Privacy Policy

1. Introduction

Guestbook ("we", "us", "our") provides a software-as-a-service platform for creating and sharing digital guidebooks for properties. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service. By using Guestbook, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

• Account registration information (name, email address)
• Profile details and user-generated content
• Property information and guidebook content
• Payment information (processed by Stripe; we do not store full credit card numbers)
• Contact information when you reach out to us

2.2 Information Collected Automatically

• Device and browser information (type, version, operating system)
• IP address and approximate location
• Usage data (pages visited, features used, time spent)
• Session information and authentication cookies
• Performance metrics and error logs

2.3 Information from Third Parties

• Payment metadata from Stripe (transaction history, billing status)
• Analytics data from PostHog (usage patterns, feature adoption)
• If you connect third-party services via OAuth or integrations

3. How We Use Your Information

• To provide, maintain, and improve our services
• To authenticate your account and manage your session
• To process payments and manage billing through Stripe
• To analyze usage patterns and improve user experience
• To send you service-related communications (notifications, updates, support)
• To comply with legal obligations and protect our rights
• To detect and prevent fraud, abuse, and security issues

4. Third-Party Services and Data Sharing

We rely on the following service providers to operate our platform. Each receives only the data necessary to perform their function:

4.1 Service Providers

• Vercel: Hosting, deployment, CDN, server logs, and performance metrics. Vercel maintains a Data Processing Addendum (DPA) and subprocessor list available at vercel.com/legal/dpa
• Supabase: Database, authentication, and file storage. Supabase processes data as a data processor under their DPA. See supabase.com/legal/dpa
• PostHog: Analytics and product usage tracking. PostHog is GDPR compliant and provides options for cookieless tracking. See posthog.com/docs/privacy/gdpr-compliance
• Stripe: Payment processing and billing. Stripe handles all payment card data; we do not store full credit card numbers or sensitive payment information.
• Google: Google AdSense (guest-facing pages) and Google Places API (for location autocomplete features).

4.2 Legal Requirements and Business Transfers

We may share your data if required by law, to protect our rights or safety, or in connection with a merger, acquisition, or sale of assets. In such cases, we will ensure similar privacy protections.

5. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Authentication: Session management and user authentication (required for the service to function)
• Analytics: PostHog and Vercel Analytics to understand how our service is used and improve it
• Advertising: Google AdSense on guest-facing pages (where applicable)

You can control cookies through your browser settings, though disabling certain cookies may affect service functionality.

6. Data Retention

• We retain your account and profile information for as long as your account is active or as needed to provide the service
• Transaction and billing data may be retained to satisfy legal, tax, or audit obligations
• Analytics and log data may be retained for up to one year for monitoring, security, and product improvement
• When you delete your account, we will delete or anonymize your personal data within a reasonable timeframe, subject to legal requirements

7. International Data Transfers

Our services are hosted on infrastructure provided by Vercel and Supabase, which may operate in multiple jurisdictions including the United States and European Union. If your data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and our service providers' compliance with GDPR and other data protection frameworks.

8. Security

We implement reasonable technical and organizational measures to protect your data, including:

• Encryption in transit (HTTPS/TLS) and at rest
• Secure authentication and access controls
• Regular security assessments and monitoring
• Infrastructure security provided by our hosting providers

However, no system is completely secure. We will notify you and applicable authorities of any data breach that affects your personal information as required by law.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal obligations)
• Objection: Object to certain types of processing (e.g., analytics)
• Restriction: Request restriction of processing in certain circumstances
• Portability: Request transfer of your data to another service provider
• Withdrawal of Consent: Withdraw consent where processing is based on consent

To exercise these rights, please contact us using the information provided in Section 12. We will respond to your request within 30 days.

10. Children's Privacy

Our service is not intended for children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children without parental consent. If we become aware that we have collected such information, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. We may also notify you via email or through our service for significant changes. Your continued use of the service after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: