Last updated:
Plain-language summary. We collect what we need to run the platform — operator account info, the bookings made through your store, and standard logs. We never sell personal data. Your customers' bookings belong to you, not us; we hold them as a processor on your behalf. Anyone can ask us what we hold about them and we'll tell them within 30 days.
Note. This page is a working draft pending review by external counsel before launch. Please email legal@lock-me.com if anything here needs clarification in the meantime.
1. Who we are
The "data controller" for the LockMe website (lock-me.com) and the LockMe operator platform is:
LockMe S.L. (the "Company", "we", "us"), registered in Spain. Address and registry details are listed in our footer and on request from legal@lock-me.com.
For data your store collects from your luggage-storage customers (names, booking details, payment metadata), you are the controller and LockMe is the processor. The legal terms governing that relationship are in our Data Processing Addendum.
2. What we collect, and why
When you sign up as an operator
- Your name, email, phone number, company name, and (where required for billing) VAT number and billing address.
- Your password (stored as a salted hash; we cannot recover it).
- The store(s) you operate, their addresses and opening hours.
We use this information to create and operate your account, send you product updates, and bill you under your subscription.
When you use the platform
- Bookings made by your customers through the LockMe storefront, embedded widgets or third-party channels.
- Operator activity logs (which actions your team took inside the dashboard).
- Performance and error telemetry — anonymous where possible, with operator-account context where required to debug.
When you visit lock-me.com
- Standard server logs (IP address, user agent, requested URL, timestamp).
- Cookies as listed in our Cookie policy. Non-essential cookies require consent and the cookie banner records that consent.
- If you submit a contact form or sign up for a newsletter, the data you provide on that form.
3. Lawful bases under GDPR
We process the data above on the following lawful bases:
- Contract. When the processing is necessary to deliver the LockMe service to you.
- Legitimate interests. Product analytics (with privacy-respecting tooling), fraud and abuse prevention, and direct marketing to existing operators about closely related features.
- Consent. Marketing communications to people who are not yet customers, and any non-essential cookies/pixels.
- Legal obligation. Tax records, invoices, anti-money-laundering checks where required.
You can withdraw consent at any time without affecting the lawfulness of prior processing.
4. Where it's stored
LockMe is built on Google Cloud Platform. Your data is stored in the European Union (currently europe-west4, Netherlands) by default, with backups in a second EU region. Limited subprocessors (listed in the DPA) may receive specific categories of data under EU-approved transfer mechanisms.
5. How long we keep it
- Active operator data: for as long as you have an account, plus up to 90 days after closure for backup retention.
- Bookings and customer data on your behalf: retention is configurable in your operator settings; the default is 24 months.
- Invoices and accounting records: retained for the period required by Spanish tax law (currently 6 years).
- Marketing contacts: until you unsubscribe or after two years of inactivity, whichever comes first.
6. Your rights
If you live in the EEA, the UK, Switzerland, California, or any of an increasing number of jurisdictions with comprehensive privacy law, you have the right to:
- Know what we hold about you.
- Get a copy in a portable format.
- Correct inaccurate data.
- Delete data we no longer have a lawful basis to keep.
- Object to certain kinds of processing (notably direct marketing).
- Restrict processing while we investigate a request.
- Withdraw consent where consent is the lawful basis.
To exercise any of these, email privacy@lock-me.com. We respond within 30 days. If you're a customer of one of our operators, please direct your request to that operator first; they're the controller of that data.
You also have the right to lodge a complaint with a supervisory authority — for Spain, that's the AEPD. We'd appreciate the chance to fix things first.
7. Sharing with third parties
We share personal data only with:
- Subprocessors strictly necessary to deliver the service (hosting, payments, transactional email, SMS, error monitoring) — see the DPA for the live list.
- Payment providers that handle their own data as independent controllers, subject to PCI-DSS.
- Authorities, when a valid legal request compels disclosure. We push back on overbroad requests and notify affected operators where lawful.
We do not sell personal data. We do not use customer data for ad targeting on third-party platforms.
8. Children
LockMe is a B2B platform. We don't knowingly collect data from anyone under 16. If you believe a child has submitted data, contact us at privacy@lock-me.com and we'll delete it.
9. Changes to this policy
If we make material changes, we'll email account owners and update the "Last updated" date at the top of this page at least 30 days before the change takes effect.
10. Contact
privacy@lock-me.com for any privacy-related question. legal@lock-me.com for everything else.
Questions about this document? Email legal@lock-me.com. This page is provided for transparency; it does not replace bespoke legal advice for your operation.
