Privacy Policy
Effective Date: March 5, 2026
Entity: CoolR Group, Inc. (Delaware, USA)
This Privacy Policy ("Policy") describes how CoolR Group, Inc. ("CoolR", "we", "us", "our") collects, processes, stores, and protects personal data and other information across all of our touchpoints, including:
- The CoolR website at https://www.coolr.ai
- The VistaZ web application and portal
- The CoolR mobile application (iOS and Android)
- The VistaZ hardware device deployed in client assets (coolers, fridges, freezers)
- All associated APIs, integrations, and documentation
This Policy applies to enterprise clients ("Clients"), their authorized users ("Authorized Users"), store operators and retailers whose assets host VistaZ devices, and visitors to our website. Where this Policy references "you", it applies to all of those groups as relevant context.
This Policy should be read alongside the Terms and Conditions that govern use of the Services.
1. Who We Are
CoolR Group, Inc. is an IoT-enabled retail execution company. Our VistaZ platform uses AI-powered computer vision cameras deployed at retail locations and inside commercial refrigeration assets (coolers, fridges, freezers) to help food and beverage brands, distributors, and retailers monitor stock availability, merchandising compliance, and retail execution performance.
For data protection inquiries, our designated contact is:
| Data Protection Contact | mail@coolr.ai |
| Support | support@coolr.ai |
| Address | 4451 Brookfield Corporate Drive, Suite 111, Chantilly, VA 20151, USA |
2. Scope: What This Policy Covers
This Policy covers three distinct data environments:
| Environment | Primary Data Types |
|---|---|
| VistaZ Device (in-asset camera) | Cooler interior images, temperature readings, door open/close events |
| Platform (web app, mobile app, APIs) | Authorized User account data, usage logs, Client retail data, planogram data |
| Website (coolr.ai) | Website visitor data, cookies, contact form submissions, marketing analytics |
Each environment is addressed separately in the sections below.
3. VistaZ Device: Data Collected In-Asset
3.1 What the Device Captures
The VistaZ device is installed inside commercial refrigeration assets. It is designed and configured to capture only:
- Still images of the interior contents of the asset (facing inward toward products)
- Temperature readings at periodic intervals
- Door open/close timestamps (used to trigger image capture and detect usage patterns)
The device does not capture:
- Video or audio (the hardware has no such capability)
- Any information about individuals, shoppers, or store staff
- Location metadata embedded in images
- Any data from outside the asset
Images are generally captured once or twice per day on a pre-scheduled basis, or triggered by door open events (typically 1 to 4 images per day total).
3.2 Accidental Capture of Personal Data
In rare instances, a partial body part (such as a hand or arm) may be incidentally captured during the moment a door is opened. CoolR addresses this as follows:
- AI-based processing automatically detects and removes any such data
- Images containing identifiable personal information are destroyed within 24 hours of transfer from the device
- No such images are retained, processed for recognition, or shared
3.3 Legal Basis
Processing of device-captured data is based on the legitimate interests of CoolR and its Clients in monitoring stock levels and retail execution performance in a commercial B2B context. No personal data is intentionally collected by the device. Where any personal data is incidentally captured, it is deleted at the earliest opportunity.
4. Platform: Data Collected via Web App, Mobile App, and APIs
4.1 Authorized User Account Data
To provide access to the platform, CoolR collects and processes the following personal data for Authorized Users:
- Full name and email address (used for account creation and login)
- Job title and organization (provided by the Client during provisioning)
- Browser type and IP address (logged for security and auditing purposes)
- Device identifiers and operating system version (mobile app)
- Session activity logs and feature usage patterns
- Phone number (optional, on an opt-in basis for notifications)
This data is collected with GDPR's data minimization principle in mind. Only data necessary to provide the Services is collected and retained.
4.2 Client-Provided Business Data
Clients supply operational data to enable image analysis and reporting. This includes:
- Outlet (store) information: names, addresses, identifiers
- Product catalogs and SKU data
- Planogram and merchandising standards
- Store manager or sales representative contact information (for notifications and alerts)
This data is used exclusively to deliver the contracted Services and fulfill CoolR's obligations under the applicable Order Form or SOW.
4.3 Platform Usage Analytics
CoolR logs application usage to maintain service quality and improve the platform:
- Feature interaction logs (anonymized where possible)
- API call logs and error rates
- Performance telemetry
Only Authorized Users are tracked. Anonymous or unauthenticated visitors to the portal are not tracked.
4.4 Mobile Application
The CoolR mobile application (iOS and Android) collects:
- Account credentials (email/password or SSO token) for authentication
- Device identifiers and OS version for compatibility and support
- Push notification tokens (if notifications are enabled)
- Offline data cache for field use in low-connectivity environments
Location data is not collected by the mobile application unless explicitly enabled as part of a location tracking feature agreed upon with the Client. If enabled, location tracking scope and controls are documented separately in the applicable SOW.
4.5 Legal Basis
Processing of platform data is based on:
- Contract performance: to deliver the Services under the applicable Order Form
- Legitimate interests: for security, auditing, fraud prevention, and service improvement
- Legal obligation: to comply with applicable laws and regulations
5. Website: Data Collected at coolr.ai
5.1 Website Visitor Data
When you visit https://www.coolr.ai, we collect:
- IP address and approximate geographic location (country/region level)
- Browser type, version, and device type
- Pages visited, time on page, and referral source
- Cookie identifiers (see Section 5.3)
This data is used to understand website traffic patterns, improve content, and measure the effectiveness of marketing.
5.2 Contact and Inquiry Forms
If you submit a contact or demo request form on our website, we collect:
- Name, email address, company name, and job title
- Any message content you provide
This information is used solely to respond to your inquiry and, with your consent, to send relevant product communications. It is not shared with third parties for marketing purposes.
5.3 Cookies and Tracking
Our website uses cookies and similar tracking technologies. Categories of cookies used include:
| Category | Purpose | Required |
|---|---|---|
| Strictly Necessary | Session management, security, load balancing | Yes |
| Analytics | Traffic measurement, page performance (e.g., anonymized analytics) | Optional |
| Marketing | Attribution tracking for inbound marketing campaigns | Optional |
You can manage cookie preferences via the cookie consent banner on the website. Strictly necessary cookies cannot be disabled as they are required for the site to function.
For full details, refer to our Cookie Policy.
5.4 Legal Basis
Website data processing is based on:
- Legitimate interests: for security monitoring and analytics
- Consent: for optional analytics and marketing cookies
- Contract performance: for responding to demo or inquiry submissions
6. Data Usage
We use collected data for the following purposes only:
| Purpose | Data Used |
|---|---|
| Delivering the Services | Client Data, Authorized User accounts, device imagery |
| User authentication and access control | Account credentials, session tokens |
| Security monitoring and auditing | IP logs, access logs, API call logs |
| Service performance and reliability | Anonymized telemetry and error logs |
| Improving AI/ML recognition models | Anonymized, aggregated stock imagery |
| Client notifications and alerts | Contact information provided by Clients |
| Marketing and sales (website only) | Website visitor data, form submissions, with consent |
We do not sell, rent, or trade personal data to any third party.
7. Data Sharing and Third-Party Processors
7.1 Authorized Access
Access to data is restricted to:
- CoolR's internal engineering, operations, and support teams (on a need-to-know basis)
- Client's own designated Authorized Users
- Approved subcontractors and infrastructure providers (listed below)
7.2 Subprocessors and Infrastructure
CoolR uses a limited number of carefully vetted third-party infrastructure providers. All subprocessors are contractually bound to GDPR-compliant data protection standards and are prohibited from using Client Data for their own purposes. Key infrastructure categories include:
- Cloud hosting and storage: Microsoft Azure (primary: USA, geo-redundancy: Australia)
- Application performance monitoring: Limited telemetry providers under DPA
- Email delivery: For system notifications and alerts
Alternate storage regions may be agreed upon contractually with Clients subject to specific regulatory requirements.
7.3 Legal Disclosures
CoolR may disclose data if required by law, court order, or lawful request from a government authority. Where permitted by law, CoolR will notify the affected Client before complying.
7.4 Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, data may be transferred to the successor entity. Affected parties will be notified in advance where required by law.
8. Data Storage and Security
8.1 Storage Location
| Data Type | Primary Location | Failover |
|---|---|---|
| Platform and Client Data | USA (Microsoft Azure) | Australia |
| Application logs | USA | N/A |
| Website analytics | Varies by tool | N/A |
Alternate storage locations may be agreed upon contractually for Clients with specific data residency requirements.
8.2 Security Measures
CoolR implements commercially reasonable administrative, physical, and technical safeguards, including:
- Encryption in transit using TLS for all data transfers
- Encryption at rest for stored Client Data
- Access controls restricted by role, network location, and user account
- Infrastructure access limited by IP allowlisting and multi-factor authentication
- Regular review of access permissions and security posture
8.3 Data Breach Response
In the event of a confirmed data breach affecting personal data, CoolR will:
- Notify affected Clients without undue delay and within 72 hours of becoming aware of the breach where GDPR applies
- Notify the relevant supervisory authority as required by applicable law
- Provide details of the nature of the breach, data affected, and remediation steps taken
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Authorized User account data | Duration of subscription plus 90 days post-termination |
| Client Data (retail, planogram, imagery) | Duration of subscription plus 90 days post-termination |
| Application and security logs | Maximum 6 months |
| Website analytics data | As configured per analytics tool, typically 26 months |
| Contact form submissions | Until inquiry is resolved, plus 12 months |
Following the applicable retention period, data is securely deleted or anonymized. Clients may request earlier deletion in writing to support@coolr.ai.
10. GDPR Compliance
CoolR is committed to compliance with the General Data Protection Regulation (GDPR) and equivalent data protection laws globally.
10.1 Data Subject Rights
Individuals whose personal data is processed by CoolR have the following rights under GDPR:
| Right | Description |
|---|---|
| Access | Request a copy of personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of personal data where no longer necessary |
| Restriction | Request restriction of processing in certain circumstances |
| Portability | Receive personal data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdrawal of Consent | Withdraw consent at any time where processing is consent-based |
Requests should be directed to mail@coolr.ai. CoolR targets a 7-day response for all data subject requests and will not exceed the 30-day statutory deadline.
10.2 Data Processing Agreement
Enterprise Clients whose use of the Services involves processing of personal data subject to GDPR or equivalent regulation must execute a Data Processing Agreement (DPA) with CoolR. To request a DPA, contact legal@coolr.ai.
10.3 International Transfers
Where personal data is transferred outside the European Economic Area (EEA), CoolR ensures appropriate transfer mechanisms are in place, including Standard Contractual Clauses (SCCs) where required.
10.4 Supervisory Authority
If you believe CoolR has not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.
11. CCPA (California Residents)
For California residents, the California Consumer Privacy Act (CCPA) provides additional rights:
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of personal information we hold about you
- Right to Opt Out: We do not sell personal information. No opt-out is required.
- Right to Non-Discrimination: Exercising CCPA rights will not result in discriminatory treatment
To exercise these rights, contact support@coolr.ai.
12. Children's Privacy
The Services are designed exclusively for enterprise B2B use by adults. CoolR does not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been collected from a minor, it will be deleted immediately.
13. Changes to This Policy
CoolR may update this Policy from time to time. When material changes are made:
- The "Effective Date" at the top of this page will be updated
- Enterprise Clients will be notified by email or in-application notice at least 30 days before changes take effect
- Website visitors will see a notice via the cookie consent mechanism or website banner
Continued use of the Services after the effective date of changes constitutes acceptance of the revised Policy.
14. Contact and Requests
| Inquiry Type | Contact |
|---|---|
| Data subject rights requests | mail@coolr.ai |
| Data Processing Agreement (DPA) | legal@coolr.ai |
| General support and data deletion | support@coolr.ai |
| Legal notices | legal@coolr.ai |
CoolR Group, Inc.
4451 Brookfield Corporate Drive, Suite 111
Chantilly, VA 20151, USA
https://www.coolr.ai