Privacy Notice

Sustainable Facilities Management Group, an S corporation ("SFMG," "we," "our," "us"), provides environmental control and facility maintenance for luxury retail boutiques. This notice describes how we collect, use, disclose, and protect information about visitors to sfmg.group, our brand clients, and our certified service partners.

Inquiries about this notice or your information may be sent to zamora@sfmg.group or by phone at (786) 267-1740.

We collect three categories of information.

A. Information you give us directly

• Inquiry forms. Contact form, request-proposal form, and demo-access submissions: name, company name, work email, phone (optional), location count or market, and the message you send us.
• Client and partner accounts. Account name, email, hashed password, role, and login activity. For service partners, we additionally hold the business contact, service categories, certifications, insurance, W-9 status, and bank / routing details only insofar as required to issue payment through QuickBooks (we do not store full account numbers on-platform; QuickBooks is the system of record).
• Service-visit records. When a partner completes a visit to a client boutique, the partner uploads photos and check-in data through the partner portal. Photos may include the boutique interior or exterior; they are not intended to capture people. Photo metadata may include device EXIF coordinates and a timestamp; we use these to confirm that the visit occurred at the contracted location and time.

B. Information collected automatically

• Server logs. Every request to our origin records the requesting IP address, user agent string, requested URL, timestamp, and HTTP status. We use these for security monitoring, abuse detection, and capacity planning.
• First-party cookies and similar storage. See Section 5 for the complete list.
• Performance and error telemetry. When the platform emits an unexpected error, we capture a stack trace, the anonymized request context, and a build identifier so engineers can reproduce and fix the issue.

C. Information from third parties

• QuickBooks. When a client account is connected to QuickBooks, we read invoice and payment records associated with SFMG so we can reconcile open balances and surface payment status in the client portal.
• Public business directories. When evaluating a new lead, we may enrich the profile with publicly available information about the business (location count, brand, public contact information). We do not enrich individual identity profiles from people-search vendors.

We use information for the following purposes:

• Deliver the service. Schedule visits, dispatch service partners, generate certificates of completion, issue invoices, send reminders, and operate the client and partner portals.
• Communicate with you. Respond to inquiries, send operational updates about your account, and (with your consent) share occasional editorial briefings about the SFMG operating standard.
• Improve and secure the platform. Detect abuse, investigate security incidents, debug errors, and develop new features. We use de-identified or aggregated information for analytics where the underlying dataset would otherwise reveal personal information.
• Verify service execution. Compare partner-uploaded photo metadata to the contracted boutique coordinates so brand clients receive verifiable proof that work was performed at the correct location.
• Comply with legal obligations. Tax records, accounts payable, contractor 1099 reporting, court orders, lawful requests by regulators.

We do not sell your personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act.

For visitors and account-holders in the EU, UK, and Switzerland, we rely on the following GDPR / UK-GDPR legal bases:

• Performance of a contract — operating client and partner accounts, scheduling visits, processing payments.
• Legitimate interest — security monitoring, fraud prevention, error reporting, and confirming that contracted services were performed at the contracted location. We have balanced these interests against your rights and concluded the processing is proportionate.
• Consent — optional editorial communications. You may withdraw consent at any time without affecting prior lawful processing.
• Legal obligation — tax, accounting, and lawful requests.

For California residents, we collect the following categories of personal information defined at Cal. Civ. Code § 1798.140: identifiers, customer-records information, commercial information (transaction history with SFMG), internet/electronic-network activity (server logs and cookies), and geolocation associated with service-visit photos. We do not collect biometric identifiers, characteristics of protected classifications, audio/visual information of identifiable persons, or sensitive personal information as defined in § 1798.140(ae) — to the extent a partner-uploaded photo inadvertently captures a person, we treat it as service-visit operational data and do not perform facial recognition or other biometric processing.

We use the smallest set of first-party storage that lets the site function. We do not run third-party advertising trackers.

• Session cookies — issued at sign-in to the client portal, partner portal, and the internal Vault. Required for these surfaces to work; expire when you sign out or after a period of inactivity.
• CSRF tokens — short-lived per-form tokens used to prevent cross-site request forgery on portal actions.
• Preference storage — local-storage entries that remember last-used filters or table sort orders inside the portals.
• Build telemetry — a single non-tracking identifier used to associate a server-side error with the build that emitted it. It does not persist across sessions and is not used for marketing.

Public marketing pages do not require cookies to function. If we add an analytics cookie at any time, this notice will be updated and visitors in the EU/UK will be presented a consent prompt before the cookie is set.

We engage operators who process data on our behalf, under contract terms that require they use the data only to deliver their service to us. The current list:

• QuickBooks (Intuit Inc., USA) — invoicing, accounts receivable, accounts payable, contractor payments.
• DigitalOcean Holdings, Inc. (USA) — application and database hosting infrastructure.
• PingCAP / TiDB Cloud (USA) — managed database service.
• Amazon Web Services / CloudFront (USA) — content delivery for static images and video assets.
• Resend Inc. (USA) — transactional email delivery (account confirmations, invoice notifications).
• Anthropic, PBC (USA) — large-language-model inference used by the operations platform for editorial drafting, anomaly detection summaries, and AI photo verification.
• Google LLC (USA) — Workspace email + calendar, Maps APIs for address geocoding, and the Google Cloud project that holds OAuth credentials.
• Let's Encrypt (USA, ISRG) — TLS certificates.
• Telegram FZ-LLC (UAE) — bot platform that delivers operational alerts to the founder. No client or partner personal information is sent through Telegram beyond what is necessary to identify the alert (e.g. ticket number, location short-name, vendor short-name).

We may add or change subprocessors. Material changes will be reflected in this notice; if you have a direct contract with us that requires advance notice of subprocessor changes, the contract terms control.

SFMG operates from the United States and most of our subprocessors are US-based. If you access the service from the EU, UK, Switzerland, or another jurisdiction with a data-export regime, your information will be transferred to and processed in the United States. We rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum where applicable) with subprocessors that handle personal data of EU/UK data subjects.

We retain personal information only as long as needed for the purposes described above:

• Inquiry submissions — kept for the lifetime of the business relationship plus three years, then archived in aggregate form.
• Client and partner accounts — kept while the account is active, plus a reasonable period after termination to close out final invoices and disputes (up to three years), and longer where required by tax or accounting law (up to seven years).
• Service-visit records and certificates — kept as long as the brand client whose location they document maintains a relationship with us, then offered to the client for export.
• Server logs — rotated within 30 days unless retained for an open security incident.
• Backups — encrypted point-in-time backups are kept for up to 30 days for disaster recovery and are then overwritten.

We use commercially reasonable technical and organizational measures:

• Encryption in transit for all public traffic (TLS 1.2+) and for connections to our database and subprocessors.
• Encryption at rest on managed database storage and cloud provider disks.
• Account credentials stored as bcrypt hashes; never in cleartext.
• Bearer-token authentication on internal API surfaces; the bearer secret is rotated on a defined cadence.
• Least-privilege access — engineering and operations personnel have role-scoped access; founder-level access is used only for incident response and audit.
• Patch hygiene — dependencies are tracked against known-vulnerability advisories and bumped on a regular cadence.

No system is impervious. If we ever experience a breach affecting your personal information, we will notify you in compliance with applicable law and provide details of the scope, remediation, and recommended steps.

California (CCPA / CPRA)

California residents have the right to know what personal information we have collected about them, the right to request deletion of personal information (subject to limited exceptions), the right to correct inaccurate personal information, the right to limit our use of sensitive personal information, and the right not to be discriminated against for exercising these rights. Because we do not sell or "share" personal information for cross-context behavioral advertising, no separate "Do Not Sell or Share My Personal Information" link is required, but you may still confirm this in writing by contacting us.

EU / UK / Switzerland (GDPR / UK-GDPR)

EU, UK, and Swiss data subjects have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection (including objection to processing based on legitimate interest). Where we rely on consent, you have the right to withdraw consent at any time. You also have the right to lodge a complaint with your supervisory authority — for example, the UK Information Commissioner's Office (ICO), the Irish Data Protection Commission, or the data protection authority in your country of residence.

Everyone else

Even if you are not in California or the EU/UK, we will honor reasonable requests to access, correct, or delete information we hold about you, unless we have a legal obligation to retain it.

How to exercise these rights

Send your request to zamora@sfmg.group. We will confirm your identity (typically by replying from the email associated with your account) and respond within 45 days for CCPA requests or one month for GDPR requests, with a permitted extension where the request is complex. You can authorize an agent to make a request on your behalf; we will require written authorization and proof of the agent's identity.

The service is intended for businesses and their adult employees and contractors. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact zamora@sfmg.group and we will delete it.

Our public website does not currently respond to browser "Do-Not-Track" headers because there is no industry consensus on their meaning. We honor a Global Privacy Control (GPC) signal as an opt-out of "sale" or "sharing" of personal information for California residents — though we do not sell or share for cross-context behavioral advertising in any case.

Our site links to third-party services (for example, a partner's website or a public portfolio brand). This notice applies only to sfmg.group and the SFMG operations platform. Third parties have their own privacy practices.

We will revise this notice as our practices evolve. The "Effective" date at the top will reflect the latest revision. If we make material changes — for example, adding a new category of personal information or a new subprocessor that materially changes data flows — we will notify account-holders by email and post a banner on the site for at least 30 days before the change takes effect.

SFMG (Sustainable Facilities Management Group)
zamora@sfmg.group
(786) 267-1740

For privacy-specific inquiries, please put "Privacy" in the subject line.