Privacy Policy
RALCO PRIVACY POLICY
Last Updated: February 1, 2026
1. Introduction
Ralco Compliance Limited (“RALCO,” “we,” “us,” or “our”) is a company incorporated in Ireland (company number 759312) with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland. RALCO is the parent company of Ralco Inc., a Delaware corporation. RALCO operates the RALCO platform, including the website at https://ralco.io and the RALCO Worker mobile application (collectively, the “Service”). RALCO provides workforce management solutions to construction companies and other businesses (our “Customers”). If you are an employee or worker of one of our Customers who uses the RALCO Worker app, you are an “End User” of our Service.
This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service. It applies to both Customers and End Users. If you are an End User, please note that your employer (our Customer) may have its own privacy policy that also applies to you, and your employer controls certain decisions about how your data is used within the Service.
Important: We collect biometric information, including facial recognition data and electronic signatures. Please read Section 4 carefully and review our separate Biometric Information Privacy Policy for detailed information about how we handle biometric data.
2. Data Controller and Processor Roles
Because RALCO is established in Ireland, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to our processing of personal data by virtue of Article 3(1), even though the personal data we process relates primarily to individuals located in the United States and is stored on servers in the United States.
The roles of the parties with respect to personal data are as follows:
• Your employer (our Customer) is the data controller. Your employer decides why and how your personal data is processed through the Service — for example, for time tracking, workforce compliance, and payroll purposes.
• RALCO is the data processor. We process personal data on behalf of our Customers in accordance with their instructions and our Data Processing Agreement (“DPA”). A copy of our standard DPA is available on request.
• Amazon Web Services (AWS) is a sub-processor. AWS provides the cloud infrastructure on which the Service operates, located in the United States (Northern Virginia region).
In certain limited circumstances, RALCO acts as an independent data controller — for example, when we process data for our own account management, billing, product improvement, legal compliance, and security purposes.
3. Information We Collect
3.1 Information Provided by Customers
When a Customer registers for and uses the Service, we collect: account registration information (company name, contact name, email address, phone number, billing address); payment information (processed by our payment processor Stripe — we do not store credit card numbers); and information about End Users that the Customer adds to the platform (such as names, job roles, and contact information).
3.2 Information Provided by End Users
When End Users use the RALCO Worker app, we collect: account credentials and profile information; biometric information, including facial scans used for identity verification at clock-in and clock-out, and electronic signatures (see Section 4 and our Biometric Information Privacy Policy); and time and attendance records.
3.3 Information Collected Automatically
Usage Data: When you use the Service, we automatically collect information about your device and usage, including IP address, browser type, device type and identifiers, operating system, pages visited, and interaction data.
Location Data: The RALCO Worker app collects location data at the time of clock-in and clock-out to verify work site attendance. We do not continuously track End User location. Location services can be managed through your device settings, though disabling location may prevent you from using certain features of the Service.
Cookies and Similar Technologies: We use cookies (session cookies, preference cookies, and security cookies) and similar tracking technologies to operate and improve the Service. You can control cookies through your browser settings, but disabling cookies may affect Service functionality.
4. Legal Bases for Processing (GDPR)
Where the GDPR applies, we process personal data on the following legal bases:
• Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service under our agreement with the Customer.
• Legitimate interests (Article 6(1)(f)): Processing for product improvement, security, fraud prevention, and analytics, where those interests are not overridden by the data subject’s rights. Our legitimate interest assessment is available on request.
• Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, including employment recordkeeping requirements and tax obligations.
• Consent (Article 6(1)(a)): Where required, including for the collection and processing of biometric data. Consent for biometric data is obtained through the clickwrap mechanism at first use of the RALCO Worker app. Consent may be withdrawn at any time, though withdrawal may affect your ability to use certain features of the Service.
Special category data (Article 9): Biometric data used for the purpose of uniquely identifying a natural person constitutes special category data under Article 9 of the GDPR. We process this data on the basis of explicit consent (Article 9(2)(a)), obtained via the clickwrap consent flow.
5. How We Use Information
We use the information we collect to: provide, maintain, and improve the Service; process transactions and send related information; verify End User identity through biometric authentication; provide time, attendance, and workforce management functionality to Customers; send technical notices, updates, security alerts, and administrative messages; respond to comments, questions, and customer service requests; monitor and analyze usage trends to improve user experience; detect, prevent, and address fraud, security issues, and technical problems; and comply with legal obligations.
6. Biometric Information
We collect biometric information from End Users, including facial geometry data (captured through facial scans for identity verification at clock-in and clock-out) and electronic signatures. This biometric data is collected and used solely for the purpose of verifying End User identity and authenticating time and attendance records.
Facial recognition processing is performed using Amazon Rekognition, and biometric data is stored on secure Amazon Web Services (AWS) servers located in the United States (Northern Virginia region).
For complete information about our biometric data practices, including collection, use, retention, and destruction policies, and your rights regarding your biometric information, please review our Biometric Information Privacy Policy, which is incorporated into this Privacy Policy by reference.
7. How We Share Information
With Customers: If you are an End User, your employer (our Customer) has access to information about you within the Service, including time and attendance records, location data at clock-in/out, and verification status. Your employer, not RALCO, determines how this information is used for employment purposes.
With Service Providers / Sub-processors: We share information with third-party vendors. These providers are contractually obligated to use your information only to provide services to us and in accordance with this Privacy Policy and applicable data protection laws. A current list of our sub-processors is maintained in our DPA and is available on request.
For Legal Reasons: We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business Transfers: If RALCO is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service of any change in ownership or uses of your information.
We do not sell your personal information, including biometric information, to third parties.
8. International Data Transfers
RALCO is established in Ireland and is subject to the GDPR. Personal data processed through the Service is stored on servers located in the United States (Amazon Web Services, Northern Virginia region). RALCO personnel in Ireland may access personal data remotely in order to provide the Service, perform support, and fulfill its obligations under the DPA.
To the extent that this constitutes an international data transfer under Chapter V of the GDPR, the following safeguards are in place:
• AWS: AWS’s Data Processing Addendum incorporates Standard Contractual Clauses (SCCs) approved by the European Commission, providing appropriate safeguards for the transfer of personal data.
• Stripe: Stripe’s data processing terms incorporate SCCs and/or reliance on the EU-US Data Privacy Framework, as applicable.
[Note: Confirm transfer mechanisms for Google Analytics and any other sub-processors. Google Analytics may require additional assessment following CJEU guidance.]
You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 15.
9. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:
• Biometric data: Retained and destroyed in accordance with our Biometric Information Privacy Policy. Generally, biometric data is permanently destroyed when the initial purpose for collection has been satisfied, or within three (3) years of the End User’s last interaction with the Service, whichever occurs first.
• Time and attendance records: Retained for 5 years from the date of creation, consistent with federal and state recordkeeping requirements (including OSHA and Department of Labor requirements).
• Account and billing information: Retained for the duration of the Customer relationship and for 7 years thereafter for tax and accounting purposes.
• Usage data: retained for as long as necessary for analytics and service improvement purposes.
Upon termination of a Customer’s account, Customer data (including End User data associated with that Customer) will be retained for a period of 30 days to allow for data export, after which it will be securely deleted unless retention is required by law or the Customer has requested earlier deletion.
Under the GDPR, personal data shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e)). The retention periods above are justified on the basis of contractual necessity, legal obligation, and legitimate interest, and are subject to periodic review.
10. Data Security
We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage (in accordance with Article 32 of the GDPR). These measures include:
Technical safeguards: Encryption of data in transit and at rest using industry-standard protocols; access controls including multi-factor authentication for administrative access.
Administrative safeguards: Employee training on data protection; access limited to personnel who need it to perform their job functions; vendor security assessments; and incident response procedures.
Physical safeguards: Data hosted in secure AWS data centers with physical access controls.
No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
11. Breach Notification
In the event of a personal data breach (as defined under Article 4(12) of the GDPR), we will:
• Notify affected Customers (as data controllers) without undue delay, in accordance with our DPA;
• Provide sufficient information to enable the Customer to assess the breach and fulfill its own notification obligations to supervisory authorities (within 72 hours under Article 33 of the GDPR) and to affected data subjects (under Article 34 of the GDPR);
• Cooperate with Customers in investigating, mitigating, and remediating the breach.
To the extent required by US state breach notification laws (including the CCPA/CPRA and applicable state statutes), we will provide Customers with sufficient information to comply with their notification obligations.
Customers are responsible for notifying their End Users, relevant supervisory authorities, and state regulators as required by applicable law.
12. Your Rights
12.1 Rights Under the GDPR
If the GDPR applies to the processing of your personal data, you have the following rights:
• Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed, and to access that data.
• Right to rectification (Article 16): You have the right to have inaccurate personal data corrected.
• Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances.
• Right to restriction of processing (Article 18): You have the right to request restriction of processing in certain circumstances.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, including the Irish Data Protection Commission (see Section 15 for contact details).
Where RALCO is acting as a processor, we will redirect data subject requests to the relevant Customer (controller) unless otherwise instructed. We will assist the Customer in responding to such requests in accordance with our DPA.
12.2 Rights Under US State Laws
California Residents (CCPA/CPRA): If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information (note: we do not sell personal information); and the right to non-discrimination for exercising your privacy rights. To submit a request, contact us using the information in Section 15. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.
Biometric Information Rights: For information about your rights regarding biometric data, including rights under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, and similar state laws, please see our Biometric Information Privacy Policy.
12.3 All Users
Regardless of your location, you may request access to, correction of, or deletion of your personal information by contacting us using the details in Section 15. If you are an End User, certain requests may need to be directed to your employer (our Customer), as they control aspects of your data within the Service.
13. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the privacy practices of third parties. We encourage you to review the privacy policy of any third-party site you visit.
14. Children’s Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new “Last Updated” date and, where required by law or where changes are significant, by email to Customers. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy. Where required by the GDPR, we will obtain fresh consent if changes materially affect the basis on which personal data is processed.
16. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have a complaint about how your personal data is being processed, please contact us at:
Ralco Compliance Limited
17 Percy Place, Dublin 4, D04 V250, Ireland
Email: privacy@ralco.io
Phone: +353 (0)1 513 4400
Data Protection Officer / Privacy Contact:
Ciara Nolan, Data Protection Officer — privacy@ralco.io
Supervisory Authority:
Irish Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
Phone: +353 (0)1 765 0100 / 1800 437 737