HostRev
Start now

Legal

Privacy policy

Version 2.0 · Effective 17 May 2026

HostRev helps short-term-rental hosts improve their listings. We collect only what we need, never sell your information, and let you delete your account and data on a 7-day SLA. We do not train AI on your photos or AI outputs — see section 4 below.

1Who we are

HostRev is operated by HostRev Solutions (sole proprietorship, Dutch Handelsregister, KvK number 42073239), established at 2e Wormenseweg 75, 7331 VD Apeldoorn, The Netherlands (VAT ID: NL003627894B03). HostRev Solutions is the controller of your personal data within the meaning of Regulation (EU) 2016/679 ("GDPR") and the equivalent legislation in the UK (UK GDPR / DPA 2018), the United States (CCPA/CPRA + state laws), Canada (PIPEDA + Quebec Law 25), and Australia (Privacy Act 1988).

contact@hostrev.io is HostRev's single canonical address for all support, legal, privacy, data-protection (including DPA inquiries and data subject access requests), and DMCA / Notice-and-Action communications. Notices are acknowledged within 5 business days.

We do not have a designated Data Protection Officer under GDPR Art. 37 — we do not engage in large-scale systematic monitoring or processing of special-category data.

2Data we collect

We collect only what we need to deliver and operate HostRev:

Account data
Email, hashed password (or magic-link credential), billing address, country.
Listing data
Airbnb URL, listing title, listing description, uploaded photos, pricing data you enter, neighbourhood info you provide.
Generated outputs
AI-enhanced photos, rewritten copy, audit results we produce. Stored in your project until you delete it.
Payment data
Handled by Stripe. We receive a transaction reference, amount, and credits granted — never the full card number.
Usage data
IP address (hashed for rate-limiting and security), browser type, device type, pages visited, features used, errors encountered.
Communication data
Emails you send to us, support tickets, feedback you provide.
Cookies
See section 9 below.

3Why we process your data (legal bases)

For each processing activity, GDPR requires a lawful basis. The bases we rely on:

Provide the service
Account, listing, AI processing — Contract performance (Art. 6(1)(b))
Process payments
Payment, account — Contract performance
Transactional email
Magic-link, receipts, generation-complete notices — Contract performance
Marketing email
Soft opt-in under ePrivacy Directive Art. 13(2) + NL Telecomwet 11.7, with one-click unsubscribe
Security, fraud, rate-limiting
Hashed IP, account — Legitimate interest (Art. 6(1)(f))
Customer support
All categories — Legitimate interest + Contract
Aggregated service-quality analytics
Listing, usage — Legitimate interest with appropriate aggregation safeguards (see section 4)
Legal obligations
All as relevant — Legal obligation (Art. 6(1)(c))
Marketing case studies
Listing, account — Opt-in consent (Art. 6(1)(a))

4We do not train AI models on your content

HostRev does not, and will not, use any of the following for the training, fine-tuning, retraining, evaluation, or benchmarking of any artificial intelligence model — whether developed by HostRev or by any third party:

  • photos you upload to the service
  • AI outputs generated by the service for your account
  • listing text, descriptions, or audits you submit
  • personal data of individuals depicted in your uploads

This commitment is both contractual (mirrored in the Acceptable Use section, which forbids you from doing the same to our outputs) and a privacy safeguard.

Where we use aggregated, de-identified telemetry to improve prompt quality (e.g. counting how often a given room-type template is used, or the average user-rated quality score for a prompt variant), the input is statistical — counts, scores, categorical metadata — and does not include images, image features, or personal data.

We will not change this position without giving 90 days' notice and an opt-out to active customers, and we will not retroactively apply any new policy to content uploaded before the notice.

5How long we keep your data

Free-audit leads (never paid)
24 months after last interaction, then deleted
Unsubscribed leads
Email retained in a suppression list (required for ePrivacy/CAN-SPAM/CASL compliance); other data deleted within 30 days
Active paid account
For the duration of your subscription
Closed account — core data
Soft-deleted on request or on closure, hard-deleted within 7 days via nightly background job
Closed account — financial records
Retained 7 years (Dutch fiscal obligation, Algemene Wet inzake Rijksbelastingen Art. 52), in anonymised form (user identity replaced with deleted_user marker)
Uploaded photos
Until the end of your account, or earlier on request, except cached copies that may take up to 7 days to fully expire across CDN edge nodes
Audit logs
12 months, then auto-deleted
Suppression list
Indefinitely (required by CAN-SPAM, CASL, ePrivacy)

6Sub-processors

We rely on a small set of vetted infrastructure providers. Each is bound by a data-processing agreement under GDPR Art. 28.

Supabase Inc.
Postgres database + file storage — Frankfurt, EU. Intra-EEA transfer.
Stripe, Inc.
Payment processing — USA + Ireland. EU SCCs 2021/914.
Resend, Inc.
Transactional + marketing email — USA. EU SCCs 2021/914.
Replicate, Inc.
AI image processing — USA. EU SCCs 2021/914.
Anthropic PBC
AI text generation (Claude) — USA. EU SCCs 2021/914.
Google LLC (Gemini API)
AI vision processing — USA. EU SCCs 2021/914 + EU-US Data Privacy Framework.
Firecrawl, Inc.
Public-page reader for listing auto-fill — USA. EU SCCs 2021/914.
Trigger.dev, Inc.
Background job execution — USA. EU SCCs 2021/914.
Vercel, Inc.
Application hosting + edge network — USA + global edge. EU SCCs 2021/914.
Upstash, Inc.
Rate-limit cache (Redis) — Frankfurt, EU. Intra-EEA transfer.
PostHog (EU)
Product analytics — EU region. Intra-EEA transfer.

We notify customers of material changes to this list at least 30 days in advance via email.

7International data transfers

Some of our sub-processors are based in the United States. For personal data transferred from the EU/EEA, UK, or Switzerland to these sub-processors, we rely on the Standard Contractual Clauses (EU SCCs 2021/914, Module 2 or 3 as applicable), supplemented by:

  • encryption in transit (TLS 1.3) and at rest (AES-256);
  • limited sub-processor access on a need-to-know basis;
  • contractual obligations on sub-processor onward transfers;
  • annual review of sub-processor security posture.

For US-based sub-processors certified under the EU-US Data Privacy Framework (Google, where applicable), we rely on the DPF in addition to SCCs. We do not rely on the deprecated EU-US Privacy Shield (invalidated by Schrems II in 2020 and replaced by the DPF in July 2023).

8Your rights

EU/EEA/UK (GDPR / UK GDPR)

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object to legitimate-interest processing (Art. 21)
  • Right to withdraw consent at any time (Art. 7(3))
  • Right to lodge a complaint with a supervisory authority — for NL-based users, this is the Autoriteit Persoonsgegevens.

California (CCPA/CPRA)

  • Right to know what information is collected and shared
  • Right to delete personal information
  • Right to correct inaccurate information
  • Right to opt out of "sale" or "sharing" — we do not sell personal information in the CCPA sense, but you can still submit a request
  • Right to non-discrimination for exercising your rights
  • Right to limit use of sensitive personal information — we do not collect any

Canada (PIPEDA + Quebec Law 25)

  • Right of access and correction
  • Right to withdraw consent
  • Right to data portability (Quebec Law 25)

Australia (Privacy Act 1988 + APP)

  • Right of access (APP 12)
  • Right of correction (APP 13)

Email contact@hostrev.io to exercise any of these. We respond within 30 days (60 days under CCPA, extendable by 45 days with notice) and may ask for proof of identity before fulfilling the request.

9Cookies and tracking

See our cookie policy for the full breakdown. In short:

  • Strictly necessary (no consent required): session cookies, CSRF tokens, site-password gate cookie during pre-launch.
  • Analytics (opt-in): PostHog EU product analytics, Sentry error monitoring.
  • Marketing (opt-in): pixel-based retargeting when and if we add LinkedIn / Meta / Google advertising.

You can change your preferences at any time via the "Cookie preferences" link in the footer.

10Children

HostRev is intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact contact@hostrev.io and we will delete it promptly.

11Security

We implement technical and organisational security measures appropriate to the risk: TLS in transit, AES-256 at rest, row-level security policies, access controls, audit logging, regular backups, and incident response procedures. No internet service is completely secure. If we become aware of a personal-data breach likely to result in a high risk to your rights, we will notify affected users without undue delay per GDPR Art. 34.

12Changes to this policy

We may update this policy. Material changes are communicated by email to active users at least 30 days before they take effect. The version number and effective date at the top of this page always reflect the most recent revision.

13Relationship to Airbnb

HostRev is independent. We are not affiliated with, endorsed by, or sponsored by Airbnb, Inc. We only access the publicly visible content of the listing URL you provide; we do not log in to your Airbnb account, do not bypass Airbnb's terms, and do not have an API integration with Airbnb.

14Contact

HostRev Solutions
2e Wormenseweg 75, 7331 VD Apeldoorn, The Netherlands
KvK: 42073239 · VAT ID: NL003627894B03
contact@hostrev.io

Questions? Email contact@hostrev.io.