HostFlowHostFlow

Privacy Policy

Effective date: April 26, 2026

HostFlow (“we”, “our”, or “us”) operates the HostFlow service accessible at hostflow-app.us. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using HostFlow you agree to the practices described here.

Questions? Email us at privacy@hostflow-app.us.

1. Information We Collect

Account information

When you register, we collect your name, email address, and a hashed password (or authentication tokens if you sign in via Google OAuth). We store this in Supabase, our database provider.

Listing and booking data

You provide property details (name, iCal URL, timezone, check-in/check-out times) and we import and store booking records synced from your Airbnb calendar feed (confirmation codes, guest name, dates). This data is necessary to operate the service.

Team member data

You enter contact information for your team members (cleaners, co-hosts): name, email address, phone number, and optionally a Telegram chat ID or Slack channel. You are responsible for having the appropriate basis to share that information with us.

Notification content

We store the message templates and scheduled notification records you create, including message bodies and delivery timestamps.

Google account data (Gmail integration)

If you connect your Gmail account, we receive and securely store an OAuth 2.0 refresh token issued by Google. This token grants HostFlow the ability to send email messages on your behalf using the Gmail API (“Send” scope only). We do not request permission to read, modify, or delete your emails, access your contacts, or access any other Google account data. The refresh token is stored encrypted at rest in our database and is used exclusively to send the notification emails you configure. You can revoke this access at any time from your Google Account security settings or from within HostFlow.

Usage data

We collect standard web server logs (IP address, browser type, pages visited, timestamps) and may use error-reporting tools to detect and fix bugs. We do not use third-party advertising trackers.

2. How We Use Your Information

  • To provide and operate the HostFlow service (calendar sync, automated notifications, team coordination).
  • To send notification emails to your team members on your behalf via the Gmail API, using only the access you have explicitly granted.
  • To send notification messages via Telegram or Slack if you configure those integrations.
  • To authenticate you and maintain your session.
  • To respond to support requests sent to our contact addresses.
  • To detect, investigate, and fix security issues and bugs.
  • To comply with legal obligations.

We do not use your data or any data obtained through Google APIs for advertising, marketing profiling, or any purpose other than providing you with the HostFlow service.

3. Google API Services — Limited Use Disclosure

HostFlow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data received from Google APIs is:

  • Used only to send notification emails on your behalf as directed by you within the app.
  • Not transferred to third parties except as necessary to provide this specific feature (e.g., Google's own servers process the send request).
  • Not used for serving advertisements.
  • Not used to train AI or machine learning models.
  • Not read by HostFlow employees or contractors except to address a support issue you have requested help with, and only with your permission.

4. Data Sharing and Third Parties

We do not sell, rent, or share your personal information with third parties for their marketing purposes. We share data only as follows:

  • Supabase — our database and authentication provider. Data is stored in their infrastructure. See Supabase Privacy Policy.
  • Vercel — our hosting provider. Web requests pass through their infrastructure. See Vercel Privacy Policy.
  • Inngest — our background job and workflow provider, used to schedule and trigger notifications. See Inngest Privacy Policy.
  • Google (Gmail API) — used to send emails on your behalf when you connect Gmail.
  • Slack — used to send Slack messages to your team when you connect Slack.
  • Telegram — notification messages are delivered via the Telegram Bot API.
  • Legal compliance — we may disclose information if required to do so by law or in response to a valid legal process.

5. Data Retention

We retain your account and associated data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law or legitimate business interest (e.g., billing records).

Gmail OAuth refresh tokens are deleted immediately when you disconnect Gmail from within HostFlow, or when you revoke access via your Google Account. You can verify revocation at myaccount.google.com/permissions.

6. Your Rights and Choices

  • Access and correction — you can view and update your account information in the Profile section of the app.
  • Disconnect integrations — you can disconnect Gmail, Slack, or Telegram at any time from your profile settings.
  • Account deletion — email us at privacy@hostflow-app.us to request deletion of your account and all associated data.
  • Data portability — contact us to request an export of the data we hold about you.
  • GDPR / CCPA — if applicable law grants you additional rights (access, erasure, restriction, portability, objection), you may exercise them by contacting us at the address below.

7. Security

We use industry-standard measures to protect your data: TLS encryption in transit, encrypted storage at rest, row-level security in the database so users can only access their own data, and limited access to production systems. OAuth tokens are stored encrypted. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at hello@hostflow-app.us.

8. Children

HostFlow is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email or via an in-app notice. Continued use of the service after the effective date constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions or requests:

HostFlow
privacy@hostflow-app.us
hostflow-app.us