Cookie & Tracking Technologies Policy

1. What Tracking Technologies Are

COMPLETA

COOKIE & TRACKING TECHNOLOGIES POLICY

Website, Mobile Applications, and Related Services

Completa LLC d/b/a Completa

Effective Date: April 28, 2026

THIS POLICY IS PART OF THE COMPLETA LEGAL FRAMEWORK AND SUPPLEMENTS THE COMPLETA PRIVACY POLICY.

Introduction

This Cookie & Tracking Technologies Policy (this "Policy") explains how Completa LLC d/b/a Completa ("Completa," "we," "us," or "our") uses cookies, device identifiers, local storage, analytics tools, and other tracking technologies on the Completa website (completa.io), the Completa mobile application (for Customers), and the Completa Pro mobile application (for Contractors) (collectively, the "Services").

This Policy supplements the Completa Privacy Policy. For information about what personal data we collect, how we use it, and your privacy rights, please refer to the Privacy Policy. This Policy focuses specifically on the tracking technologies we use, the purposes they serve, and the choices available to you.

What Are Cookies and Tracking Technologies?

2.1 Cookies

Cookies are small text files that a website stores on your browser or device when you visit. Cookies allow the website to recognize your device on return visits, maintain session state (such as keeping you logged in), and collect information about your browsing behavior. Cookies may be set by Completa ("first-party cookies") or by third-party services operating on our website ("third-party cookies"). Cookies may persist for the duration of your browser session ("session cookies") or remain on your device until they expire or you delete them ("persistent cookies").

2.2 Mobile Device Identifiers

Our mobile applications use device-level identifiers rather than browser cookies. These include the Identifier for Vendor (IDFV) on iOS, which uniquely identifies your device within the Completa application but is not shared with other apps, and the Android ID on Android, which is a device-scoped identifier. We do not use the Identifier for Advertisers (IDFA) on iOS or Google Advertising ID (GAID) on Android for advertising purposes.

2.3 Local Storage

Our mobile applications use MMKV (a high-performance key-value storage framework) to store data locally on your device for offline functionality, session management, user preferences, and cached content. Data stored in MMKV is local to your device, encrypted, and is not transmitted to third parties.

2.4 Push Notification Tokens

When you enable push notifications, your device generates a unique push token (Expo Push Notifications, APNs for iOS, or Firebase Cloud Messaging for Android). This token is used exclusively to deliver transactional notifications (project updates, milestone status, payment confirmations, dispute alerts) and optional marketing notifications (with your consent). Push tokens are stored on our servers and linked to your user account. You may disable push notifications at any time through your device settings.

2.5 Server-Side Technologies

Our backend uses server-side logs, database session records, managed cache or queue records where configured, and rate-limiting counters to operate and secure the Services. This data is not stored on your device. Session and temporary operational records expire or are deleted according to their purpose and are not used for tracking or advertising purposes.

2. Technologies We Use

Tracking Technologies We Use

3.1 Website (completa.io)

The Completa website uses the following categories of cookies and tracking technologies:

3. Third Parties and Compliance

Third-Party Technologies

5.1 Service Providers

The following third-party services may set cookies or use tracking technologies on the Completa website or within our mobile applications:

Service

Category

Purpose

Data Shared

Stripe, Inc.

Payment Processing

Fraud detection, payment session security, customer payments, Stripe Connect onboarding, payouts, refunds, disputes, and tax/payment reporting support

Payment session data, payment metadata, connected-account metadata, payout/payment identifiers, and related transaction records

Supabase

Authentication / Database / Storage

Account authentication, session management, database records, file storage, realtime events, and row-level-security-backed platform data

Account identifiers, session metadata, project records, messages, uploaded files, legal acceptance records, and operational database records

Amazon Web Services, Inc.

Infrastructure / Storage / SMS

Backend hosting, private object storage, logs, secrets, queues, event routing, web application firewall, and transactional SMS through AWS SNS where configured

Operational logs, private legal/document artifacts, SMS phone number and message routing data, and service metadata

Expo, Apple Push Notification service, and Firebase Cloud Messaging

Push Notifications

Mobile push notification routing for transactional and optional marketing notifications

Push token, platform, user ID, and notification routing metadata

Checkr, Inc.

Background Checks

Contractor owner/principal identity verification and background screening

Completa server-side candidate and invitation data, including contractor name, email, provider reference IDs, package, work location, and status; sensitive identity intake and report details are handled in the Checkr-hosted flow where applicable

DocuSeal

Electronic Signatures

Legal document signing workflow, signed PDFs, signature certificates, signer metadata, and legal evidence routing

Signer name, email, document content, signature event metadata, signed PDF and certificate references

Resend

Transactional Email

Account verification, project, receipt, support, FCRA/adverse-action, signed-document, and operational email delivery

Recipient email, subject, delivery/open/click event data where configured, template/event metadata, and message provider IDs

Sentry

Crash and Error Diagnostics

Crash reporting, stack traces, runtime diagnostics, and operational reliability monitoring

Error context, device/app metadata, stack traces, and related diagnostic data

PostHog

Product Analytics

Configured pseudonymized screen/event analytics, onboarding funnel analytics, feature usage analytics, and performance diagnostics

Pseudonymized user ID, app role, event properties, route templates, timing, feature usage, and device/app metadata

Anthropic and OpenAI where configured

AI/OCR Processing

Approved commercial API image understanding, OCR, document extraction, material/receipt/invoice parsing, and internal project analysis

Project photos, receipts, invoices, materials records, project context, and extracted fields needed for the specific request; not used for external provider model training under approved launch configuration

All third-party service providers are contractually required to process data only for the purposes described above and in accordance with our Privacy Policy. Completa has executed data processing agreements or comparable processor terms with each listed service provider requiring them to process personal data only for the stated purposes and consistent with applicable law. We do not permit third-party service providers to use tracking technologies on our platform for their own independent advertising or data collection purposes.

5.2 Social Media and Embedded Content

The Completa website may contain links to our social media profiles (e.g., Instagram, LinkedIn, X/Twitter). These links do not load third-party tracking scripts unless you actively click through to the external platform. We do not embed social media widgets, "like" buttons, or share buttons that load third-party tracking scripts on page load.

Apple App Tracking Transparency (ATT) Compliance

Completa fully respects Apple's App Tracking Transparency framework introduced in iOS 14.5. Specifically:

No ATT Prompt Required: Because Completa does not use the IDFA, does not engage in cross-app tracking, and does not share data with third-party advertising networks, we are not required to display an ATT permission prompt under Apple's guidelines.
No Cross-App Tracking: We do not track Users across other companies' apps or websites. We do not link device or user data with data from other companies' apps or websites for targeted advertising.
No Data Sharing with Data Brokers: We do not share device identifiers, usage data, or any other information with data brokers or advertising networks.

If Apple's ATT requirements change or if Completa adds functionality that requires IDFA access in the future, we will update this Policy and implement the required ATT prompt before accessing any advertising identifiers.

Do Not Track (DNT) and Global Privacy Control (GPC)

7.1 Do Not Track

Some browsers transmit Do Not Track (DNT) signals. Because there is no universal technical standard for DNT handling, Completa does not guarantee technical response to every DNT signal across every Service surface. Where our website is configured to recognize a DNT signal, we seek to honor that signal for non-essential analytics to the extent reasonably feasible. Strictly necessary technologies may remain active because they are required for the Services to function properly.

7.2 Global Privacy Control

Where our website is configured to recognize a technically valid Global Privacy Control (GPC) signal, Completa treats that signal as a request to opt out of any processing that would constitute a "sale" or "sharing" of personal information under applicable state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA). Because Completa does not sell personal information or engage in cross-context behavioral advertising, no additional action is typically required in the ordinary course.

4. Your Choices and Controls

Your Choices and Controls

8.1 Website Cookie Controls

You may manage cookies through your browser settings (Chrome: Settings → Privacy and Security; Safari: Preferences → Privacy; Firefox: Settings → Privacy & Security; Edge: Settings → Cookies and Site Permissions). If Completa makes a cookie banner, consent tool, or similar website preference control available on completa.io, you may also use that tool to manage non-essential cookies. Declining non-essential analytics cookies does not affect your ability to use the website.

8.2 Mobile App Controls

You have the following controls over tracking technologies in our mobile applications:

Location: You can grant, deny, or revoke location permissions through your device's Settings. Revoking location access may affect Contractor matching and proximity features.
Push Notifications: You can enable or disable push notifications through your device's notification settings. If the then-current app build includes additional in-app notification controls, you may use those controls to manage available notification categories.
Analytics: If the then-current app build includes a pseudonymized analytics preference control, you may use that control. Otherwise, contact legal@completa.io to request information about currently available privacy choices.
Local Storage: You can clear locally stored data by uninstalling and reinstalling the app. If the then-current app build includes a local-data clearing tool, you may use that tool instead. Clearing locally stored data may log you out and remove offline-cached information.

8.3 Email Tracking

Transactional emails sent by Completa (project updates, payment confirmations, dispute notifications) may contain a small, transparent tracking pixel that confirms whether the email was delivered and opened. This data is used solely for delivery monitoring and notification pipeline reliability. Marketing emails may include a tracking pixel for open/click analytics. You may contact legal@completa.io to request information about any email-tracking preferences or opt-out choices then available for your account. Disabling email-tracking pixels, where available, may reduce Completa's ability to diagnose delivery or notification issues. Opting out of marketing emails also disables marketing email open/click analytics for those messages.

Retention of Tracking Data

Data Type

Retention Period

Notes

Session tokens (server-side)

Session duration + 24 hours

Auto-expire; stored in managed server-side operational systems where configured

Push notification tokens

Duration of active account

Deleted upon account deactivation

Analytics data (pseudonymized)

Up to 24 months

Aggregated/anonymized for reporting after 90 days

Website cookie consent preferences

12 months

Re-prompted upon expiration

MMKV local storage (on-device)

Until cleared by User

Cleared on app uninstall or manual clear

Email tracking pixels

90 days

Delivery confirmation data only; not linked to behavioral profiles

Children

Completa's Services are not directed to children under the age of eighteen (18). We do not knowingly use cookies or tracking technologies to collect data from children. For more information, see the Children's Privacy section of our Privacy Policy.

5. State Disclosures and Contact

California-Specific Disclosures

Under the California Consumer Privacy Act (CCPA/CPRA), cookies and tracking technologies may be considered "personal information" if they can be linked to an individual consumer or household. Completa provides the following disclosures for California residents:

Categories Collected via Tracking: Identifiers (device identifiers, session tokens), internet or other electronic network activity (browsing history on completa.io, app usage data), and geolocation data (with consent).
Business Purpose: All tracking technologies are used for business purposes as described in Sections 4.1 through 4.3 of this Policy. We do not use tracking technologies for cross-context behavioral advertising.
No Sale or Sharing: We do not "sell" or "share" (as those terms are defined under CCPA/CPRA) any information collected through cookies or tracking technologies.
Opt-Out: Because we do not sell or share personal information collected through tracking technologies, there is no "Do Not Sell or Share My Personal Information" action required. We nonetheless honor GPC signals as described in Section 7.2.
Texas-Specific Disclosures

Under the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, Texas consumers have the right to opt out of the processing of personal data for targeted advertising. Because Completa does not process personal data collected through tracking technologies for targeted advertising, no additional opt-out mechanism is required. Completa complies with the TDPSA's requirements regarding data minimization, purpose limitation, and consumer rights as described in our Privacy Policy. If you submit a consumer-rights request under the TDPSA and Completa declines to fulfill that request, you have the right to appeal that decision. To appeal, submit a written request to legal@completa.io within sixty (60) days of receiving Completa's denial. Completa will respond to your appeal within sixty (60) days of receipt.

Changes to This Policy

We may update this Cookie & Tracking Policy from time to time. When we make material changes, we will post the updated Policy on our website with the new effective date, provide website notice through any then-current cookie banner, consent tool, or comparable website notice mechanism, and for changes affecting mobile app tracking, provide in-app notification. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

Contact Information

If you have questions about this Cookie & Tracking Policy or wish to exercise your privacy rights:

Completa LLC d/b/a Completa | Attn: Privacy | 5900 Balcones Drive, STE 100 | Austin, TX 78731

Email: legal@completa.io

BY USING THE COMPLETA WEBSITE OR MOBILE APPLICATIONS, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS COOKIE & TRACKING POLICY.