Legal

Privacy Policy

The minimum data we need, handled the way we'd want our own data handled.

EFFECTIVE · 2026-04-17
UPDATED · 2026-04-17
PRIVACY · privacy@restay.ai

Plain-language summary

We collect the minimum data needed to run restay. We never log into your Airbnb account. We use a small set of trusted vendors to operate the Service. We do not sell your personal information. We do not share your data for cross-context behavioral advertising. We do not use your data to train AI models. We don't make fully automated decisions that produce legal effects for you. You can delete your data any time. Questions or requests? Write to privacy@restay.ai. We respond to every verified request within 30 days.

1. Scope and Introduction

This Privacy Policy describes how restay ("restay," "we," "us," or "our") collects, uses, shares, retains, protects, and otherwise processes personal information when you use the restay website at restay.ai, the subscriber dashboard at app.restay.ai, the free audit tool, and all related services (collectively, the "Service").

This policy applies to all users of the Service: visitors, free audit users, paying subscribers, and hosts who connect a property management system. It does not apply to any third-party websites or services that may be linked from or referenced by the Service.

Our role under data protection law. For purposes of the EU GDPR, the UK GDPR, the Swiss FADP, and similar laws, restay acts as the data controller for personal information processed through the Service, except where we act as a data processor on behalf of subscribers.

By using the Service, you acknowledge this Privacy Policy and agree to our Terms of Service.

2. Information We Collect

We collect information in five categories: information you provide directly, information retrieved from licensed data sources at your direction, information received from property management systems you connect, information collected automatically, and information we derive from your use of the Service.

2.1 Information you provide directly

  • Account information — your email address, name, display preferences, and password (hashed and salted; we never store passwords in plain text).
  • Listing URLs — Airbnb listing URLs you submit for analysis.
  • Payment information — your billing details, submitted directly to our third-party payment processor. We do not receive, store, or process card numbers, CVV codes, or expiration dates.
  • Custom content — any notes, preferences, feedback, custom descriptions, or configuration you enter into the dashboard.
  • Messages to Rev — the conversational input you send to the Rev AI assistant (paid tiers, where available).
  • Support correspondence — any emails, tickets, or messages you send to us for support, legal, or privacy matters.

2.2 Public listing data retrieved on your behalf

When you submit a listing URL, we retrieve publicly available information about that listing from licensed market data providers. This is the same information any guest can see when browsing Airbnb, including:

  • Listing title, description, photos, amenities, and house rules.
  • Pricing, availability, and calendar information that is publicly displayed.
  • Aggregate review data — ratings, review counts, and review text where publicly available.
  • Market benchmarks and data about comparable listings.

We do not log into your Airbnb account. We do not access your reservations, guest messages, host financial statements, or any information behind an authentication wall on Airbnb or any other platform.

2.3 Property management system (PMS) data

If you are a paid subscriber and you choose to connect a PMS (where this capability has shipped for your tier), we receive real-time data about your bookings, rates, calendar, and availability through a licensed PMS integration partner. This data may include:

  • Booking records (dates, check-in/out, source, gross amount).
  • Rate calendar (current and future nightly rates, min-stay rules, rate plans).
  • Availability (blocked dates, unavailable periods).
  • Property metadata (property name, address, unit type).

We do not request or receive guest personal information from your PMS beyond what is necessary to understand your bookings. PMS connection is entirely opt-in; you can disconnect it at any time from your dashboard.

2.4 Automatically collected information

  • Device and connection data — IP address, general geographic region derived from IP (city-level only), browser type, operating system, device type, and screen size.
  • Usage data — pages visited, features used, time spent on the Service, referral source, and the date/time of visits.
  • Diagnostic data — error logs, performance metrics, and other technical information necessary to maintain and improve the Service.

2.5 Derived information

As you use the Service, we generate derived information based on the data above — your 15-factor audit score, rate recommendations, amenity gap analysis, intelligence findings, and the history of Rev's actions (if applicable). Derived information is stored with your account and used exclusively to deliver the Service to you.

2.6 Information we do not collect

  • Social Security numbers, driver's license numbers, passport numbers, or other government identifiers.
  • Biometric identifiers.
  • Precise geolocation data (we use IP-based city-level region only).
  • Health, medical, or insurance information.
  • Sexual orientation, religious beliefs, union membership, or genetic data.
  • Guest personal information from your PMS beyond basic booking metadata.
  • Contents of guest messages on any platform.

3. How We Handle Public Listing Data

restay accesses publicly available Airbnb listing data through licensed market data providers, specifically to generate the analysis and recommendations you requested.

What we do

  • Retrieve listing data only when you submit a URL or actively use the Service.
  • Use that data exclusively to power your analysis, your dashboard, your briefings, and your Rev interactions.
  • Cache retrieved data for a reasonable period — typically 24 to 72 hours for rate data and up to 7 days for structural listing data.
  • Maintain aggregated, anonymized market data to benchmark all subscribers operating in the same area.

What we do not do

  • Log into your Airbnb account or any other platform account you hold.
  • Access private information behind authentication walls.
  • Reproduce or redistribute Airbnb listing content in its original form. Our output is original analysis.
  • Use retrieved content to train, fine-tune, evaluate, or benchmark AI models.
  • Share retrieved content with any third party beyond the licensed data providers and AI inference vendors necessary to deliver the Service.
  • Sell retrieved data to advertisers, data brokers, or competing products.

4. How We Use Your Information

We use the information we collect for the following purposes, and only for these purposes:

  • Delivering the Service — audit reports, dashboard, intelligence briefings, Rev conversations and actions, updated recommendations.
  • Account and subscription management — creating and maintaining your account, processing payments, managing renewals and cancellations, sending service emails.
  • Customer support — responding to your questions, investigating issues, and resolving complaints.
  • Security, fraud, and abuse prevention — detecting and preventing unauthorized access, fraudulent payments, rate-limit abuse, and adversarial attacks on Rev.
  • Service improvement — understanding how the Service is used, identifying bugs, measuring performance, improving features. Aggregated, anonymized wherever possible.
  • Transactional communications — service emails, audit delivery, briefings, billing notices, security alerts. Essential to the Service.
  • Marketing communications — with your consent, product updates and feature announcements. Opt out any time.
  • Legal compliance — meeting our obligations under applicable law, responding to valid legal requests, enforcing our Terms.
  • Business operations — internal record-keeping, financial reporting, tax compliance.

What we do not do with your information:

  • We do not sell your personal information to anyone, ever.
  • We do not share your personal information for cross-context behavioral advertising.
  • We do not use your data to train, fine-tune, or improve any AI model.
  • We do not share your data with advertisers or data brokers.
  • We do not use your data for profiling decisions that produce significant legal effects on you.
  • We do not combine your data with data from third parties for marketing purposes.
  • We do not track your activity across unrelated websites.

5. Legal Bases for Processing (GDPR)

If you are located in the EEA, UK, or Switzerland, the GDPR and similar laws require us to identify the legal basis on which we process your personal information.

| Processing purpose | Legal basis under GDPR Article 6 |
| --- | --- |
| Generating your audit, dashboard, briefings, and recommendations | Art. 6(1)(b) — Performance of contract |
| Powering Rev for paid subscribers | Art. 6(1)(b) — Performance of contract |
| Processing payments and managing your subscription | Art. 6(1)(b) — Performance of contract |
| Delivering transactional service emails | Art. 6(1)(b) — Performance of contract |
| Responding to support requests | Art. 6(1)(f) — Legitimate interest (support) |
| Detecting and preventing fraud, abuse, prompt-injection | Art. 6(1)(f) — Legitimate interest (security) |
| Aggregated, anonymized service analytics | Art. 6(1)(f) — Legitimate interest (improvement) |
| Marketing emails and product announcements | Art. 6(1)(a) — Consent (opt-out available) |
| Tax, financial, and corporate record-keeping | Art. 6(1)(c) — Legal obligation |
| Responding to valid legal requests, subpoenas, court orders | Art. 6(1)(c) — Legal obligation |

You have the right to object to any processing based on legitimate interest at any time by contacting privacy@restay.ai.

6. Service Providers and Subprocessors

We rely on a small set of trusted providers to operate the Service. They are contractually required to protect your data, use it only for their specific function on our behalf, and comply with applicable data protection laws.

  • Payment processing — charging and managing subscription fees.
  • Application and database hosting — running the Service and storing your account, subscription, and dashboard data.
  • Market data licensing — retrieving publicly available Airbnb listing data on your behalf.
  • Property management system integration — connecting subscribers' PMS accounts (paid tiers, where available).
  • AI inference — generating audit recommendations, briefings, content rewrites, and Rev's conversational output.
  • Transactional email delivery — delivering service emails.
  • Error monitoring and operational analytics — maintaining reliability and performance.
  • Content delivery and DDoS protection — serving the Service reliably at scale.

Current subprocessor list

A current list of the specific subprocessors we use — including names, countries of operation, and functions — is available on request at privacy@restay.ai with the subject line Subprocessor List Request.

Data Processing Agreements

Business subscribers who are required to enter into a DPA under GDPR, UK GDPR, or similar laws may request one by emailing privacy@restay.ai with the subject line DPA Request. We offer a standard DPA incorporating the EU Standard Contractual Clauses where required.

Other disclosures

We do not sell your personal information to any third party. We do not share your data with advertisers, data brokers, or analytics companies beyond aggregated, anonymized data described in Section 4.

We may disclose personal information if required by law, court order, subpoena, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of restay, our customers, or the public.

In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, we may transfer your personal information to the successor entity, subject to the same protections described in this policy.

7. AI Processing and Rev

restay uses AI models — provided by a third-party AI inference provider — to generate audit recommendations, intelligence briefings, content rewrites, and Rev's conversational output.

7.1 What we send to the AI provider

  • The context the model needs to generate a response (your listing data, recent comp activity, current recommendations, your question to Rev).
  • Our system prompt, which defines the assistant's behavior, voice, and constraints.

7.2 What we do not send

  • Your payment information.
  • Your password or authentication tokens.
  • Our internal cost data, vendor information, operational configuration, or trade secrets.
  • Personal information about other restay subscribers.
  • Guest personal information.

7.3 What the AI provider does

Our AI provider processes inputs to generate the output you request, then returns it. By contract and the provider's commercial API terms, our AI provider does not use our API inputs or outputs to train, fine-tune, or improve its models. Inputs are retained by the AI provider only as required by their standard retention policy — typically a short window for abuse monitoring, safety, and debugging.

7.4 Prompt injection defense

We operate an input-and-output filter layer between you and our AI provider. This layer inspects messages for adversarial inputs (prompt injection attempts, jailbreaks, encoding attacks, extraction attempts) and inspects output for accidentally disclosed confidential content. Security events may be logged for up to 12 months for fraud and abuse investigation.

7.5 Rev actions and audit trail

When Rev executes a confirmed action on your behalf (such as pushing a rate change through your connected PMS), we log the action in full: timestamp, parameters, confirmation source, result, and the state of related records before and after. Retained for the duration of your subscription plus twelve (12) months after cancellation.

7.6 No AI training on your data

restay does not use your personal information, your listing data, your PMS data, or your Rev conversations to train, fine-tune, evaluate, or improve any AI model. This applies to all customers on all tiers.

8. Automated Decision-Making

GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.

restay does not make fully automated decisions that produce legal effects or similarly significant effects on you. Our recommendations are advisory. You are always the decision-maker. Rev does not take actions on your listing without your confirmation, except where you have explicitly enabled automated execution with parameters you defined.

9. Sensitive Personal Information

restay does not knowingly collect, use, or disclose sensitive personal information as defined under CPRA, GDPR, or similar laws. This includes SSNs, driver's licenses, IDs, login credentials combined with passwords, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health information, and communication contents where we are not the intended recipient.

10. Data Retention

We retain your personal information only as long as necessary for the purposes described, or as required by law.

| Data category | Retention period | Why we retain it |
| --- | --- | --- |
| Free audit data (no account created) | 90 days after audit, then deleted | Abuse prevention and audit recreation |
| Active account and subscription data | Duration of subscription plus 90 days | Performance of contract, support, dispute resolution |
| Listing and market data caches | 24 hours to 7 days; deleted within 30 days of account closure | Efficient service delivery |
| Rev chat history (paid tiers) | Duration of subscription; deleted 90 days after cancellation | Maintain context across sessions |
| Rev action logs and audit trail | Duration of subscription plus 12 months | Audit trail and dispute resolution |
| Payment and billing records | Up to 7 years | Tax, financial, and regulatory obligations |
| Email delivery logs | 90 days | Support and deliverability |
| Security event logs | 12 months | Fraud and abuse investigation |
| Support correspondence | 24 months | Quality, training, and dispute history |
| Aggregated, anonymized analytics | May be retained indefinitely once fully anonymized | Service improvement and benchmarking |

Request deletion any time at privacy@restay.ai. Verified deletion requests are processed within 30 days, subject to legal retention obligations.

11. Data Security

We implement appropriate technical and organizational measures:

  • All data in transit encrypted via TLS 1.2 or higher.
  • Data at rest encrypted using industry-standard encryption.
  • API keys, tokens, and credentials stored exclusively in secure environment variables.
  • Passwords hashed and salted; no plain-text storage.
  • Database access restricted to authorized server-side processes using least-privilege credentials.
  • Payment data handled exclusively by our PCI-compliant payment processor.
  • Prompt-injection defense layer protecting Rev and the AI pipeline.
  • Rate limiting and abuse detection on all public-facing endpoints.
  • Access to production systems limited to a minimal number of authorized personnel.
  • Regular review of our security practices, dependencies, and subprocessors.
  • Backups encrypted and stored separately from primary systems.

Breach notification. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law, typically within 72 hours.

12. Your Rights (Global)

  • Right of access. Request a copy of the personal data we hold about you.
  • Right to rectification. Request correction of inaccurate data.
  • Right to erasure. Request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing. Request that we limit how we process your data in certain circumstances.
  • Right to data portability. Request your data in a structured, machine-readable format.
  • Right to object. Object to processing based on legitimate interests.
  • Right to withdraw consent. Withdraw consent where processing is based on it.
  • Right not to be subject to automated decision-making. See Section 8.
  • Right to lodge a complaint with your local data protection authority.

Email privacy@restay.ai with the subject line Privacy Request. We respond within 30 days (or 45 days for complex requests).

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the CCPA as amended by the CPRA gives you specific rights.

13.1 Your California rights

  • Right to know. Categories, specific pieces, sources, business purposes, and categories of third parties.
  • Right to delete. Subject to legal retention obligations.
  • Right to correct. Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell. We do not share for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information. We do not use it beyond what's reasonably necessary.
  • Right to non-discrimination. We will not deny you the Service, charge a different price, or reduce quality for exercising rights.
  • Right to opt out of automated decision-making technology. See Section 8.

13.2 CPRA categories collected

| CPRA category | Specific examples | Sold / Shared |
| --- | --- | --- |
| Identifiers | Email, name, IP address, account ID | No |
| Commercial information | Subscription tier, billing history, listings analyzed | No |
| Internet or network activity | Pages visited, features used, referral source | No |
| Customer records (Cal. Civ. Code §1798.80(e)) | Name, email, billing information | No |
| Inferences | Audit scores, recommendations, usage patterns | No |
| Sensitive personal information | None collected | N/A |
| Biometric information | None collected | N/A |
| Precise geolocation | None collected (city-level region only) | N/A |

13.3 How to exercise your California rights

Email privacy@restay.ai with the subject line California Privacy Request. We respond within 45 days (or 90 days if more time is needed; we will notify you of the extension).

13.4 "Shine the Light" disclosure

California Civil Code §1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information for third parties' direct marketing.

14. Other US State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws may have rights similar to those in Sections 12 and 13. To exercise any applicable state privacy right, email privacy@restay.ai with the subject line State Privacy Request and identify your state of residence.

15. International Data Transfers

restay is based in the United States. If you are outside the United States, your information may be transferred to, stored in, and processed in the United States and in other countries where our providers operate.

When we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards: the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, the Swiss FDPIC-approved transfer mechanism, and supplementary measures (encryption, access controls) where applicable.

16. Cookies and Tracking

We use a minimal set of cookies and similar technologies:

  • Essential cookies. Required for session management, authentication, load balancing, and form security.
  • Preference cookies. Remember dashboard preferences such as light/dark mode.
  • Privacy-preserving analytics. Lightweight, cookieless or pseudonymous analytics. Not tied to individual users.

What we do not use:

  • Third-party advertising cookies or tracking pixels.
  • Social media tracking embeds.
  • Cross-site behavioral advertising trackers.
  • Fingerprinting technologies.
  • Session recording or replay tools.

17. Do Not Track Signals

Because there is no industry or legal standard for Do Not Track, and because we do not engage in tracking that would be affected by a DNT signal, we do not currently respond to DNT signals in any special way. We recognize the Global Privacy Control signal as a valid opt-out of sale or sharing for California residents.

18. Children's Privacy

The Service is not directed at and not intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a child under 18, we will take reasonable steps to delete it promptly.

19. Data Protection Officer

restay is not currently required to appoint a formal DPO under GDPR Article 37. For all privacy-related matters — data subject rights requests, complaints, breach notifications, DPA requests, subprocessor lists — contact privacy@restay.ai.

20. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. Material changes take effect no sooner than 30 days after notice, except for changes required by law or addressing urgent security or compliance concerns, which may take effect immediately.

21. Contact Us