Privacy Policy

Last updated: December 1, 2025

1. Introduction

Welcome to GuestLoop ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

GuestLoop provides a Guest Relationship & Rebooking Engine for vacation rental property owners ("Hosts") to manage guest communications, digital guidebooks, and marketing campaigns.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password (encrypted)
  • Property Information: Property details, addresses, amenities, photos
  • Guest Information: Guest names, email addresses, phone numbers, booking details
  • Payment Information: Processed securely through Stripe (we do not store credit card numbers)
  • Communication Content: Email campaigns, SMS messages, guidebook content

2.2 Information Collected Automatically

  • Usage Data: Pages viewed, features used, time spent on platform
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Server logs, error reports, performance metrics
  • Cookies: Session cookies, authentication tokens, preferences
  • Security Events: Login attempts, failed authentications, account lockouts (for security monitoring)

2.3 Information from Third Parties

  • OAuth Providers: Google (if you sign up with Google)
  • Integration Partners: Booking platforms (Airbnb, Booking.com, VRBO) if you connect them
  • Payment Processor: Stripe (payment status, subscription details)

3. How We Use Your Information

  • Provide Services: Enable you to create guidebooks, send campaigns, manage guests
  • Account Management: Create and maintain your account, process payments, provide support
  • Communications: Send service updates, security alerts, billing notifications
  • Security: Detect fraud, prevent abuse, monitor for security threats
  • Analytics: Improve our platform, understand usage patterns, develop new features
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes
  • Marketing: Send promotional emails (you can opt out anytime)

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Service Providers: Third-party vendors who help us operate our platform (hosting, email delivery, analytics)
  • Payment Processing: Stripe (for subscription billing)
  • At Your Direction: When you connect integrations or share guidebooks with guests
  • Legal Requirements: When required by law, subpoena, or court order
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize us to share your information

5. Third-Party Services We Use

  • Neon Database: Database hosting (SOC 2 compliant, encrypted at rest)
  • Vercel: Application hosting (HTTPS enforced, SOC 2 compliant)
  • Upstash Redis: Caching and rate limiting (encrypted in transit)
  • Stripe: Payment processing (PCI DSS compliant)
  • Resend: Transactional email delivery (GDPR compliant)
  • Twilio: SMS delivery (SOC 2 compliant)
  • Google OAuth: Optional login method

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Authentication: Secure password hashing (bcrypt), optional 2FA with TOTP
  • Access Controls: Role-based permissions, admin oversight
  • Monitoring: 24/7 security monitoring, automated threat detection
  • Audit Logging: Comprehensive audit trail of all security events (2-year retention)
  • Rate Limiting: Protection against brute force and DDoS attacks
  • Session Management: Automatic timeout (2 hours idle, 12 hours absolute)
  • Account Lockout: Automatic lockout after 5 failed login attempts

7. Data Retention

  • Account Data: Retained while your account is active
  • Guest Data: Retained as long as you maintain it in your account
  • Audit Logs: Retained for 2 years for security and compliance
  • Billing Records: Retained for 7 years for tax compliance
  • Deleted Accounts: Personal data deleted within 30 days of account deletion (except as required by law)

8. Your Privacy Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal data
  • Data Portability: Receive your data in a machine-readable format
  • Opt-Out: Unsubscribe from marketing emails
  • Restrict Processing: Limit how we use your data
  • Object: Object to certain types of processing

To exercise these rights, email us at privacy@guestloop.com.

9. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Understand how you use our platform

You can control cookies through your browser settings, but disabling cookies may limit functionality.

10. Children's Privacy

GuestLoop is not intended for users under 18. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs)
  • Vendor compliance with GDPR and other data protection laws

12. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract Performance: To provide our services to you
  • Legitimate Interests: To improve our platform and prevent fraud
  • Legal Obligation: To comply with applicable laws
  • Consent: For marketing communications (you can withdraw anytime)

13. CCPA Compliance (California Users)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to say no to the sale of personal information (we do not sell your data)
  • Right to deletion
  • Right to non-discrimination for exercising your rights

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a notice on our platform

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Your Consent

By using GuestLoop, you consent to this Privacy Policy and our collection, use, and sharing of your information as described herein.