1. Introduction
This Privacy Policy describes how Turnfolio ("we," "us," or "our") collects, uses, stores, shares, and protects personal data when you use our website at turnfolio.com and related services (the "Service"). This policy applies to all users of the Service, including hosts (account holders), cleaners, inspectors, and guests whose data may be processed through the Service.
We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable United States privacy laws.
2. Data Controller
For the purposes of GDPR, the data controller for information collected directly through the Service (account data, usage data, payment data) is Turnfolio. For personal data that hosts input about guests, cleaners, and inspectors, the host acts as the data controller and Turnfolio acts as a data processor on the host's behalf.
3. Personal Data We Collect
3.1 Account Data (Host)
We collect the following information when you create an account: your email address (collected via Supabase Auth magic link sign-in), your full name (if supplied), and your account role (default: host).
3.2 Payment Data
When you subscribe to a paid plan, Stripe processes your payment. We store your Stripe customer ID, subscription ID, subscription status, plan identifier, current billing period end date, and trial end date. We also log Stripe webhook events (event ID, type, livemode status, payload hash, and processing timestamp) for auditing purposes. We do not store your full credit card number.
3.3 Property and Unit Data
Hosts provide property names, addresses, property types, cover images, unit labels, and bedroom/bathroom counts. Hosts may also provide iCal URLs from Airbnb, Vrbo, and Booking.com, which enable automatic reservation synchronization.
3.4 Reservation Data
Reservation data enters the system via iCal synchronization or manual entry. This includes the hosting platform name, reservation ID, check-in and check-out dates, and guest name. Guest names are extracted from iCal feeds as published by the hosting platform.
3.5 Photograph Data
For every photograph uploaded (baseline or checkout), we collect and store: the image file itself, original filename (sanitized), file size, SHA-256 hash (for tamper detection), EXIF timestamp, EXIF GPS latitude and longitude, EXIF camera model, software alteration flags, metadata-stripped flags, compliance pass status, and C2PA (Content Authenticity Initiative) verification data.
Important Notice Regarding EXIF Data: Photographs may contain precise geolocation data (latitude and longitude of where the photo was taken), device information (camera/phone model), and exact timestamps. We intentionally retain this metadata to support the evidentiary integrity of damage claims — proving when and where a photograph was taken and that it was not fabricated or altered. This means the Service holds a precise location-and-time record for every photograph uploaded.
3.6 Claim Data
When you generate a claim package, we store: guest name, reservation ID, platform, checkout timestamp, claim deadline, itemized claims (item name, location, action, pricing, depreciation, invoices), AI-generated claim narrative text, verification data (confidence, C2PA, editing checks), model artifacts metadata, and receipt match summaries.
3.7 Field Team Data
Hosts may enter names, email addresses, phone numbers, and roles of cleaners, inspectors, and property managers. The host is the data controller for their field team's contact information.
3.8 Data from Cleaners and Inspectors (Non-Account Holders)
When a cleaner or inspector accesses a walkthrough link and uploads checkout photographs, we process the same photograph metadata described in Section 3.5 above. The cleaner/inspector does not create an account and is not required to provide identifying information beyond what is embedded in their photograph EXIF data (device model, geolocation, timestamp).
3.9 Technical and Usage Data
We collect: authentication cookies (HTTP-only, Secure, SameSite=Lax; no advertising or third-party analytics cookies); IP addresses (hashed with SHA-256 for rate limiting, with only a 24-character prefix retained in memory and lost on restart); User-Agent and referrer headers (logged by our reverse proxy); and standard email headers for transactional emails.
4. How We Use Personal Data
We process personal data for the following purposes and legal bases:
Performance of Contract (GDPR Art. 6(1)(b)): Providing the Service, processing subscriptions, generating claim packages, enabling walkthrough links, and sending transactional notifications.
Legitimate Interests (GDPR Art. 6(1)(f)): Ensuring security and integrity of the Service (rate limiting, tamper detection, image verification), maintaining audit logs of payment events, and improving service reliability. Our legitimate interests do not override the fundamental rights and freedoms of data subjects.
Consent (GDPR Art. 6(1)(a)): Where required, such as for processing involving AI features where guest personal data is sent to third-party providers. You may withdraw consent at any time.
Legal Obligation (GDPR Art. 6(1)(c)): Where required to comply with applicable tax, financial, or other regulatory obligations.
5. AI Processing and Data Sharing with AI Providers
This section is the master disclosure for all AI-related data processing across both our Terms of Service and this Privacy Policy.
5.1 What Is Sent to AI Providers
When you invoke AI features, we transmit data to third-party AI providers via OpenRouter's API:
Damage Detection: Signed URLs for baseline and checkout photos (valid for 10 minutes), plus the room tag identifier.
Claim Narrative Generation: Platform name, reservation ID, guest name, unit and property identifiers, checkout timestamp, claim deadline, currency, total amount, and an itemized array of claim details.
Receipt Extraction: The receipt image (as a data URL or signed URL), which may contain cardholder name, last four card digits, and vendor letterhead.
5.2 AI Provider Data Usage Disclosure
Under the default terms of our current AI routing provider (OpenRouter), submitted prompts and responses may be logged and may be used to train or improve the underlying AI models. The relevant upstream model provider's terms (currently Google's policies for the Gemini model) are layered on top of OpenRouter's policies.
We do not send your password, billing credentials, or photographs to AI providers unless you explicitly invoke an AI feature on those specific photographs or data. AI processing only occurs when you affirmatively trigger it (e.g., clicking "Generate with AI" or "Scan receipt with AI").
5.3 AI Output Limitations
All AI-generated content is presented as a draft for your review. The AI is instructed not to invent items, damage, amounts, dates, or evidence, but outputs are non-deterministic and may contain errors. You are solely responsible for verifying AI outputs before use. For liability limitations related to AI outputs, see our Terms of Service, Section 4.
6. Third-Party Subprocessors
We share personal data with the following third-party service providers ("subprocessors") as necessary to operate the Service:
Supabase (authentication, database, and file storage): All persistent data including account information, photographs, and claim data. Privacy policy: supabase.com/privacy.
Stripe (payment processing): Customer email, subscription plan, card token, and invoice events. Privacy policy: stripe.com/privacy.
OpenRouter (AI model routing): Prompts, JSON facts, image URLs/data, and model identifiers. Privacy policy: openrouter.ai/privacy.
Google (Gemini AI model, via OpenRouter): Data forwarded by OpenRouter for AI processing. Privacy policy: policies.google.com/privacy.
Twilio (SMS notifications, fallback only): Inspector phone number and message body containing guest name, property name, and check-out date. Privacy policy: twilio.com/legal/privacy.
Hostinger (SMTP for transactional email and VPS hosting): Sender mailbox, recipient address, message body, message headers, and standard server access logs. Privacy policy: hostinger.com/legal/privacy-policy.
Airbnb, Vrbo, Booking.com (iCal sources): Our server IP, User-Agent, and the iCal URL for calendar synchronization. Subject to each platform's respective privacy policies.
7. Data Storage and International Transfers
Your data is stored on servers located in the United States (AWS US-East-2 via Supabase) and processed on servers in Europe (Hetzner, Germany). Stripe processes payment data in the United States. OpenRouter and underlying AI model providers may process data in the United States or other jurisdictions.
For users in the European Economic Area (EEA) or United Kingdom: Where personal data is transferred outside the EEA/UK to countries not recognized as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Article 46. You may request a copy of the relevant transfer mechanism by contacting us.
For users in the United States: Data is processed domestically. We comply with applicable state privacy laws including the CCPA/CPRA for California residents.
8. Data Security
We implement the following technical and organizational measures to protect personal data:
Transport encryption via HTTPS with HSTS preload (max-age=31536000; includeSubDomains; preload). Content Security Policy restricting connections to approved domains only (Supabase, Stripe, OpenRouter). No third-party scripts or analytics are loaded.
Encryption at rest provided by Supabase's underlying infrastructure. Passwordless authentication via magic link (no passwords stored). HTTP-only, Secure, SameSite=Lax cookies. Postgres Row-Level Security on every database table, filtering all reads and writes by authenticated user ID.
Image integrity verification via server-side SHA-256 hashing, C2PA manifest reading, and EXIF analysis for software alteration or metadata stripping. IP-based rate limiting. Server-side MIME type verification of upload magic bytes. Filename sanitization preventing path traversal. Stripe webhook signature verification.
All photograph storage buckets (baseline-photos, checkout-photos, exports) are private with no public read URLs. Access is gated by Row-Level Security policies. File uploads are capped at 25MB per photo and 50MB per export.
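The upload-intake and webhook checks listed above (magic-byte MIME verification, filename sanitization against path traversal, SHA-256 hashing, the per-photo size cap, HMAC signature verification) and the hashed-IP rate-limit key from Section 3.9 are illustrated below in one self-contained Python example. This is added example code, not Turnfolio's own implementation: the accepted image types, the allow-list of filename characters, and the generic `timestamp.payload` HMAC-SHA256 scheme are assumptions, and the sample inputs are constructed.

```python
"""Example server-side intake checks of the kind described in the policy's
Section 8 and Section 3.9 (illustrative code, not the Service's own)."""
import hashlib
import hmac
import re
from typing import Optional

# 25MB per-photo cap, as stated in the policy.
MAX_PHOTO_BYTES = 25 * 1024 * 1024

# Leading-byte signatures. The accepted set (JPEG, PNG) is an assumption.
_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's first bytes, ignoring
    whatever Content-Type the client declared."""
    for mime, sigs in _MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied name to a safe basename: drop any directory
    components (so '../../etc/passwd' cannot escape the storage prefix),
    replace characters outside a conservative allow-list, strip leading dots,
    and bound the length. The allow-list is an assumption."""
    base = name.replace("\\", "/").split("/")[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.lstrip(".")
    return base[:128] or "upload"


def sha256_hex(data: bytes) -> str:
    """Content hash stored alongside the object for later tamper detection."""
    return hashlib.sha256(data).hexdigest()


def check_upload(filename: str, declared_mime: str, data: bytes) -> dict:
    """Apply size, magic-byte and filename checks; never trust declared type."""
    if len(data) > MAX_PHOTO_BYTES:
        return {"accepted": False, "reason": "exceeds 25MB cap"}
    sniffed = sniff_mime(data)
    if sniffed is None:
        return {"accepted": False, "reason": "unsupported or spoofed content"}
    if declared_mime != sniffed:
        return {"accepted": False, "reason": "declared type does not match content"}
    return {
        "accepted": True,
        "filename": sanitize_filename(filename),
        "mime": sniffed,
        "size": len(data),
        "sha256": sha256_hex(data),
    }


def ip_rate_key(ip: str) -> str:
    """Rate-limit key: SHA-256 of the client IP, keeping only a 24-character
    prefix, so the raw address is never held (Section 3.9)."""
    return hashlib.sha256(ip.encode()).hexdigest()[:24]


def sign_webhook(payload: bytes, secret: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over 'timestamp.payload' (generic scheme, assumed)."""
    return hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, secret: bytes, timestamp: int,
                   signature_hex: str, now: int, tolerance: int = 300) -> bool:
    """Reject stale timestamps (replay window) and compare in constant time."""
    if abs(now - timestamp) > tolerance:
        return False
    expected = sign_webhook(payload, secret, timestamp)
    return hmac.compare_digest(expected, signature_hex)


if __name__ == "__main__":
    # Constructed sample: a JPEG header with a traversal-style filename.
    print(check_upload("../../etc/passwd.jpg", "image/jpeg", b"\xff\xd8\xff" + b"\x00" * 16))
    print(check_upload("x.png", "image/png", b"GIF89a" + b"\x00" * 16))
```

Declared MIME type and filename both come from the client, so the checks rely on file content and a basename allow-list rather than on either; the webhook verifier rejects both forged signatures and replayed events outside the tolerance window.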
9. Data Retention and Deletion
We retain personal data for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:
Account data: Retained until you request account deletion. Upon deletion, your authentication record is deleted via Supabase Auth, and dependent records (profiles, properties, units, claims) are removed via cascading deletion.
Photographs and exports: Retained until you delete them manually or request account deletion. Upon account deletion, stored objects in baseline-photos, checkout-photos, and exports buckets associated with your account will be purged within 30 days of a verified deletion request.
Stripe event logs: Retained for audit and compliance purposes. These are service-level records not accessible via client API.
Rate-limiting data: IP hashes are stored in memory only and are lost on server restart. No persistent IP address storage occurs.
AI provider retention: Third-party AI providers maintain their own data retention policies independent of ours. Please refer to the subprocessor privacy policies listed in Section 6.
10. Your Rights
10.1 Rights Under GDPR (EEA/UK Users)
If you are located in the EEA or UK, you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing based on legitimate interests, each as provided under GDPR Articles 15–21. You may withdraw consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority. We do not make decisions with legal or similarly significant effects based solely on automated processing; all final decisions regarding claim submission are made by you.
10.2 Rights Under US Law (California Residents — CCPA/CPRA)
California residents may request access to, deletion of, or correction of their personal information and may opt out of any sale or sharing of personal information under the CCPA/CPRA. We do not sell or share personal information, and we do not use it for cross-context behavioral advertising. Categories of personal information we collect include identifiers, commercial information, internet or network activity, geolocation data, and professional information.
10.3 Exercising Your Rights
To exercise any of the above rights, contact us at privacy@turnfolio.com. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/CPRA). We may request verification of your identity before processing a request.
11. Cookies and Tracking
We use only essential, first-party cookies required for authentication and session management (Supabase auth cookies and standard Next.js/Traefik session cookies). These cookies are HTTP-only, Secure, and set with SameSite=Lax.
We do not use advertising cookies, tracking pixels, or third-party analytics services. We do not engage in cross-site tracking or behavioral profiling.
Because we use only strictly necessary cookies, consent banners are not required under Article 5(3) of the ePrivacy Directive. However, we disclose our cookie usage here for transparency.
12. Communications
We send transactional emails from notifications@turnfolio.com via our SMTP server hosted at Hostinger. These emails relate to account activity, walkthrough notifications, and service updates.
For inspector notifications, we may send SMS messages via Twilio as a fallback when email delivery fails. SMS messages contain the inspector's name, property name, guest name, and check-out date with a walkthrough URL.
13. Data Processing for Non-Account Holders
Cleaners and inspectors who access walkthrough links can see: the property name, unit label, and room checklist. They cannot see: other units, other properties, other cleaners, the host's billing information, or any other account data.
When a non-account holder uploads photographs, we process EXIF metadata (including device model, geolocation, and timestamp) embedded in those photographs. This processing is necessary for the legitimate purpose of evidentiary integrity. Non-account holders may contact us at privacy@turnfolio.com to exercise their data protection rights regarding any data derived from their uploads.
14. Special Categories of Data
We do not intentionally collect special categories of personal data as defined under GDPR Article 9 (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs). If such data is incidentally captured in photographs, it is not processed or used for any purpose other than storage as part of the photographic record.
15. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after any changes constitutes acceptance of the revised policy.
17. Contact Information
For questions about this Privacy Policy, to exercise your data protection rights, or to file a complaint, please contact:
Turnfolio — Privacy Email: privacy@turnfolio.com
For EU/UK users, if you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.