Privacy Policy

TL;DR — Your Privacy at SmoothStay

• We collect only what we need to operate the platform

• We don't sell or rent your personal data

• You own your guidebook content

• AI-generated content uses the data you provide; we do not use your identifiable content to train AI models without your consent

• When you collect guest data through our platform, you are the data controller and we process it on your behalf

• Guidebook analytics use browser timezone for approximate location — no IP address is ever collected or stored

• You can access or delete your data at any time

• We use trusted subprocessors including Lemon Squeezy, Hospitable, and Rybbit

• Questions? Email us at hello@smoothstay.io

1. Information We Collect

a. Information You Provide (Host Data)

• Name, email address, and other contact details when you sign up or contact us

• Property information, descriptions, photos, and other guidebook content you upload

• Statistical information about your brand or organization

• Billing details when you subscribe to a paid plan (processed by Lemon Squeezy)

• Communications you send to our support team

b. Guest Data Collected on Your Behalf

When you enable features such as online check-in, guest registration forms, or the AI chatbot, your guests may provide personal information through the Services. This may include:

• Guest name, email address, phone number

• Identification documents (passport, national ID) submitted via online check-in features

• Arrival and departure details

• Guest queries and responses entered into the AI chatbot

• Any other information guests submit through forms you configure

In these cases, you are the data controller and SmoothStay acts as a data processor on your behalf. You are responsible for ensuring guests are informed about how their data is used and for complying with applicable privacy laws in your jurisdiction. Where you enable guest data collection such as guest registration forms, guests may also provide marketing consent. This consent, including the exact label text the guest agreed to and the timestamp of consent, is stored on your behalf. You are responsible for ensuring your use of this data complies with applicable marketing laws, including CAN-SPAM and GDPR.

c. Automatically Collected Data

When you or your guests use the Services, we may automatically collect:

• Browser type, device type, and preferred language

• Referring and exit pages

• Date and time of visits

• Usage behavior (clicks, pages viewed, chatbot interactions)

• Approximate geographic location (country and region) derived from the browser's timezone setting — not from IP address. No IP address is stored.

d. Third-Party Integration Data

If you connect the Services to a third-party platform such as a property management system (PMS), we may receive data from that platform including reservation details, guest names, booking dates, and property information, to the extent necessary to provide the integration features.

e. Cookies and Tracking Technologies

We use cookies and similar technologies for essential platform functionality and analytics. See Section 10 for full details.

2. How We Use Your Information

We use personal data to:

• Provide, operate, and maintain the Services

• Deliver AI-powered features including guidebook generation and the AI chatbot (see Section 3)

• Communicate with you regarding your account, support requests, and product updates

• Process payments and manage subscriptions

• Improve platform functionality and user experience

• Monitor for fraud, abuse, or security issues

• Comply with legal obligations and enforce our Terms of Service

• Facilitate third-party integrations you have enabled

We do not sell, rent, or share your personal data for advertising purposes.

3. AI Features and Data Use

a. How AI Features Use Your Data

SmoothStay's AI features — including the AI guidebook generator and AI chatbot — use the content and property information you provide to generate outputs. Specifically:

• The AI guidebook generator uses property details, listing URLs, and any information you input to create draft guidebook content.

• The AI chatbot uses the content published in your guidebook to respond to guest queries at runtime.

b. Model Training

We do not use your identifiable Content or Guest Data to train our AI models without your explicit consent. We may use anonymized, aggregated data derived from platform usage to evaluate and improve AI output quality.

c. Third-Party AI Providers

Our AI features are powered by third-party AI providers. These providers may process the inputs you provide as part of generating outputs. We select providers that operate under data processing agreements and data protection standards consistent with this policy. The current providers are listed in our Subprocessors table in Section 8.

d. Guest Chatbot Interactions

When your guests interact with the AI chatbot, their queries are processed in real time to generate a response based on your guidebook content. These interactions may be logged to monitor quality and detect abuse. As the host, you are the data controller for your guests' chatbot interactions; SmoothStay processes them on your behalf.

e. AI-Generated Content Responsibility

AI-generated content may contain errors or inaccuracies. You are responsible for reviewing all AI-generated content before publishing it to guests. SmoothStay is not liable for damages arising from inaccurate AI-generated content that has been published without review.

4. Guest Data: Controller and Processor Roles

a. SmoothStay as Data Processor

Where you use SmoothStay features to collect, store, or process personal data about your guests (such as through online check-in, guest registration forms, or chatbot interactions), SmoothStay processes that data as a data processor on your behalf. You remain the data controller and are solely responsible for:

• Providing guests with appropriate notice about how their data will be used

• Obtaining any required consents from guests

• Ensuring your data collection practices comply with applicable laws in your jurisdiction, including GDPR, LGPD, LFPDPPP, and any other local regulations

b. Data Processing Agreement (DPA)

If you are subject to GDPR or another regulation that requires a Data Processing Agreement between controllers and processors, you may request a DPA by contacting hello@smoothstay.io. Our DPA is consistent with the requirements of GDPR Article 28.

c. Identity Documents (ID Capture)

Where you enable online check-in with identity document capture, guests' identification documents are processed solely for the purpose of completing the check-in process. These documents are handled with heightened security controls. Retention of identity documents is limited to the minimum period required by applicable law or guest registration obligations in your jurisdiction. We do not use identity documents for any purpose beyond facilitating your compliance requirements. Where we integrate with a third-party compliance partner to process these documents, that partner is listed in Section 8.

d. Other Travel Agency (OTA) compliance

Where you use OTA compliance features — such as restricting marketing content on OTA-restricted links — SmoothStay provides tools to assist compliance, but you remain solely responsible for ensuring your guidebook content complies with the terms of service of each booking platform you use.

5. Legal Basis for Processing (EEA / UK Users)

If you are in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

• Performance of a contract — to deliver the Services you subscribed to

• Legitimate interest — for analytics, platform security, fraud prevention, service improvement, and associating guidebook activity with an existing reservation booking relationship

• Consent — for marketing communications

• Legal obligation — to comply with applicable regulations

Where we process guest data on your behalf as a data processor, the legal basis for that processing is determined by you as the data controller.

6. Your Rights

a. EEA / UK Users (GDPR / UK GDPR)

If you reside in the EEA or UK, you may:

• Access the personal data we hold about you

• Correct inaccurate or incomplete information

• Request deletion ("right to be forgotten")

• Restrict or object to processing

• Withdraw consent at any time (without affecting prior lawful processing)

• Request data portability in a machine-readable format

• Lodge a complaint with your local supervisory authority

b. California Residents (CCPA / CPRA)

If you are a California resident, you may:

• Request access to the categories and specific pieces of personal information we have collected

• Request deletion of your personal data

• Opt out of the sale or sharing of your data (we do not sell or share your data)

• Request correction of inaccurate personal information

c. How to Exercise Your Rights

To exercise any of the above rights, email hello@smoothstay.io with sufficient detail to verify your identity. We respond within 30 days of verification. For guest data requests, we may need to redirect you to the host who collected that data, as they are the data controller.

7. Data Storage and Security

Your data is stored using trusted cloud infrastructure that meets industry standards for privacy and security. We implement appropriate technical and organizational safeguards, including:

• Encryption of data in transit (TLS) and at rest

• Secure user authentication

• Role-based access controls limiting internal access to personal data

• Platform and infrastructure monitoring

• Heightened handling controls for identity documents submitted via check-in features

No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required by law, the relevant supervisory authority, within the timeframes required by applicable regulation (72 hours under GDPR where feasible).

8. Subprocessors

We use a limited number of trusted service providers ("subprocessors") to operate and improve SmoothStay. The current list includes:

• Core application hosting and infrastructure — Our platform and all application data are hosted on AWS secure cloud infrastructure (USA)

• Lemon Squeezy — Billing, subscription management, and payment processing; acts as merchant of record (USA)

• Rybbit — Privacy-first website and app analytics; no cookies, no personal data collected, GDPR-compliant by design (Germany, EU)

• LLM providers — AI guidebook generation and AI chatbot responses (USA)

• Loop.so — Email marketing (USA)

• GTranslate — Guidebook translation features (USA and EU)

• Hospitable — PMS integration; reservation data exchange (USA)

9. Data Retention

We retain personal data only as long as necessary to:

• Deliver the Services and maintain your account

• Fulfill legal, accounting, or regulatory obligations

• Resolve disputes or enforce our agreements

Host account data is retained for the duration of your subscription and deleted or anonymized within 30 days of account closure, unless a longer retention period is required by law.

Guest data collected through your use of check-in or registration features is retained for the minimum period necessary to fulfill the purpose for which it was collected, as determined by applicable law (including local guest registration requirements). You may configure retention settings where available; otherwise, you may contact us to arrange deletion.

Identity documents collected via online check-in are deleted as soon as the check-in process is complete and any mandatory legal retention period has passed.

You may request deletion of your data at any time by contacting hello@smoothstay.io.

10. Cookies and Tracking

a. What We Use

• Essential cookies — required for the platform to function (login sessions, security tokens). Cannot be disabled.

• Functional cookies — where you enable guest registration on a guidebook, a cookie is set on the guest's device to remember that they have already registered. This cookie is scoped to the specific property, expires after 90 days, and contains no personal data.

• Analytics — we use Rybbit, a privacy-first analytics tool that uses no cookies and collects no personal data. Guidebook usage analytics (page views, article views, chatbot interactions) use approximate location derived from browser timezone — no IP address is involved.

b. Consent

When guests access a guidebook via a reservation link, a dismissible notice is displayed informing them that their activity may be associated with their reservation record. This notice is not a consent gate — it is a transparency disclosure under the legitimate interest basis, as the activity is linked to an existing booking relationship. No banner is shown on general share links or public links, where analytics are collected anonymously with no personal association. The functional registration cookie can be cleared at any time through your browser settings.

c. Third-Party Cookies

Embedded content or third-party tools on our site may set their own cookies subject to their own privacy policies. We do not control these.

11. Children's Privacy

SmoothStay is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from someone under 16, we will delete it promptly. If you believe a minor has submitted personal data through our Services, contact us at hello@smoothstay.io.

12. International Data Transfers

Your data may be processed in the United States or other jurisdictions where our subprocessors operate. For transfers of personal data from the EEA or UK to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms under UK GDPR.

13. Changes to This Policy

We may update this Privacy Policy periodically. The "Last Updated" date at the top of this page reflects the most recent version. For material changes that affect how we process your personal data, we will make reasonable efforts to notify active customers by email or in-app notice prior to the change taking effect. Continued use of the Services after updates constitutes acceptance of the revised policy.

14. Contact Us

For any questions, concerns, data access requests, or DPA inquiries, contact us at:

Email: hello@smoothstay.io Mailing Address: HelloBnB LLC (DBA SmoothStay) 1007 N Orange St, 4th Floor, Suite 3246 Wilmington, DE 19801, USA