Privacy Policy
Effective date: 15 June 2026 · Applies to: portal.lodgekeeper.app, the LodgeKeeper mobile app (iOS & Android), and www.lodgekeeper.app.
1. Who we are
LodgeKeeper is operated by Adrian Mizzi, a self-employed sole trader established in Malta and trading as "LodgeKeeper" (collectively, "LodgeKeeper", "we", "us", or "our"). LodgeKeeper is run by an individual rather than an incorporated company, so no company registration number applies. The data controller can be reached by email as set out below; a postal address is available on request.
Questions about this policy or your personal data can be sent to privacy@lodgekeeper.app.
Your account data — we decide how it's used. For personal data relating to property managers, owners, and cleaners who hold accounts on LodgeKeeper, we decide how and why it is used. (In legal terms, we are the "data controller".)
Guest data — the property manager is in charge. Guest data (names, contact details, booking information) comes from Hospitable and we handle it on the property manager's behalf, following their instructions. (In legal terms, the manager is the "data controller" and we are the "data processor".) Managers must have their own valid reason for holding guest data and must tell guests about it in their own privacy notices.
2. What data we collect and hold
Account holders (managers, owners, cleaners)
- Identity and contact: name and email address, collected at account creation or invitation.
- Authentication credentials: passwords are stored as salted hashes managed by Supabase Auth; we never see or store plaintext passwords.
- Role and permissions: the role assigned to each user (Admin, Operations, Finance, Viewer, Owner, Cleaner) and the manager account they belong to.
- Profile and preferences: notification preferences, language settings, and any profile details you choose to add.
- Hospitable Personal Access Token (managers only): stored encrypted at rest using AES-256 encryption in our database. We hold one token per manager account to authenticate all reads and permitted write-backs to the Hospitable API on your behalf.
Property and booking data (synced from Hospitable)
- Property listings and attributes pulled from your Hospitable account.
- Reservation and booking records including stay dates, channel, payout amounts, and booking status.
- Financial transaction data including channel payouts and cleaning fees, used to compute owner statements.
- Calendar and availability data.
- Review data (star ratings, review text, response status) where the Hospitable API makes it available.
Guest data (processed on behalf of the property manager)
- Guest names (displayed in abbreviated form in the owner-facing portal to protect guest privacy, e.g. "Michelle M.").
- Booking dates, channel, payout and financial information associated with a booking.
- No direct contact information (email, phone) for guests is actively stored by LodgeKeeper; we do not request or retain guest communications beyond what Hospitable makes available as part of a booking record.
Mobile app data
- Camera: used solely to scan the pairing QR code shown on-screen during login. Images are not stored, transmitted to our servers, or used for any other purpose.
- Push notification token: an Expo push token is stored against your account to deliver operational notifications (new bookings, upcoming cleanings, task updates). You can withdraw consent by disabling notifications in your device settings.
- Secure on-device storage: login tokens are kept in the device's secure storage and are not accessible to other apps.
Usage and analytics data
- Page views, feature interactions, and navigation events, collected through PostHog (EU region). We've turned off IP logging, and we use this data only in aggregate to understand how the product is used.
- Error and crash reports including stack traces, device type, OS version, and the URL or screen where the error occurred, collected via Sentry. Error reports may incidentally include data visible in the UI at the time of the error.
Communications
- If you contact us by email, we retain that correspondence to handle your inquiry and for our support records.
- In-app feedback submissions (feature requests, bug reports, and improvement suggestions) are stored alongside any screenshot you voluntarily attach.
3. How and why we use personal data
We use your personal data for the following reasons:
To provide the service you signed up for
- Providing the LodgeKeeper portal and mobile app to property managers, owners, and cleaners.
- Authenticating users and enforcing role-based access so each user sees only the data they are entitled to.
- Syncing booking and financial data from Hospitable and computing owner statements.
- Delivering push notifications required for the service (new bookings, shift assignments, task alerts).
- Processing payments for bookings made through the optional direct-booking site add-on (Stripe or Viva Wallet, where enabled by the property manager).
Our legitimate business interests
- Error monitoring and crash diagnostics to maintain service reliability.
- Aggregate product analytics to understand feature usage and prioritise improvements.
- Security logging (authentication events, sync activity) to detect and respond to abuse.
- Retaining records needed for accounting and dispute resolution.
- Sending transactional and operational communications (statement status, sync alerts) where these are a natural part of the service.
With your consent
- Optional AI-powered features (pricing suggestions, review-reply drafts and translation) — these features involve sending relevant property and booking context to an AI model. They are opt-in at the manager level and can be disabled at any time.
- Marketing communications, if and when we introduce them — we will seek separate consent and provide a straightforward unsubscribe mechanism.
To meet legal obligations
- Compliance with applicable tax, financial-record-keeping, and other legal obligations.
4. The services we use and data sharing
We do not sell personal data. We share data only with the service providers listed below, all of whom are bound by data-processing agreements, and in the limited circumstances described afterwards.
| Service | Purpose | Data region / notes |
|---|---|---|
| Hospitable (hospitable.com) | Source of truth for reservations, listings, calendar, and financial data. We read from and write to the Hospitable API on behalf of each connected manager account. | EU (Hospitable is a EU-based service); data flows via their Public API. |
| Supabase | Authentication, PostgreSQL database (all LodgeKeeper application data), and storage (cleaning photos, feedback screenshots). Row-level security isolates each manager's data at the database layer. | EU — hosted in Frankfurt. |
| Vercel | Hosting for the web portal and this marketing site, and running our backend. | EU — hosted in Frankfurt, close to our database. |
| Sentry | Error and crash monitoring for the web portal and mobile app. Stack traces, device information, and context visible in the UI at time of error may be included. | EU — we use Sentry's EU-region data infrastructure (sentry.io/for/eu). |
| PostHog | Product analytics — page views, feature interactions, and navigation events. IP addresses are not logged. Data is used in aggregate only. | EU — PostHog's EU cloud. |
| Expo | Builds our mobile app and delivers push notifications. It receives the device token and message text and relays the notification to Apple and Google on our behalf. | US-based; covered by Expo's data-processing agreement. Notifications contain only the message text and a routing token — no booking financials or guest data. |
| Apple | Delivers push notifications to iPhones and iPads, via Apple's push service. | Apple's infrastructure; governed by the Apple Developer Program agreement. |
| Delivers push notifications to Android devices, via Google's push service (Firebase Cloud Messaging). | Google's infrastructure; governed by Google's terms for Firebase services. | |
| Anthropic (via Vercel AI Gateway or direct) | AI model provider used for optional features: dynamic pricing suggestions, guest-review reply drafts, and offline review pre-translation. Activated only when the manager has enabled the relevant AI feature. Property and booking context (not guest personal data) is included in prompts. | US-based; covered by Anthropic's data-processing terms. Data is not used to train Anthropic models under their commercial API terms. |
| OpenRouter (openrouter.ai) | Alternative AI gateway — a configurable option for the AI-powered features above. When selected by the platform administrator, prompts are routed through OpenRouter to the chosen underlying model provider. | US-based; covered by OpenRouter's terms. See also the note on Anthropic above regarding the underlying model providers. |
| Stripe | Payment processing for direct bookings made through the optional Booking Site add-on, where the property manager has selected Stripe as their payment provider. Stripe handles card data directly; LodgeKeeper never sees or stores raw card numbers. | EU/US; Stripe is certified to PCI-DSS Level 1 and operates under its own privacy policy and DPA. |
| Viva Wallet | Payment processing alternative to Stripe for direct bookings, where the property manager has selected Viva Wallet as their payment provider. | EU-based (Greece); regulated as a payment institution under EU law. |
We may also disclose personal data if required to do so by applicable law, by a court order, or by a regulatory authority with jurisdiction over us, and we may share data with professional advisers (lawyers, auditors) under appropriate confidentiality obligations.
5. International transfers
Our main data storage (our Supabase database and Vercel hosting) is in the European Union (Frankfurt). Some of the services listed above — in particular Expo, Anthropic, OpenRouter, and Stripe — are based in the United States and process data there.
When data goes to a US-based service, it's protected by standard EU-approved contracts (the European Commission's Standard Contractual Clauses) that require them to protect your data to European standards — or by the EU–US Data Privacy Framework where the service is certified under it. We've assessed that these safeguards give your data an adequate level of protection.
If you'd like details of the specific safeguards in place for any individual service, please contact privacy@lodgekeeper.app.
6. Data retention
We retain personal data for as long as is necessary to fulfil the purposes described in this policy, or as required by applicable law.
- Active accounts: data is retained for the duration of the account relationship.
- After account closure or cancellation: we retain statement history and financial records for a minimum of seven years to comply with Maltese accounting and tax obligations. Other personal data is deleted or anonymised within 90 days of a closure request, unless a longer retention period is legally required.
- Push notification tokens: deleted automatically when the device reports that the token is no longer valid (app uninstalled or notifications revoked), and in any event when the associated account is closed.
- Analytics data: PostHog event data is subject to PostHog's own retention configuration; we review this periodically. Error events in Sentry are retained for 90 days by default.
- In-app feedback: retained until resolved or until you request deletion.
- Backup snapshots: encrypted database backups may persist for up to 30 days after deletion of the live record.
7. Security
We take reasonable and appropriate measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction:
- Encryption at rest: the Supabase database (including all application data) is encrypted at rest. The Hospitable Personal Access Token is additionally encrypted at the application layer using AES-256 before storage.
- Encryption in transit: all communications between your browser or app and our servers use TLS (HTTPS). All connections to Hospitable, Supabase, and the other services we use are encrypted in the same way.
- Database-level isolation: the database itself keeps each account's data separate — one manager's data can never be seen by another manager, and each owner can see only their own data within their manager's account.
- Least-privilege access: each user role (Admin, Finance, Operations, Viewer, Owner, Cleaner) carries only the permissions necessary for their function. Cleaner logins cannot access financial or owner data.
- Secret management: API keys and tokens are stored as environment variables in Vercel's encrypted secret storage and are never embedded in source code.
No system can be guaranteed completely secure. If you believe your account has been compromised or you discover a security vulnerability, please contact privacy@lodgekeeper.app promptly.
8. Your rights under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights in relation to your personal data:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): you may ask us to delete your personal data, subject to our legal obligations to retain certain records.
- Right to data portability: where processing is based on your consent or a contract, you may request a copy of your data in a structured, machine-readable format.
- Right to restrict processing: in certain circumstances, you may ask us to restrict how we use your data while a dispute is resolved.
- Right to object: where we rely on our legitimate business interests as the reason for using your data, you may object. We will consider your objection and cease processing unless we have compelling legitimate grounds that override your interests, rights, or freedoms.
- Rights related to automated decision-making: we do not make solely automated decisions with legal or similarly significant effects on individuals. AI-generated pricing suggestions and review-reply drafts are advisory tools reviewed by a human (the property manager) before any action is taken.
- Right to withdraw consent: where processing is based on your consent (for example, optional AI features or marketing communications), you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact privacy@lodgekeeper.app. We will respond within one month, or inform you of an extension where the request is complex or numerous. We may need to verify your identity before fulfilling a request.
Right to lodge a complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. As a Malta-registered entity, our lead supervisory authority is:
Office of the Information and Data Protection Commissioner (IDPC)
2, Airways House, High Street, Sliema SLM 1549, Malta
idpc.org.mt
You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work within the EU/EEA.
9. Children
LodgeKeeper is a business-to-business property-management tool. It is not directed at, marketed to, or intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe that a child's data has been submitted to us in error, please contact us at privacy@lodgekeeper.app and we will delete it promptly.
10. Cookies and similar technologies
The web portal uses strictly-necessary cookies set by Supabase Auth to maintain your authenticated session. No advertising or cross-site tracking cookies are used.
This marketing site loads a PostHog analytics script that stores a first-party anonymous identifier in localStorage to stitch together page-view sequences. PostHog is configured with IP anonymisation enabled and person profiles disabled for this site. You can prevent PostHog from running by disabling JavaScript or using a content-blocking browser extension.
11. Property managers: your obligations as data controllers for guest data
Where you use LodgeKeeper and it processes guest personal data on your behalf, you are the data controller for that guest data. You are responsible for:
- Having a valid reason (typically that you need it to fulfil the booking, or your legitimate business interests) for handling your guests' personal data.
- Providing guests with a privacy notice that accurately describes how their data is used, including the involvement of LodgeKeeper as a processor.
- Responding to any requests guests make to you, as the property manager, about their data.
- Ensuring that any additional services you introduce (for example, a direct-booking payment provider you select) are covered by appropriate agreements.
We are available to assist you in fulfilling your obligations — contact privacy@lodgekeeper.app for a copy of our Data Processing Agreement if required.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where the changes are significant, notify account holders by email or via an in-app notice. We encourage you to review this page periodically.
Your continued use of LodgeKeeper after a change to this policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.
13. Contact
All privacy-related correspondence should be directed to:
Adrian Mizzi, trading as LodgeKeeper
Malta
Email: privacy@lodgekeeper.app