Privacy Policy
Last updated: 2026-03-18
Effective Date: March 1, 2026
Last Updated: March 1, 2026
This Privacy Policy explains how StaySpark ("we," "us," "our") collects, uses, stores, and shares your information when you use our platform at stayspark.io. StaySpark is owned and operated by Matt Brown, based in Charlotte, North Carolina, USA.
We believe in transparency. This policy is written in plain English — no buried surprises.
1. Who This Policy Covers
This policy applies to:
- Hosts — Users who create accounts and build direct booking websites on StaySpark
- Guests — People who book stays through StaySpark-powered websites
- Visitors — Anyone browsing stayspark.io or a StaySpark-generated website
2. What We Collect
From Hosts (Account Holders)
| Data | Why |
|---|---|
| Name, email address | Account creation, communication |
| Password (hashed) | Authentication via NextAuth.js |
| Subscription & billing info | Payment processing via Stripe |
| Property details & photos | Generating your direct booking website |
| Airbnb/VRBO listing URLs | Importing your listing data |
| Usage data | Improving the platform |
From Guests (Bookers)
| Data | Why |
|---|---|
| Name, email, phone number | Booking confirmation & communication |
| Payment information | Processed by Stripe — we never see full card numbers |
| Booking details (dates, property, guests) | Fulfilling the reservation |
Automatically Collected
| Data | Why |
|---|---|
| Page views & basic analytics | Umami Analytics (privacy-friendly, no cookies, no personal data) and Microsoft Clarity (UX analytics) |
| Device type, browser, general location | Standard web analytics |
| Cookies (essential only by default) | See our Cookie Policy |
3. How We Use Your Data
We use your information to:
- Provide the Service — Generate websites, process bookings, send confirmations
- Process payments — Via Stripe Connect for guest bookings and subscription billing
- Communicate with you — Transactional emails (booking confirmations, account updates) via Resend
- Improve the platform — Analytics, bug fixing, feature development
- Generate content — Your listing data is processed through OpenAI/Anthropic APIs to create website content
- Send marketing emails — Only with your consent (see Marketing Consent)
- Comply with legal obligations — Tax reporting, legal requests
4. How We Share Your Data
We do not sell your personal data. Period.
We share data with these service providers, solely to operate the Platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing info, transaction data |
| Vercel | Website hosting | All website content, traffic data |
| Supabase | Database & file storage | Account data, property data, photos |
| OpenAI / Anthropic | AI content generation | Property descriptions, listing details |
| Umami Analytics | Privacy-friendly analytics | Anonymized page views (no personal data) |
| Microsoft Clarity | UX analytics (session replay, heatmaps) | Anonymized interaction data |
| Resend | Email delivery | Email addresses, email content |
We may also share data:
- When required by law, subpoena, or legal process
- To protect StaySpark's rights, safety, or property
- In connection with a merger, acquisition, or sale of assets (we'll notify you)
AI Processing Disclosure
When you paste a listing URL or create content, we send property information to OpenAI and/or Anthropic APIs to generate your website. This data is processed according to their API terms (not used to train their models under current API agreements). We do not send guest personal data to AI services.
5. Data Storage & Security
- Where: Your data is stored in the United States via Supabase (database and file storage) and Vercel (hosting)
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest
- Authentication: Managed via NextAuth.js with secure session handling
- Payments: All payment data is handled by Stripe (PCI DSS Level 1 compliant) — we never store credit card numbers
- Access: Limited to essential personnel on a need-to-know basis
No system is 100% secure. We implement reasonable safeguards but cannot guarantee absolute security.
6. Data Retention
- Active accounts: We retain your data as long as your account is active
- Closed accounts: We delete your data within 90 days of account closure, except where required by law (e.g., tax records)
- Guest booking data: Retained as long as the host's account is active, or as required for legal/tax purposes
- Analytics: Umami and Microsoft Clarity retain anonymized analytics data per their respective retention policies
7. Your Rights
All Users
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data (subject to legal retention requirements)
- Export your data in a portable format
- Opt out of marketing communications
To exercise any of these rights, email us at support@stayspark.io.
California Residents (CCPA)
If you're a California resident, you additionally have the right to:
- Know what personal information we collect and why
- Request deletion of your personal information
- Opt out of the sale of personal information (we don't sell your data)
- Non-discrimination for exercising your rights
To make a CCPA request, email support@stayspark.io with "CCPA Request" in the subject line. We'll respond within 45 days.
European Residents (GDPR)
If you're in the European Economic Area (EEA) or UK, you have additional rights under GDPR:
- Legal basis for processing: Contract performance (providing the Service), legitimate interest (improving the platform), and consent (marketing emails)
- Data portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to restrict processing
- Right to lodge a complaint with your local data protection authority
For GDPR requests, email support@stayspark.io with "GDPR Request" in the subject line.
Host Responsibilities for Guest Data
If you're a host, you act as the data controller for your guests' personal data. StaySpark acts as a data processor on your behalf. See our Data Processing Agreement for details. You are responsible for:
- Having a legal basis to collect guest data
- Informing guests about how their data is used
- Responding to guest data requests related to your properties
8. Cookies
We use minimal cookies. See our Cookie Policy for full details. In short:
- Essential cookies: Required for the platform to function (authentication, session management)
- Analytics: Umami Analytics is cookie-free by design; Microsoft Clarity may use session cookies for UX improvement
- No third-party tracking cookies by default
9. Children's Privacy
StaySpark is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided data to us, contact support@stayspark.io and we'll delete it promptly.
10. International Data Transfers
StaySpark is based in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the US. By using StaySpark, you consent to this transfer. We rely on Standard Contractual Clauses and other appropriate safeguards for transfers from the EEA/UK.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We'll update the "Last Updated" date
- We'll notify you by email for material changes
- Continued use after changes constitutes acceptance
12. Contact Us
Questions or concerns about your privacy?
- Email: support@stayspark.io
- Website: stayspark.io
This Privacy Policy was last updated on March 1, 2026.