Privacy Policy
How Lotly collects, uses, shares, and protects personal information
This Privacy Policy describes how Lotly Software LLC (“Lotly,” “we,” or “us”) collects, uses, shares, and protects personal information in connection with the Lotly platform and related services (the “Services”), as further defined in the Terms of Service. This Policy applies to information collected through lotly.ai, the Operator Portal, the Tenant Portal, per-Subscriber listings sites, our APIs, our marketing and email communications, and our calculators and other marketing-site resources.
By using the Services, you acknowledge the collection, use, and sharing of your personal information as described in this Policy. If you do not agree, do not use the Services.
For purposes of this Policy, “personal information” includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under applicable U.S. state privacy laws. “Applicable Law” means all applicable federal, state, and local laws, rules, and regulations.
Except where explicitly described in this Policy and subject to applicable opt-in or opt-out rights, we do not sell personal information as “sale” is defined under applicable U.S. state privacy laws, and we do not “share” personal information for cross-context behavioral advertising as that term is defined under applicable U.S. state privacy laws. Lotly does not make automated determinations of eligibility, tenancy, credit, or screening outcomes, and does not produce binding recommendations regarding Applicants or Residents. Lotly provides information, Consumer Reports furnished by third-party CRAs, Reference Communications transmitted between landlords, and operational tools for Subscriber review; Subscribers independently determine how to interpret and apply such information, and Subscribers are responsible for ensuring meaningful human involvement in their tenancy and eligibility decisions.
1. Scope & Roles
The Lotly platform serves several types of users, and our role with respect to personal information varies by user type:
- Operators / Subscribers — the property owners, managers, and operators that contract with Lotly. With respect to information that Subscribers provide directly to us about themselves and their businesses, Lotly is the “business” or “controller.” With respect to information that Subscribers upload about Residents and Applicants, Subscribers are the “business” or “controller” and Lotly is the “service provider” or “processor.”
- Residents (Tenants) and Applicants — Lotly typically acts as a “service provider” or “processor” on behalf of the relevant Subscriber, and as a “reseller” under FCRA when transmitting consumer reports.
- Marketing-site visitors and newsletter subscribers — Lotly is the “business” or “controller” for information collected on lotly.ai itself.
Where Lotly acts as a service provider/processor, the Subscriber’s privacy policy — not this one — governs the Subscriber’s collection and use of Resident/Applicant data. Residents and Applicants should consult the Subscriber’s own privacy policy for that purpose. Role designations described in this Policy apply only to processing contextually described in this Policy and may vary by processing activity; for any given processing activity, Lotly’s role is determined by the facts of that activity and Applicable Law, not by a single global label.
Service-provider / processor commitments. Where Lotly acts as a service provider, processor, or contractor (as those terms are defined in Cal. Civ. Code § 1798.140(ag), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and analogous state privacy laws), we process personal information only on the documented instructions of the Subscriber, do not retain, use, or disclose such information for any purpose other than providing the Services or as expressly permitted by Applicable Law, and do not combine such information with personal information obtained from other sources except (i) as permitted by Applicable Law or (ii) for security, fraud-prevention, abuse-detection, billing-integrity, or service-integrity purposes that do not produce consumer-facing scores, ratings, recommendations, or eligibility determinations. Lotly does not independently determine the purposes or means of processing Subscriber-controlled personal information. We do not sell or share Subscriber-controlled personal information as those terms are defined under applicable U.S. state privacy laws.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email, phone, postal address, business name, role.
- Identity-verification information: government-issued ID, beneficial-ownership disclosures, business documents, address-verification, photo (Subscribers).
- Property information: addresses, units, lots, leases, rules, amenities, photographs.
- Financial information: payment-method tokens (we do not store full card or bank numbers), billing addresses, tax-form information for 1099 vendors, owner-statement data.
- Application information: data submitted by Applicants in connection with rental applications, including name, address, employment, income, references, and authorizations to procure consumer reports.
- Communications: messages sent via the Tenant Portal, support chats, emails, and similar.
- Calculator inputs: numbers and selections you enter into our calculators (cap rate, NOI, lot rent, etc.) and the report email address you provide if you request a report by email.
- Newsletter / mailing-list information: email and (optionally) name when you subscribe.
2.2 Information Collected Automatically
- Device and connection information: IP address, browser type and version, operating system, device identifiers, screen size, language, time zone.
- Usage information: pages visited, links clicked, features used, dates and times of access, referring/exit pages, error logs.
- Cookies and similar technologies: see Section 5.
- Server logs: web-server access and error logs.
2.3 Information from Third Parties
- Consumer reporting agencies: credit, criminal, eviction, identity-verification, and income-verification reports from CRAs including TransUnion, Asurint, and Pinwheel, as further described in the Terms of Service.
- Payment processors: confirmation, decline, dispute, and chargeback information from Stax Payments, Accept Blue, Plaid, and successor processors.
- Identity-verification vendors: signal data used to verify user identity and detect fraud.
- Public records: information from publicly available sources, including business filings.
- Subscribers: when a Subscriber adds you as a Resident, Applicant, vendor, employee, or contact, we receive information about you from that Subscriber.
2.4 Sensitive Information
The Services are designed to collect Social Security numbers, financial-account information, criminal-history information, and similar sensitive data only as needed for legitimate business purposes (typically tenant screening, payment processing, or identity verification). This data is described as “Sensitive Personal Information” under California, Virginia, Colorado, Connecticut, and similar state laws, and we treat it accordingly. We do not use Sensitive Personal Information to infer characteristics about you, and we do not use Sensitive Personal Information to infer characteristics for profiling, scoring, ranking, or eligibility purposes. We do not use or disclose Sensitive Personal Information for purposes other than those permitted by Cal. Civ. Code § 1798.121, including to provide the Services requested by the consumer, to perform Services on behalf of the Subscriber, to detect security incidents, to prevent and respond to fraud, illegal activity, or impermissible use, to verify or maintain the quality or safety of the Services, and to comply with Applicable Law.
2.5 Data Minimization
We seek to collect and process personal information only to the extent reasonably necessary and proportionate to achieve the purposes described in this Policy, and we do not seek to collect personal information that is not reasonably relevant to the operation of the Services or to compliance with Applicable Law.
3. How We Use Information
Lawful bases. We process personal information where necessary to (i) provide the Services requested by the user or Subscriber and to perform our contractual obligations to them, (ii) comply with legal, regulatory, and reseller obligations under FCRA and other Applicable Law, (iii) protect against fraud, abuse, security threats, and unauthorized access, and (iv) pursue legitimate business interests — such as operating, securing, debugging, auditing, and improving the Services — that are not overridden by the rights, freedoms, or reasonable expectations of the individual.
| Purpose | Examples |
|---|---|
| Provide the Services | Authenticate users; route applications; deliver consumer reports; collect rent; send certified mail; render dashboards. |
| Communicate with you | Service notices; payment receipts; rent reminders; security alerts; password resets; calculator-report emails; newsletter (where opted in). |
| Comply with law | Respond to subpoenas, lawful demands, audits, regulator requests, FCRA reseller obligations, Disposal Rule requirements, breach-notification statutes. |
| Protect security & prevent fraud | Detect unauthorized access; prevent abuse and impersonation; investigate suspicious activity. |
| Improve and develop the Services | Diagnose errors; perform analytics; generate limited internal inferences for product-improvement and operational purposes (and not for eligibility, tenancy, credit, or screening determinations or for individual risk scoring tied to any Applicant, Resident, or other consumer); develop new features; develop and improve internal operational systems using de-identified, aggregated data that does not include Customer Data, Applicant data, Resident data, or Reference Communications, and that is not used to train, fine-tune, or otherwise improve any consumer-facing, general-purpose, or cross-customer artificial intelligence or machine-learning models; produce aggregated industry data. |
| Marketing | Send marketing emails (where opted in); personalize content on lotly.ai; measure marketing effectiveness; target ads on third-party platforms (where opted in). |
| Administrative | Billing, accounting, audit, recordkeeping, mergers and acquisitions due diligence. |
We do not knowingly use personal information for any purpose materially different from those for which it was collected, except with notice or as required by law.
Inference taxonomy. For clarity, Lotly distinguishes three categories of data-derived outputs: (a) Operational signals — account-level fraud, abuse, security, billing-integrity, and reliability indicators generated by internal systems for service operation; (b) Product analytics — aggregated, de-identified usage and performance metrics used to operate, debug, and improve the Services; and (c) Consumer profiling and eligibility inference — outputs that score, rank, classify, or predict an individual consumer’s tenancy suitability, creditworthiness, rental risk, or eligibility. Categories (a) and (b) are permitted; category (c) is not performed by Lotly. Operational signals and product analytics are not used to evaluate a consumer’s eligibility, creditworthiness, tenancy suitability, or personal characteristics, and are not used to make inferences about a consumer’s characteristics for tenancy, leasing, or housing-decision purposes.
4. How We Share Information
Subscriber-controlled processing. Where personal information is processed on behalf of a Subscriber, the Subscriber determines — to the extent permitted by Applicable Law — the categories of data collected, the purposes of processing, the screening criteria applied (if any), and the retention period applicable to the Subscriber’s own copy of the data, subject to Applicable Law and to the FCRA reseller obligations Lotly maintains as described in Section 2.1 of the Terms of Service. Subscribers, not Lotly, are responsible for responding to consumer-rights requests under state privacy law that target the Subscriber’s processing, to the extent permitted by Applicable Law. Lotly does not control or determine Subscriber-defined screening criteria, does not adopt or endorse any particular criterion, and does not assume responsibility for Subscribers’ tenancy, leasing, or screening decisions; those determinations — including their legality, sufficiency, accuracy, fair-housing compliance, and nondiscriminatory application — are the Subscriber’s responsibility.
Lotly’s retained obligations. Nothing in this Section shifts to Subscribers any obligation that Applicable Law imposes directly on Lotly. Lotly retains and complies with its own affirmative obligations, including without limitation the reseller obligations under FCRA § 1681e(a), § 1681e(e), § 1681b(e), and § 1681i(f), the Federal Trade Commission Disposal Rule (16 C.F.R. Part 682), state data-breach-notification statutes, applicable state privacy laws to the extent Lotly is a controller or service provider, and any other duty imposed on Lotly by Applicable Law. Subscriber responsibility allocations described in this Policy do not waive, disclaim, or contract around any non-waivable statutory duty owed by Lotly.
- With Subscribers: information provided by or about Residents and Applicants is shared with the Subscriber that requested the screening or that the Resident/Applicant applied to.
- With service providers and processors: cloud hosting (AWS), payment processors (Stax Payments, Accept Blue, Plaid), screening providers (TransUnion, Asurint, Pinwheel), email and SMS delivery providers, certified-mail providers, identity-verification vendors, analytics providers, customer-support tools, AI/LLM vendors. Each is contractually bound to use information only as instructed and to protect it consistent with this Policy.
- For legal reasons: in response to subpoenas, court orders, regulator requests, or other lawful demands; to enforce our agreements; to protect rights, property, or safety; to investigate fraud or wrongdoing.
- With affiliates and successors: in connection with a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy. We will notify users where required by law.
- With your consent or at your direction: such as when you authorize a Subscriber to procure a consumer report or when you opt in to share information with a third-party integration.
- De-identified or aggregated information: we may share data that does not identify any specific person or household for any lawful purpose. Where we use or disclose de-identified information, we apply commercially reasonable technical and organizational measures — consistent with Applicable Law and current industry standards on re-identification risk — designed to ensure that the information cannot reasonably be associated with a consumer or household, publicly commit to maintain and use the information only in de-identified form, contractually obligate any recipient to comply with these requirements, and do not attempt to re-identify the information except to test the effectiveness of de-identification safeguards or as otherwise expressly permitted by Applicable Law. Any derived datasets, embeddings, vector representations, or similar derived artifacts generated from Customer Data, Applicant data, Resident data, or Reference Communications are subject to the same de-identification, re-identification, and use-limitation commitments described above. Lotly does not currently maintain persistent behavioral profiles of Applicants, Residents, or other individuals for advertising, scoring, ranking, or tenancy-related purposes.
We do not sell personal information as “sale” is defined under applicable U.S. state privacy laws (including, without limitation, Cal. Civ. Code § 1798.140(ad)). We do not “share” personal information for cross-context behavioral advertising as that term is defined under applicable U.S. state privacy laws (including, without limitation, Cal. Civ. Code § 1798.140(ah)), without consent where required by law.
5. Cookies and Similar Technologies
5.1 What We Use
- Strictly necessary cookies: required to operate the Services (authentication, session, security, load balancing).
- Functional cookies: remember preferences and improve user experience (saved filters, layout choices).
- Analytics cookies: help us understand how the Services are used in aggregate (page views, feature usage, errors).
- Advertising cookies: where used, allow us to measure marketing effectiveness and serve ads on third-party platforms. Used only with consent in jurisdictions that require it. Where required by Applicable Law, we treat the use of advertising cookies, ad-tech pixels, and similar tracking technologies as “sharing” of personal information for cross-context behavioral advertising and honor opt-out signals (including Global Privacy Control), as described in Section 15.
5.2 Choices
You can manage cookie preferences in your browser. Disabling strictly necessary cookies may impair access to the Services. For tracking technologies subject to opt-out under U.S. state privacy laws, you may opt out using the controls described in Section 15 and Section 16, or via Global Privacy Control (GPC) signals where supported. Where required by Applicable Law, we obtain consent through a cookie banner or similar consent-management tool prior to the use of non-essential cookies, and we honor opt-outs received through GPC signals or comparable mechanisms, including treating such signals as valid requests to opt out of sale or sharing where applicable. Users may withdraw consent at any time using the same consent-management tool, browser controls, or by following the opt-out instructions in Section 15.
6. Third-Party Services
The Services use third-party providers including, without limitation, the following. Each is governed by its own privacy policy.
- Hosting: Amazon Web Services.
- Screening: TransUnion LLC; One Source Technology, LLC d/b/a Asurint; Underdog Technologies, Inc. d/b/a Pinwheel.
- Payments: Stax Payments; Accept Blue; Plaid Inc.
- Email delivery: Microsoft 365 (Office 365 SMTP).
- Voice / telephony: Vosy LLC (Vosy.ai) — outbound and inbound voice calling, voicemail handling, and voice-agent / interactive-voice-response functionality used for purposes such as contacting prior landlords for reference verification and receiving maintenance and customer-service calls.
- Mapping: OpenStreetMap; Google Maps.
- AI / LLM providers: as listed in product documentation; subject to enterprise data-protection terms that prohibit use of inputs to train, fine-tune, or otherwise improve any consumer-facing, general-purpose, or cross-customer machine-learning or foundation models.
This list is illustrative and may be updated from time to time. We do not control these providers’ sites or apps; visit them directly for their privacy practices.
6.1 Vendor tiering. For diligence and audit clarity, our third-party ecosystem is structured in three tiers:
- (a) Processors / service providers — entities that handle personal information on Lotly’s documented instructions to deliver contracted Services (for example, hosting, transmission, storage, document handling, identity-verification, and email/SMS delivery). Processors are contractually required not to use personal information for their own independent commercial purposes, not to sell or share it, and not to combine it with personal information from other sources except as permitted by Applicable Law.
- (b) Sub-processors — entities engaged by our processors to support the Services and bound by flow-down data-protection, confidentiality, and use-limitation obligations substantially similar to those imposed on the processor.
- (c) Independent third-party controllers — entities that determine their own purposes and means of processing under their own privacy policies. Examples include the originating consumer reporting agencies whose Consumer Reports we resell, and payment networks operating their own settlement and fraud-prevention systems.
Where required by Applicable Law, we enter into data processing agreements or comparable contractual terms with our processors, sub-processors, and (where applicable) independent controllers governing the processing of personal information. A current list of material subprocessors is available on request to privacy@lotly.ai; Lotly will provide reasonable advance notice of material subprocessor changes where required by an executed Data Processing Addendum.
7. FCRA-Regulated Information
Information that constitutes a “consumer report” under FCRA is regulated by separate federal and state law. Our use of FCRA-regulated information is described in detail in the Terms of Service and (for Subscribers) the Master Subscriber Agreement. We act as a “reseller” under FCRA § 603(u) and forward consumer disputes to the originating CRA in accordance with FCRA § 1681i(f). Lotly does not alter, modify, summarize, recharacterize, or reinterpret consumer report information received from consumer reporting agencies; consumer reports are transmitted to Subscribers without substantive modification. Lotly does not assemble, compile, or originate a Lotly-branded consumer report; our role is limited to reselling and transmitting reports furnished by the originating CRAs.
7.1 Fair Housing Alignment
Tenant screening implicates the federal Fair Housing Act, 42 U.S.C. § 3601 et seq., the Equal Credit Opportunity Act, 15 U.S.C. § 1691 et seq., the Servicemembers Civil Relief Act, the Americans with Disabilities Act, HUD’s April 4, 2016 guidance on the use of criminal-history screening, and analogous state and local fair-housing, fair-chance-housing, source-of-income, and anti-discrimination laws. Lotly designs the Services with awareness of disparate-impact risk, including by avoiding consumer-facing scoring, ranking, or recommendation outputs of Lotly’s own that could systematically disadvantage protected classes. Subscribers, not Lotly, are the users of consumer reports under FCRA and the housing providers under FHA, and Subscribers are primarily responsible for adopting and consistently applying objective, non-discriminatory screening criteria, for delivering FCRA § 615 adverse-action notices, and for compliance with state and local fair-housing requirements applicable to their properties, subject to Lotly’s own retained obligations described in Section 4. Nothing in this Policy is legal advice on Fair Housing compliance; Subscribers should consult qualified counsel in the relevant jurisdiction.
8. Payment Information
Payment-card and bank-account information is collected, transmitted, and stored by our PCI-DSS compliant payment processors (Stax Payments, Accept Blue, Plaid, and any successor). Lotly stores tokenized references to your payment method, not the underlying card number or bank account number. Each processor’s privacy policy governs its handling of payment information.
9. Reference Communication Data & Operational Processing
Lotly transmits Consumer Reports furnished by third-party CRAs and operates a Reference Communication Tool that allows landlords to exchange written reference responses about prospective Applicants. Lotly functions solely as a passive conduit for such communications and does not use them for tenancy decisioning, consumer-facing scoring, ranking, or eligibility determinations. See Section 11 of the Terms of Service for full details.
No first-party foundational-model training. Lotly does not currently use Customer Data, Applicant data, Resident data, or Reference Communications to train or fine-tune consumer-facing, general-purpose, cross-customer, or foundational artificial-intelligence or machine-learning models. This restriction does not prevent Lotly from operating internal models or rule-based systems used for security, fraud prevention, abuse detection, billing integrity, infrastructure operation, or service-functionality purposes. Lotly acknowledges that fraud-detection, abuse-detection, and security-monitoring systems may, by their nature, generate operational signals or risk indicators about account-level behavior, transactions, or sessions. Such internal systems do not (a) produce consumer-facing scores, ratings, recommendations, or eligibility determinations; (b) rank, prioritize, or order Applicants or Residents relative to one another for tenancy purposes; (c) generate hidden, undisclosed, or shadow scores used in tenancy, leasing, or eligibility outcomes; (d) infer or score an Applicant’s, Resident’s, or other individual’s tenancy suitability, creditworthiness, or rental risk; or (e) expose Customer Data, Applicant data, Resident data, or Reference Communications across customers. Where third-party operational vendors (for example, document-handling, transcription, or infrastructure providers) process Customer Data on Lotly’s behalf, those vendors are bound by data-protection terms that prohibit use of inputs to train, fine-tune, or otherwise improve the vendor’s consumer-facing, general-purpose, cross-customer, or foundational machine-learning or foundation models, except where explicitly agreed in writing. Standard transient logging, debugging telemetry, and service-operation metadata that an enterprise vendor retains under its own published terms are not considered model training within the meaning of this Section.
9.1 Roles and Automated Decision-Making
Lotly provides information organization, display, and transmission tools. Subscribers independently apply their own criteria and make all eligibility and tenancy decisions, and are responsible for ensuring meaningful human involvement in those decisions. Lotly does not use automated decisionmaking to produce legal or similarly significant effects concerning individuals, such as eligibility for housing, credit, or tenancy. The use of automated systems for fraud detection, security monitoring, abuse detection, billing integrity, and other system-integrity purposes — including machine-learning systems used solely for system integrity and not for consumer evaluation purposes — is permitted and does not, by itself, constitute automated decisionmaking that produces such effects. Any sorting, filtering, labeling, or grouping in the user interface is based on Subscriber-selected criteria or neutral data organization and does not constitute eligibility scoring or screening determinations by Lotly.
Accordingly, we do not currently offer an opt-out of automated decisionmaking under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the California Privacy Rights Act regulations on automated decisionmaking technology, or analogous state privacy laws, because the Services do not currently perform such automated decisionmaking. If our practices change in a manner that triggers an applicable opt-out right, we will update this Policy and provide the required mechanism.
9.2 Data Protection Assessments
Where Applicable Law requires, Lotly conducts and maintains data protection assessments (sometimes referred to as data protection impact assessments or risk assessments) for processing activities that present a heightened risk of harm to consumers, including the processing of Sensitive Personal Information, the processing of personal information for tenant screening, and the use of new third-party subprocessors that materially change Lotly’s processing posture. These assessments evaluate the benefits and risks of the processing, the safeguards in place, the potential for re-identification of de-identified data, and any disparate-impact or fair-housing-adjacent risks attributable to Lotly’s technical operations. Lotly cooperates with state attorneys-general or other regulators in producing these assessments where required by Applicable Law. Subscribers are independently responsible for any data protection assessment obligations that attach to Subscriber-controlled processing under Applicable Law.
10. SMS & Email
10.1 Email
By providing an email address, you consent to receive transactional, operational, and (where opted in) marketing emails from Lotly. Marketing emails include a one-click unsubscribe link and our physical mailing address, and identify Lotly as the sender, in compliance with the federal CAN-SPAM Act, 15 U.S.C. § 7701 et seq.
10.2 SMS
If you provide a mobile phone number, you consent to receive recurring transactional and operational text messages from Lotly and the relevant Subscriber, including rent reminders, payment confirmations, maintenance updates, lease notices, two-factor authentication codes, and customer-service messages. Messages may be sent using automated technology, including software-based messaging platforms that may otherwise constitute the use of an automatic telephone dialing system or artificial or prerecorded voice as those terms are used in the federal Telephone Consumer Protection Act, 47 U.S.C. § 227. Where you opt in, you may also receive marketing texts; consent to receive autodialed or artificial-voice marketing messages is not a condition of any purchase or use of the Services. Reply HELP for help and STOP to opt out of marketing texts. Message and data rates may apply. We do not sell mobile phone numbers or SMS opt-in data to third parties.
11. Retention
We retain personal information for as long as necessary to provide the Services and to comply with our legal, contractual, audit, accounting, and dispute-resolution obligations, and limited to the minimum period reasonably necessary for those purposes consistent with applicable legal, regulatory, and operational requirements. Retention periods are determined based on the nature and sensitivity of the information, applicable legal and regulatory requirements (including FCRA and the Federal Trade Commission Disposal Rule), contractual obligations, the risk of dispute or litigation, and the operational necessity of the data. The categories below describe policy-based retention ranges and may be adjusted from time to time within the bounds of Applicable Law:
- Subscriber account information: for the duration of the account and a reasonable period thereafter for audit, dispute-resolution, and recordkeeping purposes.
- Applicant data — submitted application, denied or withdrawn: retained for the period required for FCRA recordkeeping, adverse-action audit trail, and any active dispute period, then archived in restricted-access form for the minimum period necessary, then securely deleted or de-identified per the Disposal Rule.
- Applicant data — converted to Resident: retained for the duration of the executed tenancy plus a reasonable post-tenancy period for FCRA, lease-administration, dispute, and tax recordkeeping; then archived in restricted-access form; then securely deleted or de-identified.
- Resident data (active and post-tenancy): retained for the duration of the tenancy and for a reasonable post-tenancy period for collections, security-deposit accounting, dispute resolution, and statutory recordkeeping; then securely deleted or de-identified.
- Consumer Reports furnished by CRAs: retained in accordance with FCRA, the Federal Trade Commission Disposal Rule (16 C.F.R. Part 682), Lotly’s reseller agreements with the originating CRAs, and Subscriber retention instructions, with secure disposal at the end of the retention period. Consumer Reports are kept logically segregated from internal operational metadata.
- Internal operational metadata (audit logs, access logs, billing records, security telemetry, support transcripts): retained for a rolling period sufficient to support security monitoring, fraud detection, billing, and audit, then aggregated, de-identified, or deleted.
- Reference Communications: retained for so long as necessary to provide the Services, support audit and dispute response, and comply with Applicable Law, after which they are securely deleted or de-identified.
- Consumer disputes and dispute responses: retained for the period required by FCRA § 1681i and analogous state law.
- Financial records: for the period required by federal and state tax law (typically seven years).
- Marketing-list records: until you unsubscribe, plus a reasonable period to honor your opt-out.
- Litigation-hold records: for the duration of the hold.
When information is no longer needed, we securely delete or de-identify it consistent with the Disposal Rule and Applicable Law. Specific retention durations are determined by Lotly’s internal retention schedules, which are maintained separately from this Policy and updated from time to time within the bounds of Applicable Law.
12. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. Safeguards include, where appropriate, encryption in transit and at rest, access controls, role-based permissions, network segmentation, logging and monitoring, vendor security review, employee training, and breach-response planning. Our safeguards are designed to meet or exceed industry-standard security practices appropriate to the nature, scope, and sensitivity of the information processed. While we implement robust safeguards, no system can guarantee absolute security against unauthorized access, intrusion, or security breach. The contractual warranty disclaimers applicable to the Services are set forth in the Terms of Service and (for Subscribers) the Master Subscriber Agreement.
Security incident response. In the event of a Security Incident involving personal information, Lotly will investigate the incident, take appropriate remediation steps, and provide notifications to affected individuals, Subscribers, and regulators in accordance with Applicable Law, including without limitation the federal Gramm-Leach-Bliley Safeguards Rule (where applicable), state data-breach-notification statutes (including Cal. Civ. Code §§ 1798.82 et seq., N.Y. Gen. Bus. Law § 899-aa, Mass. Gen. Laws ch. 93H, and analogous laws in every U.S. state and territory), and any contractual notification obligations to CRAs or Subscribers. Notification timing, content, and method will follow the most stringent statutory requirement applicable to the affected residents.
13. International Users
The Services are operated from and intended for users located in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Services, you consent to the transfer and processing of your information in the United States, where data-protection laws may differ from those of your country.
14. Children’s Privacy
The Services are not directed to children under thirteen (13). We do not knowingly collect personal information from children under thirteen. If we learn that we have collected such information, we will delete it. Parents or guardians who believe a child has provided us with personal information may contact privacy@lotly.ai.
15. California Privacy Rights (CCPA / CPRA)
15.1 Categories Collected
In the preceding 12 months, we have collected the following categories of personal information defined by Cal. Civ. Code § 1798.140: identifiers (name, email, IP); customer records (Cal. Civ. Code § 1798.80); commercial information; internet activity; geolocation data (general); professional or employment-related information; financial information; sensitive personal information (Social Security number, account credentials, government-issued identification, precise geolocation in limited cases, and contents of communications); and inferences drawn from the foregoing for limited internal analytics. Where racial or ethnic origin appears incidentally on a government-issued identification document submitted to the Services for identity-verification purposes, that information is collected only as an unavoidable byproduct of the document submission and is not extracted, indexed, used to infer characteristics, used for profiling or decisioning, or otherwise processed for any independent purpose. Sources, purposes, and recipients are described in Sections 2-4.
15.2 Your Rights
If you are a California resident, you have the right to:
- Know what personal information we have collected about you, the sources, the purposes, and the categories of recipients;
- Access / portability: receive a copy of personal information in a portable format;
- Delete personal information, subject to legal exceptions (FCRA recordkeeping, fraud-prevention, ongoing transactions, audit, security);
- Correct inaccurate personal information;
- Opt out of sale or sharing: we do not sell personal information as “sale” is defined under applicable U.S. state privacy laws; if our practices change so that we “share” personal information for cross-context behavioral advertising, you may opt out via the “Do Not Sell or Share My Personal Information” mechanism described below;
- Limit use of Sensitive Personal Information to the purposes for which it was collected;
- Non-discrimination: we will not discriminate against you for exercising your rights.
15.3 How to Exercise
Submit a request by emailing privacy@lotly.ai, by writing to Lotly Software LLC, Attn: Privacy, 5754 Lonetree Blvd, STE C7, Rocklin, CA 95765, or via the request portal linked from lotly.ai/contact. We will verify your identity using account credentials and (where necessary) supplemental information. Authorized agents may submit requests with proof of authorization.
15.4 Do Not Sell or Share My Personal Information
We do not sell personal information as “sale” is defined under California Civil Code § 1798.140(ad) or analogous state privacy laws. If our practices change, we will provide a clear “Do Not Sell or Share My Personal Information” link on lotly.ai. We honor Global Privacy Control (GPC) signals as opt-out requests where required by law.
15.5 Notice at Collection
This Policy serves as our Notice at Collection under CCPA/CPRA. We collect the categories of information identified in Sections 2 and 15.1 for the purposes identified in Sections 3 and 15.1. Information is retained as described in Section 11.
16. Other State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (Mont. Consumer Data Privacy Act), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), Maryland (Maryland Online Data Privacy Act), Minnesota (Minn. Consumer Data Privacy Act), Rhode Island (Data Transparency and Privacy Protection Act), Kentucky (KY Consumer Data Protection Act), Nebraska (Nebraska Data Privacy Act), New Hampshire (SB 255 / RSA ch. 507-H), and other states with comparable laws have rights similar to those described above, including the right to access, delete, correct, port, and opt out of targeted advertising or sale. To exercise these rights, follow the procedure in Section 15.3. We will respond within the time required by Applicable Law (typically 45-60 days, with possible extensions). You may appeal a denial of your request by emailing privacy@lotly.ai with the subject line “Privacy Appeal.”
Florida. The Florida Digital Bill of Rights, Fla. Stat. § 501.701 et seq., currently applies primarily to large entities meeting specific revenue thresholds; Lotly does not currently meet those thresholds, but if it does in the future, Florida residents will have the rights described therein and we will update this Policy accordingly.
Washington — My Health My Data Act. Lotly does not knowingly collect or process “consumer health data” within the meaning of the Washington My Health My Data Act, RCW ch. 19.373. Subscribers must not upload, transmit, or process consumer health data through the Services without first executing a written agreement with Lotly that addresses MHMD requirements.
Not a registered data broker. Lotly operates as a direct-relationship platform for Subscribers, Applicants, and Residents and does not buy and resell consumer personal information to unrelated third parties. Lotly is not a registered data broker under California Civil Code § 1798.99.80 et seq. (the “Delete Act”), the Vermont data-broker registry (9 V.S.A. ch. 62), the Texas data-broker statute (Tex. Bus. & Com. Code ch. 509), the Oregon data-broker registry (ORS § 646A.500 et seq.), or analogous data-broker registries in other states. If our practices change in a manner that triggers data-broker registration in any jurisdiction, we will register and update this Policy accordingly.
Residents of Massachusetts are protected by Lotly’s written information security program in accordance with 201 CMR 17.00 and our compliance with M.G.L. c. 93H.
Residents of Illinois are protected with respect to biometric information by the Biometric Information Privacy Act, 740 ILCS 14/1 et seq.; Lotly does not collect or use biometric identifiers or biometric information except as expressly disclosed in this Policy and authorized by you.
Residents of New York are protected by the SHIELD Act and related New York data security and breach-notification laws, with which Lotly complies.
17. California “Shine the Light”
California Civil Code § 1798.83 (the “Shine the Light” law) permits California residents to request information regarding the disclosure of personal information to third parties for those third parties’ own direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes within the meaning of § 1798.83. To make a Shine the Light request, contact privacy@lotly.ai.
18. Do Not Track
Most browsers offer a “Do Not Track” (DNT) signal. Industry standards for DNT have not been finalized, and we do not currently respond to DNT signals. We honor Global Privacy Control (GPC) signals as opt-outs where required by Applicable Law, as described in Section 15.4.
19. Changes to This Policy
We may modify this Policy from time to time. The “Last Updated” date at the top reflects the most recent change. For material changes, we will provide reasonable advance notice (such as by email, in-product notice, or notice on the Services). Your continued use of the Services after the effective date constitutes your acceptance.
20. Contact
Lotly Software LLC
Attn: Privacy
5754 Lonetree Blvd, STE C7
Rocklin, CA 95765
Email: privacy@lotly.ai · General: Contact@Lotly.ai · Phone: (916) 824-5000
About this document. This Policy supersedes all prior versions. If a Subscriber, Resident, Applicant, or visitor previously accepted an earlier version, continued use of the Services after the “Last Updated” date constitutes acceptance of this version.