Privacy Policy

Your Data, Your Control.

We're hosts too. We treat your data the way we'd want ours treated — with respect, transparency, and zero funny business.

Last updated: June 16, 2026

Introduction

HostAssistant is an AI-powered platform that helps vacation rental hosts automate guest communication, manage bookings, and coordinate cleaning. This privacy policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data.

We're a small team based in the Netherlands, building in close collaboration with hosts who test and shape every feature. We take privacy seriously. If something in this policy isn't clear, email us and we'll explain it in plain English.

This policy applies to both host account owners ("Hosts") and the guests who message them ("Guests").

Data We Collect

Host Data (account owners)

  • Email address, display name, password (hashed via Supabase Auth)
  • Property details: addresses, photos, WiFi passwords, check-in instructions, house rules, smart lock codes
  • WhatsApp Business credentials (access tokens, phone numbers) for messaging
  • Stripe billing information: customer ID, subscription status, payment history
  • AI usage: message count, language preferences
  • Account settings: notification preferences, language (nl/en/pt)

Guest Data (end users of our hosts)

  • Phone numbers (via WhatsApp messages)
  • Message content (guest questions, check-in requests, issues)
  • Language detected from messages (auto-detected via AI)
  • Booking references (if shared by guest)

No names or email addresses are collected unless explicitly shared by the guest.

System Data

  • IP addresses, browser info (for security and analytics)
  • WhatsApp message logs (inbound/outbound for audit trail)
  • AI-generated replies (stored for quality and compliance)
  • Error logs and performance metrics

How We Use Your Data

We only use your data to make the product work. No ads, no selling, no creepy inferences.

To run the service

Syncing calendars, sending WhatsApp replies, showing you your dashboard — the core features you signed up for.

To generate AI replies

Guest messages are processed by OpenAI GPT-4o-mini to draft replies. This only happens when you've enabled auto-reply. Language detection happens on the server side using the first 280 characters.

To process payments

Stripe handles all billing. We store your Stripe customer ID and subscription status — never your full card details.

To improve the product

Aggregated, anonymized data helps us understand which features hosts use most. We never look at individual guest messages unless you report a bug.

To keep things secure

IP addresses and access logs help us detect and block abuse. Error logs help us fix bugs before they affect your guests.

Data Sharing

We share data with a small number of trusted services — and only what's strictly needed. Here's the full list:

OpenAI

AI reply generation

Guest messages are sent to OpenAI's API to generate reply drafts. OpenAI does not retain this data or use it to train models.

Meta / WhatsApp

Message delivery

Messages are routed through the WhatsApp Cloud API. Subject to Meta's terms of service and privacy policy.

Twilio

WhatsApp messaging

WhatsApp messages are sent via Twilio using the official WhatsApp Business API.

Stripe

Payment processing

Stripe stores billing data and processes payments. We never see your full card number.

Supabase

Database & authentication

All data is stored in PostgreSQL on Supabase, hosted in the EU. Supabase manages authentication and row-level security.

No data is sold to third parties. We don't use advertising trackers or data brokers. Never have, never will.

Your Rights (GDPR)

HostAssistant complies with the GDPR. As a Host, you have the following rights:

Right to access

Request a full export of all your data at any time.

Right to rectification

Edit your profile and property details whenever you want.

Right to erasure

Delete your account and all associated data permanently.

Right to portability

Export your booking history and property data in a standard format.

Right to restrict processing

Disable AI auto-reply, pause calendar sync, or limit integrations.

Right to object

Object to specific processing activities — contact us to discuss.

If you're a Guest messaging a Host who uses HostAssistant: the Host is the data controller for your messages. Contact the Host directly for access or deletion requests. We anonymize all guest messages 90 days after they're received.

Security

End-to-end encryption

WhatsApp messages are encrypted in transit and at rest by Meta's infrastructure.

Row-Level Security (RLS)

Every database query is scoped to the authenticated host. You can only see your own data — enforced at the database level.

JWT authentication

Supabase manages authentication with short-lived JWT tokens that rotate automatically. No session hijacking.

Webhook verification

Stripe and WhatsApp webhooks are cryptographically verified — we never process unverified events.

EU data residency

All data is stored in Supabase's EU region. GDPR-compliant data storage.

Regular security audits

We regularly audit our infrastructure and dependencies for vulnerabilities.

Cookies & Tracking

We keep cookies to the absolute minimum:

Essential cookies

Session management, authentication tokens. Required for the app to function.

Functional cookies

Language preference, theme settings. Purely for convenience.

Analytics

Optional, privacy-focused analytics. No third-party cookies. No cross-site tracking.

Marketing / tracking

None. We don't use them. Period.

Data Retention

  • Guest messages: kept for 90 days, then anonymized.
  • Host data: kept until account deletion. You can delete your account at any time.
  • Billing records: retained as required by tax law (typically 7 years).
  • Error logs: rotated after 30 days.

Contact

If you have questions about this policy or want to exercise your rights — reach out. We answer privacy questions personally.

Data Controller: Vexcore
Response time: Within 48 hours

You have the right to lodge a complaint with your local data protection authority if you believe your data is being processed unlawfully.

This policy may be updated from time to time. We'll notify active hosts by email for any material changes.
