LotKey
← Back to home
Legal

Privacy Policy

Effective April 26, 2026 · How we collect, use, and protect your information.

LotKey watches the New York City affordable-housing lottery system and files applications on your behalf. To do that, we have to handle some pretty personal information about you and your household. This policy explains what we collect, why, who we share it with, and what you can do about it.

Short version, up front: we collect what we need to file lottery applications for you, store it encrypted on US-based servers, never sell it, never share it with data brokers, and never use it to train AI models. The rest of this page is the long version.

If anything is unclear, email us at hello@mylotkey.com — we will actually answer.

1. Who this policy applies to

This policy applies to people who use mylotkey.com and the related services (the “Service”). It is part of our Terms of Service. The terms “LotKey”, “we”, and “us” mean the operator of mylotkey.com.

The Service is offered to people in the United States, primarily residents of and applicants to the five boroughs of New York City. We don’t target users outside the US, and the Service may not be appropriate for use elsewhere.

2. Information we collect

Information you give us during onboarding and use

When you sign up and complete your profile, we collect the information NYC Housing Connect lotteries actually ask for, plus what we need to communicate with you and run your account:

  • Identity: legal first / middle / last name, date of birth.
  • Contact: email address, phone number (optional, for SMS notifications), current address (street, city, ZIP, borough).
  • Household composition: number of people in your household, and for each member: name, relationship to you, date of birth, and optional demographic / income fields.
  • Income: annual household income bracket, and the components (employment, self-employment, government benefits, retirement) where you provide them.
  • Preferences: boroughs you’d consider, bedroom count, and any voucher or rental-assistance programs you participate in.
  • Self-attested status: gender, pronouns, and whether you self-identify as a student, NYC employee, military service member, or as having a mobility, vision, or hearing disability — only because some lotteries grant priority based on these. You provide them; we don’t verify them.
  • Assets: a coarse bracket (under $180K, $180K–$324K, over $324K) and whether you own real estate. Required by some lotteries.

What we do not collect: government-issued IDs, Social Security numbers, pay stubs, tax returns, bank statements, or supporting documents of any kind. Those go directly from you to the building if you’re selected for a unit (see Section 6 of our Terms of Service).

Account and authentication information

  • Email address and a hashed password, or — if you sign in with Google — your Google account identifier and basic profile information (name, email, profile photo URL).
  • Login timestamps, the device / browser you signed in from, and the IP address used at sign-in (for security and fraud prevention).

Billing information

Payments are handled by a third-party payment processor. When you start a subscription, the processor collects your payment method and gives us a token, the last four digits of your card, the card brand, the expiration date, your billing ZIP, and your subscription status. We never see or store your full card number, your CVC, or your bank-account details. The processor’s own privacy practices are governed by its privacy notice.

Lottery activity we generate on your behalf

As we file applications and watch for results, we generate records about that activity: which lotteries we’ve matched you to, which we’ve filed for, the timestamps of those filings, log numbers HPD assigns, and any messages buildings or HPD send back about your applications. We retrieve those messages from HPD and surface them to you.

Information collected automatically

  • Device and browser data: browser type and version, operating system, screen size, language, and the URL you came from.
  • Usage data: pages viewed, buttons clicked, features used, errors encountered, and approximate session duration.
  • IP address: used for security, fraud prevention, and to derive an approximate (city-level) location.
  • Cookies and similar technologies: a session cookie that keeps you logged in, plus cookies set by our analytics provider. Details in Section 7 below.

Information from third parties

  • If you sign in with Google, we receive the basic profile data described above.
  • If you contact us for support, we may receive whatever you choose to share in that conversation.
  • We do not buy data about you from data brokers, advertising networks, or any third party.

3. How we use your information

We use the information we collect to:

  • Run the Service. Match your profile against open NYC Housing Connect lotteries, file applications you qualify for under your authorization, and surface the results back to you.
  • Communicate with you. Send transactional email and (if you opted in) SMS about your account, billing, lottery activity, and messages from HPD or buildings about your applications.
  • Process payments. Manage your subscription and the housewarming refund described in our Terms of Service.
  • Improve the Service. Understand which features are useful, diagnose bugs, and prioritize what to build next.
  • Keep things safe. Detect and prevent fraud, abuse, and security incidents.
  • Comply with the law. Respond to lawful requests, enforce our Terms, and protect our rights and yours.

We do not use your personal information for any of the following:

  • Selling, renting, or licensing it to third parties.
  • Sharing it with data brokers or advertising networks.
  • Training, fine-tuning, or evaluating any artificial-intelligence or machine-learning model — ours, a vendor’s, or anyone else’s.
  • Targeted advertising.

4. Who we share information with

NYC Housing Connect and participating buildings

When we file a lottery application on your behalf, we submit the relevant subset of your information to NYC Housing Connect, which is operated by the NYC Department of Housing Preservation and Development (“HPD”), and through that platform to the building running the lottery. This is the whole point of the Service. We submit only what each lottery actually requires.

What HPD and buildings do with your information is governed by their own policies, not this one.

Service providers

We rely on a small set of US-based service providers to operate the Service. Each handles specific data, only for purposes we direct, under written confidentiality and security obligations. We don’t name them publicly to avoid handing competitors a roadmap of our stack, but we describe them by category and purpose:

  • Hosting provider — runs the website and the application you interact with.
  • Database and authentication provider — stores your account, profile, household information, and lottery-activity records, and handles login. Data is encrypted at rest, in US-based regions.
  • Payment processor — handles billing and stores your payment method. The processor is the source of truth for billing data.
  • Email delivery provider — sends transactional email (welcome, billing receipts, lottery notifications, password resets, etc.).
  • Product-analytics provider — collects product-analytics data (page views, clicks, errors).

If you want the specific names of these providers — for example, to review their own privacy practices — email us at hello@mylotkey.com and we’ll send them.

Legal and safety

We may disclose your information when we reasonably believe doing so is necessary to:

  • Comply with a subpoena, court order, or other legal process.
  • Enforce our Terms of Service or this policy.
  • Investigate or prevent fraud, security threats, abuse, or harm to users, LotKey, or the public.
  • Protect anyone’s legal rights, property, or safety.

When we receive a request, we’ll review it carefully, push back when it seems overbroad, and — except in emergencies or where legally prohibited — tell you about it before disclosing your information.

Business transfers

If LotKey is involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We’ll require the successor to honor this policy or notify you and give you a reasonable chance to delete your account first.

What we never do

We don’t sell your information, share it for cross-context behavioral advertising, share it with data brokers, or use it to train AI models. If California law treats certain analytics or tracking activity as a “sale” or “sharing”, we treat the same activity that way and provide opt-outs accordingly (see Section 7).

5. How long we keep your information

We keep information only as long as we need it for the purposes described in this policy, or as long as the law requires.

  • Active accounts: for as long as your account is open. You can edit or remove most of your profile at any time from your account settings.
  • Closed or deleted accounts: we will delete your personal information from active systems within 30 days of your deletion request or account closure. Some information may persist in encrypted backups for up to 90 days after that, after which it ages out automatically.
  • Billing records: we (and our payment processor) keep transaction records for at least 7 years, as required by US tax and accounting rules. These are kept separately from your profile.
  • Inactive accounts: if you don’t sign in for 24 months, we’ll email the address on your account. If you don’t respond within 30 days, we’ll close and delete the account on the same schedule above.
  • Lottery applications already submitted: once an application has been filed with HPD or a building, that submission lives on their systems independent of ours. We can delete our copy of the application record on the schedule above, but we cannot delete it from HPD’s or any building’s records.
  • Aggregated and anonymized data: data that has been aggregated or stripped of personal identifiers may be kept indefinitely, since it can’t be linked back to you.
  • Legal hold: if we’re required to preserve information for an investigation, claim, or legal proceeding, we’ll keep it for as long as required by that hold, and only for that purpose.

6. Your choices and rights

Always available, regardless of where you live

  • Access and edit. Sign in to view and update your profile, household details, and preferences.
  • Export. Email hello@mylotkey.com and we’ll send you a portable copy of your data within 30 days.
  • Delete. You can delete your account from your account settings or by emailing us. Deletion follows the schedule in Section 5.
  • Opt out of marketing email. Click the unsubscribe link in any marketing message, or change your preferences in your account. Service emails (billing, lottery notifications, account-security messages) continue while your account is open — those are part of the Service.
  • Opt out of SMS. Reply STOP to any text from us, or change your preferences in your account.

If you live in California

The California Consumer Privacy Act (as amended by the CPRA) gives California residents specific rights:

  • Right to know. What personal information we’ve collected about you, where it came from, why we use it, and who we’ve shared it with — all listed in this policy. You can also request the specific pieces tied to you.
  • Right to delete. Request deletion of personal information we have about you, subject to limited exceptions (for example, information we’re legally required to keep).
  • Right to correct. Ask us to correct inaccurate information.
  • Right to opt out of sale or sharing. We don’t sell personal information or share it for cross-context behavioral advertising. If you nonetheless want to send us an opt-out for the record, email us with the subject line “Do Not Sell or Share”.
  • Right to limit use of sensitive personal information. We only use sensitive information (income, household composition, self-attested status) to run the Service — we don’t use it for any of the purposes that would trigger the right to limit under CPRA. If that ever changes, we’ll add an opt-out.
  • Right to non-discrimination. We will not deny you the Service, charge you a different price, or give you a lower quality of service for exercising any of these rights.

To exercise any of these, email hello@mylotkey.com. We may need to verify your identity (typically by confirming you control the email address on the account). You can also have an authorized agent submit a request, with proof of authorization.

If you live in New York

We follow the New York SHIELD Act’s requirements for reasonable safeguards and breach notification. If you have a question or concern about your information that we can’t resolve, you can contact the New York Attorney General’s office.

7. Cookies and tracking

We use a small number of cookies and similar technologies:

  • Strictly necessary. A session cookie keeps you signed in and remembers your authentication state. The site doesn’t work without it.
  • Analytics. Our product-analytics provider drops a cookie to recognize returning visitors and stitch together page-view sessions. We use this to understand which features people use and to find bugs.

We don’t use third-party advertising cookies, fingerprinting, or cross-site tracking technologies.

You can clear cookies in your browser at any time, or set your browser to refuse them. Most modern browsers also support a Global Privacy Control (GPC) signal, which we treat as a valid opt-out of analytics tracking for users who send it.

8. Security

We use industry-standard safeguards to protect your information:

  • Data is encrypted in transit (TLS) and at rest in our database.
  • Production access is limited to a small number of people, behind multi-factor authentication and audit logging.
  • Passwords are stored as salted hashes, never in plain text.
  • Payment data lives at our payment processor, not on our servers.

No system is completely secure. If we ever discover a breach affecting your personal information, we’ll notify you and the appropriate authorities as required by law (under New York’s SHIELD Act and any other applicable rules), without undue delay.

9. Children’s privacy

The Service is for adults. You must be at least 18 years old to create an account. We don’t knowingly collect personal information from anyone under 18. If we learn we’ve collected information from a child, we’ll delete it. If you’re a parent or guardian and believe your child has given us information, email hello@mylotkey.com.

10. Where your information lives

Your information is stored on servers located in the United States. The Service is intended for use in the United States. If you access the Service from outside the US, you’re consenting to having your information transferred to and processed in the US, where data-protection laws may differ from those in your country.

11. Changes to this policy

We may update this policy from time to time. If we make a material change, we’ll post the updated policy here and email you at least 30 days before it takes effect. Your continued use of the Service after the effective date means you accept the updated policy. The “Effective” date at the top of this page will always tell you when the current version began.

12. How to reach us

For privacy questions, requests, or anything else: hello@mylotkey.com.

You read a privacy policy. That’s genuinely impressive. Email us if anything is unclear.