CONCOURSE TECHNOLOGIES, INC.
Privacy Policy
Last updated: April 14, 2026
Scope and Roles
This Privacy Policy explains how Concourse Technologies, Inc. ("Concourse," "we," "our," or "us") collects, uses, discloses, and otherwise processes personal information when individuals interact with our website, communications, business operations, and software services.
Concourse does not perform the same privacy role in every context. The role depends on the processing activity and the source of the data.
When Concourse collects and uses personal information for its own website, marketing, lead generation, sales, contracting, support, billing administration, security, recruiting, vendor management, or other internal business purposes, Concourse generally acts as a controller under the GDPR and a business under U.S. state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
When Concourse processes customer-controlled data through the Services, including data made available through integrations, uploads, workbooks, reports, prompts, outputs, or related service metadata, Concourse generally acts as a processor under the GDPR and as a service provider or contractor, as applicable, under the CCPA/CPRA and similar U.S. state laws, subject to the governing customer contract and data processing terms.
If you use the Services through your employer, customer, or another organization, that organization generally controls the customer-controlled service data made available through the Services. In those cases, that organization is usually responsible for determining the legal basis for processing, issuing any required notices, and responding to rights requests relating to that customer-controlled service data.
This Privacy Policy does not apply to information that is fully anonymized so that it cannot reasonably be linked to an individual. It also does not replace separate privacy notices that Concourse may provide for employees, applicants, contractors, or vendors where a more specific notice applies.
Personal Information We Collect for Concourse-Controlled Purposes
For Concourse-controlled website and business interactions, we may collect the following categories of personal information, depending on the context:
- identifiers and contact information, such as name, business email address, phone number, mailing address, company name, title, and account credentials;
- commercial, billing, and transaction information, such as subscription details, invoice records, payment status, procurement contacts, and related business records;
- internet or other electronic network activity information, such as IP address, browser type, device type, operating system, referral source, pages viewed, links clicked, approximate location derived from IP, and interactions with our website or communications;
- professional or employment-related information, such as company affiliation, business role, team information, support or administrator status, and information relevant to demos, onboarding, or customer relationship management;
- audio, visual, or similar information, such as call recordings, meeting recordings, webinars, demos, screenshots, or support materials where recording or capture is enabled and permitted;
- inferences or derived information, such as preferences, engagement indicators, or product-interest insights derived from website, communication, or business interactions; and
- sensitive personal information only to the limited extent necessary for lawful purposes or where voluntarily provided, for example account credentials or precise business contact details included in support or contracting records.
Customer-Controlled Service Data
The Services are designed to work with customer-controlled data, including data made available through data warehouse connections, ERP and accounting system integrations, payroll or HRIS integrations, CRM integrations, analytics or product telemetry integrations, CSV uploads, workbooks, reports, exports, and related service features.
Customer-controlled service data may include business records and may also include personal information contained in those customer systems, including customer employee information, billing contacts, vendor contacts, data about the customer's own customers, or other data that the customer makes available through the Services.
As between Concourse and its customer, customer contracts generally recognize that the customer owns and controls customer data and that Concourse may process that data only as necessary to provide, secure, support, maintain, and improve the Services, consistent with the customer contract and applicable data processing terms.
Concourse may maintain service-generated outputs and metadata related to customer-controlled service data, such as workbooks, reports, prompts, outputs, memories, usage logs, support records, and security logs, to operate the Services, support collaboration, maintain integrity and security, and comply with contractual or legal obligations.
Concourse does not use customer-controlled service data to train public or shared foundation models. Concourse may use aggregated or de-identified information that does not reasonably identify an individual or customer, to the extent permitted by contract and applicable law.
If you are an authorized user of a customer workspace and want to exercise rights relating to customer-controlled service data, you should normally contact the organization that provided your access first. Concourse will assist customers with such requests where required by contract or law.
Sources of Personal Information
Depending on the context, we may collect personal information from one or more of the following sources:
- directly from you, such as when you request a demo, sign up for communications, enter into a contract, submit a support request, participate in a webinar, or otherwise contact us;
- automatically from your browser, device, or use of our website or Services through cookies, pixels, logs, analytics tools, session technologies, and similar mechanisms;
- from your organization or one of our customers, such as when you are designated as an administrator, billing contact, support contact, or authorized user;
- from third-party integrations and platforms that you or our customers choose to connect to the Services;
- from service providers, vendors, business partners, event platforms, identity providers, payment processors, analytics providers, and other lawful third-party sources; and
- from publicly available or commercially available sources, where lawful and relevant to lead generation, due diligence, fraud prevention, or business relationship management.
How We Use Personal Information and, for EEA / UK / Switzerland Individuals, Our Legal Bases
Where Concourse acts as a controller, we may use personal information for the following purposes:
- to provide and administer the website, communications, demos, events, contracting, billing, support, and other business operations — legal bases: performance of a contract; steps at your request before entering a contract; legitimate interests; and legal obligations;
- to communicate with you about your account, services, support matters, transactions, renewals, product updates, security notices, and administrative messages — legal bases: performance of a contract; legitimate interests; and legal obligations;
- to operate, monitor, maintain, secure, troubleshoot, and improve our website, Services, infrastructure, documentation, and internal systems — legal bases: legitimate interests and legal obligations;
- to measure engagement, analyze usage, understand product performance, improve functionality, and develop new features — legal bases: legitimate interests and, where required, consent;
- to market our Services, manage campaigns, send promotional communications, and understand campaign performance — legal bases: legitimate interests and, where required, consent;
- to detect, investigate, prevent, and respond to fraud, abuse, security incidents, and legal or policy violations — legal bases: legitimate interests and legal obligations;
- to comply with tax, accounting, legal, insurance, regulatory, recordkeeping, and audit obligations — legal bases: legal obligations and legitimate interests; and
- to evaluate or complete corporate transactions, financing activities, or due diligence — legal bases: legitimate interests.
Where required by applicable law, we will obtain consent before processing personal information for a specific purpose. Where Concourse acts only as a processor or service provider/contractor for customer-controlled service data, the relevant customer is generally responsible for determining the legal basis for processing.
How We Disclose Personal Information
We may disclose personal information to the following categories of recipients, depending on the context:
- our customers and their authorized administrators, where you use the Services on behalf of an organization;
- hosting, infrastructure, authentication, security, analytics, observability, communications, support, billing, payment, CRM, and other service providers or contractors that help us operate our business and Services;
- integration partners and connected platforms when a customer or authorized user chooses to enable an integration or direct data exchange;
- professional advisors such as lawyers, accountants, auditors, consultants, lenders, and insurers;
- actual or prospective acquirers, investors, financing counterparties, and transaction advisors, subject to appropriate confidentiality protections;
- courts, regulators, law enforcement, or other parties where disclosure is required by law or reasonably necessary to protect rights, safety, systems, customers, or the public;
- other parties at your direction or with your consent; and
- recipients of aggregated or de-identified information that cannot reasonably identify an individual.
Appendix A identifies Concourse's current named service providers and subprocessors that may process personal information in connection with the website, the Business, or customer-controlled service data. The list may change over time as our service providers or subprocessors change, and any updated list will be reflected in a revised policy or separate public notice where applicable.
Cookies, Similar Technologies, and Opt-Out Preference Signals
We and our partners may use cookies, pixels, SDKs, local storage, session technologies, and similar tools on the website and, where relevant, in service interfaces. These technologies may support strictly necessary functionality, security, authentication, load balancing, fraud prevention, analytics, communications, and campaign measurement.
You can manage cookies through your browser settings and, where available, through our cookie or privacy preference tools. Blocking some technologies may affect functionality.
Where required by applicable law, Concourse recognizes browser-based opt-out preference signals, such as Global Privacy Control ("GPC"), for the browser or device from which the signal is sent. Where such a signal applies, we will treat it as a request to opt out of processing for purposes such as the sale, sharing, or targeted advertising of personal information, to the extent required by applicable law and technically applicable to the interaction.
Concourse does not sell or share customer-controlled service data for cross-context behavioral advertising. For website and business interaction data, Concourse does not sell personal information for money. If any website analytics, advertising, or attribution technology is treated as a sale, share, or targeted advertising activity under applicable law, Concourse will provide the required opt-out mechanisms.
U.S. State Privacy Rights
Depending on your state of residence, the context of processing, and whether the relevant law applies to Concourse, you may have some or all of the following rights:
- to know, confirm, or access the personal information we process about you;
- to obtain a portable copy of personal information in a usable format where required by law;
- to correct inaccuracies in personal information we maintain about you;
- to delete personal information, subject to legal, contractual, security, and operational exceptions;
- to opt out of the sale or sharing of personal information and/or targeted advertising;
- to opt out of certain profiling or automated decision-making activities where applicable law provides that right;
- to limit the use and disclosure of sensitive personal information where California law applies and the right is available;
- to withdraw consent where processing is based on consent;
- to appeal a denied request where applicable state law provides appeal rights; and
- to be free from unlawful discrimination or retaliation for exercising privacy rights.
To submit a rights request, email privacy@concourse.co. We may need to verify your identity and, where relevant, your authority to make a request. Where permitted by law, you may use an authorized agent to submit certain requests on your behalf, subject to verification.
If we deny a request and appeal rights apply, you may appeal by replying to our decision notice or by emailing privacy@concourse.co within the period stated in the denial notice. We will review the appeal and respond within the time required by applicable law. If we deny an appeal, we will, where state law requires us to do so, explain how you may contact the appropriate regulator or attorney general.
California Supplemental Disclosures
This section supplements the rest of this Privacy Policy for California residents and is intended to address the CCPA/CPRA.
During the preceding 12 months, Concourse may have collected the following categories of personal information, depending on the context: identifiers; customer records information; commercial information; internet or other electronic network activity information; geolocation data derived from IP address; audio, electronic, or visual information; professional or employment-related information; inferences; and, where relevant and lawfully collected, limited categories of sensitive personal information.
Concourse may collect personal information from the following categories of sources: directly from individuals; automatically from devices and browsers; from customers or their organizations; from service providers and business partners; from integrations or connected platforms; and from publicly available or commercially available sources.
Concourse may use personal information for the following business or commercial purposes: providing and administering the website, Services, and business relationships; communications and support; billing and payment processing; security, fraud prevention, and incident response; analytics, product improvement, and performance monitoring; legal compliance, audits, and recordkeeping; and business operations, including corporate transactions and relationship management.
Concourse may disclose personal information for business purposes to service providers, contractors, customers, integration partners, professional advisors, transaction counterparties, and authorities.
Appendix A lists Concourse's current named service providers and subprocessors together with their service functions and typical processing context.
Concourse does not sell customer-controlled service data. Concourse does not knowingly sell personal information for monetary consideration. If any website technology is treated as a sale or share of personal information under California law, the relevant categories may include identifiers, internet or other electronic network activity information, and related inferences used for analytics, attribution, or advertising purposes, and California residents may opt out through available controls and recognized opt-out preference signals where required.
Concourse does not use or disclose sensitive personal information for purposes that would trigger a standalone California right to limit use and disclosure, except to the extent such use occurs and the right becomes applicable, in which case Concourse will provide the required mechanism.
California residents may request information under California Civil Code section 1798.83 ("Shine the Light") by contacting privacy@concourse.co.
EEA / UK / Switzerland Privacy Rights
If the GDPR, UK GDPR, or Swiss data protection law applies to our processing of your personal information, and Concourse acts as a controller, you may have the right to:
- access your personal data;
- rectify inaccurate or incomplete personal data;
- request erasure in certain circumstances;
- request restriction of processing in certain circumstances;
- object to processing based on legitimate interests, including objection to direct marketing;
- receive personal data in portable form where applicable;
- withdraw consent where processing is based on consent; and
- lodge a complaint with a competent supervisory authority.
If you use the Services through an organization and your request relates to customer-controlled service data for which that organization is the controller, you should normally direct your request to that organization first. Concourse will assist the relevant controller where required by contract or law.
International Data Transfers
Concourse is based in the United States and may process personal information in the United States and other jurisdictions where we or our service providers operate. Where required by applicable law, we implement appropriate safeguards for cross-border transfers, such as standard contractual clauses or other recognized transfer mechanisms.
Data Security
Concourse maintains administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures may include encryption in transit and at rest, access controls, authentication and authorization checks, logging, monitoring, secure development practices, security testing, and role-based restrictions appropriate to the context.
No system can be guaranteed to be perfectly secure. If you believe your account or information has been compromised, please contact security@concourse.co promptly.
Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including for contractual performance, business operations, support, security, fraud prevention, legal compliance, auditing, dispute resolution, and recordkeeping.
Retention varies by category and context. For example:
- inquiry, demo, and marketing-contact information is generally retained for the life of the business relationship and a reasonable period afterward, or longer where suppression or compliance records are needed;
- account, administrator, support, and contracting records are generally retained for the life of the account or contract and for a reasonable period thereafter for legal, tax, accounting, insurance, audit, and dispute-resolution purposes;
- security, diagnostics, and operational logs are retained according to technical, security, operational, and legal needs;
- billing, finance, and payment-related records are generally retained for tax, accounting, audit, and regulatory purposes for the period required by applicable law or internal policy; and
- customer-controlled service data is retained primarily under the applicable customer agreement, customer instructions, backup practices, legal holds, and security or operational requirements.
When retention is no longer required, we will delete, de-identify, anonymize, or securely dispose of the information in accordance with applicable law and our internal policies.
Children's Privacy
The website and Services are not directed to children under 16, and we do not knowingly collect personal information directly from children under 16 for Concourse-controlled purposes without the consent required by law. If you believe a child has provided personal information to us unlawfully, please contact privacy@concourse.co.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, service providers, legal obligations, or business operations. We will post the updated version and revise the "Last updated" date. Where required by law, we will provide additional notice.
Contact Us
If you have questions about this Privacy Policy or want to submit a privacy request, please contact us at:
Email: privacy@concourse.co
Concourse Technologies, Inc.
149 5th Ave, 2nd Floor East
New York, NY 10010
Appendix A. Current Named Service Providers and Subprocessors
The following list reflects the primary service providers and subprocessors currently disclosed by Concourse as of the Last updated date of this policy. Depending on the context, these providers may process Concourse-controlled personal information and/or customer-controlled service data on Concourse's behalf or in support of the Services.
Amazon Web Services (AWS)
Service / Role: Cloud Provider (IaaS)
Address: 410 Terry Ave N, Seattle, WA 98109, USA
Typical Processing Context: Hosts servers, storage, databases, networking, backups, and core infrastructure where customer data and Concourse application infrastructure may reside.
Snowflake
Service / Role: Data Storage and Processing
Address: Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, USA
Typical Processing Context: Provides cloud data warehousing and analytics used to store or analyze application, usage, and reporting data and, where configured, customer data.
Anthropic
Service / Role: AI / Data Processing
Address: 500 Howard Street, San Francisco, CA 94105, USA
Typical Processing Context: Provides AI and large language model services that may process prompts, inputs, outputs, and related application data for AI-enabled features.
Stripe
Service / Role: Finance and Payments
Address: 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA
Typical Processing Context: Provides payment processing and subscription billing services and processes customer billing, payment, and related business contact information.
Datadog
Service / Role: Cloud Monitoring / Logging
Address: 620 8th Ave Fl 45, New York, NY 10018-1741, USA
Typical Processing Context: Provides application performance monitoring, log management, reliability, and security support; may process limited customer-related data contained in logs and telemetry.
Clerk
Service / Role: Authentication Platform
Address: 660 King Street, Unit 345, San Francisco, CA 94107, USA
Typical Processing Context: Provides authentication, session management, multi-factor authentication, and user management for platform access.
Google Workspace
Service / Role: Identity Provider / Email / Collaboration
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Typical Processing Context: Supports internal communications, document management, collaboration, and certain identity or account-administration workflows.
OpenAI
Service / Role: AI / Data Processing
Address: 3180 18th Street, San Francisco, CA 94110, USA
Typical Processing Context: Provides AI and large language model services used to process user-submitted content and generate application outputs as part of core service functionality.
Nango
Service / Role: Engineering / Integration Synchronization
Address: 548 Market Street, PMB 77835, San Francisco, CA 94104, USA
Typical Processing Context: Provides API integration and data synchronization services used to connect the platform with third-party systems and may process customer data as part of integration workflows.
PostHog
Service / Role: Product Analytics
Address: 2261 Market Street, Suite 4008, San Francisco, CA 94114, USA
Typical Processing Context: Processes telemetry, analytics, and session-replay or behavioral information that may include identifiers or usage information tied to users or customers.
Langfuse
Service / Role: Observability / LLM Engineering
Address: 156 2nd St, Suite 608, San Francisco, CA 94105, USA
Typical Processing Context: Provides observability for AI features, including traces, prompts, outputs, metrics, and evaluations used to debug, monitor, and improve AI-enabled functionality.
Appendix B. Retention Criteria Summary
Concourse determines retention using criteria such as the nature of the relationship, the purpose for processing, legal and contractual retention obligations, security and fraud-prevention needs, backup and business continuity requirements, dispute-resolution needs, and whether the information is necessary to provide the Services or document compliance.