Privacy Policy – Guestfier

Last updated: September 30, 2025

At Guestfier (“we”, “us”, “our”), your privacy matters. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our platform and sites at guestfier.com (the “Service”), including when you sign in with Google or connect Google services.

By using Guestfier, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1) Who We Are (Controller)

Guestfier Brasil LTDA is the data controller for the Service.

Guestfier is a management platform for short-term rental hosts to organize properties and reservations, generate GuestLinks (guest portals), sell extras (e.g., breakfast, tours), and access financial reports.

2) What We Collect (Data Accessed)

We collect and process the following categories of data, depending on how you use the Service:

2.1. Account & Profile (Hosts)

  • Full name, email, phone
  • Password (hashed) if you sign up with email/password
  • Business information (company name, tax info if provided)
  • Subscription & billing info (e.g., card last 4 digits, Pix reference, invoices)
  • Communication preferences

2.2. Properties & Reservations

  • Property data: name, address, descriptions, photos
  • Reservation data: check-in/check-out dates, reservation identifiers
  • Guest details entered by the host (name, email, phone)

2.3. Sales of Extras (via GuestLink)

  • Items offered (name, price, photo)
  • Orders/purchases and payment confirmations

2.4. Technical & Usage

  • IP address, device, browser type/version, OS
  • Cookies, local storage, session identifiers
  • Log data (timestamps, pages/screens used)
  • Analytics events (e.g., feature usage, conversion funnels)

2.5. Google User Data (OAuth) — Only if you connect Google

If you sign in or connect Google services, we may access only the minimum required data:

  • Identity/Sign-in: openid, email, profile → name, email, avatar
  • Calendar (read): https://www.googleapis.com/auth/calendar.readonly → to read events for reservation sync/display
  • Calendar (write, optional/opt-in): https://www.googleapis.com/auth/calendar.events → to create/update events only if you explicitly enable write-back

We do not request Gmail scopes. If Gmail access is ever enabled, this Policy will be updated and we will comply with Google’s Restricted Scopes and Limited Use requirements.

3) How We Use Data (Data Usage)

We process data to:

  • Provide the Service: create/manage your account; show properties & reservations; generate GuestLinks; enable extras catalog and checkout.
  • Payments & Billing: process subscriptions and order payments; issue invoices; prevent fraud.
  • Calendar Sync (Google): display your bookings within Guestfier and, if enabled, write bookings to your Google Calendar.
  • Support & Communications: respond to support requests; send service notices (e.g., trial ending, payment issues).
  • Improve & Secure the Service: analytics, debugging, monitoring uptime, preventing abuse.
  • Legal/Compliance: meet tax, accounting, and legal obligations.

No Ads Profiling with Google Data. We do not use Google user data for advertising, profiling, or creditworthiness.

4) Cookies & Similar Technologies

We use cookies/local storage for:

  • Session management and authentication
  • Remembering preferences
  • Analytics (e.g., Google Analytics)
  • Basic performance and security

You can adjust cookie settings in your browser; some features may not function without essential cookies.

5) Sharing of Data (Data Sharing)

We do not sell personal data. We share data only with:

  • Payment processors / gateways (e.g., card acquirers, Pix intermediaries) to process transactions securely
  • Cloud hosting & infrastructure (e.g., reputable cloud providers) to run and back up the Service
  • Customer support & operational tools (e.g., ticketing, email delivery) strictly to provide the Service
  • Professional advisors (legal/accounting) under confidentiality
  • Authorities when required by law, court order, or to enforce legal rights

Google user data obtained via OAuth is never shared with third parties except as necessary to provide user-facing features, operate the Service (e.g., secure hosting), or as required by law.

6) Storage & Security (Data Storage & Protection)

We apply industry-standard safeguards:

  • Encryption: HTTPS/TLS in transit; encrypted storage at rest for sensitive data and tokens
  • Credentials: passwords hashed (e.g., bcrypt/argon2); OAuth tokens stored securely
  • Access control: least-privilege, role-based access, audit logs for administrative access
  • Secure development practices: periodic reviews, dependency updates, backups, monitoring

Despite our efforts, no method of transmission or storage is 100% secure.

7) Retention & Deletion (Data Retention & Deletion)

  • We retain host and guest data while your account is active and for as long as necessary to provide the Service.
  • We retain billing/transaction data as required for accounting, tax, fraud prevention, and legal compliance.
  • Google user data & tokens are retained only while the integration is active and for the minimal period needed to deliver the feature.

Deletion & Revocation

  • You can request deletion of your account/data at admin@guestfier.com. We typically respond within 30 days and delete within up to 30 days after verification, subject to legal retention.
  • You can disconnect Google any time in Settings → Integrations (in-app).
  • You can also revoke Guestfier’s access in your Google Account: https://myaccount.google.com/permissions.
  • After disconnection/revocation, we delete stored Google tokens and Google-derived data within 7 days (with typical backup purge windows 30–90 days).

8) Your Rights & Choices

Depending on your location, you may have rights to:

  • Access your data and request a copy
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal retention)
  • Object or restrict processing in certain cases
  • Data portability (structured, commonly used format)
  • Withdraw consent (e.g., disconnect Google)

To exercise these rights, contact admin@guestfier.com. We may need to verify your identity before fulfilling requests.

9) Google API Services Disclosure (Limited Use)

Guestfier complies with the Google API Services User Data Policy, including the Limited Use requirements. We only access, use, store, and share Google user data to provide or improve user-facing features of Guestfier; we do not use it for advertising, profiling, or sale of data.

OAuth Scopes We Request & Why

  • openid, email, profile — sign-in with Google and basic profile
  • https://www.googleapis.com/auth/calendar.readonly — read calendar data to display/sync bookings
  • (Optional, opt-in) https://www.googleapis.com/auth/calendar.events — create/update events when you explicitly enable write-back

User Control & Revocation

If Guestfier ever enables Gmail access, we will update this Policy and comply with Google’s Restricted Scopes and Limited Use.

10) International Transfers & Legal Bases

We may process data in Brazil, the US, the EU, or other countries using appropriate safeguards (e.g., Standard Contractual Clauses where applicable).

GDPR legal bases (EU/EEA/UK):

  • Contract (Art. 6(1)(b)) — to provide the Service you request
  • Consent (Art. 6(1)(a)) — e.g., connecting Google, certain marketing emails
  • Legitimate interests (Art. 6(1)(f)) — service improvement, security, fraud prevention
  • Legal obligation (Art. 6(1)(c)) — tax, accounting, regulatory duties

You may lodge a complaint with your local data protection authority, but please contact us first so we can help.

11) California Privacy Notice (CCPA/CPRA)

For California residents:

  • We do not sell or share personal information as defined by CCPA/CPRA.
  • You have rights to know, access, delete, correct, and opt out of certain processing.
  • To exercise rights, email admin@guestfier.com. We will not discriminate against you for exercising your rights.

12) Children’s Privacy

Guestfier is not directed to children under 13 (or the relevant age of digital consent in your region). If we learn we have collected personal data from a child, we will delete it promptly. Parents/guardians may contact admin@guestfier.com.

13) Third-Party Links & Integrations

The Service may link to third-party sites or integrate with third-party tools (e.g., payment processors, analytics). Their privacy practices are governed by their own policies. We recommend reviewing those policies.

14) Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version here and, if changes are material, notify you via email or in-app notice. Your continued use after changes means you accept the updated Policy.

15) Contact Us

Questions or requests about privacy?

Appendix: Summary of Data Flows (At a Glance)

  • You → Guestfier: account, properties, reservations, extras, payments
  • Your browser/app ↔ Guestfier: secure HTTPS, essential cookies, analytics
  • Guestfier ↔ Payment processors: subscription billing, orders (no full card storage by Guestfier)
  • Guestfier ↔ Google (optional): OAuth sign-in; calendar read (and write if enabled)
  • Retention: active account (service needs); tokens only while connected; legal retention for billing
  • Deletion: email admin@guestfier.com; disconnect Google in-app or via myaccount.google.com/permissions