Privacy Policy

StayKit ("StayKit," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform at staykit.com and any associated services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Information: When you create an account, we collect your email address and password. You may optionally provide your name and other profile details.

Property Information: If you are a Property Owner, we collect information about your rental property, including property name, description, address, photos, pricing, amenities, house rules, policies, and calendar availability. Your property's street address is stored securely and is never displayed publicly — only an approximate location (offset coordinates) is shown on public maps.

Guest Information: If you are a Guest submitting a booking inquiry or making a payment, we collect your name, email address, phone number, dates of stay, number of guests, and any messages you include with your inquiry.

Guest Contact Records: When a Guest submits an inquiry or completes a booking, their contact information (name, email address, phone number) is automatically added to the Property Owner's contact list within the Service. This contact record may also include booking history (number of stays, total revenue), tags applied by the Property Owner, and the source of the contact (inquiry, booking, manual entry, or CSV import).

Loyalty Program Data: If a Property Owner has enabled a loyalty program, we track the number of completed stays per Guest (derived from booking records) to determine loyalty tier eligibility. Loyalty tier status (e.g., tier name and discount percentage) is associated with the Guest's contact record and may be displayed to the Guest during the booking process.

Promo Code Usage: If a Guest applies a promotional discount code during checkout or inquiry, we record the code used and associate it with the booking record. Promo codes do not contain personal information.

Payment Information: Payment card details are collected and processed directly by Stripe, Inc., our third-party payment processor. StayKit does not store, process, or have access to your full credit card number, CVV, or other sensitive payment card data. See Section 5 for more details.

1.2 Information Collected Automatically

Usage Data: We may collect information about how you access and use the Service, including your IP address, browser type, operating system, referring URLs, pages viewed, and the dates and times of your visits.

Cookies and Similar Technologies: We use essential cookies to maintain your login session and preferences. We may use analytics cookies to understand how the Service is used. You can control cookie settings through your browser. The Service uses Supabase authentication cookies that are necessary for the Service to function — disabling these cookies may prevent you from logging in.

Spam Protection: We use Cloudflare Turnstile on guest-facing forms (inquiry submissions, booking checkouts) to distinguish legitimate users from bots. Cloudflare may collect certain device and browser information for this purpose. Cloudflare's handling of data is governed by Cloudflare's Privacy Policy.

vCard Download Tracking: If a Guest downloads a Property Owner's digital contact card (vCard) from a property site, we record the download event, including the referring source and basic device information (user agent). This data is used to provide download analytics to the Property Owner and does not include the Guest's personal information unless they subsequently submit an inquiry or booking.

1.3 Information from Third Parties

OTA Import: If you use our import feature to bring in listing data from platforms like VRBO or Airbnb, we process the data you provide (pasted HTML or fetched page data) to extract property details. We do not access your accounts on those platforms.

iCal Synchronization: If you provide an iCal feed URL from another booking platform, we periodically fetch that feed to sync your calendar availability. The iCal feed may contain booking dates and limited booking details.

CSV Contact Import: Property Owners may import guest contact lists via CSV file upload. Imported contacts include name, email, phone, and optional tags. StayKit processes this data on behalf of the Property Owner and stores it within the Service. The Property Owner is responsible for ensuring they have the right to share this contact information with StayKit and that the import complies with applicable data protection laws.

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Service; create and manage your account; display your property listing on your public booking page; process booking inquiries and facilitate communication between Property Owners and Guests; process payments through Stripe; sync calendar availability across platforms via iCal; geocode your property address to display an approximate location on maps; auto-suggest nearby points of interest based on your property location; manage guest contact records on behalf of Property Owners, including associating booking history, loyalty tier status, and tags with guest contact information; facilitate Property Owner marketing to Guests through contact management tools, promo codes, loyalty programs, and direct booking materials; classify and categorize property photos using artificial intelligence to suggest labels and categories; verify that form submissions are from real users using Cloudflare Turnstile spam protection; track vCard contact card downloads for Property Owner analytics; send transactional emails (account verification, password resets, inquiry notifications, booking confirmations); improve, personalize, and develop new features for the Service; detect, investigate, and prevent fraudulent or unauthorized activity; comply with legal obligations; and communicate with you about your account, changes to the Service, or these policies.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

Public Property Listings: Information you include in your property listing (property name, description, photos, pricing, amenities, policies, approximate map location, and calendar availability) is displayed publicly on your StayKit booking page. Your street address, email, and account details are never displayed publicly.

Guest Data Shared with Property Owners: When a Guest submits a booking inquiry, makes a booking, or otherwise interacts with a property listing, their contact information (name, email address, phone number) and interaction history (inquiry details, booking dates, stay history) are shared with the relevant Property Owner through the Service's contact management tools. Property Owners may use this information for: (a) communications directly related to bookings and stays, including confirmations, check-in instructions, and post-stay follow-up; (b) marketing communications about the Property Owner's properties, including future booking promotions, loyalty program notifications, returning guest discounts, and direct booking incentives; and (c) any other purpose permitted by applicable law.

Guests acknowledge that by submitting an inquiry, making a booking, or providing contact information through a StayKit-powered property site, their information will be shared with the Property Owner and may be used for marketing purposes. Guests may opt out of Property Owner marketing by contacting the Property Owner directly or using any opt-out mechanism provided in the Property Owner's communications. Opting out of marketing does not affect transactional communications related to active or past bookings.

Property Owners are solely responsible for complying with applicable marketing and data protection laws (including CAN-SPAM, TCPA, and CCPA) when using Guest contact information obtained through the Service. StayKit provides tools for managing contacts but does not monitor or guarantee the legality of how Property Owners use Guest data.

Payment Processing: We share necessary transaction data with Stripe to process payments. Stripe's handling of your data is governed by Stripe's Privacy Policy.

Mapping Services: We share your property's coordinates (not street address) with Mapbox to display maps and suggest nearby points of interest. Mapbox's handling of data is governed by Mapbox's Privacy Policy.

AI Photo Processing: When Property Owners upload photos, those photos may be sent to Anthropic (the provider of the Claude AI model) for automated classification and categorization. Anthropic processes the image to suggest a category and descriptive label. No personal information, guest data, financial data, or account credentials are sent to Anthropic — only the photo image. Anthropic's handling of data is governed by Anthropic's Privacy Policy.

Service Providers: We use third-party service providers to operate the Service, including Supabase (database and authentication), Vercel (hosting), Resend (email delivery), Cloudflare (spam protection), Anthropic (AI photo classification), Mapbox (geocoding and maps), and Google Workspace (internal email). These providers access your data only as necessary to perform services on our behalf and are obligated to protect it.

Email Delivery: We use Resend as our email delivery service to send transactional emails (booking confirmations, inquiry notifications, payment receipts, check-in reminders, and other operational communications). Resend processes recipient email addresses and email content on our behalf. Resend's handling of data is governed by Resend's Privacy Policy.

Spam Protection: We use Cloudflare Turnstile to protect guest-facing forms from automated abuse. Cloudflare may process device and browser characteristics to assess whether a submission is legitimate. No personal form data is shared with Cloudflare for this purpose. Cloudflare's handling of data is governed by Cloudflare's Privacy Policy.

Legal Requirements: We may disclose your information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

Business Transfers: If StayKit is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4. Property Address Privacy

We take special care to protect the physical location of rental properties. Your property's full street address is stored in our database but is never exposed on your public booking page, in API responses, or to Guests. The public neighborhood map displays only an approximate location using coordinates that are deterministically offset by approximately 200–400 meters from your actual address. This protects your property while still giving Guests a general sense of the neighborhood.

5. Payment Data and PCI Compliance

StayKit uses Stripe to process all payments. When a Guest enters payment information, that data is collected directly by Stripe through their secure, PCI-DSS compliant payment elements embedded on our site. StayKit never receives, stores, processes, or has access to full credit card numbers or sensitive payment authentication data.

We receive only limited transaction information from Stripe, including transaction amounts, status, the last four digits of the card used, and Stripe transaction identifiers, which we store for record-keeping and display in the Property Owner's payments dashboard.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes (e.g., payment transaction records may be retained for up to 7 years for tax compliance).

Property photos stored in our system will be deleted when you remove them from your listing or when your account is terminated. Backups containing your data may persist for up to 30 days after deletion before being purged.

Soft-Deleted Properties: When a Property Owner deletes a property, the property data is retained in a soft-deleted state for up to 6 months to allow for potential restoration. After 6 months, soft-deleted property data is eligible for permanent deletion. Guest contact records, bookings, and inquiries associated with a deleted property are retained for the same period.

Guest Contact Records: Guest contact information stored in the Property Owner's contact list is retained for as long as the Property Owner's account is active. If a Guest requests removal of their contact information, they should contact the Property Owner directly. Property Owners can delete individual contact records through the Service's contact management tools. If a Property Owner's account is terminated, associated guest contact records are deleted in accordance with the account deletion timeline described above.

Payment and Booking Records: Booking records, payment transaction records, and rental agreement records may be retained for up to 7 years after the transaction date for tax, legal, and regulatory compliance purposes, even if the associated account is deleted.

Loyalty and Promotion Data: Loyalty tier history and promo code usage records are retained as part of the booking record and follow the same retention schedule as booking data.

7. Data Security

We implement reasonable technical and organizational measures to protect your personal information, including: encryption of data in transit using TLS/SSL; encryption of data at rest in our database; row-level security (RLS) policies ensuring users can only access their own data; secure authentication using Supabase Auth with PKCE flow; and access controls limiting employee access to personal data.

However, no method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security. You are responsible for keeping your account credentials secure.

8. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

Access and Portability: You may request a copy of the personal information we hold about you.

Correction: You may update or correct your personal information through your account settings or by contacting us.

Deletion: You may request deletion of your account and personal information by contacting us at support@staykit.com. We will process deletion requests within 30 days, subject to legal retention requirements.

Opt-Out of StayKit Marketing: If StayKit sends promotional or platform marketing emails, you may opt out by clicking the unsubscribe link in any such email. Transactional emails related to bookings, payments, account activity, and security are not optional and cannot be unsubscribed from while your account is active.

Opt-Out of Property Owner Marketing: If you are a Guest and wish to stop receiving marketing communications from a Property Owner, you should contact the Property Owner directly or use any opt-out mechanism provided in their communications. StayKit provides Property Owners with tools to track opt-out preferences (the contact opt-out flag), but StayKit does not send marketing emails on behalf of Property Owners and cannot control how Property Owners use contact information outside of the Service. If you are unable to reach a Property Owner or believe your opt-out request is not being honored, you may contact us at support@staykit.com and we will make reasonable efforts to assist.

Guest Contact Data Deletion: If you are a Guest and wish to have your contact information removed from a Property Owner's contact list within the Service, you may contact us at support@staykit.com. We will process the request within 30 days. Note that this removes your contact record from the Service's contact management tools only — it does not affect any data the Property Owner may have exported or copied outside of StayKit, which is the Property Owner's responsibility.

Cookie Controls: You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Opt-Out of Sale: We do not sell your personal information as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising.

Data Shared with Property Owners: Under the CCPA/CPRA, the sharing of Guest contact information with Property Owners as described in Section 3 may constitute a "business purpose" disclosure. We share Guest information with Property Owners solely to facilitate the rental transaction and enable Property Owners to communicate with Guests about bookings and property-related marketing. This sharing is disclosed to Guests at the point of data collection (during inquiry submission and booking checkout). Guests may request information about the categories of data shared with Property Owners by contacting us at support@staykit.com.

Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at support@staykit.com. We will verify your identity before processing your request.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@staykit.com.

11. International Data Transfers

StayKit is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.

12. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by StayKit. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party service you interact with.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when this Privacy Policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

StayKit
Email: support@staykit.com
Website: staykit.com