Privacy Policy
Last updated: February 6, 2026
1. Introduction
AuraStay ("we", "us", or "our") is a Property Management System (PMS) designed for vacation rental property managers and hosts. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
By using AuraStay, you agree to the collection and use of information in accordance with this policy.
2. Data Controller and Processor Roles
Under the General Data Protection Regulation (GDPR) and similar data protection laws:
- You (the User) are the Data Controller for guest and property information that you input or import into AuraStay. You determine the purposes and means of processing this personal data.
- AuraStay acts as a Data Processor on your behalf, processing guest and property data according to your instructions and the functionality of our platform.
- For data we collect directly from you (your account information, usage data), AuraStay is the Data Controller.
3. Information We Collect
3.1 Information You Provide
- Account information: name, email address, password
- Profile information: phone number, company name, address
- Property details: names, addresses, amenities, photos, pricing
- Guest information: names, contact details, booking history
- Payment information: processed securely through Stripe
- Communications: messages, support requests, feedback
3.2 Information from Third-Party Integrations
When you connect external booking platforms (Airbnb, Booking.com, VRBO, etc.), we may receive:
- Listing information: property names, descriptions, photos
- Reservation data: dates, guest names, pricing, confirmation codes
- Calendar availability
- Guest messages (if authorized)
3.3 Automatically Collected Information
- IP address and location data
- Browser type and device information
- Usage data: pages visited, features used, timestamps
- Cookies and similar tracking technologies
4. Third-Party Integrations
AuraStay integrates with third-party booking platforms and services. When you connect these services:
- You authorize AuraStay to access and process data from these services on your behalf
- You remain responsible for compliance with those platforms' terms of service
- Those services' privacy policies apply separately to their handling of your data
- AuraStay is not responsible for third-party service failures, outages, or data loss
- You are responsible for maintaining active connections to your booking channels
4.1 Data Recipients
Your data may be shared with the following categories of third parties:
- Airbnb Ireland UC (when you connect your Airbnb account)
- Booking.com B.V. (when you connect your Booking.com account)
- Expedia Group / VRBO (when you connect your VRBO account)
- Payment processors (Stripe)
- Cloud infrastructure providers (Cloudflare)
- Email service providers (for transactional emails)
5. Airbnb Integration & Data Limitations
When you connect your Airbnb account to AuraStay, please be aware of the following limitations imposed by Airbnb's privacy policies:
5.1 Data We CAN Access from Airbnb
- Listing information (name, description, amenities, photos)
- Reservation details (dates, guest first name, pricing, status)
- Calendar availability
- Messages through Airbnb (if authorized)
5.2 Data We CANNOT Access from Airbnb
- Guest email addresses: Airbnb does not share real guest email addresses. Proxy email addresses may be available with professional hosting tools.
- Guest postal addresses: Airbnb does not share guest address information (country, postal code) with third-party software.
- Historical guest data: Guest details from reservations made before you connected your account cannot be imported due to Airbnb privacy restrictions.
- Payment details: Airbnb payment information is never shared.
AuraStay only accesses data that Airbnb explicitly provides through its Partner API. For complete information about Airbnb's data sharing practices, please reviewAirbnb's Host Privacy Standards.
6. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Synchronize your reservations across booking channels
- Send automated messages on your behalf (with your explicit activation)
- Generate financial reports and owner statements
- Process payments and manage subscriptions
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and requests
- Monitor and analyze usage patterns to improve our platform
- Protect against fraud, abuse, and unauthorized access
7. Data Retention
We retain your data for as long as your account is active or as needed to provide you services. Specific retention periods:
- Account data: Retained while your account is active and for 2 years after closure
- Reservation data: Retained for 7 years for tax and legal compliance
- Financial records: Retained for 7 years as required by law
- Automated logs: Retained for 1 year for troubleshooting and audit purposes
- Usage analytics: Aggregated and anonymized after 90 days
Upon account deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or similar jurisdictions, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at privacy@innovationforge.top. We will respond to your request within one month, or inform you if an extension is needed (up to two additional months for complex requests).
9. Security Measures
AuraStay implements technical and organizational security measures compliant with GDPR Article 32, including:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication available
- Infrastructure Security: Hosted on Cloudflare's global edge network with DDoS protection
- Database Security: Cloudflare D1 with automatic backups and encryption
- OAuth Token Security: Third-party access tokens stored encrypted, refreshed automatically
- Audit Logging: All automated actions logged for accountability
- Regular Testing: Periodic security assessments and vulnerability scanning
10. Sub-processors
We use the following sub-processors to help deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, database, security | USA (global edge) |
| Stripe, Inc. | Payment processing | USA |
| Brevo (Sendinblue) | Transactional emails | France |
| Google LLC | OAuth authentication, analytics | USA |
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- If the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay
- Notification will include: nature of the breach, likely consequences, measures taken or proposed to address it
- We maintain an internal breach register documenting all incidents
12. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processors certified under recognized frameworks
- Cloudflare's Data Processing Addendum and privacy commitments
13. Children's Privacy
AuraStay is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will take steps to delete that information promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: privacy@innovationforge.top
- Website: https://innovationforge.top
You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.