Privacy Policy

This Privacy Policy explains how Locket Security LLC(“Locket,” “we,” “us,” or “our”) collects, uses, shares, and protects information about you when you visit locketsecurity.com (the “Site”), book a consultation, subscribe to our newsletter, fill out a form, or purchase any of our services (collectively, the “Services”).

By using the Site or Services, you agree to the practices described here. This Policy is incorporated by reference into our Terms of Service. If you do not agree, please do not use the Site or Services.

Locket Security LLC is a Delaware limited liability company with its principal place of business in New York. We provide personal brand protection and digital-presence security services to creators, influencers, and small businesses.

We are the “data controller” (under EU/UK terminology) or “business” (under California terminology) responsible for the personal information processed through the Site and Services.

We collect personal information in three ways:

a. Information you give us.

• Contact & consultation forms:your name, email address, the Service you’re interested in, and any notes you include.
• Newsletter signup: your email address.
• Survey responses: answers you provide if you choose to participate in our research surveys.
• Bookings: the name, email, and any scheduling details you enter when you book a consultation through Calendly.
• Payment information: billing name and email, country, and the last four digits and brand of your payment card. Full card numbers are handled by Stripe and never stored by Locket.
• Service delivery information: the details you choose to share so we can perform your audit or monitoring — such as social handles, account emails, recovery emails, phone numbers, past breach history, screenshots, and (where you grant supervised access) temporary credentials, two-factor codes, or business-manager invitations.
• Direct communications: the contents of emails, messages, and other communications you send to us.

b. Information we collect automatically.

• Device & usage data: IP address, browser type, operating system, referring URLs, pages viewed, time on page, and approximate location derived from IP.
• Cookies and similar technologies: see Section 8.

c. Information from third parties.

• Payment processor: Stripe sends us limited information about your transaction (status, amount, last four digits) so we can fulfill your order.
• Breach and dark-web data providers: as part of our monitoring services, we query third-party data providers using identifiers you provide (such as email addresses or usernames) and receive back information about whether those identifiers appear in known breaches, dark-web marketplaces, or impersonation campaigns.
• Public sources: publicly available information about your accounts and online presence that we review as part of your audit (for example, what your public profile reveals).

We do not knowingly collect Social Security numbers, government IDs, financial-account numbers, biometric identifiers, or precise geolocation, and we ask that you do not send them to us unless we specifically request them.

We use the information we collect to:

• Provide, operate, and improve the Site and Services — including performing audits, dark-web and breach monitoring, impersonation detection, and reporting;
• Process payments, manage subscriptions, send receipts, and prevent fraud;
• Communicate with you about your account, bookings, support requests, and service updates;
• Send marketing communications, newsletters, and product updates if you have opted in (you can opt out at any time — see Section 10);
• Personalize the Site and tailor our recommendations to your situation;
• Maintain the security of the Site, detect abuse, and enforce our Terms;
• Comply with legal obligations, respond to lawful requests, and establish or defend legal claims;
• Review aggregated server logs to understand how the Site is used and improve our offerings (we do not currently run analytics or behavioral tracking — see Section 8).

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

• Contract: to provide the Services you have requested and to process payments.
• Legitimate interests: to operate and improve our business, to maintain Site security, and to communicate with you about Services you have purchased — provided those interests are not overridden by your rights.
• Consent: for marketing emails, optional cookies, and any sensitive data you choose to share. You can withdraw consent at any time.
• Legal obligation: to comply with applicable laws, tax obligations, and lawful requests.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as described below:

a. Service providers.

We use trusted third-party vendors to operate the Site and Services under contracts that limit their use of your data to the purposes we authorize. These include:

• Stripe — payment processing and billing;
• Resend — transactional email delivery (such as consultation requests);
• Formspree — newsletter signup form submission;
• Calendly — consultation scheduling;
• Typeform — research surveys, where applicable;
• Hosting & infrastructure providers (for example, Vercel) — to host the Site and store operational data;
• Breach and dark-web data providers — to perform monitoring on the identifiers you authorize us to monitor;
• Communications tools — such as Slack or shared inboxes used to deliver priority support on Protected Princess.

b. Legal and safety.

We may disclose information when we believe in good faith that disclosure is necessary to comply with a law, regulation, subpoena, court order, or other legal process; to protect the rights, property, or safety of Locket, our users, or others; to investigate fraud, security, or technical issues; or to enforce our Terms.

c. Business transfers.

If Locket is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (for example, by email and/or by a notice on the Site) of any change in ownership or material change in how your information is handled.

d. With your consent.

We will share information for any other purpose with your direction or consent — for example, if you ask us to coordinate with your manager, agency, or lawyer.

We keep personal information only as long as we need it for the purposes described in this Policy, including to deliver the Services, comply with legal obligations (such as tax and accounting), resolve disputes, and enforce our agreements. Typical retention windows:

• Account & billing records: for the life of your relationship with Locket plus up to seven (7) years after, to satisfy tax and accounting requirements.
• Audit deliverables and monitoring data: for the duration of your subscription plus up to twelve (12) months after cancellation, then deleted or anonymized.
• Temporary credentials you share for service delivery: destroyed promptly after the work is complete and in no event held longer than reasonably necessary.
• Marketing list (newsletter): until you unsubscribe.
• Server logs: typically retained for up to 24 months. We do not currently run analytics or behavioral tracking.

When information is no longer needed, we delete it or de-identify it so it can no longer be associated with you.

Locket does not currently use cookies or similar technologies for analytics, advertising, or behavioral tracking. We do not run Google Analytics, pixels, or any cross-site tracking on the Site.

When you use third-party features embedded on the Site — for example, Stripe Checkout for payments, Calendly for booking consultations, Typeform for surveys, or Formspree for the newsletter signup — those providers may set their own cookies under their own privacy policies while you interact with their tools. We do not control those cookies.

You can control cookies through your browser settings, and most browsers let you block or delete them. Disabling cookies set by payment or scheduling tools may prevent those features from working (for example, you may not be able to check out).

If we add analytics or tracking technologies in the future, we will update this section and, where required by law, ask for your consent before doing so.

We take reasonable administrative, technical, and physical safeguards designed to protect your information against loss, theft, misuse, and unauthorized access — including TLS encryption in transit, vetted third-party processors, access controls based on least privilege, two-factor authentication on internal accounts, and prompt deletion of credentials we no longer need.

No system is perfectly secure. Cybersecurity is an ongoing practice, and while we work hard to protect your information, we cannot guarantee its absolute security. Please use a strong, unique password and enable two-factor authentication wherever it’s available.

You can:

• Unsubscribe from marketing emails by clicking the unsubscribe link in any marketing message, or by emailing hello@locketsecurity.com. We will still send you transactional messages (receipts, security alerts, account notices).
• Access, correct, delete, or export the personal information we hold about you. To make a request, email hello@locketsecurity.com with the subject line “Privacy Request.”
• Withdraw consent at any time for processing that we base on consent. Withdrawal does not affect processing already performed.
• Object or restrict processing where we rely on legitimate interests.
• Lodge a complaint with your local data-protection authority if you believe our processing violates the law.

We will verify your identity before fulfilling a request and will respond within the timeframe required by applicable law (generally 30–45 days). We do not discriminate against you for exercising your rights.

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

• The right to know what personal information we collect, use, disclose, and (if applicable) sell or share;
• The right to delete personal information we have collected;
• The right to correct inaccurate personal information;
• The right to opt outof the “sale” or “sharing” of personal information for cross-context behavioral advertising — we do not sell or share personal information in this sense;
• The right to limit the use of sensitive personal information — we do not use sensitive information for purposes outside what is described here;
• The right to non-discrimination for exercising these rights.

Submit a request by emailing hello@locketsecurity.com with the subject line “California Privacy Request.” You may designate an authorized agent to act on your behalf.

Locket is based in the United States, and the service providers we use may process information in the U.S. and other countries. If you access the Site from outside the U.S., your information will be transferred to, stored, and processed in the U.S., where data protection laws may differ from those in your country.

When we transfer personal information out of the EEA or UK, we rely on appropriate safeguards — such as Standard Contractual Clauses — to protect that information.

The Site and Services are intended for adults. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact us at hello@locketsecurity.com and we will delete it.

The Site may link to third-party websites, social media platforms, or tools (for example, Instagram, TikTok, YouTube, X, Pinterest, news publications). Those services have their own privacy practices, and we are not responsible for their content or how they handle your information. Please review their policies before sharing personal information.

We do not make solely automated decisions that produce legal or similarly significant effects about you. A human reviews every audit, report, and recommendation we deliver.

Some browsers transmit a “Do Not Track” signal. Because there is no industry-wide standard for honoring those signals, we do not currently respond to them. We do, however, honor opt-out requests submitted through this Policy and applicable Global Privacy Control (GPC) signals where required by law.

We may update this Privacy Policy from time to time. If we make a material change, we will update the “Last updated” date at the top, post a notice on the Site, and — where required by law — notify you by email at least 14 days before the change takes effect. Your continued use of the Site or Services after the change takes effect constitutes acceptance of the updated Policy.

If you have questions about this Privacy Policy or how we handle your information, please contact us:

• Locket Security LLC
• Privacy inquiries: hello@locketsecurity.com
• Instagram: @locketsecurity