Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Valletto LLC ("Valletto," "Company," "we," "our," or "us") collects, uses, stores, protects, and shares information when you access or interact with our technology platform. For purposes of this Policy, the term "Platform" includes:

• The primary domain valletto.io,
• Any valet-company subdomain such as {companySubdomain}.valletto.io,
• Digital check-in and SMS intake pages,
• Valet retrieval and status-update interfaces,
• Operational dashboards and employee tools, and
• Administrative and support systems used by participating valet companies.

This Policy applies to all guests, visitors, employees of valet companies, administrative users, and any individual who accesses or uses the Platform ("users," "you," or "your"). By using the Platform, you acknowledge and agree that your information will be handled in accordance with this Policy.

Valletto provides technological tools, workflow automation, SMS communications, and data processing functionality used by independent valet companies to manage their operations. These companies are responsible for delivering physical valet services, while Valletto provides the digital infrastructure that enables those services. This Policy explains how data flows between these roles, how it is stored, and how we safeguard your privacy.

If you do not agree with the terms of this Policy, you should discontinue use of the Platform. For additional legal terms governing your use of the Platform, please review the Terms of Service at: {companySubdomain}.valletto.io/terms

2. Children's Privacy

3. Roles & Responsibility Structure

Understanding the roles of Valletto and each valet company is essential in determining who is responsible for which parts of your data. Valletto provides the technological infrastructure that enables valet companies to manage their daily operations, communicate with guests, record vehicle handling events, and maintain accountability. The valet company you interact with — identified by its unique subdomain — is the party responsible for performing physical valet services, such as checking in your vehicle, parking it, moving it, storing keys, and retrieving it. Valletto, on the other hand, acts as the processor and custodian of the digital data required to support these services.

For purposes of applicable data protection laws, valet companies act as data controllers and Valletto acts as a data processor with respect to guest and operational data.

Valletto processes data strictly on documented instructions from valet companies and does not independently determine the purposes or means of processing guest data.

3.1 Valet Company Responsibilities

The valet company associated with the subdomain is responsible for:

• Performing all physical valet operations
• Employing and managing staff
• Conducting safety and damage inspections
• Handling customer service and support
• Complying with property access rules and local regulations
• Maintaining accuracy of their business information on the Platform

3.2 Valletto Responsibilities

Valletto functions as:

• Technology Provider
• Data Processor on behalf of each valet company
• SMS communications operator
• Operational workflow and data handler

Valletto does not touch vehicles, make valet decisions, or employ valet staff.

4. Subdomain & Multi-Company Structure

Each valet company on our platform is provided its own dedicated subdomain (e.g., {companySubdomain}.valletto.io) that uniquely identifies that business. All operational data captured through that subdomain belongs to and is processed on behalf of that specific valet company. This ensures clarity regarding which business is providing your service and which entity is responsible for operational decisions.

Valletto handles only the technology; valet companies handle the service.

5. Categories of Information We Collect

This section provides a detailed breakdown of the information collected through the Platform, how it is generated, and why it is necessary. We process both guest-submitted information and operational data generated through valet workflows. Each category is collected for specific operational purposes — primarily accuracy, accountability, communication, and safety. We do not collect information that is not required to provide or support the valet service.

5.1 Information You Provide

• Name
• Email address
• Mobile phone number
• Vehicle details (make, model, color, license plate)
• Notes or instructions
• Voluntary photos (vehicle condition, personal notes)
• Payment information (processed securely through PCI-compliant partners)

Your mobile number is used exclusively for SMS valet updates.

Your contact number will not be shared with third parties for their marketing or other purposes.

5.2 Operational Valet Data

Automatically collected to ensure accurate documentation and operational accountability:

• Check-in timestamps and workflow events
• Parking timestamps and parking location metadata
• Vehicle movement logs
• Retrieval requests and completion timestamps
• Damage photos captured by staff
• Key handoff logs
• Employee accountability logs
• Audit trails with detailed event history

5.3 Technical & Device Data

Collected automatically for security and performance:

• IP address
• Browser type and version
• Device identifiers
• Operating system
• Session identifiers
• Error logs
• Navigation patterns
• Performance analytics

5.4 Cookies & Tracking Technologies

What Are Cookies? Cookies are small text files stored on your device when you use the Platform. We use cookies and similar tracking technologies to maintain login sessions, secure workflows, optimize performance, and detect misuse.

Types of Cookies We Use:

Essential Cookies (Required):

• Session management: Keep you logged in during your visit
• Security: Prevent unauthorized access and detect suspicious activity
• Core functionality: Enable basic platform features

Analytics Cookies (Optional):

• Performance monitoring: Track page load times and system performance
• Error logging: Identify and fix technical issues
• Usage patterns: Understand how the Platform is used to improve functionality

Third-Party Cookies: We may use third-party services (e.g., Google Analytics, error monitoring tools) that place their own cookies. These third parties have their own privacy policies.

Cookie Lifespan: Session cookies are deleted when you close your browser. Persistent cookies remain for up to 1 year.

How to Manage Cookies: You may adjust cookie settings through your browser (e.g., Chrome: Settings → Privacy and Security → Cookies; Firefox: Settings → Privacy & Security → Cookies; Safari: Preferences → Privacy → Cookies).

Impact of Disabling Cookies: Disabling essential cookies may prevent you from using certain Platform features, including login and secure transactions.

For questions about cookies, contact privacy@valletto.io.

6. How We Use Your Information

We use the information collected strictly for operational, security, compliance, and service-related purposes. We do not use personal information for advertising, behavioral profiling, or marketing of any kind. Every use of data is tied directly to valet operations or system stability.

Primary Uses Include:

• Managing check-in, parking, and retrieval workflows
• Sending required SMS updates
• Maintaining operational accuracy and logs
• Supporting employee accountability
• Processing payments and issuing digital receipts
• Enhancing performance and preventing fraud
• Investigating damage claims or safety concerns
• Meeting carrier, regulatory, or legal requirements
• Ensuring system reliability and uptime

No promotional or marketing use occurs. Ever.

7. SMS Messaging & 10DLC Compliance

SMS communication is a core functional requirement of valet operations, and Valletto adheres strictly to CTIA and carrier compliance rules. Messages are limited exclusively to operational content and are never used to promote offers, market services, or send unrelated content. This section outlines how SMS is used, how consent is obtained, and how STOP/HELP commands function.

7.1 Purpose of SMS Messages

• Confirm check-in
• Provide vehicle status updates
• Notify when the vehicle is approaching
• Confirm retrieval
• Provide timing updates
• Communicate urgent or required service information

7.2 Required Intake Disclosure

Displayed directly above the opt-in checkbox:

"I agree to receive SMS updates about my valet service. Message and data rates may apply. Message frequency varies. Reply STOP to unsubscribe or HELP for assistance."

7.3 STOP & HELP

• STOP immediately ends all SMS communications for the session
• HELP provides support contact details

7.4 Required No-Sharing Clause

Your contact number will not be shared with third parties for their marketing or other purposes.

8. Information Sharing & Disclosure

Valletto does not sell, rent, trade, or share personal information for marketing or unrelated purposes. Information is only shared when essential to providing valet services, ensuring safety, complying with legal requirements, or supporting system infrastructure.

8.1 Service Providers

We work with vetted third-party processors for:

• Cloud hosting
• SMS delivery
• Security monitoring
• Payment processing
• System analytics

8.2 Property or Building Management

Limited data may be shared for:

• Security checks
• Gate or garage access
• Incident review
• Identity confirmation

8.3 Legal Obligations

We may disclose information to:

• Law enforcement
• Government authorities
• Courts and legal processes
• Investigators responding to fraud, threats, or safety issues

8.4 Business Transfers

In a merger or acquisition, data may be transferred to the successor entity under this same policy.

9. Data Security

We employ layered, industry-standard security controls to protect all personal and operational data. Our infrastructure uses encryption, access controls, and continuous monitoring to reduce risk. We regularly perform security audits, review employee access permissions, and deploy automated systems to detect anomalies.

Security measures include:

• Encryption in transit and at rest
• Strict role-based access controls
• Secure cloud infrastructure
• Audit logging and monitoring
• Intrusion detection systems
• Network segmentation
• Encrypted backups
• Regular vulnerability assessments

9.1 Data Breach Notification

In the event of a data security breach involving unauthorized access to or disclosure of personal information, we will:

Notification to Affected Individuals:

• Notify affected users without unreasonable delay, typically within 30–60 days of discovering the breach, or as required by applicable law
• Provide notification via email, SMS, or prominent website notice
• Include information about the nature of the breach, types of information affected, steps we are taking to address the breach, and steps you can take to protect yourself

Notification to Authorities:

• Notify applicable regulatory authorities as required by law (e.g., state attorneys general, data protection authorities)
• Comply with GDPR's 72-hour notification requirement where applicable

Cooperation: We will cooperate with law enforcement and regulatory investigations.

Limitation of Liability: To the maximum extent permitted by law, we are not liable for data breaches caused by factors outside our reasonable control, including third-party service provider failures, sophisticated cyberattacks, or employee errors despite reasonable security training.

For questions about our data breach procedures, contact privacy@valletto.io.

10. Data Retention

We retain information only as long as necessary to support valet services, protect against disputes, meet legal obligations, and maintain operational records. Retention periods may vary depending on the type of information and may also vary depending on legal and operational requirements.

Examples:

• Vehicle photos: retained for damage claims and audits
• SMS logs: retained per carrier and compliance requirements
• Payment records: retained under financial and tax regulations
• Operational logs: retained for safety, accountability, and dispute resolution

11. Your Privacy Rights

Depending on your jurisdiction, you may have the right to request access to your personal data, correction of inaccurate information, deletion of certain data, restrictions on processing, or copies of your information. We honor all rights as required under applicable laws.

11A. State-Specific Privacy Rights

Depending on your state of residence, you may have additional privacy rights under applicable state laws. This section describes the rights available to residents of certain U.S. states.

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose categories of personal information we collected about you, categories of sources, business or commercial purpose, categories of third parties with whom we share your personal information, and specific pieces of personal information we collected about you.
• Right to Delete: You have the right to request that we delete personal information we collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share personal information as defined by the CCPA.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information. We do not use sensitive personal information beyond what is necessary to provide valet services.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

How to Exercise Your Rights: Submit requests to privacy@valletto.io. We will respond within 45 days. You may designate an authorized agent to submit requests on your behalf. We may require verification of your identity before processing requests.

Virginia Residents (VCDPA)

If you are a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act (VCDPA):

• Right to Access: Confirm whether we process your personal data and access such data
• Right to Correction: Correct inaccuracies in your personal data
• Right to Deletion: Delete personal data you provided
• Right to Data Portability: Obtain a copy of your personal data in a portable format
• Right to Opt-Out: Opt out of processing for targeted advertising, sale of personal data, or profiling (we do not engage in these activities)

Submit requests to privacy@valletto.io. We will respond within 45 days. If we deny your request, you may appeal by contacting privacy@valletto.io.

Colorado Residents (CPA)

If you are a Colorado resident, you have rights under the Colorado Privacy Act (CPA) similar to those described for Virginia residents above, including right to access, correct, delete, and obtain a copy of your personal data; right to opt out of targeted advertising, sale of personal data, and profiling; and right to appeal denials of requests. Submit requests to privacy@valletto.io.

Connecticut, Montana, Oregon, Texas, and Utah Residents

Residents of Connecticut, Montana, Oregon, Texas, and Utah have similar rights to those described above under their respective state privacy laws. To exercise your rights, contact privacy@valletto.io.

Other States

If you reside in a state with privacy laws not listed above, you may still have rights under those laws. Contact privacy@valletto.io for information about exercising your rights.

12. International Data Transfers

Your information may be processed in the United States or other regions where our infrastructure or vendors operate. We ensure that any international transfers comply with applicable data protection laws and include appropriate safeguards.

For customers subject to GDPR, we execute a Data Processing Addendum (DPA) available upon request at privacy@valletto.io or at the URL provided in your Master Service Agreement.

13. Changes to This Privacy Policy

We may update this Privacy Policy as our Platform evolves or as legal requirements change. When updates occur, the "Last Updated" date will be modified. Significant changes may be presented through notifications or informational banners.

14. Terms of Service Reference

For detailed rules governing valet service operations, liability, subdomain branding, SMS compliance, arbitration procedures, and guest responsibilities, please review the Terms of Service: {companySubdomain}.valletto.io/terms

15. Contact Information

For questions, privacy requests, or concerns regarding this Policy:

Valletto LLC
1111 Brickell Avenue
Suite 1000, 10th Floor
Miami, FL 33131

Email:

• Privacy inquiries: privacy@valletto.io
• General inquiries: info@valletto.io
• Legal notices: legal@valletto.io
• Technical support: support@valletto.io

Website: https://valletto.io

Acceptance

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.