Privacy Policy

Advalis Inc. & FincenRealEstateReport.com

Effective Date: July 11, 2025
Last Updated: July 11, 2025
Version: 2.0

Executive Summary

This Privacy Policy explains how Advalis Inc. handles personal information in connection with our FinCEN real estate reporting platform. Key points:

Our Core Privacy Commitments:

No Marketing Use of Filing Data: We do not use FinCEN report information, transaction data, or any filing information for marketing purposes. Client Data Ownership: All client data remains the property of our title company clients. No Sale of Data: We do not sell or monetize filing information. Purpose-Limited Processing: Filing system data is used solely for regulatory compliance and report generation. SOC 2 Type 2 Certified Security: Enterprise-grade security protects all data. Transparent Practices: We maintain a clear distinction between public website analytics and secure filing system data.

Your Rights:

You have the right to access and download your personal information, correct inaccurate data, request deletion (subject to legal requirements), opt-out of marketing communications, and control cookie preferences.

For detailed information, please read the full policy below.

Table of Contents

1. Introduction
2. Scope of this Policy
3. Definitions
4. Personal Information We Collect
   • 4.1 IMPORTANT: No Marketing Use of Filing Information
   • 4.2 Information Collected Directly
   • 4.3 Information Collected Automatically
   • 4.4 Information from Third Sources
5. How We May Use Personal Information
6. Legal Basis for Processing
7. How We May Disclose Personal Information
8. Cookies and Other Tracking Mechanisms
9. Data Retention
10. Your Privacy Rights and Choices
11. California Privacy Rights
12. Nevada Privacy Rights
13. Children’s Information
14. International Data Transfers
15. External Links and Features
16. Security
17. Data Breach Notification
18. Automated Decision-Making
19. Marketing and Communications
20. Changes to this Policy
21. Contact Us

#1 Introduction

This Privacy Policy (“Policy”) describes how Advalis Inc., a Delaware corporation with its principal place of business at 3500 South Dupont Hwy, Dover, DE 19901 (“Advalis,” “Company,” “we,” “us,” or “our”), collects, uses, discloses, protects, and otherwise processes personal information described in this Policy, as well as the rights and choices individuals have regarding such personal information.

We are committed to protecting your privacy and ensuring the security of your personal information. This Policy applies to our cloud-based software platform and managed filing services specifically engineered for the title insurance, real estate, and financial services industries, enabling the efficient generation, management, submission, maintenance, and tracking of FinCEN Real Estate Reports and Geographic Targeting Order (GTO) filings.

Key Privacy Principles

We operate under the following fundamental privacy principles:

First, we maintain strict separation of filing data and marketing. Information collected through our FinCEN filing system is never used for marketing purposes. We maintain a complete separation between operational filing data and any marketing activities. Second, all transaction data, report information, and filing content remains the exclusive property of our title company clients. We act solely as a data processor, not a data owner. Third, we process filing information only for the specific purpose of enabling regulatory compliance and report generation as directed by our clients. Fourth, we do not sell, rent, license, or otherwise monetize any filing information or client data. Fifth, we maintain transparency by clearly distinguishing between data collected on our public website (which may be used for analytics and marketing) and data within our secure filing system (which is never used for marketing).

By using our Services (as defined below), you agree that your personal information will be handled as described in this Policy. Your use of our Services and any dispute over privacy is subject to this Policy and our Terms of Service, available at https://fincenrealestatereport.com/terms/, including their applicable terms governing limitations on damages and the resolution of disputes.

#2 Scope of Policy

2.1 Services Covered

This Policy applies to the personal information we collect and process related to visitors to our website located at www.fincenrealestatereport.com and all associated domains, subdomains, and web properties (the “Site”). It also covers Licensee Firms (commercial entities that have entered into Platform Services Agreements with us), Authorized Users (employees, contractors, or agents authorized by Licensee Firms), Invited Users (individuals invited by Licensee Firms to submit information for specific real estate transactions), individuals who use our services on behalf of our customers, and prospective customers who inquire about our Services.

Collectively, our website, software platform, applications, tools, features, functionality, managed filing services, APIs, documentation, training resources, support services, and all related online and offline services are referred to as the “Services.”

2.2 Additional Notices and Limitations

Supplemental Notices: Depending on how you interact with us, we may provide you with other privacy notices with additional details about our privacy practices specific to certain Services or features. For example, when you are invited to submit information as an Invited User, you may receive specific privacy information from the Licensee Firm that invited you.

Exclusions: This Policy does not apply to job applicants or our employees (covered by separate employment privacy policies), information we process on behalf of our business clients as a data processor (covered by our agreements with those clients and their privacy policies), or anonymized or aggregated information that cannot reasonably identify you.

Client Data Ownership: Our processing of personal information belonging to our business clients is subject to our agreement with the respective client and their data handling practices. All client data remains the property of our title company clients. We act as a data processor for Client Data, processing it only according to the instructions of our Licensee Firms.

#3 Definitions

For purposes of this Policy, the following definitions apply:

“Authorized Users” means employees, contractors, agents, or other individuals who are granted access to use the Services under a Licensee Firm’s account with express authorization.

“Client Data” means all data, information, content, materials, and other information provided, submitted, uploaded, or transmitted by or on behalf of Licensee Firms or Invited Users through the Services, including personal information, transaction data, documents, reports, and communications.

“FinCEN” means the Financial Crimes Enforcement Network of the United States Department of the Treasury or any successor agency.

“GTO” means Geographic Targeting Order, referring to orders issued by FinCEN requiring reporting of certain real estate transactions in designated geographic areas.

“Invited Users” means individuals, entities, clients, customers, or representatives invited or authorized by a Licensee Firm to submit information through the Services for purposes of completing real estate reports or compliance requirements.

“Licensee Firms” means title companies, real estate firms, financial institutions, law firms, or other business entities within the title, real estate, or financial services industry that have entered into a Platform Services Agreement with Advalis.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.

“Services” means collectively all of Advalis’s cloud-based software platforms, applications, tools, features, functionality, managed filing services, APIs, documentation, training resources, support services, and all related online and offline services.

#4 Personal Information We Collect

We collect personal information directly from you, automatically through your use of the Services, and from other sources. To the extent permitted by applicable law, we may combine the information we collect from or about you. The categories and types of information we collect vary depending on your relationship with us and how you interact with our Services.

4.1 IMPORTANT: No Marketing Use of Filing Information

Information collected in the FinCEN filing system is strictly limited to regulatory compliance purposes and is NEVER used for marketing.

Key restrictions on filing system data include no marketing use, meaning filing platform data is never used for marketing, advertising, or promotional purposes. The filing system does not collect any marketing-related information. We do not sell, rent, license, or otherwise monetize any filing information. All filer information belongs exclusively to the filing firm who licensed the services, not to Advalis. Filing data is used solely for generating reports, compliance, and providing the contracted services. We maintain complete separation between filing system data and any website analytics or marketing systems.

This restriction applies to all information submitted through the secure filing platform, including transaction party information, property and transaction details, identity verification data, beneficial ownership information, all documents uploaded for FinCEN reporting, and any data entered for Geographic Targeting Orders.

4.2 Information Collected Directly

The personal information we collect directly varies depending upon your user category and interactions with us:

For Licensee Firms and Their Authorized Users:

Account Registration Information: We collect legal business name and DBA names, federal tax identification number (EIN), state business registration numbers, principal business address and additional office locations, primary contact information including name, title, email, and phone, billing contact information, account administrator details, and username and password credentials.

Business and Professional Information: This includes professional licenses and certifications, industry affiliations and memberships, business type and structure, years in business, transaction volume estimates, and service area coverage.

Payment and Billing Information: We collect payment method details such as credit card or ACH information, billing address, tax exemption certificates if applicable, purchase orders and invoicing preferences, and transaction history and payment records.

Communications and Support: We maintain records of support tickets and inquiries, training attendance records, feedback and satisfaction surveys, feature requests and suggestions, and correspondence with our team.

For Invited Users:

Transaction Party Information (as required for FinCEN reporting): We collect full legal name and any aliases, date of birth, current residential address, Social Security Number or Tax Identification Number when required, citizenship and residency status, government-issued identification information, and email address and phone number for transaction purposes.

Real Estate Transaction Information: This includes property address and legal description, transaction type and role in transaction, purchase or sale price and payment methods, financing information and sources of funds, entity formation documents for entity buyers or sellers, beneficial ownership information for entities, power of attorney documentation if applicable, and wire transfer instructions and details.

Identity Verification Information: When required, we collect government-issued ID images such as driver’s license or passport, selfie photos for biometric verification, responses to identity verification questions, and documentation supporting identity claims.

4.3 Information Collected Automatically

We and our service providers automatically collect certain information when you use our Services:

Device and Browser Information: We collect IP address and approximate geographic location derived from IP, browser type and version, operating system and version, device type, manufacturer, and model, screen resolution and browser window size, language preferences, unique device identifiers, and mobile network information if applicable.

Usage and Activity Information: This includes pages visited and content viewed, features used and actions taken, search queries within the Services, click paths and navigation patterns, time spent on pages and features, referring and exit URLs, date and time stamps of activities, error logs and performance data, and session duration and frequency.

Location Information: We gather general location through IP address, time zone settings, and language and regional preferences.

Tracking Technologies Information: We collect cookie identifiers, pixel tag data, session replay information on our public website only, analytics identifiers, and marketing attribution data.

4.4 Information from Third Sources

We may collect and receive personal information from third-party sources:

Business Partners and Service Providers: These include identity verification services providing ID verification results, background check providers for business verification, payment processors providing transaction confirmations, credit reporting agencies for business accounts, marketing and lead generation partners, and industry associations and networks.

Public Sources: We may access business registrations and licenses, property records and tax assessments, court records and regulatory filings, professional licensing boards, social media profiles for business accounts, and news articles and press releases.

Data Analytics and Enhancement Providers: We work with ZoomInfo for business contact enrichment, HubSpot for marketing interaction data, Google Analytics for website behavior analysis, and various industry databases and directories.

Government Entities: We may receive information from FinCEN for compliance confirmations, state regulatory bodies, law enforcement when required, and tax authorities for business verification.

#5 How We May Use Personal Information

We collect, use, disclose, and otherwise process the personal information we collect for the following business and commercial purposes:

5.1 Service Delivery and Operations

Providing and Operating Our Services: We use personal information for creating and maintaining user accounts, authenticating users and managing access controls, processing real estate report generation requests, facilitating data collection from transaction parties, performing identity verification services, generating and submitting FinCEN reports, maintaining audit trails and compliance records, and providing technical infrastructure and platform functionality.

Real Estate Reports Management: We enable title companies to generate, manage, and maintain real estate reports, process Geographic Targeting Order (GTO) compliance requirements, automate report generation using AI and machine learning, manage report submission deadlines and notifications, and maintain report archives and retrieval systems. All such data remains the property of our title company clients.

5.2 Business Operations and Improvement

Analytics and Performance: We analyze platform usage patterns and trends, measure feature adoption and effectiveness, identify system performance issues, conduct A/B testing and optimization, evaluate service quality and reliability, create aggregated and anonymized analytics, and monitor system health and availability.

Research and Development: We use data to improve existing features and functionality, develop new products and services, enhance user experience and interface design, train and improve our AI and machine learning models, conduct market research and competitive analysis, test beta features and gather feedback.

5.3 Communications and Support

Customer Communications: We respond to inquiries and support requests, send service-related announcements and updates, provide technical support and troubleshooting, notify about system maintenance and downtime, communicate about account and billing matters, deliver training materials and resources, and send administrative and transactional messages.

Marketing and Promotional Activities: For marketing purposes, we send newsletters and product updates with consent, promote new features and services, conduct customer satisfaction surveys, invite participation in webinars and events, share industry news and compliance updates, and personalize marketing content based on interests. Client data and FinCEN filing information are never used for marketing purposes.

5.4 Security and Legal Compliance

Security and Fraud Prevention: We protect against unauthorized access and cyber threats, detect and prevent fraudulent activities, investigate security incidents and breaches, implement access controls and authentication, monitor for suspicious behavior patterns, maintain system integrity and data protection, and conduct security audits and assessments.

Legal and Regulatory Compliance: We comply with FinCEN reporting requirements, meet anti-money laundering (AML) obligations, adhere to Know Your Customer (KYC) regulations, respond to legal process and law enforcement requests, maintain records as required by law, cooperate with regulatory examinations, and enforce our Terms of Service and policies.

5.5 Business Management

General Business Operations: We manage vendor and partner relationships, conduct financial planning and analysis, process mergers, acquisitions, or restructuring, maintain corporate records and governance, manage insurance and risk assessment, perform accounting and tax functions, and conduct internal audits and compliance reviews.ating report generation using AI and machine learning

• Managing report submission deadlines and notifications
• Maintaining report archives and retrieval systems
• All such data remains the property of our title company clients

#6 Legal Basis for Processing

We process personal information only when we have a valid legal basis to do so. Our legal bases for processing include:

6.1 Contract Performance

We process personal information as necessary to perform our contracts with you, including providing access to our Services under the Terms of Service, delivering services under Platform Services Agreements for Licensee Firms, processing payments and billing, providing customer support, and managing user accounts and authentication.

6.2 Legitimate Interests

We process personal information for our legitimate business interests, including improving and developing our Services, ensuring network and information security, preventing fraud and illegal activities, direct marketing to business contacts where permitted, internal administrative purposes, and enforcing our legal rights and remedies.

When relying on legitimate interests, we balance our interests against your rights and freedoms to ensure they are not overridden.

6.3 Legal Obligations

We process personal information to comply with legal obligations, including FinCEN reporting requirements, anti-money laundering regulations, tax and accounting obligations, responding to legal process, maintaining required business records, and cooperating with law enforcement and regulators.

6.4 Consent

Where required by law, we obtain your consent to process personal information, particularly for marketing communications where consent is required, cookies and similar tracking technologies, processing sensitive personal information, and cross-border data transfers where required.

You may withdraw consent at any time, though this will not affect the lawfulness of processing based on consent before withdrawal.

6.5 Vital Interests

In rare circumstances, we may process personal information to protect vital interests, such as in emergencies where someone’s life or safety is at risk.

6.6 Public Interest

We may process personal information for tasks carried out in the public interest, particularly related to preventing financial crimes and ensuring regulatory compliance.

#7 How We May Disclose Personal Information

We disclose personal information in the following circumstances and for the purposes specified:

7.1 Service Providers and Vendors

We disclose personal information to carefully selected vendors and service providers who perform functions on our behalf that are essential to providing our services, including:

Infrastructure and Technology Providers: These include Amazon Web Services for cloud hosting and storage, content delivery networks for CDN services, database management providers, backup and disaster recovery services, email delivery services, and telecommunications providers.

Business Operations Providers: We work with payment processors and merchant services, accounting and financial services, legal and compliance advisors, insurance providers, office productivity tool providers, and human resources service providers.

All service providers are contractually obligated to protect personal information and use it only for providing services to us. Data shared with service providers is encrypted in transit and at rest.

7.2 Our Customers (Licensee Firms)

We process and disclose personal information as necessary to provide our Services to title company clients by providing Invited User submissions to the requesting Licensee Firm, generating reports as directed by Licensee Firms, sharing identity verification results, providing compliance and audit information, and facilitating communications about transactions.

7.3 Marketing and Analytics Partners

We may disclose website visitor information (not Client Data or filing information) to Google Analytics for website analytics, ZoomInfo for B2B contact information, HubSpot for marketing automation and CRM, marketing attribution platforms, and advertising networks for B2B marketing only.

Important: Client data and FinCEN filing information are never shared with marketing or analytics partners.

7.4 Business Transfers

In connection with business transitions, encrypted database information may be disclosed to acquirers, successors in a merger, acquisition, or sale of assets, bankruptcy trustees or receivers, and investors or lenders with aggregated data only.

7.5 Legal and Compliance Disclosures

We disclose personal information when required or permitted by law to comply with subpoenas, court orders, and other legal process, respond to requests from law enforcement and regulatory authorities, comply with FinCEN and other regulatory requirements, investigate and prevent illegal activities, enforce our Terms of Service and protect our rights, protect the safety and security of individuals, and prevent fraud and financial crimes.

7.6 Consent-Based Disclosures

We may disclose personal information when you direct us to share it with specific third parties, with your explicit consent for specific purposes, or to third parties you designate to receive reports or information.

7.7 Aggregated and De-identified Information

We may use de-identified information that cannot reasonably identify you for benchmarking and internal reports.

#8 Cookies and Other Tracking Mechanisms

8.1 Overview of Tracking Technologies

We and third parties use various tracking technologies to automatically collect information about your browsing activity and use of our Services:

Cookies: Cookies are small text files stored on your device that help us recognize you, remember your preferences, and understand how you use our Services. We use Essential Cookies that are required for the Services to function properly including authentication, security, and load balancing. We also use Performance Cookies that help us understand how visitors interact with our Services through page views and performance metrics. Functionality Cookies remember your preferences and settings such as language, region, and login information. Analytics Cookies collect information about Service usage for improvement purposes. Marketing Cookies track effectiveness of our marketing campaigns on our public website only.

Pixel Tags/Web Beacons: These are tiny graphics with unique identifiers that track user activities, email opens, and help us manage content and compile usage statistics.

Local Storage: We use HTML5 local storage to store preferences and temporary data on your device for improved performance.

Session Replay: On our public website only, not in the secure filing system, we may use session replay tools to understand user interactions and improve user experience.

Device Fingerprinting: We may collect device attributes to create a unique identifier for security and fraud prevention purposes.

8.2 Third-Party Analytics and Advertising

Analytics Services: We use third-party analytics services on our public website to evaluate usage:

We use Google Analytics to analyze website traffic and user behavior. You can learn more at https://www.google.com/policies/privacy/partners/ and opt-out at https://tools.google.com/dlpage/gaoptout. We also use ZoomInfo to identify business visitors and enrich B2B contact information, and HubSpot for marketing analytics and lead tracking.

Advertising Technologies: We work with third-party advertising companies to display ads on other websites. These companies use cookies to track your browsing across websites. We use retargeting and remarketing to show relevant ads based on your visit to our Site. We also participate in interest-based advertising networks.

Important: Tracking for analytics and advertising occurs only on our public website, not within the secure filing system used for FinCEN reporting.

8.3 Your Cookie Choices

Browser Controls: Most browsers allow you to block or delete cookies through settings. You can set your browser to notify you when cookies are placed. Note that disabling cookies may affect Service functionality.

Opt-Out Options: You can opt-out through Google Analytics at https://tools.google.com/dlpage/gaoptout, the Network Advertising Initiative at https://optout.networkadvertising.org/, the Digital Advertising Alliance at https://optout.aboutads.info/, and the European Digital Advertising Alliance at https://www.youronlinechoices.eu/.

Do Not Track Signals: Currently, our Site and Services do not recognize browser “Do Not Track” signals. However, you can use the opt-out mechanisms described above.

Cookie Consent: Where required by law, we obtain consent before placing non-essential cookies. You can manage your consent preferences through our cookie banner when you visit our Site.

#9 Data Retention

9.1 Retention Periods

We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law:

Account Information: Active Licensee Firms’ information is retained for the duration of the subscription term. Authorized Users’ information is retained while authorization is active. Invited Users’ access credentials expire upon submission completion or after 30-90 days.

Transaction and Filing Data: Active Client Data is retained during the subscription term. FinCEN Reports are retained for seven years from filing date as required by regulation. Identity Verification Records are retained for seven years from verification date. Supporting Documentation is retained for seven years or as required by applicable regulations.

Post-Termination Retention: Licensee Firms have a 60-day data retrieval period to retrieve their data. Backup copies may be retained for up to 6 months on a rolling basis. Audit logs are retained for seven years for compliance purposes. Aggregated analytics are retained indefinitely in anonymized form.

Marketing and Communications: Marketing preferences are retained until you opt-out or request deletion. Email communications are retained for three years from last interaction. Support tickets are retained for three years from resolution. Website analytics are retained for 26 months, which is the Google Analytics default.

9.2 Retention Criteria

We determine appropriate retention periods based on the purpose for which information was collected, legal and regulatory requirements, statute of limitations for legal claims, industry standards and best practices, whether retention is necessary for our legitimate interests, and your requests for deletion where applicable.

9.3 Deletion Practices

When personal information reaches the end of its retention period, we delete it from production systems within 30 days, from backup systems on the next backup rotation cycle, and from archived systems annually. Paper records are securely shredded and electronic media is securely wiped or destroyed.

Exception: We may retain information longer if required for legal proceedings, regulatory investigations, or compliance obligations.

#10 Your Privacy Rights and Choices

Depending on your location and applicable laws, you may have certain rights regarding your personal information:

10.1 Access and Portability Rights

Right to Access: You may request information about whether we process your personal information, the categories of personal information we collect, purposes for processing, categories of recipients, retention periods, and your rights regarding the information.

Right to Data Portability: Where technically feasible, you may request your personal information in a structured, commonly used, machine-readable format.

How to Exercise: Licensee Firms can access their data through their account dashboard or contact support. Invited Users should contact the Licensee Firm that invited them, or email us at [email protected].

10.2 Correction and Update Rights

Right to Rectification: You may request correction of inaccurate personal information or completion of incomplete information. Account holders can update information through account settings. Contact our support team for assistance. Invited Users should contact the inviting Licensee Firm.

10.3 Deletion Rights

Right to Erasure: You may request deletion of your personal information, subject to certain exceptions.

Exceptions: We may retain information when necessary to complete transactions or provide requested services, comply with legal obligations, detect security incidents or illegal activity, exercise legal rights or defend against claims, or conduct internal uses aligned with your expectations.

Deletion Requests: Email [email protected] with sufficient information to identify your account and specify what information you want deleted.

10.4 Restriction and Objection Rights

Right to Restrict Processing: You may request we limit processing while verifying accuracy of disputed information, determining lawfulness of processing, or preserving information for legal claims.

Right to Object: You may object to processing based on legitimate interests, direct marketing purposes, or automated decision-making.

10.5 Marketing and Communication Preferences

Opt-Out Options: You can opt-out of marketing emails using the unsubscribe link in any marketing email, manage account notifications through your account settings preferences, text messages by replying STOP, and phone calls by requesting addition to our do-not-call list.

Transactional Communications: You cannot opt-out of service-related communications necessary for account management, security, or legal compliance.

10.6 Cookie and Tracking Preferences

See Section 8.3 for detailed information about managing cookie preferences and opting out of tracking technologies.

10.7 Response Timeline and Verification

Response Timeline: We provide acknowledgment within 5 business days, substantive response within 30 days, and may extend up to 60 additional days for complex requests with notice.

Identity Verification: We may require verification of your identity before processing requests through account verification using login credentials, government-issued ID verification, additional information to confirm identity, or authorized agent documentation where applicable.

10.8 Non-Discrimination

We do not discriminate against individuals who exercise their privacy rights. We will not deny services, charge different prices, provide different service levels, or suggest you will receive different treatment.

#11 California Privacy Rights

11.1 Rights Under the California Consumer Privacy Act (CCPA)

California residents have additional rights under the CCPA:

Right to Know: Twice per year, you may request the categories of personal information collected, categories of sources, business or commercial purposes for collection, categories of third parties with whom we share information, and specific pieces of personal information we hold.

Right to Delete: You may request deletion of personal information, subject to exceptions in Section 10.3.

Right to Opt-Out of Sale: We do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.

Right to Non-Discrimination: As described in Section 10.8.

11.2 Categories of Information Collected

In the preceding 12 months, we have collected these categories under the CCPA: identifiers such as names, email addresses, and IP addresses; personal information categories under Cal. Civ. Code § 1798.80(e); commercial information including transaction history; internet activity information; geolocation data from general location derived from IP; professional information; and inferences drawn from other information.

11.3 California Shine the Light Law

Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

11.4 How to Exercise California Rights

Submit Requests: You can submit requests online at https://fincenrealestatereport.com/privacy-request, by email at [email protected], or by mail to Advalis Inc., Attn: Privacy Rights, 3500 S. Dupont Hwy, Dover, DE 19901.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you, power of attorney if applicable, verification of their identity, and direct confirmation from you of the authorization.

#12 Nevada Privacy Rights

Nevada residents have the right to opt-out of the sale of certain personal information to third parties. We do not currently sell personal information as defined under Nevada law. If you are a Nevada resident and would like to submit a request regarding the sale of your personal information, please contact us at [email protected].

#13 Children’s Information

13.1 Age Restrictions

Our Services are designed exclusively for business use in the title insurance, real estate, and financial services industries. The Services are not intended for, marketed to, or designed for use by children under the age of 18.

13.2 No Knowing Collection

We do not knowingly collect, solicit, or maintain personal information from children under 18 years of age. We do not knowingly permit children under 18 to register for or use the Services.

13.3 Parental Rights

If a parent or guardian believes that their child under 18 has provided us with personal information without their consent, please contact us immediately at [email protected]. We will:

• Investigate the matter promptly
• Delete any such information from our systems
• Terminate any associated access
• Take steps to prevent future collection

#14 International Data Transfers

14.1 Data Location

Your personal information will be transferred to, processed, stored, and maintained in the United States of America. Our primary data centers and servers are located in the United States, specifically in AWS data centers that maintain SOC 2 Type 2 certification.

14.2 Cross-Border Transfers

If you access our Services from outside the United States:

• Your information will be transferred to the United States
• U.S. laws may differ from your country’s laws
• U.S. government authorities may access data under certain circumstances
• By using our Services, you consent to this transfer

14.3 International Users

For EU/EEA Residents:

• We rely on appropriate safeguards for data transfers
• Standard Contractual Clauses may apply to certain transfers
• You may request information about safeguards by contacting us

For UK Residents:

• Similar protections apply as for EU/EEA residents
• We comply with UK GDPR requirements where applicable

For Canadian Residents:

• We comply with PIPEDA requirements
• You may file complaints with the Privacy Commissioner of Canada

14.4 Data Localization

We do not currently offer data localization options. All data is processed and stored in the United States, regardless of where you are located.

#15 External Links and Features

15.1 Third-Party Websites

Our Site and Services may contain links to third-party websites, including:

• Payment processor portals
• Identity verification services
• Government agency websites (FinCEN, IRS)
• Industry association sites
• Educational resources

15.2 No Liability for Third-Party Practices

We are not responsible for the privacy practices, content, or security of third-party websites. These sites have their own privacy policies and terms of use. We encourage you to review their policies before providing any personal information.

15.3 Integrated Services

Some third-party services are integrated into our platform:

• These integrations are governed by our agreements with third parties
• We share only the minimum information necessary
• You may need to agree to third-party terms to use certain features

15.4 Social Media

We maintain presence on social media platforms:

• Our social media pages are governed by the platforms’ policies
• Information you provide on social media is public
• We may respond to public posts or direct messages
• Social media interactions are not covered by this Policy

#16 Security

16.1 Security Program Overview

We have implemented and maintain comprehensive administrative, technical, and physical security measures designed to protect personal information against unauthorized access, use, loss, alteration, disclosure, and destruction. Our security program is based on industry standards and best practices, including SOC 2 Type 2 certification requirements.

16.2 Technical Safeguards

Encryption:

• Data at rest: AES-256 encryption
• Data in transit: TLS 1.2 or higher
• Key management using industry-standard practices
• Encrypted backups and archives

Access Controls:

• Role-based access control (RBAC)
• Principle of least privilege
• Multi-factor authentication for administrative access
• Strong password requirements
• Session timeout controls
• IP whitelisting capabilities

System Security:

• Firewalls and intrusion detection systems
• Regular security patches and updates
• Malware and antivirus protection
• Security information and event management (SIEM)
• Network segmentation
• Regular vulnerability assessments
• Annual penetration testing

16.3 Organizational Safeguards

Personnel Security:

• Background checks for employees with data access
• Confidentiality agreements for all personnel
• Regular security awareness training
• Role-specific security training

Policies and Procedures:

• Written information security policies
• Incident response procedures
• Change management processes
• Vendor management program
• Risk assessment procedures
• Business continuity planning
• Disaster recovery planning

16.4 Physical Safeguards

Data Center Security (AWS):

• SOC 2 Type 2 certified facilities
• 24/7 security monitoring
• Biometric access controls
• Security cameras and recording
• Environmental controls (temperature, humidity)
• Fire suppression systems
• Redundant power systems
• Geographic redundancy

16.5 Security Limitations

Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee the absolute security of personal information. You acknowledge and accept the inherent security risks of providing information online and will not hold us responsible for breaches of security unless they result from our gross negligence or willful misconduct.

16.6 Your Security Responsibilities

You play a crucial role in maintaining security:

• Use strong, unique passwords
• Enable multi-factor authentication when available
• Keep login credentials confidential
• Log out after each session
• Report suspicious activity immediately
• Keep your devices and software updated
• Use secure networks when accessing the Services

#17 Data Breach Notification

17.1 Incident Response

In the event of a Security Incident involving personal information, we will:

• Immediately initiate our incident response plan
• Investigate and contain the incident
• Assess the nature and scope of the breach
• Identify affected individuals and data types
• Implement remediation measures
• Document all response actions

17.2 Notification Procedures

For Licensee Firms:

• Notification within 48 hours of discovery
• Detailed incident report within 5 business days
• Regular updates throughout investigation
• Final report with remediation measures
• Assistance with regulatory notifications

For Invited Users:

• Notification through the Licensee Firm that invited them
• Direct notification if required by law
• Information about the incident and affected data
• Steps taken to address the breach
• Recommendations for protective measures

17.3 Regulatory Compliance

We will comply with all applicable breach notification laws:

• State breach notification requirements
• CCPA breach provisions
• Industry-specific regulations
• International requirements (GDPR, etc.)

17.4 Cooperation and Support

Following a breach, we will:

• Cooperate with regulatory investigations
• Provide necessary documentation
• Support affected individuals
• Offer credit monitoring services (where appropriate)
• Implement additional security measures

#18 Automated Decision-Making

18.1 Use of Automated Systems

We use automated systems and artificial intelligence for certain processing:

• Report generation and data extraction
• Identity verification matching
• Fraud detection and prevention
• System security monitoring
• Performance optimization

18.2 Human Oversight

Important decisions affecting individuals always involve human review:

• Final report approval by Licensee Firms
• Identity verification exceptions
• Account suspension or termination
• Compliance determinations

18.3 Your Rights

You have the right to:

• Request information about automated processing
• Request human review of automated decisions
• Contest decisions based solely on automated processing
• Opt-out of certain automated processing (where applicable)

#19 Marketing and Communications

19.1 Marketing Communications

Types of Marketing:

• Product announcements and updates
• Industry news and compliance alerts
• Webinar and event invitations
• Educational content and resources
• Customer success stories
• Promotional offers (for qualified businesses)

Legal Basis:

• Consent (where required)
• Legitimate interests (B2B marketing)
• Existing customer relationship

19.2 Communication Preferences

Managing Preferences:

• Email preference center in account settings
• Unsubscribe links in all marketing emails
• Contact preferences for different message types
• Frequency settings for various communications

19.3 Transactional Communications

You cannot opt-out of certain essential communications:

• Security alerts and breach notifications
• Account verification and authentication
• Payment and billing notices
• Service availability and maintenance notices
• Legal and compliance updates
• Terms and policy changes

19.4 Do Not Contact

If you wish to be added to our do-not-contact list:

• Email: [email protected]
• Include all email addresses and phone numbers
• Specify types of communications to block
• Allow 10 business days for processing

#20 Changes to this Policy

20.1 Policy Updates

We may modify this Policy from time to time to reflect:

• Changes in our data practices
• New features or services
• Legal or regulatory requirements
• Industry standards and best practices
• User feedback and concerns

20.2 Notice of Changes

Material Changes:

• 30 days advance notice via email
• Prominent notice on our website
• In-app notifications for active users
• Summary of key changes
• Option to review changes before they take effect

Non-Material Changes:

• Updated Policy posted on website
• “Last Updated” date changed
• Changes effective immediately upon posting

20.3 Acceptance of Changes

Your continued use of the Services after changes become effective constitutes acceptance of the modified Policy. If you do not agree with changes:

• Licensee Firms may terminate according to their Platform Services Agreement
• Invited Users should not submit information through the Services
• You may exercise applicable data rights (deletion, portability)

20.4 Version History

We maintain a version history of this Policy:

• Previous versions available upon request
• Changelog documenting significant updates
• Archived versions for compliance purposes

#21 Contact Us

21.1 Privacy Contact Information

If you have any questions, concerns, requests, or complaints regarding this Policy or our privacy practices, please contact us:

Privacy Team:

• Email: [email protected]
• Hours: Monday-Friday, 9:00 AM – 6:00 PM ET

Data Protection Officer:

• Email: [email protected]

Mailing Address:

Advalis Inc.
Attn: Privacy Department
3500 South Dupont Hwy
Dover, DE 19901
United States

Other Contacts:

• Security Issues: [email protected]
• Legal Notices: [email protected]
• General Support: [email protected]

21.2 Response Commitment

We are committed to addressing your privacy concerns:

• Acknowledgment within 5 business days
• Substantive response within 30 days
• Escalation procedures for complex issues
• Multiple language support available

21.3 Regulatory Authorities

You may also contact relevant privacy authorities:

United States:

• Federal Trade Commission: www.ftc.gov
• State Attorneys General offices
• Consumer Financial Protection Bureau: www.consumerfinance.gov

European Union:

• Your local Data Protection Authority
• European Data Protection Board: www.edpb.europa.eu

Other Jurisdictions:

• Please contact us for information about authorities in your jurisdiction

Thank you for trusting Advalis Inc. with your personal information. We are committed to protecting your privacy and maintaining the security of your data.

This Privacy Policy is effective as of June 11, 2025.