1. Introduction

This Privacy Policy ("Policy") describes how Icarus Inc., the developer and operator of Hail Sentinel ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use any of our services, including:

• The Hail Sentinel marketing website at hailsentinel.com (the "Website")
• The Hail Sentinel mobile application for iOS and Android (the "App")
• The Hail Sentinel Business Console web platform (the "Console")

Collectively, these are referred to as the "Services." By accessing or using any of the Services, you acknowledge that you have read and understood this Policy.

2. Scope and Operator

The business responsible for your personal information is:

3. Information We Collect

3.1 Information You Provide Directly

Across all Services, we may collect information you provide directly:

• Account Information: Email address, name, and password (stored as a salted hash) when you create an account.
• Profile Information: Any additional information you choose to add to your profile.
• Communication Data: Content of messages you send us through contact forms, email, support channels, or surveys.
• Payment Information: Billing details processed through secure third-party payment processors — we do not directly store payment card details.

3.2 Website Data

When you visit our Website, we collect contact information (name, email, phone) when you submit forms or subscribe to our newsletter; device and browser information (IP address, browser type, OS, device type, screen resolution); and usage information (pages visited, time on page, referrer, click patterns). We use Google Analytics 4 and Microsoft Clarity for first-party analytics — see Section 6. We do not run advertising or retargeting pixels on the Website.

3.3 Mobile App Data

When you use the Hail Sentinel App, we collect the following data. This section is provided to comply with Apple App Store and Google Play data disclosure requirements.

3.3.1 Location Data

• Foreground Location: Your device's precise geographic location when the App is open and in use.
• Background Location ("Follow Me" Mode): With your explicit permission, the App may collect your location even when closed. This enables real-time weather alerts as you travel. You can enable or disable this at any time in App settings or device location permissions.
• Saved Locations: Addresses and coordinates of locations you save for weather monitoring.
• Location History: We may retain location data to improve forecast accuracy and provide historical weather information.

Precise geolocation is treated as sensitive personal information under the California Consumer Privacy Act. We use it only to deliver the Services you signed up for (alerts, forecasts, historical analysis) and never for advertising, profiling, or sale.

3.3.2 Device Information

Device type, model, and manufacturer; operating system and version; unique device identifiers (device ID, advertising ID); mobile network information; time zone and language settings; App version.

3.3.3 Usage and Notification Data

App features accessed and actions taken; frequency and duration of usage; crash reports and performance data; push notification interactions and tokens; search queries within the App.

3.3.4 Third-Party Data

If you sign in using Google, Apple, or other third-party authentication, we receive basic profile information as permitted by those services. RevenueCat provides subscription status, purchase history, and entitlement information. In-app purchases are processed through Apple App Store or Google Play Store.

3.4 Business Console Data

3.4.1 Account & Organization Information

Administrator details (name, email, phone, job title); organization information (company name, address, industry, size, billing); team member data (names, emails, roles).

3.4.2 Location & Asset Data

Monitored locations (addresses, coordinates, property details); asset information (optional vehicle fleets, equipment, property values); custom geographic zones and alert boundaries.

3.4.3 Usage & Technical Data

Console activity (features, reports, alerts, actions); API usage (calls, endpoints, parameters); device information (browser, OS, IP); access logs, error logs, and security audit trails.

3.4.4 Integration Data

Data exchanged with connected third-party services (CRM, ERP, fleet management); webhook transmissions; SSO/SAML authentication tokens and user attributes.

3.5 Categories of Personal Information Collected (CCPA/CPRA Notice at Collection)

In the preceding 12 months, we have collected the following statutory categories of personal information, from the sources and for the purposes described in this Policy:

Category	Examples	Sold or Shared?
Identifiers	Name, email, phone, account ID, IP address, device ID	No
Customer Records	Billing address, payment information (handled by processors)	No
Commercial Information	Subscription tier, purchase history, entitlement state	No
Internet Activity	Pages visited, click patterns, session duration, referrer	No
Geolocation Data	Precise device location (App, with permission); coarse IP-based location (Website)	No
Sensory Data	Microsoft Clarity heatmap and session recording metadata (no audio, no video, form fields auto-redacted)	No
Professional Information	Company, job title, role (Console only)	No
Inferences	Risk profiles, preferred locations, alert thresholds	No
Sensitive PI	Precise geolocation (used only to deliver Services, never for advertising)	No

4. How We Use Your Information

4.1 Core Service Delivery

Providing weather forecasts, hail predictions, and storm alerts; sending push notifications (App); enabling "Follow Me" mode (App); generating reports and analytics (Console); managing your account and preferences; processing subscriptions; processing API requests (Console).

4.2 Service Improvement

Analyzing usage to improve features; improving forecast accuracy and alert timing; debugging technical issues; research and development; measuring marketing effectiveness (Website).

4.3 Communications

Responding to support requests; service announcements and updates; newsletters and promotional materials (with consent); subscription status notifications; maintenance notices (Console).

4.4 Legal, Security & Compliance

Complying with legal obligations; protecting against fraud and unauthorized access; enforcing our Terms of Service; maintaining audit trails (Console).

5. Information Sharing and Disclosure

5.1 Service Providers

We share data with trusted third-party service providers under contracts that bind them to use the data only on our behalf:

• Firebase (Google): Authentication, database (Firestore), push notifications (FCM), analytics, crash reporting (Crashlytics), App Check
• RevenueCat: Subscription management and in-app purchase processing (App)
• Apple & Google: In-app purchase payment processing (App)
• Stripe: Payment processing and billing (Console)
• Google Cloud Platform: Data hosting and processing
• Google Analytics 4: First-party website analytics, configured with Google Signals and ad personalization disabled (opt out)
• Microsoft Clarity: First-party heatmaps and session recordings, with form input fields auto-redacted (opt out)

A complete current list, including data categories and certifications, is maintained on our Subprocessor List.

5.2 Your Integrations

When you configure integrations, data may be shared with third-party services you connect (CRM, ERP, fleet management), webhook endpoints you configure, and your identity provider for SSO/SAML authentication.

5.3 Other Disclosures

We may share anonymized or aggregated location data with weather data partners. We may disclose your information to comply with legal process, protect rights and safety, enforce our Terms, or in connection with a merger or acquisition (with notice).

6. Cookies and Tracking Technologies

Cookies are small text files stored on your device when you visit a website. The Hail Sentinel mobile app does not use browser cookies. The Website uses two categories of cookies:

Category	Purpose	Examples
Strictly Necessary	Required for the Website to function (e.g., remembering your light/dark theme preference, session continuity).	localStorage keys (hs-theme, hs-analytics-optout)
Analytics	First-party analytics that help us understand how visitors interact with the Website. We do not use these cookies for advertising.	Google Analytics 4 cookies (_ga, _ga_*); Microsoft Clarity cookies (_clck, _clsk)

You can manage analytics on this Website at any time through our Your Privacy Choices page, by enabling Global Privacy Control in your browser, or by using your browser's cookie controls. Blocking strictly necessary cookies may impact your experience.

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Policy:

Data Type	Retention Period	Platform
Contact Form Submissions	Up to 2 years	Website
Newsletter Subscriptions	Until you unsubscribe	Website
Website Analytics	Up to 14 months (GA4); up to 90 days (Clarity)	Website
Location Data (real-time)	Processed immediately, not stored	App
Account Data	Active + up to 3 years after deletion	App, Website
Business Account Data	Contract duration + 3 years	Console
Location/Asset Data	Contract duration + 1 year	Console
Usage/Analytics Data	Up to 2 years	All
API Logs	90 days (customizable for business)	Console
Transaction/Billing Records	Up to 7 years	All
Support Communications	Up to 3 years after resolution	All
Security Audit Logs	Up to 3 years	Console

Business customers may have custom retention periods. When data is no longer needed, we securely delete or anonymize it.

8. Your Privacy Rights (All U.S. Users)

Regardless of which state you live in, we extend the following rights to all U.S. users of the Services:

• Right to Know / Access: Request a copy of the personal information we have about you.
• Right to Delete: Request deletion of your personal information, subject to legal retention requirements (e.g., billing records).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising — there is nothing to opt out of, but our Your Privacy Choices page lets you also opt out of website analytics.
• Right to Limit Use of Sensitive Personal Information: We use sensitive PI (precise geolocation) only to deliver the Services you requested.
• Right to Non-Discrimination: We will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right.
• Right to Appeal: If we deny a privacy request, you may appeal by replying to our denial notice or contacting privacy@hailsentinel.com.

To exercise any of these rights, email privacy@hailsentinel.com or use the in-product privacy controls in the App or Console. We will verify your identity before responding (typically by confirming control of the email on your account) and will respond within 45 days, with a possible 45-day extension where permitted. You may designate an authorized agent to submit a request on your behalf.

9. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), grants you additional rights. We honor all CCPA/CPRA rights described in Section 8.

9.1 Categories Collected, Sources, Purposes, and Recipients

See Section 3.5 for the categories of personal information we have collected in the preceding 12 months. Sources include: directly from you, automatically from your device when you use the Services, and from service providers (e.g., authentication and payment processors). Business purposes include service delivery, security, fraud prevention, debugging, and analytics. Recipients are the service providers listed in Section 5.1.

9.2 No Sale; No Sharing for Cross-Context Behavioral Advertising

We have not sold and have not shared (as those terms are defined under CCPA/CPRA) any personal information of California residents in the preceding 12 months. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

9.3 Sensitive Personal Information

The only sensitive PI we collect is precise geolocation (App). We use it only to deliver the Services you signed up for (alerts, forecasts, historical analysis) — uses that are exempt from the right to limit under CCPA §1798.121(d). We do not infer characteristics about you from sensitive PI.

9.4 Shine the Light

California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

9.5 How to Exercise CCPA/CPRA Rights

Email privacy@hailsentinel.com, or use the toggle on Your Privacy Choices. We honor Global Privacy Control as a valid opt-out signal — see Section 13.

10. Other U.S. State Privacy Rights

If you are a resident of Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA), Virginia (VCDPA), or another U.S. state with a comprehensive privacy law in effect, you have the rights described in Section 8.

• Targeted advertising: We do not engage in targeted advertising as defined under any state privacy law.
• Profiling for legally significant decisions: We do not use your personal information for automated decision-making that produces legal or similarly significant effects.
• Universal opt-out signals: We honor Global Privacy Control in Colorado and Connecticut as a valid opt-out request, in addition to California — see Section 13.
• Appeals: Residents of Colorado, Connecticut, Texas, and Virginia may appeal a denied privacy request by replying to our denial notice or emailing privacy@hailsentinel.com. If your appeal is denied, you may contact your state Attorney General.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication: Secure authentication mechanisms, including Firebase App Check
• Access Controls: Role-based access control (RBAC) limiting access to personal data
• Infrastructure: Secure cloud infrastructure through reputable providers
• Monitoring: Regular security assessments and updates

For Business Console customers, additional measures include infrastructure built on Google Cloud's SOC 2 Type II certified platform, Google Cloud built-in security monitoring and audit logging, and comprehensive audit trails.

While we strive to protect your information, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

12. Children's Privacy

The Services are not directed to children under the age of 13. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@hailsentinel.com and we will promptly delete it. We do not knowingly sell or share the personal information of consumers under 16 years of age (CCPA/CPRA).

13. Global Privacy Control

Hail Sentinel honors the Global Privacy Control (GPC) browser signal as a valid opt-out request, as recognized by the California Privacy Protection Agency, the Colorado Attorney General, and the Connecticut Attorney General. When your browser sends a GPC signal, we automatically disable analytics cookies on this Website on a per-browser basis — no further action is required from you.

Because the Services do not engage in cross-context behavioral advertising, "Do Not Track" browser signals do not change our behavior. You can manage your analytics preferences at Your Privacy Choices.

14. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes by posting the updated Policy, sending a push notification or email for significant changes, posting notice in the App or Console, and updating the "Last Updated" date. Material changes will have a 30-day notice period before taking effect. Your continued use of the Services after changes become effective constitutes acceptance.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices: