Privacy Policy

CODE RIGHT INC.

CapitalPath Pro and Related Services

Government Municipal Edition

Effective Date: April 22, 2026 | Last Updated: April 22, 2026 | Version: 2.0

PLEASE READ CAREFULLY

This Privacy Policy describes how Code Right Inc. collects, uses, discloses, and protects personal information in connection with CapitalPath Pro and our related websites and services. This Policy should be read in conjunction with our Terms and Conditions.

1. INTRODUCTION

Code Right Inc. (doing business as CodeRight) ("Code Right," "CodeRight," "we," "us," or "our") provides the CapitalPath Pro application and related websites, support, and services (collectively, the "Services").

This Privacy Policy ("Policy") explains how we collect, use, disclose, and protect personal information in connection with the Services. This Policy should be read together with our Terms and Conditions, which govern the contractual relationship with our customers.

Who This Policy Applies To

This Policy applies to:

visitors to our websites and product pages;
current and prospective customers;
users authorized by our customers to access CapitalPath Pro; and
individuals who communicate with us for support, sales, or other business purposes.

Our Role When Serving Organizations

When CapitalPath Pro is provided to a government entity, municipality, or other organization (a "Customer"), the Customer organization controls the account and the information submitted to the application. In those cases, CodeRight processes personal information on the Customer's behalf as a service provider, processor, or in a similar role. Requests relating to application data should generally be directed to the Customer organization first.

2. PERSONAL INFORMATION WE COLLECT

Depending on how you interact with the Services, we may collect the following categories of personal information:

Category

Examples

Sources

Purpose

A. Contact & Business Information

Name, business email, phone, job title, organization name, mailing address

You; Customer admins; sales interactions

Communicate; provide Services; administer accounts

B. Account & Administrative Information

Account IDs, user roles, permissions, tenant info, authentication details

Customer; Microsoft platform

Provisioning; access control; support

C. Customer Application Data

Project records, funding requests, cost details, workflow status, approvals, comments, attachments

Customer and Users

Deliver Services on Customer's behalf

D. Support & Communications Data

Information in support tickets, demos, forms, correspondence

You

Respond to inquiries; improve support

E. Usage, Log & Device Information

Sign-in events, access times, pages viewed, browser, IP address, device IDs, diagnostic data

Automatically from your use

Security; troubleshooting; product improvement

F. Cookies & Similar Technologies

Browsing activity, session activity, preferences

Your browser or device

Functionality; analytics; security

Sensitive Personal Information

We do not intentionally collect or process sensitive personal information (as that term is defined under California and other state privacy laws) in connection with the Services, except as incidentally included in communications initiated by Users or in Customer Application Data controlled by the Customer. If you are a California resident, you have the right to limit the use and disclosure of sensitive personal information — see Section 12.

3. SOURCES OF INFORMATION

We collect personal information:

directly from you;
from our Customers and their authorized administrators;
automatically through your use of the Services (via cookies, analytics, server logs, and similar technologies);
from support, sales, marketing, and onboarding interactions;
from service providers, subprocessors, and business partners that assist us in operating the Services; and
from publicly available sources where permitted by law.

4. HOW WE USE PERSONAL INFORMATION

We use personal information for the following purposes:

to provide, host, administer, support, and maintain the Services;
to authenticate Users and manage access, permissions, and security;
to communicate with Customers and Users about the Services, updates, support matters, and service-related notices;
to monitor performance, troubleshoot issues, and improve the functionality, reliability, and security of the Services;
to analyze usage trends and develop, enhance, and improve our products and services;
to comply with applicable laws, regulations, legal process, and contractual obligations;
to investigate, prevent, or address fraud, security incidents, misuse, or other harmful or unlawful activity;
to establish, exercise, or defend legal claims; and
for other disclosed purposes that are compatible with the context in which the information was collected.

We do not use personal information for purposes materially different from those described in this Policy without updating this notice as required by applicable law.

5. AUTOMATED DECISION-MAKING AND PROFILING

CapitalPath Pro is a capital planning and workflow application that supports human decision-making by government finance and capital planning staff. The Services do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals.

To the extent the Services provide recommendations, prioritization scoring, forecasting, or other analytical outputs, those outputs are advisory and are intended to inform (not replace) decisions made by authorized human decision-makers at the Customer organization.

If CodeRight in the future introduces features that engage in automated decision-making or profiling producing legal or similarly significant effects, we will update this Policy, provide required notice, and offer any rights available under applicable law, including the right to request human review where applicable.

6. OUR ROLE WHEN PROCESSING PERSONAL INFORMATION

6.1 Processor / Service Provider Role

For personal information contained in Customer Application Data, CodeRight acts as a service provider, processor, or contractor on behalf of the Customer organization that uses CapitalPath Pro. In this role:

the Customer organization determines how and why that data is processed;
CodeRight processes the data to provide and support the Services under contract;
CodeRight will not retain, use, or disclose Customer Application Data for any purpose other than providing the Services or as permitted by applicable law; and
individuals seeking to exercise rights regarding Customer-controlled application data should direct their request to the relevant Customer organization first.

6.2 Controller / Business Role

CodeRight acts as the controller or business for personal information collected directly by us for our own operational purposes, such as website administration, account management, support, security, billing, sales, and marketing communications. For this information, individuals may exercise rights directly with CodeRight as described in Sections 11–13.

7. HOW WE DISCLOSE PERSONAL INFORMATION

We may disclose personal information in the following circumstances:

Service Providers and Subprocessors: We share information with vendors that help us operate, host, secure, support, or improve the Services, including Microsoft Corporation (Azure, Dataverse, Power Platform). We maintain a list of key subprocessors that is available upon request to Customers.
Customer Organizations: Information submitted to CapitalPath Pro may be available to the Customer organization that owns or administers the account.
Affiliates and Professional Advisors: We may disclose information to affiliated entities, auditors, insurers, attorneys, or other professional advisors as reasonably necessary.
Legal Compliance and Protection: We may disclose information where required by law, subpoena, court order, public records request, or other legal process, or where reasonably necessary to protect rights, safety, security, or property.
Business Transfers: We may disclose information in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, subject to appropriate confidentiality measures.
With Consent or Direction: We may disclose information where you or the Customer organization instructs us to do so.

No Sale; No Sharing for Cross-Context Behavioral Advertising

We do not sell personal information as "sell" is defined under applicable law (including for monetary or other valuable consideration). We do not share personal information for cross-context behavioral advertising. We do not knowingly sell or share the personal information of consumers under 16 years of age. If we ever change these practices, we will update this Policy and provide any opt-out mechanism required by applicable law.

8. DATA STORAGE, HOSTING, AND SECURITY

8.1 Hosting Environment

CapitalPath Pro operates on Microsoft business application technologies, including Microsoft Dynamics 365, Dataverse, Azure, and related Microsoft cloud services. Hosting, storage, and processing locations may depend on Microsoft platform configuration, customer environment choices, and Microsoft's service architecture. Microsoft publishes security, privacy, and compliance documentation for these platforms.

8.2 International Transfers

Customer and personal information may be processed in the United States and, in limited circumstances, in other locations depending on Microsoft's service architecture and support arrangements. Code Right does not independently control Microsoft's global infrastructure. Customers seeking specific data residency commitments should address those requirements in the applicable Microsoft environment configuration and contractual documentation. Where Code Right transfers personal information in a manner subject to applicable transfer restrictions, we will use safeguards required by applicable law.

8.3 Security Safeguards

We use administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. These safeguards include access controls, encryption of data in transit, logging and monitoring, secure development practices, and vendor management. Specific technical safeguards applicable to a particular deployment are described in the applicable Order Document, Statement of Work, or security documentation.

8.4 Security Program

Code Right maintains administrative, technical, and organizational safeguards designed to protect personal information appropriate to the nature of the Services and the information we process. These measures may include internal policies and procedures, role-based access controls, incident response practices, and vendor management controls. Specific safeguards applicable to a particular deployment may also be described in the applicable Order Document, Statement of Work, or other security documentation.

8.5 No Security Is Perfect

No security measure is perfect. While we implement reasonable safeguards, we cannot guarantee absolute security of personal information.

9. SECURITY INCIDENT NOTIFICATION

If we become aware of a confirmed security incident involving personal information, we will provide notifications as required by applicable law and our contractual commitments. Where applicable, notification may be provided to affected Customers, individuals, or regulatory authorities without unreasonable delay.

Our response may be informed by applicable breach notification laws, contractual requirements, and the facts of the incident.
Where appropriate, notifications may describe the categories of information affected, the date of discovery, a description of the incident, and steps taken to mitigate the incident and help prevent recurrence.
Customers remain responsible for notifications to their constituents, employees, or other individuals except to the extent a separate written agreement provides otherwise.

10. DATA RETENTION

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business operations. Representative retention periods are set forth below:

Data Category

Retention Period

Notes

Account and contact information

Duration of relationship + 7 years

Extended for tax and accounting

Customer Application Data

As specified by Customer; default: duration of subscription + 30 days

Subject to Customer's instructions

Support and communications data

3 years

Longer for escalated or legal matters

Website analytics and cookies

Up to 2 years

See Section 17 (Cookies)

Security logs and audit trails

1–2 years

Longer for active investigations

Marketing and sales inquiries

Duration of engagement + 2 years

Shorter if opt-out is exercised

Longer retention may apply where required to comply with legal obligations, defend or establish legal claims, or as required by the Customer organization's applicable records retention schedule. For government Customers, retention may be governed by the Customer's records retention requirements under applicable municipal, state, or federal law.

11. YOUR PRIVACY RIGHTS

Depending on your jurisdiction and the circumstances of your relationship with us, you may have the following rights regarding personal information that CodeRight processes as a controller or business (i.e., for our own operational purposes):

Right

What It Means

Right to Know / Access

Request confirmation of whether we process your personal information and obtain a copy of that information.

Right to Correct

Request correction of inaccurate personal information.

Right to Delete

Request deletion of personal information, subject to legal exceptions.

Right to Data Portability

Receive certain personal information in a portable, commonly used format.

Right to Opt-Out of Sale/Sharing

We do not sell or share for cross-context behavioral advertising. If this changes, you will have an opt-out right.

Right to Limit Use of SPI

California residents may limit use and disclosure of sensitive personal information in certain circumstances.

Right to Opt-Out of Profiling

In certain states, you may opt out of profiling that produces legal or similarly significant effects. See Section 5.

Right to Appeal

If we deny a request, you may appeal the decision where required by applicable law.

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

11.1 Where to Direct Requests

For personal information contained in Customer Application Data, please direct your request to the Customer organization (e.g., your municipality or employer) first. We will assist our Customers with appropriate requests where required by law or contract.

For personal information CodeRight collects directly (website visitors, marketing inquiries, direct support requests), please contact us using the information in Section 20.

11.2 Verification and Response Timelines

We will respond to verified requests within the timelines required by applicable law (generally 45 days, with a permitted extension of an additional 45 days where reasonably necessary). We will verify your identity to a degree of certainty appropriate to the sensitivity of the request, which may include confirming information we already have about you or requesting additional documentation.

11.3 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly with us.

11.4 Appeals

If we deny your request, you may appeal by submitting a written appeal to the address in Section 20, noting "Privacy Appeal" in the subject line. We will respond to the appeal within the timeline required by applicable law (generally 60 days). If you are unsatisfied with the outcome, you may contact your state Attorney General or applicable regulatory authority.

11.5 Anti-Discrimination

We will not deny you Services, charge you different prices, or provide you a different level or quality of Services because you exercised your privacy rights, except as permitted by applicable law.

12. CALIFORNIA RESIDENTS (CCPA / CPRA)

This section supplements Section 11 for residents of California under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.) ("CCPA").

12.1 Categories Collected in the Preceding 12 Months

In the preceding 12 months, we have collected the categories of personal information described in Section 2. See the table in Section 2 for categories of personal information, sources, and purposes. Information about how we disclose personal information is described in Section 7.

12.2 Sale and Sharing

We have not sold personal information and have not shared personal information for cross-context behavioral advertising in the preceding 12 months, and we do not intend to do so.

12.3 Sensitive Personal Information

California residents have the right to limit the use and disclosure of sensitive personal information (SPI) to purposes necessary to provide the Services. We do not use SPI for purposes beyond those described in Section 2. You may submit a request to limit use of SPI using the contact information in Section 20.

12.4 California Civil Code § 1798.83 ("Shine the Light")

California residents may request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

12.5 Minors Under 16

We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under 16 years of age without affirmative opt-in consent from the consumer (for consumers aged 13–15) or the consumer's parent or guardian (for consumers under 13).

13. OTHER U.S. STATE PRIVACY RIGHTS

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Nebraska, and other states with comprehensive consumer privacy laws may have rights similar to those described in Section 11, subject to each statute's thresholds, exemptions, and procedures.

13.1 Opt-Out Preference Signals (GPC)

At this time, our websites do not respond to Global Privacy Control (GPC) browser signals or equivalent universal opt-out mechanisms. If our practices change, we will update this Policy accordingly.

13.2 Do Not Track (DNT)

Our websites do not currently respond to Do Not Track (DNT) browser signals.

13.3 Appeals

State laws typically require the option to appeal denied requests. The appeal process is described in Section 11.4.

14. EUROPEAN UNION / UNITED KINGDOM / EEA RESIDENTS (GDPR)

Although CapitalPath Pro is designed for U.S. governmental and municipal use, visitors from the European Union, European Economic Area, United Kingdom, or Switzerland may interact with our websites or submit inquiries. This section addresses additional rights and disclosures applicable under the GDPR and UK GDPR.

14.1 Legal Bases for Processing

Where the GDPR applies, we process personal information under the following legal bases: (a) performance of a contract; (b) compliance with legal obligations; (c) legitimate interests (including operating and improving our business, securing our systems, and communicating about the Services), where such interests are not overridden by your rights and freedoms; and (d) consent, where required.

14.2 International Transfers

Personal information may be transferred to, stored, and processed in the United States and other countries where data protection laws may differ from those in your jurisdiction. Where required, we implement appropriate safeguards (such as Standard Contractual Clauses) to protect international transfers.

14.3 GDPR-Specific Rights

Data subjects in the EEA, UK, and Switzerland may have the rights of access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with a supervisory authority. To exercise these rights, contact us as described in Section 20.

15. GOVERNMENT AND MUNICIPAL CUSTOMER CONSIDERATIONS

CapitalPath Pro is designed for use by government and municipal customers. This section addresses privacy considerations specific to the government customer context.

15.1 Public Records Laws

Government Customers may be subject to public records laws (such as the Massachusetts Public Records Law, M.G.L. c. 66, and state equivalents). Customer Application Data may constitute a public record under these laws. CodeRight does not determine whether specific Customer data is subject to public records disclosure — that determination is made by the Customer organization.

When CodeRight receives a public records request that implicates Customer data, we will cooperate with the Customer organization to facilitate appropriate response while protecting legally exempt materials and trade secrets.

15.2 Regulated Data Categories

The Services are not designed or certified for storage or processing of data subject to specialized regulatory regimes, including the Criminal Justice Information Services (CJIS) Security Policy, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), or Controlled Unclassified Information (CUI) requirements. Customers should not submit regulated data to the Services unless a separate written agreement specifically addresses the applicable regulatory framework.

15.3 Government Employee Data

Personal information of Customer employees (government staff) is processed on behalf of the Customer under the applicable Terms and Conditions and Data Processing Agreement. Government employees should direct requests regarding their personal information to their employing agency first.

15.4 Government Audit Access

Customer may be subject to audit by government authorities, including the Massachusetts State Auditor, the Office of the Inspector General, and other oversight bodies. Where required by contract, we cooperate reasonably with such audits to the extent they relate to Customer's use of the Services.

16. SUBPROCESSORS

We engage subcontractors and third-party subprocessors to assist in delivering the Services. Our current key subprocessors include (without limitation):

Microsoft Corporation and its affiliates — cloud hosting, Power Platform, Dataverse, Azure, Dynamics 365;
security, analytics, email, and support providers engaged in the operation of the Services.

A current list of key subprocessors is available upon request from Customers. We remain responsible for the performance of our subprocessors to the extent set forth in the applicable contract. We provide reasonable advance notice of material changes to our subprocessor list in accordance with applicable law and contract terms.

17. COOKIES AND SIMILAR TECHNOLOGIES

Our websites and product pages may use cookies and similar technologies for the following purposes:

Strictly necessary: keeping the site functioning, enabling authentication, maintaining session state;
Functional: remembering preferences and settings;
Analytics: understanding traffic and usage patterns to improve performance and usability;
Security: detecting and preventing fraudulent or malicious activity.

You may manage cookies through your browser settings. Disabling cookies may limit certain functionality of the Services.

Our websites do not currently respond to Global Privacy Control (GPC) browser signals or Do Not Track (DNT) browser signals.

18. CHILDREN'S PRIVACY

The Services are intended for business and governmental use and are not directed to children. We do not knowingly collect personal information from children under 13 through the Services (Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.).

We do not knowingly sell or share personal information of consumers under 16 years of age for cross-context behavioral advertising without the required affirmative opt-in consent.

If we become aware that we have collected personal information from a child under 13 without appropriate parental consent, we will delete that information. Parents or guardians may contact us using the information in Section 20 to request deletion of a child's personal information.

19. ACCESSIBILITY

We are committed to making our Services and this Policy accessible to persons with disabilities. If you have difficulty accessing this Policy or need an alternative format, please contact us using the information in Section 20 and we will provide reasonable accommodations.

20. CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time. When we do, we will revise the Effective Date and Last Updated date at the top of this Policy and post the updated version at the relevant website or application location. If changes are materially significant, we will provide additional notice as appropriate, which may include email notification to Customers or in-product notification.

Prior versions of this Policy are maintained in our records and may be made available where appropriate. Your use of the Services remains subject to applicable law and any separate signed agreement that governs the Services.

21. CONTACT US

If you have questions about this Policy, wish to submit a privacy-related request, or need to contact our Privacy Coordinator, please use the information below:

Code Right Inc.

Attention: Privacy Coordinator

20 Marion Drive

Tewksbury, MA 01876

Privacy inquiries: privacy@coderight.com

General support: support@coderight.com

Phone: 781-389-9695

CapitalPath Pro Privacy Policy — Government Municipal Edition