ValetBridge Privacy Policy

ValetBridge is a business-to-business integration platform and is not directed at or intended for use by individual consumers or members of the general public in a consumer context. The Platform is licensed exclusively to Operators under executed Master Subscription Agreements (MSAs). The ValetBridge website (valetbridge.io), however, is publicly accessible and collects Prospect Data through its Contact Form and Demo Request Form. This Policy governs both the Platform and the website.

With respect to Hotel Guest Data that Operators cause to transit through the ValetBridge Platform in connection with PMS integrations via the Unified API, each Operator acts as an independent Data Controller and is solely responsible for: (i) ensuring it has obtained all required consents and authorizations from hotel guests and property management systems; (ii) compliance with all applicable privacy laws governing such Hotel Guest Data; (iii) the accuracy, completeness, and lawfulness of Hotel Guest Data submitted to the Platform; and (iv) providing appropriate privacy notices to data subjects whose data the Operator causes to be processed through the Platform.

To the extent Hotel Guest Data constitutes Personal Data under applicable law, ekSource processes such data solely as a Data Processor acting on behalf of and under the instructions of the Operator as Data Controller. ekSource does not independently determine the purposes or means of processing Hotel Guest Data.

This Policy applies to: (i) the ValetBridge website and all associated web forms; (ii) the ValetBridge web application and administrative portal; (iii) the Unified API and all integration endpoints; (iv) A2P SMS and email communications initiated by ekSource; (v) billing and payment processing activities; (vi) communications between Operators, Prospects, Authorized Users, and ekSource; and (vii) all data processed through the Platform or collected via the website, regardless of whether such data is stored by ekSource.

• Full legal name and trade name of the Operator organization
• Names, titles, business email addresses, and telephone numbers of Operator representatives and Authorized Users
• Business mailing address and principal place of operations
• Federal Employer Identification Number (EIN) or equivalent business identifier, for contractual and billing purposes
• Billing contact name and billing email address, for invoice and payment receipt delivery
• Payment Method Token: prior to the Operator's first Property Activation, the Platform prompts the Operator to submit a payment method through Stripe's secure embedded payment element. Stripe returns a Payment Method Token to ekSource, which ekSource stores and uses to initiate authorized charges for PMS Setup Fees and Property Monthly Fees. ekSource never stores full payment card numbers, CVV codes, or bank account details — such data is processed and stored exclusively by Stripe, Inc. in accordance with its PCI-DSS Level 1 certification.
• Account credentials, including usernames and hashed passwords for Authorized Users of the ValetBridge administrative portal

• Staging Credentials: PMS credentials provided for use in the Staging Environment prior to Property Activation. Used solely to validate connectivity with the applicable PMS provider's sandbox or non-production environment and are retained for the duration of active Staging Environment use.
• Production Credentials: PMS credentials used in live production following Property Activation. These include Oracle OHIP / Opera Cloud (Client ID, Client Secret, Enterprise ID, Property Codes, OHIP gateway endpoints, OAuth tokens), StayNTouch (API keys, property identifiers, environment configuration), Agilysys (Property Management Interface credentials, site identifiers), and any additional PMS credentials for future Supported PMS Platform types.

All PMS Credentials — both staging and production — are treated as highly sensitive confidential information. ekSource encrypts PMS Credentials at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Access to PMS Credentials is strictly limited to authorized ekSource engineering personnel on a need-to-know basis and is subject to audit logging.

• Internal data mapping records generated by ekSource's field translation engine during normalization of Operator data to PMS-specific schemas.

In the course of performing folio lookup and Folio Post operations via the Unified API, the Platform may receive, transmit, and temporarily buffer Hotel Guest Data returned by or submitted to the Operator's connected PMS. Hotel Guest Data that may transit through the Platform includes guest last name and room number (for folio lookup), folio number, folio balance, reservation confirmation numbers, and charge posting status.

ekSource does not collect, transmit, or store raw payment card numbers, expiry dates, CVV codes, or bank account details. All such sensitive payment data is handled exclusively by Stripe, Inc. as a PCI-DSS Level 1 certified sub-processor. For information on Stripe's data practices, see Stripe's Privacy Policy at stripe.com/privacy.

The Platform automatically generates and collects Technical Data to support operations, security monitoring, debugging, and service improvement, including IP addresses of Authorized Users, API request and response metadata (endpoint paths, HTTP status codes, request timestamps, response latency), system error logs, exception reports, and stack traces, browser type, operating system, and device identifiers for Authorized Users accessing the administrative portal, session identifiers and authentication event logs, and integration health metrics, Unified API connection status records, and uptime telemetry.

ekSource retains records of communications between Operators, Authorized Users, Prospects, and ekSource personnel, including email correspondence, support tickets, and written notices, to the extent necessary to administer the MSA, respond to inquiries, and resolve disputes.

ekSource processes aggregated and de-identified Technical Data and usage statistics for the purpose of analyzing Platform performance, identifying operational bottlenecks, planning capacity, and improving the functionality and reliability of the Service. ekSource does not use identifiable Client Data, PMS Credentials, Hotel Guest Data, or Billing and Payment Data for service improvement purposes.

Payment processing is performed by Stripe, Inc., ekSource's third-party payment processor, which operates under its own privacy policy and is PCI-DSS Level 1 certified. ekSource does not store raw payment card details; all sensitive payment data is handled exclusively by Stripe.

ekSource does not sell, rent, lease, license, or otherwise transfer Personal Data or Client Data to third parties for monetary or other consideration. This prohibition applies to Hotel Guest Data, Platform Account Data, Billing and Payment Data, Prospect Data, PMS Credentials, and Transaction Data.

ekSource engages carefully vetted third-party service providers (“Sub-Processors”) to assist in operating, maintaining, and improving the Platform. Sub-Processors process data only on ekSource's behalf, pursuant to written data processing agreements imposing confidentiality, security, and data protection obligations at least as protective as those in this Policy. Current Sub-Processors include:

By enabling a PMS integration through ValetBridge, the Operator authorizes ekSource to transmit the Operator's PMS Credentials and applicable Transaction Data and Hotel Guest Data to the designated Supported PMS Platform solely as necessary to perform the requested integration transaction via the Unified API. Such transmissions are governed by the applicable PMS provider's own terms of service, which the Operator is independently responsible for accepting. ekSource makes no representations regarding the data practices of any PMS provider.

ekSource may disclose Client Data or Prospect Data if required to do so by applicable law, valid legal process, or regulatory demand. To the extent permitted by law, ekSource will provide prompt written notice to the affected party and disclose only the minimum data required.

In the event of a merger, acquisition, asset sale, or other corporate transaction involving ekSource or the ValetBridge Platform, Client Data and Prospect Data may be transferred to a successor entity. ekSource will provide reasonable advance notice to Operators and will require the successor entity to honor the terms of this Policy.

ekSource may disclose information where necessary to protect the rights, property, or safety of ekSource, its personnel, its Clients, Prospects, hotel guests, or the public.

• Encryption of all data in transit using TLS 1.2 or higher with strong cipher suites
• Encryption of all Client Data and PMS Credentials at rest using AES-256 encryption
• Role-based access controls and the principle of least privilege for all ekSource personnel
• Multi-factor authentication (MFA) requirements for all ekSource personnel accessing production systems
• Automated intrusion detection and anomaly monitoring for Unified API and administrative interfaces
• Regular vulnerability assessments and penetration testing of Platform components
• Formal incident response procedures for security events affecting Client Data or Prospect Data
• Background checks and confidentiality agreements for ekSource personnel with access to Personal Data

All PMS Credentials — staging and production — are stored in encrypted credential vaults with access strictly limited to authorized ekSource engineering personnel, subject to audit logging, and subject to immediate rotation procedures in the event of a suspected compromise. PMS Credentials are never stored in plain text in any system, log, configuration file, or communication.

Billing and Payment Data is protected through ekSource's engagement of Stripe, Inc. as a PCI-DSS Level 1 certified payment processor. ekSource stores only the Payment Method Token; raw payment card data never enters ekSource's systems. The Payment Method Token is stored in access-controlled systems accessible only to authorized ekSource engineering and finance personnel.

Prospect Data, including mobile telephone numbers collected through web forms, is stored in access-controlled systems and is accessible only to ekSource personnel with a legitimate need to respond to inquiries or manage sales communications. Prospect Data is not stored in the same systems as Platform Client Data or PMS Credentials.

No information security program can guarantee absolute protection against all threats. The security measures described herein represent ekSource's current good-faith efforts to protect Personal Data consistent with industry standards for B2B SaaS middleware platforms.

ekSource retains Client Data and Prospect Data only for as long as necessary to fulfill the purposes described in this Policy, to perform its obligations under the MSA, and to comply with applicable legal, regulatory, and contractual requirements.

Within sixty (60) days following the effective date of termination or expiration of an Operator's MSA, ekSource will, at the Operator's election: (i) permanently delete all Client Data in ekSource's possession that is subject to deletion under this Section; or (ii) provide the Operator with a machine-readable export of applicable Client Data in a standard format. Operators must submit a written election to ekSource no later than thirty (30) days following the effective date of MSA termination.

The ValetBridge Platform and its associated data stores are hosted on AWS cloud infrastructure located within the United States of America. As of the Effective Date of this Policy, ekSource does not routinely transfer Client Data outside of the United States in the ordinary course of providing the Service.

ekSource anticipates expanding ValetBridge services to Operators located in Canada. To the extent ekSource processes Personal Information of Canadian residents on behalf of Canadian Operators, ekSource will comply with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, including its accountability, consent, and safeguard principles. Operators subject to Quebec Law 25 should note that ekSource's monday.com sub-processor processes data in the United States and Israel; the MSA and DPA v1.1 (Exhibit D) establish the contractual framework governing such cross-border transfers. Canadian Prospects who submit information through the ValetBridge website will be required to provide express opt-in consent before receiving any SMS communications, consistent with CASL and PIPEDA requirements.

To the extent that Personal Data is transferred from jurisdictions outside the United States to ekSource in the United States, such transfers shall be conducted pursuant to lawful transfer mechanisms under applicable law, including, where applicable, standard contractual clauses or other lawful mechanisms approved by applicable regulatory authorities. The DPA v1.1 (Exhibit D to the MSA), when executed, serves as the contractual framework for Personal Data transfers from Canada to the United States.

The ValetBridge Platform is operated by ekSource from Virginia. ekSource's processing activities are subject to the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (“VCDPA”). To the extent Authorized Users and Prospects are Virginia residents whose personal data is processed by ekSource, such individuals may have the following rights under the VCDPA, subject to applicable exceptions:

To exercise any applicable VCDPA rights, individuals should submit a verifiable written request to the Data Privacy contact identified in Section 15. ekSource will respond within forty-five (45) days, extendable by an additional forty-five (45) days upon notice.

Prospects may request access to, correction of, or deletion of their Prospect Data at any time by contacting ekSource at the Data Privacy contact identified in Section 15. Prospects may also opt out of all marketing email and SMS communications at any time as described in Section 12.6.

Operators may review and update Platform Account Data and billing contact information by logging into the ValetBridge administrative portal or by submitting a written request to ekSource. Operators may update their payment method through the Stripe-managed payment interface in the administrative portal; ekSource cannot directly modify stored payment card details as these are held by Stripe.

As ekSource acts as a Data Processor with respect to Hotel Guest Data, requests from hotel guests seeking to exercise privacy rights must be directed to the applicable Operator, who is the Data Controller. ekSource will provide reasonable cooperation to Operators in responding to such requests.

ekSource will not discriminate against any Operator, Prospect, or Authorized User for exercising their privacy rights under applicable law.

ekSource's A2P SMS communications are transmitted through registered 10DLC telephone numbers. ekSource maintains active campaign registration with The Campaign Registry (TCR) and applicable wireless carriers. Registered campaign use case: informational and transactional messages to prospective and active B2B clients of the ValetBridge platform.

In addition to marketing SMS (which require SMS Consent), ekSource may send transactional SMS including: form submission confirmation, demonstration appointment reminders, and Platform operational alerts to Authorized Users. Transactional messages do not include promotional content.

All A2P SMS messages will clearly identify ekSource Technologies, Inc. and/or ValetBridge as the sender, include STOP opt-out instructions in every initial marketing message and at minimum in every monthly marketing message cycle, and will not be sent between 9:00 PM and 8:00 AM in the recipient's local time zone, consistent with TCPA quiet hours requirements.

Recipients may opt out of A2P SMS communications at any time, at no cost:

Opting out of marketing SMS or email communications will not affect the Operator's receipt of transactional and operational communications necessary for the administration of their MSA (such as invoices, payment receipts, renewal notices, and security alerts), which are sent on the basis of the contractual relationship.

Following an opt-out, a new, affirmative SMS Consent must be obtained before any further marketing SMS messages are sent. ekSource will not interpret subsequent form submissions as implicit re-consent following an opt-out.

• Transactional Emails: Confirmation of form submissions, demonstration appointment confirmations and reminders, MSA routing and execution notifications, invoices, payment receipts, renewal notices, and security notifications. Transactional emails are sent on the basis of the contractual relationship.
• Marketing Emails: Promotional emails regarding ValetBridge features, updates, pricing, and industry content, sent only to Prospects who have submitted the Contact Form or Demo Request Form. Every marketing email includes ekSource as identified sender, ekSource's valid postal address, a clear Unsubscribe mechanism, and an accurate subject line.

ekSource will not sell, transfer, or share A2P SMS opt-in lists or email subscriber lists with any third party for that third party's independent marketing purposes.