1. Introduction

This Privacy Policy describes how Smith Varmint Works LLC ("Smith Varmint Works," "Company," "we," "us," or "our") collects, uses, stores, and protects information in connection with the Mother Hen™ monitoring system and related services (the "Service").

We are committed to data minimization, transparency, and user trust. We do not sell your data, and we do not use it for advertising.

2. Information We Collect

2.1 Account Information

When you create an account to use Mother Hen, we collect:

• Your name
• Your email address
• Your phone number (used to deliver SMS alerts)
• Your mailing address (used for hardware shipping)
• Your payment information (processed by our payment processor, Square; we do not store full card numbers)

2.2 Installation and Configuration

When you set up and operate Mother Hen, you provide:

• Approximate coop location, typically accurate to within 1 to 5 kilometers, derived automatically from your cellular controller's connection to its cellular network (via our cellular partner, Hologram). We use this location only for sunrise and sunset calculations and timezone determination. We do not use precision GPS positioning, and we do not derive your operational location from your shipping address.
• Sensor placement and configuration settings
• Responses to any site survey questions we may ask

2.3 Device Telemetry

Mother Hen hardware automatically transmits operational data to our cloud service, including:

• Door open/close status and timestamps
• Temperature and humidity readings
• Cellular signal strength and network information (carrier, band, signal quality)
• Device battery levels (Coop Climate Sensors and Door Monitors)
• Controller uptime and connectivity status
• Firmware version information

2.4 Alert and Interaction Data

In the course of operating the Service, we collect:

• Alert history (what was sent, when, and to whom)
• SMS responses and commands you send to the system
• Portal login times and usage patterns

2.5 Automatically Collected Technical Data

When you access the Portal, we collect:

• Your IP address
• Your browser type and version
• The type of device you use to access the Portal

2.6 Cookies and Local Storage

The Portal uses session cookies to keep you signed in. These cookies are managed by AWS Cognito, our identity provider, and persist only for the duration of your session or as required to maintain your sign-in across the Portal. We do not currently use third-party advertising or tracking cookies. If we add analytics in the future, we will update this Privacy Policy and notify you in accordance with Section 12.

3. How We Use Your Information

We use collected information solely to:

• Operate the Service: Process telemetry, trigger alerts, display data in the Portal, and deliver SMS notifications.
• Maintain and improve hardware: Push firmware updates, diagnose device issues, and monitor system health.
• Provide customer support: Troubleshoot problems and respond to inquiries.
• Improve the Service: Analyze aggregate usage patterns to improve reliability, alert accuracy, and user experience.
• Send you marketing communications about Mother Hen product updates, new features, and related offerings, subject to your opt-out preferences described in Section 8.5.
• Solicit your feedback on the product through occasional surveys or follow-up communications, also subject to Section 8.5.
• Comply with legal obligations: Respond to lawful requests from authorities.

Note on alert delivery timing. When the system detects an issue that warrants alerting you, we send SMS notifications 24 hours a day, 7 days a week. We do not implement time-based suppression of alerts. You may disable SMS alerts entirely via a master toggle in the Portal at any time; we do not offer per-alert or scheduled-window mute functionality. This is a deliberate design choice for an animal-welfare and property-monitoring product.

4. What We Do Not Do

• We do not sell your personal information to any third party.
• We do not share data for advertising or marketing by third parties.
• We do not use telemetry data to profile you for purposes unrelated to the Service.
• We do not retain data longer than necessary to operate the Service.

5. Data Sharing

5.1 Subprocessors

We engage the following subprocessors to operate the Service. Each subprocessor receives only the data necessary to perform its function. None is permitted to use your data for any purpose beyond serving Mother Hen.

• Amazon Web Services (AWS) — all data storage, processing, identity, and SMS delivery. Services used: DynamoDB (telemetry and account data), Lambda (compute), IoT Core (device messaging), Cognito (identity and authentication), S3 (logs and firmware artifact storage), Pinpoint SMS Voice v2 (SMS delivery to your phone). All in the us-east-2 region (Ohio, United States).
• Hologram — cellular SIM service for the Mother Hen controller. Hologram sees the device's ICCID, its cell-tower-derived approximate location, and session metadata (when the device connected and for how long). Hologram contracts directly with upstream cellular network operators; those operators are Hologram's subprocessors, not ours.
• Square — payment processing for hardware purchases and subscription renewals. Square sees your cardholder name, card number, billing address, purchase amount, and timestamp. We do not store your full card number; that data is held by Square in compliance with PCI DSS.
• GitHub — firmware artifact distribution. GitHub stores compiled firmware binaries that your controller downloads during over-the-air updates. GitHub does not receive customer personal information; it only serves firmware files.

An up-to-date subprocessor list is also available at themotherhen.net/legal/subprocessors. We will provide reasonable notice of any material changes.

5.2 Legal Requirements

We may disclose information if required by law, court order, subpoena, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfer

If Smith Varmint Works LLC is acquired, merges, or sells substantially all its assets, customer data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

6. Data Storage and Security

6.1 Where Data Is Stored

All data is stored in AWS infrastructure located in the United States (us-east-2 region, Ohio).

6.2 Security Measures

• TLS encryption for all data in transit (device-to-cloud and Portal access)
• Encryption at rest for stored data
• AWS Cognito for authentication and access control
• Role-based access controls for internal systems

6.3 No Guarantee

While we take reasonable precautions, no system is perfectly secure. We cannot guarantee absolute security of your data.

6.4 Breach Notification

If we discover a security breach that has compromised, or has a reasonable likelihood of having compromised, your personal information, we will notify you by email and SMS within seventy-two (72) hours of our discovery of the breach. The notification will describe:

• What categories of your personal information were affected;
• When the breach occurred, to the extent known;
• What steps we have taken in response and what steps we recommend you take;
• How to contact us with questions about the incident.

We will cooperate with law enforcement and regulatory authorities as legally required. If law enforcement specifically requests a delay in customer notification to avoid impeding an investigation, we will comply with that request and notify affected customers as soon as the delay is lifted.

7. Data Retention

• Account data: Retained while your account is active and for thirty (30) days after termination, then deleted.
• Telemetry data: Retained for twelve (12) months on a rolling basis while your account is active; deleted thirty (30) days after account termination.
• Alert history: Retained for twelve (12) months while your account is active; deleted thirty (30) days after account termination.
• Payment records: Retained as required by applicable tax and financial regulations (may survive account deletion).

Upon account termination, all data except legally required payment records is deleted thirty (30) days after termination. During that window, you may request a data export.

Two cancellation paths. Subscriptions may end in two ways, and we handle your data differently in each:

• Lapse (non-payment): If your subscription expires without renewal, we suspend service but retain your account and telemetry data in a dormant state. If you re-subscribe within twelve (12) months, your account is restored and continues from where it left off. After twelve months of dormancy without renewal, dormant data is automatically transitioned to the cancellation path below.
• Explicit cancellation: If you initiate cancellation through the Portal or by written request to us, we treat this as a permanent end to your relationship. Within thirty (30) days, we delete your account, telemetry, and alert history. We retain only the legally required payment and tax records held by our payment processor (see Section 5.1). We may also offer you a buyback program for your hardware at our discretion; participation in any such program is voluntary and is governed by the Terms of Service in effect at the time of your request.

At our current scale and as a Tennessee LLC selling directly to consumers, no state-specific data retention statutes (including the Tennessee Information Protection Act) impose mandatory retention periods on us. The retention windows above reflect our operational needs and a 30-day grace window for customer-initiated data export.

8. Your Rights

8.1 Access

You may request a copy of the personal information we hold about you.

8.2 Correction

You may update your account information through the Portal or by contacting us.

8.3 Deletion

You may request deletion of your account and associated data. We will comply within thirty (30) days, except where retention is required by law. Deletion of your account will result in termination of cloud services.

8.4 Data Export

You may request an export of your telemetry and alert data in a machine-readable format. We will fulfill export requests within thirty (30) days.

8.5 Opt-Out of Non-Essential Communications

You may opt out of marketing communications at any time. You cannot opt out of service-critical communications (billing notices, safety alerts, Terms updates) while your account is active.

9. Children's Privacy

Mother Hen is not directed at children under eighteen (18). We do not knowingly collect personal information from minors. If we learn we have collected information from a child under 18, we will delete it promptly.

10. State-Specific Rights

At our current size — a single-member Tennessee LLC operating below the customer-count and revenue thresholds of state-specific privacy laws — we do not currently meet the applicability triggers for the Tennessee Information Protection Act (TIPA), the California Consumer Privacy Act and California Privacy Rights Act (CCPA / CPRA), or comparable state statutes.

If your state grants you specific privacy rights and you wish to exercise them, please contact us at the address in Section 13 and we will evaluate your request in good faith.

California residents: we cannot provide specific legal advice regarding your CCPA / CPRA rights. If you have concerns about how a Tennessee-based company handles your data under California law, we encourage you to consult California-licensed legal counsel. We will continue to apply our general privacy posture (data minimization, no selling, no advertising sharing) to all customers regardless of state.

11. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the State of Tennessee, without regard to its conflict-of-law principles. Any dispute arising under this Privacy Policy is subject to the binding arbitration and venue provisions set forth in Section 12 of our Terms of Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least thirty (30) days before the changes take effect.

13. Contact