Privacy Policy
Effective as of February 12, 2025
OneLobby, Inc. ("OneLobby," "Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, disclose, retain, and safeguard information in connection with the OneLobby building operations platform, our website at onelobby.co, and all related services, features, and functionality (collectively, the "Service").
This Policy applies to all users of the Service, including building staff (doormen and front desk personnel), property managers and administrators, residents of participating buildings, and visitors to our website. By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Service.
This Policy should be read in conjunction with our Terms of Service, available at onelobby.co/terms. Capitalized terms not defined herein have the meanings ascribed to them in the Terms of Service.
1. Information We Collect
1.1 Information Provided Directly by Users
We collect information that you voluntarily provide when creating an account, using the Service, or communicating with us, including the following categories:
| Category | Data Elements |
|---|---|
| Identity Data | Full name, unit number, role/title |
| Contact Data | Email address, telephone number (mobile and/or landline), mailing address |
| Account Data | Username, password (stored in hashed form), account preferences, notification settings |
| Building Operations Data | Package photographs and label data (sender, carrier, tracking number); guest access records; amenity reservations; maintenance request details; building announcements; staff activity logs |
| Communications Data | SMS and email message content, delivery status, opt-in/opt-out preferences |
1.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain technical and usage information, including: device type, model, and operating system; browser type and version; Internet Protocol (IP) address; unique device identifiers; referring and exit URLs; pages and features accessed, clickstream data, and timestamps; geolocation data (approximate location derived from IP address; we do not collect precise GPS location); and log data, including server logs and error reports.
1.3 Information from Third Parties
We may receive information from third parties in connection with the Service, including: Subscriber-provided data, where property managers upload resident directories, staff rosters, unit assignments, and contact information; identity verification data from third-party authentication providers; and messaging delivery data from our communications infrastructure providers (e.g., Twilio), including delivery receipts, bounce notifications, and opt-out signals.
1.4 Cookies and Similar Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to operate and improve the Service. We use the following categories of cookies:
| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session or up to 30 days |
| Functional | User preferences, notification settings | Up to 1 year |
| Analytics | Usage patterns, feature adoption, performance monitoring | Up to 2 years |
You may control cookie preferences through your browser settings. Disabling strictly necessary cookies may impair the functionality of the Service.
2. How We Use Your Information
2.1 Purposes of Processing
We process personal information for the following purposes:
Service Delivery. To provide, operate, and maintain the Service, including processing package records, managing guest access, facilitating amenity reservations, routing maintenance requests, and delivering building notifications.
Transactional Communications. To send you transactional notifications related to building operations via SMS, email, and push notification, including package arrival alerts, guest access notifications, building announcements, amenity confirmations, and maintenance status updates.
Account Administration. To create and manage accounts, authenticate users, process access requests, and enforce role-based permissions.
Customer Support. To respond to inquiries, troubleshoot issues, and provide technical assistance.
Service Improvement. To monitor and analyze usage trends, diagnose technical problems, and develop new features and functionality.
Security and Fraud Prevention. To detect, investigate, and prevent security incidents, unauthorized access, and fraudulent activity.
Legal Compliance. To comply with applicable legal and regulatory obligations, respond to legal process, and exercise or defend legal claims.
Aggregated Analytics. To generate aggregated, de-identified data for benchmarking, industry research, and product development purposes, as described in Section 2.2.
2.2 Aggregated and De-Identified Data
We may create aggregated or de-identified data from personal information by removing or altering information that makes the data personally identifiable. We may use and disclose aggregated or de-identified data for any lawful purpose, including analytics, benchmarking, and product improvement. We commit to maintaining the de-identified status of such data and will not attempt to re-identify it.
2.3 What We Do Not Do
We do not sell personal information to third parties. We do not use personal information for targeted advertising or behavioral profiling unrelated to the Service. We do not share personal information with third parties for their own direct marketing purposes.
3. SMS and Email Communications
3.1 Nature of Communications
The Service facilitates the delivery of transactional communications from participating buildings to Residents and building staff. All messages sent through the Service are operational and transactional in nature—they are not marketing or promotional communications. Message categories include: package arrival and pickup notifications; guest access and arrival alerts; building-wide and unit-specific operational announcements (e.g., elevator outages, water shutdowns, fire alarm testing); amenity reservation confirmations and reminders; and maintenance request acknowledgments and status updates.
3.2 Consent
By providing your telephone number or email address to the Service (whether directly or through your building's property management), you expressly consent to receive the transactional messages described in Section 3.1. Your building's property management is responsible for ensuring that it has obtained all necessary consents prior to uploading your contact information to the Service.
3.3 Frequency and Charges
Message frequency varies based on building activity, your unit's package volume, and your notification preferences. You may receive multiple messages per day during periods of high building activity. Standard message and data rates imposed by your wireless carrier may apply. OneLobby is not responsible for any charges incurred in connection with messages delivered through the Service.
3.4 Opt-Out Rights
SMS: You may opt out of SMS notifications at any time by replying "STOP" to any message received from the Service. Following receipt of your opt-out request, we will confirm your removal and cease sending SMS messages within a commercially reasonable timeframe. You may re-subscribe at any time by replying "START" or by updating your notification preferences within the Service.
Email: You may opt out of email notifications by clicking the "Unsubscribe" link included in each email or by modifying your notification preferences within the Service.
You acknowledge that opting out of certain notifications may impair your ability to receive time-sensitive information regarding your building's operations, including package arrivals and building emergencies.
3.6 Mobile Data Sharing
Mobile opt-in data, including telephone numbers collected for the purpose of sending SMS notifications through the Service, will not be shared with or sold to third parties or affiliates for marketing or promotional purposes.
3.5 Messaging Infrastructure Providers
OneLobby uses Twilio, Inc. and other third-party communications platform providers ("Messaging Providers") to facilitate SMS and email delivery. Messaging Providers process recipient telephone numbers, email addresses, and message content solely for the purpose of message transmission and delivery. Messaging Providers are bound by data processing agreements that require them to process data only on our instructions and in compliance with applicable law.
4. How We Share Your Information
4.1 Within Your Building
Information necessary for building operations is shared with authorized personnel within your building, as determined by your building's Subscriber and in accordance with role-based access controls. For example, package records are visible to building staff and property managers; guest access records are visible to doormen and property managers; and maintenance requests are visible to building staff and property managers. Residents can view their own package history, guest access records, amenity reservations, and maintenance requests.
4.2 Service Providers
We engage third-party service providers ("Sub-Processors") who process personal information on our behalf to provide, maintain, and improve the Service. Sub-Processors include providers of cloud infrastructure and hosting (e.g., Amazon Web Services); messaging and communications delivery (e.g., Twilio); payment processing; analytics and monitoring; and customer support tools. All Sub-Processors are contractually obligated to process personal information solely in accordance with our instructions and to implement appropriate technical and organizational security measures. A current list of Sub-Processors is available upon request to [email protected].
4.3 Legal and Regulatory Disclosure
We may disclose personal information where we reasonably believe disclosure is required: (a) to comply with applicable law, regulation, legal process, or enforceable governmental request; (b) to enforce our Terms of Service, including investigation of potential violations; (c) to detect, prevent, or otherwise address fraud, security, or technical issues; or (d) to protect the rights, property, or safety of OneLobby, our users, or the public as required or permitted by law. Where legally permissible, we will endeavor to provide notice to affected users prior to such disclosure.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other change of control involving OneLobby, personal information may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and any material changes to this Policy that result therefrom. Your information will remain subject to the protections of this Policy (as in effect at the time of collection) until a successor policy is communicated and accepted.
4.5 With Your Consent
We may share personal information with third parties where you have provided explicit consent to such sharing.
5. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, as described in this Policy, unless a longer retention period is required or permitted by applicable law. Specific retention periods are as follows:
Account Data: Retained for the duration of the account's active status and for a reasonable period thereafter to allow for reactivation, unless deletion is requested.
Building Operations Data: Retained in accordance with the terms of the applicable Order Form between OneLobby and the Subscriber. In the absence of specific terms, building operations data is retained for the duration of the Subscriber's subscription plus thirty (30) days, after which it is securely deleted or anonymized.
Communications Data: SMS and email delivery logs are retained for up to twelve (12) months for operational and troubleshooting purposes. Message content is retained only for the period necessary to complete delivery and confirm receipt.
Technical and Usage Data: Retained for up to twenty-four (24) months for analytics, security monitoring, and service improvement purposes.
Upon expiration of the applicable retention period, personal information is securely deleted or anonymized using industry-standard methods. Notwithstanding the foregoing, we may retain personal information for longer periods where required by applicable law or regulation, or where necessary to establish, exercise, or defend legal claims.
6. Data Security
OneLobby maintains a comprehensive information security program that incorporates administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Key security measures include:
Encryption: All data in transit is encrypted using Transport Layer Security (TLS) 1.2 or higher. Data at rest is encrypted using Advanced Encryption Standard (AES)-256 or equivalent.
Access Controls: Role-based access controls, multi-factor authentication for administrative accounts, and least-privilege access policies.
Infrastructure Security: Hosting on SOC 2-compliant cloud infrastructure with network segmentation, intrusion detection, and DDoS mitigation.
Application Security: Secure software development lifecycle practices, regular code reviews, dependency scanning, and vulnerability assessments.
Incident Response: Documented incident response procedures with defined escalation paths. In the event of a Security Incident involving unauthorized access to or disclosure of personal information, OneLobby will: (a) notify affected Subscribers without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident; (b) provide information regarding the nature and scope of the incident, the categories and approximate number of affected individuals, and the measures taken to address the incident; and (c) cooperate with Subscribers in their notification obligations to affected individuals and supervisory authorities.
No method of electronic transmission or storage is completely secure. While we strive to use commercially reasonable means to protect personal information, we cannot guarantee absolute security.
7. Your Rights and Choices
7.1 General Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
Right of Access: The right to request confirmation of whether we process your personal information and to obtain a copy of such information.
Right of Rectification: The right to request correction of inaccurate or incomplete personal information.
Right of Deletion: The right to request deletion of your personal information, subject to certain exceptions (e.g., legal retention obligations).
Right to Restrict Processing: The right to request that we limit the processing of your personal information in certain circumstances.
Right to Data Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format.
Right to Object: The right to object to the processing of your personal information for certain purposes.
Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law (generally within thirty (30) days). We may request verification of your identity before processing your request. We will not discriminate against you for exercising any of your privacy rights.
7.2 Rights for Residents of Subscriber Buildings
If you are a Resident of a building that subscribes to the Service, please note that your building's property management (the Subscriber) is the data controller with respect to most of the personal information processed through the Service. For requests relating to data controlled by the Subscriber (e.g., your directory information, unit assignment, or contact details uploaded by property management), we may direct you to your building's property manager or cooperate with the Subscriber to fulfill your request.
8. State-Specific Privacy Rights
8.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing: We do not sell personal information, nor do we share personal information for cross-context behavioral advertising purposes within the meaning of the CCPA/CPRA.
Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
To submit a request, please contact us at [email protected]. You may also designate an authorized agent to submit a request on your behalf, subject to appropriate verification.
In the preceding twelve (12) months, we have collected the categories of personal information identified in Section 1 of this Policy. We have not sold personal information. We have disclosed personal information for the business purposes described in Section 4 of this Policy.
8.2 Other State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy legislation may have similar rights to those described in Sections 7 and 8.1, including the right to access, correct, delete, and obtain a copy of personal information, and the right to opt out of certain processing activities. To exercise rights under applicable state law, please contact us at [email protected]. If we decline your request, you may have the right to appeal our decision by contacting us at the same address.
9. Children's Privacy
The Service is not directed to individuals under the age of sixteen (16). We do not knowingly collect personal information from children under the age of sixteen. If we become aware that we have inadvertently collected personal information from a child under sixteen, we will take commercially reasonable steps to delete such information promptly. If you believe that a child under sixteen has provided us with personal information, please contact us immediately at [email protected].
10. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, you acknowledge that your personal information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your country of residence. By using the Service, you consent to such transfer. Where required by applicable law, we will implement appropriate safeguards for international data transfers, such as standard contractual clauses or other approved transfer mechanisms.
11. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services. This Policy does not apply to any third-party services, and we are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services before providing personal information.
12. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will indicate the date of the most recent revision at the top of this Policy. For material changes, we will provide notice through the Service, by email, or by other means reasonably designed to notify affected users at least thirty (30) days prior to the change taking effect. Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of such changes.
We encourage you to review this Policy periodically to stay informed about how we protect your information.
13. Data Protection Officer and Contact Information
If you have questions, concerns, or complaints regarding this Policy, our data processing practices, or your privacy rights, please contact us at:
OneLobby, Inc.
Attention: Privacy
Email: [email protected]
Website: https://onelobby.co
For SMS-specific inquiries:
Text "HELP" to any OneLobby message for assistance, or email [email protected].
We will endeavor to respond to all inquiries within thirty (30) days. If you are not satisfied with our response, you may have the right to lodge a complaint with your applicable data protection supervisory authority.