PRIVACY POLICY

OM Intelligence Inc.

A Delaware Corporation

Effective Date: March 24, 2026

Last Revised: March 24, 2026

1. INTRODUCTION

OM Intelligence Inc. (“Company,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard information when you access or use our website at om-intelligence.com and any subdomains, mobile applications, APIs, or successor services (collectively, the “Service”). This Privacy Policy is incorporated into and subject to the Terms of Service. Capitalized terms not defined herein have the meanings given in the Terms of Service.

By accessing or using the Service, you consent to the collection, use, and processing of information as described in this Privacy Policy. If you do not agree, you must not use the Service.

1.1 Data Processing Roles

OM Intelligence acts as a data controller with respect to account information, usage data, and operational data. With respect to User Content (documents, deal data, and other materials you upload or input), the Company acts primarily as a data processor on your behalf. Where required by applicable law (including GDPR or CCPA/CPRA), the Company will enter into a Data Processing Agreement (DPA) or equivalent addendum upon request.

1.2 Confidentiality Commitment

We treat User Content as confidential. We do not access, use, or disclose User Content except as necessary to provide, maintain, and improve the Service, or as required by law. Access to User Content is restricted to authorized personnel on a need-to-know basis and to automated systems necessary for Service delivery.

2. INFORMATION WE COLLECT

2.1 Information You Provide

• Account Information: Name, work email address, company name, and login credentials provided during registration or account management.
• User Content: Offering memorandums, financial documents, rent rolls, operating statements, appraisals, buyer models, Excel files, and other materials you upload to the Service. User Content may contain financial data, property information, tenant details, and other business information.
• Deal Data: Assumptions, manual overrides, scenario parameters, waterfall configurations, and other inputs you provide through the platform interface.
• Intelligence Chat Interactions: Questions, queries, and conversational inputs you submit through the Intelligence Chat feature, along with the system-generated responses.
• Communications: Messages sent to support, feedback submissions, and other communications with the Company.
• Demo Request Information: Name, work email, and company name submitted through the demo request form on the landing page.

2.2 Information Generated by the Service

In the course of providing the Service, we generate and store the following data associated with your account:

• Extracted Data: Structured data extracted from your uploaded documents by AI models and deterministic parsers, including evidence candidates, confidence scores, source lineage, field assignments, and resolution outcomes.
• Traced Values: Immutable records tracking the origin, history, and supersession chain of every data value in the system, including extraction origin, user overrides, and computed derivations.
• Governance Data: Validation run results, export certifications, staleness flags, override audit trails, and dependency tracking records.
• Grading and Metrics: Extraction grades, coverage percentages, completeness scores, anchor pass rates, and diagnostic counts computed by the pipeline.
• Service Outputs: Generated exports including IC Memo PDFs, Pro Forma PDFs, Parameters PDFs, Excel models, waterfall workbooks, and chat export PDFs.

2.3 Automatically Collected Information

• Device and Usage Data: IP address, browser type and version, operating system, device identifiers, pages visited, features used, time and date of access, referral URLs, and session duration.
• Analytics Data: Document processing events, extraction pipeline metrics, export actions, API usage patterns, error logs, and performance data.
• Cookies and Similar Technologies: We may use cookies, local storage, and similar technologies to maintain session state, remember preferences, and collect usage analytics. You may configure your browser to reject cookies, though some features of the Service may not function properly.

2.4 Information We Do Not Intentionally Collect

We do not intentionally collect sensitive personal identifiers such as Social Security numbers, bank account numbers, credit card numbers, health information, or government-issued identification numbers. If such information is included in uploaded documents, it will be processed as part of document extraction but is not separately identified, indexed, or used by the Company for any purpose other than delivering the Service.

3. HOW WE USE YOUR INFORMATION

We use information collected through the Service for the following purposes:

• Service Delivery: To provide, operate, maintain, and deliver the Service, including document extraction, data resolution, deterministic underwriting, scenario modeling, waterfall calculations, Intelligence Chat responses, governance validation, and export generation.
• AI Processing: To process User Content through AI models for data extraction and analysis. This may involve transmitting User Content to third-party AI service providers (see Section 5).
• Account Management: To authenticate users, manage accounts, and prevent unauthorized access.
• Service Improvement: To analyze usage patterns, diagnose technical issues, improve extraction accuracy, optimize pipeline performance, and develop new features.
• Communications: To respond to support requests, send service announcements, and communicate material changes to the Service or these policies.
• Security and Compliance: To detect, prevent, and respond to fraud, security incidents, or other harmful activities, and to comply with legal obligations.
• Legal Protection: To enforce our Terms of Service, protect our rights, and respond to legal process.

4. DATA RETENTION AND DELETION

4.1 User Content and Uploaded Documents

Uploaded documents are stored in association with your account and are retained for as long as your account is active or as needed to provide the Service. You may request deletion of specific documents at any time. Upon account termination, uploaded documents will be deleted after a reasonable retention period (typically 30 days) to allow for data export.

4.2 Extracted and Structured Data

Extracted fields, evidence candidates, traced values, governance records, scenarios, overrides, and other structured deal data are retained for as long as your account is active. This data is necessary to provide the Service, including audit trails, lineage tracking, and historical analysis. Upon account termination, structured data will be deleted in accordance with Section 4.1.

4.3 Service Outputs

Generated exports (PDFs, Excel files) are available for download but may not be permanently retained by the Service. The Company does not guarantee the long-term availability or reproducibility of any Service Output. Users are strongly encouraged to download and maintain independent copies of all Service Outputs they wish to preserve, as the Company does not guarantee long-term availability or reproducibility of generated exports.

4.4 Account Information

Account registration information (name, email, company) is retained while your account is active. You may request deletion of your account and associated personal information by contacting support@om-intelligence.com. We will process deletion requests within 30 days, subject to any legal retention requirements.

4.5 Logs and Analytics

We retain device data, usage logs, analytics data, and error logs for security, debugging, and service improvement purposes, typically for 12 to 24 months. This data may be retained in anonymized or aggregated form beyond that period.

4.6 Intelligence Chat History

Chat interactions (your queries and system-generated responses) are stored in association with your account and the relevant deal. Chat history is retained for as long as the associated deal exists in your account. You may request deletion of chat history for specific deals.

5. THIRD-PARTY DATA PROCESSING

5.1 AI Service Providers

User Content may be transmitted to third-party AI service providers for data extraction and analysis. Current providers include Anthropic (Claude) and OpenAI (GPT-4). These providers process User Content as necessary to perform extraction and generate analysis results. By using the Service, you consent to the transmission and processing of User Content by such providers.

We select AI providers that maintain commercially reasonable data handling safeguards and contractual commitments regarding data use. However, data transmitted to third-party AI providers is subject to those providers’ own privacy policies and data practices, which are outside the Company’s direct control.

5.1.1 AI Model Training

We do not use User Content to train proprietary AI models. User Content transmitted to third-party AI providers is sent via API for transient processing only. We select API configurations and provider agreements that are designed to prevent the use of User Content for model training by third-party providers. However, the Company cannot independently audit or guarantee the internal data handling practices of third-party AI providers. Users who require absolute assurance that their data will not be used for model training should review the applicable provider’s data policies directly. Users with heightened sensitivity regarding data usage for model training should consider this limitation before uploading highly confidential documents.

5.2 Infrastructure Providers

The Service is hosted on Amazon Web Services (AWS) infrastructure located in the United States (us-east-1 region). User Content and account data are stored on AWS services including but not limited to RDS (PostgreSQL), S3, ECS, and CloudFront. AWS maintains its own security certifications and compliance programs.

5.3 Other Service Providers

We may share information with service providers who assist in operating the Service, including email delivery, analytics, monitoring, and payment processing. These providers are contractually bound to use your information only as necessary to perform services on our behalf and to maintain appropriate security measures.

5.4 Subprocessors

We may engage additional subprocessors to assist in providing the Service. All subprocessors are subject to comparable data protection obligations. We maintain an internal record of subprocessors and will notify enterprise customers of material changes to subprocessors where required by applicable data processing agreements.

6. DISCLOSURE OF INFORMATION

We do not sell personal information. We do not use personal information or User Content for advertising, profiling, or marketing purposes unrelated to the Service. We may disclose information in the following circumstances:

• Service Providers: As described in Section 5, to third-party providers who assist in delivering the Service.
• Legal Requirements: When required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will provide notice where feasible and require the acquiring entity to honor this Privacy Policy.
• With Your Consent: We may share information with your explicit consent or at your direction.
• Aggregated or De-Identified Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you, for research, analysis, benchmarking, or industry reporting purposes.

7. SECURITY

We implement reasonable technical, administrative, and physical safeguards designed to protect information transmitted to and stored within the Service, including:

• AES-256 encryption for data at rest
• TLS 1.2/1.3 encryption for data in transit
• Multi-tenant isolation with row-level security (RLS) enforced at the database level
• Role-based access controls and authentication via JSON Web Tokens (JWT)
• Audit logging of access and modification events
• Infrastructure-level security via AWS security groups, VPC isolation, and managed services
• Regular security monitoring and incident response procedures

While we implement commercially reasonable safeguards, no system is completely secure, and we cannot guarantee that unauthorized access, data breaches, or security incidents will never occur. The Company does not guarantee the security, integrity, or confidentiality of any data transmitted to or stored within the Service. You transmit information at your own risk.

8. DATA LOCATION AND TRANSFERS

The Service is operated from the United States. All data, including User Content, account information, and Service Outputs, is stored and processed in the United States (AWS us-east-1, N. Virginia). If you access the Service from outside the United States, you consent to the transfer of your information to the United States, which may have different data protection laws than your jurisdiction.

Data transmitted to third-party AI providers may be processed in locations determined by those providers. The Company does not control the data processing locations of third-party AI providers.

Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States or other jurisdictions, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent transfer safeguards as required by applicable law.

9. YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Restriction: Request restriction of processing of your personal information in certain circumstances.
• Data Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
• Objection: Object to processing of your personal information in certain circumstances.
• Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact support@om-intelligence.com. We will respond within 30 days or such shorter period as required by applicable law. We may require verification of your identity before processing requests.

9.1 California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information as defined under the CCPA.

9.2 European Privacy Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent local legislation. Our legal basis for processing your personal information includes performance of a contract (providing the Service), legitimate interests (security, improvement), and consent (where applicable). You have the right to lodge a complaint with your local data protection authority.

10. CHILDREN’S PRIVACY

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided personal information to us, please contact support@om-intelligence.com.

11. DO NOT TRACK

The Service does not currently respond to “Do Not Track” browser signals. We may use analytics and usage tracking as described in Section 2.3 regardless of any Do Not Track preferences.

12. THIRD-PARTY LINKS

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party services you access.

13. DATA BREACH NOTIFICATION

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and in accordance with applicable law, typically within 72 hours where required by GDPR or equivalent legislation. Notification may be provided via email to the address associated with your account, through the Service interface, or by other means as required by applicable law. The Company will make reasonable efforts to determine the scope of the breach and take steps to mitigate further risk.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the revised policy on the Service and update the “Last Revised” date. Material changes will be communicated via email or prominent notice on the Service. Your continued use of the Service after changes are posted constitutes acceptance of the revised Privacy Policy.

15. RELATIONSHIP TO TERMS OF SERVICE

This Privacy Policy is incorporated into and forms part of the Terms of Service. In the event of any conflict between this Privacy Policy and the Terms of Service regarding data handling, the more protective provision shall apply. All limitations of liability, disclaimers, and indemnification provisions in the Terms of Service apply to this Privacy Policy.

16. CONTACT US

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: support@om-intelligence.com

OM Intelligence Inc.

A Delaware Corporation

OM Intelligence Inc.

A Delaware Corporation