App Privacy Policy

1. Introduction

EvolveWell, Inc., along with its affiliates and subsidiaries (collectively, "EvolveWell", "we", "us", or "our"), prioritizes the protection of the privacy of its users ("you" or "your"). This Privacy Policy ("Policy") governs the collection, use, sharing, and safeguarding of your personal information when you use the SkyPulse iOS application distributed via the Apple App Store ("the App"), the SkyPulse management hub at https://skypulseaviation.com ("the Hub"), and the backend services that support both (collectively, "the Service").

The Service is provided to employees of organizations that have licensed SkyPulse from us ("Customer Organizations"). When you use the App as an employee, the Customer Organization that employs you is the data controller for your personal data, and EvolveWell acts as their data processor under a written data processing agreement. This Policy describes the processing we perform on their behalf and the limited processing we perform as a controller in our own right (for example, to operate, secure, and improve the Service).

For the separate EvolveWell marketing website at www.evolvewell.com, refer to the EvolveWell website privacy policy.

2. Personal Information We Collect

We collect only the personal information needed to operate the Service. Specifically:

• Identifiers provided by your employer: When your Customer Organization adds you to SkyPulse through the Hub, we store your full name, work email address, role/title, organizational unit, and the Customer Organization you belong to. We also store authorization information that determines which bulletins, training programs, and pulse checks apply to your role.

• Authentication data: The email address you enter at sign-in and the one-time codes you submit. Sign-in is performed using a one-time code sent to your work email. The App does not allow end users to create accounts from the device.

• User Content you submit through the App: Your answers to daily pulse checks (including free-text comments), your responses to training quiz questions, your progress through training lessons, and your acknowledgements of compliance bulletins.

• Support communications: Messages you send to help@skypulseaviation.com or privacy@evolvewell.com, including the content of those messages and any information you choose to share.

• Device and session metadata: Device type and model, operating system version, app version, language, time zone, IP address, approximate region derived from IP, and timestamps of activity.

• Product analytics: Events describing how you interact with the App and Hub — such as screens visited, buttons tapped, and features used — collected through PostHog Cloud (EU).

• Session recordings (replays): For a portion of sessions we record a structured representation of what is shown on screen so we can debug issues. All text inputs and all images are masked before recording, so we do not capture your typing or the contents of images. Recordings are stored in the EU and retained as described in Section 11.

• Diagnostic and crash data: Information about errors and crashes, including stack traces and basic device state.

Information We Do Not Collect

The App and Hub do not collect, store, or transmit:

• Geolocation data. The App does not request the NSLocationWhenInUseUsageDescription permission, does not use any location APIs, and does not derive precise location from device sensors. The approximate region described above is derived from IP address only.

• Microphone, camera, photo library, contacts, calendar, or health data.

• Browsing history or data from other apps.

• Payment or billing information. SkyPulse is licensed to Customer Organizations under a separate commercial agreement; there are no in-app purchases for end users.

3. How We Use Your Information

We use your personal information for the purposes permitted by applicable law, including:

• To provide the Service. To authenticate you, keep your session secure, deliver the bulletins, training, and pulse checks your Customer Organization has assigned to your role, and record your responses, progress, and acknowledgements so your employer can meet its safety, training, and regulatory obligations.

• To improve and secure the Service. To diagnose technical problems, monitor for abuse and security incidents, measure usage patterns, and improve performance, reliability, and user experience.

• To respond to you. To answer support requests, provide customer service, and act on data-subject requests described in Section 6.

• To comply with legal obligations. Including tax obligations, business obligations, response to lawful requests from authorities, and aviation-industry recordkeeping where applicable.

• With your consent, where required (for example, optional research surveys outside the core product flow).

We do not use your personal information for advertising, and we do not sell or share it for cross-context behavioral advertising.

Legal Bases (EEA / UK)

Where GDPR or UK GDPR applies, we rely on:

• Performance of a contract between you (via your Customer Organization) and us — for sign-in, content delivery, and recording your progress.

• Legitimate interests — for security monitoring, diagnostics, fraud prevention, and product improvement, balanced against your rights and freedoms.

• Legal obligation — where aviation safety regulations or other laws require us to retain certain records.

• Consent — only where specifically requested. You can withdraw consent at any time without affecting prior processing.

4. How We Share Your Information

We share personal information only as described below.

• With your Customer Organization. Your name, role, training progress, quiz results, bulletin acknowledgements, and pulse responses are visible to administrators and supervisors in the Hub. Free-text pulse comments are visible to your employer's supervisors and are not shared with other employees.

• With service providers ("sub-processors"). We use the vendors listed in Section 5 to host the Service, send transactional email, store files, run product analytics, and distribute the App. Each is bound by a written data processing agreement and processes data only on our instructions.

• With legal and regulatory authorities when required by law or to respond to valid legal requests.

• In a business transfer, such as a merger, sale, or asset transfer in which we are involved, for the purpose of evaluating or carrying out the transaction. We will notify Customer Organizations of any such transfer that materially affects this Policy.

We may disclose your personal information with other third parties where we have your consent or your Customer Organization's instruction to do so, except as otherwise prohibited by law.

We do not sell personal information and we do not share it with advertising networks.

5. Sub-processors and Where Data Is Stored

Sub-processor

Purpose

Region

WorkOS

Identity and authentication (magic-code sign-in, session tokens)

United States

PostHog Cloud (EU)

Product analytics, session replay (masked), feature flags

European Union

Microsoft Azure Storage

File storage for training materials, bulletins, and uploaded content

[REGION]

Microsoft Azure Communication Services

Delivery of transactional email (sign-in codes, notifications)

[REGION]

Neon

Managed PostgreSQL database for application data

[REGION]

Apple

App distribution, push notifications, crash reports

Global

Where data leaves the EEA or UK, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards.

6. Your Choices and Rights

Subject to applicable law and to any retention required by your Customer Organization or by regulation, you have the following rights with respect to the personal information we hold about you:

• Access and Portability — request a copy of your personal information in a structured, commonly used, machine-readable format.

• Correction — ask us to update or correct inaccurate or incomplete information.

• Deletion ("Right to be Forgotten") — ask us to delete your personal information, subject to retention required by law, regulation, or your Customer Organization's compliance obligations.

• Restriction of Processing — ask us to suspend processing in certain circumstances.

• Objection — object to processing that relies on our legitimate interests.

• Consent Withdrawal — withdraw consent at any time where processing is based on consent.

• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@evolvewell.com from the email address associated with your SkyPulse account. We will respond within a reasonable timeframe, and in any event within the period required by applicable law (typically 30 days under GDPR). If your Customer Organization is the controller for the data in question, we may need to coordinate the request with them.

Account Deletion Specifically

Because user accounts are provisioned by Customer Organization administrators in the Hub and not from the mobile App, the in-app account deletion flow described in Apple App Store Review Guideline 5.1.1(v) does not apply to the App. You may nonetheless request deletion of your account and all associated personal data by emailing help@skypulseaviation.com (the same address surfaced from the in-app Help & Support screen) or privacy@evolvewell.com. We complete verified deletion requests within 14 days and confirm completion by email. Some records may be retained where required by law or aviation-industry regulation; we will tell you what we keep and why.

7. Cookies and Similar Technologies

The App is a native iOS application and does not set browser cookies. The Hub uses a small number of strictly necessary cookies and similar technologies (for authentication, session management, and basic analytics). We do not use advertising cookies or third-party advertising trackers.

8. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your personal information. These include encryption in transit (TLS 1.2 or higher), encryption at rest for stored data, role-based access controls, audit logging, and ongoing vulnerability management. No system is perfectly secure; we encourage you to keep your device and operating system up to date and to report any suspected incident to help@skypulseaviation.com.

9. International Data Transfers

EvolveWell is based in the United States. Personal information we collect about you may be transferred to, stored in, and processed in the United States, the European Union, and other jurisdictions where our sub-processors operate (see Section 5). Personal information processed outside of your country may be accessible to foreign courts, law enforcement, and national security authorities. We take appropriate measures — including, where applicable, the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum — to ensure that your personal information remains protected.

If you have questions about our cross-border transfer practices, contact Jack Browner at privacy@evolvewell.com.

10. Children's Privacy

SkyPulse is an employee tool and is not directed at children. We do not knowingly collect personal information from anyone under the age of 18 (or the equivalent local age of consent). If we become aware that we have inadvertently received personal information from someone under 18, we will delete it. Contact us at privacy@evolvewell.com if you have concerns.

11. How Long Do We Retain Your Personal Information?

We retain personal information for as long as necessary to fulfil the purposes outlined in this Policy or as otherwise required by law, regulation, or our Customer Organization's instructions. Indicative retention periods:

• Account data (name, email, role): retained for as long as your Customer Organization maintains your SkyPulse account, plus up to [NN] days after deactivation for backup expiry.

• Pulse responses, training records, and bulletin acknowledgements: retained for as long as your Customer Organization requires for regulatory compliance, typically [NN] years. Your Customer Organization instructs us on retention.

• Session recordings: [NN] days, then deleted.

• Product analytics events: [NN] months in aggregate form; individual-level events [NN] days.

• Support email: [NN] months from last reply.

• Backups: rolling encrypted backups retained for [NN] days.

We dispose of personal information in accordance with our internal retention policies and procedures.

12. Automated Decision-Making and AI

The version of the App distributed on the App Store at the date of this Policy does not include the AI assistant feature. We do not make decisions producing legal or similarly significant effects about you using solely automated means. If a future version reintroduces AI-assisted features, this Policy will be updated to explain what models are used, what data is sent to them, and what safeguards apply, and we will notify you through the App or by email before the change takes effect.

13. Tracking and the Apple App Tracking Transparency Framework

The App does not track you across other companies' apps or websites and does not present Apple's App Tracking Transparency (ATT) consent prompt because no such tracking occurs.

14. Notifications

The current version of the App does not send push notifications. If push notifications are introduced in a future version, they will be sent only with your permission (granted via the standard iOS prompt) and only for in-product events such as new bulletins, training reminders, or daily pulse reminders. You can disable them at any time in iOS Settings.

15. State Privacy Rights (United States)

Residents of certain U.S. states have specific rights regarding their personal information.

• California (CCPA / CPRA). You have the right to know, access, delete, and correct your personal information, and the right to opt out of "sale" or "sharing" and to limit use of sensitive personal information. We do not sell or share personal information as those terms are defined under California law.

• Colorado, Connecticut, Utah, and Virginia. You have rights to access, delete, and correct your personal information, and to opt out of targeted advertising and the sale of personal information. We do not engage in targeted advertising and do not sell personal information.

To exercise these rights, contact privacy@evolvewell.com. Appeals for declined requests can also be submitted to that address.

16. EU and UK Privacy Rights

If you are located in the EEA or the UK, you have the following rights under the GDPR and UK GDPR:

• Right of Access — receive a copy of the personal information we hold about you.

• Right to Rectification — correct or complete inaccurate personal information.

• Right to Erasure ("Right to be Forgotten") — request deletion where there is no good reason for continued processing.

• Right to Restrict Processing — in certain circumstances.

• Right to Data Portability — receive your personal information in a structured, commonly used, machine-readable format.

• Right to Object — to processing based on our legitimate interests.

To exercise these rights, contact privacy@evolvewell.com. If you believe our processing infringes data protection laws, you also have the right to lodge a complaint with the supervisory authority in your country of residence.

17. Changes to This Policy

We may update this Policy from time to time. The updated version will be indicated by an updated "Last Updated" date and will be effective as soon as it is accessible. For material changes, we will notify you through the App, the Hub, or by email before the change takes effect.

18. How to Contact Us

For any questions or comments about this Policy, or to exercise your rights:

• Privacy and data protection: Jack Browner — privacy@evolvewell.com

• Product support: help@skypulseaviation.com

• Postal mail: EvolveWell, Inc., [REGISTERED ADDRESS]