Legal · Privacy

Privacy Policy

Effective date: 15 June 2026 · Applies to: portal.lodgekeeper.app, the LodgeKeeper mobile app (iOS & Android), and www.lodgekeeper.app.

1. Who we are

LodgeKeeper is operated by Adrian Mizzi, a self-employed sole trader established in Malta and trading as "LodgeKeeper" (collectively, "LodgeKeeper", "we", "us", or "our"). LodgeKeeper is run by an individual rather than an incorporated company, so no company registration number applies. The data controller can be reached by email as set out below; a postal address is available on request.

Questions about this policy or your personal data can be sent to privacy@lodgekeeper.app.

Your account data — we decide how it's used. For personal data relating to property managers, owners, and cleaners who hold accounts on LodgeKeeper, we decide how and why it is used. (In legal terms, we are the "data controller".)

Guest data — the property manager is in charge. Guest data (names, contact details, booking information) comes from Hospitable and we handle it on the property manager's behalf, following their instructions. (In legal terms, the manager is the "data controller" and we are the "data processor".) Managers must have their own valid reason for holding guest data and must tell guests about it in their own privacy notices.

2. What data we collect and hold

Account holders (managers, owners, cleaners)

Property and booking data (synced from Hospitable)

Guest data (processed on behalf of the property manager)

Mobile app data

Usage and analytics data

Communications

3. How and why we use personal data

We use your personal data for the following reasons:

To provide the service you signed up for

Our legitimate business interests

With your consent

To meet legal obligations

4. The services we use and data sharing

We do not sell personal data. We share data only with the service providers listed below, all of whom are bound by data-processing agreements, and in the limited circumstances described afterwards.

Service Purpose Data region / notes
Hospitable (hospitable.com) Source of truth for reservations, listings, calendar, and financial data. We read from and write to the Hospitable API on behalf of each connected manager account. EU (Hospitable is a EU-based service); data flows via their Public API.
Supabase Authentication, PostgreSQL database (all LodgeKeeper application data), and storage (cleaning photos, feedback screenshots). Row-level security isolates each manager's data at the database layer. EU — hosted in Frankfurt.
Vercel Hosting for the web portal and this marketing site, and running our backend. EU — hosted in Frankfurt, close to our database.
Sentry Error and crash monitoring for the web portal and mobile app. Stack traces, device information, and context visible in the UI at time of error may be included. EU — we use Sentry's EU-region data infrastructure (sentry.io/for/eu).
PostHog Product analytics — page views, feature interactions, and navigation events. IP addresses are not logged. Data is used in aggregate only. EU — PostHog's EU cloud.
Expo Builds our mobile app and delivers push notifications. It receives the device token and message text and relays the notification to Apple and Google on our behalf. US-based; covered by Expo's data-processing agreement. Notifications contain only the message text and a routing token — no booking financials or guest data.
Apple Delivers push notifications to iPhones and iPads, via Apple's push service. Apple's infrastructure; governed by the Apple Developer Program agreement.
Google Delivers push notifications to Android devices, via Google's push service (Firebase Cloud Messaging). Google's infrastructure; governed by Google's terms for Firebase services.
Anthropic (via Vercel AI Gateway or direct) AI model provider used for optional features: dynamic pricing suggestions, guest-review reply drafts, and offline review pre-translation. Activated only when the manager has enabled the relevant AI feature. Property and booking context (not guest personal data) is included in prompts. US-based; covered by Anthropic's data-processing terms. Data is not used to train Anthropic models under their commercial API terms.
OpenRouter (openrouter.ai) Alternative AI gateway — a configurable option for the AI-powered features above. When selected by the platform administrator, prompts are routed through OpenRouter to the chosen underlying model provider. US-based; covered by OpenRouter's terms. See also the note on Anthropic above regarding the underlying model providers.
Stripe Payment processing for direct bookings made through the optional Booking Site add-on, where the property manager has selected Stripe as their payment provider. Stripe handles card data directly; LodgeKeeper never sees or stores raw card numbers. EU/US; Stripe is certified to PCI-DSS Level 1 and operates under its own privacy policy and DPA.
Viva Wallet Payment processing alternative to Stripe for direct bookings, where the property manager has selected Viva Wallet as their payment provider. EU-based (Greece); regulated as a payment institution under EU law.

We may also disclose personal data if required to do so by applicable law, by a court order, or by a regulatory authority with jurisdiction over us, and we may share data with professional advisers (lawyers, auditors) under appropriate confidentiality obligations.

5. International transfers

Our main data storage (our Supabase database and Vercel hosting) is in the European Union (Frankfurt). Some of the services listed above — in particular Expo, Anthropic, OpenRouter, and Stripe — are based in the United States and process data there.

When data goes to a US-based service, it's protected by standard EU-approved contracts (the European Commission's Standard Contractual Clauses) that require them to protect your data to European standards — or by the EU–US Data Privacy Framework where the service is certified under it. We've assessed that these safeguards give your data an adequate level of protection.

If you'd like details of the specific safeguards in place for any individual service, please contact privacy@lodgekeeper.app.

6. Data retention

We retain personal data for as long as is necessary to fulfil the purposes described in this policy, or as required by applicable law.

7. Security

We take reasonable and appropriate measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction:

No system can be guaranteed completely secure. If you believe your account has been compromised or you discover a security vulnerability, please contact privacy@lodgekeeper.app promptly.

8. Your rights under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights in relation to your personal data:

To exercise any of these rights, please contact privacy@lodgekeeper.app. We will respond within one month, or inform you of an extension where the request is complex or numerous. We may need to verify your identity before fulfilling a request.

Right to lodge a complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. As a Malta-registered entity, our lead supervisory authority is:

Office of the Information and Data Protection Commissioner (IDPC)
2, Airways House, High Street, Sliema SLM 1549, Malta
idpc.org.mt

You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work within the EU/EEA.

9. Children

LodgeKeeper is a business-to-business property-management tool. It is not directed at, marketed to, or intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe that a child's data has been submitted to us in error, please contact us at privacy@lodgekeeper.app and we will delete it promptly.

10. Cookies and similar technologies

The web portal uses strictly-necessary cookies set by Supabase Auth to maintain your authenticated session. No advertising or cross-site tracking cookies are used.

This marketing site loads a PostHog analytics script that stores a first-party anonymous identifier in localStorage to stitch together page-view sequences. PostHog is configured with IP anonymisation enabled and person profiles disabled for this site. You can prevent PostHog from running by disabling JavaScript or using a content-blocking browser extension.

11. Property managers: your obligations as data controllers for guest data

Where you use LodgeKeeper and it processes guest personal data on your behalf, you are the data controller for that guest data. You are responsible for:

We are available to assist you in fulfilling your obligations — contact privacy@lodgekeeper.app for a copy of our Data Processing Agreement if required.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where the changes are significant, notify account holders by email or via an in-app notice. We encourage you to review this page periodically.

Your continued use of LodgeKeeper after a change to this policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.

13. Contact

All privacy-related correspondence should be directed to:

Adrian Mizzi, trading as LodgeKeeper
Malta
Email: privacy@lodgekeeper.app