Privacy Policy

Last updated: May 2, 2026

Plain-English summary. AwayWatch is the back-office for vacation rental owners. We store the data you put in (invoices, vendors, bookings, taxes), use it only to deliver the service you signed up for, and never share it with third parties for marketing. You own your data, can export it anytime, and can delete your account whenever you want. We use third-party processors (Hostinger for hosting, Anthropic for AI invoice OCR) and disclose them below.

1. Who we are

AwayWatch ("we", "us", "our") is operated by Germain Delagardelle, an individual operator providing a SaaS back-office for vacation rental owners. Contact details are listed in the Imprint.

2. What data we collect

2.1 Account data (you provide)

Name + email when you accept an invitation or are added by an existing customer.
Password (stored hashed; never readable to us).
Optional: phone number, secondary email, language preference.
Two-factor authentication: an authenticator-app secret (encrypted at rest) and/or an email-based fallback flag.

2.2 Operating data (you upload + the app generates)

Invoices & receipts — PDF / image files plus the extracted line-item data.
Bookings — guest name, email, stay dates, prices (when supplied by your booking platform via iCal feed, Smoobu API, email forwarding, or CSV import).
Vendors — names, contacts, tax IDs, payment history.
Bank statements — CSV imports for matching expenses (we never see your card numbers; we don't process payments).
Tax filings — locally generated forms (DR-15, TDT, 1099-NEC, Schedule E packet).
Audit log — who changed what and when, retained for compliance + dispute resolution.

2.3 Technical data (collected automatically)

Session cookies (essential, for login).
IP address + user-agent on each request, retained briefly for security investigation.
Heartbeat row in user_sessions showing your last-active timestamp (for the operator's own session-management view).

3. How we use the data

To deliver the service you signed up for — book-keeping, vendor management, tax-form generation, compliance tracking. This is the legal basis: contract.
To send transactional email — booking confirmations to your guests when you've configured email templates, password resets, expiry alerts. Legal basis: contract.
To meet legal obligations — keeping audit logs, retaining records for tax/accounting purposes. Legal basis: legal obligation.
To improve the product — aggregated, non-identifying usage patterns (e.g. how often a feature is opened). Legal basis: legitimate interest.

We do not sell, rent, or share your data with third-party marketers. We do not use your data to train AI models. We do not show ads.

4. Sub-processors

We use these third parties to operate the service. Each processes data only on our instructions:

Processor	Purpose	Data they see	Location
Hostinger International Ltd.	Application hosting + database storage	Everything in your tenant	EU (Lithuania), USA
Anthropic PBC	AI extraction of invoices / receipts / utility bills via Claude API	The PDF / image contents you upload, only at the moment of extraction	USA
Frankfurter / European Central Bank	Daily FX rates for non-USD mortgage conversion	None of yours — we only fetch public rate data	EU
SES / SMTP provider (when configured)	Outbound email delivery	Email recipients + body content	varies by host's region

Anthropic's data-handling: per their privacy policy, API requests are not used for model training and are retained for up to 30 days for trust & safety review.

5. Where data is stored

Application data lives in the database hosted by Hostinger. Backups are taken nightly to the same provider. We do not transfer data to non-adequacy jurisdictions beyond the sub-processors listed above.

6. How long we keep data

Active customers — for as long as your account is open.
After account deletion — soft-deleted immediately; permanently erased after 30 days. Backup tapes age out within 30 days of deletion.
Audit log — kept for 6 years (matches typical tax-record retention requirements).
Tax-related records — kept for 7 years after the relevant tax year, even after account closure, to comply with US/EU record-retention rules.

7. Your rights

If you're in the EU/UK, GDPR gives you these rights. We honour them globally for all users:

Access — see what we hold (every invoice / booking / vendor; available via self-serve export).
Portability — download a complete ZIP of your data (CSV + original PDFs).
Rectification — edit anything wrong.
Erasure — delete your account; data soft-deleted then permanently erased after 30 days.
Restriction / objection — pause or limit specific processing.
Complaint — file with your data-protection authority (e.g. CNPD in Luxembourg, BfDI in Germany).

8. Cookies

We use only essential cookies — the session cookie that keeps you logged in and the CSRF token. We do not run analytics or advertising trackers. The cookie banner you saw on first visit confirms this and offers no "accept tracking" option because there is nothing to accept.

9. Security

HTTPS-only (HSTS enabled) for all traffic.
Passwords stored using bcrypt; secrets (TOTP, recovery codes) encrypted at rest.
Per-tenant query isolation (one customer never sees another's data, even on shared infrastructure).
Activity log of every change (who, when, what was changed).
Two-factor authentication available; recommended for all owner accounts.

10. Breach notification

If we discover a personal-data breach affecting you, we'll notify you within 72 hours of confirming it (per GDPR Art. 33). The notice will describe what happened, what data was affected, and what steps you can take.

11. Children

AwayWatch is a B2B tool for property owners and is not directed at children. We do not knowingly collect data from anyone under 16.

12. Changes to this policy

If we change this policy materially, we'll notify the operator email of every active account at least 14 days before the change takes effect. The "Last updated" date at the top always reflects the current version.

13. Contact

For privacy questions, data requests, or to report a concern: see the contact details in the Imprint.