Privacy Policy — DrLock

Effective Date: April 22, 2026 | Last Updated: April 22, 2026

1. Introduction

Welcome to DrLock ("App", "we", "us", or "our"). This Privacy Policy explains how Shenzhen Lanxin Zhilian Technology Co., Ltd. , a company registered in Shenzhen, Guangdong, China, collects, uses, shares, and protects your personal information when you use the Dr. Lock mobile application.

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree to this policy, please do not use the App.

Contact us regarding privacy matters:
Email: drlock@skychip.top

2. Information We Collect

2.1 Information You Provide to Us

Category	Data Items	Purpose
Account	Email address, password (hashed)	Account registration and login
Profile	Display name, profile photo	Personalization
Lock sharing	Recipient email address or phone number	Sharing lock access with others

2.2 Information Collected Automatically

Category	Data Items	Purpose
Device information	Device model, operating system version, device identifier	Service compatibility, crash diagnosis
Usage analytics	App feature usage, session duration, event logs	Product improvement
Crash reports	Stack traces, device state at time of crash	Bug fixing and stability
Push notification token	Firebase registration token	Sending push notifications
Door lock event logs	Unlock records, alarm events, doorbell events, video events	Lock activity history shown to you

2.3 Information Collected via Device Permissions

We request the following device permissions only when needed for specific features. You may deny any permission; however, the corresponding feature will be unavailable.

Permission	When Requested	Why
Bluetooth	Always — core feature	Communicating with smart lock hardware via BLE
Location (while using app)	When scanning for nearby locks	Bluetooth device scanning requires location permission on iOS and Android
Camera	When scanning QR codes or uploading profile photo	QR code device pairing; avatar upload
Microphone	When using the video doorbell intercom	Two-way voice communication with the doorbell
Contacts	When sharing lock access	Selecting a contact as the lock access recipient
Photo Library (read)	When uploading profile photo	Selecting an existing photo for your avatar
Photo Library (add only)	When saving captured images	Saving doorbell snapshots to your photo album
Notifications	On first launch	Receiving lock alerts, doorbell rings, and system notices

We do not collect raw microphone audio beyond the live intercom session. No audio is recorded or transmitted to our servers.

3. How We Use Your Information

We use your information for the following purposes, each supported by a legal basis under applicable law:

Purpose	Legal Basis (GDPR)	CCPA Category
Providing and operating the App's core features	Performance of contract	Service providers
Sending push notifications for lock events and alerts	Legitimate interests / Consent	Identifiers
Sending access-sharing emails or SMS on your behalf	Performance of contract	Identifiers
Diagnosing crashes and improving App stability	Legitimate interests	Internet/network activity
Analyzing aggregate feature usage to improve the App	Legitimate interests	Internet/network activity
Complying with legal obligations	Legal obligation	—
Processing in-app subscription purchases	Performance of contract	Commercial information

We do not use your information for advertising, marketing profiling, or selling to third parties.

4. Information Sharing and Disclosure

We do not sell your personal information. We share information only in the following limited circumstances:

4.1 Service Providers (Sub-processors)

We engage the following third-party service providers who process data on our behalf:

Provider	Service	Data Processed	Privacy Policy
Google LLC (Firebase Analytics)	Usage analytics	Anonymous usage events, device type, OS version	policies.google.com/privacy
Google LLC (Firebase Crashlytics)	Crash reporting	Crash stack traces, device model, OS version	policies.google.com/privacy
Google LLC (Firebase Cloud Messaging)	Push notifications	Push notification token, device identifier	policies.google.com/privacy
Apple Inc.	In-app purchases (iOS)	Transaction identifier, subscription status	apple.com/legal/privacy
Google LLC (Google Play)	In-app purchases (Android)	Transaction identifier, subscription status	policies.google.com/privacy
Email service provider	Transactional emails	Recipient email address, email content	Per provider privacy policy

All service providers are contractually bound to process your data only for the purposes specified by us.

4.2 Lock Access Sharing

When you choose to share lock access with another person via email or SMS, we transmit the recipient's email address or phone number to our backend server solely to send the access notification. This information is not used for any other purpose.

4.3 Legal Disclosure

We may disclose your personal information if required to do so by law or in response to valid legal requests (e.g., court orders, government requests), or to protect the rights, property, or safety of our users, ourselves, or others.

4.4 Business Transfer

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal information may be transferred to the acquiring entity. We will notify you of any such change via email or a prominent in-app notice.

5. Data Retention

Data Type	Retention Period
Account information	Until account deletion, plus 30 days for recovery
Door lock event logs	90 days rolling window (configurable)
Video recordings	Dependent on your subscription plan; deleted after plan expiry
Crash reports	90 days
Analytics data	14 months (Firebase default)
Purchase records	As required by applicable tax and accounting laws (typically 5–7 years)

When you delete your account, we delete or anonymize all personal data associated with your account within 30 days, unless retention is required by law.

6. Data Security

We implement industry-standard security measures to protect your personal information:

All data transmitted between the App and our servers is encrypted using HTTPS/TLS.
Passwords are stored in hashed form — we never store plaintext passwords.
Bluetooth communication with lock hardware uses the lock manufacturer's proprietary encrypted protocol.
Access to our backend systems is restricted to authorized personnel only.

Despite our efforts, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

7. International Data Transfers

Our servers are located in the People's Republic of China. If you access the App from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to and processed in China.

China is not recognized by the European Commission as providing an adequate level of data protection equivalent to the EEA. We rely on the EU Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data from the EEA to China. You may request a copy of the applicable SCCs by contacting us at drlock@skychip.top.

8. Your Privacy Rights

8.1 Rights for All Users

Regardless of your location, you may:

Access your personal data via the "Profile" section of the App.
Correct inaccurate information by editing your profile.
Delete your account via Settings → Account → Delete Account. This removes your personal data within 30 days.
Withdraw consent for push notifications via your device's notification settings at any time.

8.2 Additional Rights for EEA / UK / Swiss Users (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the GDPR:

Right of access — request a copy of all personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — request deletion of your personal data where no legitimate basis for retention exists.
Right to restriction — request that we restrict processing of your data in certain circumstances.
Right to data portability — request your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
Right to lodge a complaint — file a complaint with the supervisory authority in your Member State. A list of EEA supervisory authorities is available at: edpb.europa.eu.

To exercise your GDPR rights, contact us at drlock@skychip.top. We will respond within 30 days.

EU Representative: We are in the process of appointing an EU representative as required by Article 27 of the GDPR. Contact details will be updated in this policy once appointed. In the meantime, please contact us directly at drlock@skychip.top.

8.3 Additional Rights for California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct — request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing — we do not sell or share personal information for cross-context behavioral advertising.
Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information collected:

CCPA Category	Collected	Examples
Identifiers	✅ Yes	Email address, device ID, push token
Personal information (Cal. Civ. Code §1798.80)	✅ Yes	Name
Commercial information	✅ Yes	Subscription purchase records
Internet/network activity	✅ Yes	App usage analytics, crash logs
Geolocation data	✅ Yes (approximate, BLE scanning only)	Location while scanning for nearby locks
Sensory/audio data	❌ No	Microphone used for live intercom only, not recorded
Inferences	❌ No	We do not build consumer profiles

To exercise your CCPA rights, contact us at drlock@skychip.top. We will respond within 45 days, with one possible 45-day extension if needed.

8.4 CalOPPA Disclosure

We comply with the California Online Privacy Protection Act (CalOPPA):

This Privacy Policy is accessible from within the App (Settings → Privacy Policy).
We do not track users across third-party websites or online services.
The App does not respond differently to browser "Do Not Track" signals, as we do not engage in the type of tracking that DNT is designed to prevent.

9. Children's Privacy

The App is not directed to children under the age of 13 (or under 16 for users in the EEA). We do not knowingly collect personal information from children under these ages. If you become aware that a child has provided us with personal information without parental consent, please contact us at drlock@skychip.top. We will promptly delete such information.

10. Third-Party Links and Services

The App may contain links to third-party websites or services (e.g., our in-app purchase pages managed by Apple or Google). These third parties have their own privacy policies. We are not responsible for the privacy practices of third-party sites or services and encourage you to review their policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

Displaying a notice within the App before the changes take effect, and/or
Sending an email to the address associated with your account.

The "Last Updated" date at the top of this policy reflects the most recent revision. Your continued use of the App after any changes indicates your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Shenzhen Lanxin Zhilian Technology Co., Ltd.

Email: drlock@skychip.top

We aim to respond to all privacy-related inquiries within 30 days.