PRIVACY POLICY

Annual Enterprise Consulting LLC

Last updated: May 2026 Effective date: May 2026

Annual Enterprise Consulting LLC ("InnLocker," "we," "us," or "our") operates the

InnLocker platform for hotel package management, accessible at innlockerapp.com

and innlocker.com (collectively, the "Website"), and the InnLocker

software-as-a-service application (the "Service").

This Privacy Policy explains how we collect, use, disclose, and protect information

when you visit our Website, use our Service, or interact with us. It also explains

the rights you may have regarding your personal information.

**If you are a hotel guest whose package information has been entered into

InnLocker by a hotel, your primary point of contact regarding your personal

data is the hotel where you are staying. InnLocker processes that data on the

hotel's behalf as a data processor.**

1. WHO THIS POLICY APPLIES TO

This Privacy Policy applies to:

Website Visitors — Anyone who visits innlockerapp.com or innlocker.com;
Hotel Customers — Hotel operators and their staff who subscribe to and use the Service;
Hotel Guests — Individuals whose package information is entered into the Service by a hotel; and
Demo Requesters — Anyone who contacts us to request a product demonstration.

2. INFORMATION WE COLLECT

2.1 Information You Provide to Us

Contact and Account Information:

When you request a demo, contact us, or create an account, we collect:

Full name
Email address
Phone number
Hotel name and address
Job title

Hotel Configuration Data:

When a hotel customer sets up their account, we collect:

Hotel name, address, and time zone
Billing information (processed via Stripe — we do not store full card numbers)
Storage fee configuration and tax settings
Logo and branding assets

Hotel Guest Package Data (processed on behalf of hotels):

When hotel staff log packages through the Service, the system stores:

Guest full name and room number
Package carrier and tracking number
Package size and description
Locker assignment
Storage fee amount
Delivery timestamp and the name of the person who collected the package
Digital signature image (collected at the time of package delivery)
Contact information if provided (email, phone)

2.2 Information We Collect Automatically

When you visit our Website, we may collect:

IP address and approximate location (country/city level)
Browser type and version
Device type and operating system
Pages visited and time spent on each page
Referring URL
Date and time of visit

We use cookies and similar technologies as described in Section 6 below.

2.3 Information from Third Parties

We receive limited information from:

Stripe — Payment confirmation status, last four digits of card, and transaction reference IDs (not full card numbers)
Supabase — Authentication events and session data
WhatsApp — Messages sent to our business number (+1 786-416-2606)

3. HOW WE USE YOUR INFORMATION

3.1 To Provide and Improve the Service

Creating and managing hotel customer accounts
Processing package information as directed by hotel operators
Generating reports, audit trails, and analytics for hotel customers
Billing hotels for their subscription via Stripe
Improving Service features based on aggregated usage patterns
Troubleshooting bugs and technical issues

3.2 To Communicate with You

Responding to demo requests, support inquiries, and customer service questions
Sending subscription-related notifications (invoices, renewal reminders, maintenance notices)
Notifying customers of product updates and new features (you can opt out at any time)
Sending security alerts and breach notifications when required

3.3 For Legal and Safety Purposes

Complying with applicable law, legal process, or government requests
Enforcing our Terms of Service, Master Services Agreement, and Acceptable Use Policy
Protecting the rights, property, and safety of InnLocker, our customers, and third parties
Detecting and preventing fraud, security incidents, and abuse of the Service

3.4 Aggregated Analytics

We may use anonymized, aggregated data that cannot reasonably identify any individual

or hotel for benchmarking, product development, and industry research.

4. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information. We share information only

in the following circumstances:

4.1 Sub-processors and Service Providers

We share data with third parties that help us operate the Service, under data

processing agreements that restrict their use of your data:

Provider	Purpose	Website
Stripe, Inc.	Payment processing	stripe.com
Supabase, Inc.	Database and authentication	supabase.com
Vercel, Inc.	Application hosting	vercel.com
Anthropic, PBC	AI-powered label scanning	anthropic.com
Google LLC	Email communication	google.com

4.2 Hotels (as Controllers)

Hotel guest data is made available to the hotel that submitted it, as the data

controller. InnLocker processes such data only on the hotel's instructions.

4.3 Legal Requirements

We may disclose personal information if required to do so by law, court order, or

governmental authority, or if we believe in good faith that such disclosure is

necessary to protect the rights, property, or safety of InnLocker, our customers,

or the public.

4.4 Business Transfers

If InnLocker is involved in a merger, acquisition, or sale of all or substantially

all of its assets, personal information may be transferred as part of that transaction.

We will notify affected users by email and/or prominent notice on our Website before

any such transfer and before information becomes subject to a materially different

4.5 With Your Consent

We may share your information for other purposes with your explicit prior consent.

5. DATA RETENTION

Type of Data	Retention Period
Hotel customer account data	Duration of subscription + 30 days after termination
Hotel guest package records	Duration of subscription + 30 days after termination
Audit logs	Duration of subscription + 30 days after termination
Website visitor analytics	Up to 12 months
Support communications	Up to 3 years
Financial/billing records	As required by applicable law (typically 7 years)
Marketing contacts (non-customers)	Until opt-out or 2 years of inactivity

After the applicable retention period, we delete or irreversibly anonymize personal information.

Upon termination of a hotel's subscription, the hotel may request a data export within

30 days of termination, after which all hotel and guest data is permanently deleted.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 What We Use

Our Website uses the following types of cookies and similar technologies:

Type	Purpose	Can You Opt Out?
Strictly Necessary	Required for the Website to function (session management, security)	No — required for operation
Analytics	Understanding how visitors use the Website (page views, traffic sources)	Yes
Preferences	Remembering your language preference (EN/ES toggle)	Yes
Marketing	Measuring demo request conversions and marketing campaign effectiveness	Yes

6.2 How to Control Cookies

You can manage cookies through:

Your browser settings (most browsers allow you to refuse or delete cookies)
The cookie preference banner displayed on your first visit to innlockerapp.com
Third-party opt-out tools (e.g., Google Analytics Opt-Out Browser Add-on)

Disabling strictly necessary cookies may impair Website functionality.

6.3 Do Not Track

Our Website does not currently respond to "Do Not Track" signals from browsers.

We will update this policy if we implement Do Not Track support in the future.

7. DATA SECURITY

We implement reasonable technical and organizational measures to protect personal

information against unauthorized access, disclosure, alteration, and destruction,

including:

Encrypted data transmission (TLS 1.2+)
Encrypted data storage (AES-256)
Role-based access controls
Complete audit logging of all system actions
Regular security reviews and vulnerability assessments
Access limited to personnel who need it to perform their job functions

No method of electronic storage or transmission is 100% secure. In the event of

a data breach affecting your personal information, we will notify you as required

by applicable law.

8. YOUR PRIVACY RIGHTS

8.1 All Users

Regardless of where you are located, you may contact us at hello@innlockerapp.com to:

Request access to the personal information we hold about you
Request correction of inaccurate personal information
Request deletion of your personal information (subject to legal retention requirements)
Withdraw consent where processing is based on consent

We will respond to all requests within 30 days.

8.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to Know. You may request that we disclose the categories and specific

pieces of personal information we have collected about you, the categories of

sources, the purposes for collection, and the categories of third parties with

whom we share information.

Right to Delete. You may request deletion of personal information we have

collected from you, subject to certain exceptions.

Right to Correct. You may request correction of inaccurate personal information. Right to Opt Out of Sale or Sharing. InnLocker does not sell or share personal

information for cross-context behavioral advertising. No opt-out is required.

Right to Limit Sensitive Personal Information. InnLocker does not use sensitive

personal information for purposes beyond those necessary to provide the Service.

Right to Non-Discrimination. We will not discriminate against you for exercising

your CCPA rights.

How to Exercise Your Rights: Email hello@innlockerapp.com with subject line

"California Privacy Request." We will verify your identity before processing your request.

We do not sell personal information. We do not have actual knowledge of selling

personal information of minors under 16 years of age.

8.3 EEA / UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you have

additional rights under the GDPR/UK GDPR:

Legal Basis for Processing. We process your personal data on the following bases:

Contractual necessity — to provide the Service to hotel customers
Legitimate interests — to operate and improve the Service, prevent fraud, and communicate with prospects
Legal obligation — to comply with applicable law
Consent — for marketing communications and non-essential cookies (you may withdraw consent at any time)

Your Rights:

Access — obtain a copy of your personal data
Rectification — correct inaccurate or incomplete data
Erasure ("right to be forgotten") — request deletion subject to legal exceptions
Restriction — restrict how we process your data in certain circumstances
Data portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interests
Automated decision-making — not be subject to solely automated decisions with significant effects

How to Exercise: Email hello@innlockerapp.com. We will respond within 30 days

(extendable by 60 days for complex requests).

Supervisory Authority. If you believe we have violated your GDPR rights, you have

the right to lodge a complaint with the supervisory authority in your country of residence.

Data Transfers. If you are in the EEA or UK, your personal data is transferred to

and processed in the United States. These transfers are governed by Standard Contractual

Clauses (SCCs) as described in the Data Processing Agreement (Exhibit B to the MSA)

for hotel customers, or, for Website visitors, are covered by InnLocker's reliance on

SCCs with its Sub-processors.

8.4 Hotel Guests — Special Notice

If you are a hotel guest: Your package information was entered into InnLocker by

the hotel where you are staying. The hotel is the data controller responsible for

your personal data. InnLocker processes your data only as a data processor on the

hotel's behalf.

To exercise your privacy rights regarding your package data, please contact the hotel

directly. If you contact InnLocker directly, we will forward your request to the

relevant hotel within 5 business days.

9. CHILDREN'S PRIVACY

The Service is not directed to children under the age of 13 (or under 16 in the EEA).

We do not knowingly collect personal information from children. If you believe we have

inadvertently collected information from a child, please contact us at

hello@innlockerapp.com and we will delete it promptly.

10. LINKS TO THIRD-PARTY WEBSITES

Our Website may contain links to third-party websites (including Stripe, WhatsApp,

and social media platforms). This Privacy Policy does not apply to those websites.

We encourage you to review the privacy policies of any third-party sites you visit.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our

practices, the Service, or applicable law. We will notify you of material changes by:

Posting the updated policy on innlockerapp.com with a new "Last Updated" date; and
Sending an email notification to hotel customers at their registered email address

at least 30 days before the changes take effect.

Your continued use of the Website or Service after the effective date of any update

constitutes your acceptance of the revised Privacy Policy.

12. CONTACT US

For any privacy-related questions, requests, or concerns, please contact:

Annual Enterprise Consulting LLC — Privacy

Email: hello@innlockerapp.com

WhatsApp: +1 (786) 416-2606

Website: innlockerapp.com

We will respond to all privacy inquiries within 30 days.

Annual Enterprise Consulting LLC · innlockerapp.com Privacy Policy Version 1.0 — May 2026