Privacy Policy

When you sign up, we collect: your name, email, hashed password (we never store passwords in plaintext), and the organization name you create. If you enable 2FA we also store an encrypted TOTP secret and bcrypt-hashed backup codes.

When you use the dashboard, we collect: devices you add (name, type, brand, serial number, firmware version, online state, battery level), access users and PIN codes you create, activity events (lock/unlock, motion, codes used, errors), and listings + reservations imported from iCal feeds.

When you connect a payment method, Stripe collects your card details directly; we never see them. We retain a Stripe customer ID, subscription status, and invoice metadata.

We collect minimal telemetry: server logs (request paths, timing, error stacks), authenticated API key usage, and webhook delivery results. We don't use third-party analytics or ad trackers.

• To provide the service — show you your devices, sync your reservations, send the codes you mint to the locks you've linked.
• To send transactional email — team invites, password resets. (No marketing email without your opt-in.)
• To bill you — through Stripe, on the plan you selected.
• To detect abuse and protect the service — rate limiting, error reporting.

Production data is stored on Neon (Postgres, US-East). The application runs on Vercel (US-East default region). All connections are TLS. Backups are encrypted at rest and rotated within 30 days.

See our subprocessor list for the third parties involved in delivering the service.

We don't sell your data. We share data only with the subprocessors strictly necessary to run the service. We may share data if required by valid legal process; in that case we'll notify you to the extent permitted by law.

You can, at any time:

• Access — export your data via the CSV export on the activity page, or via the public REST API.
• Correct — edit your profile, your org, your devices, your access users.
• Delete — from the dashboard you can remove individual records; email privacy@locksteve.com to delete the entire account. Production data is removed within 30 days, backups within 90.
• Object / portability — applicable rights under GDPR / CCPA are honored; email the address above.

Active account data is retained as long as you have an account with us. Activity events are retained per your plan's history window (14 days, 90 days, 1 year, or 7 years). Webhook delivery logs are kept 30 days. Stripe invoices are kept for the legal retention period (typically 7 years for tax/accounting purposes).

LockSteve is a B2B service intended for property operators. We don't knowingly collect data from anyone under 16.

We use a single first-party cookie (locksteve_session) to keep you signed in. It's httpOnly, SameSite=Lax, and Secure in production. We don't use third-party tracking or advertising cookies.

Material changes will be announced via email at least 14 days before they take effect.

Email privacy@locksteve.com. For security disclosures, please use security@locksteve.com.