Privacy Policy

PACE Technologies ("PACE," "we," "us," or "our") is a U.S.-based manufacturer of metallographic equipment and consumables, headquartered at 3601 E. 34th Street, Tucson, Arizona 85713, USA. We are the controller of the personal information described in this Privacy Policy.

This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect personal information when you visit metallographic.com (our "Site"), submit a form, request a quote, purchase through our online shop, attend our events, or otherwise interact with us. By using our Site or services, you acknowledge that you have read this Policy.

2.1 Information You Provide

When you contact us, request a quote, place an order, register for an event, or sign up for communications, we collect what you provide, which may include:

• Name, job title, and department
• Email address and phone number
• Company name, billing address, and shipping address
• Country, state, and city
• Purchase and quote details, including products of interest and budgets
• Technical support requests and the contents of communications you send us
• Payment information, processed by our payment processor (we do not store full payment card numbers)
• Any other information you voluntarily provide

2.2 Information Collected Automatically

When you visit our Site, we and our service providers collect technical and usage information through cookies and similar technologies, including:

• IP address and approximate location derived from IP
• Browser type, version, language, and time zone
• Device type, operating system, and screen size
• Pages visited, links clicked, time on page, and referring site
• Search terms used to reach our Site
• Form interactions and downloaded files

2.3 Business Information

In the course of our business relationship we generate and retain:

• Purchase history, invoices, and shipping records
• Support and service communications
• Training records, attendance, and certifications you have earned
• Warranty and service agreement records

2.4 Sensitive Personal Information

We do not knowingly collect "sensitive personal information" as defined under the California Privacy Rights Act (CPRA) or comparable laws, including Social Security numbers, government IDs, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic or biometric data, or health information. If you submit such information unsolicited (for example, in the body of a support email), we will not use it for any purpose other than responding to your inquiry.

2.5 Equipment Data

Our metallographic equipment does not collect, store, or transmit personal data or usage telemetry. Equipment operates as a standalone instrument under your control. If service or maintenance requires us to handle data from your equipment or attached computer (for example, diagnostic log files), we will treat that data as your confidential information and return or delete it after the service is complete.

We use personal information for the following purposes:

• To respond to inquiries and provide requested information, quotes, samples, or documentation
• To process orders, invoices, shipping, and returns
• To deliver technical support, warranty service, training, and customer service
• To send service-related communications (order confirmations, shipping notifications, recalls)
• To send marketing communications about products, applications, and events where you have consented or where permitted by law (you can unsubscribe at any time)
• To operate, maintain, secure, and improve our Site and products
• To detect and prevent fraud, abuse, and security incidents
• To comply with applicable law, court orders, and lawful requests
• To establish, exercise, or defend legal claims
• In connection with a corporate transaction, including a merger, acquisition, financing, reorganization, or sale of assets

Legal Bases (EEA / UK Residents)

If you are in the European Economic Area or the United Kingdom, our legal basis for processing your personal data under the GDPR / UK GDPR is one or more of the following:

• Performance of a contract with you, or steps you have asked us to take prior to entering into a contract (for example, processing your order or quote request);
• Legitimate interests we or a third party pursue, such as responding to inquiries, securing our Site, marketing to existing customers, and analytics, balanced against your rights and freedoms;
• Consent you have given for a specific purpose, such as marketing emails or non-essential cookies (you can withdraw consent at any time); and
• Compliance with a legal obligation to which we are subject (tax, accounting, export-control recordkeeping, etc.).

Our Site uses cookies, pixels, and similar technologies for the following purposes:

• Strictly necessary: required for the Site to function (load balancing, security, form submission, shopping cart). These cannot be disabled in our system.
• Performance and analytics: help us understand how visitors use the Site. Provided primarily by Google Analytics 4, with IP anonymization where applicable.
• Functional: remember preferences such as language or saved items.
• Marketing: help us measure the performance of our advertising and content. These may include Google Ads conversion tracking, the HubSpot tracking pixel, and the LinkedIn Insight Tag where deployed, and may be set by us or our service providers.

You can control cookies through your browser settings, by using the opt-out tools listed below, or by adjusting any cookie-banner preferences shown to you. Disabling certain cookies may affect Site functionality.

Global Privacy Control (GPC). Where required by law, we treat a Global Privacy Control signal sent by your browser as a valid request to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising under the California Privacy Rights Act and comparable state laws.

Do Not Track (DNT). There is no industry-wide standard for how websites should respond to "Do Not Track" browser signals, and our Site does not currently respond to DNT signals separately from the GPC mechanism above.

Analytics opt-out tools. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, and out of cross-context advertising at aboutads.info/choices or youronlinechoices.eu.

We share personal information with service providers (called "processors" under the GDPR and "service providers" under CCPA/CPRA) who perform functions on our behalf. These currently include:

• HubSpot: web forms, marketing automation, customer relationship management, and live chat
• Google: Analytics, Ads conversion tracking, and Google Workspace (email)
• Payment processors: for secure online and invoiced payments (we do not store full payment card numbers)
• Shipping and logistics partners: including UPS, FedEx, freight forwarders, and customs brokers
• Hosting and content-delivery providers: for the secure operation of our Site and data backups
• Email-delivery and event platforms: for transactional and marketing communications and webinars

These service providers are bound by written agreements to use personal information only for the purposes we authorize, to apply appropriate security measures, and to assist with rights requests where applicable. Each has its own privacy policy that governs its independent use of information it collects directly from you.

We do not sell your personal information for money. We do not "sell" or "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Texas Data Privacy and Security Act (TDPSA), or comparable state laws, except to the limited extent our use of advertising cookies described in Section 4 may technically meet the definition of "sharing", in which case you may opt out as described in Sections 4 and 9.

We may share personal information in the following circumstances:

• With service providers performing functions on our behalf, as described in Section 5;
• For legal compliance: to comply with applicable law, court orders, subpoenas, or lawful requests from public authorities;
• To enforce our rights: to investigate, prevent, or take action against suspected fraud, violations of our Terms, threats to safety, or other unlawful activity;
• In a corporate transaction: in connection with a merger, acquisition, financing, reorganization, dissolution, or sale of all or a portion of our business or assets; and
• With your consent: for any other purpose for which you have provided consent.

We do not sell, license, or otherwise make available personal information you provide to us, including the contents of your support emails, quote requests, or order data, for the training of third-party generative AI or machine-learning models. We do not authorize our service providers to use your personal information for that purpose.

We may use AI-assisted tools internally to improve customer service (for example, drafting responses, summarizing support tickets, or organizing technical documentation). When we do, we contract with providers that offer enterprise-grade privacy terms and we do not permit your data to be retained for the provider's general model improvement.

We do not make significant decisions about you that are based solely on automated processing. See Section 15 for more.

PACE is based in the United States, and personal information we collect is stored and processed in the United States. If you are accessing our Site or services from outside the United States, you understand and consent to the transfer of your personal information to, and its processing in, the United States, which may have data-protection laws different from those of your country.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on one or more of the following safeguards:

• The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), with the UK International Data Transfer Addendum where applicable;
• Your explicit, informed consent;
• Adequacy decisions, where in force; and
• Other safeguards permitted by applicable law.

You can request a copy of the relevant safeguard by contacting us (see Section 17).

Depending on where you reside, you may have some or all of the following rights regarding your personal information:

• Access / Know: request a copy of the personal information we hold about you and information about how we process it;
• Correction: request correction of inaccurate or incomplete information;
• Deletion: request deletion of your personal information, subject to legal exceptions;
• Portability: receive your personal information in a structured, commonly used, machine-readable format;
• Restriction or Objection: restrict or object to certain processing, including processing based on our legitimate interests;
• Opt out: opt out of the "sale" or "sharing" of personal information and of targeted advertising (see Section 4);
• Withdraw consent: where processing is based on consent, withdraw it at any time;
• Non-discrimination: exercise your rights without receiving discriminatory treatment;
• Appeal: if we deny a rights request, appeal that decision where state law (for example, Virginia, Colorado, or Connecticut) provides an appeal mechanism; and
• Complaint: lodge a complaint with your local data-protection or consumer-protection authority.

How to exercise your rights. Email pace@metallographic.com with the subject line "Privacy Request" and include enough information for us to verify your identity (we may ask you to confirm details we already hold). We will respond within the timeframes required by applicable law, typically 45 days under U.S. state laws and one month under the GDPR, with an extension where necessary.

Authorized agents. California residents may use an authorized agent to make a request on their behalf, subject to the agent providing proof of authority and us verifying the resident's identity.

State-specific laws. The rights described above apply to residents of California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, and any other state with a comprehensive privacy law, to the extent each applies to you. We honor each set of rights in accordance with the applicable statute.

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These include:

• TLS encryption of personal information in transit between your browser and our Site;
• Role-based access controls and authentication for our internal systems;
• Periodic security reviews of our systems and service providers;
• Employee privacy and security awareness training; and
• An incident-response process for suspected security events.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping any account credentials confidential.

We retain personal information for as long as necessary to fulfill the purposes set out in this Policy, unless a longer retention period is required or permitted by law. Indicative retention periods include:

• Customer transaction records (orders, invoices, shipping): seven (7) years from the last transaction, to satisfy tax and accounting recordkeeping requirements;
• Warranty and service records: ten (10) years from the start of the warranty period;
• Quote and lead data: until you opt out, or up to three (3) years of inactivity, whichever is earlier;
• Marketing contact data: until you unsubscribe, or up to three (3) years of inactivity;
• Website analytics (Google Analytics): twenty-six (26) months by default;
• Backups and disaster-recovery copies: aged out on the schedule of the underlying system, typically within ninety (90) days; and
• Export-control records: as required by the EAR or ITAR, typically five (5) years.

When personal information is no longer needed, we securely delete, de-identify, or aggregate it.

In the event of a personal-data breach that creates a risk to your rights, we will:

• Investigate and contain the incident as promptly as reasonably possible;
• Notify the relevant supervisory authority where required, including notification to EU data-protection authorities within 72 hours where the GDPR applies;
• Notify affected individuals without undue delay, and within the timeframes required by applicable law; and
• Provide information about the nature of the incident, the categories of data affected, and the steps taken or recommended.

Our Site and services are directed to businesses and adult professionals. We do not knowingly collect personal information from individuals under sixteen (16) years of age, and we do not knowingly sell, share, or use such information for targeted advertising. If you believe a child has provided personal information to us, please contact us and we will delete it promptly.

We may send you marketing emails about products, applications, training, and events that we believe may interest you, where you have consented or where permitted by law. Every marketing email contains a one-click unsubscribe link. You may also unsubscribe by replying with the word "unsubscribe" or by emailing pace@metallographic.com.

Opting out of marketing emails does not affect transactional communications related to your orders, warranty, or technical support, which you will continue to receive while you remain a customer. We comply with the U.S. CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), and applicable consent rules in the EEA and UK.

We do not engage in profiling or automated decision-making that produces legal or similarly significant effects concerning you without human involvement. Routine analytics, such as anonymized traffic reports or marketing-performance dashboards, are not "automated decision-making" for purposes of GDPR Article 22 or U.S. state privacy laws.

We may revise this Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

• Update the "Effective" date and version number at the top of this Policy;
• Post the revised Policy on our website;
• Provide notice through our Site or by email for significant changes; and
• Obtain renewed consent where applicable law requires.

We encourage you to review this Policy periodically.

For questions about this Policy, our data practices, or to exercise your privacy rights:

• Email: pace@metallographic.com (subject line: "Privacy Request")
• Phone: +1 (520) 882-6598
• Mail: PACE Technologies, Attn: Privacy, 3601 E. 34th Street, Tucson, Arizona 85713, USA

We will respond to your inquiry within the timeframes required by applicable law (generally 30–45 days). For privacy-related requests, we may need to verify your identity before processing your request.

If you have a question we haven't covered, just email us.