Privacy Policy for ShawTech, LLC

1. Scope and who this policy applies to

ShawTech, LLC is a Pennsylvania-based business. This policy applies to information collected through:

• Our public website and informational pages.
• Customer portals, dashboards, and reports for PGH Core and PGH Core+.
• Monitoring agents or integrations used as part of PGH services.
• BRIDGE scoping, on-site readiness reviews, findings documents, and related communications.
• Email, forms, support messages, and other direct communications with us.

This policy does not override separate written agreements (such as an order form, statement of work, or data processing addendum) that expressly state different data-handling terms for a specific customer engagement. If there is a conflict, the signed written agreement controls for that engagement.

2. The types of information we collect

We collect information from you directly, automatically, and through service operation.

A. Information you provide directly

• Contact details (name, company, role, email, phone number).
• Account and login-related information for portal users (such as usernames, role assignments, and authentication events).
• Billing and subscription information (billing contacts, plan selection, transaction references, and related records).
• Messages, support requests, form submissions, and attachments you send us.
• BRIDGE scoping information, including business context, site details, timelines, and constraints.

B. Information collected automatically from website and portals

• IP address, browser type, device type, operating system, and basic technical identifiers.
• Page views, link clicks, session timing, and general usage patterns.
• Performance and diagnostic data used to maintain and improve service reliability.

C. Information collected through PGH agents and integrations

• Device identifiers and system details (for example: hostname, OS version, hardware details).
• Installed software, patch/update status, and selected configuration or security posture data.
• Connectivity and uptime signals (for example, online/offline status and reporting timestamps).
• Selected event and alert data relevant to health and security monitoring.
• Vulnerability or scan-related results presented in PGH Core+ reports and related reporting workflows.

D. Information collected through BRIDGE engagements

• Interview notes, scoping notes, and operational/process observations.
• Evidence notes, screenshots, and document references included in findings reports (where applicable).
• On-site observations relevant to readiness review scope.
• Deliverables such as Raw Findings Reports and Suggested Remediation Plans.

3. What we do not intend to collect

Our services are designed around visibility, reporting, and readiness support. We do not intend to collect the contents of your files, emails, messages, or databases as part of normal PGH operation, and BRIDGE is not designed to copy or ingest your business content beyond what is reasonably needed for the scoped engagement.

If information outside intended scope is incidentally received (for example, within a screenshot, support attachment, or log excerpt), we may process it only as needed to deliver the service, secure the environment, or comply with law, and we will work to minimize further use or retention where practical.

4. How we use information

We use information to operate and improve ShawTech services and to communicate with you, including to:

• Provide and maintain PGH Core and PGH Core+ portals, dashboards, and reports.
• Perform BRIDGE scoping, readiness review work, reporting, and walkthroughs.
• Authenticate users, secure accounts, detect misuse, and respond to security concerns.
• Deliver billing, subscription, administrative, and support communications.
• Troubleshoot, monitor performance, improve reliability, and plan service improvements.
• Meet legal, accounting, contractual, or regulatory obligations.
• Protect our rights, systems, customers, and business operations.

5. Roles and responsibilities for customer data

In many cases, your organization decides what systems are monitored, what information is shared with us, and what users are granted access. In those cases, your organization is responsible for making sure it has the authority to share that information and to authorize monitoring, review, and reporting activities.

You represent that you have the rights, permissions, and legal basis required to provide information to ShawTech and to direct us to process it. This includes information about your staff, contractors, devices, and environments.

ShawTech is not responsible for privacy notices, employment notices, or internal approvals that your organization is required to provide.

6. Legal bases for processing (where required)

If data protection laws require us to identify a legal basis for processing, we generally rely on one or more of:

• Contract: to provide services you request or purchase.
• Legitimate interests: to operate, secure, improve, and administer our services in a balanced way.
• Consent: where we ask for it for a specific purpose.
• Legal obligations: when we must retain, disclose, or process information to comply with law.

7. How we share information

We do not sell your personal information or customer data. We also do not share customer data for cross-context behavioral advertising. We may disclose information only in limited circumstances such as the following:

• Service providers and subprocessors: vendors that host, secure, support, deliver email, process payments, or operate core service infrastructure on our behalf.
• Authorized third parties: your internal team members, consultants, MSPs, or IT partners if you authorize access or ask us to coordinate with them.
• Legal or safety reasons: where disclosure is reasonably necessary to comply with law, enforce our terms, or protect rights, safety, or security.
• Business transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and legal safeguards.

We do not disclose more information than reasonably necessary for the purpose of the disclosure.

8. Cookies, logs, and analytics

We use logs, cookies, and similar technologies to keep our website and portals working, remember preferences, maintain security, and understand usage trends. Some cookies may be required for core site or portal functionality.

You may be able to control cookies through your browser settings, but disabling some cookies may affect how the website or portals function.

We may use analytics tools to understand site and portal performance. We do not use customer monitoring data from PGH or BRIDGE deliverables for ad targeting.

9. Data retention and deletion

We retain information only as long as reasonably necessary for the purposes described in this policy, to fulfill contractual obligations, to resolve disputes, and to meet legal, tax, accounting, or security requirements.

Retention periods vary by data type and service. Examples may include account records, support communications, billing records, portal activity logs, PGH reports, and BRIDGE deliverables. Some report retention periods are controlled by service design or customer plan settings.

When information is no longer required, we take reasonable steps to delete, de-identify, or securely dispose of it. Backups and archived copies may persist for a limited period where deletion is not immediately practical.

10. Security and incident handling

We use reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, use, disclosure, alteration, and destruction. No system is perfectly secure, and no method of transmission or storage can be guaranteed 100% secure.

If we become aware of a confirmed security incident affecting information we process and notification is required by law or contract, we will notify affected customers within a reasonable time, subject to legal restrictions and the need to preserve investigations or mitigate risk.

You are responsible for securing your own systems, credentials, backups, and access controls, and for promptly notifying us of suspected unauthorized use of ShawTech services.

11. International transfers

We and our service providers may process information in the United States or other countries. If you access our services from outside the United States, your information may be transferred to and processed in countries that may not provide the same level of legal protection as your home jurisdiction.

Where legally required, we use appropriate transfer safeguards or contractual protections.

12. Your choices and privacy rights

Depending on your location, you may have rights to request access to, correction of, deletion of, or restriction of certain personal information, and to object to certain processing or request portability where applicable.

To protect privacy and security, we may need to verify your identity and authority before processing a request. We may deny or limit requests where permitted by law, including when doing so would negatively affect the rights of others, compromise security, or conflict with legal obligations.

You may also opt out of non-essential marketing emails using unsubscribe links or by contacting us directly.

13. Children's privacy

Our services are intended for business use and are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have done so without appropriate authorization, we will take reasonable steps to delete it.

14. Changes to this Privacy Policy

We may update this policy from time to time to reflect changes in our services, practices, vendors, or legal requirements. When we make material changes, we will update the “Last updated” date above and may provide additional notice through the website, portal, or email where appropriate.

Your continued use of the services after the effective date of an updated policy means you acknowledge the updated policy, to the extent permitted by law.