BnB Scheduler

Privacy Policy

Last updated: June 1, 2026

Overview

BnB Scheduler ("BnB Scheduler", "we", "our", or "us") is a property management platform for short-term rental hosts, operated by Lash Digital Solutions LLC, a Florida limited liability company. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our website, web application, any mobile apps we make available, or related services (collectively, the "Service").

By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

Who This Policy Covers

This Policy applies to two distinct groups:

  • Hosts and team members — account owners, property managers, and staff who sign up for the Service to manage their short-term rental operations.
  • Guests— individuals whose personal information is processed by the Service because a host added their reservation, sent them a message, or accepted their direct booking. Guests interact with the Service through guest portals and booking pages but do not have BnB Scheduler accounts. Hosts are the data controllers of their guests' information; we process it on hosts' behalf.

Information We Collect

From Hosts and Team Members

  • Account credentials: email address, full name, phone number (optional), bcrypt-hashed password, two-factor authentication secret (if enabled), bcrypt-hashed recovery codes
  • Billing information: payment method details are collected and stored by Stripe, Inc.; we receive only metadata (last 4 digits of card, brand, expiration, billing email)
  • Property information: property names, addresses, geocoordinates (auto-derived from address), photos, descriptions, house rules, amenities, pricing, tax configuration, cancellation policies, door codes, Wi-Fi credentials, check-in instructions
  • Branding assets: company name, custom logo (uploaded to AWS S3), color palette
  • Operational data: tasks (cleaning, maintenance, etc.), task photos, task comments, checklists, inventory counts, damage reports and their photos, automation rules, guest message templates, staff availability schedules, team assignments
  • Accounting records (optional): if you use the accounting features, the income and expense entries, categories, vendor names, notes, and receipt images you upload (stored on AWS S3), plus recurring-bill rules
  • Smart-lock data (optional): if you connect smart locks, the lock devices and labels you add and the time-bound access codes generated for reservations. Your lock-account connection is held by our smart-lock provider (Seam); we store device identifiers and the generated codes
  • Stripe Connect data (for direct booking): if you enable direct booking, Stripe collects identity verification information from you under their own privacy policy. We receive only your Stripe account ID, capability flags (charges enabled / payouts enabled), and requirement statuses — we never receive your Social Security Number, EIN, or bank account details
  • Calendar feed URLs: the iCal URLs you provide for Airbnb, VRBO, Booking.com, and other booking sources, and the reservation data we import from them
  • Security and audit information: IP addresses, user-agent strings, login attempts, password reset requests, role changes, refresh-token rotation events

From Guests

  • Reservation data imported from connected calendars: guest names, reservation dates, booking source, external booking reference
  • Direct booking submissions: guest name, email address, phone number, number of guests, presence of pets, booking notes, and payment details collected by Stripe Checkout (or, where applicable, an alternative payment processor)
  • Two-way messages: messages a guest sends the host through the guest portal, and the host's replies. To help hosts triage, inbound guest messages may be automatically classified for topic and urgency by our AI provider (Anthropic); see "How We Use Your Information."
  • Smart-lock access codes: if the host uses smart locks, the access code (PIN) issued for the reservation is shown to the guest in their portal
  • Guest portal access: when a guest opens their guest portal link, we log access for security purposes

From Prospective Users

If you join our launch waitlist, we collect the email address you submit solely to notify you about availability and product updates. You can ask us to remove it at any time by emailing privacy@bnbscheduler.com.

Automatically Collected

  • Usage data: pages viewed, features used, timestamps, browser type, device type, operating system
  • Error and performance telemetry: we use Sentry to capture unhandled errors, performance traces (10% sampled), and session replays with personally identifiable text masked
  • Authentication state: session tokens stored in HTTP-only cookies on the web and in encrypted secure storage on mobile

How We Use Your Information

  • To provide, maintain, and improve the Service
  • To authenticate users and protect against unauthorized access
  • To synchronize external calendars and import reservations
  • To process payments for SaaS subscriptions (via Stripe Billing) and to facilitate guest payments to hosts (via Stripe Connect)
  • To deliver task notifications, automation emails, and guest messages you configure
  • To power optional AI-assisted features you choose to use — drafting and translating guest replies, generating listing descriptions and message templates, translating listings, and classifying the topic and urgency of inbound guest messages
  • To generate and revoke time-bound guest access codes on smart locks you connect
  • To geocode property addresses and display maps
  • To respond to support requests and communicate about the Service
  • To diagnose technical issues, monitor security events, and prevent abuse
  • To comply with legal obligations, court orders, and tax requirements

AI features and your data.When you use an AI-assisted feature, the relevant content (such as a property fact-sheet, a draft, or a guest message) is sent to our AI provider, Anthropic, solely to return a result. Under Anthropic's commercial terms, that content is not used to train its models. AI message classification runs in the background and never delays a guest's message; AI drafts and translations are suggestions only and are never sent automatically. Neither we nor our AI provider uses your data to train models, and we do not sell, rent, or trade your personal information to third parties for their own marketing.

Third-Party Service Providers (Sub-Processors)

We share data only with vendors who help us run the Service, under written agreements that restrict their use of your data. Current sub-processors:

  • Stripe, Inc. — payment processing for SaaS subscriptions (Stripe Billing) and direct guest bookings (Stripe Connect). Stripe is a PCI-DSS Level 1 service provider; we never see raw card data.
  • Amazon Web Services, Inc. (AWS) — application hosting (ECS), database (RDS PostgreSQL), file storage (S3 for photos, logos, and receipts), and secrets management. All in US-East regions.
  • Anthropic, PBC — AI processing that powers optional assistive features (reply drafting and translation, listing and template generation, and inbound-message classification). Content sent for these features is processed only to return a result and is not used to train Anthropic's models.
  • Seam Labs, Inc. — smart-lock connectivity (optional). If you connect smart locks, Seam holds your lock-account connection and generates or revokes the time-bound guest access codes used at your properties.
  • Resend, Inc. — transactional email delivery from notifications@bnbscheduler.com (replies are directed to support@bnbscheduler.com). We also process delivery events (hard bounces and spam complaints) from this provider to maintain a suppression list, so we stop emailing addresses that can't or don't want to receive our messages.
  • Vercel, Inc. — frontend hosting and DNS for bnbscheduler.com and tenant subdomains.
  • Google LLC (Maps Platform) — address geocoding and map rendering. We share property addresses only; never guest information.
  • Functional Software, Inc. (Sentry) — error monitoring and performance telemetry, with PII masking enabled on session replay.
  • Cloudflare, Inc. (Turnstile) — bot and abuse protection on public forms (sign-up, password reset, waitlist). Processes limited interaction signals and your IP address to verify you are human; it is privacy-respecting and is not used for cross-site tracking or advertising.
  • ImprovMX — inbound email forwarding for @bnbscheduler.com aliases.

We may engage additional payment processors in the future (for example, to support hosts in regions where our primary processor is unavailable). Any such provider will be added to this list and bound by equivalent data-protection terms.

We may also disclose information when required by law, subpoena, or court order, or to protect the rights, safety, or property of BnB Scheduler, our users, or the public.

Data Security

We implement industry-standard security measures, including:

  • TLS 1.2+ encryption for all data in transit (HTTPS-only)
  • Encryption at rest for database and object storage
  • Bcrypt password hashing with per-user salts
  • Short-lived JWT access tokens with single-use refresh-token rotation and theft detection
  • Optional two-factor authentication (TOTP) with bcrypt-hashed recovery codes
  • Per-account login rate limiting and lockout after repeated failures
  • Multi-tenant data isolation enforced at the application layer
  • Daily database backups with point-in-time recovery
  • Comprehensive audit logging of security-relevant events

No method of transmission or storage is perfectly secure. If we become aware of a security incident that materially affects your personal information, we will notify affected users without undue delay and consistent with our legal obligations.

Data Retention

We retain personal data while your account is active and as long as needed to provide the Service. When you close your account through the in-product cancellation flow, we:

  • Immediately revoke account access and log you out
  • Complete any outstanding refunds and Stripe Connect cleanup (typically a few business days while balances settle)
  • Delete personal data from active systems, retaining only what is legally required (e.g., transactional records for tax, anti-fraud, or dispute purposes)

Routine database backups may retain deleted data for up to several days (currently a 7-day backup window) before being aged out. Audit logs are retained for security purposes for up to 24 months.

Your Rights and Choices

Regardless of where you live, you may:

  • Access and update most of your information directly through the dashboard
  • Request an export of your account data (offered as part of the account closure flow, or by emailing us)
  • Close your account at any time and have your personal data deleted, subject to legal retention requirements
  • Opt out of non-essential communications (transactional emails are required to operate the Service and cannot be opted out of)

California residents (CCPA/CPRA): you have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising, and we treat a Global Privacy Control (GPC) browser signal as a valid opt-out request where applicable. Send requests to privacy@bnbscheduler.com.

European Economic Area, UK, and Switzerland (GDPR/UK GDPR): Lash Digital Solutions LLC acts as data controller for host account data and as data processor for guest data (where the host is the controller). You have the rights of access, rectification, erasure, restriction, portability, and objection. The legal basis for processing is contract performance, our legitimate interests in operating the Service, or your consent where required. Data is hosted in the United States; we rely on Standard Contractual Clauses or equivalent safeguards for international transfers. You may lodge a complaint with your supervisory authority. Send requests to privacy@bnbscheduler.com.

Children's Privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact privacy@bnbscheduler.com and we will delete it.

Cookies and Local Storage

We use:

  • Authentication cookies (essential): HTTP-only secure cookies store session and refresh tokens. Without these, you cannot stay logged in.
  • Local storage (essential): small preference flags such as sidebar expand state and dismissed banners.
  • Sentry session replay storage: brief in-memory buffers used to capture error context; sensitive fields are masked.

We do not use tracking cookies, advertising cookies, or third-party analytics that follow you across sites.

International Users

The Service is operated from the United States and data is hosted on US-based AWS infrastructure. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States, which may have different data-protection rules than your country.

Changes to This Policy

We may update this Privacy Policy as the Service evolves. The "Last updated" date at the top reflects the most recent revision. For material changes, we will provide additional notice (such as an in-product banner or email). Continued use of the Service after a change means you accept the updated Policy.

Contact

Privacy questions, requests, or complaints should be sent to privacy@bnbscheduler.com. For general support, use support@bnbscheduler.com. BnB Scheduler is operated by Lash Digital Solutions LLC, a Florida limited liability company.

← Back to Home