Privacy Policy

Last updated: April 26, 2026

This Privacy Policy explains how Hey Cabas LLC ("Cabas," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application and website at heycabas.com (collectively, the "Platform").

Hey Cabas LLC is a Wyoming limited liability company. By using the Platform, you agree to the practices described in this policy.

1. INFORMATION WE COLLECT

Information You Provide

• Account information: Name, email address, phone number, and password when you create an account.

• Profile information: Avatar photo, specialty tags, and Instagram handle (optional).

• License information: State-issued professional license image and extracted data (name, license number, state, expiration date) for verification purposes.

• Listing information: Suite photos, address, description, amenity tags, equipment tags, content tags, pricing, operating hours, and access method details (Owners).

• Payment information: Processed and stored by Stripe. Cabas does not directly store your credit card numbers, bank account numbers, or other financial account details.

• Communications: Messages sent through the in-app messaging system.

• Reviews: Ratings, comments, and tags you submit about other users.

• Claims: Damage claim descriptions, categories, and supporting photos.

• Support requests: Content of any communications you send to support@heycabas.com, legal@heycabas.com, privacy@heycabas.com, or accessibility@heycabas.com.

Information We Collect Automatically

• Device information: Device type, operating system, app version, unique device identifiers, and browser type.

• Usage data: Pages viewed, features used, actions taken, timestamps, session duration, and interaction patterns.

• Location data: Approximate location based on IP address. Precise GPS location only when you explicitly use the "Near me" search feature, and only while the feature is active. We do not track your location in the background.

• Check-in and check-out data: Timestamps, photos, and geolocation metadata (EXIF data) captured during the booking check-in and check-out process. This geolocation data is used for booking verification and claim evidence.

• Access code data: Records of when door codes were generated, delivered, used, and expired. Smart lock access logs may include location data associated with lock events.

• Performance data: Crash reports, error logs, and diagnostic information to improve app stability.

Information from Third Parties

• Stripe: Payment confirmation, payout status, account verification status, and chargeback notifications.

• Seam: Smart lock connection status, access code usage logs, lock health data, battery levels, and connectivity status.

• AWS Textract: Extracted text from license images for verification purposes. Textract performs optical character recognition (text extraction) only. We do not extract, collect, or store biometric identifiers, facial geometry, or any biometric data from license images.

• Twilio: SMS delivery status and phone number validation.

2. HOW WE USE YOUR INFORMATION

We collect and process your information only as reasonably necessary and proportionate for providing and maintaining the services you requested through the Platform. Specifically, we use your information to:

• Create and manage your account

• Verify your professional license

• Facilitate bookings between Pros and Owners

• Process payments and payouts through Stripe

• Generate and deliver temporary access codes for smart locks

• Display your public profile to other users

• Calculate and display your integrity score and reputation milestones using automated systems

• Process damage claims and dispute resolution

• Send booking confirmations, reminders, access codes, and platform notifications

• Administer the Myre Caroline Ambassador Program (referral tracking and rewards)

• Detect, prevent, and address fraud, abuse, and violations of our Terms of Service

• Enforce our Terms of Service and protect the safety and security of our users and the Platform

• Improve the Platform through aggregated, anonymized usage analysis

• Communicate with you about your account, bookings, and platform updates

• Comply with legal obligations, respond to legal process, and cooperate with law enforcement

We do not use your personal information for purposes beyond those listed above without providing additional notice and obtaining your consent where required by applicable law.

3. AUTOMATED DECISION-MAKING

Cabas uses automated systems to support certain platform functions:

• Integrity score calculation: Your integrity score is computed algorithmically based on your booking completion rate, review ratings, claim history, cancellation rate, and overall platform behavior. This score affects your profile visibility, tier status, and access to certain features such as premium listings.

• Listing quality scoring: New listings receive an automated quality score that determines approval status and search visibility.

• Fraud detection: We use automated tools to detect suspicious patterns in bookings, referrals, claims, and account creation.

You may request information about how automated decisions affect your account by contacting support@heycabas.com. If you believe an automated decision has adversely affected you, you may request a human review by contacting the same address.

4. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We have never sold personal information and we will not sell personal information. We do not share personal information for cross-context behavioral advertising or targeted advertising purposes.

We share your information only in these circumstances:

With Other Users

• Pros can see: Owner display name, listing details (after booking confirmation: full address including suite number), listing photos, and Owner reviews.

• Owners can see: Pro display name, avatar, specialty, integrity score, license verification status, Pro member status, and Pro reviews.

• Neither side sees: Email addresses, phone numbers, financial information, or license images. Full suite addresses (including suite numbers) are only visible to the Pro after a booking is confirmed.

With Service Providers

We share information with third-party service providers who perform services on our behalf:

Supabase

Receives: Account data, booking data, messaging data, listing data

Purpose: Database infrastructure, authentication, real-time communication

Stripe

Receives: Name, email, bank account details (Owners), payment card details (Pros)

Purpose: Payment processing, payout disbursement, fraud prevention

Seam

Receives: Lock identifiers, booking time windows

Purpose: Smart lock access code generation and management

Twilio

Receives: Phone number, booking reference

Purpose: SMS delivery of door codes

AWS Textract

Receives: License images

Purpose: Optical character recognition for license text extraction

Resend

Receives: Email address, booking details

Purpose: Transactional email delivery

Each provider is contractually required to protect your data, use it only for the purpose of providing their service to Cabas, and comply with applicable data protection laws.

For Legal Reasons

We may disclose your information if required by law, valid subpoena, court order, or legal process, or if we reasonably believe disclosure is necessary to:

• Comply with applicable law or respond to valid legal process

• Protect the rights, safety, or property of Cabas, our users, or the public

• Detect, prevent, or address fraud, security issues, or technical problems

• Enforce our Terms of Service

When compelled to disclose user data to law enforcement or government agencies, we may provide booking records, transaction history, access code logs, messages, location data, and account information as required. We will notify the affected user of such disclosure unless prohibited by law or court order.

In a Business Transfer

If Cabas is acquired, merged, reorganized, or sells substantially all of its assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account before any such transfer.

5. DATA RETENTION

We retain your personal information for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.

When you delete your account:

• Your profile and personal information are permanently deleted within 30 days.

• Your booking history is anonymized (your name and identifying details are removed, but anonymized booking records are retained for platform analytics and financial reporting as required by law).

• Your license image is permanently deleted.

• Your check-in and check-out photos are permanently deleted.

• Your messages are deleted from your account but may remain visible to the other party in their conversation history for up to 90 days before automatic deletion.

• Your reviews remain on the Platform but are attributed to "Former User."

• Any pending claims or disputes are resolved before deletion is processed.

• Payment records are retained for the period required by applicable tax and financial reporting laws (typically 7 years), after which they are permanently deleted.

6. DATA SECURITY

We implement industry-standard technical and organizational security measures to protect your information, including:

• Encryption in transit (TLS 1.2+) for all data transmitted between your device and our servers

• Encryption at rest for sensitive data stored in our database

• Row-Level Security (RLS) policies on every database table, ensuring users can only access data they are authorized to view

• Secure authentication tokens that expire and refresh automatically

• Multi-factor authentication support

• Access controls limiting which team members can access production data, with access logged and audited

• Regular security assessments of our infrastructure and third-party providers

• Secure deletion procedures for data that is no longer needed

No method of electronic storage or transmission is 100% secure. While we implement and maintain reasonable security measures consistent with industry standards, we cannot guarantee absolute security against all threats.

Data breach notification: In the event of a data breach that affects your personal information, we will notify you in accordance with applicable state and federal law. Where required, notification will be provided within the timeframe specified by the applicable state's breach notification statute (typically 30 to 72 days of discovery). Notification will include a description of the breach, the types of information affected, and steps you can take to protect yourself.

7. YOUR RIGHTS AND CHOICES

All Users

• Access: You can view your personal information through your profile settings at any time.

• Correction: You can update your profile information, name, and contact details through the app.

• Deletion: You can delete your account through the Profile settings. See Section 5 for what happens when you delete your account.

• Notification preferences: You can control which notifications you receive (push, email, SMS) through the Notification Settings page.

• Location: You can revoke location permissions through your device settings at any time. The "Near me" feature will not function without location permission.

• Automated decisions: You can request information about how automated systems affect your account, and request human review of automated decisions that adversely affect you, by contacting support@heycabas.com.

Response timeframe: We respond to all privacy rights requests within 30 days of receipt. If we need additional time (up to 30 additional days), we will notify you of the extension and the reason.

Universal Opt-Out Signals

We honor Global Privacy Control (GPC) signals and other universal opt-out mechanisms where required by applicable law. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information (though we do not sell or share personal information for advertising purposes).

State-Specific Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to know what personal information we collect, use, disclose, and sell

• Right to delete your personal information, subject to certain exceptions

• Right to correct inaccurate personal information

• Right to opt out of the sale or sharing of personal information (we do not sell or share personal information)

• Right to limit the use of sensitive personal information to purposes necessary for providing the services

• Right to non-discrimination for exercising your privacy rights

To exercise these rights, email privacy@heycabas.com with "California Privacy Request" in the subject line.

Texas Residents (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act:

• Right to access, correct, and delete your personal information

• Right to data portability in a commonly used, machine-readable format

• Right to opt out of the processing of your data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

• Right to appeal a denial of your privacy request

To exercise these rights, email privacy@heycabas.com with "Texas Privacy Request" in the subject line.

Florida Residents (FDBR)

If you are a Florida resident, you have rights under the Florida Digital Bill of Rights:

• Right to access, correct, and delete your personal information

• Right to opt out of the sale of your personal data, targeted advertising, and certain profiling

• Right to obtain a copy of your personal data in a portable format

To exercise these rights, email privacy@heycabas.com with "Florida Privacy Request" in the subject line.

Virginia, Colorado, Connecticut, and Other States

If you reside in a state with a comprehensive consumer privacy law (including but not limited to Virginia, Colorado, Connecticut, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island), you have rights that may include:

• Right to access, correct, and delete your personal information

• Right to data portability

• Right to opt out of targeted advertising, sale of personal data, and profiling

• Right to appeal a denial of your request

To exercise these rights, email privacy@heycabas.com with "[Your State] Privacy Request" in the subject line.

For all state privacy requests: We will verify your identity before processing your request. We do not charge a fee for processing privacy requests. If we deny your request, we will provide the reason and information about how to appeal.

8. BIOMETRIC DATA

We do not collect, store, or process biometric identifiers or biometric information. Our license verification system uses AWS Textract for optical character recognition (text extraction) only. It does not analyze facial features, fingerprints, voiceprints, retina or iris scans, or any other biometric characteristic. This disclosure is provided in compliance with the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and similar state statutes.

9. CHILDREN'S PRIVACY

Cabas is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete that information promptly. If you believe a child under 18 has created an account, contact privacy@heycabas.com immediately.

10. COOKIES AND TRACKING

The Cabas mobile app does not use cookies or web-based tracking technologies. The heycabas.com website may use:

• Essential cookies for functionality such as session management and security. These cannot be disabled.

• Analytics cookies to understand how visitors use the site. These can be declined.

We do not use advertising cookies, retargeting pixels, or third-party tracking technologies for advertising purposes. We do not participate in cross-site tracking or behavioral advertising networks.

11. PUSH NOTIFICATIONS AND SMS

We send push notifications for booking updates, payment activity, access codes, reviews, milestones, and ambassador program updates. You can manage your notification preferences in the app settings.

Door access codes are delivered via SMS to your registered phone number. This is a critical security notification that cannot be disabled, the code is required to enter the suite. Standard carrier messaging rates may apply.

We use Twilio to deliver SMS messages. Your phone number is shared with Twilio solely for the purpose of delivering these messages and is subject to Twilio's privacy policy.

12. THIRD-PARTY LINKS AND SERVICES

The Platform may contain links to third-party websites or services (such as Stripe's dashboard for payout management or Instagram for profile linking). We are not responsible for the privacy practices, security, or content of third-party sites. We encourage you to read the privacy policies of any third-party service you access through or in connection with the Platform.

13. INTERNATIONAL DATA

Cabas operates in the United States. All data is stored and processed in the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to this transfer and processing.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top

• Notify you through the app or via email at least 30 days before the changes take effect

• Provide a summary of the material changes

Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with the updated policy, you must stop using the Platform and may delete your account. Previous versions of this Privacy Policy are available upon request by contacting privacy@heycabas.com.

15. CONTACT US

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, contact us at:

Hey Cabas LLC
Privacy inquiries: privacy@heycabas.com
General support: support@heycabas.com
Legal inquiries: legal@heycabas.com
Accessibility: accessibility@heycabas.com
Entity: Wyoming Limited Liability Company

For privacy requests, please include your full name, the email address associated with your Cabas account, your state of residence, and a description of your request. We will respond within 30 days.