Deal Matrix

Cookie Policy

Version v3.0 · Effective April 12, 2026 · Phoenix Holdings LLC

Plain-Language Summary

  • We only use cookies that are strictly necessary to run the Service — primarily to keep you logged in, protect your account, and process payments. These cannot be turned off without breaking the Service.
  • We do not currently use analytics, advertising, marketing, error-monitoring, or tracking cookies. Because only strictly necessary cookies are set, no consent step is legally required under GDPR, ePrivacy, or CCPA. We display a brief informational cookie notice on the Marketing Website linking to this Policy.
  • We never sell your personal data. We never use browser fingerprinting.
  • Enterprise customers may have additional or overriding terms in their signed Data Processing Agreement.
  • California residents: we do not sell or share Personal Information, so no "Do Not Sell or Share" opt-out is needed.
  • If we later add optional cookies (e.g., analytics), we will update this Policy, publish a compliant consent banner, and obtain affirmative consent before any such cookie is set.
  • This summary is for convenience only and has no legal effect. The binding terms follow below.

1. Definitions

The following defined terms apply throughout this Cookie Policy. Capitalized terms not defined here have the meanings given in the Terms of Service, Privacy Policy, or applicable Data Processing Agreement.

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data in connection with the Service, including the GDPR, UK GDPR, ePrivacy Directive, CCPA/CPRA, and all U.S. state privacy laws identified in Appendix A.
  • "Authorized User" means any individual granted access to the SaaS Application by a Customer, including employees, contractors, agents, and consultants.
  • "Business Purpose" has the meaning given under the CCPA (Cal. Civ. Code § 1798.140(e)), and includes auditing, security, debugging, short-term transient use, performing services, internal research, and verifying quality and safety.
  • "Consent" means a freely given, specific, informed, and unambiguous indication of the data subject's wishes, as defined under Article 4(11) of the GDPR.
  • "Controller" has the meaning given under Article 4(7) of the GDPR.
  • "Cookie(s)" means HTTP cookies, web beacons, pixels, local storage objects, session storage, ETags, device identifiers, and any similar tracking technologies placed on or accessed from a Device.
  • "Customer" means the organization or individual that subscribes to the Service under a paid or trial plan.
  • "Customer Data" means any data uploaded, entered, or generated by a Customer or its Authorized Users within the SaaS Application, excluding Usage Data.
  • "Data Processing Agreement" or "DPA" means a separately executed agreement between the Company and a Customer governing the processing of Personal Data, including any Standard Contractual Clauses incorporated therein.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed through Cookies.
  • "Device" means any internet-enabled hardware used to access the Service.
  • "Global Privacy Control" or "GPC" means the browser-level privacy signal defined at globalprivacycontrol.org, recognized as a legally valid opt-out signal under the CCPA/CPRA, CPA, CTDPA, and other applicable laws.
  • "Marketing Website" means the public-facing website at www.dealmatrixcrm.com used for product information, pricing, and lead generation.
  • "Personal Data" / "Personal Information" has the broadest meaning given under any Applicable Data Protection Law, including the GDPR (Article 4(1)) and CCPA (§ 1798.140(v)).
  • "Processing" has the meaning given under Article 4(2) of the GDPR.
  • "Processor" has the meaning given under Article 4(8) of the GDPR.
  • "SaaS Application" means the authenticated web application accessible at https://www.dealmatrixcrm.com and any associated APIs, mobile applications, and integrations.
  • "Service" means the Marketing Website, SaaS Application, APIs, mobile applications, email communications, and all related services operated by the Company.
  • "Service Provider" has the meaning given under the CCPA (§ 1798.140(ag)).
  • "Sharing" / "Share" has the meaning given under the CCPA/CPRA (§ 1798.140(ah)), including making Personal Information available to a third party for cross-context behavioral advertising.
  • "Sub-processor" means a third party engaged by the Company to process Personal Data collected through Cookies on behalf of a Customer.
  • "Usage Data" means aggregated, anonymized, or pseudonymized data derived from Cookies about how users interact with the Service.

2. Introduction and Scope

2.1 Purpose

This Cookie Policy ("Policy") explains how Phoenix Holdings LLC, an Illinois Limited Liability Company, doing business as Deal Matrix CRM ("Company," "we," "us," or "our"), uses Cookies when you access or use our Service. This Policy is incorporated into and forms part of our Terms of Service and Privacy Policy. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must discontinue use of the Service immediately and delete any Cookies already placed by the Service.

2.2 Scope of Application

This Policy applies differently depending on how you interact with us:

  • Marketing Website: All visitors. Only strictly necessary Cookies are set.
  • SaaS Application: Authenticated Authorized Users. Strictly Necessary Cookies are placed upon login.
  • APIs: Authentication tokens transmitted in request headers are treated as Strictly Necessary.
  • Mobile Applications: Device identifiers and local storage are governed by this Policy, subject to platform-level privacy settings (iOS App Tracking Transparency, Android Privacy Sandbox).

2.3 Data Controller and Processor Roles

For cookie processing on the Marketing Website: The Company acts as the sole Controller of Personal Data collected through Cookies.

For cookie processing within the SaaS Application: The Company acts as a Processor on behalf of the Customer (Controller) with respect to Customer Data, and as an independent Controller with respect to Usage Data and operational data (e.g., authentication tokens, security cookies). The allocation of Controller/Processor roles for specific data categories is further detailed in the applicable DPA.

Third-party cookie providers (e.g., Clerk, Stripe) act as independent Controllers or Sub-processors, depending on the nature of their processing. The Company maintains contractual agreements (DPAs or equivalent) with all third-party cookie providers.

3. Cookie Technologies

3.1 First-Party vs. Third-Party Cookies

First-Party Cookies are set by our domain. Third-Party Cookies are set by a domain other than ours, typically by integration partners such as our authentication provider (Clerk) and payment processor (Stripe).

3.2 Session vs. Persistent Cookies

Session Cookies are deleted when you close your browser. Persistent Cookies remain for a defined period or until manually deleted.

3.3 Other Tracking Technologies

  • Web Beacons / Pixels: Transparent images tracking page visits and email opens.
  • Local Storage (HTML5): Browser storage for caching preferences and offline functionality.
  • Session Storage: Tab-scoped storage cleared on tab close.
  • ETags / Cache Identifiers: HTTP headers that may identify cached resources.
  • Device Identifiers (Mobile): IDFA (iOS), GAID (Android), subject to device-level privacy controls.
  • Server-Side Analytics: Server-side processing of analytics data governed by this Policy where Personal Data is involved.

3.4 Technologies We Do Not Use

We explicitly do NOT use: browser fingerprinting, canvas fingerprinting, device fingerprinting, ultrasonic cross-device tracking, CNAME cloaking to disguise third-party cookies as first-party, or any technology designed to circumvent user Consent choices.

4. Detailed Cookie Inventory

The table below lists representative Cookies deployed by the Service. This inventory is updated following each quarterly audit (Section 11). Cookies not listed here that are discovered during audits are blocked until classified and disclosed.

4.1 Strictly Necessary Cookies

Essential for core functionality. Cannot be disabled. No Consent required (ePrivacy Directive Article 5(3); CCPA "Business Purpose" exemption).

Cookie Name         | Provider        | Purpose                                                          | Type      | Duration
__session           | Deal Matrix CRM | Authenticated session state across page loads and API requests   | 1st Party | Session
__clerk_db_jwt      | Clerk           | Authentication token for identity verification and SSO           | 1st Party | Session
__client            | Clerk           | Client session identifier for multi-tab synchronization          | 1st Party | Session
__client_uat        | Clerk           | Session freshness validation timestamp                           | 1st Party | 1 year
csrf_token          | Deal Matrix CRM | Cross-site request forgery prevention for forms and APIs         | 1st Party | Session
sb-access-token     | Supabase        | Database access token for authenticated API requests             | 1st Party | 1 hour
sb-refresh-token    | Supabase        | Token refresh without re-authentication                          | 1st Party | 7 days
__cf_bm             | Cloudflare      | Bot management and DDoS protection                               | 3rd Party | 30 min
cf_clearance        | Cloudflare      | Security challenge proof storage                                 | 3rd Party | 30 min
__stripe_mid        | Stripe          | Fraud detection for payment processing                           | 3rd Party | 1 year
__stripe_sid        | Stripe          | Payment session integrity and fraud prevention                   | 3rd Party | 30 min
__vercel_live_token | Vercel          | Deployment preview authentication (staging only)                 | 1st Party | Session

The Service does not currently deploy any performance/analytics, error-monitoring, functional, or targeting/advertising cookies. If that changes, this Policy will be updated, a compliant consent banner will be published, and affirmative consent will be obtained before any non-essential cookie is set.

5. Additional Tracking Disclosures

5.1 Embedded Third-Party Content

Pages may embed content from third parties (YouTube, Vimeo, Google Maps, Stripe Elements, social media widgets). These providers may set their own Cookies subject to their own policies. We use privacy-enhanced modes where available (e.g., YouTube no-cookie embed).

5.2 Single Sign-On (SSO)

SSO flows through identity providers (Google Workspace, Microsoft Entra ID, Okta) may set Cookies from the provider's domain, governed by that provider's cookie policy. These are Strictly Necessary for SSO.

5.3 API Authentication Tokens

JWT tokens and API keys transmitted in HTTP headers function analogously to session Cookies and are Strictly Necessary.

5.4 Cross-Device Tracking

We do not engage in deterministic or probabilistic cross-device tracking for advertising. Authenticated sessions are linked to your user account across devices for core functionality only and are not shared with third parties for advertising.

6. Legal Bases for Processing

  • Strictly Necessary Cookies: Legitimate interest (GDPR Article 6(1)(f)); ePrivacy Directive Article 5(3) exemption; CCPA "Business Purpose" exemption. No Consent required.
  • All Other Cookie Categories: Explicit, informed, freely given, and unambiguous Consent (GDPR Article 6(1)(a)). Obtained before any non-essential Cookie is placed. (Not currently applicable — no non-essential cookies are set.)
  • Withdrawal of Consent: Where applicable, available at any time without affecting the lawfulness of prior processing.
  • Legitimate Interest Assessment (LIA): Where we rely on legitimate interest, we have conducted and documented a balancing test. A summary is available upon request to the DPO.
  • CCPA Categories: Under the CCPA, Cookie processing constitutes the collection of the following categories of Personal Information: identifiers, internet activity information, and inferences. These are collected for the Business Purposes of: performing services, short-term transient use, security/fraud detection, debugging, and internal research.

7. Privacy by Design and Data Minimization

The Company is committed to Privacy by Design and Data Minimization with respect to Cookie processing:

  • Minimal Collection: We collect only the minimum data necessary to achieve each Cookie's stated purpose.
  • Retention Minimization: Cookie durations are set to the shortest period necessary for their purpose.
  • Purpose Limitation: Cookie data is used only for the purpose disclosed in this Policy.
  • Default Privacy Settings: Only strictly necessary cookies are set by default. No optional cookies are placed without prior affirmative consent.
  • Data Protection Impact Assessment (DPIA): We have conducted DPIAs for Cookie processing where required by GDPR Article 35. Summaries are available to enterprise Customers and supervisory authorities upon request.

8. Record of Processing Activities

In accordance with GDPR Article 30, we maintain a Record of Processing Activities (ROPA) that includes Cookie processing. The ROPA documents: the categories of Data Subjects and Personal Data processed through Cookies; the purposes of processing; the categories of recipients; international transfer mechanisms; retention periods; and technical and organizational security measures. The ROPA is available to supervisory authorities upon request.

9. Cookie Consent Mechanism

Because the Service currently sets only strictly necessary Cookies, no affirmative consent is legally required under the ePrivacy Directive, the GDPR, the CCPA/CPRA, or any operative U.S. state privacy law before placing such Cookies. Strictly Necessary Cookies fall within the ePrivacy Directive Article 5(3) exemption and the CCPA "Business Purpose" exemption.

Informational Cookie Notice. The Marketing Website displays a brief informational cookie notice on first visit with an "Accept" button and a link to this Cookie Policy. The notice is informational only; dismissing it records a client-side acknowledgment in your browser's local storage (cookie-consent key) and does not itself enable or disable any cookie, because only strictly necessary Cookies are set. The notice is intended to direct users to this Policy, not to collect GDPR/ePrivacy-grade consent.

Future Non-Essential Cookies. If the Company later introduces any non-essential Cookie category (analytics, error monitoring, functional, or targeting/advertising), before such Cookies are placed the Company will: (a) update this Policy and publish a new version; (b) upgrade the informational notice to a compliant cookie consent banner meeting WCAG 2.1 Level AA accessibility standards, presenting cookie categories with plain-language descriptions, providing granular opt-in per category, giving "Reject All" equal prominence to "Accept All," and prohibiting pre-checked boxes, dark patterns, cookie walls, or reliance on scrolling or continued browsing as consent; and (c) maintain auditable records of each consent event (date/time, Policy version, categories accepted or refused, method of consent, pseudonymized identifier, truncated IP, user agent) for a minimum of five (5) years. Enterprise Customers may have additional or overriding consent administration provisions in their signed DPA.

10. Managing Your Cookie Preferences

10.1 Browser Controls

Browser settings can accept, block, or delete Cookies. Blocking Strictly Necessary Cookies may prevent login and core functionality. The Company is not liable for Service degradation from user-initiated Cookie blocking.

10.2 Global Privacy Control (GPC)

Because we do not currently set any advertising, targeting, or sale/sharing Cookies, there is nothing for a GPC signal to opt out of today. If we introduce non-essential Cookies in the future, we will honor GPC as a legally valid opt-out of the sale/sharing of Personal Information under CCPA/CPRA, CPA, CTDPA, VCDPA, TDPSA, OCPA, and MCDPA, automatically disabling Targeting Cookies and preventing sharing of cookie-derived Personal Data with advertising partners.

10.3 Do Not Track (DNT)

We do not respond to DNT signals as no universal standard exists. We recommend GPC, which has legal recognition.

10.4 California "Do Not Sell or Share My Personal Information"

We do not sell Personal Information and do not engage in "Sharing" as defined by the CCPA/CPRA. Accordingly, no opt-out is currently required. California residents with questions may contact us at the address in Section 25.

10.5 Third-Party Opt-Out Links

11. Cookie Audit and Scanning

  • Automated Scanning: Quarterly automated scans detect new, modified, or unauthorized Cookies.
  • Manual Review: Annual manual audit by privacy and engineering teams, or upon significant new integrations.
  • Unauthorized Cookie Remediation: Unlisted Cookies are blocked within ten (10) business days. Unauthorized Cookies that process Personal Data trigger the breach notification procedures in Section 14.
  • Enterprise Audit Reports: Available upon request to Customers with a signed DPA.
  • Audit Logs: Scan results, findings, and remediation actions are logged and retained for five (5) years.

12. Data Collected, Shared, and Transferred

12.1 Categories Collected

  • Device Information: Browser type/version, OS, device type, screen resolution, language, installed plugins.
  • Usage Information: Pages visited, features used, clicks, scroll depth, session duration, entry/exit pages, referral URLs, in-app search queries.
  • Network Information: IP address (anonymized where feasible), approximate geolocation, ISP.
  • Authentication Information: Session tokens, security tokens.
  • Preference Information: Language, theme, timezone, UI configuration.
  • Error/Performance Information: JavaScript errors, API response times, page load metrics, interaction sequences leading to errors.

12.2 Third-Party Sharing

Cookie data may be shared with: infrastructure providers (security/performance) and payment processors (session state/identity). All third parties are bound by DPAs or equivalent contracts. We do not share cookie-derived data with analytics, advertising, or marketing providers.

12.3 Data We Never Share or Sell

We do not sell Personal Information to any third party. We do not permit third parties to collect Personal Information from the Service for independent purposes. We do not share Customer Data with analytics or advertising providers.

12.4 International Data Transfers

Cookie data may be transferred outside your jurisdiction, including to the United States. Safeguards include: EU Commission-approved Standard Contractual Clauses (SCCs), including Module 1 (Controller-to-Controller) and Module 2 (Controller-to-Processor); supplementary measures per the Schrems II decision (encryption in transit and at rest, access controls, pseudonymization); UK International Data Transfer Agreements (IDTAs); and any additional mechanisms required by Applicable Data Protection Law.

13. Automated Decision-Making and Profiling

  • Security (Bot Detection): Cloudflare cookies may automatically block or challenge suspicious requests. Legitimate interest basis.
  • Fraud Prevention: Stripe cookies contribute to automated fraud scoring. Users may request human review from Stripe.

We do not use Cookie-derived data for automated decision-making producing legal or similarly significant effects (GDPR Article 22). If this changes, we will update this Policy, conduct a DPIA, and obtain explicit Consent.

14. Cookie-Related Breach Notification

In the event of a security incident affecting Cookie-derived Personal Data:

  • GDPR (EU/EEA): Notification to the lead supervisory authority within seventy-two (72) hours of becoming aware of the breach (Article 33). Affected Data Subjects notified without undue delay where the breach is likely to result in a high risk to their rights (Article 34).
  • UK GDPR: Notification to the ICO within seventy-two (72) hours.
  • CCPA/CPRA (California): Notification to affected consumers in the most expedient time possible and without unreasonable delay, consistent with Cal. Civ. Code § 1798.82.
  • Other U.S. States: Notification in accordance with the breach notification statute of each affected state.
  • Enterprise Customers: Notification to the Customer's designated security contact within the timeframe specified in the applicable DPA (typically 24–72 hours).

Breach notifications will include: nature of the incident; categories and approximate number of affected Data Subjects; likely consequences; and measures taken or proposed to mitigate.

15. Data Retention

Data Category      | Retention Period      | Disposal Method | Legal Basis
Session Cookies    | Browser session end   | Auto-deleted    | N/A
Persistent Cookies | Per Section 4 tables  | Auto-expired    | Legitimate interest
Consent Records    | 5 years minimum       | Secure deletion | Legal obligation
Audit Logs         | 5 years               | Secure deletion | Legitimate interest

Upon account termination, Cookie-derived Personal Data is deleted or anonymized within thirty (30) days, except where retention is required by law, regulatory obligation, or for the establishment, exercise, or defense of legal claims.

16. Cookie-Related Data Subject Access Requests

Data Subjects may exercise rights related to Cookie-derived Personal Data by contacting us at the addresses in Section 25. Supported rights include:

  • Right of Access (GDPR Art. 15 / CCPA § 1798.110): Request a copy of Cookie-derived Personal Data we hold about you. We will respond within thirty (30) days (extendable by sixty (60) days for complex requests).
  • Right to Deletion (GDPR Art. 17 / CCPA § 1798.105): Request deletion of Cookie-derived Personal Data. We will comply within thirty (30) days, subject to applicable exemptions (e.g., legal obligations, fraud prevention).
  • Right to Rectification (GDPR Art. 16): Request correction of inaccurate Cookie-derived data.
  • Right to Restriction (GDPR Art. 18): Request restriction of processing while a dispute is resolved.
  • Right to Data Portability (GDPR Art. 20): Request Cookie-derived Personal Data in a structured, machine-readable format.
  • Right to Object (GDPR Art. 21): Object to processing based on legitimate interest.
  • Right to Opt-Out of Sale/Sharing (CCPA § 1798.120): See Section 10.4.

We do not discriminate against any user for exercising these rights (CCPA § 1798.125; GDPR Art. 12(2)). Identity verification is required for all requests and follows the procedures in our Privacy Policy.

17. Cookie Security

  • Secure Flag: HTTPS-only transmission. HSTS enforced with a minimum max-age of one year, including subdomains.
  • HttpOnly Flag: Authentication/session cookies marked HttpOnly (prevents XSS access).
  • SameSite Attribute: SameSite=Lax or Strict (prevents CSRF and limits cross-origin transmission).
  • Encryption: Sensitive cookie values encrypted with AES-256-GCM or equivalent.
  • Content Security Policy (CSP): Restricts executable scripts and Cookie-setting domains.
  • Subresource Integrity (SRI): Third-party scripts verified via SRI hashes.
  • Certificate Transparency: All TLS certificates logged to public CT logs.
  • Penetration Testing: Annual third-party penetration testing includes Cookie security assessment.
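The Secure, HttpOnly, SameSite and HSTS requirements above are the kind of thing a quarterly scan (Section 11) can check mechanically. The following is an added example, not the Company's own tooling: it parses Set-Cookie and Strict-Transport-Security headers from a first-party response, reports cookies that fall short of the Section 17 settings, and flags any cookie name absent from the Section 4 inventory. The inventory set is copied from Section 4; the AUTH_COOKIES subset (which cookies count as authentication/session cookies for the HttpOnly check), the sample headers, and the function names are assumptions made for this example. Third-party cookies (Stripe, Cloudflare) are set on their own domains and would not appear in such a response.

```python
"""Audit first-party response headers against the Section 17 cookie-security
settings and the Section 4 inventory. Added example; not the Company's code."""
from __future__ import annotations

from dataclasses import dataclass, field

# Cookie names listed in the Section 4 inventory.
INVENTORY = {
    "__session", "__clerk_db_jwt", "__client", "__client_uat", "csrf_token",
    "sb-access-token", "sb-refresh-token", "__cf_bm", "cf_clearance",
    "__stripe_mid", "__stripe_sid", "__vercel_live_token",
}
# Assumption for this example: the cookies treated as authentication/session
# cookies, which Section 17 says must carry HttpOnly. csrf_token is left out
# because form code commonly needs to read it.
AUTH_COOKIES = {"__session", "__clerk_db_jwt", "sb-access-token", "sb-refresh-token"}
ONE_YEAR = 365 * 24 * 3600  # Section 17: HSTS max-age of at least one year


@dataclass
class CookieFinding:
    name: str
    issues: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_cookie(header: str) -> CookieFinding:
    """Return the Section 17 / Section 4 findings for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if name not in INVENTORY:
        finding.issues.append("not in Section 4 inventory (block until classified)")
    if "secure" not in attrs:
        finding.issues.append("missing Secure")
    if name in AUTH_COOKIES and "httponly" not in attrs:
        finding.issues.append("missing HttpOnly on auth/session cookie")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        finding.issues.append(f"SameSite is {samesite or 'unset'}; policy requires Lax or Strict")
    return finding


def audit_hsts(header: str | None) -> list[str]:
    """Check Strict-Transport-Security against the one-year, includeSubDomains minimum."""
    if header is None:
        return ["HSTS header absent"]
    directives: dict[str, str] = {}
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        directives[key.lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    issues = []
    if max_age < ONE_YEAR:
        issues.append(f"max-age {max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        issues.append("includeSubDomains missing")
    return issues


def audit_response(set_cookie_headers: list[str], hsts_header: str | None) -> dict:
    """Audit a whole response; only cookies with issues are reported."""
    cookies = {f.name: f.issues for f in map(audit_cookie, set_cookie_headers) if f.issues}
    return {"cookies": cookies, "hsts": audit_hsts(hsts_header)}


# Constructed sample response headers (not captured from the Service).
SAMPLE_SET_COOKIES = [
    "__session=s1; Path=/; Secure; HttpOnly; SameSite=Lax",   # compliant
    "csrf_token=c1; Path=/; Secure; SameSite=Strict",          # compliant (not an auth cookie)
    "sb-refresh-token=r1; Path=/; Secure; SameSite=Lax",       # HttpOnly missing
    "ab_variant=b; Path=/",                                    # constructed unlisted cookie
]
SAMPLE_HSTS = "max-age=15552000; includeSubDomains"  # 180 days, below the minimum

if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_SET_COOKIES, SAMPLE_HSTS).items():
        print(key, value)
```

Run as a script the block prints the findings for the constructed sample; in a real scan the two header lists would come from the HTTP responses captured during the quarterly crawl, and any name outside INVENTORY would feed the ten-business-day remediation step in Section 11.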

18. Regulatory Compliance

18.1 EU / EEA (GDPR & ePrivacy)

The Company does not currently target or offer services to individuals in the European Union or European Economic Area. However, should the Company expand to serve EU/EEA users in the future, it will comply with Regulation (EU) 2016/679 (GDPR) and Directive 2002/58/EC (ePrivacy Directive), including appointing an EU Representative per Article 27. This Policy has been drafted to be GDPR-ready to facilitate such expansion.

18.2 United Kingdom (UK GDPR & PECR)

The Company does not currently target or offer services to individuals in the United Kingdom. Should the Company expand to serve UK users, it will comply with the UK GDPR and PECR 2003, including appointing a UK Representative per Article 27.

18.3 United States — Federal

CAN-SPAM Act compliance. COPPA compliance (Service not directed at children under 13; we apply a 16-year threshold). FTC Act Section 5 (unfair or deceptive practices) compliance.

18.4 United States — State Privacy Laws

We comply with all operative U.S. state comprehensive privacy laws. See Appendix A for a state-by-state compliance schedule.

18.5 Canada (PIPEDA / Quebec Law 25)

PIPEDA compliance nationally. Quebec Law 25 compliance including privacy impact assessments and consent requirements.

18.6 Brazil (LGPD)

Lei Geral de Proteção de Dados compliance. Rights of access, correction, anonymization, blocking, and deletion.

18.7 Australia (Privacy Act 1988)

Australian Privacy Principles compliance.

18.8 Required Website Footer Links

  • "Cookie Policy" — This Policy (all jurisdictions).
  • "Privacy Policy" — Full Privacy Policy (all jurisdictions).
  • "Accessibility" — Accessibility statement (ADA, EAA, WCAG).

18.9 Cooperation with Supervisory Authorities

The Company will cooperate with and respond to inquiries from applicable data protection supervisory authorities (DPAs) regarding Cookie processing. Enterprise Customers will be promptly notified of any DPA inquiry that relates to the processing of their Customer Data.

18.10 Government and Law Enforcement Requests

If we receive a legally valid request from a government agency or law enforcement body for Cookie-derived Personal Data, we will: comply only with requests that meet applicable legal standards (warrant, subpoena, or court order as required); notify the affected Customer or individual before disclosure unless legally prohibited from doing so; limit disclosure to the minimum data required; and document all such requests and make summaries available in our annual transparency report.

19. Children's Privacy

The Service is not directed at individuals under sixteen (16). We do not knowingly collect Personal Data through Cookies from anyone under 16. If discovered, such data will be deleted within seventy-two (72) hours. In U.S. jurisdictions applying a 13-year threshold (COPPA), we apply the higher 16-year standard.

20. Enterprise & Organizational Customer Provisions

20.1 DPA Precedence

In the event of a conflict between this Policy and a signed DPA, the DPA prevails with respect to Customer Data processing.

20.2 Organizational Cookie Management

  • Restrict specific cookie categories organization-wide.
  • Request periodic audit reports.
  • Configure data residency preferences where available.
  • Request suppression of specific third-party integrations.

20.3 Sub-processors

Third-party cookie providers are Sub-processors. A current list is at dealmatrixcrm.com/legal/sub-processors. The Company provides thirty (30) days' prior written notice before engaging a new Sub-processor, with objection rights per the DPA.

20.4 Compliance Certifications

The Company maintains the following certifications and attestations relevant to Cookie data processing: SOC 2 Type II (annual audit covering security, availability, and confidentiality trust service criteria; report available under NDA); ISO 27001:2022; ISO 27701:2019; and CSA STAR, where applicable. Certification status, scope, and reports are available through our trust center or upon written request.

20.5 Transparency Reporting

The Company publishes an annual transparency report summarizing: the number of government/law enforcement data requests received and fulfilled; the number of Cookie-related data subject requests received and fulfilled by category; the number of Cookie-related security incidents; and material changes to Cookie processing practices.

21. Representations and Warranties

21.1 Company Representations

The Company represents and warrants that: it has the legal authority to collect and process Personal Data through Cookies as described in this Policy; it has implemented and will maintain appropriate technical and organizational measures to protect Cookie-derived Personal Data; all third-party Cookie providers are bound by written agreements requiring equivalent data protection standards; it will process Cookie-derived Personal Data only in accordance with this Policy, Applicable Data Protection Law, and any applicable DPA; it will promptly notify affected parties of any material breach of this Policy; and it maintains cyber liability insurance with coverage limits appropriate to the nature and volume of Personal Data processed.

21.2 Disclaimer

EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 21, THE COMPANY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, WITH RESPECT TO COOKIE PROCESSING OR THE INFORMATION COLLECTED THERETHROUGH. THE COMPANY DOES NOT WARRANT THAT COOKIE PROCESSING WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.

22. Limitation of Liability

22.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS COOKIE POLICY OR THE PROCESSING OF COOKIE-DERIVED PERSONAL DATA, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

22.2 Aggregate Liability Cap

THE COMPANY'S TOTAL AGGREGATE LIABILITY UNDER THIS COOKIE POLICY SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID BY THE CUSTOMER TO THE COMPANY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM; OR (B) ONE HUNDRED THOUSAND DOLLARS ($100,000 USD).

22.3 Exceptions to Liability Limitations

The limitations in Sections 22.1 and 22.2 shall not apply to: (a) the Company's indemnification obligations under Section 23; (b) liability arising from the Company's willful misconduct, gross negligence, or fraud; (c) liability arising from a breach of confidentiality obligations; (d) liability for infringement of intellectual property rights; or (e) any liability that cannot be limited under Applicable Data Protection Law, including fines and penalties imposed by supervisory authorities.

23. Indemnification

23.1 Company Indemnification

The Company shall indemnify, defend, and hold harmless the Customer and its officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) the Company's material breach of this Cookie Policy; (b) the Company's violation of Applicable Data Protection Law in connection with Cookie processing; (c) any unauthorized processing of Cookie-derived Personal Data caused by the Company's negligence or willful misconduct; or (d) any regulatory fines or penalties imposed on the Customer directly resulting from the Company's breach of its obligations under this Policy or applicable DPA.

23.2 Customer Indemnification

The Customer shall indemnify, defend, and hold harmless the Company from and against any third-party claims arising out of: (a) the Customer's instructions to the Company that cause the Company to violate Applicable Data Protection Law; (b) the Customer's failure to provide adequate notice or obtain required consent from its Authorized Users regarding Cookie processing; or (c) any claims arising from Customer Data processed through the Service.

23.3 Indemnification Procedures

The indemnifying party must be promptly notified in writing of any claim. The indemnifying party has the right to control the defense and settlement (provided no settlement admits liability on behalf of the indemnified party without consent). The indemnified party shall cooperate reasonably and may participate at its own expense.

24. Changes to This Policy

  • Material Changes: Thirty (30) days' prior notice via email and in-application notification. Fresh consent obtained where required.
  • Non-Material Changes: "Last Updated" date and version number updated. Continued use constitutes acceptance.

Previous versions are archived and available upon request. A revision history is maintained in Appendix B.

25. Contact Information

  • Legal Entity: Phoenix Holdings LLC, an Illinois Limited Liability Company
  • Privacy Email: privacy@dealmatrixcrm.com
  • Legal Email: legal@dealmatrixcrm.com
  • Support Email: support@dealmatrixcrm.com
  • Data Protection Officer: dpo@dealmatrixcrm.com
  • Website: www.dealmatrixcrm.com

25.1 Supervisory Authorities

26. Governing Law

This Policy is governed by and construed in accordance with the laws of the State of Illinois, without regard to conflicts of law principles, except where superseded by mandatory provisions of Applicable Data Protection Law.

27. Dispute Resolution

27.1 Mandatory Arbitration

Any dispute, claim, or controversy arising out of or relating to this Cookie Policy ("Dispute") shall be resolved exclusively by binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules. The arbitration shall be conducted by a single arbitrator in Cook County, Illinois. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction. This arbitration clause is governed by the Federal Arbitration Act, 9 U.S.C. §§ 1–16.

27.2 Class Action Waiver

TO THE MAXIMUM EXTENT PERMITTED BY LAW, YOU AND THE COMPANY EACH WAIVE THE RIGHT TO PARTICIPATE IN A CLASS ACTION, COLLECTIVE ACTION, PRIVATE ATTORNEY GENERAL ACTION, OR ANY OTHER REPRESENTATIVE PROCEEDING WITH RESPECT TO ANY DISPUTE ARISING UNDER THIS POLICY. ALL DISPUTES SHALL BE RESOLVED ON AN INDIVIDUAL BASIS ONLY.

27.3 Jury Trial Waiver

TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY IRREVOCABLY AND UNCONDITIONALLY WAIVES ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN RESPECT OF ANY DISPUTE ARISING UNDER OR IN CONNECTION WITH THIS POLICY.

27.4 Exceptions to Arbitration

Notwithstanding the foregoing: (a) either party may seek injunctive or equitable relief in any court of competent jurisdiction to prevent irreparable harm; (b) disputes involving supervisory authority orders, regulatory proceedings, or Data Subject complaints shall be resolved through the applicable regulatory process; and (c) claims within the jurisdiction of small claims court may be brought in such court.

27.5 Attorneys' Fees

In any action to enforce this Policy, the substantially prevailing party shall be entitled to recover its reasonable attorneys' fees and costs from the other party.

28. Assignment and Change of Control

The Company may assign this Policy in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided that the assignee assumes all obligations hereunder and provides notice to affected parties within thirty (30) days. In the event of such assignment, Data Subjects and Customers retain the right to withdraw Consent and request deletion of Cookie-derived Personal Data. You may not assign your rights or obligations under this Policy without the Company's written consent.

29. Force Majeure

Neither party shall be liable for delays or failures in performance resulting from causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riots, embargoes, government actions, pandemics, epidemics, internet or telecommunications failures, cyberattacks by state actors, or power outages. Force majeure does not excuse obligations related to data security, breach notification, or data subject rights.

30. General Provisions

30.1 Survival

Sections 1 (Definitions), 12 (Data Collected), 14 (Breach Notification), 15 (Data Retention), 16 (DSARs), 17 (Security), 21 (Representations and Warranties), 22 (Limitation of Liability), 23 (Indemnification), 25 (Contact), 26 (Governing Law), 27 (Dispute Resolution), and this Section 30 shall survive termination or expiration of this Policy.

30.2 Severability

If any provision is held invalid or unenforceable, it shall be modified to the minimum extent necessary or, if modification is not possible, severed. The remaining provisions continue in full force.

30.3 Waiver

No failure or delay by either party in exercising any right under this Policy shall constitute a waiver of that right. A waiver of any breach shall not constitute a waiver of any subsequent breach.

30.4 Notice Provisions

All formal notices under this Policy shall be in writing and delivered by: (a) certified mail, return receipt requested; (b) nationally recognized overnight courier; or (c) email to the Legal Email address in Section 25 with delivery confirmation. Notices are effective upon receipt. Routine communications may be made through the Service interface.

30.5 Third-Party Beneficiaries

This Policy does not confer any third-party beneficiary rights, except that Data Subjects are intended third-party beneficiaries of the data protection obligations in this Policy to the extent required by Applicable Data Protection Law.

30.6 Entire Agreement

This Cookie Policy, together with the Terms of Service, Privacy Policy, Acceptable Use Policy, and any applicable DPA, constitutes the entire agreement regarding Cookie usage and supersedes all prior communications on this subject.

30.7 Construction

This Policy shall be construed neutrally and not against the drafter. Headings are for convenience only and have no legal effect. "Including" means "including without limitation." References to statutes include amendments and successor legislation.

30.8 Electronic Acceptance

This Policy may be accepted electronically. Electronic acceptance has the same legal effect as a handwritten signature to the extent permitted by the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. §§ 7001–7006), the Uniform Electronic Transactions Act (UETA), and equivalent international laws (eIDAS Regulation in the EU).

Appendix A — U.S. State Comprehensive Privacy Law Compliance Schedule

The following table summarizes our compliance posture under each operative U.S. state comprehensive privacy law as of the Effective Date of this Policy. This schedule is updated with each Policy revision.

State | Law | Effective | Opt-Out | Key Cookie Provisions
--- | --- | --- | --- | ---
California | CCPA/CPRA | Jan 1, 2023 | GPC, DNSS link | Opt-out of sale/sharing; DNSS footer link required; sensitive PI limits
Colorado | CPA | Jul 1, 2023 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized
Connecticut | CTDPA | Jul 1, 2023 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized
Virginia | VCDPA | Jan 1, 2023 | Manual | Opt-out of targeted advertising; no universal opt-out mandate
Utah | UCPA | Dec 31, 2023 | Manual | Opt-out of targeted advertising; higher applicability thresholds
Texas | TDPSA | Jul 1, 2024 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized; no revenue threshold
Oregon | OCPA | Jul 1, 2024 | GPC, Universal | Opt-out of targeted advertising; covers nonprofit entities
Montana | MCDPA | Oct 1, 2024 | GPC, Universal | Opt-out of targeted advertising; low population threshold
Tennessee | TIPA | Jul 1, 2025 | Manual | Opt-out of targeted advertising; affirmative defense for privacy programs
Iowa | ICDPA | Jan 1, 2025 | Manual | Opt-out of targeted advertising and sale; no right to opt in
Indiana | INCDPA | Jan 1, 2026 | Manual | Opt-out of targeted advertising and sale; 60-day cure period
Delaware | DPDPA | Jan 1, 2025 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized
New Hampshire | NHDPA | Jan 1, 2025 | Manual | Opt-out of targeted advertising and sale
New Jersey | NJDPA | Jan 15, 2025 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized; no revenue threshold
Nebraska | NDPA | Jan 1, 2025 | GPC, Universal | Opt-out of targeted advertising; universal opt-out recognized
Kentucky | KCDPA | Jan 1, 2026 | Manual | Opt-out of targeted advertising and sale; 30-day cure period
Maryland | MODPA | Oct 1, 2025 | GPC, Universal | Strict data minimization; limits on targeted advertising; universal opt-out
Minnesota | MCDPA | Jul 31, 2025 | GPC, Universal | Opt-out of targeted advertising; profiling protections; universal opt-out

This schedule is non-exhaustive. Additional states may enact privacy legislation after the Effective Date. The Company monitors legislative developments and will update this schedule accordingly. For states not listed, the Company applies the most protective standard among applicable laws.

Appendix B — Revision History

Version | Date | Summary of Changes
--- | --- | ---
1.0 | April 12, 2026 | Initial release.
2.0 | April 12, 2026 | Added definitions, scope, error monitoring cookies, audit schedule, accessibility, automated decision-making, email tracking, embedded content, cross-device tracking.
3.0 | April 12, 2026 | Enterprise-grade revision: Controller/Processor designation; CCPA-specific definitions; DSAR procedures; breach notification per jurisdiction; Representations & Warranties; Limitation of Liability ($100K cap); mutual Indemnification; compliance certifications; government/law enforcement request policy; Privacy by Design; ROPA; assignment/M&A; survival clause; force majeure; binding arbitration with class action and jury trial waivers; notice provisions; attorneys' fees; electronic acceptance; third-party beneficiaries; U.S. state compliance appendix; transparency reporting; consent record retention extended to 5 years. Cookie inventory limited to strictly necessary cookies only, with banner/consent-center references trimmed pending implementation.