Privacy Policy – LaHaus (U.S.) & Notice at Collection

Effective Date: September 1, 2025
Last Updated: October 23, 2025

This Privacy Policy describes how LaHaus Tech INC and its affiliates ("LaHaus," "we," "our," or "us") collect, use, and disclose personal data in connection with our websites, applications, and software-as-a-service products, including LaHaus AI (the "Services"). This U.S.-focused Notice does not apply to processing subject to the laws of other countries. If you interact with us from another jurisdiction, please see the applicable regional notice.

1. Who We Are & Scope

This Policy applies when LaHaus provides the Services to (a) our own prospects and customers; and (b) enterprise customers and licensees ("Licensees") who enable LaHaus AI for their organizations and submit, connect, or sync their contacts or other data.

2. Roles: Controller vs. Processor/Service Provider

• Controller Mode (Direct). When LaHaus collects personal data directly from individuals (e.g., our sites, sign-ups, trials/demos, and our own marketing), LaHaus acts as the "controller."
• Processor/Service Provider Mode (Licensees). When Licensees upload, connect, or instruct us to process personal data in LaHaus AI, LaHaus acts as their "processor," "service provider," or "contractor," and processes such data only under their instructions and our Data Processing Addendum (DPA). Licensees (not LaHaus) are solely responsible for providing required privacy notices and obtaining all legally required consents/permissions (including for SMS/calls and email) before submitting personal data to the Services.
• Independent vs. On‑Behalf Communications. When we contact individuals on behalf of a Licensee (e.g., messages a Licensee requests), we act as the Licensee's processor. When we contact individuals for LaHaus's own marketing, we act as an independent controller separate from the Licensee.
• No Joint Controllership. Unless expressly agreed in writing, LaHaus and Licensees are not joint controllers. Each party is independently responsible for its controller obligations.

3. Personal Data We Collect

• Identity & Contact Data: name, email, telephone numbers (mobile/landline), messaging app identifiers (if connected), company, role, time zone, and contact preferences.
• Account & Commercial Data: account credentials (hashed), subscription/tier, transactions, trial/demo interactions.
• Lead & Consent Metadata: source URL/form, consent language and timestamp, IP, user agent, opt‑in/opt‑out status, suppression list entries.
• Usage & Device Data: log files, telemetry, IP address, approximate location, browser/device information, pages viewed, and in‑product events.
• Customer/Licensee Content (Processor Context): files, records, and contact lists that a Licensee submits or connects to LaHaus AI. In that context, the Licensee is the controller and LaHaus processes only under its instructions.
• Inferences & Scores: segments and profiles to prioritize outreach, route leads, or improve the Services.
• Prohibited Categories: Licensees must not submit children's data, protected health information (PHI), credit card numbers, government IDs (beyond what is strictly necessary for verification), precise geolocation, or other sensitive data unless expressly permitted in writing.

4. Sources of Personal Data

We collect personal data directly from you (forms, chat, email, phone), automatically from your device/browser, from Licensees and their providers (CRMs, marketing tools, list partners), and from service providers that host or deliver parts of the Services. We may receive lead metadata (e.g., timestamped consent records) to help verify and document consent.

5. How We Use Personal Data (Purposes)

• Provide & Operate the Services, including LaHaus AI; secure, troubleshoot, and support.
• Communications & Outreach: to contact you by SMS/text, phone (including autodialed/prerecorded where permitted), email, and in‑app messages about our Services, trials, demos, and related offers; to schedule calls during permitted hours; to record and respect preferences and opt‑outs; and to maintain internal do‑not‑contact lists.
• On‑Behalf Messaging: to send communications that Licensees instruct us to send to their contacts.
• Research & Development: to analyze usage and improve features and scoring. We may use de‑identified or aggregated telemetry to improve LaHaus AI. We do not use Licensee content to train third‑party foundation models unless expressly authorized.
• Safety, Security & Compliance: to detect/prevent fraud or abuse, ensure integrity of messaging programs, comply with law, and enforce terms.
• No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.

LaHaus Alerts Program

• Program Name: LaHaus Alerts
• Description: Informational and marketing SMS/MMS about product updates, account/support notices, onboarding tips, feature announcements, events/webinars, and service notifications you request.
• Opt-In & Consent: By providing your mobile number and submitting a form on our site, texting a keyword to our number, or consenting via recorded voice or paper form, you agree to receive SMS/MMS from LaHaus at the number you provided. Consent is not a condition of purchase.
• Message Frequency: Message frequency varies. Message & data rates may apply.
• Opt-Out & Help: Reply STOP to cancel. After you send STOP, we will send a one-time confirmation message and no further messages will be sent unless you opt in again. Reply HELP for help or contact servicioalcliente@lahaus.com.
• Rejoin: To rejoin after opting out, submit a new form on our site or otherwise opt in again.
• Carrier Liability: Carriers are not liable for delayed or undelivered messages.
• Supported Carriers: Delivery may be limited by carrier participation and network conditions.
• Privacy: See "Mobile Privacy" above; mobile opt-in data/consent is not shared except with messaging aggregators/providers as required to deliver the service.

We collect only the personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes described in this Policy.

6. Disclosures of Personal Data

• We disclose personal data to: (i) service providers/contractors (hosting, support, analytics, billing, fraud/security); (ii) messaging/communications providers (SMS aggregators, voice platforms, email delivery) to send messages, manage STOP/HELP, and maintain suppression lists; (iii) Licensees (in processor context); (iv) affiliates and professional advisors; (v) acquirers or successors in interest; and (vi) authorities where required by law.
• "Sale"/ "Share": We do not sell personal data. We do not share personal data for targeted advertising where you have opted out or where prohibited. Where required, we provide a "Do Not Sell or Share My Personal Information" link.
• We maintain a list of core service providers/sub-processors (e.g., hosting, analytics, messaging aggregators). Enterprise customers may request the current list or subscribe to email notifications of material changes. We will provide advance notice of material vendor additions or replacements where contractually required.

7. Messaging & Telemarketing Disclosures (U.S.)

By providing a telephone number, you consent to receive calls and texts from LaHaus (or our providers) about our Services. Consent is not a condition of purchase. Message & data rates may apply. Message frequency varies. Reply STOP to opt out and HELP for help. We contact only during permitted hours (generally 8:00 a.m.–9:00 p.m. local time) and maintain internal do‑not‑call lists. Where required, we will obtain prior express written consent for autodialed/prerecorded marketing calls/texts. If you receive messages on behalf of a Licensee, that Licensee is responsible for obtaining the required consent; we act as its processor/service provider. For help at any time, reply HELP or contact servicioalcliente@lahaus.com. Messaging programs are intended for individuals 18 years of age or older; you must be 18+ to enroll. We honor applicable federal and state quiet-hour requirements and any more restrictive local telemarketing rules based on area code and/or location. Content Standards. We prohibit messages containing illegal content or content related to sex, hate, alcohol (where restricted), firearms, or tobacco. We do not use public link shorteners in program messages; where links are included, we use branded or dedicated short domains.

• We maintain verifiable consent records, including the exact opt-in language presented, source URL, timestamp, affirmative action (e.g., checkbox, form submit, keyword), user agent/IP, and any voice or paper artifacts (file ID or recording reference). Unless a longer period is required by law or for dispute resolution, we retain consent evidence for at least four (4) years.
• LaHaus Alerts / LaHaus AI. Recurring messages; frequency varies. Msg&Data rates may apply. Reply STOP to opt out, HELP for help, or email servicioalcliente@lahaus.com. Consent not a condition of purchase. 18+ only. We may send account, informational, and marketing texts where permitted. We honor federal and state quiet hours and maintain internal do-not-call and opt-out lists across our systems.

8. Cookies, Targeted Ads & Universal Opt‑Out Signals

We use cookies and similar technologies for essential functions, analytics, and (where permitted) advertising. You can manage cookies via our Cookie Preferences tool and browser settings. We honor required universal opt‑out mechanisms (e.g., Global Privacy Control) and other applicable signals in states that mandate them. You may opt out of "sharing"/targeted advertising as provided below.

9. U.S. State Privacy Rights

Depending on your state of residence, you may have the right to: confirm processing; access; delete; correct; portability; opt out of sale, sharing/targeted advertising, and certain profiling; and appeal a denial. We will verify requests as required by law. Authorized agents must provide written authorization (and we may require identity verification). We do not discriminate for exercising rights. We respond within applicable timelines and provide an appeals process.

If we deny your request, you may appeal by emailing legalteam@lahaus.com with "Privacy Appeal" in the subject line and a brief explanation. We will respond within the timeline required by your state (typically 45 days). If you remain unsatisfied, our response will explain how to contact your state attorney general or relevant authority.

10. Profiling & Automated Decision‑Making

We may use data (e.g., interaction history, attributes provided by you or Licensees) to score or profile leads and prioritize outreach. You may opt out of profiling used for targeted advertising where applicable. Upon request, we will provide information about the logic involved and a description of the likely outcomes where required by law. We do not make decisions that produce legal or similarly significant effects without appropriate notice and, where required, consent.

We use AI to support functions such as content generation, classification, summarization, quality/safety review, and lead-scoring recommendations. We do not use Licensee content to train third-party foundation models without the Licensee's express authorization. We require our AI vendors to act solely as service providers/contractors and to process personal data only to deliver services to us. Where applicable law provides, you may request human review and more information about the logic involved in automated outputs that could significantly affect you.

11. De‑Identified & Aggregated Data

We may create and use de‑identified or aggregated data for analytics, safety, and product improvement. We take reasonable steps to ensure de‑identified data cannot be associated with a person or device, and we do not attempt to re‑identify it, except to test and maintain de‑identification.

12. Security

We implement administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit and at rest (where applicable), role‑based access, least‑privilege controls, logging/monitoring of authentication and messaging events, vendor diligence, and incident response. No method of transmission or storage is 100% secure.

We maintain administrative, technical, and physical safeguards designed to protect personal data. Where a security incident rises to the level of a data breach requiring notification, we will notify affected individuals and/or regulators as required by applicable law and our contractual commitments.

13. Retention

We retain personal data as needed for the purposes above. Consent and messaging logs (opt‑ins, STOP requests, timestamps, source, and language) are retained for up to four (4) years or longer if needed to satisfy applicable limitation periods. Do‑not‑contact lists are retained indefinitely to honor opt‑outs. We delete or de‑identify data when no longer needed, subject to legal requirements and backup retention.

14. International Transfers

Where transfers are restricted, we use appropriate mechanisms (e.g., Standard Contractual Clauses and UK IDTA) and risk‑based safeguards (encryption, access controls).

Where required, we conduct and document transfer impact assessments and implement supplementary measures to ensure an essentially equivalent level of protection for personal data transferred internationally.

15. Children

The Services are not directed to children under 18 and we do not knowingly collect personal data from them.

16. Contact Us

Email: legalteam@lahaus.com

Please include your name, state of residence, and the right you wish to exercise.

17. Changes to this Policy

We will update this Policy as needed. For material changes, we will provide notice consistent with applicable law.

18. Notice at Collection (U.S.)

• Categories: identifiers (name, email, phone), commercial information, internet/activity data, inferences, and lead/consent metadata.
• Purposes: see Section 5 (including Communications & Outreach).
• Third Parties: service providers/contractors (including messaging providers), Licensees (processor context), and advisors/authorities as required.
• Sale/Sharing: we do not sell personal data. We do not share personal data for targeted advertising where you have opted out or where prohibited. You can opt out via the choices above and by using universal opt‑out mechanisms where applicable.
• Enterprise Customer & Licensee Responsibilities (LaHaus AI): If you are a Licensee: (i) you have provided all legally required notices and obtained all required consents/permissions (including TCPA/TSR consent for calls/texts and CAN‑SPAM compliance for emails) before submitting contact data; (ii) you will not submit sensitive data unless permitted in writing; (iii) you will honor and promptly pass to LaHaus any opt‑out or do‑not‑contact request; (iv) you will maintain up‑to‑date suppression lists; (v) you will inform LaHaus of your permitted sending hours and geographic constraints; and (vi) you will not direct processing that would violate applicable law. LaHaus processes your contact data solely under your instructions as your processor/service provider pursuant to our DPA.

U.S. Messaging Program Terms (Summary)

• Program: LaHaus AI communications.
• Frequency: varies. Message & data rates may apply. Opt‑Out/Help: reply STOP to opt out; HELP for help.
• Quiet Hours: we contact only during permitted hours (generally 8:00 a.m.–9:00 p.m. local time). We apply federal and state quiet-hour restrictions to calls and texts (including more restrictive state or local rules) based on area code and/or detected location, and we maintain internal do-not-call suppression lists.
• Consent: where required, we obtain prior express written consent for autodialed/prerecorded marketing calls/texts. Consent is not a condition of purchase.