PRIVACY POLICY industrial-slabs.com — Enryo Software LLC Effective date: September 14, 2025 This Privacy Policy explains how Enryo Software LLC (“Enryo,” “we,” “us,” “our”) collects, uses, discloses, and protects information in connection with the website, app, and services available at industrial-slabs.com (the “Service”). Business address: 1309 Coffeen Avenue, STE 1200, Sheridan, Wyoming 82801, USA Contact: contact[at]enryosoft.com 1) WHO WE ARE & SCOPE Enryo operates a web-based engineering calculations tool for industrial slabs-on-ground. This Policy applies to information we process as a controller (e.g., account info) and, where you use the Service for your business, as a processor on your behalf (e.g., project inputs/results). 2) INFORMATION WE COLLECT We collect and process the following categories: • Account & Contact Information: name, company, email, country, and communications with us. • Authentication: password (stored using strong one-way hashing; never in plaintext). • Project Data (you upload or enter): material properties, fiber parameters, project/site locations, designer name, load data (e.g., MHE, racking, wheel loads), boundary conditions, safety factors, and calculation results/exports. • Payment & Subscription Events (via Merchant/Seller of Record): we use Paddle as Merchant/Seller of Record. We receive webhook payloads from Paddle containing subscription and billing metadata (e.g., order/subscription IDs, product/plan, status events, renewal/cancellation dates, customer contact, amounts, tax/VAT status). We do not receive or store full card numbers or CVV. • Device & Usage Data: IP address, browser/user agent, pages visited, timestamps, and similar diagnostic/log information (to operate and secure the Service). • Cookies/Similar Technologies: see Section 8. 3) HOW WE USE INFORMATION (PURPOSES & LEGAL BASES) We use information to: • Provide, maintain, and secure the Service; perform calculations; generate reports. (Contract) • Create and manage accounts; authenticate and support users. (Contract; Legitimate Interests) • Process subscriptions, taxes, invoices/refunds via Paddle. (Contract; Legal Obligation) • Communicate about updates, security, and changes to terms. (Contract; Legitimate Interests) • Improve and develop features, including aggregated/anonymized analytics on usage and performance. (Legitimate Interests) • Comply with legal obligations, enforce Terms, and prevent abuse/fraud/security incidents. (Legal Obligation; Legitimate Interests) If we rely on consent (e.g., optional marketing emails), you can withdraw consent at any time. 4) ROLES; YOUR CONTENT • Controller: We are the controller for your account/profile and our own business records. • Processor: For Project Data you input to run calculations for your organization, we process that data on your instructions to provide the Service. We can provide a Data Processing Addendum upon request: [privacy@industrial-slabs.com]. 5) DISCLOSURES & RECIPIENTS We disclose information to: • Merchant/Seller of Record: Paddle (payments, invoicing, tax compliance, and related webhooks/events). • Service Providers: cloud hosting, storage/backup, logging, email delivery, customer support, security, analytics/measurement, and anti-abuse vendors—bound by contracts to process only under our instructions. • Legal/Compliance: when required by law or to protect rights, safety, and security. • Corporate Transactions: in a merger, acquisition, or asset sale, subject to this Policy’s protections. We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. If this changes, we will update this Policy and provide required choices. 6) INTERNATIONAL TRANSFERS We may process and store data in the United States and other countries. Where required (e.g., EEA/UK/Switzerland), we use appropriate safeguards such as the EU Standard Contractual Clauses/UK Addendum. 7) SECURITY We implement administrative, technical, and physical safeguards appropriate to the risk: • Encryption in transit; strong cryptography for stored passwords (never plaintext). • Access controls, least-privilege, logging, and monitoring. • Secure development practices and regular backups. No system is 100% secure. If we learn of a data breach affecting you, we will notify you and regulators as required by law. 8) COOKIES & TRACKING TECHNOLOGIES (UPDATED; ALL COOKIES TREATED AS NECESSARY) We use cookies and similar technologies (collectively, “cookies”) to operate, secure, and maintain the availability and performance of the Service. We consider the cookies we deploy to be **necessary** for core functionality, security, fraud prevention, service reliability, and aggregate measurement required to operate and improve the Service. We do not offer in-product options to disable cookies. You may block cookies in your browser, but parts of the Service may not function correctly. A. TYPES (ALL NECESSARY FOR OPERATION) • Strictly Necessary / Session: authentication, session continuity, load balancing, request routing, CSRF/security, rate limiting. • Security & Fraud Prevention: bot detection and abuse prevention (e.g., Google reCAPTCHA) used to protect forms and login flows. • Service Measurement (Aggregate, Operations-Critical): limited, aggregate measurement to understand service availability, feature uptake, and performance so we can keep the Service reliable at scale. Where we use third-party tools, we configure them to avoid using identifiers unnecessary to our purposes. B. THIRD-PARTY SERVICES WE MAY USE IN A NECESSARY MODE • Google reCAPTCHA: used solely for security/anti-abuse; may set security cookies and collect device/usage data to distinguish humans from bots. • Google Analytics (GA4) in consent/cookieless or similarly restricted mode: used for aggregate, operational measurement (e.g., page load reliability, feature uptake). Configured to minimize identifiers and avoid storing full IP addresses in reports. Where local laws require consent for analytics cookies, we implement GA4 in a mode th