Privacy Policy

CommandOS™ ("we," "our," or "us") is committed to protecting the privacy and security of the information entrusted to us by fire departments, EMS agencies, and their personnel ("Departments," "you," or "your"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use the CommandOS™ platform, website, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please discontinue use of our Services.

We collect information in the following categories:

2.1 Information You Provide Directly — Department and organizational information (department name, address, state, size) — Personnel information (name, job title, email address, phone number) — Account credentials and authentication data — Incident reports, training records, and operational data entered into the platform — Communications submitted through contact, demo request, or quote request forms

2.2 Information Collected Automatically — Log data (IP address, browser type, pages visited, timestamps) — Device information (operating system, device identifiers) — Usage data (features accessed, session duration, interaction patterns) — Cookies and similar tracking technologies (see Section 7)

2.3 Information from Third Parties We do not purchase or acquire personal data from third-party data brokers. We may receive authentication data from identity providers you authorize.

We use the information we collect for the following purposes:

— Platform Operation: To provide, maintain, and improve the CommandOS™ platform and its features — Account Management: To create and manage department accounts and user access — Customer Support: To respond to inquiries, troubleshoot issues, and provide technical assistance — Communications: To send service updates, security alerts, and administrative notices — Compliance: To comply with applicable laws, regulations, and legal obligations — Security: To detect, investigate, and prevent fraudulent or unauthorized activity — Analytics: To understand usage patterns and improve platform performance (using aggregated, de-identified data only) — Contractual Obligations: To fulfill obligations under department service agreements

We do not sell, rent, or trade your personal information or department data to third parties for marketing purposes.

We may share your information only in the following limited circumstances:

4.1 Service Providers We engage trusted third-party vendors to assist in operating our platform (e.g., cloud hosting, database infrastructure, email delivery). These vendors are contractually obligated to protect your data and may only use it to perform services on our behalf.

4.2 Legal Requirements We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of CommandOS™, our clients, or the public.

4.3 Business Transfers In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected Departments prior to any such transfer.

4.4 With Your Consent We may share information for any other purpose with your explicit written consent.

We do not share operational incident data, personnel records, or department-specific data with any other department, agency, or third party without explicit authorization from the originating Department.

We implement industry-standard administrative, technical, and physical safeguards to protect your information, including:

— Encryption of data in transit (TLS 1.2+) and at rest (AES-256) — Role-based access controls limiting data access to authorized personnel — Regular security assessments and vulnerability testing — Secure data centers with physical access controls — Incident response procedures for potential data breaches

While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected Departments in the event of a confirmed data breach as required by applicable law.

We retain your information for as long as your Department maintains an active service agreement with CommandOS™, plus any additional period required by applicable law or regulation.

Upon termination of a service agreement: — Department operational data (incident reports, training records, personnel data) will be made available for export for a period of 30 days following termination — After the export window, data will be securely deleted from our systems within 90 days, unless retention is required by law — Aggregated, de-identified analytics data may be retained indefinitely

Departments may request early deletion of their data by submitting a written request to [email protected].

We use cookies and similar technologies to operate and improve our Services:

— Essential Cookies: Required for platform authentication and session management. Cannot be disabled. — Analytics Cookies: Used to understand how the platform is used (aggregated data only). Can be disabled via browser settings. — Preference Cookies: Used to remember your settings and preferences.

We do not use advertising or behavioral tracking cookies. You can control cookie settings through your browser; however, disabling essential cookies may affect platform functionality.

CommandOS™ is designed for use by public safety agencies and is built with awareness of applicable regulatory frameworks, including:

— CJIS (Criminal Justice Information Services): We follow CJIS Security Policy guidelines where applicable to law enforcement-adjacent data — HIPAA Considerations: While CommandOS™ is not a covered entity under HIPAA, we handle EMS patient data with appropriate safeguards and can execute Business Associate Agreements (BAAs) upon request — State Public Records Laws: Departments are responsible for complying with applicable state public records and open records laws. We will cooperate with lawful records requests directed to Departments — NIST Cybersecurity Framework: Our security practices are aligned with NIST CSF guidelines

Departments with specific compliance requirements should contact us to discuss applicable data handling addenda.

Authorized Department administrators have the following rights regarding their data:

— Access: Request a copy of data held about your Department — Correction: Request correction of inaccurate information — Deletion: Request deletion of Department data (subject to legal retention requirements) — Portability: Request an export of Department data in a standard format — Restriction: Request restriction of certain processing activities

To exercise these rights, contact us at [email protected]. We will respond to verified requests within 30 days.

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, please contact us immediately at [email protected].

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify active Departments of material changes via email at least 30 days prior to the effective date of the update. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

The current version of this policy is always available at commandoperatingsystem.com/privacy-policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CommandOS™ — Privacy & Legal Email: [email protected] Website: commandoperatingsystem.com

We are committed to resolving privacy concerns promptly and transparently.