Last updated · April 20, 2026

Privacy policy

The short version: we collect what we need to run the service, we don't sell it, and we don't use your data for advertising. The long version is below.

Who runs this

hostcare.app (“we”, “us”) is operated by Marcin Walczak, an individual developer based in Poland. If you need to reach a human, email info@hostcare.app.

What we collect

From hosts (you)

Account info: your email address (required to sign in), optional name, and an optional password if you choose to set one. Without an email we can't send you magic-link sign-in links, so this is non-negotiable.
Property data: names, addresses, access codes, iCal URLs from Airbnb / VRBO / Booking.com / other platforms, and any notes you add.
Cleaner roster: names, phone numbers, optional emails, rate info. This data belongs to you — we store it only so we can dispatch cleans on your behalf.
Booking data: we fetch your iCal feeds every 15 minutes and store the check-in/check-out dates and guest names your calendar exports. We do not contact guests.
Clean records + photos: metadata for every clean (who, when, amount owed/paid) plus photo uploads from cleaners.
Basic request logs: IP address, browser user-agent, and timestamps, kept for 30 days for abuse detection and debugging.

From cleaners

Phone number (provided by the host who employs them), so we can send the SMS dispatch link.
Confirmation responses (Accept / Can't make it) and photo uploads submitted through the tokenized link we text them.
We do not require cleaners to create accounts, download an app, or share location data.

Automatically collected

Standard web server logs, first-party session cookies (a signed session identifier + a CSRF token), and aggregate traffic stats via Plausible Analytics.

Plausible. A privacy-friendly, cookieless alternative to Google Analytics. It records pageviews and referrer, but no cookies, no cross-site tracking, no personal identifiers, no IP addresses stored, no fingerprinting. Because it collects no personal data, it doesn't trigger GDPR/ePrivacy consent requirements — you won't see a cookie banner on hostcare.app.

We don't use Google Analytics, Meta Pixel, TikTok Pixel, or any advertising tracker.

What we do with it

Dispatch SMS messages to cleaners on your behalf.
Send you transactional emails (sign-in links, receipts).
Render your dashboard and the cleaner confirmation page.
Parse iCal feeds into bookings and create cleaning jobs.
Store photos your cleaners upload so you can verify completed cleans.
Debug issues and prevent abuse.

That's it. We do not profile you, train AI on your data, or sell it.

SMS and phone numbers (Twilio)

We send SMS messages through Twilio, a telecommunications carrier. When you enter a cleaner's phone number, we store it on our servers and pass it to Twilio to deliver the message. Twilio is bound by its own privacy terms and applicable telecom regulations.

We do not share phone numbers with any third party for marketing purposes, and we do not sell phone numbers. Cleaners can reply STOP to any SMS to opt out — that's handled by Twilio at the carrier level. If a cleaner opts out, we'll surface that in your host dashboard and you'll need to contact them directly to re-enable SMS.

Where the data lives

Database: our Postgres instance on our own server in the EU (Falkenstein, Germany).
Photos: Cloudflare R2 (global, encrypted in transit and at rest).
SMS delivery: Twilio (US).
Transactional email: Resend (US).

We transfer personal data across borders (EU → US) as needed to deliver SMS and email. If you're in the EU, we rely on the standard contractual clauses published by the European Commission; our subprocessors (Twilio, Resend, Cloudflare) publish their own SCCs and privacy terms.

How long we keep it

While your account is active: indefinitely, so your dashboard stays useful.
After you delete your account: we remove your data within 30 days, with two exceptions:
- Aggregated, non-identifying counts (e.g. "N cleans in April 2026") may be kept for internal metrics.
- Records we're legally required to retain (e.g. accounting records for up to 5 years under Polish tax law).
SMS delivery logs: 30 days for abuse/debugging, then anonymized.

Your rights

Regardless of where you're based, you can:

See everything we have on you — email us and we'll export it.
Correct anything that's wrong — the dashboard does most of this; for the rest, email us.
Delete your account — there's a button in Settings, or email us.
Take your data with you — we'll send you a JSON export within 30 days of asking.

If you're in the EU / UK, you additionally have GDPR rights (portability, objection, restriction). Exercise them by emailing us. If we handle your request badly, you can complain to your local data protection authority.

If you're in California, CCPA/CPRA rights apply. We don't "sell" personal information as the statute defines it.

Subprocessors

We use:

Twilio — SMS delivery
Resend — transactional email
Cloudflare R2 — photo storage
Cloudflare — DNS
Hetzner — server hosting (EU)

If we add or swap a subprocessor, we'll update this list and email you. If you object, you can cancel your subscription.

Security

Standard stuff: TLS for everything in transit, hashed passwords (bcrypt) when set, session tokens via signed cookies, database on a private network, backups encrypted. If we discover a breach involving your data, we'll email you within 72 hours with what we know, what we're doing about it, and what you should do.

Kids

hostcare.app is a B2B product for rental hosts. We don't knowingly collect data from anyone under 16. If we somehow end up with it, email us and we'll delete it.

Changes

If we change this policy materially (e.g. adding a new subprocessor category, or starting to use your data for something new), we'll email every active account at least 14 days before it takes effect. Small wording changes we'll just update here and bump the "last updated" date.

Contact

info@hostcare.app for anything — privacy requests, abuse reports, subpoenas (we'd rather see them), or just feedback.