PRIVACY POLICY Last Updated: December 2025 This Privacy Policy explains how hostU, Inc. (d/b/a Hero by hostU) (“Hero by hostU,” “we,” “us”) collects, uses, stores, and protects personal and business information when visitors access our website or when customers use the Hero by hostU platform and related services (the “Service”). By accessing the website or using the Service, you agree to the practices described in this Privacy Policy. Google API Data Use Disclosure Hero by hostU’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Hero by hostU only accesses, uses, stores, and transfers Google user data as necessary to provide the Service and in accordance with this Privacy Policy. 1. INFORMATION WE COLLECT We collect information in three primary categories: 1.1 Information Provided Directly by Customers This includes any information a Customer or Authorized User submits or transmits through the Service, such as: Email content and communication history Inquiries, drafts, replies, and message metadata Uploaded documents (leases, PDFs, images, forms) Property information and unit data Tenant information provided through property management system (PMS) integrations Any content entered into the system by a Customer Admin or Authorized User Account registration information (name, email, role, property affiliation) This collectively constitutes Customer Data. 1.2 Information Collected Automatically When users access our website or platform, we may collect: IP address Browser and device information Log data and usage activity Session timestamps Diagnostic and performance metrics These logs help us secure, maintain, and improve the Service. 1.3 Information from Third-Party Integrations If a Customer connects an integration (e.g., Entrata, Yardi, AppFolio, Gmail, Outlook), we may receive: Unit availability, pricing, and property records Tenant or prospect communications Work orders or leasing-related data Customer-specific configuration information Additional PMS or email metadata authorized by Customer settings We only access data that the Customer has explicitly enabled. 2. HOW WE USE INFORMATION We use Customer Data and other collected information for the following purposes: 2.1 Service Delivery To operate and provide the Hero by hostU platform, including: Drafting responses using AI Surfacing property data Supporting leasing and operational workflows Routing communications Maintaining system functionality 2.2 Customer-Specific Model Performance Hero by hostU may process Customer Data solely to improve that Customer’s model performance and accuracy within their own account. Hero by hostU does not use Customer Data, including Google user data, to train or improve generalized or shared AI models. Google user data is not retained by third-party AI providers beyond what is required to provide the Service. 2.3 Use of Google Workspace Data If a Customer connects a Google Workspace account (including Gmail), Hero by hostU accesses and processes email content and metadata solely to provide the Service, including: understanding communication context to generate relevant draft responses identifying message threads and updates supporting inbox workflows configured by the Customer Hero by hostU does not send emails automatically. All messages require explicit user review and approval before being sent. 2.4 Communication We may contact Customer Admins regarding: account updates service notifications security alerts product improvements 2.5 Security, Fraud Prevention & Compliance We use data to: detect and prevent unauthorized access enforce platform policies comply with legal obligations 2.6 Website Analytics We may use aggregated analytics to understand website usage patterns and improve the user experience. 3. HOW WE SHARE INFORMATION We do not sell Customer Data. We do not share Customer Data with third parties except as described below. 3.1 Subprocessors We may share Customer Data with trusted service providers who support the operation of Hero by hostU, such as: cloud hosting providers Supabase (database infrastructure) OpenAI (AI model inference) Cloudflare (security and hosting) monitoring and logging tools These subprocessors only use information to provide services on our behalf, are bound by confidentiality obligations, and are prohibited from using Customer Data, including Google user data, for any other purpose. A current list of subprocessors is available upon request. 3.2 Third-Party Integrations When a Customer connects an integration (e.g., Entrata, Yardi, AppFolio, Gmail), we access and process data from those systems only as authorized by the Customer. We do not share Customer Data back to those third parties unless necessary to perform an action explicitly enabled by the Customer (such as sending an email). 3.3 Legal Requirements We may disclose information if legally required or necessary to: comply with law or legal process respond to lawful requests from public authorities protect rights, property, or safety enforce our agreements or policies 4. DATA SECURITY We use industry-standard technical and organizational security measures, including: encryption in transit and at rest role-based access control tenant-level data isolation secure API credential handling audit logging regular monitoring Customers are responsible for: securing admin credentials configuring access permissions for their property team managing authorized users 4.1 Limited Human Access to Customer Data Hero by hostU does not allow employees or contractors to access Customer Data, including Google user data, except in the following limited circumstances: when explicitly authorized by the Customer for support or troubleshooting when necessary to investigate security incidents, abuse, or service failures when required to comply with applicable law or legal process Any such access is logged, limited in scope, and subject to confidentiality obligations. 5. DATA RETENTION We retain Customer Data only as long as necessary to: provide the Service meet legal obligations fulfill Customer instructions Upon termination, Customer Data is deleted according to our retention schedule unless legal retention requirements apply. 6. CHILDREN’S PRIVACY The Service is intended for business use by adults. We do not knowingly collect information from children under 13. 7. CUSTOMER RIGHTS & CHOICES Because Hero by hostU currently serves only U.S.-based customers, U.S. privacy laws apply, including the California Consumer Privacy Act (CCPA), where applicable. Depending on your jurisdiction, you may request to: access certain personal information correct inaccuracies delete certain information restrict certain types of processing Requests must be submitted by the Customer Admin or authorized representative. 8. INTERNATIONAL USE At this time, Hero by hostU is intended for use within the United States. If we expand into the EU or UK in the future, GDPR and UK GDPR provisions will apply and this policy will be updated accordingly. 9. THIRD-PARTY LINKS Our website may contain links to third-party sites. We are not responsible for their privacy practices. 10. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy periodically. We will post the updated version with a revised “Last Updated” date. Continued use of the Service constitutes acceptance of changes. 11. CONTACT US If you have questions about this Privacy Policy or our data practices, you may contact us at: hostU, Inc. (d/b/a Hero by hostU) New York, NY admin@joinhostu.com