Open SesameLegal · 002

Privacy Policy

How we treat the data
that walks through the door.

Effective May 25, 2026Last updated May 25, 2026

1. Who we are

Open Sesame is a visitor-management and access platform for multifamily properties, operated by Southlake Technical, LLC(“Open Sesame,” “we,” “us,” or “our”). This policy describes the personal information we collect across our websites, our resident and visitor mobile and web apps, and the management dashboard used by property staff (collectively, the “Services”).

By using the Services you agree to the practices described here. If you do not agree, please do not use the Services.

2. Information we collect

We collect only the information needed to verify identities at the door, route calls between residents and visitors, and let property staff administer access. The categories below describe what we collect and why.

Account & identity

When you create or are invited to an Open Sesame account, we collect your name, email address, and an internal user identifier. Property staff may also provide your unit / residence assignment and role (resident, manager, admin).

Contact information

Residents and visitors may provide a phone number so we can send one-time verification codes (via Twilio) and so visitors can reach residents through the app.

Property & access data

For each property and residence we store the street address, unit number, and resident-to-unit associations, along with records of visitor calls, temporary access passes, and door-event logs (e.g., who was granted entry and when).

Camera, microphone & calls

The resident and visitor apps use your device’s camera and microphone only during an active visitor call, and only after the operating system has prompted you for permission. We do not record video or audio of calls by default; call media is streamed peer-to-peer through our real-time provider (Vonage / OpenTok) and is not stored on our servers. Where call recording is enabled by a property administrator, it will be disclosed in-product before recording begins.

Push notifications

If you enable notifications, we store a push token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) so we can alert you to incoming visitor calls and access events. You can disable notifications at any time in your device settings.

Device & technical information

We automatically collect basic technical information about your device and app session, including device model, operating system version, app version, IP address, language, and timestamps. We use this to operate the Services, debug issues, and maintain security.

Payment information (operators only)

If your property pays for Open Sesame, billing details are processed by Stripe. We do not store full payment-card numbers; Stripe handles card data under PCI DSS. We retain only a customer reference, the last four digits, and invoice history.

What we do NOT collect

  • We do not collect precise GPS or background location.
  • We do not sell personal information to third parties.
  • We do not use third-party advertising SDKs or cross-app tracking inside the mobile apps.
  • We do not access your contacts, photos, calendars, or health data.

3. How we use information

We use personal information to:

  • authenticate you and keep your account secure (via our identity provider, WorkOS);
  • connect visitors with the correct resident at the correct unit;
  • deliver and route visitor calls, including audio/video session signaling;
  • send transactional notifications (visitor at the door, pass redeemed, account alerts);
  • let property staff manage residents, visitors, and door access;
  • process subscription billing for property operators;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with legal obligations and enforce our terms.

We do not use your information to train machine-learning models for advertising or profiling.

4. Third-party services (sub-processors)

We share personal information only with vendors that help us operate the Services. Each is bound by a written agreement requiring at least the same level of protection described in this policy.

  • WorkOS— identity, authentication, and directory sync (name, email, organization).
  • Twilio— SMS one-time-password delivery for phone verification.
  • Vonage / OpenTok— real-time audio and video session relay for visitor calls.
  • Apple (APNs) and Google (Firebase Cloud Messaging) — push-notification delivery.
  • Stripe— payment processing for property operators.
  • Cloud hosting providers— infrastructure in the United States; data is encrypted in transit (TLS) and at rest.

We may also disclose information when required by law, to respond to lawful requests from public authorities, or to protect the rights, property, or safety of Open Sesame, our users, or others. If our business is transferred (merger, acquisition, asset sale), personal information may be transferred subject to this policy.

5. How long we keep your data

We retain personal information for as long as your account is active and as needed to provide the Services. Specific categories:

  • Account profile— for the life of the account; deleted within 30 days of account closure.
  • Door-event and call logs— up to 24 months, then deleted or anonymized, unless a longer period is required by the property operator or by law.
  • Session and authentication tokens— short-lived (minutes to days); expire automatically.
  • Billing records— up to 7 years to comply with tax and accounting obligations.
  • Backups— rotated on a rolling schedule and overwritten in the normal course; deleted records age out from backups within 90 days.

6. Your choices and rights

You have the following choices regardless of where you live, and additional rights where local law (including the California Consumer Privacy Act and EU/UK GDPR, where applicable) applies:

  • Access & portability. Request a copy of the personal information we hold about you.
  • Correction. Ask us to fix inaccurate or incomplete information.
  • Deletion. Ask us to delete your account and associated personal information. You can also delete your account from within the mobile app under Settings → Account → Delete account, which initiates the same process.
  • Withdraw consent. Revoke camera, microphone, or notification permissions at any time in your device settings. Some features will stop working without them.
  • Opt out of sale/sharing.We do not sell or “share” personal information for cross-context behavioral advertising, so there is nothing to opt out of.
  • Complain. Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at support@open-sesame.co. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

7. Security

We protect personal information with technical and organizational safeguards including TLS encryption in transit, encryption at rest for stored data, scoped access controls, secrets management, audit logging, and regular review of vendor security. No system is perfectly secure; if we learn of a breach affecting your data we will notify you and the appropriate authorities as required by law.

8. Children

Open Sesame is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will delete it.

9. International users

We operate from and host the Services in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States, which may have data-protection laws different from those of your jurisdiction.

10. California residents

California residents have specific rights under the California Consumer Privacy Act (CCPA), as amended. The categories of personal information we collect, the purposes for which we use them, and the third parties with whom we share them are described in sections 2–4 above. We do not sell or share personal information for cross-context behavioral advertising. California residents may exercise their CCPA rights using the contact details below; we will not discriminate against you for exercising those rights.

11. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If changes are material, we will provide a more prominent notice (such as an in-app message or email to account holders).

12. Contact us

Questions, requests, or concerns about this policy or your personal information:

Southlake Technical, LLC
d/b/a Open Sesame
Email: support@open-sesame.co

This policy is governed by the laws of the State of Texas, USA, without regard to its conflict-of-laws principles.