Privacy Policy

---

Effective date: September 22, 2023
Version: 1.3

This Privacy Policy explains how Framework Systems LLC. ("Framework Systems", "we", "us", "our")—delling the product Framework EDI—collects, uses, discloses, and protects information about you when you visit our websites, interact with us for sales or support, or use our products and services (collectively, the "Services").

Plain‑English summary: We use your information to operate and improve our website and Services, respond to you, secure our systems, and meet legal obligations. We do not sell your personal information. We only share it with trusted service providers and partners under contract to help us deliver the Services.
 

If you have questions or want to exercise privacy rights, contact us at [privacy@frameworksystems.com] or the postal address in Contact Us below.

This Policy applies to:

• Our public websites, landing pages, and forms (the "Website").
   
• Our software and related support (the "Product"), including any connectors you enable in your Microsoft tenant, and our help desk/knowledge base.
   

This Policy does not cover third‑party sites or services that are not under our control. Their privacy practices are governed by their own policies.

• Account & Profile: name, business email, phone number, job title, company, password, user preferences.
   
• Business Communications: inquiries, support tickets, chat messages, call notes, and related attachments.
   
• Transactions: billing contact details, purchase records, tax IDs; limited payment details if processed via a PCI‑compliant provider (we do not store full card numbers on our servers).
   
• Product Content (Customer Data): EDI messages, master data, and related business records you or your organization choose to process via the Product. You control what is submitted.
   

• Usage & Diagnostics: pages viewed, features used, timestamps, referring URLs, and performance metrics.
   
• Device & Log Data: IP address, browser type, OS, device identifiers, language, error logs.
   
• Cookies & Similar Technologies: essential cookies for site operation; optional analytics/measurement cookies; see Cookies below.
   

• Partners & Social/Ad Platforms: lead referrals, campaign performance, and form enrichment (business‑contact only).
   
• Integrations you enable: if you connect the Product to Microsoft Dynamics 365 or other systems, we may receive limited metadata necessary to enable the integration, subject to your configuration.
   

We do not knowingly collect information from children and do not offer the Services to individuals under 16.

We use information to:

1. Provide and maintain the Website and Product, including user authentication and account administration.
    
2. Operate product features, process Customer Data per your instructions, and provide support.
    
3. Secure the Services, prevent fraud/abuse, and detect, investigate, and mitigate incidents.
    
4. Improve our offerings through analytics, quality assurance, and product research.
    
5. Communicate with you about updates, security notices, and transactional or marketing messages (you may opt out of marketing anytime).
    
6. Comply with laws, enforce agreements, and protect our legal rights.
    

We do not use Customer Data (your EDI content or business records) to build or improve generalized AI models without your explicit, documented consent.

Where GDPR/UK GDPR applies, our processing is based on:

• Contract (Art. 6(1)(b)) to provide the Services.
   
• Legitimate interests (Art. 6(1)(f)) for security, improvement, and B2B marketing (balanced against your rights).
   
• Consent (Art. 6(1)(a)) where required (e.g., non‑essential cookies, certain marketing).
   
• Legal obligation (Art. 6(1)(c)).
   

We share information only as described below:

• Service Providers (Processors): hosting, backup, analytics, communications, CRM, email delivery, support tooling, security, and payments—bound by confidentiality and data‑processing terms.
   
• Partners/Resellers (Independent Controllers): if you request a referral, co‑selling support, or enable a partner relationship, we may share your business contact details and relevant engagement context.
   
• Legal/Compliance: to comply with law, enforce terms, or protect rights, privacy, safety, or property.
   
• Business Transfers: in a merger, acquisition, or asset sale with appropriate safeguards.
   

We do not sell personal information and we do not share it for cross‑context behavioral advertising as defined by the California Consumer Privacy Act (CCPA/CPRA).

We may process information in countries other than where you live. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms and implement additional safeguards.

We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:

• Account & profile: life of the account + up to 12 months.
   
• Marketing leads: 24 months from last interaction (unless you unsubscribe sooner).
   
• Support records: up to 36 months after closure.
   
• Logs & diagnostics: 12–18 months.
   
• Customer Data in the Product: per your organization’s configuration and contract; we delete/return upon termination or at your written instruction, subject to backups and applicable law.
   

We implement administrative, technical, and physical safeguards proportionate to the sensitivity of the data, including:

• Encryption in transit (TLS) and at rest for applicable systems;
   
• Role‑based access controls, least privilege, and SSO options;
   
• Network segmentation, monitoring, and vulnerability management;
   
• Secure development lifecycle and change controls;
   
• Incident response procedures and breach notification consistent with applicable laws.
   

No system is perfectly secure; please use strong passwords and enable available security controls.

You can unsubscribe from marketing emails via the link in each message. We may still send essential transactional or security communications.

See Cookies below to manage preferences. Where required, we will honor your Global Privacy Control (GPC) signal for opt‑out of sale/sharing.

Subject to law, you have the right to request: access, rectification, erasure, restriction, portability, and to object to certain processing (including direct marketing). You also have the right to withdraw consent where processing is based on consent.

California residents may request: to know/access, correct, and delete personal information; to opt out of sale or sharing; to limit use/disclosure of sensitive personal information; and to be free from discrimination for exercising rights. You may use an authorized agent to submit requests. We will verify requests consistent with law.

To exercise rights, contact us at [privacy@frameworksystems.com] or use our request form (if available). We will respond within legally required timeframes.

We use:

• Essential cookies (strictly necessary): security, session management, load balancing.
   
• Analytics cookies: to measure site usage and improve the Website.
   
• Functional cookies: to remember preferences and enhance features.
   

You can control cookies through your browser settings and (where available) our on‑site Cookie Preferences banner. Blocking some cookies may limit functionality.

We do not serve interest‑based advertising on our Website and do not use your information for cross‑context behavioral advertising.

• Customer Data processing: We process EDI messages and other Customer Data only per your organization’s instructions and applicable contract; you are the controller of Customer Data.
   
• AI/automation features: If you enable optional AI features, we process inputs/outputs to return results and to maintain the feature. We do not use Customer Data to train generalized models absent your explicit, opt‑in agreement.
   
• Microsoft ecosystem: Where the Product runs within your Microsoft tenant, your data remains governed by your tenant’s policies and controls. Any limited telemetry we collect is for security, reliability, and product improvement and is subject to this Policy and our DPA.
   

We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

We may update this Policy from time to time. The updated version will be indicated by an updated Effective date and will be posted on the Website. Material changes will be communicated via notice on the Website or by email where appropriate.

Categories collected (CPRA): identifiers (e.g., name, email), professional information (e.g., job title, company), internet/network activity (e.g., logs), geolocation (coarse IP‑based), and in limited cases financial/billing information via our payment processor. Sensitive personal information is not sought, but if provided (e.g., government IDs in support artifacts), we use it only for the purpose collected.
Purposes: as described in How we use information.
Retention: as described in Retention.
Sale/Sharing: we do not sell or share personal information for cross‑context behavioral advertising.
Right to opt out: not applicable because we do not sell or share as defined by CPRA; we still honor GPC signals.

For customers subject to data‑protection laws (e.g., GDPR, CPRA), our standard DPA governs our processing of Customer Data as a processor/service provider. Please contact us to request a copy or to execute the DPA.

• Replace bracketed placeholders (email, address, reps) with your real details.
   
• If you use specific subprocessors (e.g., hosting, analytics, email providers), link a Subprocessor List page.
   
• If you deploy advertising/remarketing, update Cookies and Sale/Sharing statements and add an opt‑out link.
   
• If you store or process payment data directly, update the Transactions and Security sections accordingly.
   
• Consult counsel to align with your contracts, industry, and jurisdictional requirements.