Comprehensive Privacy Notice for GDPR, UK GDPR, and U.S. State Privacy Laws

Last Updated	April 20, 2026
Version	3.0
Privacy Contact	privacy@braxos.com

1. Introduction

braXos Security Software LLC (“braXos,” “we,” “us,” or “our”) provides enterprise physical access, identity synchronization, workflow automation, and vertical transportation software and related services.

This Privacy Notice explains how we collect, use, disclose, and otherwise process personal information when individuals interact with:

• braXpass – a mobile credential application that allows authorized users to request, receive, and delete mobile credentials on their mobile device (iOS and Android).
• Composer – a workflow automation platform that enables the construction of integrations using a library of cloud connectors, which may process personal information residing in connected systems; Composer is stateless and currently accessible only to braXos personnel.
• Crescendo – an elevator access control solution integrated with braXos’s access management platform.
• LiftOff – a mobile application that allows users to call an elevator using their mobile device (iOS and Android).
• Symphony – an identity lifecycle management portal and API that enables customers to manage credentials for access control systems under their subscription; Symphony is stateless.
• Harmony – braXos’s cloud platform and supporting infrastructure used to deliver the above services.
• braxos.com – the braXos corporate website and related web properties, which use cookies and similar tracking technologies as described in the Cookie Policy section of this Notice.

This Privacy Notice also explains the rights available to individuals under applicable privacy laws, including the GDPR, UK GDPR, and U.S. state privacy laws.

2. braXos’s Role

braXos may act in different roles depending on the service and context:

• Controller / business: For information we collect through our website, marketing activities, support interactions, account administration, security operations, and certain product administration functions, braXos acts as a controller (under GDPR/UK GDPR) or equivalent business (under U.S. state privacy laws).
• Processor / service provider: When we process personal information on behalf of our customers in connection with customer-configured use of our products and services—including identity synchronization, access provisioning, credential management, elevator workflows, and related integrations—braXos generally acts as a processor (under GDPR/UK GDPR) or service provider (under U.S. state privacy laws) acting on the customer’s instructions.
• Independent third parties: Building owners, property managers, employers, security integrators, access control providers, elevator vendors, and credential issuers may act as separate controllers for the personal information they collect or receive through their own systems.

If you use braXos services through a building, employer, property manager, or another organization, that organization may be the primary controller for much of the product-related personal information. In those cases, questions about your data may need to be directed first to that organization.

3. Personal Information We Collect

3.1 Information You Provide Directly

When you register for or use our Services, you may provide:

• first and last name;
• email address;
• phone number, where relevant to a service such as LiftOff, Harmony, support, or account verification;
• account credentials and authentication-related information;
• support requests, correspondence, and other communications you send to us; and
• other information you choose to provide when contacting us or using our services.

3.2 Information Collected Automatically

When you use our apps, website, or services, we may automatically collect:

• Device Information: device make, model, operating system, application version, device identifiers, IP address, and online identifiers.
• Usage and Log Information: app events, authentication events, system activity, error logs, and service diagnostics.
• Mobile Activity: activity data when the app is in the foreground or when the app, in the background, is near an access control reader or elevator lobby Bluetooth beacon.
• Approximate Location Information: proximity or location-related information generated through Bluetooth beacons, access control readers, or elevator lobby beacons where the relevant service requires that functionality. When not within range of a beacon, the app does not report or collect location information.
• Website Usage Information: information collected through cookies and similar technologies, as described in the Cookie Policy section below.

3.3 Information Received from Third Parties

We may receive personal information from customers and their authorized representatives, including:

• building administrators;
• employers, property managers, and tenant administrators;
• access control, identity, property management, visitor, and elevator systems;
• credential issuers;
• security integrators; and
• service providers supporting delivery of our services.

3.4 Product-Specific Data Categories

Depending on the solution, we may process:

• identity data such as name and email address;
• credential-related data such as card number, facility code, credential status, and credential activation/expiration details;
• access group or entitlement information;
• elevator call and destination request information;
• app verification and authentication details; and
• operational and audit records necessary to deliver, secure, troubleshoot, and improve the service.

Symphony-Specific Collection

Symphony manages the synchronization, addition, updating, and deletion of credential information on behalf of properties whose user information resides in access control systems. The following attributes may flow through Symphony:

• first and last name;
• email address;
• credential information (card number, facility code, etc.);
• access group membership; and
• profile and credential activation and expiration dates.

Symphony portal access registration involves users supplying their first and last name and email address.

Composer-Specific Collection

Composer is a workflow automation platform that processes data flowing through integrations configured by braXos. The Composer portal is currently accessible only to braXos personnel via VPN and is not available to end customers. As a stateless system, Composer does not independently store personal information; data passes through integrations in real time as configured.

3.5 Data We Do Not Intentionally Collect

We do not intentionally collect special categories of personal data (as defined under GDPR/UK GDPR) unless such processing is required in a particular customer deployment and is authorized by law and contract. We do not knowingly collect personal information directly from children where prohibited by applicable law.

4. How We Use Personal Information

We use personal information for the following purposes, as applicable:

• to provide, administer, operate, and support our services;
• to configure and enable access control, identity synchronization, workflow automation, credentialing, and vertical transportation functionality;
• allowing building approvers and administrators to grant access to secured locations and additional privileges;
• to verify identity, ownership of contact information, or eligibility for access;
• processing elevator calls and providing elevator calling activity to building administrators (LiftOff);
• to communicate with users, administrators, and customers regarding service operation, security, authentication, updates, and support;
• communicating via push notifications (e.g., QuickLift Push, 2FA);
• to secure our systems, monitor for fraud or abuse, and maintain service integrity;
• to troubleshoot incidents, perform diagnostics, and collaborate with customers, integrators, vendors, or credential issuers to resolve technical problems;
• to maintain logs, records, and audit trails;
• to comply with legal obligations, regulatory requirements, and lawful requests;
• to enforce contracts, policies, and terms;
• to improve, develop, test, and enhance our services, including conducting research and development; and
• to operate our website and manage cookie preferences, analytics, and related functionality where permitted.

5. Lawful Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, braXos relies on one or more of the following lawful bases, depending on the context:

• Performance of a contract: to provide requested services, manage accounts, enable access workflows, and perform our contractual obligations.
• Legitimate interests: to secure our services, prevent fraud, troubleshoot issues, maintain audit logs, improve services, respond to inquiries, and operate our business, provided such interests are not overridden by individuals’ rights and freedoms.
• Compliance with legal obligations: to meet legal, regulatory, tax, accounting, law enforcement, or compliance requirements.
• Consent: where required by law, such as for certain cookies and similar tracking technologies, or in limited situations where we specifically ask for consent.

Where braXos acts as a processor on behalf of a customer, the relevant customer is responsible for identifying the appropriate lawful basis for the processing it instructs us to perform.

6. How We Disclose Personal Information

We may disclose personal information to the following categories of recipients, where necessary and appropriate:

• customers and their authorized administrators;
• building owners, property managers, employers, and tenant administrators;
• access control providers, elevator vendors, mobile credential issuers, and security integrators involved in delivering or supporting the relevant solution;
• service providers and subprocessors that help us host, secure, support, analyze, and operate our services;
• professional advisers such as auditors, insurers, and legal counsel;
• regulators, courts, law enforcement, or governmental authorities where required by law or legal process; and
• relevant third parties in connection with a corporate transaction, reorganization, merger, acquisition, financing, or sale of assets.

We do not sell personal information, and we do not use personal information for targeted advertising as described under many U.S. state privacy laws.

7. International Transfers

braXos may transfer personal information to and process personal information in countries other than the country in which it was originally collected.

Where required by applicable law, we implement appropriate safeguards for international transfers, which may include:

• adequacy regulations or adequacy decisions;
• the European Commission’s Standard Contractual Clauses;
• the UK International Data Transfer Addendum or other approved UK transfer mechanisms; and/or
• other lawful transfer mechanisms recognized under applicable data protection law.

You may contact us using the details below to request additional information about applicable transfer safeguards.

8. Data Retention

We retain personal information for as long as necessary for the purposes described in this Privacy Notice, including to provide services, maintain security, satisfy legal or contractual obligations, resolve disputes, and enforce our agreements.

Retention periods vary depending on the type of information, the applicable service, customer instructions, legal requirements, and operational needs. Where braXos processes personal information on behalf of a customer, retention may also be determined by that customer’s instructions and contractual arrangements.

When personal information is no longer required, we will delete, anonymize, or de-identify it in accordance with applicable law and our retention practices.

9. Data Subject Rights (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, you may have the right to:

• request access to personal information we hold about you;
• request correction of inaccurate or incomplete personal information;
• request deletion (erasure) of personal information;
• request restriction of processing;
• object to processing based on legitimate interests;
• request portability of personal information, where applicable;
• withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of processing carried out prior to withdrawal); and
• lodge a complaint with your local data protection authority or supervisory authority.

If braXos processes your information on behalf of one of our customers, we may direct your request to the relevant customer or ask you to contact that organization directly, because it may be best positioned to respond.

To exercise your rights, contact privacy@braxos.com. We may need to verify your identity before acting on your request.

10. Security

braXos maintains administrative, technical, and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures may include encryption in transit and at rest where appropriate, authentication controls, role-based access controls, logging, monitoring, vulnerability management, and related security safeguards.

No system is completely secure. We therefore cannot guarantee absolute security.

11. Subprocessors and Service Providers

braXos uses service providers and subprocessors to support the delivery of its services, such as cloud hosting, customer support, analytics, communications, and security operations.

Where required, we maintain contractual protections with such providers, including data processing terms and confidentiality and security obligations.

12. Cookies and Similar Technologies

12.1 Overview

braXos uses cookies and similar technologies on braxos.com to operate the site, remember preferences, measure performance, and understand how visitors use our website. A cookie is a small text file stored on your device by your web browser.

12.2 Categories of Cookies

We may use the following categories of cookies:

Category	Purpose	Consent Required?
Strictly Necessary	Core site functionality, security, session management, and load balancing. These cookies are essential for the website to function and cannot be switched off.	No (exempt under all frameworks)
Functional	Remember preferences (e.g., language, region) and improve usability. These cookies enhance your experience but are not strictly necessary.	EEA/UK: Yes (opt-in)US: Set by default (opt-out available)
Analytics / Performance	Understand website usage, measure performance, and improve site experience. braXos uses Google Analytics for this purpose.	EEA/UK: Yes (opt-in)US: Set by default (opt-out available)

braXos does not currently use cookies for targeted advertising or profiling.

12.3 Consent Management

braXos uses CookieYes as its consent management platform (CMP) to manage cookie preferences and comply with applicable consent requirements.

• EEA and UK visitors: Non-essential cookies are blocked until opt-in consent is provided, in compliance with GDPR and the ePrivacy Directive.
• U.S. visitors: Non-essential cookies may be set by default. You may opt out at any time through the cookie banner, consent manager, or the “Do Not Sell or Share My Personal Information” link in the site footer.

You may update your preferences at any time through the cookie banner, consent manager, or related controls made available on the site. Most web browsers also allow you to manage cookies through browser settings.

12.4 Google Analytics and Google Consent Mode v2

We use Google Analytics to understand website traffic and usage patterns. Google Analytics may set cookies and collect data such as pages visited, time on site, and referral source.

braXos has implemented Google Consent Mode v2, which adjusts the behavior of Google tags based on your consent status. When consent is not granted (e.g., for EEA/UK visitors who have not opted in), Google tags operate in a restricted, cookieless mode that does not store cookies or collect personal identifiers.

For more information about how Google processes data, please review Google’s privacy information.

12.5 Global Privacy Control (GPC)

braXos honors Global Privacy Control (GPC) signals where required by applicable law. If your browser sends a GPC signal, we treat it as a valid opt-out of the sale or sharing of personal information.

13. Third-Party Links and Services

Our website and services may contain links to third-party websites, services, or platforms. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices.

14. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect operational, legal, technical, or regulatory changes. We will post the updated version on this page and update the ‘Last Updated’ date.

15. Contact Us

If you have questions about this Privacy Notice or braXos’s privacy practices, or if you would like to exercise applicable privacy rights, please contact:

• braXos Security Software LLC
• Privacy inquiries: privacy@braxos.com
• General support: support@braxos.com

16. U.S. State-Specific Privacy Rights

Multiple U.S. states have enacted comprehensive consumer privacy laws. The sections below describe the rights available to residents of each applicable state and how braXos complies with these laws. braXos does not sell personal information and does not process personal information for the purposes of targeted advertising.

16.1 California Privacy Rights (CCPA/CPRA)

This California Consumer Privacy Act Notice (“California Notice”) describes how we handle your personal information, the reasons we do so, and the rights you have as a California resident regarding your information. This Notice supplements the braXos Privacy Notice.

This California Notice uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations.

Categories of Personal Information Collected

We may collect or receive (and may have collected or received during the 12-month period prior to the Last Updated date of this California Notice) the categories of personal information listed below. Not all categories will be collected or received for every individual.

Category	Details
Identifiers	Personal identifiers, such as name, telephone number (LiftOff and Harmony), and email address. Telephone numbers are not stored by LiftOff; obfuscated numbers are shown to delegated partners.
Device Information and Online Activity	Device and online identifiers, mobile activity when the app is in the foreground or when the app, in the background, is near an access control reader or elevator lobby Bluetooth beacon.
Communications	Verification of the phone number associated with the device (LiftOff) or via SMS for enrollment (Harmony), and verification of the email address if the property is managing access via an access control system.
Geolocation	Location information as reported by access control readers or elevator beacons to the app via Bluetooth. When not within range of a beacon, the app does not report or collect location information.

Categories of Sources

We may obtain and combine personal information from different sources:

• provided directly by you;
• collected from the device associated with you; and
• collected from a building or a building’s affiliated third party with whom you have a relationship.

Purposes for Collecting Personal Information

We may use your personal information for the purposes described in Section 4 (How We Use Personal Information) above and as provided below:

• providing customer service;
• conducting auditing and monitoring of transactions and engagement, including auditing compliance;
• helping to ensure security and integrity and prevent fraud;
• undertaking activities to verify or maintain the quality or safety of our services or devices and to improve, upgrade, or enhance them;
• debugging to identify and repair errors;
• conducting business analysis, such as analytics, projections, and identifying areas for operational improvement;
• conducting research and development, including undertaking internal research for technological development and demonstration; and
• fulfilling our legal functions or obligations.

Sale and Sharing of Personal Information

braXos does not sell personal information. Except as noted in Section 6 (How We Disclose Personal Information), braXos does not share personal information.

Personal Information of Consumers Under 16 Years of Age

braXos does not knowingly collect personal information from children under the age of 16. By using the Services, you represent that you are at least 16 years old or that you are the parent or guardian of a minor and you grant consent to such minor’s use of the Services. If we learn that personal information from users less than 16 years old has been collected, we will deactivate any related accounts and will delete such information from our records.

Disclosing Personal Information for Business Purposes

During the 12-month period prior to the Last Updated date of this California Notice, we may have disclosed your personal information with certain categories of third parties as described in Section 6 above, including device and online identifiers, location information, personal identifiers, and access control and elevator calling activity.

California Privacy Rights

If you are a California resident, you can make certain requests regarding your personal information, and we will fulfill each request to the extent required by law:

• Right to Know / Access: request access to a copy of and certain details regarding the personal information we have about you (up to two times in a rolling twelve-month period);
• Right to Delete: request deletion of your personal information;
• Right to Correct: request correction of inaccurate personal information;
• Right to Opt-Out of Sale/Sharing: braXos does not sell or share personal information as defined by the CCPA;
• Right to Limit Use of Sensitive Personal Information (SPI): braXos does not collect SPI at this time.

To exercise any of these privacy rights, send an email to support@braxos.com. To delete your personal information, you may also click “Delete Account” on the Settings panel of the applicable app.

Verifying Your Identity

If you request access to, or the correction or deletion of, your personal information, we will verify your identity before disclosing the requested information. To do so, we may ask that you log into your account or provide us with your first name, last name, email address, and/or phone number. Third-party identification services may help us with verification to prevent disclosure resulting from fraudulent requests.

Authorized Agents

In order to process requests using an authorized agent, braXos will require documentation demonstrating your agent’s authority to submit requests on your behalf (e.g., power of attorney or a signed letter of authorization).

Shine the Light

California residents have the right to request a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, and the identity of those third parties. To exercise this right, please send an email to support@braxos.com.

Notice of Financial Incentive

If we provide a financial incentive, we will provide you with the details, including how the incentive is related to your data before you participate so that you may make an informed decision. You will always have the right to withdraw from participation.

Number of Requests Received in 2025

0

16.2 Utah Privacy Rights (UCPA)

This Utah Consumer Privacy Act Notice supplements the braXos Privacy Notice and uses certain terms that have the meaning given to them in the Utah Consumer Privacy Act of 2022.

Categories of Personal Information Collected

Category	Details
Identifiers	Personal identifiers, such as name, telephone number (LiftOff and Harmony), and email address
Device Information and Online Activity	Device and online identifiers, mobile and web network activity and related information (such as IP address and Device ID)
Commercial Information	Not collected
Communications	Communication details (such as the content of emails, text messages, or other communications) where braXos is a party to the exchange
Demographic Information	Not collected
Financial Information	Not collected
Biometric Information	Not collected
Geolocation	Location information, such as geolocation information by means of Bluetooth beacon reporting or when a credential is presented at a reader
Sensory Information	Not collected (activity at sensor-equipped locations may be communicated to an access control system by the property)
Background Information	Not collected
Inferences	Individual preferences and characteristics
Sensitive Personal Information	Not collected

Exercising Your Utah Privacy Rights

Utah residents can exercise the following rights by sending an email to support@braxos.com or by using the “Delete” function in the applicable app:

• Request to Access My Personal Information
• Delete My Personal Information

16.3 Colorado Privacy Rights (CPA)

This Colorado Consumer Privacy Notice supplements the braXos Privacy Notice and applies solely to Colorado consumers who interact with us in an individual capacity. This Notice uses certain terms that have the meaning given to them in the Colorado Privacy Act.

Collection, Use, and Sharing of Personal Data

Category	Processing Purpose	Targeted Ads?	Sold or Shared
Identifiers	Fulfilling legal obligations; Ensuring security and preventing fraud; Performing services; Auditing and monitoring; Quality and safety verification	No	Only first name, last name, email address, and obfuscated phone number are shared with building administrators and elevator vendors for managing authorized access
Device and Online Identifiers	Fulfilling legal obligations; Ensuring security and preventing fraud; Debugging; Performing services; Auditing and monitoring; Quality and safety verification	No	No
Internet and Network Activity	Same as above	No	No
Geolocation	Same as above	No	Activity at access control readers and elevators is shared with building administrators and elevator vendors, contingent upon local laws and regulations
Biometric Info	Not collected	No	Biometric authorization may be required for certain app functions, but biometric data is not collected by braXos. The app relies on iOS or Android for biometric authorization.
Inferences	Same as above	No	No

Your Colorado Privacy Rights

If you are a Colorado consumer who interacts with us in an individual capacity, you may have the right to: (1) request access to, correction of, or deletion of your personal data; (2) opt-out of the processing of your personal data for purposes of targeted advertising or the sale of your personal data; and (3) obtain your personal data in a portable and, to the extent technically feasible, readily usable format. braXos does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects.

To submit a request, please email support@braxos.com.

16.4 Additional State Privacy Rights

In addition to California, Utah, and Colorado, the following states have enacted comprehensive consumer privacy laws that may apply to our processing of personal information:

State	Law	Effective Date
Connecticut	Connecticut Data Privacy Act (CTDPA)	July 1, 2023
Virginia	Virginia Consumer Data Protection Act (VCDPA)	January 1, 2023
Montana	Montana Consumer Data Privacy Act (MCDPA)	October 1, 2024
Oregon	Oregon Consumer Privacy Act (OCPA)	July 1, 2024
Texas	Texas Data Privacy and Security Act (TDPSA)	July 1, 2024
Delaware	Delaware Personal Data Privacy Act (DPDPA)	January 1, 2025
Iowa	Iowa Consumer Data Protection Act (ICDPA)	January 1, 2025
Nebraska	Nebraska Data Privacy Act (NDPA)	January 1, 2025
New Hampshire	New Hampshire Privacy Act (NHPA)	January 1, 2025
New Jersey	New Jersey Data Privacy Act (NJDPA)	January 15, 2025
Tennessee	Tennessee Information Protection Act (TIPA)	July 1, 2025
Minnesota	Minnesota Consumer Data Privacy Act (MCDPA)	July 31, 2025
Maryland	Maryland Online Data Privacy Act (MODPA)	October 1, 2025
Indiana	Indiana Consumer Data Protection Act (INCDPA)	January 1, 2026
Kentucky	Kentucky Consumer Data Protection Act (KCDPA)	January 1, 2026
Rhode Island	Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)	January 1, 2026

Common Consumer Rights

While each state’s law has unique provisions, the following core consumer rights are generally available to residents of the states listed above. Not all rights are available in every state; for example, Iowa does not include a right to correct personal data.

• Right to Access: You may request confirmation of whether we are processing your personal data and request access to such data.
• Right to Correct: You may request that we correct inaccurate personal data we hold about you.
• Right to Delete: You may request that we delete personal data we have collected from or about you.
• Right to Data Portability: You may request a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
• Right to Opt Out of Sale: You may opt out of the sale of your personal data. braXos does not sell personal information.
• Right to Opt Out of Targeted Advertising: You may opt out of the processing of your personal data for purposes of targeted advertising. braXos does not process personal information for targeted advertising.
• Right to Opt Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. braXos does not engage in such profiling.

How braXos Complies

braXos is committed to respecting the privacy rights of consumers in all states with applicable privacy legislation. In particular:

• braXos does not sell personal information.
• braXos does not process personal information for the purposes of targeted advertising.
• braXos does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
• braXos obtains opt-in consent before processing sensitive personal information where required by applicable law.
• For states that require controllers to provide a list of specific third parties to which personal data has been disclosed (such as Oregon, Delaware, and Connecticut), braXos discloses personal information only to building administrators, elevator vendors, and security integrators as described in Section 6.

Exercising Your Rights

Residents of any of the above states may exercise their applicable privacy rights by:

• sending an email to support@braxos.com;
• using the “Delete Account” or “Delete” function within the Settings section of the applicable braXos app; or
• correcting personal information directly within the applicable braXos app.

We will respond to your request within the timeframe required by your state’s applicable law (typically 45 days, with extensions available in certain circumstances). If we are unable to comply with your request in whole or in part, we will notify you with reasons for the denial.

If you are not satisfied with our response to your request, you may have the right to appeal our decision. To submit an appeal, please email support@braxos.com with the subject line “Privacy Rights Appeal.” If your appeal is denied, you may have the right to contact your state’s Attorney General to submit a complaint.

Identity Verification

Before fulfilling your request, we may need to verify your identity. We may ask that you log into your account or provide us with your first name, last name, email address, and/or phone number. Third-party identification services may assist with verification to prevent fraudulent requests.

Authorized Agents

Where permitted by applicable state law, you may designate an authorized agent to submit a privacy request on your behalf. braXos will require documentation demonstrating the agent’s authority, such as a power of attorney or a signed letter of authorization.

Non-Discrimination

braXos will not discriminate against you for exercising any of your privacy rights under applicable state law. We will not deny you goods or services, charge you different prices, or provide a different level or quality of service because you exercised your rights.

17. Policy Change Log

Date	Version	Summary of Changes
Apr 2026	3.0	Merged GDPR/UK GDPR transparency framework with comprehensive U.S. state privacy rights into a single unified notice. Strengthened controller/processor role descriptions with dual GDPR and U.S. terminology. Added dedicated GDPR lawful bases section (Section 5). Added international transfers section with SCCs and UK IDTA mechanisms (Section 7). Expanded data subject rights section for GDPR/UK GDPR (Section 9). Enhanced Cookie Policy with CookieYes CMP deployment, Google Consent Mode v2, GPC signal support, and EU opt-in vs. U.S. opt-out consent mechanics. Updated privacy contact to privacy@braxos.com. Preserved all 19-state U.S. coverage.
Mar 2026	2.1	Added Cookie Policy section covering cookie categories, consent mechanics, Google Analytics, and CookieYes CMP. Added braxos.com to list of covered Services.
Feb 2026	2.0	Consolidated individual product privacy notices (braXpass, Composer, LiftOff, Symphony) into a single unified Privacy Notice. Added Crescendo and Harmony product coverage. Expanded state-specific privacy rights to cover all 19 states with comprehensive consumer privacy laws.
Mar 2025	1.0	Initial publication of individual product privacy notices for braXpass, Composer, LiftOff, and Symphony.