Privacy Policy

Last updated: 21 May 2026

1. Information We Collect

We collect information you provide directly: account details (name, email), property information, guest conversation data, and files you upload. We also collect usage data (page views, feature usage) and technical data (IP address, browser type).

2. How We Use Your Data

We use your data to: provide and improve the Service; process guest messages through AI; send you notifications and service emails; enforce our terms; and comply with legal obligations. See /legal/ai for AI-specific disclosures under EU AI Act Article 50.

3. AI Processing

Guest messages are processed by third-party AI models (via OpenRouter — see sub-processors) to generate responses. We send only the necessary context. We do not use guest content to train any model.

4. Data Storage

Your data is stored on MongoDB Atlas (cloud database) and Cloudflare R2 (file storage). All data is encrypted in transit (TLS 1.2+). At rest, the database uses storage-layer AES-256 encryption; additional fields including channel credentials (Telegram bot tokens, Google Drive refresh tokens, Twilio sub-account tokens) and entries in the optional access-secrets store are encrypted at the application layer with AES-256-GCM. Access codes pasted into free-text property notes rely on storage-layer encryption only — use the dedicated access-secrets store for application-layer protection.

5. Data Sharing

We do not sell your data. We share data only with the third-party services listed on our sub-processors register, each engaged under a written data-processing agreement (where the provider offers one).

6. Data Retention

Account and conversation data are retained for the life of your account. Account deletion: when you delete your account from settings, we schedule deletion for 30 days later (a grace period during which you can sign in to cancel). After the grace period, your data is removed from production within a further 30 days; copies in encrypted backups age out within 35 days. Guest media files are auto-deleted after 90 days (configurable). Audit-log entries are retained for 2 years. Billing records are retained for 7 years where required by tax law.

7. Your Rights

You can: access all your data; export your data; correct inaccurate data; delete your account; and withdraw consent for non-essential processing. Email [email protected] to exercise any of these rights. We respond within 30 days (extendable to 90 for complex requests, per GDPR Art. 12).

8. Cookies and Analytics

We use strictly-necessary cookies (sign-in session, CSRF) — these are always on. With your consent, we also use optional analytics services: PostHog (product analytics), Google Analytics 4, and Microsoft Clarity. None of these load until you accept the analytics category in our cookie banner. You can change your decision any time via the Cookie settings link in the footer, or reject everything with Do Not Sell or Share My Personal Information. See our cookie policy for details.

9. Contact

For privacy inquiries, email us at [email protected].