Privacy Policy
The minimum data we need, handled the way we'd want our own data handled.
- Scope and Introduction
- Information We Collect
- How We Handle Public Listing Data
- How We Use Your Information
- Legal Bases (GDPR)
- Service Providers and Subprocessors
- AI Processing and Rev
- Automated Decision-Making
- Sensitive Personal Information
- Data Retention
- Data Security
- Your Rights (Global)
- California Privacy Rights
- Other US State Privacy Rights
- International Data Transfers
- Cookies and Tracking
- Do Not Track Signals
- Children's Privacy
- Data Protection Officer
- Changes to This Policy
- Contact Us
1. Scope and Introduction
This Privacy Policy describes how restay ("restay," "we," "us," or "our") collects, uses, shares, retains, protects, and otherwise processes personal information when you use the restay website at restay.ai, the subscriber dashboard at app.restay.ai, and all related services (collectively, the "Service").
This policy applies to all users of the Service: visitors, paying subscribers, and hosts who connect a property management system. It does not apply to any third-party websites or services that may be linked from or referenced by the Service.
Our role under data protection law. For purposes of the EU GDPR, the UK GDPR, the Swiss FADP, and similar laws, restay acts as the data controller for personal information processed through the Service, except where we act as a data processor on behalf of subscribers.
By using the Service, you acknowledge this Privacy Policy and agree to our Terms of Service.
2. Information We Collect
We collect information in five categories: information you provide directly, information retrieved from licensed data sources at your direction, information received from property management systems you connect, information collected automatically, and information we derive from your use of the Service.
2.1 Information you provide directly
- Account information — your email address, name, display preferences, and password. Passwords are handled by our dedicated authentication provider and stored only as salted hashes — restay's own systems never see or store your password in plain text.
- Listing URLs — Airbnb listing URLs you submit for analysis.
- Payment information — your billing details, submitted directly to our third-party payment processor. We do not receive, store, or process card numbers, CVV codes, or expiration dates.
- Custom content — any notes, preferences, feedback, custom descriptions, or configuration you enter into the dashboard.
- Messages to Rev — the conversational input you send to the Rev AI assistant (paid tiers, where available).
- Support correspondence — any emails, tickets, or messages you send to us for support, legal, or privacy matters.
2.2 Public listing data retrieved on your behalf
When you submit a listing URL, we retrieve publicly available information about that listing from licensed market data providers. This is the same information any guest can see when browsing Airbnb, including:
- Listing title, description, photos, amenities, and house rules.
- Pricing, availability, and calendar information that is publicly displayed.
- Aggregate review data — ratings, review counts, and review text where publicly available.
- Market benchmarks and data about comparable listings.
We do not log into your Airbnb account. We do not access your reservations, guest messages, host financial statements, or any information behind an authentication wall on Airbnb or any other platform.
2.3 Property management system (PMS) data
If you are a paid subscriber and you choose to connect a PMS (where this capability has shipped for your tier), we receive real-time data about your bookings, rates, calendar, and availability through a licensed PMS integration partner. This data may include:
- Booking records (dates, check-in/out, source, gross amount).
- Rate calendar (current and future nightly rates, min-stay rules, rate plans).
- Availability (blocked dates, unavailable periods).
- Property metadata (property name, address, unit type).
We do not request or receive guest personal information from your PMS beyond what is necessary to understand your bookings. PMS connection is entirely opt-in; you can disconnect it at any time — revoke restay's access on the PMS side, or ask us at privacy@restay.ai and we will sever the connection.
2.4 Automatically collected information
- Device and connection data — IP address, general geographic region derived from IP (city-level only), browser type, operating system, device type, and screen size.
- Usage data — pages visited, features used, time spent on the Service, referral source, and the date/time of visits.
- Diagnostic data — error logs, performance metrics, and other technical information necessary to maintain and improve the Service.
2.5 Derived information
As you use the Service, we generate derived information based on the data above — your audit findings, rate recommendations, amenity gap analysis, intelligence findings, and the history of Rev's actions (if applicable). Derived information is stored with your account and used exclusively to deliver the Service to you.
2.6 Information we do not collect
- Social Security numbers, driver's license numbers, passport numbers, or other government identifiers.
- Biometric identifiers.
- Precise geolocation data (we use IP-based city-level region only).
- Health, medical, or insurance information.
- Sexual orientation, religious beliefs, union membership, or genetic data.
- Guest personal information from your PMS beyond basic booking metadata.
- Contents of guest messages on any platform.
3. How We Handle Public Listing Data
restay accesses publicly available Airbnb listing data through licensed market data providers, specifically to generate the analysis and recommendations you requested.
What we do
- Retrieve listing data only when you submit a URL or actively use the Service.
- Use that data exclusively to power your analysis, your dashboard, your briefings, and your Rev interactions.
- Cache retrieved data for a reasonable period — typically up to one month, aligned to our market-data provider's refresh cycle.
- Maintain aggregated, anonymized market data to benchmark all subscribers operating in the same area.
What we do not do
- Log into your Airbnb account or any other platform account you hold.
- Access private information behind authentication walls.
- Reproduce or redistribute Airbnb listing content in its original form. Our output is original analysis.
- Use retrieved content to train, fine-tune, evaluate, or benchmark AI models.
- Share retrieved content with any third party beyond the licensed data providers and AI inference vendors necessary to deliver the Service.
- Sell retrieved data to advertisers, data brokers, or competing products.
4. How We Use Your Information
We use the information we collect for the following purposes, and only for these purposes:
- Delivering the Service — audit reports, dashboard, intelligence briefings, Rev conversations and actions, updated recommendations.
- Account and subscription management — creating and maintaining your account, processing payments, managing renewals and cancellations, sending service emails.
- Customer support — responding to your questions, investigating issues, and resolving complaints.
- Security, fraud, and abuse prevention — detecting and preventing unauthorized access, fraudulent payments, rate-limit abuse, and adversarial attacks on Rev.
- Service improvement — understanding how the Service is used, identifying bugs, measuring performance, improving features. Aggregated, anonymized wherever possible.
- Transactional communications — service emails, audit delivery, briefings, billing notices, security alerts. Essential to the Service.
- Marketing communications — with your consent, product updates and feature announcements. Opt out any time.
- Legal compliance — meeting our obligations under applicable law, responding to valid legal requests, enforcing our Terms.
- Business operations — internal record-keeping, financial reporting, tax compliance.
What we do not do with your information:
- We do not sell your personal information to anyone, ever.
- We do not share your personal information for cross-context behavioral advertising.
- We do not use your data to train, fine-tune, or improve any AI model.
- We do not share your data with advertisers or data brokers.
- We do not use your data for profiling decisions that produce significant legal effects on you.
- We do not combine your data with data from third parties for marketing purposes.
- We do not track your activity across unrelated websites.
5. Legal Bases for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, the GDPR and similar laws require us to identify the legal basis on which we process your personal information.
| Processing purpose | Legal basis under GDPR Article 6 |
|---|---|
| Generating your audit, dashboard, briefings, and recommendations | Art. 6(1)(b) — Performance of contract |
| Powering Rev for paid subscribers | Art. 6(1)(b) — Performance of contract |
| Processing payments and managing your subscription | Art. 6(1)(b) — Performance of contract |
| Delivering transactional service emails | Art. 6(1)(b) — Performance of contract |
| Responding to support requests | Art. 6(1)(f) — Legitimate interest (support) |
| Detecting and preventing fraud, abuse, prompt-injection | Art. 6(1)(f) — Legitimate interest (security) |
| Aggregated, anonymized service analytics | Art. 6(1)(f) — Legitimate interest (improvement) |
| Marketing emails and product announcements | Art. 6(1)(a) — Consent (opt-out available) |
| Tax, financial, and corporate record-keeping | Art. 6(1)(c) — Legal obligation |
| Responding to valid legal requests, subpoenas, court orders | Art. 6(1)(c) — Legal obligation |
You have the right to object to any processing based on legitimate interest at any time by contacting privacy@restay.ai.
6. Service Providers and Subprocessors
We rely on a small set of trusted providers to operate the Service. They are contractually required to protect your data, use it only for their specific function on our behalf, and comply with applicable data protection laws.
- Payment processing — charging and managing subscription fees.
- Application and database hosting — running the Service and storing your account, subscription, and dashboard data.
- Market data licensing — retrieving publicly available Airbnb listing data on your behalf.
- Property management system integration — connecting subscribers' PMS accounts (paid tiers, where available).
- AI inference — generating audit recommendations, briefings, content rewrites, and Rev's conversational output.
- Transactional email delivery — delivering service emails.
- Error monitoring and operational analytics — maintaining reliability and performance.
- Content delivery and DDoS protection — serving the Service reliably at scale.
Current subprocessor list
A current list of the specific subprocessors we use — including names, countries of operation, and functions — is available on request at privacy@restay.ai with the subject line Subprocessor List Request.
Data Processing Agreements
Business subscribers who are required to enter into a DPA under GDPR, UK GDPR, or similar laws may request one by emailing privacy@restay.ai with the subject line DPA Request. We offer a standard DPA incorporating the EU Standard Contractual Clauses where required.
Other disclosures
We do not sell your personal information to any third party. We do not share your data with advertisers, data brokers, or analytics companies beyond aggregated, anonymized data described in Section 4.
We may disclose personal information if required by law, court order, subpoena, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of restay, our customers, or the public.
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, we may transfer your personal information to the successor entity, subject to the same protections described in this policy.
7. AI Processing and Rev
restay uses AI models — provided by a third-party AI inference provider — to generate audit recommendations, intelligence briefings, content rewrites, and Rev's conversational output.
7.1 What we send to the AI provider
- The context the model needs to generate a response (your listing data, recent comp activity, current recommendations, your question to Rev).
- Our system prompt, which defines the assistant's behavior, voice, and constraints.
7.2 What we do not send
- Your payment information.
- Your password or authentication tokens.
- Our internal cost data, vendor information, operational configuration, or trade secrets.
- Personal information about other restay subscribers.
- Guest personal information.
7.3 What the AI provider does
Our AI provider processes inputs to generate the output you request, then returns it. By contract and the provider's commercial API terms, our AI provider does not use our API inputs or outputs to train, fine-tune, or improve its models. Inputs are retained by the AI provider only as required by their standard retention policy — typically a short window for abuse monitoring, safety, and debugging.
7.4 Prompt injection defense
We operate an input-and-output filter layer between you and our AI provider. This layer inspects messages for adversarial inputs (prompt injection attempts, jailbreaks, encoding attacks, extraction attempts) and inspects output for accidentally disclosed confidential content. Security events are logged for fraud and abuse investigation and retained while your account exists; if you delete your account, security-event records are stripped of the account link and retained in de-identified form.
7.5 Rev actions and audit trail
When Rev executes a confirmed action on your behalf (such as pushing a rate change through your connected PMS), we log the action in full: timestamp, parameters, confirmation source, result, and the state of related records before and after. These records are retained while your account exists. If you delete your account, Rev's conversational action records are deleted with it, and the PMS-write execution journal is retained in de-identified form (the account link is removed) as the audit trail described in Section 3.5 of our Terms of Service.
7.6 No AI training on your data
restay does not use your personal information, your listing data, your PMS data, or your Rev conversations to train, fine-tune, evaluate, or improve any AI model. This applies to all customers on all tiers.
8. Automated Decision-Making
GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.
restay does not make fully automated decisions that produce legal effects or similarly significant effects on you. Our recommendations are advisory. You are always the decision-maker. Rev does not take actions on your listing without your confirmation. There is no automated-execution mode.
9. Sensitive Personal Information
restay does not knowingly collect, use, or disclose sensitive personal information as defined under CPRA, GDPR, or similar laws. This includes SSNs, driver's licenses, IDs, login credentials combined with passwords, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health information, and communication contents where we are not the intended recipient.
10. Data Retention
We retain your personal information only as long as necessary for the purposes described, or as required by law.
| Data category | Retention period | Why we retain it |
|---|---|---|
| Legacy free-audit data (the public free audit is retired — the 7-day trial replaced it) | No new records are created; remaining legacy records are deleted with the associated account, or earlier on request | Historical record cleanup |
| Active account and subscription data | While your account exists. You can delete your account at any time from Settings (processed immediately); cancelled accounts inactive for 12+ months may be deleted per our Terms | Performance of contract, support, dispute resolution |
| Listing and market data caches | Up to ~1 month (provider refresh cycle); listing-scoped caches deleted with your account | Efficient service delivery |
| Rev chat history (paid tiers) | Duration of subscription; deleted 90 days after cancellation | Maintain context across sessions |
| Rev action logs and audit trail | While your account exists; on account deletion, Rev action records are deleted and the PMS-write execution journal is retained de-identified (see Section 7.5) | Audit trail and dispute resolution |
| Payment and billing records | Up to 7 years | Tax, financial, and regulatory obligations |
| Email delivery logs | As long as needed for deliverability troubleshooting and abuse prevention; delivery metadata is also held by our email delivery provider under its own retention policy | Support and deliverability |
| Security event logs | While your account exists; de-identified after account deletion | Fraud and abuse investigation |
| Support correspondence | 24 months | Quality, training, and dispute history |
| Aggregated, anonymized analytics | May be retained indefinitely once fully anonymized | Service improvement and benchmarking |
Request deletion any time at privacy@restay.ai. Verified deletion requests are processed within 30 days, subject to legal retention obligations.
11. Data Security
We implement appropriate technical and organizational measures:
- All data in transit encrypted via TLS 1.2 or higher.
- Data at rest encrypted using industry-standard encryption.
- API keys, tokens, and credentials stored exclusively in secure environment variables.
- Passwords managed by our dedicated authentication provider as salted hashes; restay never stores passwords in plain text.
- Database access restricted to authorized server-side processes using least-privilege credentials.
- Payment data handled exclusively by our PCI-compliant payment processor.
- Prompt-injection defense layer protecting Rev and the AI pipeline.
- Rate limiting and abuse detection on all public-facing endpoints.
- Access to production systems limited to a minimal number of authorized personnel.
- Regular review of our security practices, dependencies, and subprocessors.
- Backups encrypted and stored separately from primary systems.
Breach notification. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law, typically within 72 hours.
12. Your Rights (Global)
- Right of access. Request a copy of the personal data we hold about you.
- Right to rectification. Request correction of inaccurate data.
- Right to erasure. Request deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing. Request that we limit how we process your data in certain circumstances.
- Right to data portability. Request your data in a structured, machine-readable format.
- Right to object. Object to processing based on legitimate interests.
- Right to withdraw consent. Withdraw consent where processing is based on it.
- Right not to be subject to automated decision-making. See Section 8.
- Right to lodge a complaint with your local data protection authority.
You can export a copy of your data (JSON) or delete your account directly from Settings → Account in the dashboard — no email required. For anything else, email privacy@restay.ai with the subject line Privacy Request. We respond within 30 days (or 45 days for complex requests).
13. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the CCPA as amended by the CPRA gives you specific rights.
13.1 Your California rights
- Right to know. Categories, specific pieces, sources, business purposes, and categories of third parties.
- Right to delete. Subject to legal retention obligations.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell. We do not share for cross-context behavioral advertising.
- Right to limit use of sensitive personal information. We do not use it beyond what's reasonably necessary.
- Right to non-discrimination. We will not deny you the Service, charge a different price, or reduce quality for exercising rights.
- Right to opt out of automated decision-making technology. See Section 8.
13.2 CPRA categories collected
| CPRA category | Specific examples | Sold / Shared |
|---|---|---|
| Identifiers | Email, name, IP address, account ID | No |
| Commercial information | Subscription tier, billing history, listings analyzed | No |
| Internet or network activity | Pages visited, features used, referral source | No |
| Customer records (Cal. Civ. Code §1798.80(e)) | Name, email, billing information | No |
| Inferences | Audit scores, recommendations, usage patterns | No |
| Sensitive personal information | None collected | N/A |
| Biometric information | None collected | N/A |
| Precise geolocation | None collected (city-level region only) | N/A |
13.3 How to exercise your California rights
Email privacy@restay.ai with the subject line California Privacy Request. We respond within 45 days (or 90 days if more time is needed; we will notify you of the extension).
13.4 "Shine the Light" disclosure
California Civil Code §1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information for third parties' direct marketing.
14. Other US State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws may have rights similar to those in Sections 12 and 13. To exercise any applicable state privacy right, email privacy@restay.ai with the subject line State Privacy Request and identify your state of residence.
15. International Data Transfers
restay is based in the United States. If you are outside the United States, your information may be transferred to, stored in, and processed in the United States and in other countries where our providers operate.
When we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards: the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, the Swiss FDPIC-approved transfer mechanism, and supplementary measures (encryption, access controls) where applicable.
16. Cookies and Tracking
We use a minimal set of cookies and similar technologies:
- Essential cookies. Required for session management, authentication, load balancing, and form security.
- Preference cookies. Remember dashboard preferences such as light/dark mode.
- Product analytics. We record a small set of product-milestone events (for example, completing signup or connecting a PMS) with our operational-analytics provider. Events are sent server-side (no analytics cookie), keyed to a pseudonymous internal account identifier, and carry no personal details beyond that identifier and coarse account attributes such as subscription tier. They are never used for advertising and never sold or shared.
What we do not use:
- Third-party advertising cookies or tracking pixels.
- Social media tracking embeds.
- Cross-site behavioral advertising trackers.
- Fingerprinting technologies.
16.1 Error monitoring and session replay
We partner with an error monitoring provider to help us reproduce and fix bugs in the Service. When the Service encounters an error in your browser, our error monitoring provider may record a short replay of the actions immediately preceding that error so we can see exactly what happened. The recording captures structural events (mouse movements, clicks, scrolls, page transitions, and the affected page's document structure). It does not capture the contents of what you read or type — see the masking rules below.
What we configure session replay to capture:
- Page navigation events (which pages you visited, in what order).
- UI interactions (clicks, scrolls, hover, focus, form-submit events — captured as structural events, not the field values).
- Network request and response metadata (URL, HTTP status, duration —not the request or response body).
- Browser and viewport metadata (browser version, screen size, page load timing) so we can reproduce the bug in the same environment.
What is masked or blocked by default:
- All text on the page is masked. Names, email addresses, listing titles, dashboard numbers, and any other text rendered on the page is replaced with placeholder characters (
*****) before the recording leaves your browser. Our error monitoring provider receives the structural shape of the page, not its contents. - All form inputs are masked. Anything you type into a form field — search boxes, text areas, numeric inputs — is replaced with placeholder characters before recording.
- All images, videos, and embedded media are blocked.Listing photos, profile photos, and other media are not captured.
- Payment fields and password fields are never captured.These live inside third-party secure iframes (Stripe Elements, Clerk authentication frames) that are isolated from the recorder by design.
- Health, financial, biometric, and other sensitive personal information categories defined under applicable laws are outside the scope of what we record (we do not display this content in the Service in the first place).
Sampling and volume:
- We do not record routine sessions that complete without an error. The default sample rate for normal sessions is zero percent.
- We do record sessions that produce an error so we can investigate it. That sample rate is capped by our error monitoring provider's plan-level quota.
Retention: recordings are stored by our error monitoring provider for no longer than ninety (90) days from the time of capture, then automatically deleted. Our error monitoring provider does not use the recordings to train models or for any purpose other than providing the error monitoring service to us.
Legal basis (EEA, UK, Switzerland residents). We rely on the legitimate interest basis under Article 6(1)(f) of the GDPR for this processing. Our legitimate interest is the ongoing maintenance, reliability, and improvement of the Service we provide to you. We have balanced this interest against your rights and conclude that the processing is proportionate because we mask all text and inputs by default, we do not record happy-path sessions, recordings are retained for a short period, the recordings are accessible only to a small number of authorized engineering personnel for the purpose of debugging, and you have an unconditional right to opt out (see below). We do not use session replay recordings for advertising, marketing, profiling, automated decision-making, or training AI models.
Opt-out (free, no questions asked). You can opt out of session replay at any time by emailing privacy@restay.ai with the subject line Session Replay Opt-Out and your account email. We will exclude your account from session replay within five (5) business days, and confirm the exclusion to you in writing. Opting out does not affect your ability to use the Service in any way.
17. Do Not Track Signals
Because there is no industry or legal standard for Do Not Track, and because we do not engage in tracking that would be affected by a DNT signal, we do not currently respond to DNT signals in any special way. We recognize the Global Privacy Control signal as a valid opt-out of sale or sharing for California residents.
18. Children's Privacy
The Service is not directed at and not intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a child under 18, we will take reasonable steps to delete it promptly.
19. Data Protection Officer
restay is not currently required to appoint a formal DPO under GDPR Article 37. For all privacy-related matters — data subject rights requests, complaints, breach notifications, DPA requests, subprocessor lists — contact privacy@restay.ai.
20. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. Material changes take effect no sooner than 30 days after notice, except for changes required by law or addressing urgent security or compliance concerns, which may take effect immediately.
21. Contact Us
- Privacy requests and data rights: privacy@restay.ai
- Legal notices and formal correspondence: legal@restay.ai
- General questions and support: hello@restay.ai