Privacy Policy

Effective May 2, 2026.

The "Service" referenced in this Policy is provided by Excess Quest LLC, a Delaware limited liability company with its registered office at 8 The Green, STE A, Dover, DE 19901, United States ("Excess Quest", "we", "us", or "our"). Excess Quest LLC is the data controller for users worldwide and the merchant of record for all subscriptions and digital purchases (processed via Stripe).

Our iOS application "Surplus Funds List" is distributed on the Apple App Store under the developer account of Excess Quest Ltd, a separate company organized under the laws of England and Wales and under common ownership with Excess Quest LLC. Excess Quest Ltd's role is limited to App Store distribution; it does not operate the Service, hold customer data, or process payments. References in this Policy to "we", "us", or "our" mean Excess Quest LLC unless explicitly stated otherwise.

This Privacy Policy ("Policy") governs the collection, use, storage, disclosure, and protection of Personal Data by Excess Quest LLC, the operator of the Surplus Funds List platform (the "Service," which includes the web application accessible at surplusfundslist.com and the Surplus Funds List iOS application (the "Mobile App")). This Policy applies to each natural person who accesses or uses the Service (each, a "User"), including visitors to the marketing website, registered subscribers (each, an "Account" holder), individuals invited to an Account by an administrator (each, an "Authorized User"), and any data subject whose Personal Data is processed through the Service.

For purposes of this Policy, "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and Cal. Civ. Code § 1798.140(v) (the California Consumer Privacy Act, as amended by the California Privacy Rights Act, collectively "CCPA/CPRA"). "Sub-processor" means a third party engaged by Excess Quest to process Personal Data on its behalf in connection with the Service. "AI Sub-processors" means the Sub-processors identified in Section 4.1.1. By accessing or using the Service, the User acknowledges receipt of this Policy and, to the extent processing is conditioned on consent, consents to the processing described herein. This Policy is incorporated by reference into, and read in conjunction with, the Terms & Conditions.

1. Categories of Personal Data Collected

1.1 Personal Data Provided by the User

Excess Quest collects the following categories of Personal Data when voluntarily submitted by the User:

  • Account Registration Data: first name, last name, email address, hashed authentication credentials, telephone number, business name, and state of operation.
  • Billing and Payment Data: payment card or debit card details, billing address, and transaction history. Cardholder data is processed by Stripe, Inc. (a PCI-DSS Level 1 service provider). Excess Quest does not store the primary account number, full magnetic stripe data, CVV, or PIN on its own servers.
  • Customer Relationship Management Data ("CRM Data"): contact records, case files, notes, documents, attachments, templates, and any other content the User uploads to or generates within the Service.
  • Communications Content: SMS messages, voice call audio, call recordings, voicemail recordings, electronic mail content, and electronically signed documents transmitted or received through the Service.
  • Support Correspondence: messages and electronic mail directed to Excess Quest support personnel.
  • AI Interaction Data: prompts, queries, and conversational inputs submitted to the Ivy assistant or any other AI-enabled feature of the Service.
  • Organization Data: organization name, Authorized User identifiers, and organizational hierarchy as configured within the Account.

1.2 Personal Data Collected Automatically

The Service collects the following categories of Personal Data automatically upon access:

  • Device and Browser Data: Internet Protocol (IP) address, user agent string, operating system, device type, screen resolution, and language preference.
  • Usage Data: pages and features accessed, in-app actions, click events, session duration, and navigation paths.
  • Log Data: access timestamps, error logs, referring URLs, and server request metadata.
  • Approximate Location Data: coarse geographic location derived from IP address. Precise geolocation (GPS) is not collected.

1.3 Personal Data Received from Third Parties

Excess Quest may receive Personal Data from third-party services that the User connects to the Service, including identity providers (Apple, Google), payment processors (Stripe), telecommunications providers (Twilio), and lawfully obtained public-record sources used to compile the leads database.

1A. Mobile App Data and Device Permissions

The Mobile App requests access to specified device capabilities only upon User-initiated action. Each request is presented through the iOS system permission prompt and may be reviewed or revoked at any time within iOS Settings. Permissions are scoped to the minimum necessary to deliver the relevant feature.

1A.1 Camera

The Mobile App invokes camera access solely when the User affirmatively elects to scan a case document or capture an image for attachment to a case. Background camera access is not performed. Captured images remain on the User's device unless and until the User attaches them to a case, at which point the image is uploaded to the Account.

1A.2 Photo Library

The Mobile App invokes read access to the iOS Photo Library only at the moment the User selects a photograph for attachment. Add access is invoked only when the User elects to save a Service-generated document (for example, an executed PDF) to the Photo Library. The Mobile App does not scan, index, or read the Photo Library in the background.

1A.3 Microphone

The Mobile App invokes microphone access exclusively during voice calls placed through the in-app dialer. Call audio is transmitted in real time through Twilio Inc., the telecommunications Sub-processor identified in Section 4.1, for the purpose of call connection and signaling.

If the User enables call recording for a given call, the resulting recording is stored within the Twilio infrastructure and made accessible to the User and to other Authorized Users associated with the same Account. The User is solely responsible for compliance with all applicable wiretap, eavesdropping, and call-recording consent statutes, including (without limitation) the federal Wiretap Act (18 U.S.C. § 2511) and the call-recording consent regimes of the User's jurisdiction and the jurisdiction of each call participant (whether one-party or two-party consent). Excess Quest provides the technical capability to record calls; it does not adjudicate the legality of recording in any particular jurisdiction or transaction, and it does not undertake to obtain consent on the User's behalf.

1A.4 Push Notifications

Push notifications are opt-in and are delivered through the Apple Push Notification service. When enabled, the Mobile App uses push notifications to alert the User to inbound message replies, incoming calls routed through the Service, and assigned tasks. The User may revoke push notification consent at any time within iOS Settings or within the Mobile App at Settings, Notifications.

1A.5 Categories of Data Not Collected by the Mobile App

The Mobile App does not collect any of the following categories of data:

  • precise geolocation or background location data;
  • contacts from the device address book;
  • calendar entries, reminders, or task data outside the Service;
  • health, fitness, or medical data;
  • the Identifier for Advertisers (IDFA) or any other advertising identifier;
  • any data used for cross-application or cross-website tracking, as that term is defined under Apple's App Tracking Transparency framework.

2. Purposes of Processing

Excess Quest processes Personal Data for the following purposes:

2.1 Provision and Operation of the Service

  • operating, maintaining, and providing the Service and each of its features;
  • processing Account registration and managing the User's subscription;
  • processing payments, billing, invoicing, and reconciliation;
  • delivering leads data, CRM functionality, communications tools, AI assistant outputs, and electronic-signature workflows;
  • providing technical support and responding to User inquiries.

2.2 Service Improvement

  • analyzing usage patterns to improve functionality, performance, and reliability;
  • developing new features and product capabilities;
  • conducting internal research and analytics on aggregated and de-identified data;
  • identifying and remediating defects, errors, and security vulnerabilities.

2.3 Communications

  • sending transactional communications relating to the Account (billing receipts, password resets, security alerts);
  • sending service communications (feature updates, scheduled maintenance, material changes to this Policy or the Terms & Conditions);
  • sending promotional communications, subject to the User's opt-out rights under applicable law.

2.4 Security, Fraud Prevention, and Legal Compliance

  • detecting, preventing, and investigating fraud, abuse, and unauthorized access;
  • enforcing the Terms & Conditions and other governing policies;
  • complying with legal obligations, court orders, and regulatory requirements;
  • protecting the rights, property, and safety of Excess Quest, its Users, and the public.

3. Legal Bases for Processing

For Users subject to the GDPR or analogous regimes, Excess Quest processes Personal Data on the following legal bases set forth in Article 6(1) of the GDPR:

  • Performance of a Contract (Art. 6(1)(b)): processing necessary to perform the contract for provision of the Service to which the User is a party, or to take pre-contractual steps at the User's request.
  • Consent (Art. 6(1)(a), Art. 7): processing based on the User's freely given, specific, informed, and unambiguous consent (for example, optional marketing communications and non-essential cookies). The User may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Legitimate Interests (Art. 6(1)(f)): processing necessary for the legitimate interests pursued by Excess Quest or a third party (including service improvement, information security, fraud prevention, and direct business communications), provided such interests are not overridden by the User's fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c)): processing necessary to comply with a legal obligation to which Excess Quest is subject.

4. Disclosures of Personal Data

Excess Quest does not sell or share Personal Data within the meaning of Cal. Civ. Code § 1798.140(t) and § 1798.140(ah). Personal Data is disclosed only in the limited circumstances set forth in this Section 4.

4.1 Sub-processors

Excess Quest engages the Sub-processors identified below to perform discrete processing functions on its behalf. Each Sub-processor is bound by a written Data Processing Agreement ("DPA") that satisfies the requirements of GDPR Article 28 (or, where applicable, the equivalent provisions of CCPA/CPRA Service Provider obligations under § 1798.140(ag)). Each Sub-processor is permitted to process Personal Data solely for the purpose of providing the contracted service to Excess Quest, is required to maintain appropriate technical and organizational security measures, and is prohibited from selling or independently using the Personal Data.

  • Supabase, Inc. (Delaware, United States). Purpose: authentication, relational database hosting, and object storage for Account records, CRM Data, and uploaded documents. Data categories transferred: all Personal Data identified in Sections 1.1 and 1.2. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • Stripe, Inc. (Delaware, United States). Purpose: subscription billing and payment processing. Data categories transferred: payment card details, billing address, transaction history. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • Twilio Inc. (Delaware, United States). Purpose: SMS messaging, voice call origination and termination, call recording, and voicemail. Data categories transferred: call audio, SMS message content, sender and recipient telephone numbers, call recordings (when enabled by the User), voicemail recordings, and associated metadata. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • Resend (Beam Software, Inc.) (Delaware, United States). Purpose: transactional electronic mail delivery for Account notifications, password resets, security alerts, and lead distribution reports. Data categories transferred: recipient email address, message content, and delivery metadata. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • Sentry (Functional Software, Inc.) (Delaware, United States). Purpose: application error and crash reporting. Data categories transferred: stack traces, device and browser metadata, request paths, and User identifiers necessary for defect diagnosis. Legal basis under GDPR: Art. 6(1)(f). DPA: in place; Standard Contractual Clauses where applicable.
  • Apple Inc. (California, United States). Purpose: Sign in with Apple authentication and Apple Push Notification service. Data categories transferred: name, email address (or Apple Private Relay address where elected), and device push tokens. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Apple's standard data terms apply.
  • Google LLC (Delaware, United States). Purpose: Sign in with Google authentication via OAuth 2.0, limited to the profile and email scopes. Data categories transferred: name, email address, and Google account identifier. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • Cloudflare, Inc. (Delaware, United States). Purpose: Cloudflare Turnstile bot-detection and abuse prevention on the Sign-Up page (implemented via @marsidev/react-turnstile on the /onboarding route, with server-side challenge validation in /api/auth/signup). Data categories transferred: IP address, browser fingerprint, and challenge-response token. Processing is automated and limited to the duration of the challenge. Legal basis under GDPR: Art. 6(1)(f). DPA: in place; Standard Contractual Clauses where applicable.
  • Unipile S.A.S. (France). Purpose: third-party email account integration. When the User connects an email mailbox to the Service, Unipile authenticates with the underlying provider on the User's behalf and reads, sends, and organizes messages within the Service in accordance with the access the User grants. Data categories transferred: provider authentication tokens, message envelope metadata, message content, and contact identifiers. The User authorizes the connection on a per-account basis and may revoke it at any time within Account settings. Legal basis under GDPR: Art. 6(1)(b) and, for any optional analytics, Art. 6(1)(a). DPA: in place; intra-EU transfer where applicable, Standard Contractual Clauses for any onward transfer outside the EEA.

4.1.1 AI Sub-processors and Data Transmitted to AI Services

Excess Quest engages the following AI Sub-processors to deliver the AI-enabled features of the Service (the "AI Services"), including the Ivy in-app assistant, case research, message drafting, and CSV column-mapping suggestions:

  • Anthropic, PBC (Delaware, United States). Purpose: primary inference provider for the Ivy assistant and other AI Services via the Claude API. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.
  • OpenAI, L.L.C. (Delaware, United States). Purpose: secondary inference provider used as a fallback when the primary provider is unavailable, and for CSV column-mapping suggestions during data imports. Legal basis under GDPR: Art. 6(1)(b). DPA: in place; Standard Contractual Clauses where applicable.

Categories of data transmitted to AI Sub-processors. When the User invokes an AI Service, Excess Quest transmits to the relevant AI Sub-processor only the data necessary to generate the requested output, comprising:

  • the User-typed prompt or instruction;
  • Case data (claimant name; claimant contact information; case status; case identifiers; and document content where the User has expressly attached it to the prompt or to the underlying case);
  • Organization metadata (organization name; message templates; saved learnings configured within the Account);
  • Authorized User name (for attribution).

Categories of data not transmitted. Payment card data, authentication credentials, and the User's IP address are not transmitted to the AI Sub-processors in connection with a prompt.

Model training restriction. Each AI Sub-processor is contractually bound, under its enterprise or API terms of service applicable to Excess Quest, not to use Excess Quest customer data (including User prompts and Case data submitted through the Service) to train its base or foundation models.

User election to avoid AI processing. The User may avoid all transmission of data to AI Sub-processors by electing not to invoke the AI Services (Ivy assistant, case research features, and CSV column-mapping suggestions). As of the Effective Date, no global toggle disables AI Services at the Account level; AI processing occurs only upon affirmative invocation by the User.

4.2 International Data Transfers

Personal Data may be transferred to, stored in, and processed in jurisdictions outside the User's country of residence, including the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or to any other third country that has not received an adequacy decision from the European Commission (or, as applicable, the United Kingdom Government or the Swiss Federal Data Protection and Information Commissioner), Excess Quest relies on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as applicable, executed with each Sub-processor pursuant to GDPR Articles 44 to 49. Equivalent transfer mechanisms (the UK International Data Transfer Addendum and the Swiss FDPIC's recognition of the SCCs) are used for transfers originating in the United Kingdom and Switzerland respectively. A copy of the relevant transfer mechanism is available on request to [email protected].

4.3 User Rights and How to Exercise Them

Subject to applicable law and verification of identity, the User has the right to know what Personal Data is processed about the User and the purposes of processing (Cal. Civ. Code §§ 1798.100, 1798.110, 1798.115; GDPR Art. 15); the right to delete Personal Data (Cal. Civ. Code § 1798.105; GDPR Art. 17); the right to correct inaccurate Personal Data (Cal. Civ. Code § 1798.106; GDPR Art. 16); the right to opt out of the sale or sharing of Personal Data (Cal. Civ. Code § 1798.120; not applicable, as Excess Quest does not sell or share Personal Data); the right to non-retaliation for the exercise of privacy rights (Cal. Civ. Code § 1798.125); the right to data portability (GDPR Art. 20); the right to restrict processing (GDPR Art. 18); the right to object to processing based on legitimate interests (GDPR Art. 21); the right to withdraw consent where processing is based on consent (GDPR Art. 7(3)); and the right to lodge a complaint with a competent supervisory authority (GDPR Art. 77). Rights with respect to automated decision-making are addressed in GDPR Art. 22; Excess Quest does not engage in solely automated decision-making producing legal or similarly significant effects on the User. To exercise any right, the User shall send a written request to [email protected]; identity verification consistent with 11 C.C.R. § 7060 et seq. (or the equivalent verification standard under applicable law) is required before substantive action is taken on any request.

4.4 Disclosures Required by Law

Excess Quest may disclose Personal Data where required by law, regulation, judicial process, or governmental request, including (without limitation) responses to subpoenas, search warrants, court orders, civil investigative demands, and lawful requests from law enforcement or regulatory authorities. Where permitted by law, Excess Quest will provide reasonable notice to the affected User prior to disclosure.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction involving Excess Quest, Personal Data may be transferred to the successor or acquiring entity as part of the transferred business assets. Excess Quest will provide notice of any such transfer and of any choices the User may have with respect to the transferred Personal Data.

4.6 Protection of Rights

Excess Quest may disclose Personal Data where it has a good-faith belief that disclosure is reasonably necessary to protect its rights, enforce the Terms & Conditions, investigate suspected violations, prevent fraud or security incidents, or protect the safety of Users or the public.

4.7 Disclosures with the User's Consent

Excess Quest may disclose Personal Data to third parties where the User has provided explicit consent to that disclosure.

5. Data Location, Security, and Retention

5.1 Data Location

Personal Data is stored on infrastructure located in the United States. By using the Service, the User acknowledges the cross-border transfer described in Section 4.2 and consents (where consent is the relevant lawful basis) to processing in the United States, which may afford different statutory data-protection guarantees than the User's country of residence.

5.2 Security Measures

Excess Quest maintains technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, loss, or destruction, consistent with GDPR Article 32 and CCPA/CPRA § 1798.150(a)(1). Such measures include:

  • encryption of data in transit using TLS 1.2 or higher;
  • encryption of designated categories of data at rest;
  • cryptographic password hashing using industry-standard algorithms;
  • role-based access controls and the principle of least privilege for internal systems;
  • periodic vulnerability assessment and security monitoring;
  • network segmentation and firewall controls.

No method of electronic transmission or storage is fully secure, and Excess Quest cannot warrant absolute security. The User is responsible for safeguarding the confidentiality of Account credentials and for all activity occurring under the Account.

5.3 Data Retention

Personal Data is retained for the duration of the Account and for a reasonable period thereafter as necessary to:

  • satisfy legal, tax, accounting, anti-money-laundering, and regulatory obligations;
  • resolve disputes and enforce agreements;
  • prevent fraud and abuse;
  • maintain business records as required by applicable law.

Following the applicable retention period, Personal Data will be securely deleted or de-identified such that it no longer relates to an identified or identifiable natural person. CRM Data, uploaded documents, and communications records associated with a terminated Account are deleted in accordance with the internal retention schedule, subject to the carve-outs identified in Section 7.5.

6. Cookies and Similar Technologies

6.1 Categories of Cookies

  • Strictly Necessary Cookies: required to deliver the Service, including session management, authentication, and security. These cookies cannot be disabled without rendering the Service inoperable.
  • Functional Cookies: retain User preferences and configuration (for example, theme and language) to provide a consistent experience.
  • Analytics Cookies: collect aggregated, de-identified data regarding Service usage for performance and product improvement purposes.

6.2 Third-Party Cookies

Excess Quest does not deploy third-party advertising or behavioral-tracking cookies. Certain integrated third-party services (for example, payment processors and analytics tools) may set their own cookies governed by their respective privacy policies.

6.3 Cookie Management

The User may control cookie behavior through browser settings. Disabling strictly necessary cookies will impair core Service functionality.

7. User Rights Under Applicable Law

Section 4.3 sets forth the consolidated catalogue of User rights and the procedure for exercising them. This Section 7 supplements Section 4.3 with jurisdiction-specific detail.

7.1 Generally Available Rights

  • Access: the right to obtain confirmation of processing and a copy of Personal Data held by Excess Quest.
  • Correction: the right to obtain rectification of inaccurate or incomplete Personal Data. Most Account fields may be updated directly within Account settings.
  • Deletion: the right to obtain erasure of Personal Data, subject to permissible exceptions and to legal retention obligations.
  • Marketing Opt-Out: the right to opt out of promotional communications at any time via the unsubscribe mechanism in any marketing email or by written request. Opt-out does not affect transactional or service communications.
  • Portability: the right to receive Personal Data in a structured, commonly used, machine-readable format.

7.2 California Residents (CCPA/CPRA)

Residents of the State of California are afforded the rights enumerated at Cal. Civ. Code §§ 1798.100 et seq., including:

  • the right to know what Personal Data is collected, used, disclosed, and sold or shared (§§ 1798.100, 1798.110, 1798.115). Excess Quest does not sell or share Personal Data within the meaning of § 1798.140(t) and § 1798.140(ah);
  • the right to delete Personal Data (§ 1798.105), subject to the statutory exceptions in § 1798.105(d);
  • the right to correct inaccurate Personal Data (§ 1798.106);
  • the right to opt out of the sale or sharing of Personal Data (§ 1798.120) (not applicable);
  • the right to limit use and disclosure of sensitive Personal Data (§ 1798.121);
  • the right to non-retaliation for the exercise of CCPA/CPRA rights (§ 1798.125).

To exercise any right under CCPA/CPRA, the User shall contact [email protected]. Excess Quest will verify identity in accordance with 11 C.C.R. § 7060 et seq. and will respond to a verifiable consumer request within 45 days, subject to a one-time 45-day extension where reasonably necessary and with notice to the User.

7.3 European Economic Area, United Kingdom, and Switzerland (GDPR)

Users located in the EEA, the United Kingdom, or Switzerland are afforded the rights set forth at GDPR Articles 15 to 22, including:

  • access (Art. 15);
  • rectification (Art. 16);
  • erasure (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • objection to processing based on legitimate interests, including profiling (Art. 21);
  • withdrawal of consent at any time, without retroactive effect (Art. 7(3));
  • the right to lodge a complaint with a competent supervisory authority (Art. 77).

The Service is operated from the United States. International transfers are addressed in Section 4.2 above.

7.4 Other State Privacy Laws

Residents of other U.S. states with comprehensive consumer privacy legislation (including, without limitation, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with enacted statutes) may exercise the rights conferred by their respective state laws by contacting [email protected].

7.5 Account Deletion (CCPA § 1798.105; GDPR Art. 17; App Store Review Guideline 5.1.1(v))

In furtherance of the User's statutory right of erasure under Cal. Civ. Code § 1798.105 and Article 17 of the GDPR, the User may delete the Account and the associated Personal Data directly within the Service. To initiate deletion, the User shall navigate to Settings, Personal, Delete Account within the Mobile App or the web application and confirm the deletion. The User may alternatively submit a deletion request to [email protected]. (The in-app deletion path is provided in compliance with Apple App Store Review Guideline 5.1.1(v).)

Upon confirmation, Excess Quest will remove the Account and the associated Personal Data from active production systems within twenty (20) days, subject to the following carve-outs: (i) Personal Data subject to legal retention obligations (including, without limitation, tax, accounting, anti-money-laundering, and dispute-resolution requirements) will be retained for the period mandated by applicable law and will be access-restricted during such retention; (ii) aggregated and de-identified data that no longer permits the identification of the User will be retained; and (iii) communications metadata held by Sub-processors (for example, call detail records held by the telecommunications Sub-processor) will be deleted in accordance with each Sub-processor's standard retention schedule and applicable telecommunications recordkeeping requirements.

8. Communications Data (Voice, SMS, and Electronic Mail)

Use of the in-app communications tools causes the following categories of Personal Data to be collected and stored:

  • call metadata (originating and terminating telephone numbers, call duration, timestamps, and call disposition);
  • call recordings (where the User has enabled recording for the call);
  • SMS message content, sender and recipient telephone numbers, and delivery status;
  • electronic mail content, sender and recipient addresses, and delivery status;
  • voicemail recordings and machine-generated transcriptions.

User responsibility. The User is solely responsible for compliance with all federal, state, and foreign laws governing the recording, monitoring, and transmission of voice, SMS, and electronic mail communications, including (without limitation) the federal Wiretap Act (18 U.S.C. §§ 2510 et seq.), the Electronic Communications Privacy Act, the Telephone Consumer Protection Act (47 U.S.C. § 227) and its implementing regulations at 47 C.F.R. § 64.1200, the CAN-SPAM Act (15 U.S.C. §§ 7701 et seq.), and applicable state-law one-party or two-party consent regimes. The User is responsible for obtaining all consents required from each call or message recipient.

Communications Data is retained for the duration of the active subscription and is subject to the retention provisions of Section 5.3. Excess Quest does not monitor, review, or access the content of User communications except as necessary to provide technical support (with the User's consent), to comply with legal process, or to investigate suspected violations of the Terms & Conditions.

9. CRM Data and User-Uploaded Content; Controller and Processor Roles

As between Excess Quest and the User, the User retains all right, title, and interest in and to all CRM Data and other content the User uploads to or creates within the Service. Excess Quest processes such content solely for the purpose of providing the Service.

The User is the Data Controller (within the meaning of GDPR Art. 4(7) and the equivalent "Business" designation under Cal. Civ. Code § 1798.140(d)) with respect to the Personal Data of third parties (clients, leads, claimants, and contacts) stored within the Service. The User is responsible for establishing a lawful basis for processing such Personal Data, for issuing all required notices, and for obtaining all required consents.

Excess Quest is the Data Processor (within the meaning of GDPR Art. 4(8) and the equivalent "Service Provider" designation under Cal. Civ. Code § 1798.140(ag)) with respect to such Personal Data. Excess Quest processes CRM Data only as necessary to provide the Service in accordance with the User's documented instructions, the Terms & Conditions, and applicable law, and does not access, use, retain, or disclose CRM Data for any purpose other than the provision of the Service unless required by law or expressly authorized by the User.

10. Children's Privacy

The Service is directed exclusively to natural persons aged eighteen (18) years or older. Excess Quest does not knowingly collect Personal Data from any individual under the age of eighteen, nor from any "child" as defined in the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq. Upon becoming aware that Personal Data has been collected from a person under the age of eighteen, Excess Quest will take reasonable steps to delete such Personal Data without undue delay. Suspected violations of this Section 10 may be reported to [email protected].

11. Do Not Track Signals

In the absence of a uniform industry or regulatory standard governing the interpretation of the "Do Not Track" (DNT) browser signal, the Service does not respond to DNT signals. Excess Quest does not track Users across third-party websites or applications for advertising purposes.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or resources. This Policy applies solely to the Service. Excess Quest is not responsible for the privacy practices, content, or security of any third-party website or service. The User should review the privacy policies of each third-party service accessed through or in connection with the Service.

13. Personal Data Breach Notification

In the event of a Personal Data breach (as defined in GDPR Art. 4(12)) or a security incident involving the unauthorized acquisition of Personal Data (as defined under applicable U.S. state breach-notification statutes), Excess Quest will notify affected Users and competent regulatory authorities in accordance with GDPR Articles 33 and 34, the applicable state breach-notification statutes (including, without limitation, Cal. Civ. Code §§ 1798.29 and 1798.82), and any other governing law. Notification will identify, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

14. Changes to This Privacy Policy

Excess Quest may amend this Policy from time to time to reflect changes in its practices, the Service, or applicable law. Where an amendment is material, Excess Quest will provide notice by posting the revised Policy with an updated Effective Date and, where appropriate, by sending a notice to the email address associated with the Account. Continued use of the Service following an amendment constitutes acceptance of the revised Policy.

Users are encouraged to review this Policy periodically.

15. Contact Information

Questions, requests, and complaints concerning this Policy or the processing of Personal Data may be directed to:

Excess Quest LLC

Privacy inquiries: [email protected]

General support: [email protected]

Mailing address: 8 The Green, STE A, Dover, DE 19901, United States

Website: surplusfundslist.com

Excess Quest will respond to privacy inquiries within thirty (30) days of receipt, or within such shorter period as may be required by applicable law.