Privacy Policy

Last updated: March 27, 2026

1. Data Controller

The data controller for your personal data is OnboardGuest, headquartered at 75 rue Leon Blum, France.

For any questions regarding the protection of your data, please contact us at: contact@onboard-guest.com

2. Data Collected and Purposes

We only collect data that is strictly necessary to provide our service. Here is a breakdown of the processing carried out:

2.1 Account Data

  • Data collected: email address, name (via Google OAuth)
  • Purpose: account creation and management, authentication
  • Legal basis: performance of a contract (Art. 6.1.b GDPR)

2.2 Property Data

  • Data collected: property name, address, amenities, services, WiFi credentials, house rules, local guide, and any information entered during portal configuration
  • Purpose: generation and display of the digital welcome portal
  • Legal basis: performance of a contract (Art. 6.1.b GDPR)

2.3 Billing Data

  • Data collected: payment details (credit card, etc.) are collected and processed directly by Stripe — OnboardGuest never stores your banking information
  • Purpose: payment processing and subscription management
  • Legal basis: performance of a contract (Art. 6.1.b GDPR)

2.4 Navigation and Analytics Data

  • Data collected: pages visited, session duration, device type, country of origin (anonymised or pseudonymised data)
  • Purpose: service improvement, performance analysis, error detection
  • Legal basis: legitimate interest (Art. 6.1.f GDPR) and/or consent (Art. 6.1.a GDPR) depending on the tool

3. Data Retention

  • Account data: retained for the duration of the account, then deleted within 30 days of account closure
  • Property data: retained while the account is active, then deleted within 30 days of subscription cancellation
  • Billing data: retained for 10 years in accordance with legal accounting and tax obligations
  • Analytics data: retained according to each third-party tool's policy (generally 13 to 26 months)

4. Recipients and Sub-processors

Your data may be shared with the following sub-processors, strictly within the scope of providing the service:

  • Supabase (database hosting) — data hosted within the European Union
  • Stripe (online payment) — PCI DSS certified; data may be processed in the United States under appropriate safeguards (standard contractual clauses)
  • Google (OAuth authentication, Google Analytics, Google Tag Manager) — data may be processed in the United States under appropriate safeguards (EU–US Data Privacy Framework)
  • Microsoft Clarity (session recordings, heatmaps) — data may be processed in the United States under appropriate safeguards
  • Vercel (application hosting, performance analytics) — data may be processed in the United States under appropriate safeguards

These sub-processors are contractually bound to comply with applicable data protection regulations. Your data is never sold to third parties.

5. Transfers Outside the European Union

Some of our sub-processors (Stripe, Google, Microsoft, Vercel) are based in the United States. These transfers are governed by appropriate safeguards in accordance with the GDPR: standard contractual clauses (SCCs) approved by the European Commission and/or participation in the EU–US Data Privacy Framework (DPF).

6. Cookies and Trackers

Our website uses the following categories of cookies:

  • Strictly necessary cookies: essential for the service to function (session, authentication). No consent required.
  • Analytics cookies: Google Analytics and Vercel Analytics measure site traffic and performance. Data is anonymised or pseudonymised.
  • Behavioural measurement cookies: Microsoft Clarity records user interactions (clicks, scrolling, heatmaps) to improve the user experience.
  • Tag management cookies: Google Tag Manager orchestrates the triggering of other measurement tools.

You can opt out of non-essential cookies by contacting us at contact@onboard-guest.com. You may also configure your browser to refuse cookies.

7. Your Rights

Under the GDPR (Articles 15 to 22), you have the following rights regarding your personal data:

  • Right of access: obtain a copy of your personal data
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request the deletion of your data ("right to be forgotten")
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to restriction: request the temporary suspension of a processing activity

To exercise these rights, send your request to contact@onboard-guest.com. We will respond within one month.

If you believe your rights are not being respected, you may lodge a complaint with your local supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr.

8. End Guest Data

OnboardGuest does not directly collect personal data from the end guests who visit the welcome portals created by hosts. The host is solely responsible for any processing of data relating to their own guests, and must comply with the GDPR in the context of their activity.

9. Data Security

OnboardGuest implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure. These measures include encrypted communications (HTTPS), strict database access controls, and the use of certified providers.

10. Changes to This Policy

OnboardGuest reserves the right to modify this privacy policy at any time. In the event of a material change, you will be notified by email or via a notice displayed on the Platform. The date of the last update is indicated at the top of this page.