Privacy Policy
We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why we collect it, and how you can control it.
Last updated: May 2026
Who we are
MyGuest.Today is a digital guidebook platform for vacation rental hosts and their guests. For data-protection enquiries, contact us at privacy@myguest.today.
What data we collect
We collect different data depending on whether you are a property owner or a guest.
Property owners (registered accounts)
- Name and email address — provided at registration.
- Password — stored as a one-way bcrypt hash; we never see the plain-text value.
- Property details — names, addresses, check-in instructions, Wi-Fi credentials, house rules, and any other content you add to your guidebooks.
- Stay records — guest token identifiers and check-in/check-out dates.
- Usage and analytics — page views, feature interactions, and error events collected via Sentry.
Guests (no account required)
- No registration — guests access guidebooks via a unique link generated by the host.
- Feedback responses — star ratings and optional text comments submitted through the guidebook.
- Usage events — anonymous page-view data and error events collected via Sentry. No personally identifying information is attached.
How we use your data
- Providing the service — creating and displaying guidebooks, authenticating owners, generating guest access links.
- Improving the platform — analysing aggregated usage patterns to prioritise new features and fix bugs.
- Error monitoring — Sentry captures stack traces and context to help us diagnose and fix technical issues quickly.
- Transactional emails — password-reset messages sent to the address you registered with.
- Security — detecting and preventing unauthorised access, fraud, or abuse.
Legal basis for processing (GDPR)
If you are in the European Economic Area, we process your personal data under the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Contract performance |
| Sending password-reset emails | Contract performance |
| Hosting guidebook content you create | Contract performance |
| Error monitoring (Sentry) | Legitimate interests |
| Aggregated analytics | Legitimate interests |
| Legal compliance | Legal obligation |
Data retention
- Owner accounts — retained for as long as the account is active. You may delete your account at any time; we will erase your personal data within 30 days.
- Guest feedback — retained for 12 months after submission, then automatically deleted.
- Error logs (Sentry) — retained for 90 days.
- Password-reset tokens — expire after 1 hour and are deleted immediately upon use.
Third-party processors
We share data with the following sub-processors, all operating under appropriate data-processing agreements:
| Processor | Purpose | Data location |
|---|---|---|
| Neon (PostgreSQL) | Primary database | EU (Frankfurt) |
| Vercel | Web app hosting | Edge / EU |
| Railway | API server hosting | EU (Frankfurt) |
| Cloudflare | DNS & CDN | Global edge |
| Sentry | Error monitoring | EU region |
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Cookies
We use a minimal set of cookies necessary to operate the service:
- Session cookie — keeps you logged in as an owner during your browsing session. Expires when you close the browser or after 30 days if you choose "Remember me".
- CSRF token — a short-lived cookie that protects form submissions from cross-site request forgery attacks.
We do not use advertising, tracking, or analytics cookies. Guests accessing guidebook pages are not cookied.
Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — ask us to pause processing of your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@myguest.today. We will respond within 30 days.
Security
We protect your data using industry-standard measures: TLS encryption in transit, bcrypt password hashing, parameterised database queries, and strict access controls. Despite these precautions, no system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@myguest.today.
Changes to this policy
We may update this policy as our service evolves or legal requirements change. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify registered owners by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
Questions about this policy? Email privacy@myguest.today.
Also see our Terms of Service and Accessibility Statement.