LockRoute Privacy Policy

1. Who We Are & Scope

"LockRoute," "we," "us," or "our" refers to the operator of the LockRoute dispatch platform available at lockroute.app and related subdomains. This policy explains how we collect, use, and share information when you visit our website, sign up for an account, or use our services as a Dispatcher Company, Partner, Technician sub-user, or end Customer.

2. Roles & Data Controllership

LockRoute operates a multi-tenant Software-as-a-Service platform. The role we play depends on whose data we are handling:

• Dispatcher Companies, Partners, sub-users: We act as a controller of your account data (the information you give us to set up and bill your account).
• End-Customer information (names, phone numbers, addresses, service requests) that a Dispatcher Company collects through LockRoute: We act as a processor on behalf of that Dispatcher Company. The Dispatcher Company is the controller and remains responsible for the lawful basis of collection and for honoring end-customer requests.

3. Information We Collect

3.1 Information you give us directly

• Account: name, business name, email, phone, password (hashed), business address.
• Billing: card details handled exclusively by Stripe (we never see or store full card numbers); we retain Stripe customer/subscription IDs and last-4 metadata.
• Bank / payout info: collected by Stripe Connect during partner/dispatcher onboarding and held by Stripe. We never see full bank credentials.
• Identity verification: Stripe may require government-issued ID for Connect onboarding. We do not store these documents.
• Customer data uploaded for dispatching: customer names, phones, emails, addresses, service requests, photos, and notes.
• Communications: any messages you send through our contact form, support chat, or email.

3.2 Information collected automatically

• Device/log data: IP address, user-agent, request paths, timestamps. Used for security, abuse prevention, and debugging.
• Cookies: a session cookie that stores your authentication token. We do not use third-party advertising cookies.
• SMS / email delivery logs: timestamps, recipients, status (delivered, failed, undelivered).

3.3 Information from third parties

• Stripe: payment status, dispute notifications, payout events.
• Twilio: inbound SMS responses (e.g. STOP, HELP), delivery status callbacks.

4. How We Use Information

• Provide, maintain, and improve the dispatch platform.
• Route jobs to partners, send SMS/email notifications, generate invoices, process payments, and disburse payouts.
• Send transactional service messages (job offers, payment links, password resets, billing alerts).
• Send platform-related operational emails (trial expiring, payment failed, watchdog alerts).
• Authenticate users, prevent fraud, enforce our Terms.
• Comply with tax, accounting, and other legal obligations.
• Aggregate, anonymized analytics about platform usage. Aggregated data does not identify any individual.

We do not sell personal information. We do not use your data to train third-party AI models. We do not run advertising on the platform.

5. Sub-Processors / Service Providers

We share data with the limited set of vendors required to deliver service. Each is contractually bound to use data only for the services they provide to us:

• Stripe, Inc. — PCI DSS Level 1 certified payment processor. Handles card capture, charges, refunds, Connect payouts, the customer billing portal, and stores payment-method details. We never see, store, or process raw card numbers; Stripe.js / Stripe Elements isolates card data from our servers. Stripe Privacy Policy.
• Twilio, Inc. — A2P 10DLC-registered SMS delivery and inbound message routing. Phone numbers, message bodies, and delivery status are processed by Twilio. Twilio Privacy Notice.
• Resend — transactional email delivery (job notifications, receipts, password resets, billing alerts). Resend Privacy Policy.
• Railway — application hosting + managed PostgreSQL (US data centers). Railway Privacy Policy.
• Sentry (if enabled) — error monitoring; PII is scrubbed from error reports before transmission.
• Cloudflare — DNS and DDoS protection at the network edge. Cloudflare Privacy Policy.

We do not sell, rent, or trade your data to advertisers or marketing brokers. We do not use your data to train third-party AI models.

6. Disclosure of Information

We may disclose information when:

• Required by law (subpoena, court order, lawful government request);
• Necessary to protect the rights, property, or safety of LockRoute, our users, or the public;
• Investigating fraud, abuse, or violations of our Terms;
• Required as part of a business transaction (merger, acquisition, sale of assets) — successor will be bound by terms at least as protective as this policy;
• The user has given explicit consent.

7. SMS / TCPA Compliance

7.1 What we send

SMS messages sent through LockRoute are transactional / informational in nature. Examples include:

• Job offers sent to Partners: "New job: 2024 Honda Civic — house lockout — Jamaica NY. Reply YES to accept or NO to decline."
• Customer tracking links: "Hi Maria — your locksmith is on the way. Track here: https://lockroute.app/t/abc123. Reply STOP to opt out."
• Payment links: "Your service from ABC Locks is complete — $185.00. Pay here: https://lockroute.app/p/xyz789"
• Post-service surveys (single, optional message after job completion).
• Operational alerts to Dispatcher staff (job stuck, partner not responding, etc.).

7.2 Consent & opt-out

By providing a phone number to a Dispatcher Company that uses LockRoute, you consent to receive transactional SMS related to your service request. Dispatcher Companies are required by these terms to collect numbers only with valid consent. Recipients may at any time:

• Text STOP to opt out of all further messages from that sender. Opt-outs are honored automatically and immediately.
• Text HELP for contact information.
• Email privacy@lockroute.app with a phone number to be globally suppressed across all senders on our platform.

Frequency: typical recipient receives 1-3 messages per service request. We do not send marketing SMS, promotional offers, or recurring messages to consumers; the platform is for transactional dispatch only.

7.3 Compliance

Message & data rates may apply. We comply with the US Telephone Consumer Protection Act (TCPA), CTIA messaging guidelines, and the A2P 10DLC / Toll-Free Verification framework. Dispatcher Companies are the senders of record for compliance purposes; LockRoute provides the technical platform.

8. International Transfers

Our infrastructure is hosted in the United States. If you access the service from outside the US, your data will be transferred to and stored in the US. We rely on standard contractual clauses with our sub-processors when applicable.

9. Data Retention

• Active accounts: Data retained for the life of your account.
• Closed accounts: Operational data deleted within 90 days of cancellation, except for billing records retained for 7 years for tax/accounting compliance, and audit logs retained 1 year for security.
• Customer data uploaded by Dispatcher Companies: Deleted on Dispatcher Company instruction or 90 days after their account closes.
• SMS / email delivery logs: 24 months.

10. Security

We implement industry-standard administrative, technical, and physical safeguards including TLS in transit, encryption at rest for sensitive fields, hashed passwords (bcrypt), least-privilege database access, signed-webhook verification for Stripe, audit logging, and regular security reviews. No system is perfectly secure; we cannot guarantee absolute security.

11. Your Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate information;
• Request deletion (subject to retention requirements above);
• Request a copy of your data in a portable format;
• Object to or restrict certain processing;
• Withdraw consent.

To exercise these rights, email privacy@lockroute.app. We respond within 30 days. If you are an end customer of a Dispatcher Company using our platform, requests should be directed first to that Dispatcher Company; we will assist them in fulfilling your request.

12. California (CCPA) Notice

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising. Contact privacy@lockroute.app to exercise California rights. We will not discriminate against you for exercising them.

13. EU/UK (GDPR) Notice

If you are in the European Economic Area or UK, our legal bases for processing are: performance of contract (providing the service), legitimate interests (security, fraud prevention, service improvement), legal obligation (tax/accounting), and consent (where applicable, e.g. SMS opt-in). You can lodge a complaint with your local data protection authority.

14. Children

LockRoute is not directed to anyone under 16. We do not knowingly collect information from children. If you believe a child has provided us information, contact privacy@lockroute.app and we will delete it.

15. Third-Party Links

The platform may contain links to third-party services (Stripe-hosted billing, customer support tools). Their privacy practices are governed by their own policies; we are not responsible for them.

16. Changes

We may update this policy. The "Last updated" date will reflect the change. Material changes will be announced by email to account owners at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.

17. Contact

Privacy inquiries: privacy@lockroute.app
General contact: support@lockroute.app