Locker management — physical and RFID

The locker is the most underrated component at a bath. Nobody markets it, but if it doesn't work the guest stays angry — and argues at reception for 15 minutes. Lunda supports two locker patterns and we've burned ourselves on each in ways worth remembering.

Pattern A — numbered key, tracked on the pass

The traditional layout: every locker has a physical key, the key has a numbered wristband or chip. The guest:

1. Enters, gets the key at the gate or at reception.
2. Has the chip scanned, the backend records: "guest X received locker 142 at 09:23".
3. Opens the locker with the physical key and takes the key with them.
4. On exit returns the key, the backend closes the allocation.

Upsides: simple, reliable, cheap. Downsides: keys get lost (4–6 lost keys / month at a typical mid-size pool), and you can't reissue them on demand.

Lunda tracks: which key is with which guest, when issued, when returned. If someone walks off with a key (or loses it), the system flags it after 24 hours and adds a pop-up note to the guest profile.

Pattern B — RFID-locked self-service

The modern alternative: RFID locks on the lockers, the guest opens / closes with their pass card or wristband. The guest:

1. Enters, gets a wristband (or their existing pass card works).
2. Walks to a locker, taps the wristband to the lock → the lock engages (and the allocation is active).
3. Comes back, taps the wristband again → it opens.
4. On exit returns the wristband or keeps it linked to the pass.

Upsides: no losable key, the guest picks their own locker, faster. Downsides: more expensive (RFID lock €60–120 / locker), and there's a failure mode we hit.

The March 2026 bug

In March one customer running RFID locks logged a complaint: the guest closed the locker in the morning, went swimming, came back and the wristband wouldn't open. Everything was inside — phone, keys, wallet.

The investigation: the guest's ticket was 90-minute (a time-limited promo ticket bought online). At minute 89 they engaged the locker and went swimming — at minute 91 the ticket auto-deactivated in the entry-control system. The locker module shared the same guest token and once deactivated, it no longer recognised it.

Fix (rollout 2 weeks later): grace period for the locker. If the guest's ticket expires, the locker stays openable with the same token for another 60 minutes. In that window the guest either exits, or extends the ticket at reception. The 60 minutes is a hard limit — after that the locker can only be opened physically (with the master key).

We've enabled this grace period by default at every Lunda customer running RFID locks since. No similar complaint since.

Per-customer configuration

Lunda supports both patterns and many customers mix them:

• Ground-floor / general lockers — RFID lock, self-service.
• Premium lockers (extra fee, bigger, more secure zone) — physical key, because the guest finds it more reassuring ("I have the key").
• For groups / school groups — physical key, easier for the group leader to manage.

In the admin UI it's per-locker which zone uses which pattern. The Lunda backend keeps the same allocation record for both.

Lesson

The locker isn't an afterthought — this is where guests' belongings can be lost and where complaints stick. We support two patterns, and the March 2026 grace-period bug is the lesson: when a ticket expires, don't kill the locker the same second.