← Rent Tool

Privacy Policy

Last updated: 2026-05-04

Scope

This policy covers the free hosted instance at renttools.io. If you self-host the open-source code, you control your own data — this policy does not apply.

What data we collect

  • Account: the username and hashed password you provide at signup. We do not require an email at signup. Passwords are hashed with bcrypt and never stored in cleartext.
  • Properties & reservations: everything you create or import — names, dates, platforms, notes. iCal feeds you connect (Airbnb, Booking.com) are pulled every 10 minutes.
  • Guest records: if you upload a passport photo for extraction, the photo is sent to Google Gemini Vision for OCR and the extracted fields are stored in your account. Photos themselves are not retained after extraction completes.
  • Operational logs: request logs (path, status, duration, IP, user ID) are kept for up to 30 days to debug issues. Sync logs are retained per property to power the alerts banner.
  • Audit log: a record of mutations on your own resources (create / update / delete) is retained so you can review your own activity from the Profile panel.

Where data lives

Production data is stored in a SQLite database on a DigitalOcean droplet operated by the maintainer. Daily backups are kept on the same machine for 14 days, weekly for 8 weeks, monthly for 6 months. During the migration off the previous Vercel + Turso stack, some logs may briefly co-exist on both providers; this transitional state ends once the cutover is complete.

Passport photos are sent to Google Gemini for OCR. Google's data handling for the Gemini API is governed by Google's API terms.

Cookies

We set one HTTP-only session cookie (rent-tool-session), a 7-day JWT, used solely for authentication. We do not use third-party analytics, advertising, or tracking cookies on the hosted instance.

Sharing

We do not sell or rent your data. We share data only with the infrastructure providers that host the service (the droplet provider and Google Gemini, as listed above), and only to the extent necessary to operate the service.

Your rights (GDPR)

  • Access & export:the Reports panel exports your reservations as CSV. The Profile > Audit Log section shows your activity history. A full account export is available from the Profile panel.
  • Deletion:Profile > Danger zone > Delete my account permanently removes your account immediately, along with every property, reservation, guest, calendar link, message template, cleaning record, audit entry and extraction log we hold for you. The action requires re-typing your username and current password and cannot be undone. Backups containing the deleted data age out within 6 months.
  • Rectification: all fields are user-editable through the app.

Guest passport data — your responsibility

When you store a guest's passport details, you are the data controller under GDPR for that information. Make sure you have a lawful basis to collect and retain it, and respect your guests' rights to access, rectify, and delete. Rent Tool is the data processor and will act on instructions from you (the controller) — including erasure.

Children

The service is intended for property owners and is not directed at children. Don't create accounts on behalf of minors.

Contact

Questions or data-rights requests: github.com/Gribadan/rent-tool/issues.