Privacy Policy

Last updated: May 3, 2026

Lockafy ("Lockafy," "we," "us," or "our") provides booking software for escape room businesses. This Privacy Policy explains what information we collect through our website at lockafy.com and our hosted software (collectively, the "Services"), how we use it, and the choices you have. We are based in Illinois, United States. Questions? Email hello@lockafy.com.

1. Who this policy covers

Lockafy is a business-to-business service. Our direct customers are the escape room businesses ("Operators") that license our software. Operators use Lockafy to take bookings from their own end customers ("Players"). This policy describes:

• Information we collect from visitors to lockafy.com (including newsletter subscribers and people who request a demo).
• Information we collect from Operators who sign up for and use Lockafy.
• Information processed on behalf of Operators about Players who book through an Operator's Lockafy-powered booking widget. For that data, the Operator is the controller and we act as a service provider/processor.

2. Information we collect

From visitors to lockafy.com

• Contact details you submit (for example, when you email hello@lockafy.com, request a demo, or subscribe to our newsletter): name, email address, business name, and any message you send.
• Standard web/server logs: IP address, browser/user-agent, referring page, and pages viewed.
• Analytics data via Google Analytics (page views, device/browser info, approximate location). See "Cookies and analytics" below.

From Operators (Lockafy account holders)

• Account information: name, email address, password (hashed), business name, location, phone number, and role.
• Billing information: handled by our payment processor; we receive limited records (such as the last four digits of a card and transaction status), not full card numbers.
• Configuration data you enter into Lockafy: rooms, schedules, pricing, branding, staff accounts, integrations (e.g., Google Calendar, Gmail, payment gateway, SMS provider) and the credentials/tokens needed to connect those integrations.
• Support communications with us (email content, attachments).
• Usage data: actions taken in the admin app, which we use for product improvement, security, and support.

About Players (booking through an Operator)

When a Player books through an Operator's Lockafy widget or portal, we process the following on the Operator's behalf:

• Name, email address, phone number, party size and any optional booking notes the Player provides.
• Booking history with that Operator, including completion outcomes (e.g., escape time) the Operator records.
• Payment metadata returned by the Operator's chosen payment gateway (transaction ID, amount, status). Payment card details are entered into the gateway's hosted fields and are not stored by Lockafy.
• Communications sent on the Operator's behalf (email/SMS confirmations, reminders, receipts).

Players who want to access, correct, or delete their data should contact the Operator they booked with. We will support Operators in honoring those requests.

3. How we use information

• To provide, operate, secure, and improve the Services.
• To process bookings, payments, reminders, and confirmations on behalf of Operators.
• To respond to inquiries, demo requests, and support tickets.
• To send transactional messages about your account (security alerts, billing notices, service updates) — you cannot opt out of these while you have an active account.
• To send marketing newsletters and product updates to people who have opted in. You can unsubscribe at any time using the link in any newsletter, or by emailing hello@lockafy.com.
• To detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
• To comply with legal obligations.

4. How we share information

We do not sell personal information. We share data only with the categories of recipients described below, and only as needed to operate the Services:

• Hosting and infrastructure: our servers and databases are hosted on third-party infrastructure providers.
• Email delivery: transactional and marketing email is sent through Amazon Web Services (Amazon SES). Newsletters are managed using a self-hosted Listmonk instance that delivers via Amazon SES.
• SMS delivery: when an Operator enables SMS, messages are sent through the Operator's selected provider (such as Twilio or OpenPhone) using credentials they provide.
• Payment processing: when an Operator accepts payments, transactions are processed by the Operator's selected payment gateway (such as Square or Authorize.Net). Lockafy does not store full card numbers.
• Analytics: lockafy.com uses Google Analytics. Operators may also configure Google Analytics or Google Ads conversion tracking on their own booking widgets; that data is governed by the Operator's privacy notice.
• Optional integrations selected by the Operator, such as Google Calendar, Gmail, Nextcloud, or Pushover. Data is shared only to the extent the Operator enables the integration.
• Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
• Legal and safety: to comply with law, enforce agreements, or protect rights, property, or safety.
• Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this policy.

5. Cookies and analytics

We use cookies and similar technologies to keep you signed in, remember preferences, and measure how the site is used. Specifically:

• Session cookies for authentication and security.
• Analytics cookies set by Google Analytics to measure visits and interactions.

Most browsers let you block or delete cookies. Doing so may break parts of the site that require login.

6. Data retention

We keep personal information only as long as needed for the purposes described in this policy:

• Account and configuration data: while your Lockafy account is active, plus a reasonable period afterward to handle disputes, billing, and legal obligations (typically up to 7 years for financial records).
• Booking records: retained on behalf of the Operator until the Operator deletes them or terminates their account.
• Newsletter subscriber data: until you unsubscribe, plus a short suppression-list period to honor your opt-out.
• Server logs: typically up to 90 days for security and debugging.

When data is no longer needed, we delete or anonymize it.

7. Security

We use industry-standard safeguards including TLS encryption in transit, password hashing, role-based access controls, and tenant isolation enforced at the database level. No system is perfectly secure; if we become aware of a breach affecting your information, we will notify you as required by law.

8. Your rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Request deletion of your information.
• Object to or restrict certain processing.
• Request a portable copy of your information.
• Opt out of marketing communications at any time.
• Lodge a complaint with a data protection authority.

EU/UK residents (GDPR): We rely on the legal bases of contract, legitimate interests, consent (for marketing), and legal obligation. You have the rights listed above and the right to withdraw consent at any time.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to request deletion, to correct it, and to opt out of "sales" or "sharing" of personal information. We do not sell personal information. To exercise any right, email hello@lockafy.com.

If you booked with an escape room that uses Lockafy and want to exercise rights over your booking data, please contact that escape room directly. We will assist them in fulfilling your request.

9. Marketing emails and unsubscribing

We only send marketing newsletters to people who have asked to receive them. Every marketing email includes a one-click unsubscribe link. You can also email hello@lockafy.com at any time and we will remove you. Transactional messages about your account or active bookings are not marketing and cannot be turned off while your account or booking is active.

10. Children

Lockafy is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact hello@lockafy.com and we will delete it.

11. International users

Lockafy is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be communicated by email or by a notice on the site.

13. Contact us

Questions, concerns, or requests about this policy or your information:

Email: hello@lockafy.com
Lockafy · Illinois, United States