Legal

Privacy Policy

The minimum data we need, handled the way we'd want our own data handled.

EFFECTIVE · 2026-04-17UPDATED · 2026-07-02PRIVACY · privacy@restay.ai
Plain-language summaryWe collect the minimum data needed to run restay. We never log into your Airbnb account. We use a small set of trusted vendors to operate the Service. We do not sell your personal information. We do not share your data for cross-context behavioral advertising. We do not use your data to train AI models. We don't make fully automated decisions that produce legal effects for you. You can delete your data any time. Questions or requests? Write to privacy@restay.ai. We respond to every verified request within 30 days.

1. Scope and Introduction

This Privacy Policy describes how restay ("restay," "we," "us," or "our") collects, uses, shares, retains, protects, and otherwise processes personal information when you use the restay website at restay.ai, the subscriber dashboard at app.restay.ai, and all related services (collectively, the "Service").

This policy applies to all users of the Service: visitors, paying subscribers, and hosts who connect a property management system. It does not apply to any third-party websites or services that may be linked from or referenced by the Service.

Our role under data protection law. For purposes of the EU GDPR, the UK GDPR, the Swiss FADP, and similar laws, restay acts as the data controller for personal information processed through the Service, except where we act as a data processor on behalf of subscribers.

By using the Service, you acknowledge this Privacy Policy and agree to our Terms of Service.

2. Information We Collect

We collect information in five categories: information you provide directly, information retrieved from licensed data sources at your direction, information received from property management systems you connect, information collected automatically, and information we derive from your use of the Service.

2.1 Information you provide directly

  • Account information — your email address, name, display preferences, and password. Passwords are handled by our dedicated authentication provider and stored only as salted hashes — restay's own systems never see or store your password in plain text.
  • Listing URLs — Airbnb listing URLs you submit for analysis.
  • Payment information — your billing details, submitted directly to our third-party payment processor. We do not receive, store, or process card numbers, CVV codes, or expiration dates.
  • Custom content — any notes, preferences, feedback, custom descriptions, or configuration you enter into the dashboard.
  • Messages to Rev — the conversational input you send to the Rev AI assistant (paid tiers, where available).
  • Support correspondence — any emails, tickets, or messages you send to us for support, legal, or privacy matters.

2.2 Public listing data retrieved on your behalf

When you submit a listing URL, we retrieve publicly available information about that listing from licensed market data providers. This is the same information any guest can see when browsing Airbnb, including:

  • Listing title, description, photos, amenities, and house rules.
  • Pricing, availability, and calendar information that is publicly displayed.
  • Aggregate review data — ratings, review counts, and review text where publicly available.
  • Market benchmarks and data about comparable listings.

We do not log into your Airbnb account. We do not access your reservations, guest messages, host financial statements, or any information behind an authentication wall on Airbnb or any other platform.

2.3 Property management system (PMS) data

If you are a paid subscriber and you choose to connect a PMS (where this capability has shipped for your tier), we receive real-time data about your bookings, rates, calendar, and availability through a licensed PMS integration partner. This data may include:

  • Booking records (dates, check-in/out, source, gross amount).
  • Rate calendar (current and future nightly rates, min-stay rules, rate plans).
  • Availability (blocked dates, unavailable periods).
  • Property metadata (property name, address, unit type).

We do not request or receive guest personal information from your PMS beyond what is necessary to understand your bookings. PMS connection is entirely opt-in; you can disconnect it at any time — revoke restay's access on the PMS side, or ask us at privacy@restay.ai and we will sever the connection.

2.4 Automatically collected information

  • Device and connection data — IP address, general geographic region derived from IP (city-level only), browser type, operating system, device type, and screen size.
  • Usage data — pages visited, features used, time spent on the Service, referral source, and the date/time of visits.
  • Diagnostic data — error logs, performance metrics, and other technical information necessary to maintain and improve the Service.

2.5 Derived information

As you use the Service, we generate derived information based on the data above — your audit findings, rate recommendations, amenity gap analysis, intelligence findings, and the history of Rev's actions (if applicable). Derived information is stored with your account and used exclusively to deliver the Service to you.

2.6 Information we do not collect

  • Social Security numbers, driver's license numbers, passport numbers, or other government identifiers.
  • Biometric identifiers.
  • Precise geolocation data (we use IP-based city-level region only).
  • Health, medical, or insurance information.
  • Sexual orientation, religious beliefs, union membership, or genetic data.
  • Guest personal information from your PMS beyond basic booking metadata.
  • Contents of guest messages on any platform.

3. How We Handle Public Listing Data

restay accesses publicly available Airbnb listing data through licensed market data providers, specifically to generate the analysis and recommendations you requested.

What we do

  • Retrieve listing data only when you submit a URL or actively use the Service.
  • Use that data exclusively to power your analysis, your dashboard, your briefings, and your Rev interactions.
  • Cache retrieved data for a reasonable period — typically up to one month, aligned to our market-data provider's refresh cycle.
  • Maintain aggregated, anonymized market data to benchmark all subscribers operating in the same area.

What we do not do

  • Log into your Airbnb account or any other platform account you hold.
  • Access private information behind authentication walls.
  • Reproduce or redistribute Airbnb listing content in its original form. Our output is original analysis.
  • Use retrieved content to train, fine-tune, evaluate, or benchmark AI models.
  • Share retrieved content with any third party beyond the licensed data providers and AI inference vendors necessary to deliver the Service.
  • Sell retrieved data to advertisers, data brokers, or competing products.

4. How We Use Your Information

We use the information we collect for the following purposes, and only for these purposes:

  • Delivering the Service — audit reports, dashboard, intelligence briefings, Rev conversations and actions, updated recommendations.
  • Account and subscription management — creating and maintaining your account, processing payments, managing renewals and cancellations, sending service emails.
  • Customer support — responding to your questions, investigating issues, and resolving complaints.
  • Security, fraud, and abuse prevention — detecting and preventing unauthorized access, fraudulent payments, rate-limit abuse, and adversarial attacks on Rev.
  • Service improvement — understanding how the Service is used, identifying bugs, measuring performance, improving features. Aggregated, anonymized wherever possible.
  • Transactional communications — service emails, audit delivery, briefings, billing notices, security alerts. Essential to the Service.
  • Marketing communications — with your consent, product updates and feature announcements. Opt out any time.
  • Legal compliance — meeting our obligations under applicable law, responding to valid legal requests, enforcing our Terms.
  • Business operations — internal record-keeping, financial reporting, tax compliance.

What we do not do with your information:

  • We do not sell your personal information to anyone, ever.
  • We do not share your personal information for cross-context behavioral advertising.
  • We do not use your data to train, fine-tune, or improve any AI model.
  • We do not share your data with advertisers or data brokers.
  • We do not use your data for profiling decisions that produce significant legal effects on you.
  • We do not combine your data with data from third parties for marketing purposes.
  • We do not track your activity across unrelated websites.

5. Legal Bases for Processing (GDPR)

If you are located in the EEA, UK, or Switzerland, the GDPR and similar laws require us to identify the legal basis on which we process your personal information.

Processing purposeLegal basis under GDPR Article 6
Generating your audit, dashboard, briefings, and recommendationsArt. 6(1)(b) — Performance of contract
Powering Rev for paid subscribersArt. 6(1)(b) — Performance of contract
Processing payments and managing your subscriptionArt. 6(1)(b) — Performance of contract
Delivering transactional service emailsArt. 6(1)(b) — Performance of contract
Responding to support requestsArt. 6(1)(f) — Legitimate interest (support)
Detecting and preventing fraud, abuse, prompt-injectionArt. 6(1)(f) — Legitimate interest (security)
Aggregated, anonymized service analyticsArt. 6(1)(f) — Legitimate interest (improvement)
Marketing emails and product announcementsArt. 6(1)(a) — Consent (opt-out available)
Tax, financial, and corporate record-keepingArt. 6(1)(c) — Legal obligation
Responding to valid legal requests, subpoenas, court ordersArt. 6(1)(c) — Legal obligation

You have the right to object to any processing based on legitimate interest at any time by contacting privacy@restay.ai.

6. Service Providers and Subprocessors

We rely on a small set of trusted providers to operate the Service. They are contractually required to protect your data, use it only for their specific function on our behalf, and comply with applicable data protection laws.

  • Payment processing — charging and managing subscription fees.
  • Application and database hosting — running the Service and storing your account, subscription, and dashboard data.
  • Market data licensing — retrieving publicly available Airbnb listing data on your behalf.
  • Property management system integration — connecting subscribers' PMS accounts (paid tiers, where available).
  • AI inference — generating audit recommendations, briefings, content rewrites, and Rev's conversational output.
  • Transactional email delivery — delivering service emails.
  • Error monitoring and operational analytics — maintaining reliability and performance.
  • Content delivery and DDoS protection — serving the Service reliably at scale.

Current subprocessor list

A current list of the specific subprocessors we use — including names, countries of operation, and functions — is available on request at privacy@restay.ai with the subject line Subprocessor List Request.

Data Processing Agreements

Business subscribers who are required to enter into a DPA under GDPR, UK GDPR, or similar laws may request one by emailing privacy@restay.ai with the subject line DPA Request. We offer a standard DPA incorporating the EU Standard Contractual Clauses where required.

Other disclosures

We do not sell your personal information to any third party. We do not share your data with advertisers, data brokers, or analytics companies beyond aggregated, anonymized data described in Section 4.

We may disclose personal information if required by law, court order, subpoena, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of restay, our customers, or the public.

In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, we may transfer your personal information to the successor entity, subject to the same protections described in this policy.

7. AI Processing and Rev

restay uses AI models — provided by a third-party AI inference provider — to generate audit recommendations, intelligence briefings, content rewrites, and Rev's conversational output.

7.1 What we send to the AI provider

  • The context the model needs to generate a response (your listing data, recent comp activity, current recommendations, your question to Rev).
  • Our system prompt, which defines the assistant's behavior, voice, and constraints.

7.2 What we do not send

  • Your payment information.
  • Your password or authentication tokens.
  • Our internal cost data, vendor information, operational configuration, or trade secrets.
  • Personal information about other restay subscribers.
  • Guest personal information.

7.3 What the AI provider does

Our AI provider processes inputs to generate the output you request, then returns it. By contract and the provider's commercial API terms, our AI provider does not use our API inputs or outputs to train, fine-tune, or improve its models. Inputs are retained by the AI provider only as required by their standard retention policy — typically a short window for abuse monitoring, safety, and debugging.

7.4 Prompt injection defense

We operate an input-and-output filter layer between you and our AI provider. This layer inspects messages for adversarial inputs (prompt injection attempts, jailbreaks, encoding attacks, extraction attempts) and inspects output for accidentally disclosed confidential content. Security events are logged for fraud and abuse investigation and retained while your account exists; if you delete your account, security-event records are stripped of the account link and retained in de-identified form.

7.5 Rev actions and audit trail

When Rev executes a confirmed action on your behalf (such as pushing a rate change through your connected PMS), we log the action in full: timestamp, parameters, confirmation source, result, and the state of related records before and after. These records are retained while your account exists. If you delete your account, Rev's conversational action records are deleted with it, and the PMS-write execution journal is retained in de-identified form (the account link is removed) as the audit trail described in Section 3.5 of our Terms of Service.

7.6 No AI training on your data

restay does not use your personal information, your listing data, your PMS data, or your Rev conversations to train, fine-tune, evaluate, or improve any AI model. This applies to all customers on all tiers.

8. Automated Decision-Making

GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.

restay does not make fully automated decisions that produce legal effects or similarly significant effects on you. Our recommendations are advisory. You are always the decision-maker. Rev does not take actions on your listing without your confirmation. There is no automated-execution mode.

9. Sensitive Personal Information

restay does not knowingly collect, use, or disclose sensitive personal information as defined under CPRA, GDPR, or similar laws. This includes SSNs, driver's licenses, IDs, login credentials combined with passwords, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health information, and communication contents where we are not the intended recipient.

10. Data Retention

We retain your personal information only as long as necessary for the purposes described, or as required by law.

Data categoryRetention periodWhy we retain it
Legacy free-audit data (the public free audit is retired — the 7-day trial replaced it)No new records are created; remaining legacy records are deleted with the associated account, or earlier on requestHistorical record cleanup
Active account and subscription dataWhile your account exists. You can delete your account at any time from Settings (processed immediately); cancelled accounts inactive for 12+ months may be deleted per our TermsPerformance of contract, support, dispute resolution
Listing and market data cachesUp to ~1 month (provider refresh cycle); listing-scoped caches deleted with your accountEfficient service delivery
Rev chat history (paid tiers)Duration of subscription; deleted 90 days after cancellationMaintain context across sessions
Rev action logs and audit trailWhile your account exists; on account deletion, Rev action records are deleted and the PMS-write execution journal is retained de-identified (see Section 7.5)Audit trail and dispute resolution
Payment and billing recordsUp to 7 yearsTax, financial, and regulatory obligations
Email delivery logsAs long as needed for deliverability troubleshooting and abuse prevention; delivery metadata is also held by our email delivery provider under its own retention policySupport and deliverability
Security event logsWhile your account exists; de-identified after account deletionFraud and abuse investigation
Support correspondence24 monthsQuality, training, and dispute history
Aggregated, anonymized analyticsMay be retained indefinitely once fully anonymizedService improvement and benchmarking

Request deletion any time at privacy@restay.ai. Verified deletion requests are processed within 30 days, subject to legal retention obligations.

11. Data Security

We implement appropriate technical and organizational measures:

  • All data in transit encrypted via TLS 1.2 or higher.
  • Data at rest encrypted using industry-standard encryption.
  • API keys, tokens, and credentials stored exclusively in secure environment variables.
  • Passwords managed by our dedicated authentication provider as salted hashes; restay never stores passwords in plain text.
  • Database access restricted to authorized server-side processes using least-privilege credentials.
  • Payment data handled exclusively by our PCI-compliant payment processor.
  • Prompt-injection defense layer protecting Rev and the AI pipeline.
  • Rate limiting and abuse detection on all public-facing endpoints.
  • Access to production systems limited to a minimal number of authorized personnel.
  • Regular review of our security practices, dependencies, and subprocessors.
  • Backups encrypted and stored separately from primary systems.

Breach notification. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law, typically within 72 hours.

12. Your Rights (Global)

  • Right of access. Request a copy of the personal data we hold about you.
  • Right to rectification. Request correction of inaccurate data.
  • Right to erasure. Request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing. Request that we limit how we process your data in certain circumstances.
  • Right to data portability. Request your data in a structured, machine-readable format.
  • Right to object. Object to processing based on legitimate interests.
  • Right to withdraw consent. Withdraw consent where processing is based on it.
  • Right not to be subject to automated decision-making. See Section 8.
  • Right to lodge a complaint with your local data protection authority.

You can export a copy of your data (JSON) or delete your account directly from Settings → Account in the dashboard — no email required. For anything else, email privacy@restay.ai with the subject line Privacy Request. We respond within 30 days (or 45 days for complex requests).

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the CCPA as amended by the CPRA gives you specific rights.

13.1 Your California rights

  • Right to know. Categories, specific pieces, sources, business purposes, and categories of third parties.
  • Right to delete. Subject to legal retention obligations.
  • Right to correct. Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell. We do not share for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information. We do not use it beyond what's reasonably necessary.
  • Right to non-discrimination. We will not deny you the Service, charge a different price, or reduce quality for exercising rights.
  • Right to opt out of automated decision-making technology. See Section 8.

13.2 CPRA categories collected

CPRA categorySpecific examplesSold / Shared
IdentifiersEmail, name, IP address, account IDNo
Commercial informationSubscription tier, billing history, listings analyzedNo
Internet or network activityPages visited, features used, referral sourceNo
Customer records (Cal. Civ. Code §1798.80(e))Name, email, billing informationNo
InferencesAudit scores, recommendations, usage patternsNo
Sensitive personal informationNone collectedN/A
Biometric informationNone collectedN/A
Precise geolocationNone collected (city-level region only)N/A

13.3 How to exercise your California rights

Email privacy@restay.ai with the subject line California Privacy Request. We respond within 45 days (or 90 days if more time is needed; we will notify you of the extension).

13.4 "Shine the Light" disclosure

California Civil Code §1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information for third parties' direct marketing.

14. Other US State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws may have rights similar to those in Sections 12 and 13. To exercise any applicable state privacy right, email privacy@restay.ai with the subject line State Privacy Request and identify your state of residence.

15. International Data Transfers

restay is based in the United States. If you are outside the United States, your information may be transferred to, stored in, and processed in the United States and in other countries where our providers operate.

When we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards: the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, the Swiss FDPIC-approved transfer mechanism, and supplementary measures (encryption, access controls) where applicable.

16. Cookies and Tracking

We use a minimal set of cookies and similar technologies:

  • Essential cookies. Required for session management, authentication, load balancing, and form security.
  • Preference cookies. Remember dashboard preferences such as light/dark mode.
  • Product analytics. We record a small set of product-milestone events (for example, completing signup or connecting a PMS) with our operational-analytics provider. Events are sent server-side (no analytics cookie), keyed to a pseudonymous internal account identifier, and carry no personal details beyond that identifier and coarse account attributes such as subscription tier. They are never used for advertising and never sold or shared.

What we do not use:

  • Third-party advertising cookies or tracking pixels.
  • Social media tracking embeds.
  • Cross-site behavioral advertising trackers.
  • Fingerprinting technologies.

16.1 Error monitoring and session replay

We partner with an error monitoring provider to help us reproduce and fix bugs in the Service. When the Service encounters an error in your browser, our error monitoring provider may record a short replay of the actions immediately preceding that error so we can see exactly what happened. The recording captures structural events (mouse movements, clicks, scrolls, page transitions, and the affected page's document structure). It does not capture the contents of what you read or type — see the masking rules below.

What we configure session replay to capture:

  • Page navigation events (which pages you visited, in what order).
  • UI interactions (clicks, scrolls, hover, focus, form-submit events — captured as structural events, not the field values).
  • Network request and response metadata (URL, HTTP status, duration —not the request or response body).
  • Browser and viewport metadata (browser version, screen size, page load timing) so we can reproduce the bug in the same environment.

What is masked or blocked by default:

  • All text on the page is masked. Names, email addresses, listing titles, dashboard numbers, and any other text rendered on the page is replaced with placeholder characters (*****) before the recording leaves your browser. Our error monitoring provider receives the structural shape of the page, not its contents.
  • All form inputs are masked. Anything you type into a form field — search boxes, text areas, numeric inputs — is replaced with placeholder characters before recording.
  • All images, videos, and embedded media are blocked.Listing photos, profile photos, and other media are not captured.
  • Payment fields and password fields are never captured.These live inside third-party secure iframes (Stripe Elements, Clerk authentication frames) that are isolated from the recorder by design.
  • Health, financial, biometric, and other sensitive personal information categories defined under applicable laws are outside the scope of what we record (we do not display this content in the Service in the first place).

Sampling and volume:

  • We do not record routine sessions that complete without an error. The default sample rate for normal sessions is zero percent.
  • We do record sessions that produce an error so we can investigate it. That sample rate is capped by our error monitoring provider's plan-level quota.

Retention: recordings are stored by our error monitoring provider for no longer than ninety (90) days from the time of capture, then automatically deleted. Our error monitoring provider does not use the recordings to train models or for any purpose other than providing the error monitoring service to us.

Legal basis (EEA, UK, Switzerland residents). We rely on the legitimate interest basis under Article 6(1)(f) of the GDPR for this processing. Our legitimate interest is the ongoing maintenance, reliability, and improvement of the Service we provide to you. We have balanced this interest against your rights and conclude that the processing is proportionate because we mask all text and inputs by default, we do not record happy-path sessions, recordings are retained for a short period, the recordings are accessible only to a small number of authorized engineering personnel for the purpose of debugging, and you have an unconditional right to opt out (see below). We do not use session replay recordings for advertising, marketing, profiling, automated decision-making, or training AI models.

Opt-out (free, no questions asked). You can opt out of session replay at any time by emailing privacy@restay.ai with the subject line Session Replay Opt-Out and your account email. We will exclude your account from session replay within five (5) business days, and confirm the exclusion to you in writing. Opting out does not affect your ability to use the Service in any way.

17. Do Not Track Signals

Because there is no industry or legal standard for Do Not Track, and because we do not engage in tracking that would be affected by a DNT signal, we do not currently respond to DNT signals in any special way. We recognize the Global Privacy Control signal as a valid opt-out of sale or sharing for California residents.

18. Children's Privacy

The Service is not directed at and not intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a child under 18, we will take reasonable steps to delete it promptly.

19. Data Protection Officer

restay is not currently required to appoint a formal DPO under GDPR Article 37. For all privacy-related matters — data subject rights requests, complaints, breach notifications, DPA requests, subprocessor lists — contact privacy@restay.ai.

20. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. Material changes take effect no sooner than 30 days after notice, except for changes required by law or addressing urgent security or compliance concerns, which may take effect immediately.

21. Contact Us