Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Hey Cabas LLC ("Cabas," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application and website at heycabas.com (collectively, the "Platform").

Hey Cabas LLC is a Wyoming limited liability company. By using the Platform, you agree to the practices described in this policy.


1. INFORMATION WE COLLECT

Information You Provide

Account information: Name, email address, phone number, and password when you create an account.

Profile information: Avatar photo, specialty tags, and Instagram handle (optional).

License information: State-issued professional license image and extracted data (name, license number, state, expiration date) for verification purposes.

Government-issued ID: Driver's license, state-issued ID card, or passport image and extracted data (name, date of birth) collected during account setup for identity verification. The ID number is stored only in hashed (non-reversible) form for duplicate account detection.

Listing information: Suite photos, address, description, amenity tags, equipment tags, content tags, pricing, operating hours, and access method details (Owners).

Payment information: Processed and stored by Stripe. Cabas does not directly store your credit card numbers, bank account numbers, or other financial account details.

Communications: Messages sent through the in-app messaging system.

Reviews: Ratings, comments, and tags you submit about other users.

Claims: Damage claim descriptions, categories, and supporting photos.

Support requests: Content of any communications you send to support@heycabas.com, legal@heycabas.com, privacy@heycabas.com, or accessibility@heycabas.com.

Appointment information: Service selected, Pro selected, appointment date and time, appointment notes, and cancellation details (Clients).

Service menu information: Service names, descriptions, prices, durations, and categories that you create and publish (Pros).

Inner Circle information: Invite code used, acceptance timestamp, and device information at the time of joining (Inner Circle Owners).

Phone verification: Phone number submitted for verification before booking a Client appointment.

Saved Pros: The list of Pros you save to your favorites (Clients).

Calendar sync data: When you use the calendar integration feature, appointment details (date, time, location, service name, display name) are exported to your personal calendar application at your request.

Portfolio and gallery: Photos of your work that you upload, organized by service category (Pros).

Terms consent: Timestamp of when you agreed to the Terms of Service and Privacy Policy during account creation.

Safety reports: Content of any safety reports you submit about suites on the Platform, including descriptions, photos, and supporting evidence.

Insurance certificate (optional): Certificate of insurance (COI) image and extracted data (insurer name, policy number, coverage limits, expiration date) uploaded by Pros and Owners who choose to display an "Insured" badge on their public profile.

State acknowledgment records: Timestamps and version identifiers of state-specific legal acknowledgments you have read and confirmed during account setup or while using the Platform.

Named space information: Studio or salon name, cover photo, and description created by Owners as part of listing setup. The named space aggregates all suites listed by an Owner at the same address.

Referral and attribution data: Your unique referral code (system-generated or customized by you), the date you last customized your code, referral relationships (who referred whom), the source URL of each referral, and the date of each referral. When you share a listing, shop, or Pro profile using the share feature, your referral code is automatically embedded in the shared URL.

Deferred deep link data: If you visit a listing, shop, or Pro profile on the Cabas website and then download the mobile app, a temporary link token may be stored in your browser's local storage to direct you to the correct content when you first open the app. This token contains: the destination URL, a referral code (if applicable), and an expiration timestamp. The token is deleted after use or upon expiration (24 hours). Cabas does not retain deferred deep link tokens on its servers beyond the expiration window.

Demand and trend indicator data: Cabas computes demand indicators (such as "Hot," "Best Value," "New," "Pro Favorite," and "Trending") for listings and Pro indicators for professional profiles using aggregated booking data, review data, and listing characteristics. These indicators are stored on the listing and profile records and are visible to all users.

Fair market pricing data: Cabas collects and analyzes booking rates across the Platform by state to establish fair market pricing guidance ranges. This analysis uses aggregated, anonymized booking data and does not involve individual user profiles or personally identifiable information. Pricing ranges are computed at the state level and may include metro-area overrides where sufficient transaction data exists.

Account status records: If your account is paused or deactivated as a result of a verification discrepancy, license expiration, or policy violation, we store the reason for the status change, the date it was initiated, the cure deadline (if applicable), the date it was resolved, and any related correspondence.

Information We Collect Automatically

Device information: Device type, operating system, app version, unique device identifiers, and browser type.

Usage data: Pages viewed, features used, actions taken, timestamps, session duration, and interaction patterns.

Location data: Approximate location based on IP address. Precise GPS location only when you explicitly use the "Near me" search feature, and only while the feature is active. We do not track your location in the background.

Check-in and check-out data: Timestamps, photos, and geolocation metadata (EXIF data) captured during the booking check-in and check-out process. This geolocation data is used for booking verification and claim evidence.

Access code data: Records of when door codes were generated, delivered, used, and expired. Smart lock access logs may include location data associated with lock events.

Performance data: Crash reports, error logs, and diagnostic information to improve app stability.

Appointment activity data: Appointment creation, confirmation, completion, cancellation, and no-show timestamps and metadata.

Rebook data: Records of when Clients use the rebook feature, including which Pro and service were rebooked.

Availability data: Pro availability schedules indicating which suite booking hours are open for Client appointments.

Notification interaction data: Whether notifications (including saved Pro availability alerts, appointment reminders, and Inner Circle good standing notices) were delivered, opened, or dismissed.

Unauthenticated browsing data: If you browse listings, shops, or Pro profiles on the Platform without creating an account, we collect standard device and usage information (device type, browser type, pages viewed, session duration, and general geographic location derived from IP address) through standard server logs. We do not collect personally identifiable information from unauthenticated visitors. No user account is created and no personal data is stored as a result of unauthenticated browsing.

Information from Third Parties

Stripe: Payment confirmation, payout status, account verification status, and chargeback notifications.

Seam: Smart lock connection status, access code usage logs, lock health data, battery levels, and connectivity status.

AWS Textract: Extracted text from license images and government-issued ID images for verification purposes. Textract performs optical character recognition (text extraction) only. We do not extract, collect, or store biometric identifiers, facial geometry, or any biometric data from license or ID images.

Licensify: Real-time confirmation of professional license status with state cosmetology, barbering, and related licensing boards. Licensify receives license number, licensee name, and state of issuance and returns current license status (active, expired, suspended, revoked, not found).

Twilio: SMS delivery status and phone number validation.

RevenueCat: Subscription status, purchase receipts, trial eligibility, and customer identifiers for managing Pro Membership subscriptions.


2. HOW WE USE YOUR INFORMATION

We collect and process your information only as reasonably necessary and proportionate for providing and maintaining the services you requested through the Platform. Specifically, we use your information to:

Create and manage your account

Verify your professional license

Facilitate bookings between Pros and Owners

Process payments and payouts through Stripe

Generate and deliver temporary access codes for smart locks

Display your public profile to other users

Calculate and display your integrity score and reputation milestones using automated systems

Process damage claims and dispute resolution

Send booking confirmations, reminders, access codes, and platform notifications

Administer the Myre Caroline Ambassador Program (referral tracking and rewards)

Detect, prevent, and address fraud, abuse, and violations of our Terms of Service

Enforce our Terms of Service and protect the safety and security of our users and the Platform

Improve the Platform through aggregated, anonymized usage analysis

Communicate with you about your account, bookings, and platform updates

Comply with legal obligations, respond to legal process, and cooperate with law enforcement

Facilitate Client appointments between Clients and Pros, including scheduling, payment processing, and notifications

Generate and deliver calendar sync files for confirmed appointments

Calculate and display Pro client ratings based on Client reviews using automated systems

Monitor Inner Circle Owner account activity and send automated good standing notices at 60 days, 90 days, and 120 days of inactivity as required by the Inner Circle Program terms

Send automated appointment reminders to Clients and Pros (24 hours and 1 hour before appointment start)

Notify Clients when their saved Pros open new availability

Process appointment no-show flags and enforce the appointment no-show policy

Verify Client phone numbers before their first appointment booking

Display Pro service menus, availability schedules, portfolio photos, and client ratings to Clients browsing the Platform

Administer the Inner Circle Program, including tracking eligibility, good standing status, and commission rate adjustments

Review user safety reports and take voluntary action on reported hazards

Provide automated notices for Terms of Service changes, fee structure changes, Ambassador Program changes, and Inner Circle Program changes as required by the applicable notice periods

Verify user identity using government-issued photo identification, including confirming the user is at least 18 years old and that the name on the ID matches the account information

Verify the current status of Pro professional licenses with state licensing boards through third-party verification services such as Licensify

Monitor Pro license expiration dates and send automated reminders at 60 days, 30 days, and 7 days before expiration

Display an optional "Insured" badge on Pro and Owner profiles based on uploaded certificates of insurance and remove the badge automatically upon COI expiration

Store records of state-specific legal acknowledgments confirmed by users during account setup or Platform use

Re-verification: We may use your previously submitted license information (license number, licensee name, state of issuance, license type) to periodically re-verify your license status with state licensing boards through third-party verification services. This processing is necessary to maintain the integrity and safety of the marketplace.

Referral tracking: We use referral codes and attribution data to track the success of user referrals for the Myre Caroline Ambassador Program. Referral data is used to calculate ambassador tier status, referral credits, and program eligibility. Referral tracking does not involve monitoring your browsing activity or sharing your personal information with the referred user beyond your first name (displayed in the warm intro banner when a referred user arrives via your link).

Demand indicator computation: We use aggregated booking volume, booking frequency, review ratings, listing age, repeat booking rates, and pricing competitiveness to compute demand and trend indicators for listings and Pro profiles. This computation uses anonymized data and does not involve manual review of individual user activity.

Fair market pricing computation: We analyze booking rates by state to establish pricing guidance ranges. This computation uses aggregated, anonymized rate data from completed bookings and does not involve individual user profiles.

Amenity scoring data: When an Owner creates or edits a listing, the amenities they select are scored using a point-based system that assigns values based on the listing's primary service type. We store the earned points, maximum possible points, normalized score (0 to 100), and resulting tier (Tier 1, Tier 2, or Tier 3) on the listing record. This data is used to provide pricing guidance and is visible to the Owner. The normalized score and tier are also visible to Pros browsing listings.

Space type classification: Each listing is classified by the Owner as either a Chair/Booth or a Private Suite. This classification is stored on the listing record and is visible to all users browsing the Platform.

We do not use your personal information for purposes beyond those listed above without providing additional notice and obtaining your consent where required by applicable law.

Data Minimization: Cabas collects only the personal information reasonably necessary to provide the services described in this policy. We do not collect data for purposes unrelated to Platform operations. We periodically review the data we retain and delete information that is no longer necessary for the purposes for which it was collected. When possible, we use anonymized or aggregated data rather than personally identifiable information for analytics and platform improvement.

Third-Party Analytics: Cabas may use analytics services to understand how users interact with the Platform and to improve Platform performance and user experience. If analytics services are implemented, they may collect anonymized or pseudonymized usage data including pages viewed, features used, session duration, device type, and general location. Cabas will update this section to identify any analytics providers before they are activated. Cabas will not implement any analytics service that shares personally identifiable information with third parties for advertising or cross-context behavioral tracking purposes. Any analytics data collected is used solely for Platform improvement, performance monitoring, and aggregate reporting.


3. AUTOMATED DECISION-MAKING

Cabas uses automated systems to support certain platform functions:

Integrity score calculation: Your integrity score is computed algorithmically based on your booking completion rate, review ratings, claim history, cancellation rate, and overall platform behavior. This score affects your profile visibility, tier status, and access to certain features such as premium listings.

Listing quality scoring: New listings receive an automated quality score that determines approval status and search visibility.

Fraud detection: We use automated tools to detect suspicious patterns in bookings, referrals, claims, and account creation.

Client rating calculation: Pro client ratings are computed algorithmically based on Client reviews submitted after completed appointments. This rating is displayed separately from the Pro's suite booking rating and is visible on the Pro's public profile.

Inner Circle good standing monitoring: An automated system monitors Inner Circle Owner booking activity. Automated notices are sent at 60 days and 90 days of inactivity. If inactivity reaches 120 days (including the 30-day cure period), the system automatically adjusts the Owner's commission rate from 8% to 12%. All automated notices are timestamped and stored as part of your account record.

Appointment no-show detection: When a Pro flags a Client no-show, the system automatically processes the payment to the Pro and records the no-show on the Client's account. Repeated no-shows may trigger automated account review or suspension.

Saved Pro matching: When a Pro opens new availability, the system automatically identifies Clients who have saved that Pro and sends push notifications.

Algorithmic ranking: Cabas uses automated systems to rank, sort, filter, and display listings, Pros, and services. Ranking considers factors including location, pricing, availability, ratings, reviews, and platform activity. Ranking does not constitute an endorsement or certification.

Safety report processing: Safety reports submitted by users may be prioritized and routed using automated systems based on the severity and content of the report.

You may request information about how automated decisions affect your account by contacting support@heycabas.com. If you believe an automated decision has adversely affected you, you may request a human review by contacting the same address.

For Inner Circle commission rate changes, appointment no-show determinations, and algorithmic ranking decisions that you believe have adversely affected your account, you may request a human review by contacting support@heycabas.com within 14 days of the automated action.

Artificial Intelligence and Automated Processing Technologies: Cabas uses automated processing and artificial intelligence technologies in the following areas: optical character recognition for license text extraction, algorithmic calculation of integrity scores and listing quality scores, automated no-show detection and enforcement, automated Inner Circle good standing monitoring, algorithmic ranking of listings and search results, automated fraud and review manipulation detection, automated safety report routing and prioritization, automated notification scheduling and delivery, state-level fair market pricing range computation based on aggregated booking data, amenity point scoring and tier computation based on service-type weighted amenity values, demand and trend indicator computation for listings and Pro profiles, re-verification of professional licenses using third-party validation services, deferred deep link resolution for cross-platform continuity, and referral code attribution tracking. These systems process personal data to make or support decisions that affect your account, visibility, and access to Platform features. No automated system used by Cabas makes final decisions about account termination without the option of human review. You have the right to request information about how these automated systems affect your account and to request human review of automated decisions as described earlier in this section.


4. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We have never sold personal information and we will never sell personal information. Cabas does not sell personal information as defined by the California Consumer Privacy Act, the California Privacy Rights Act, the Texas Data Privacy and Security Act, the Florida Digital Bill of Rights, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, or any other applicable state privacy law. Cabas does not share personal information with data brokers, data aggregators, or data resellers. Cabas does not share personal information for cross-context behavioral advertising, targeted advertising, or profiling for advertising purposes. We do not share personal information for any purpose other than those expressly described in this policy.

We share your information only in these circumstances:

With Other Users

Pros can see: Owner display name, listing details (after booking confirmation: full address including suite number), listing photos, and Owner reviews.

Owners can see: Pro display name, avatar, specialty, integrity score, license verification status, Pro member status, and Pro reviews.

Neither side sees: Email addresses, phone numbers, financial information, or license images. Full suite addresses (including suite numbers) are only visible to the Pro after a booking is confirmed.

Clients can see: Pro display name, avatar, specialty, client rating, client review count, service menu (names, descriptions, prices, durations), availability schedule, portfolio photos, and Pro reviews from other Clients.

Pros can see: Client display name and avatar for confirmed appointments. Pros cannot see Client phone numbers, email addresses, or payment information.

Clients cannot see: Pro phone numbers, email addresses, financial information, license images, or the full suite address until 24 hours before their appointment.

With Service Providers

We share information with third-party service providers who perform services on our behalf:

Supabase

Receives: Account data, booking data, messaging data, listing data

Purpose: Database infrastructure, authentication, real-time communication

Stripe

Receives: Name, email, bank account details (Owners), payment card details (Pros)

Purpose: Payment processing, payout disbursement, fraud prevention

Seam

Receives: Lock identifiers, booking time windows

Purpose: Smart lock access code generation and management

Twilio

Receives: Phone number, booking reference

Purpose: SMS delivery of door codes

AWS Textract

Receives: License images

Purpose: Optical character recognition for license text extraction

Resend

Receives: Email address, booking details

Purpose: Transactional email delivery

RevenueCat

Receives: User identifier, subscription status, purchase receipts, platform type

Purpose: Subscription management for Pro Membership, including trial tracking, renewal processing, and receipt validation

Google Maps Platform

Receives: Address queries, latitude and longitude coordinates

Purpose: Map display, address geocoding for listings, and location-based suite and Pro search

Licensify

Receives: License number, licensee name, state of issuance

Purpose: Real-time professional license status verification with state Boards of Barbering and Cosmetology across all 50 US states

State Licensing Boards (via third-party verification services)

Receives: License number, licensee name, state of issuance, license type

Purpose: Periodic re-verification of professional license status to confirm active standing with the applicable state Board of Barbering and Cosmetology. Re-verification may be conducted in batch or individually.

Each provider is contractually required to protect your data, use it only for the purpose of providing their service to Cabas, and comply with applicable data protection laws.

For Legal Reasons

We may disclose your information if required by law, valid subpoena, court order, or legal process, or if we reasonably believe disclosure is necessary to:

Comply with applicable law or respond to valid legal process

Protect the rights, safety, or property of Cabas, our users, or the public

Detect, prevent, or address fraud, security issues, or technical problems

Enforce our Terms of Service

When compelled by valid legal process (including subpoenas, court orders, search warrants, or national security letters), Cabas may provide the following categories of data to law enforcement or government agencies:

Account registration information (name, email address, phone number, role, account creation date)

Booking and appointment history with dates, times, and locations

Transaction records and payment amounts (Cabas does not hold full payment card numbers or bank account numbers, which are held by Stripe)

Access code activation and usage logs with timestamps

IP addresses and device identifiers associated with account activity and login sessions

Messages sent through the Platform messaging system

Check-in and check-out photos and associated timestamps and geolocation metadata

Location data associated with bookings and the "Near me" search feature

Integrity score history and platform behavior records

Safety reports submitted or received

Cabas does not voluntarily provide user data to law enforcement absent valid legal process, except in cases involving an imminent threat to life or physical safety where immediate disclosure is necessary to prevent serious harm.

When legally permitted, Cabas will notify the affected user before disclosing their data to law enforcement and will provide a copy of the legal process requiring disclosure. Cabas will not provide such notification if prohibited by law, court order, or if notification would jeopardize an ongoing investigation as determined by the requesting authority.

In a Business Transfer

If Cabas is acquired, merged, reorganized, or sells substantially all of its assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account before any such transfer.

Third-Party Provider Data Breaches

Cabas relies on third-party service providers to process and store certain categories of user data as described in this section. In the event of a data breach at a third-party provider, Cabas will cooperate with the affected provider to notify impacted users as required by applicable law.

Cabas is not responsible for the security practices, data breaches, or data handling failures of its third-party service providers. Each provider's own privacy policy and security commitments govern the data they process. Cabas does not guarantee the security of data held by third-party providers.

If Cabas becomes aware of a third-party provider breach that may have affected your data, we will notify you within the timeframe required by applicable state data breach notification laws and will provide information about which provider was affected and what categories of data may have been compromised.


5. DATA RETENTION

We retain your personal information for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.

When you delete your account:

Your profile and personal information are permanently deleted within 30 days.

Your booking history is anonymized (your name and identifying details are removed, but anonymized booking records are retained for platform analytics and financial reporting as required by law).

Your license image is permanently deleted.

Your check-in and check-out photos are permanently deleted.

Your messages are deleted from your account but may remain visible to the other party in their conversation history for up to 90 days before automatic deletion.

Your reviews remain on the Platform but are attributed to "Former User."

Any pending claims or disputes are resolved before deletion is processed.

Payment records are retained for the period required by applicable tax and financial reporting laws (typically 7 years), after which they are permanently deleted.

Your Client appointment history is anonymized (your name and identifying details are removed, but anonymized appointment records are retained for Pro earnings records and tax reporting).

Your saved Pros list is permanently deleted.

Your Client reviews remain on the Platform but are attributed to "Former User."

Your Pro service menu is deactivated and hidden from Clients.

Your Pro portfolio photos are permanently deleted.

Your Inner Circle membership status and commission rate history are retained for financial audit purposes for 7 years, then permanently deleted.

Your appointment calendar sync data exists only in your personal calendar application and is not controlled by Cabas after export.

Automated notice records (Inner Circle good standing notices, Terms change notices, fee change notices) are retained for 7 years as legal compliance records.

Safety reports you submitted are retained in anonymized form for platform safety analysis.

Account status records: Records of account pauses, deactivations, cure period outcomes, and related correspondence are retained for 7 years as legal compliance records.

Deferred deep link tokens: Tokens are stored in browser local storage for a maximum of 24 hours and are deleted after use or upon expiration. No server-side retention beyond the expiration window.

Referral relationship records: Referral attribution data (referrer code, referred user ID, referral date, source URL) is retained for the life of both accounts for ambassador program calculations. If either account is deleted, the referral record is anonymized (referrer code retained, user ID removed).

Demand indicator history: Historical demand indicator values are not retained. Only the current indicator values are stored on the listing record. Previous values are overwritten when indicators are recomputed.

Government-Issued ID Retention: Government-issued ID images are stored encrypted and retained for up to 12 months from the date of upload or last account activity, whichever is later. If your account becomes inactive, your ID image is automatically deleted at the end of the retention period. The hashed (non-reversible) ID number used for duplicate account detection is retained for the life of your account and deleted when your account is deleted.

Insurance Certificate Retention: Uploaded certificates of insurance (COIs) are retained while valid. The COI image and extracted data are automatically deleted 90 days after the policy expiration date shown on the document.

State Acknowledgment Retention: State-specific legal acknowledgment records (including timestamp and version of the notice acknowledged) are retained for 7 years as compliance records, even after account deletion, in order to evidence that required disclosures were presented and confirmed.

Legal Retention Requirements: Certain data must be retained after account deletion to comply with legal obligations regardless of your deletion request. Tax-related payment records are retained for 7 years as required by federal tax law (26 U.S.C. 6501). Records related to active or anticipated fraud investigations are retained for 3 years after the investigation concludes. Data subject to a legal hold in connection with pending or anticipated litigation is retained until the hold is released by legal counsel. Safety reports are retained in anonymized form indefinitely for platform safety analysis. Automated notice records (Inner Circle good standing notices, Terms of Service change notices, fee change notices) are retained for 7 years as legal compliance records. Data that has been aggregated and anonymized such that it can no longer reasonably identify you is not considered personal data under applicable law and may be retained indefinitely for analytics, research, and platform improvement.


6. DATA SECURITY

We implement industry-standard technical and organizational security measures to protect your information, including:

Encryption in transit (TLS 1.2+) for all data transmitted between your device and our servers

Encryption at rest for sensitive data stored in our database

Row-Level Security (RLS) policies on every database table, ensuring users can only access data they are authorized to view

Secure authentication tokens that expire and refresh automatically

Multi-factor authentication support

Access controls limiting which team members can access production data, with access logged and audited

Regular security assessments of our infrastructure and third-party providers

Secure deletion procedures for data that is no longer needed

Safety Report Data: Safety reports are stored with restricted access. Only authorized Cabas personnel involved in safety review may access safety report content. Safety reports are not shared with the reported Owner unless Cabas determines, at its sole discretion, that sharing is necessary for remediation.

Personnel Access Controls: Access to user personal data within Cabas is restricted to authorized personnel who require access to perform their job functions related to Platform operations, user support, safety review, or legal compliance. All personnel with access to user data are bound by written confidentiality obligations. Production database access requires multi-factor authentication. Access events are logged and subject to periodic audit. As the Cabas team grows, access controls will be expanded to include role-based access restrictions with the principle of least privilege, segregation of duties for sensitive operations such as financial data and account termination, mandatory security training for all personnel with data access, and regular access reviews with revocation of unnecessary permissions.

No method of electronic storage or transmission is 100% secure. While we implement and maintain reasonable security measures consistent with industry standards, we cannot guarantee absolute security against all threats.

Data breach notification: In the event of a data breach that affects your personal information, we will notify you in accordance with applicable state and federal law. Where required, notification will be provided within the timeframe specified by the applicable state's breach notification statute (typically within 30 to 72 days of discovery). Notification will include a description of the breach, the types of information affected, and steps you can take to protect yourself.

Limitation of Liability for Data Breaches: To the maximum extent permitted by applicable law, Cabas's liability for any data breach is limited to the notification obligations described in this policy, any credit monitoring or identity protection services we elect to provide, and any remediation required by applicable state and federal data breach laws. Cabas is not liable for consequential, incidental, or indirect damages arising from a data breach, including but not limited to identity theft, financial fraud, emotional distress, credit score impact, or reputational harm, except where such limitation is prohibited by applicable law. This limitation applies to breaches of Cabas's own systems and does not apply to breaches at third-party providers, which are governed by those providers' own terms and liability frameworks.

Compliance Commitment: If Cabas is notified of a potential privacy compliance deficiency by a regulatory authority, affected user, or through internal review, Cabas will make good faith efforts to investigate and cure the identified deficiency within 30 days of notification. This commitment applies to all applicable state and federal privacy laws and does not limit Cabas's obligations under any specific statute that requires a different cure period.


7. YOUR RIGHTS AND CHOICES

All Users

Access: You can view your personal information through your profile settings at any time.

Correction: You can update your profile information, name, and contact details through the app.

Deletion: You can delete your account through the Profile settings. See Section 5 for what happens when you delete your account.

Notification preferences: You can control which notifications you receive (push, email, SMS) through the Notification Settings page.

Location: You can revoke location permissions through your device settings at any time. The "Near me" feature will not function without location permission.

Automated decisions: You can request information about how automated systems affect your account, and request human review of automated decisions that adversely affect you, by contacting support@heycabas.com.

Appointment data: You can view your complete appointment history, including cancelled and completed appointments, through the app.

Client reviews: Clients can view all reviews they have submitted. Pros can view all Client reviews received. You cannot edit a submitted review, but you can contact support@heycabas.com to request removal of a review that violates the review standards described in the Terms of Service.

Saved Pros: You can add or remove saved Pros at any time through the app.

Calendar data: Calendar sync exports are one-time data transfers to your personal calendar application. Cabas does not have the ability to modify or delete appointment entries in your personal calendar after export.

Service menu: Pros can create, edit, activate, and deactivate services in their service menu at any time.

Portfolio: Pros can upload, reorder, and delete portfolio photos at any time through the app.

Inner Circle status: Inner Circle Owners can view their current good standing status, commission rate, and activity history through the app.

Safety reports: You can view safety reports you have submitted. You cannot retract a safety report after submission, but you can submit a follow-up clarification.

Response timeframe: We respond to all privacy rights requests within 30 days of receipt. If we need additional time (up to 30 additional days), we will notify you of the extension and the reason.

Universal Opt-Out Signals

We honor Global Privacy Control (GPC) signals and other universal opt-out mechanisms where required by applicable law. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information (though we do not sell or share personal information for advertising purposes).

Do Not Track Signals: Some web browsers transmit "Do Not Track" (DNT) signals. There is currently no industry-standard technology for recognizing or implementing DNT requests. Cabas does not currently respond to DNT browser signals. We do honor Global Privacy Control (GPC) signals as described above; GPC is the successor standard to DNT and is recognized under California law.

State-Specific Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Right to know what personal information we collect, use, disclose, and sell

Right to delete your personal information, subject to certain exceptions

Right to correct inaccurate personal information

Right to opt out of the sale or sharing of personal information (we do not sell or share personal information)

Right to limit the use of sensitive personal information to purposes necessary for providing the services

Right to non-discrimination for exercising your privacy rights

Sensitive Personal Information Collected: Under the CPRA, certain categories of personal information are classified as "sensitive." Cabas collects the following categories of sensitive personal information: (1) Precise geolocation data, collected during check-in and check-out photo submission and when you use the "Near Me" search feature, used solely for booking verification and location-based search results. (2) Financial account information, collected and processed by Stripe for payment processing, not stored directly by Cabas. Cabas does not use sensitive personal information for profiling, advertising, or any purpose other than providing the Platform services described in this policy. You have the right to limit the use of your sensitive personal information to the purposes necessary for performing the services you request.

To exercise these rights, email privacy@heycabas.com with "California Privacy Request" in the subject line.

California Shine the Light: Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for their direct marketing purposes. Cabas does not disclose personal information to third parties for their direct marketing purposes. If you have questions about this practice, contact privacy@heycabas.com with "Shine the Light Request" in the subject line.

Texas Residents (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act:

Right to access, correct, and delete your personal information

Right to data portability in a commonly used, machine-readable format

Right to opt out of the processing of your data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

Right to appeal a denial of your privacy request

To exercise these rights, email privacy@heycabas.com with "Texas Privacy Request" in the subject line.

Florida Residents (FDBR)

If you are a Florida resident, you have rights under the Florida Digital Bill of Rights:

Right to access, correct, and delete your personal information

Right to opt out of the sale of your personal data, targeted advertising, and certain profiling

Right to obtain a copy of your personal data in a portable format

To exercise these rights, email privacy@heycabas.com with "Florida Privacy Request" in the subject line.

Virginia, Colorado, Connecticut, and Other States

If you reside in a state with a comprehensive consumer privacy law (including but not limited to Virginia, Colorado, Connecticut, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island), you have rights that may include:

Right to access, correct, and delete your personal information

Right to data portability

Right to opt out of targeted advertising, sale of personal data, and profiling

Right to appeal a denial of your request

To exercise these rights, email privacy@heycabas.com with "[Your State] Privacy Request" in the subject line.

For all state privacy requests: We will verify your identity before processing your request. We do not charge a fee for processing privacy requests. If we deny your request, we will provide the reason and information about how to appeal.


8. BIOMETRIC DATA

We do not collect, store, or process biometric identifiers or biometric information. Our license verification and identity verification systems use AWS Textract for optical character recognition (text extraction) only. They do not analyze facial features, fingerprints, voiceprints, retina or iris scans, or any other biometric characteristic. This disclosure is provided in compliance with the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and similar state statutes.

The Client Appointment feature does not collect biometric data from Clients or Pros. Phone number verification uses a one-time SMS code and does not involve voice recognition, facial recognition, or any biometric process.


9. CHILDREN'S PRIVACY

Cabas is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete that information promptly. If you believe a child under 18 has created an account, contact privacy@heycabas.com immediately.


10. COOKIES AND TRACKING

The Cabas mobile app does not use cookies or web-based tracking technologies. The heycabas.com website may use:

Essential cookies for functionality such as session management and security. These cannot be disabled.

Analytics cookies to understand how visitors use the site. These can be declined.

We do not use advertising cookies, retargeting pixels, or third-party tracking technologies for advertising purposes. We do not participate in cross-site tracking or behavioral advertising networks.


11. PUSH NOTIFICATIONS AND SMS

We send push notifications for booking updates, payment activity, access codes, reviews, milestones, and ambassador program updates. You can manage your notification preferences in the app settings.

Door access codes are delivered via SMS to your registered phone number. This is a critical security notification that cannot be disabled. The code is required to enter the suite. Standard carrier messaging rates may apply.

We use Twilio to deliver SMS messages. Your phone number is shared with Twilio solely for the purpose of delivering these messages and is subject to Twilio's privacy policy.

Appointment Notifications: Clients and Pros receive push notifications for appointment confirmations, cancellations, 24-hour reminders, 1-hour reminders, new appointment requests, and Client review notifications. These can be managed in the app notification settings.

Saved Pro Notifications: Clients who save a Pro to their favorites list may receive push notifications when that Pro opens new availability. This can be disabled in the app notification settings.

Inner Circle Notifications: Inner Circle Owners receive email and in-app notifications related to their good standing status at 60 days and 90 days of inactivity, and a final notice at 120 days if the cure period is not fulfilled. These notifications cannot be disabled as they are required contractual notices under the Inner Circle Program terms.

Safety Report Notifications: If you submit a safety report, you may receive notifications regarding the status of your report. If a safety report is filed about your listing, you may receive a notification requesting information or action.


12. THIRD-PARTY LINKS AND SERVICES

The Platform may contain links to third-party websites or services (such as Stripe's dashboard for payout management or Instagram for profile linking). We are not responsible for the privacy practices, security, or content of third-party sites. We encourage you to read the privacy policies of any third-party service you access through or in connection with the Platform.


13. INTERNATIONAL DATA

Cabas operates in the United States. All data is stored and processed in the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to this transfer and processing.


14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top

Notify you through the app or via email at least 30 days before the changes take effect

Provide a summary of the material changes

Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with the updated policy, you must stop using the Platform and may delete your account. Previous versions of this Privacy Policy are available upon request by contacting privacy@heycabas.com.


15. CONTACT US

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, contact us at:

Hey Cabas LLC
Privacy inquiries: privacy@heycabas.com
General support: support@heycabas.com
Legal inquiries: legal@heycabas.com
Accessibility: accessibility@heycabas.com
Entity: Wyoming Limited Liability Company

For privacy requests, please include your full name, the email address associated with your Cabas account, your state of residence, and a description of your request. We will respond within 30 days.

© 2026 Hey Cabas LLC. All rights reserved.