CheckinRulesBack to homepage

Last updated: May 20, 2026

Privacy Policy

1. Information We Collect

Account information

Email, name, organization name, and authentication identifiers when you register.

Property information

Property names, addresses, timezone, notification settings, and rule configuration.

Booking information

Guest names, contact information (phone, email), check-in dates, and booking metadata.

Verification data

Guest responses to attestation questions, electronic signatures, timestamps, IP addresses, and generated PDF records.

Payment information

Billing is processed by Stripe. We store subscription and invoice references, not full card numbers.

Usage and technical data

Application logs (hosted on Vercel), error reports (Sentry, with identifying details minimized where possible), and optional product analytics (PostHog, EU-hosted) when you opt in. Analytics uses a hashed form of your email for identification — we do not send raw email addresses to PostHog. Guest wizard activity is not tracked.

2. How We Use Information

  • Provide, operate, and secure the Service
  • Process payments and manage subscriptions (Stripe)
  • Send guest and host notifications (Twilio, Resend)
  • Sync with property management systems (e.g., OwnerRez) when you connect integrations
  • Improve reliability, support, and product features
  • Comply with legal obligations and enforce our policies

3. Information Sharing

We share data with service providers that help us operate CheckinRules, including:

  • Supabase (database and authentication)
  • Stripe (payments)
  • Twilio (SMS)
  • Resend (email)
  • Vercel (hosting and logs)
  • Sentry (error monitoring)
  • PostHog (optional product analytics, when you consent)
  • OwnerRez and other PMS providers you connect

We may disclose information when required by law (subpoena, court order, or similar legal process). We do not sell personal data to third parties for their marketing purposes.

4. Data Retention

Retention depends on data type and whether your organization still exists:

Account data

  • When you are the sole member of your organization and confirm account deletion via /app/settings/danger, your organization and associated data are permanently removed as part of that confirmation flow.
  • Deletion requires email confirmation; the confirmation link expires 24 hours after you request deletion. If you do not confirm in time, no deletion occurs and your data remains.
  • No grace period for restoration after you confirm deletion. This is intentional: when you confirm, your data is gone.
  • If your organization has multiple users and you delete only your user account, your personal user record is removed; the organization and its data remain for other members.

Verification PDFs

  • Retained while the associated property and organization exist, so you can access evidence from your dashboard.
  • Hard-deleted when the organization is deleted (including sole-member account deletion described above).

Audit logs

  • Default retention: 24 months from the event date (older events may be archived then purged).
  • Billing-related events (payments, subscriptions, invoices, Stripe customer events): 7 years.
  • Verification submission audits (e.g., verification submitted, guest confirmed): retained permanently as part of the legal record while your organization exists; removed when the organization is deleted.

Stripe customer record

  • When your organization is deleted, we cancel active subscriptions and remove our reference to your Stripe customer in our systems.
  • Stripe retains its own records according to Stripe's privacy policy.

5. Your Rights

Depending on your location, you may have rights to:

  • Access personal data we hold about you
  • Export your data (export features may be offered separately)
  • Delete your account via self-service at /app/settings/danger
  • Correct inaccurate account information

GDPR (EU/EEA): You may have rights of access, rectification, erasure, restriction, portability, and objection. Contact us to exercise these rights.

CCPA (California): California residents may have rights to know, delete, and opt out of certain sharing. We do not sell personal information as defined under the CCPA.

6. Cookies and Tracking

  • Essential cookies for session authentication and CSRF protection
  • Optional PostHog analytics cookies and local storage, only if you accept the analytics consent banner or enable analytics in Privacy settings. If you decline, we do not show the banner again unless you change your preference in settings.
  • No third-party advertising or cross-site tracking for ads
  • Sentry for error tracking (configured to limit personal data where feasible)
  • We respect Do Not Track browser settings for optional analytics

7. International Data Transfers

Data may be processed in the United States and other countries where our providers operate. For EU personal data, we rely on appropriate safeguards such as Standard Contractual Clauses where required.

8. Children's Privacy

The Service is not directed at individuals under 18. We do not knowingly collect personal information from children.

9. Changes to Privacy Policy

We may update this policy and will revise the "Last updated" date. Material changes will be communicated to account holders by email where appropriate.

10. Contact

Privacy questions: privacy@checkinrules.com

← Back to homepage