Hostdeck

Privacy Policy

Last updated: 4 May 2025

Hostdeck ("we", "us", "our") is operated by Hostdeck Limited, a company incorporated in Ireland. This policy explains what personal data we collect, why we collect it, how we protect it, and your rights under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Who we are

Hostdeck is a software-as-a-service platform for short-term rental hosts. Our registered address is Ireland. For data protection enquiries, contact us at privacy@hostdeck.io.

2. Data we collect

2.1 Account data

When you sign up we collect your name, email address, and a hashed password. We do not store plain-text passwords.

2.2 Workspace and property data

When you create a workspace or property we store the names, addresses, and configuration settings you provide. This is necessary to deliver the service.

2.3 Booking and guest data

When you log a booking you may provide guest names, email addresses, and phone numbers. This data is stored solely on your behalf so you can manage your own operations. You are the data controller for your guests' personal data; we act as data processor.

2.4 Financial data

Income, expense records, and uploaded receipts that you enter into the Accounts section are stored and processed on your behalf.

2.5 iCal feed URLs

If you connect an external calendar (e.g. Airbnb, Booking.com), we store the iCal feed URL you provide and periodically fetch its contents to sync your availability. We do not store or share your Airbnb or Booking.com credentials.

2.6 Usage data

We collect standard server logs (IP address, browser type, pages visited, timestamps) to operate and improve the service. Logs are retained for 30 days.

3. Legal basis for processing

  • Contract performance — processing your account, workspace, property, booking, and billing data is necessary to provide the service you have subscribed to.
  • Legitimate interests — server logs and security monitoring are processed in our legitimate interest to maintain a secure and stable service.
  • Legal obligation — we retain certain billing records to comply with Irish and EU tax law.

4. Where your data is stored

All data is stored within the European Economic Area (EEA). Our subprocessors are:

  • Vercel Inc. — application hosting (EU region); Data Processing Agreement in place.
  • Neon Inc. — PostgreSQL database (EU region); Data Processing Agreement in place.
  • Vercel Blob / Vercel Storage — receipt and file storage (EU region).
  • Resend Inc. — transactional email delivery; emails are processed transiently and not retained by Resend beyond delivery.
  • Stripe Inc. — payment processing; Stripe is certified PCI-DSS Level 1. We do not store card numbers on our infrastructure.

5. Data retention

We retain your data for as long as your account is active. If you delete your account, we permanently delete your personal data within 30 days, except where we are required to retain it for legal or accounting purposes (typically 7 years for financial records under Irish company law).

6. Sharing of data

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is shared only with the subprocessors listed above and only to the extent necessary to deliver the service. We may disclose data if required to do so by law or a valid court order.

7. Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure— ask us to delete your personal data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@hostdeck.io. We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie).

8. Cookies

We use a single session cookie to keep you logged in. We do not use third-party tracking cookies or advertising cookies. No cookie banner is required as our cookie is strictly necessary for the service to function.

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Passwords are stored as bcrypt hashes. Access to production data is limited to authorised personnel and is logged and audited. We perform regular dependency and security reviews.

10. Changes to this policy

We may update this policy from time to time. When we make material changes we will notify you by email and update the "Last updated" date above. Continued use of Hostdeck after the effective date constitutes acceptance of the revised policy.

11. Contact

For any privacy-related questions or requests: privacy@hostdeck.io.