Documentation: Retained for 3 years to provide historical context for troubleshooting and pattern recognition

Purpose: To provide continued support to your organization, maintain service quality history, resolve recurring issues, and retain evidence of service delivery and problem resolution.

Access: Support data is retained with access limited to authorized support personnel and administrators requiring historical context for issue resolution.

6.3 After Account Termination

Upon termination of your organization’s agreement with us or closure of your account:

• We securely delete or anonymize personal information according to the category-specific retention schedules outlined in Section 6.2
• Specific retention periods for each data category supersede this general provision
• After the applicable category-specific retention period expires, we securely delete or anonymize the data, except as required by law
• Aggregated and anonymized data may be retained longer for service improvement and statistical analysis

6.4 ERP Data Handling

Your organization’s ERP data remains under your organization’s control. We process it only as instructed by your organization and for the duration of your active account. Upon account termination, your organization is responsible for retrieving its ERP data from our platform. Retention periods for ERP synchronization logs and operational records are managed according to the terms agreed in your organization’s contract with us.

6.5 Legal Holds and Regulatory Retention

We may retain personal information longer than our standard retention periods when:

• Required by applicable law (such as financial, tax, or employment law requirements)
• Subject to a legal hold in connection with litigation, regulatory investigation, or formal government request
• Necessary for fraud prevention, security purposes, or protection of legal rights

In such cases, we will retain the information for the duration of the legal requirement or hold, and will securely delete it afterward.

6.6 Secure Deletion and Anonymization

When we delete personal information, we do so securely using methods that render data unrecoverable. When we anonymize data, we do so in a manner that permanently separates the information from any identifier that could link it to an individual or organization, ensuring that the data cannot be re-identified.

7. Your Privacy Rights and Choices

7.1 Access and Portability

You have the right to:

• Request access to the personal information we hold about you
• Receive your information in a structured, commonly used, portable format
• Understand how your information is being processed

To exercise these rights, contact your organization’s administrator or submit a request to simran@smartstreamerp.com.

7.2 Correction and Updates

You may request correction of inaccurate or incomplete personal information. Your organization’s administrator can typically update account information through the Admin Panel.

7.3 Deletion and Opt-Out

• Right to Deletion: You may request deletion of personal information we hold about you, subject to legal retention obligations. Note that your organization’s administrators may override this request for operational continuity.
• Location Permissions: You can disable location tracking by adjusting your device’s privacy settings for the App
• Device Information: You can restrict collection of certain device identifiers through your device’s privacy settings
• App Analytics: You can limit tracking through your device’s opt-out mechanisms (e.g., Apple’s Limit Ad Tracking or Google’s Ads Personalization settings)

7.4 Withdraw Consent

For any processing that relies on your consent, you may withdraw that consent at any time. However, withdrawal may impact the functionality of the App or prevent us from delivering certain services.

7.5 Lodge Complaints

If you believe we are not handling your personal information in accordance with this policy or applicable law, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.

7.6 Exercise Your Rights

To exercise any of these rights, contact:

• Your Organization’s Administrator (who can facilitate requests on your behalf), OR
• Our Privacy Team: simran@smartstreamerp.com

We will respond to requests within [30 days] (or as required by applicable law), or we will notify you of any extension needed.

8. Data Security

We implement appropriate administrative, technical, and physical security measures to protect personal information against unauthorized access, alteration, disclosure, and destruction.

8.1 Security Measures Include

• Data Encryption: Encryption of personal information in transit (TLS 1.2 or higher) and at rest using industry-standard encryption protocols
• Authentication Controls: Secure credential management for ERP account authentication
• Access Controls: Role-based access control limiting access to personal information to authorized personnel only
• Monitoring and Logging: Continuous monitoring and logging of access to personal information for security and compliance purposes
• Regular Assessments: Periodic security audits and vulnerability assessments
• Incident Response: Documented procedures for responding to security incidents

8.2 Your Responsibility

While we implement strong security measures, no system is completely immune to security risks. You are responsible for:

• Maintaining the confidentiality of your login credentials
• Not sharing your account access with unauthorized individuals
• Reporting suspicious activity to your organization’s administrators
• Keeping your device and operating system updated with security patches

9. Data Transfers and Jurisdictions

9.1 International Data Transfers

Our App and services may involve transfers of personal information across borders, including potentially to countries outside your country of residence. When we transfer personal information internationally, we implement appropriate legal mechanisms and security measures, which may include:

• Standard contractual clauses
• Data processing agreements with strict restrictions on use
• Adequate security and encryption protections

9.2 Data Location

Our servers and primary data centers are located in United States (Central US).

Additional backup and disaster recovery infrastructure may be located in different regions (e.g. Canada).

10. Children’s Privacy

The App is not intended for individuals under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under the minimum age, we will promptly delete such information.

11. Third-Party Links

The App may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before providing your personal information.

12. California, Virginia, Colorado, and Other U.S. State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another state with privacy laws, you may have additional privacy rights:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information (with certain exceptions)
• Right to Correct: Request correction of inaccurate information
• Right to Opt-Out: Opt-out of certain types of data sharing or processing (where applicable)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact simran@smartstreamerp.com. We will verify your identity and respond within the timeframe required by your state’s law (typically 30 to 45 days).

13. European Union and UK Privacy Rights (GDPR and UK GDPR)

If you are located in the European Union or United Kingdom, the GDPR and UK GDPR provide additional privacy rights:

• Right of Access: Request access to your personal information and information about its processing
• Right to Rectification: Request correction of inaccurate personal information
• Right to Erasure: Request deletion of personal information (subject to legal obligations to retain)
• Right to Restrict Processing: Request limitation on how we process your information
• Right to Data Portability: Request your information in a portable format
• Right to Object: Object to certain types of processing
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Our EU/UK Data Protection Officer: simran@smartstreamerp.com

Data Protection Authority:

• EU: Contact your national supervisory authority at https://edpb.ec.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner’s Office (ICO) at https://ico.org.uk/

To exercise GDPR rights, contact simran@smartstreamerp.com.

14. License Control and Admin Functions

Your organization’s administrators can use the Admin Panel to:

• Assign and revoke licenses for users
• View high-level usage statistics and license allocation
• Manage organizational settings and configurations

Administrators have access to information necessary to manage licenses and the organization’s use of the App, but are subject to role-based access controls that limit their visibility to their organization’s data only.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy with a new “Last Updated” date
• Notify you through the App or email if the changes materially affect your privacy rights
• Require your organization’s acceptance of updated terms for continued use of the App

Your continued use of the App after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

16. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact:

17. Glossary of Terms

• App: The mobile application available on iOS and Android platforms provided by SmartStream ERP Solutions
• Personal Information: Any information that identifies, relates to, or could reasonably be linked with an individual
• Tenant/Customer: An organization that has contracted with us to use the App and related services
• ERP: Enterprise Resource Planning system used by your organization
• OAuth: An open standard for secure authentication and authorization
• Admin Panel: The web-based administrative interface used by your organization to manage the App and user licenses
• Processor: An entity that processes personal information on behalf of a controller, as defined under privacy regulations like GDPR
• Controller: An entity that determines the purposes and means of processing personal information