THEO Toolbox App | Privacy Statement

Effective Date: March 30, 2026 · Last Updated: March 30, 2026

This Privacy Statement applies specifically to the THEO Toolbox mobile application (“App”) and supplements our general Privacy Statements available at theo.inc/privacy-statement-eu (for EU users) and theo.inc/privacy-statement-us (for US users). Where this App Privacy Statement conflicts with the general Privacy Statements regarding App-specific data practices, this statement controls.

1. Who We Are

THEO Laser Inc. (“Company”, “we”, “us”, “our”) is the controller of your personal data collected through the App.

THEO Laser Inc.
1900 W. Park Dr., Suite #150
Westborough, MA 01581, United States
Email: support@theo.inc
Website: https://theo.inc

EU Representative: marketing@maxlasers.com

2. What Data We Collect

We collect and process the following categories of data when you use the App:

2.1 Account Information

Name, email address, company name or affiliation, job title, account credentials (password stored in hashed form only), and distributor or partner association.

HOW COLLECTED

Provided by you during registration, or provisioned by your employer or authorized THEO distributor.

2.2 Machine Registration Data

Machine serial numbers, model information, QR code scan data, registration dates, and warranty status.

HOW COLLECTED

Captured when you scan a machine QR code or manually register equipment.

2.3 Service Ticket Data

Ticket descriptions, status updates, photos and images attached to tickets, timestamps, and communication history between you and THEO support.

HOW COLLECTED

Created by you when submitting or updating service tickets.

2.4 Community Content

Posts, comments, photos, videos, and other media you share in the App’s community features, along with associated metadata (timestamps, author information).

HOW COLLECTED

Submitted by you when participating in community features.

2.5 Training and Certification Data

Course completion records, certification status, certification expiration dates, quiz or assessment results, and training progress.

HOW COLLECTED

Generated as you interact with THEO Academy content within the App.

2.6 Device and Technical Information

Device type and model, operating system and version, App version, unique device identifiers (such as IDFV), language and locale settings, and time zone.

HOW COLLECTED

Collected automatically when you use the App.

2.7 Push Notification Tokens

Device tokens for Apple Push Notification service (APNs).

HOW COLLECTED

Generated when you enable push notifications.

2.8 Crash and Diagnostic Data

Crash logs, error reports, app performance data, device state at the time of a crash (memory usage, battery level, network status), stack traces, and breadcrumb events leading up to a crash.

HOW COLLECTED

Collected automatically by Sentry (see Section 5) when the App encounters an error.

2.9 Usage Analytics

Feature usage patterns, screen views, session duration, and interaction events.

HOW COLLECTED

Collected automatically during your use of the App. This data is aggregated and does not include the content of your communications or submissions.

2.10 Photos and Camera Data

Photos and videos captured through the App’s camera integration or selected from your Photo Library.

HOW COLLECTED

Captured or selected by you for service tickets or community posts. We do not access your camera or Photo Library without your permission, and only images you actively select or capture are transmitted.

3. How We Use Your Data

We process your personal data for the following purposes:

  1. Providing the App’s core functionality — account management, machine registration, service ticket processing, community features, and training content delivery.
  2. Customer support — responding to your service tickets, troubleshooting issues, and communicating with you about your account or equipment.
  3. App improvement — analyzing crash reports and usage patterns to fix bugs, improve performance, and develop new features.
  4. Safety and compliance — tracking laser safety certifications and training completion to support workplace safety requirements.
  5. Communications — sending push notifications about service ticket updates, certification expirations, community activity, and App updates (you can disable push notifications at any time through your device settings).
  6. Legal compliance — meeting our obligations under applicable laws, responding to lawful requests from authorities, and enforcing our terms.
  7. Marketing — with your consent where required, we may use aggregated or anonymized usage data to improve our products and services. User-generated community content may be used in THEO marketing and promotional materials as described in the App’s End User License Agreement.

If you are located in the European Union, the European Economic Area, or the United Kingdom, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the App’s services to you, including account management, machine registration, service tickets, training delivery, and community features.
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including crash reporting and diagnostics (to maintain App stability), usage analytics (to improve the App), and fraud prevention. We have assessed that these interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR): Where we rely on your consent (for example, for certain marketing communications or optional data collection), you may withdraw your consent at any time by contacting us at support@theo.inc. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations to which we are subject.

5. Third-Party Service Providers (Sub-Processors)

We share your data with the following third-party service providers who process data on our behalf:

Sentry (Functional Software, Inc.)

Location: United States

Purpose: Crash reporting and error tracking

Data shared: Crash logs, device information, app state data

Privacy: sentry.io/privacy

Apple Inc.

Location: United States

Purpose: Push notification delivery (APNs), App Store distribution

Data shared: Push notification tokens, App Store transaction data

Privacy: apple.com/privacy

HubSpot

Location: United States

Purpose: Customer relationship management and support communications

Data shared: Account information, service ticket data

Privacy: hubspot.com/data-privacy

We require all sub-processors to enter into data processing agreements that provide safeguards equivalent to those described in this Privacy Statement.

6. International Data Transfers

THEO Laser Inc. is based in the United States. If you are located outside the United States (including in the EU/EEA, United Kingdom, Australia, or Japan), your personal data will be transferred to and processed in the United States.

EU/EEA and UK users: We rely on the European Commission’s Standard Contractual Clauses (SCCs) as our data transfer mechanism under Chapter V of the GDPR. Where applicable, we may also rely on adequacy decisions. You may request a copy of the applicable SCCs by contacting us at support@theo.inc.

Australian users: By using the App, you consent to the transfer of your personal data to the United States. We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

Japanese users: We comply with the requirements of the Act on the Protection of Personal Information (APPI) regarding cross-border transfers, including providing information about the personal information protection systems of the receiving country. We ensure appropriate safeguards through contractual arrangements with our service providers.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Statement, unless a longer retention period is required or permitted by law.

Retention period by data category:

  • Account Information: Duration of account + 24 months
  • Machine Registration Data: Duration of account + 24 months, or warranty period (whichever is longer)
  • Service Ticket Data: 36 months after ticket closure
  • Community Content: Duration of account (may be anonymized upon deletion)
  • Training & Certification Data: Duration of account + 36 months
  • Crash & Diagnostic Data: 12 months from collection
  • Usage Analytics: 12 months (individual); indefinite (aggregated)
  • Push Notification Tokens: Until uninstall or notification disable

8. Your Rights

All Users

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete personal data.
  • Right to deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Right to data export: Request a copy of your data in a commonly used, machine-readable format.

EU/EEA/UK Users (GDPR)

  • Right to restrict processing: Request that we limit how we use your data.
  • Right to object: Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
  • Right not to be subject to automated decision-making: We do not make decisions based solely on automated processing that produce legal effects concerning you.

US Users

California (CCPA/CPRA): Right to know, right to delete, right to opt-out of sale/sharing, and right to non-discrimination. We do not sell your personal information. We do not use your personal information for cross-context behavioral advertising.

Other states: Residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia have additional rights under their respective state privacy laws. Please refer to our US Privacy Statement for state-specific details.

Australian Users (Privacy Act 1988)

  • Right to access (APP 12): Request access to your personal information held by us.
  • Right to correction (APP 13): Request correction of inaccurate, out-of-date, or incomplete personal information.
  • Right to complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Japanese Users (APPI)

  • Right to disclosure: Request disclosure of personal data held about you.
  • Right to correction: Request correction, addition, or deletion of personal data.
  • Right to cessation: Request cessation of use or provision of personal data to third parties.
  • Right to complain: Lodge a complaint with the Personal Information Protection Commission (PPC).

To exercise any of these rights, please contact us at support@theo.inc or use the data request form available at theo.inc/privacy-statement-eu (EU users) or theo.inc/privacy-statement-us (US users). We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

9. Children’s Privacy

The App is intended for professional use by individuals sixteen (16) years of age or older. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data through the App, please contact us at support@theo.inc. If we learn that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete that information promptly.

10. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS), access controls and authentication, regular security assessments, and incident response procedures.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

11. Device Permissions

The App requests only the permissions necessary for its features. All permissions are optional and can be managed through your iOS device settings:

  • Camera: Used to scan machine QR codes and capture photos for service tickets and community posts. We do not access your camera in the background.
  • Photo Library: Used to upload photos and videos to service tickets and community posts. We only access images you explicitly select.
  • Push Notifications: Used to send updates about service tickets, certifications, and community activity. You can disable push notifications at any time in your device settings.

12. Cookies and Tracking

The App itself does not use cookies. However, if you access THEO web content through links in the App, those web pages may use cookies as described in our Cookie Policy.

We do not engage in cross-app tracking. We do not share your data with third-party advertisers. We comply with Apple’s App Tracking Transparency (ATT) framework and do not track you across other companies’ apps or websites.

13. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our data practices or legal requirements. We will provide at least thirty (30) days’ advance notice of material changes through in-app notification and, where we have your email address, by email. The updated statement will also be posted on our website.

Your continued use of the App after the effective date of any changes constitutes your acceptance of the revised Privacy Statement.

14. Contact Us

THEO Laser Inc.

1900 W. Park Dr., Suite #150
Westborough, MA 01581, United States

Email: support@theo.inc · Website: https://theo.inc

EU Representative: marketing@maxlasers.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:

  • EU/EEA: Your national Data Protection Authority — edpb.europa.eu
  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • Japan: Personal Information Protection Commission (PPC) — ppc.go.jp