Privacy Policy

Effective Date: September 18, 2025

1. Introduction

This Privacy Policy applies to Zapper Edge LLC ("Zapper Edge", "we", "us", or "our") and describes how we collect, use, disclose, retain and protect Personal Data in connection with our managed file transfer platform (the "Platform"), related services (the "Services"), and our websites. The Platform is delivered to and operated within the cloud environment selected and controlled by our clients. As described below, clients are generally the data controllers for the content they process through the Platform.

2. Definitions

For purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person.

• "Client" means an entity that has contracted with Zapper Edge for the use of the Platform or Services.

• "Client Data" means content, files and data uploaded, stored, processed or transmitted by the Client through the Platform.

• "Processor" and "Controller" have the meanings set out in applicable data protection law.

3. Scope; Controller / Processor Roles

Clients deploying the Platform on their cloud environment are the Controller of Client Data. Zapper Edge does not take ownership of, host, or otherwise hold Client Data as part of the ordinary provision of the Platform. Where Zapper Edge processes Personal Data on behalf of a Client (for example, certain support diagnostics or managed services provided under a separate agreement), Zapper Edge acts as a Processor and will process such Personal Data only on documented instructions from the Client pursuant to a Data Processing Agreement (DPA) or Business Associate Agreement (BAA).

4. Categories of Personal Data Collected

Zapper Edge may collect and process Personal Data in the following categories:

a) Account and contact data: names, job titles, business contact details, billing and invoicing information.

b) Transaction data: records of orders, subscriptions, invoices and payments.

c) Support and technical data: support tickets, correspondence with our support team, and limited diagnostic logs or metadata provided with consent to troubleshoot issues.

d) Website and usage data: cookies, IP addresses, device information, browsing activity, and analytics data from our websites and marketing materials.

5. Purposes and Legal Bases for Processing

We process Personal Data for the following purposes: (i) to perform contractual obligations to Clients (on the basis of contract); (ii) to comply with legal obligations; (iii) to pursue our legitimate business interests such as improving the Platform, fraud detection, and security (where such interests are not overridden by data subject rights); and (iv) with consent where required (for example, certain cookies or marketing communications).

6. Cookies and Tracking

We use cookies and similar technologies on our websites for site functionality, analytics and security. We use session and persistent cookies. Visitors may control cookie settings through their browser preferences; disabling cookies may affect functionality.

7. Disclosure and Recipients

Zapper Edge does not sell or share Personal Data for third-party marketing. We do not disclose Client Data to third parties for their independent use. Personal Data may be disclosed: (a) to our personnel and service providers who require access to perform services on our behalf (subject to confidentiality obligations and contractual restrictions); (b) in response to lawful requests by public authorities; (c) to comply with legal process; or (d) to protect the rights, property or safety of Zapper Edge, our users or others.

8. Subprocessors and Third-Party Services

Where Zapper Edge acts as a Processor, we may engage subprocessors (such as hosting providers, analytics services, or support tooling) to perform processing activities on our behalf. We will enter into written contracts with subprocessors that impose data protection obligations at least as protective as those in our DPA. We do not transfer Personal Data to subprocessors for their independent use.

9. International Transfers

Because Clients select the cloud regions where the Platform is deployed, Personal Data may be processed in multiple jurisdictions. Where Zapper Edge transfers or receives Personal Data across borders (e.g., when performing support or managed services), we will use appropriate safeguards such as Standard Contractual Clauses or other lawful mechanisms, or rely on an adequacy decision where available.

10. Data Retention and Deletion

Personal Data processed by Zapper Edge is retained only as long as necessary to fulfill the purposes described in this Policy, to comply with legal obligations, or as otherwise agreed in writing with the Client. For Client Data residing in the Client's environment, retention and deletion are controlled by the Client and performed per the Client's instructions ('as per client request'). Upon termination of Services, Zapper Edge will, at the Client's direction and subject to applicable law, delete or return Personal Data processed on the Client's behalf.

11. Security

Zapper Edge maintains administrative, technical and physical safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration or destruction. Security measures include access controls, encryption where appropriate, secure development practices, vulnerability management, logging and monitoring. While we implement reasonable measures, no security control can provide absolute protection.

12. Data Subject Rights

Subject to local law, individuals may have rights to access, correct, object to or restrict processing, erase Personal Data, and obtain a copy of Personal Data in a portable format. To exercise these rights, contact us at contactus@zapperedge.com. We will respond to verified requests in accordance with applicable law.

13. Breach Notification

In the event of a security incident affecting Personal Data for which Zapper Edge is responsible, we will notify the affected Client(s) without undue delay and cooperate in incident response and remediation. Notification timelines and content will be governed by the DPA or BAA where applicable and by applicable law.

14. Compliance; Regulatory Commitments

Zapper Edge designs its security and privacy practices to align with GDPR, HIPAA and SOC 2 principles. Statements regarding compliance do not constitute a certification unless expressly stated; Zapper Edge will enter into a DPA or BAA with Clients where required by law or at the Client's request.

15. Children's Privacy

The Services are intended for business use and are not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children under the age of 16.

16. Changes to this Policy

We may modify this Privacy Policy from time to time. Material changes will be posted on our website and the Effective Date will be updated. Continued use of the Services after the Effective Date constitutes acceptance of the revised Policy.

17. Contact

If you have questions, requests, or concerns about this Privacy Policy, contact:

Zapper Edge LLC
1621 Central Ave
Cheyenne, WY 82001
United States
Email: contactus@zapperedge.com

Annex A: Data Processing Agreement / Business Associate Agreement (Summary & Template)

This Annex provides a concise Data Processing Agreement ("DPA") and Business Associate Agreement ("BAA") template that Zapper Edge will execute with Clients when Zapper Edge processes Personal Data on the Client's behalf or where the Client requires HIPAA Business Associate protections.

A.1. Purpose and Scope

The DPA/BAA governs Zapper Edge's processing of Personal Data on behalf of the Client, including the subject-matter, duration, nature and purpose of processing; the types of Personal Data; and categories of data subjects.

A.2. Roles and Responsibilities

Client: Controller. Zapper Edge: Processor/Business Associate. The Processor will process Personal Data only on documented instructions from the Controller and will implement appropriate technical and organizational measures.

A.3. Processing Details

Nature and purpose: Provision, operation, maintenance and support of the Platform.

Duration: For the term of the relevant Services and any data retention period required by law or agreed by the Parties.

Types of Personal Data: account and contact data, transaction data, support and diagnostic data, website usage data.

Categories of Data Subjects: Client personnel, Client customers (to the extent data is processed as part of managed services), and visitors to Client-managed endpoints.

A.4. Security Measures

Processor will implement and maintain appropriate technical and organizational measures including, where applicable: access controls, encryption in transit, secure development lifecycle, vulnerability management, logging, monitoring, and incident response.

A.5. Subprocessing

Processor may engage subprocessors to perform processing activities on its behalf. Processor will: (a) maintain a current list of subprocessors; (b) flow down equivalent data protection obligations to subprocessors; and (c) remain responsible for subprocessors' compliance.

A.6. International Transfers

Where applicable, the Parties will implement appropriate transfer mechanisms (e.g., Standard Contractual Clauses) for transfers of Personal Data across borders.

A.7. Audit Rights

Client may, upon reasonable notice and subject to confidentiality obligations, audit Processor's compliance with the DPA/BAA through (a) review of Processor's SOC 2 or other third-party audit reports where available; or (b) an on-site audit, if mutually agreed and limited in scope and frequency.

A.8. Breach Notification and Cooperation

Processor will notify Controller without undue delay upon becoming aware of a Personal Data breach and will cooperate in investigation and remediation. Notification will include details to the extent known, including a description of the breach, categories and approximate number of data subjects affected, and measures taken.

A.9. Return or Deletion

Upon termination of Services, Processor will, at Controller's choice, return or securely delete Personal Data processed on its behalf, except as required by law.

A.10. Liability Allocation

The DPA/BAA will include the Parties' liability allocation in accordance with the applicable Terms and any limitations otherwise agreed by the Parties.