Privacy Policy - LaHaus (U.S.) & Notice at Collection

1) Who We Are & Scope

This Policy applies when LaHaus provides the Services to (a) our own prospects and customers; and (b) enterprise customers and licensees ("Licensees") who enable LaHaus AI for their organizations and submit, connect, or sync their contacts or other data.

2) Roles: Controller vs. Processor/Service Provider

• 2.1 Controller Mode (Direct). When LaHaus collects personal data directly from individuals (e.g., our sites, sign-ups, trials/demos, and our own marketing), LaHaus acts as the "controller."
• 2.2 Processor/Service Provider Mode (Licensees). When Licensees upload, connect, or instruct us to process personal data in LaHaus AI, LaHaus acts as their "processor," "service provider," or "contractor," and processes such data only under their instructions and our Data Processing Addendum (DPA). Licensees (not LaHaus) are solely responsible for providing required privacy notices and obtaining all legally required consents/permissions (including for SMS/calls and email) before submitting personal data to the Services.
• 2.3 Independent vs. On-Behalf Communications. When we contact individuals on behalf of a Licensee (e.g., messages a Licensee requests), we act as the Licensee's processor. When we contact individuals for LaHaus's own marketing, we act as an independent controller separate from the Licensee.
• 2.4 No Joint Controllership. Unless expressly agreed in writing, LaHaus and Licensees are not joint controllers. Each party is independently responsible for its controller obligations.

3) Personal Data We Collect

• Identity & Contact Data: name, email, telephone numbers (mobile/landline), messaging app identifiers (if connected), company, role, time zone, and contact preferences.
• Account & Commercial Data: account credentials (hashed), subscription/tier, transactions, trial/demo interactions.
• Lead & Consent Metadata: source URL/form, consent language and timestamp, IP, user agent, opt-in/opt-out status, suppression list entries.
• Usage & Device Data: log files, telemetry, IP address, approximate location, browser/device information, pages viewed, and in-product events.
• Customer/Licensee Content (Processor Context): files, records, and contact lists that a Licensee submits or connects to LaHaus AI. In that context, the Licensee is the controller and LaHaus processes only under its instructions.
• Inferences & Scores: segments and profiles to prioritize outreach, route leads, or improve the Services.

Prohibited Categories: Licensees must not submit children's data, protected health information (PHI), credit card numbers, government IDs (beyond what is strictly necessary for verification), precise geolocation, or other sensitive data unless expressly permitted in writing.

4) Sources of Personal Data

We collect personal data directly from you (forms, chat, email, phone), automatically from your device/browser, from Licensees and their providers (CRMs, marketing tools, list partners), and from service providers that host or deliver parts of the Services. We may receive lead metadata (e.g., timestamped consent records) to help verify and document consent.

5) How We Use Personal Data (Purposes)

• Provide & Operate the Services, including LaHaus AI; secure, troubleshoot, and support.
• Communications & Outreach: to contact you by SMS/text, phone (including autodialed/prerecorded where permitted), email, and in-app messages about our Services, trials, demos, and related offers; to schedule calls during permitted hours; to record and respect preferences and opt-outs; and to maintain internal do-not-contact lists.
• On-Behalf Messaging: to send communications that Licensees instruct us to send to their contacts.
• Research & Development: to analyze usage and improve features and scoring. We may use de-identified or aggregated telemetry to improve LaHaus AI. We do not use Licensee content to train third-party foundation models unless expressly authorized.
• Safety, Security & Compliance: to detect/prevent fraud or abuse, ensure integrity of messaging programs, comply with law, and enforce terms.

6) Disclosures of Personal Data

We disclose personal data to:

1. Service providers/contractors (hosting, support, analytics, billing, fraud/security)
2. Messaging/communications providers (SMS aggregators, voice platforms, email delivery) to send messages, manage STOP/HELP, and maintain suppression lists
3. Licensees (in processor context)
4. Affiliates and professional advisors
5. Acquirers or successors in interest
6. Authorities where required by law

"Sale"/"Share": We do not sell personal data. We do not share personal data for targeted advertising where you have opted out or where prohibited. Where required, we provide a "Do Not Sell or Share My Personal Information" link.

7) Messaging & Telemarketing Disclosures (U.S.)

By providing a telephone number, you consent to receive calls and texts from LaHaus (or our providers) about our Services. Consent is not a condition of purchase. Message & data rates may apply. Message frequency varies. Reply STOP to opt out and HELP for help. We contact only during permitted hours (generally 8:00 a.m.-9:00 p.m. local time) and maintain internal do-not-call lists. Where required, we will obtain prior express written consent for autodialed/prerecorded marketing calls/texts. If you receive messages on behalf of a Licensee, that Licensee is responsible for obtaining the required consent; we act as its processor/service provider.

• We maintain verifiable consent records, including the exact opt-in language presented, source URL, timestamp, affirmative action (e.g., checkbox, form submit, keyword), user agent/IP, and any voice or paper artifacts (file ID or recording reference). Unless a longer period is required by law or for dispute resolution, we retain consent evidence for at least four (4) years.
• LaHaus Alerts / LaHaus AI. Recurring messages; frequency varies. Msg&Data rates may apply. Reply STOP to opt out, HELP for help, or email servicioalcliente@lahaus.com. Consent not a condition of purchase. 18+ only. We may send account, informational, and marketing texts where permitted.

8) Cookies, Targeted Ads & Universal Opt-Out Signals

We use cookies and similar technologies for essential functions, analytics, and (where permitted) advertising. You can manage cookies via our Cookie Preferences tool and browser settings. We honor required universal opt-out mechanisms (e.g., Global Privacy Control) and other applicable signals in states that mandate them. You may opt out of "sharing"/targeted advertising as provided below.

9) U.S. State Privacy Rights

Depending on your state of residence, you may have the right to: confirm processing; access; delete; correct; portability; opt out of sale, sharing/targeted advertising, and certain profiling; and appeal a denial. We will verify requests as required by law. Authorized agents must provide written authorization (and we may require identity verification). We do not discriminate for exercising rights. We respond within applicable timelines and provide an appeals process.

If we deny your request, you may appeal by emailing legalteam@lahaus.com with "Privacy Appeal" in the subject line and a brief explanation. We will respond within the timeline required by your state (typically 45 days). If you remain unsatisfied, our response will explain how to contact your state attorney general or relevant authority.

10) Profiling & Automated Decision-Making

We may use data (e.g., interaction history, attributes provided by you or Licensees) to score or profile leads and prioritize outreach. You may opt out of profiling used for targeted advertising where applicable. Upon request, we will provide information about the logic involved and a description of the likely outcomes where required by law. We do not make decisions that produce legal or similarly significant effects without appropriate notice and, where required, consent.

11) De-Identified & Aggregated Data

We may create and use de-identified or aggregated data for analytics, safety, and product improvement. We take reasonable steps to ensure de-identified data cannot be associated with a person or device, and we do not attempt to re-identify it, except to test and maintain de-identification.

12) Security

We implement administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit and at rest (where applicable), role-based access, least-privilege controls, logging/monitoring of authentication and messaging events, vendor diligence, and incident response. No method of transmission or storage is 100% secure.

13) Retention

We retain personal data as needed for the purposes above. Consent and messaging logs (opt-ins, STOP requests, timestamps, source, and language) are retained for up to four (4) years or longer if needed to satisfy applicable limitation periods. Do-not-contact lists are retained indefinitely to honor opt-outs. We delete or de-identify data when no longer needed, subject to legal requirements and backup retention.

14) International Transfers

Where transfers are restricted, we use appropriate mechanisms (e.g., Standard Contractual Clauses and UK IDTA) and risk-based safeguards (encryption, access controls).

15) Children

The Services are not directed to children under 18 and we do not knowingly collect personal data from them.

16) Contact Us

Email: legalteam@lahaus.com

Please include your name, state of residence, and the right you wish to exercise.

17) Changes to this Policy

We will update this Policy as needed. For material changes, we will provide notice consistent with applicable law.

Notice at Collection (U.S.)

• Categories: identifiers (name, email, phone), commercial information, internet/activity data, inferences, and lead/consent metadata.
• Purposes: see Section 5 (including Communications & Outreach).
• Third Parties: service providers/contractors (including messaging providers), Licensees (processor context), and advisors/authorities as required.
• Sale/Sharing: we do not sell personal data. We do not share personal data for targeted advertising where you have opted out or where prohibited. You can opt out via the choices above and by using universal opt-out mechanisms where applicable.
• Retention: see Section 13.
• Your Rights & How to Exercise: see Section 9 (including appeals).

Enterprise Customer & Licensee Responsibilities (LaHaus AI)

If you are a Licensee:

1. You have provided all legally required notices and obtained all required consents/permissions (including TCPA/TSR consent for calls/texts and CAN-SPAM compliance for emails) before submitting contact data
2. You will not submit sensitive data unless permitted in writing
3. You will honor and promptly pass to LaHaus any opt-out or do-not-contact request
4. You will maintain up-to-date suppression lists
5. You will inform LaHaus of your permitted sending hours and geographic constraints
6. You will not direct processing that would violate applicable law

LaHaus processes your contact data solely under your instructions as your processor/service provider pursuant to our DPA.