1Fort Privacy Notice


Last Revised: August 11, 2025

This Privacy Notice describes how 1Fort Inc. (“we”, “us”, “our”) collects, uses and discloses information about users of our website (www.1fort.com), platform, applications, services, tools and features (collectively, the “Services”) including insurance brokers, clients of insurance brokers, insured businesses, website visitors, and any other individuals who use or interact with the Services. For the purposes of this Privacy Notice, “you” and “your” means you as the user of the Services. Please read this Privacy Notice carefully. By using any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Notice. If you do not agree to this Privacy Notice, please do not use or access the Services. We update this Privacy Notice at least every 12 months.

UPDATING THIS PRIVACY NOTICE

We may modify this Privacy Notice from time to time, in which case we will update the “Last Revised” date at the top of this Privacy Notice. If we make material changes to how we use or disclose information we collect, we will use reasonable efforts to notify you (such as by emailing you at the last email address you provided us, by posting notice of such changes on the Services, or by other means consistent with applicable law) and will take additional steps as required by applicable law. If you do not agree to any updates to this Privacy Notice, please do not continue using or accessing the Services.

OUR COLLECTION AND USE OF INFORMATION

When you use or access the Services, we may collect certain categories of information about you from a variety of sources.

California Notice at Collection (CCPA/CPRA). We collect the categories of personal information (PI) below for the purposes and retention periods noted. We disclose PI to service providers and contractors under written contracts that limit use to specified business purposes and require comparable privacy and security protections. We do not sell or share personal information as those terms are defined by California law.

• Identifiers (e.g., name, email, phone, IP address, account IDs): used for account creation, security, support, and communications; disclosed for business purposes; retained for the life of the account plus 3 years.
• Customer records (e.g., billing address, policy identifiers, payment transaction metadata): used for underwriting, billing, customer service, and compliance; disclosed for business purposes; retained for 7 years (tax/audit).
• Internet or other electronic activity (e.g., device and log data, pages viewed, interaction data): used for security, debugging, analytics, and service improvement; disclosed for business purposes; retained for 12 months.
• Approximate geolocation (e.g., city/region inferred from IP): used for fraud prevention, security, and content localization; disclosed for business purposes; retained for 12 months.
• Professional/employment data (e.g., role/title, broker license number if applicable): used for broker/partner management and compliance; disclosed for business purposes; retained for the life of the relationship plus 3 years.
• Commercial information (e.g., quotes, purchases, premiums, program selections): used to provide the Services, analytics, and reporting; disclosed for business purposes; retained for the life of the account plus 3 years.
• Inferences (e.g., security/cyber risk scores or similar): used for product features, analytics, and service improvement; disclosed for business purposes; retained for 24 months.
• Sensitive personal information (e.g., account log‑in and password; payment card details; government ID where required by an insurer or law; any health‑related information you provide): used for authentication, payments, compliance, and fraud prevention; disclosed for business purposes; retained only as necessary for permitted purposes or as required by law.

For PHI, retention and use are governed by our BAA and HIPAA (see HIPAA/PHI Addendum).

We retain personal information for no longer than is reasonably necessary for the purposes disclosed or as required by law. Where specific periods are not listed above, we use criteria such as the nature of the data, the reason it was collected, legal requirements, and the potential need to investigate or defend against claims.

Information Collected Directly From You

Some features of the Services may require you to directly provide certain information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features. Information that you directly submit through our Services may include:

• Basic contact details, such as name, address, phone number, email. We use this information to invite you to use the Services, create and maintain your account and provide the Services, and to communicate with you (including to tell you about products or services that may be of interest to you).
• Account information, such as username, security questions that you select and the answers you provide. We use this information to provide the Services and to maintain and secure your account with us. If you choose to register an account, you are responsible for keeping your account credentials safe. We recommend you do not share your access details with anyone else. If you believe your account has been compromised, please contact us immediately.
• Payment information, such as credit or debit card information and billing address. We use this information to process your payment and provide the Services.
• No AI / ML Model Training or Data Retention for That Purpose. We never use user data—whether obtained directly from you or via third-party APIs such as Google Workspace APIs—to develop, improve, or train generalized artificial-intelligence or machine-learning models. Data from such APIs is accessed solely to deliver the features you have requested, retained only as long as needed for that purpose, and then deleted or de-identified in accordance with this Privacy Notice.
• Any other information you choose to include in communications with us.

Information Collected Automatically

We may use cookies or other tracking technologies to automatically collect certain information about your interactions with the Services, which we use to tailor your experience, provide you with offers or promotions, run analytics, and better understand user interactions with the Services. Such information may include:

• Device information, such as device type, operating system, unique device identifier, and internet protocol (IP) address.
• Location information, such as approximate location.
• Other information regarding your interaction with the Services, such as browser type, log data, date and time stamps, clickstream data, and ad impressions.

Most browsers accept cookies automatically, but you may be able to control the way in which your devices permit the use of cookies. If you so choose, you may block or delete certain of our cookies from your browser; however, blocking or deleting cookies may cause some of the Services, including any portal features and general functionality, to work incorrectly. Your browser settings may also allow you to transmit certain privacy preference signals. We honor opt‑out preference signals (such as Global Privacy Control) as a valid request to opt out of sale/sharing for that browser or device. We do not respond to legacy “Do Not Track” signals. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/. To opt out of tracking by Google Analytics, click here.

Information Collected From Other Sources

We may obtain information about you from outside sources, including information that we collect directly from third parties and information from third parties that you choose to share with us. Such information may include:

• Analytics data we receive from analytics providers such as HubSpot and Google Analytics.
• Information we receive from career websites, such as LinkedIn, Monster, or Indeed, which we use to process your application for employment.
• Information we receive from consumer marketing databases or other data enrichment companies, which we use to better customize advertising and marketing to you.
• Information we receive when you choose to link any social media platforms to your account, such as Facebook or Twitter, which we use to maintain your account and login information.

Any information we receive from outside sources will be treated in accordance with this Privacy Notice. We are not responsible for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices. See “THIRD‑PARTY WEBSITES AND LINKS” below for more information.

In addition to the specific uses described above, we may use any of the above information to provide you with the Services and to maintain our business relationship, including by enhancing the safety and security of our Services (e.g., troubleshooting, data analysis, testing, system maintenance, and reporting), providing customer support, sending service and other non-marketing communications, monitoring and analyzing trends, conducting internal research and development, complying with applicable legal obligations, enforcing any applicable terms of service, and protecting the Services, our rights, and the rights of our employees, users or other individuals.

OUR DISCLOSURE OF YOUR INFORMATION

We may disclose your information to any of the following categories of third parties for legitimate purposes subject to this Privacy Notice:

• Our affiliates or others within our corporate group.
• Vendors or other service providers and contractors who help us provide the Services, including for system administration, cloud storage, security, customer relationship management, marketing communications, web analytics, payment networks, and payment processing.
• Third parties to whom you request or direct us to disclose information, such as through your use of social media widgets or login integration.
• Professional advisors, such as auditors, law firms, or accounting firms.
• Third parties in connection with or anticipation of an asset sale, merger, bankruptcy, or other business transaction.

We may also disclose your information as needed to comply with applicable law or any obligations thereunder (including cooperation with law enforcement, judicial orders, and regulatory inquiries), to enforce any applicable terms of service, and to ensure the safety and security of our business, employees, and users.

Service Providers and Contractors. Where we disclose PI to service providers or contractors, we do so under written contracts that (i) limit use to specified business purposes; (ii) require comparable privacy and security protections; (iii) prohibit selling or sharing PI or combining it with other data except as permitted by law; and (iv) require the recipient to notify us if it can no longer meet these obligations.

SOCIAL FEATURES

Certain features of the Services allow you to initiate interactions between the Services and third-party services or platforms, such as social networks (“Social Features”). Social Features include features that allow you to access our pages on third-party platforms, and from there “like” or “share” our content. Use of Social Features may allow a third party to collect and/or use your information. If you use Social Features, information you post or make accessible may be publicly displayed by the third-party service. Both we and the third party may have access to information about you and your use of both the Services and the third-party service. Where our ad/analytics partners act as our service providers or contractors, they are restricted by contract from using PI for their own independent purposes.

THIRD‑PARTY WEBSITES AND LINKS

We may provide links to third-party websites or platforms. If you follow links to sites or platforms that we do not control and are not affiliated with us, you should review the applicable privacy notice, policies and other terms. We are not responsible for the privacy or security of, or information found on, these sites or platforms. Information you provide on public or semi-public venues, such as third-party social networking platforms, may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators. Where our service providers or contractors provide functionality on our behalf, they are restricted by contract from using PI for their own independent purposes.

CHILDREN’S PRIVACY

Children under the age of 13 are not permitted to use the Services, and we do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected information about a child under 13 years of age, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a child under 13 years of age who has provided us with their personal information, you may contact us using the below information to request that it be deleted.


HIPAA / PHI ADDENDUM (WHEN WE ACT AS A BUSINESS ASSOCIATE)

When we provide services to a covered entity (e.g., a health plan or health care provider) or another business associate, we may receive Protected Health Information (PHI). For PHI, we act as a Business Associate under HIPAA and will:

• Use or disclose PHI only as permitted by our Business Associate Agreement (BAA) and HIPAA (e.g., to provide the Services, for our management/administration as permitted, and to create de‑identified data).
• Implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312).
• Flow down BAA obligations to any subcontractors that handle PHI.
• Apply the minimum necessary standard and maintain required documentation.
• Breach notification: if a breach of unsecured PHI occurs, notify the covered entity without unreasonable delay and no later than 60 days after discovery; the covered entity is responsible for notifying affected individuals as required by law.
• Upon termination, return or destroy PHI if feasible; if not feasible, continue to protect it and limit use to the purposes that make return or destruction infeasible.

This addendum is not a HIPAA Notice of Privacy Practices. Individuals should contact their health care provider or plan to exercise HIPAA rights related to PHI. PHI handled pursuant to HIPAA is exempt from CCPA; non‑PHI remains subject to this Privacy Notice.

DATA SECURITY AND RETENTION

Data Protection Mechanisms. We protect all customer data—especially sensitive data such as payment card details, insurance policy information, and any health-related or governmental identifiers—using AES-256 encryption at rest and TLS 1.2+ encryption in transit. Production systems are isolated on hardened networks; access is controlled through role-based permissions, multi-factor authentication, and the principle of least privilege. We maintain detailed audit logs, perform continuous security monitoring and annual independent penetration tests, and are certified as SOC 2 Type II compliant.

Enhanced Safeguards for Sensitive Data. For fields classified as “high sensitivity,” we layer additional controls including field-level encryption or tokenization, segregated key management, strict change-control procedures, and automated alerts for anomalous access attempts. For PHI, we apply the safeguards described in the HIPAA/PHI Addendum above.

Despite our reasonable efforts to protect your information, no security measures are impenetrable, and we cannot guarantee “perfect security.” Any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit. We recommend that you do not use unsecure channels to send us sensitive or confidential information.

We retain your information for as long as is reasonably necessary for the purposes specified in this Privacy Notice, including the category‑level periods noted in the Notice at Collection above, or as required by law. When determining the length of time to retain your information, we consider various criteria, including whether we need the information to continue to provide you the Services, resolve a dispute, enforce our contractual agreements, prevent harm, promote safety, security and integrity, or protect ourselves, including our rights, property or products.

YOUR CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, you have the following rights regarding your personal information, subject to certain exceptions:

Right to Know/Access. You may request details about our collection, use, disclosure, and, if applicable, sale/sharing of your personal information and access a copy of your personal information.

Right to Delete. You may request that we delete personal information we collected from you.

Right to Correct. You may request that we correct inaccurate personal information we maintain about you.

Right to Opt Out of Sale/Sharing. We do not sell or share personal information as defined by the CCPA/CPRA. If our practices change, we will update this Notice and honor opt‑out preference signals (e.g., Global Privacy Control). You may also use the “Do Not Sell or Share My Personal Information” link in our in‑app settings.

Right to Limit Use and Disclosure of Sensitive Personal Information. We use Sensitive PI only for permitted purposes (e.g., to provide the Services, ensure security and integrity, short‑term transient use, or as otherwise allowed by law). If we ever use Sensitive PI for additional purposes, you may limit such use/disclosure via the “Limit the Use of My Sensitive Personal Information” link in our website footer and in‑app settings.

Non‑Discrimination. We will not discriminate against you for exercising any of your rights.

How to Exercise Your Rights. You may submit a request via our web form (available through the links above), by email at hello@1fort.com, or by phone at (646)-389-0780. Please provide sufficient information to allow us to verify your identity and process your request; you may also authorize an agent to submit a request on your behalf with appropriate authorization. Our disclosures cover the 12 months preceding your verifiable request, and, where required by law, we will honor requests beyond that period.

Minors. We do not sell or share personal information of consumers under 16 years of age without an opt‑in (parental consent if under 13). Children under 13 are not permitted to use the Services as described above.

California “Shine the Light.” California residents may request information about our disclosures of personal information to third parties for their direct marketing purposes (if any) by emailing hello@1fort.com with “Shine the Light” in the subject line.

Financial Incentives. We do not offer financial incentives related to the collection, retention, use, or sale of personal information.

HOW TO CONTACT US

Should you have any questions about our privacy practices or this Privacy Notice, please email us at hello@1fort.com or contact us by mail at 335 Madison Ave, New York, NY 10017 or by phone at (646)-389-0780. You may also exercise California privacy choices using the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links in our website footer and in‑app settings.