Skip to main content
Legal

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why we collect it, and how you can control it.

Last updated: May 2026

Who we are

MyGuest.Today is a digital guidebook platform for vacation rental hosts and their guests. For data-protection enquiries, contact us at privacy@myguest.today.

What data we collect

We collect different data depending on whether you are a property owner or a guest.

Property owners (registered accounts)

  • Name and email address — provided at registration.
  • Password — stored as a one-way bcrypt hash; we never see the plain-text value.
  • Property details — names, addresses, check-in instructions, Wi-Fi credentials, house rules, and any other content you add to your guidebooks.
  • Stay records — guest token identifiers and check-in/check-out dates.
  • Usage and analytics — page views, feature interactions, and error events collected via Sentry.

Guests (no account required)

  • No registration — guests access guidebooks via a unique link generated by the host.
  • Feedback responses — star ratings and optional text comments submitted through the guidebook.
  • Usage events — anonymous page-view data and error events collected via Sentry. No personally identifying information is attached.

How we use your data

  • Providing the service — creating and displaying guidebooks, authenticating owners, generating guest access links.
  • Improving the platform — analysing aggregated usage patterns to prioritise new features and fix bugs.
  • Error monitoring — Sentry captures stack traces and context to help us diagnose and fix technical issues quickly.
  • Transactional emails — password-reset messages sent to the address you registered with.
  • Security — detecting and preventing unauthorised access, fraud, or abuse.

If you are in the European Economic Area, we process your personal data under the following legal bases:

Processing activityLegal basis
Account creation and authenticationContract performance
Sending password-reset emailsContract performance
Hosting guidebook content you createContract performance
Error monitoring (Sentry)Legitimate interests
Aggregated analyticsLegitimate interests
Legal complianceLegal obligation

Data retention

  • Owner accounts — retained for as long as the account is active. You may delete your account at any time; we will erase your personal data within 30 days.
  • Guest feedback — retained for 12 months after submission, then automatically deleted.
  • Error logs (Sentry) — retained for 90 days.
  • Password-reset tokens — expire after 1 hour and are deleted immediately upon use.

Third-party processors

We share data with the following sub-processors, all operating under appropriate data-processing agreements:

ProcessorPurposeData location
Neon (PostgreSQL)Primary databaseEU (Frankfurt)
VercelWeb app hostingEdge / EU
RailwayAPI server hostingEU (Frankfurt)
CloudflareDNS & CDNGlobal edge
SentryError monitoringEU region

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Cookies

We use a minimal set of cookies necessary to operate the service:

  • Session cookie — keeps you logged in as an owner during your browsing session. Expires when you close the browser or after 30 days if you choose "Remember me".
  • CSRF token — a short-lived cookie that protects form submissions from cross-site request forgery attacks.

We do not use advertising, tracking, or analytics cookies. Guests accessing guidebook pages are not cookied.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to pause processing of your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@myguest.today. We will respond within 30 days.

Security

We protect your data using industry-standard measures: TLS encryption in transit, bcrypt password hashing, parameterised database queries, and strict access controls. Despite these precautions, no system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@myguest.today.

Changes to this policy

We may update this policy as our service evolves or legal requirements change. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify registered owners by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.