Privacy Policy

1. Who we are

thehost.life is operated by JCC Global Unipessoal Lda, VAT 519070437, Ponta Delgada, Azores, Portugal. We are the data controller for personal data collected through this service.

2. Data we collect

• Account data: your email address, used to authenticate you via magic link.
• Property data: property name, address, check-in/out times, WiFi credentials, house rules, local tips, and photos that you provide.
• Usage & analytics: how you use the Service (features accessed, time spent, etc.) to improve the product and understand user behavior.
• Billing: subscription status. Payment details are handled exclusively by Stripe — we do not store card numbers.

3. How we use your data

We use your data to:

• Operate the service and display your guest pages
• Send you transactional emails (signup, payment confirmation, cancellation) via Resend
• Process subscription payments via Stripe
• Generate AI-powered welcome book content using the Anthropic Claude API
• Track usage and analytics to improve the Service (GA4 — coming soon)

We do not sell your data, use it for advertising, or share it with third parties except as necessary to operate the service.

3a. Legal basis for processing (GDPR)

We process your personal data on these legal bases:

• Contract: Processing needed to provide the Service (email, password, payment info)
• Legitimate interest: Analytics and usage data to improve the Service, fix bugs, and understand product usage
• Legal obligation: Tax and payment records as required by Portuguese and EU law

4. Data storage

Your data is stored in Supabase (PostgreSQL database and file storage). Our Supabase project is hosted in the EU region. Property photos are stored in Supabase Storage.

5. Third-party processors

Your data may be shared with these processors to operate the Service:

• Supabase (EU) — database, authentication, file storage
• Anthropic (USA) — AI content generation (property data sent to Claude API for welcome book creation)
• Stripe (USA) — payment processing (card data never reaches our servers)
• Resend (USA) — transactional email delivery
• Vercel (USA) — application hosting and serverless functions
• Google Analytics 4 — (planned) website analytics (cookies may be used for tracking)

We have data processing agreements in place with these processors to ensure your data is protected. Some processors are located outside the EU/EEA and may be subject to different data protection laws.

6. Your rights (GDPR)

If you are based in the EU/EEA, you have the right to:

• Access: request a copy of the data we hold about you
• Deletion: request deletion of your account and all associated data
• Portability: receive your data in a machine-readable format
• Correction: update inaccurate data directly in the dashboard or by contacting us

To exercise any of these rights, email joaocmcabral@gmail.com with the subject line "Data request — [your email]". We will respond within 30 days.

7. Data retention

• Active accounts: Data is retained for as long as your account exists
• Deleted accounts: After deletion, we retain your data for 6 months to allow account recovery. After 6 months, all data is permanently deleted
• Analytics/usage data: Retained indefinitely in anonymized, aggregated form to improve the Service
• Legal/tax records: Retained as required by Portuguese and EU law (typically 5-7 years)

8. Cookies & Analytics

We use a session cookie to keep you signed in. When GA4 is enabled, Google Analytics may place tracking cookies on your browser to collect usage data. You can opt out by disabling cookies in your browser settings.

9. Contact

Privacy questions or GDPR requests: joaocmcabral@gmail.com