
Privacy Policy.

Last updated: June 10, 2026

1. Who we are

Stayful (“Stayful”, “we”, “us”, or “our”) operates a SaaS platform that lets vacation rental property managers run a direct-booking website connected to their Property Management System (PMS). This Privacy Policy explains what personal data we collect from property managers (our customers) and from guests (visitors to sites built on Stayful), how we use it, who we share it with, and the rights you have over it.

This policy applies to stayful.co, the Stayful dashboard, and any tenant subdomain or custom domain operated on the Stayful platform.

2. Data we collect from property managers

  • Account: name, email address, and authentication data (managed by Clerk — we never see your password).
  • Business profile: company name, branding (logo, colors, copy), property descriptions, custom domain.
  • PMS credentials: the API key, OAuth tokens, or client credentials for the PMS you connect (Hostfully, Guesty, Hostaway, OwnerRez, Lodgify, Hospitable, etc.). Stored encrypted at rest with AES-256-GCM.
  • Newsletter integration credentials: API keys and account IDs for Mailchimp, ConvertKit, Klaviyo, MailerLite, StayFi, etc. Stored encrypted at rest with AES-256-GCM.
  • Billing: Stripe customer ID, subscription status, plan tier, trial dates. Payment card numbers and bank account details are handled directly by Stripe — they never touch Stayful's servers.
  • Usage data: dashboard activity (which pages you view, which actions you take), browser type, IP address, and session timestamps for security, debugging, and product improvement.
  • Communications: support emails, feature requests, and any content you send to us.

3. Data we collect from guests on tenant sites

  • Newsletter signups: email address, plus user-agent, referring URL, and IP address (for spam prevention) when a guest submits the newsletter popup or footer form on a tenant site.
  • Booking inquiries: when a guest searches for dates or initiates checkout, we relay name, email, phone number, check-in/out dates, and guest count to the property manager's PMS for fulfillment. The PMS is the system of record for the reservation.
  • Payments: for PMSes that process payment through Stayful's booking widget (e.g. Hospitable, Guesty), card details are collected by Stripe Elements running in the guest's browser and sent directly to Stripe. We never see or store card numbers, CVCs, or full bank details.
  • Site analytics: if the property manager has enabled analytics for their site, we collect anonymized usage metrics (page views, unique visitors, country, referrer) — no personally identifying information.
  • Reviews: reviews displayed on tenant sites are either synced from the property manager's PMS (Airbnb, Vrbo, Booking.com, direct), embedded via a third-party widget like Elfsight, or added manually by the property manager.

4. Cookies and similar technologies

The Stayful dashboard sets essential cookies for authentication (managed by Clerk). Tenant marketing sites set no tracking cookies by default. Tenant sites that enable analytics or third-party embeds (e.g. a reviews widget) may set additional cookies — the property manager is responsible for surfacing a consent banner where required by law (GDPR, ePrivacy, CCPA, etc.).

We honor Global Privacy Control (GPC) and Do Not Track signals where applicable to opt out of any analytics that would otherwise be collected.

5. How we use data

  • To provide, maintain, and improve the Service.
  • To sync property data (listings, photos, descriptions, availability, rates, reviews) from the PMS you connect, and to push reservations back to your PMS where supported.
  • To forward newsletter signups to the mailing-list provider you configure.
  • To process subscription payments and manage your trial / billing state.
  • To diagnose errors and monitor security incidents.
  • To send service-related emails — outages, billing receipts, important product updates, and security notifications. You can opt out of non-essential email at any time.
  • To enforce our Terms and comply with legal obligations.

We do not sell personal data to advertisers, and we do not use guest data from one tenant site for any purpose related to another tenant.

6. Sharing & subprocessors

We share data only with the subprocessors needed to run the Service. Each is contractually required to protect your data and use it only to provide their service to us.

  • Vercel — application hosting, edge delivery, image optimization.
  • Neon — managed Postgres database.
  • Clerk — authentication and account management.
  • Stripe — subscription billing and (for some PMSes) guest booking payments.
  • Vercel Blob — storage for host-uploaded photos and assets.
  • Sentry — error monitoring (no PII intentionally sent; scrubbing rules in place).
  • Resend (or equivalent) — transactional email delivery (account verification, password reset, billing receipts).
  • The PMS provider you connect (Hostfully, Guesty, Hostaway, OwnerRez, Lodgify, Hospitable) — receives booking inquiries and reservations.
  • The mailing-list provider you configure (Mailchimp, ConvertKit, Klaviyo, MailerLite, StayFi, etc.) — receives newsletter signups from your tenant site.

We may also disclose data when required by law (subpoena, court order, lawful government request), to prevent fraud or abuse, or in connection with a corporate transaction (merger, acquisition, asset sale) — with notice to affected parties where legally permitted.

7. International data transfers

Stayful is operated from the United States. If you access the Service from outside the US, your data will be transferred to, stored, and processed in the US (or other countries where our subprocessors operate). Where required by law, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict certain processing, including profiling and direct marketing.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with your local data protection authority (residents of the EEA, UK, and Switzerland).

Property managers can export their newsletter subscribers as CSV from the Subscribers tab in their dashboard at any time. To exercise any other right, email privacy@stayful.co. We'll respond within 30 days. We may verify your identity before acting on a request.

California residents (CCPA / CPRA): you have the right to know what categories of personal information we've collected, sold, or shared (we don't sell), to request deletion, to correct, and to limit the use of sensitive personal information. We do not discriminate against users who exercise these rights.

9. Data retention

We retain account data while your subscription is active and for 90 days after cancellation, after which it's deleted unless longer retention is required by law (tax, accounting, dispute resolution).

Newsletter subscriber records are retained for as long as the property manager's tenant remains active, or until the subscriber unsubscribes or requests deletion.

Database backups are kept for 7 days. Error logs (no PII) are retained for 30 days.

10. Security

We take security seriously and follow industry-standard practices:

  • All traffic encrypted in transit (HTTPS / TLS 1.2+).
  • Sensitive credentials (PMS API keys, mailing-list keys, OAuth tokens) encrypted at rest with AES-256-GCM, with keys held separately from the database.
  • Database access restricted to least-privilege service accounts. Production access requires multi-factor authentication.
  • Continuous error monitoring with redaction of any inadvertently captured personal data.
  • Regular review of subprocessor security posture and access scope.

No system is perfectly secure. In the event of a data incident affecting your personal data, we'll notify you and any applicable regulator within the timelines required by law (within 72 hours for GDPR-covered incidents).

11. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we'll delete it.

12. Property managers as data controllers

For data collected through a tenant site (newsletter signups, booking inquiries, etc.), the property manager operating that site is the data controller and Stayful acts as a data processor on their behalf. The property manager is responsible for posting their own privacy notice on their site, obtaining any required consent, and responding to data subject requests from their guests. A Data Processing Agreement (DPA) is available on request at privacy@stayful.co.

13. Changes to this policy

We'll post material changes at this URL and notify account holders by email. The “Last updated” date at the top of this policy reflects when the current version took effect. Your continued use of the Service after a change indicates acceptance.

14. Contact

For any privacy questions, requests, or complaints, email privacy@stayful.co.