Privacy Policy
Effective Date: March 14, 2026
OnStay AI, LLC
9032 Hourglass Cir, Roseville, CA 95747, USA
Email: [email protected]
This Privacy Policy explains how OnStay AI ("OnStay AI," "we," "us," or "our") collects, uses, and shares information when you use our mobile application, websites, and related services (collectively, the "Service"). This policy applies to all users, including "Hosts" and "Guests" as defined below. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. Subscriptions for the Service are purchased and managed exclusively through our web application using third-party payment processors such as Stripe; our native mobile applications function as companion clients and do not themselves process in-app purchases or payments.
1. Scope, Roles, and Relationship of Parties
This policy applies to data processed through our Service globally. We support two primary user types:
- "Hosts" are our business customers (e.g., property owners, managers) who create an OnStay AI account to configure and manage one or more properties.
- "Guests" are individuals who interact with the Service in relation to a Host's property (for example, by scanning a QR code or following a property-specific link).
Our role under data protection laws (such as the EU/UK GDPR and California's CCPA/CPRA) depends on the context of the processing:
OnStay AI as Processor: When we process Guest data to provide the Service on behalf of a Host (e.g., answering questions about that Host's property), we generally act as a "data processor" or "service provider." The Host is the "data controller" or "business" responsible for that data.
OnStay AI as Controller: When we process data for our own business purposes—such as managing Host accounts, securing our platform, performing analytics to improve the Service, and for billing—we act as a "data controller" or "business."
This Privacy Policy does not apply to the practices of third parties that we do not own or control, including any third-party websites or services that you elect to access through the Service.
2. Definitions
"Personal Data" (or "Personal Information") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
"Sensitive Personal Data" means a subset of Personal Data that may receive heightened protection under applicable law, such as precise geolocation, biometric data, or certain account credentials.
"Biometric Identifier" means a measurement or scan of a unique physical characteristic used to identify an individual, such as a fingerprint, a voiceprint, or a scan of face or hand geometry. A "Voiceprint" is a type of Biometric Identifier created from an audio recording of a person's voice and is distinct from the audio recording itself.
"Child" or "Minor" means, for the purposes of this policy, an individual under the age of 18. Specific age thresholds may apply for certain legal obligations (e.g., under 13 or under 16 for consent purposes).
"Companion App" refers to our native mobile application, which functions as a client for accessing the Service, with primary account and subscription management occurring on our web platform.
"Data Protection Impact Assessment" (DPIA) means a systematic process for identifying and minimizing the data protection risks of a project or plan, as required by certain laws like the California Age-Appropriate Design Code.
"Processing" means any operation performed on Personal Data, such as collection, use, storage, disclosure, analysis, or deletion.
"Property Access Information" means sensitive information provided by a Host for a specific property, such as lockbox codes, Wi-Fi credentials, or alarm instructions.
"Service Provider" (or "Processor") means an entity that processes Personal Data on our behalf, or on behalf of a Host, pursuant to a written contract with appropriate safeguards.
3. Categories of Data Collected
We collect information in several ways: when you provide it to us directly, automatically through your use of the Service, and from third-party sources.
Information You Provide Directly
For Hosts:
- Account and Profile Information: When you create an account, we collect your name, email address, authentication credentials (such as magic links or tokens), and any other profile details you provide.
- Property Information: You provide information about your properties, including names, addresses, descriptions, photos, house rules, and instructions for Guests.
- Property Access Information: This includes security-sensitive data such as Wi-Fi credentials, lockbox codes, smart-lock access details, and alarm instructions that you choose to store in the Service.
- Guest-Related Information: You may provide information about your Guests, such as their name, dates of stay, and language preferences.
For Guests:
- Session Information: When you interact with the Service (e.g., by scanning a QR code), we collect information you provide, such as your language selection, feedback, and any questions or commands you submit.
- Optional Contact Details: If you contact us or a Host through the Service, we collect any contact information you provide (e.g., name, email, phone number) and the content of your message.
For All Users:
- Audio, Video, and Voice Data: We collect audio and video recordings when you use features such as property walkthroughs, video messages, or voice conversations with our AI. From this, we may generate derived data such as transcripts or summaries.
- Communications: We collect the contents of your messages and any attachments when you contact us via email, support channels, or other means.
Information Collected Automatically
- Usage and Log Data: We automatically log technical information about your use of the Service, including the pages and screens you view, features you use, IP address, device type, operating system, app version, and error logs.
- Approximate Location: We may infer your approximate location (e.g., city, region) from your IP address for purposes such as content localization and fraud detection.
- Payment Metadata (Hosts): When you subscribe, we collect transaction metadata, such as subscription tier and payment status. We do not collect or store full payment card numbers.
Information from Third Parties
- From Hosts: We process information that Hosts provide about their Guests.
- From Service Providers: We receive data from third-party services that help us operate our platform, such as analytics providers and hosting services.
- From Data-Retrieval Services: At a Host's direction, we may use services to retrieve publicly available information about a property from online sources to help populate content.
4. How We Use Data (Purposes of Processing)
We process the information we collect for the following purposes:
- Providing and Operating the Service: To operate, maintain, and provide the features and functionality of our platform, including enabling Hosts to manage properties and allowing Guests to access property information and concierge services.
- Generating AI-Powered Responses: To use Host-provided data and Guest queries to power our conversational AI, which generates answers to questions about properties, house rules, and local attractions.
- Billing and Account Management: To process Host subscriptions, send invoices and transactional messages, and manage Host accounts.
- Security, Safety, and Fraud Prevention: To protect the integrity of our Service, monitor for and prevent fraudulent or unauthorized activity, and enforce our terms and policies.
- Analytics and Service Improvement: To understand how users interact with our Service, diagnose technical issues, improve existing features, and develop new products and services.
- Communications: To communicate with you, including sending service-related announcements, responding to support inquiries, and, where permitted, sending marketing communications from which you can opt out.
- Legal and Compliance: To comply with applicable legal obligations, respond to lawful requests from government authorities, defend our legal rights, and enforce our agreements.
5. Audio/Video, Transcripts, and Biometric Statement
The Service includes features that allow you to record and transmit audio and video, such as for property walkthroughs or when using voice commands with our AI concierge. When you use these features, we collect the resulting audio and/or video recordings. We may process these recordings to generate derived data, such as written transcripts or summaries, to operate and improve the Service.
Under certain laws, such as the Illinois Biometric Information Privacy Act (BIPA), a "Voiceprint" or other "Biometric Identifier" derived from a recording to uniquely identify a person is considered sensitive data requiring specific consent. It is our policy and practice not to create, collect, or store Biometric Identifiers from your audio or video recordings for the purpose of identifying or authenticating you as an individual. An audio recording itself is not a Biometric Identifier; rather, a Biometric Identifier is a unique set of measurements derived from a recording for identification purposes.
We contractually require our third-party Service Providers (such as AI model vendors) who process this data to use it only for the purpose of providing their service to us. Our agreements prohibit them from using this data to build, train, or enrich their own biometric databases or to identify individuals for their own purposes. This is a critical safeguard to prevent the type of misuse alleged in cases where third-party vendors were accused of surreptitiously creating and using voiceprints from user communications.
Should we, in the future, offer a feature that involves the collection and use of a Biometric Identifier (for example, for secure identity verification), we will do so only in strict compliance with applicable law. This would involve providing you with a specific written notice detailing the purpose and retention period for the data and obtaining your prior, explicit written consent before any such data is collected.
6. Third-Party Services, Data Sharing, and Disclosures
We do not sell your Personal Data. We share information only in the limited circumstances described below, and we do so under contractual safeguards where required.
We share data with the following categories of third-party Service Providers to operate our platform:
- AI Model and Voice Processing Providers: To provide conversational AI features and generate transcripts, we send relevant data (such as audio recordings, property information, and text queries) to our AI service providers.
- Hosting and Infrastructure Providers: We use third-party vendors for cloud hosting, database management, and other core infrastructure services.
- Analytics Providers: We use third-party services to help us understand usage patterns and improve the Service.
- Communications Providers: We use third-party services to send emails, push notifications, and other communications.
- Payment Processors (Hosts): Host subscription payments are processed by Stripe, our third-party payment processor. We do not store or have access to your full payment card details.
- Data-Retrieval Providers: At a Host's direction, we may use services to retrieve publicly available information about a property to help populate content.
We enter into written agreements with these Service Providers that, among other things, prohibit them from selling or sharing the Personal Data we provide, and from retaining, using, or disclosing it for any purpose other than providing the contracted services to us, consistent with laws like the CCPA/CPRA.
We may also disclose information in the following situations:
- Between Hosts and Guests: We share property-related information provided by a Host with Guests who are authorized to access it.
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as a business asset.
- Legal and Safety Purposes: We may disclose information if we believe in good faith that it is necessary to comply with a legal obligation, respond to a lawful request from a public authority, protect our rights or property, prevent fraud, or protect the safety of our users or the public.
- With Your Consent: We may share your information with any other third party with your prior consent or at your direction.
7. Payments, Subscriptions, and App Review Positioning
OnStay AI is a business-to-business (B2B) subscription service designed for professional Hosts. Subscriptions are created, managed, and billed exclusively through our web application, which uses a third-party payment processor, Stripe. When a Host chooses to subscribe or manage their billing, they are directed to an external browser (e.g., Safari) to complete the transaction. We do not use Apple's in-app purchase (IAP) system or process any subscription payments through the Apple App Store.
Our native mobile application for iOS functions as a Companion App. It is designed to provide existing, subscribed business customers with mobile access to their accounts and the features of the Service. The native app does not itself initiate new subscriptions, unlock features via a purchase, or process payments. This architecture is intended to be consistent with app store guidelines for B2B services that operate on a "reader" or companion-app model, where the service is purchased externally.
8. Children and Age-Appropriate Design
The Service is intended for and directed to adults (individuals aged 18 and older). The guest-facing concierge and other Service features are not designed for independent use by Minors and should be used only under the supervision of an adult. We do not knowingly collect Personal Data from Children under the age of 13.
We recognize that Guest-facing features of the Service (such as a concierge interface accessed via QR code in a property) may be accessed by Minors who are part of a family or group staying at a Host's property. In compliance with laws such as the California Age-Appropriate Design Code, if we determine that a feature is "likely to be accessed by children," we will:
- Complete a Data Protection Impact Assessment (DPIA) for that feature to identify and mitigate risks of material detriment to Children.
- Configure all default privacy settings for that feature to a high level of privacy.
- Take reasonable measures to minimize the collection of Personal Data from Children.
Where audio or video recording features are used in a property, a Minor may be incidentally recorded. Hosts are responsible for complying with all applicable laws regarding notice and consent for recording individuals, including Minors, on their property. If we ever require consent from a Minor to process their Personal Data, we will obtain it in a manner consistent with applicable law, which may require verifiable parental consent for Children under 13.
9. Data Retention and Deletion
We retain Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Our retention periods are based on the type of data and the purpose of its collection.
- Host Account and Profile Data: We retain this data for as long as the Host maintains an active account and for a reasonable period thereafter to comply with legal and financial record-keeping obligations.
- Property Information: This information, including sensitive Property Access Information, is retained as long as the Host's account is active. Hosts are responsible for the accuracy and currency of this data and may update or delete it at any time.
- Guest Interaction Data: Data from Guest sessions, such as queries and usage logs, is retained for the period necessary to provide and improve the Service, after which it is deleted or anonymized. We generally will not retain such data beyond three years from the date of the interaction, unless required for legal or security purposes.
- Audio/Video Recordings and Transcripts: These are retained for a limited period necessary to provide the relevant feature, for quality assurance, and for service improvement, after which they are permanently deleted from our systems.
You may request the deletion of your Personal Data as described in the "Your Rights and Choices" section below. Please note that we may be required to retain certain information for legal or security reasons, even after a deletion request.
10. Security Measures and Incident Response
We are committed to protecting the security of your Personal Data. We implement and maintain a program of reasonable administrative, technical, and physical security measures designed to protect the information we process from unauthorized access, destruction, use, modification, or disclosure. These measures include:
- Encryption: We use industry-standard encryption to protect data in transit and at rest.
- Access Controls: We limit access to Personal Data to authorized personnel who have a legitimate business need to access it, based on the principle of least privilege.
- Vendor Security: We require our third-party Service Providers to adhere to contractual obligations to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
- Training: We provide our employees with training on data security and privacy best practices.
- Incident Response: We have developed and maintain an incident response plan to promptly address and manage any security incidents. In the event of a data breach that affects your information, we will provide notice in accordance with applicable legal requirements.
While we take security seriously, no method of transmission over the internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee the absolute security of your Personal Data.
11. Residents' Rights and How to Exercise Them (EEA/UK/US/CA)
Depending on your location and subject to applicable law, you may have certain rights regarding your Personal Data. These rights may include:
- Right to Access / Know: The right to request information about the Personal Data we have collected about you and to receive a copy of that data.
- Right to Rectification / Correction: The right to request that we correct inaccurate Personal Data we maintain about you.
- Right to Erasure / Deletion: The right to request that we delete your Personal Data, subject to certain exceptions.
- Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, and machine-readable format.
- Right to Restrict or Object to Processing: The right to object to or request that we restrict certain processing of your Personal Data.
- Right to Opt-Out of Sale or Sharing: The right to opt out of the "sale" or "sharing" of your Personal Data, as those terms are defined under applicable law.
- Right to Limit Use of Sensitive Personal Information: The right to limit our use and disclosure of your sensitive Personal Data to specific purposes permitted by law.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request in accordance with applicable law after verifying your identity. If you are a Guest, some requests may need to be directed to the Host, who is the data controller for your property-specific information. If you are unsatisfied with our response, you may have the right to appeal our decision or lodge a complaint with your local data protection authority.
12. California-Specific Disclosures (CCPA/CPRA and Age-Appropriate Design Code)
This section provides additional disclosures for California residents, pursuant to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
- Statement on "Sale" and "Sharing": We do not "sell" your Personal Information for monetary or other valuable consideration. We also do not "share" your Personal Information for purposes of cross-context behavioral advertising.
- Consumer Rights: As a California resident, you have the rights listed in the "Residents' Rights and How to Exercise Them" section above, including the Right to Know, Correct, and Delete your Personal Information, and the Right to Limit the Use and Disclosure of Sensitive Personal Information. To exercise these rights, please contact us at [email protected].
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Authorized Agents: You may designate an authorized agent to make a request on your behalf. We will require proof of your authorization.
- "Dark Patterns": We are committed to providing you with clear and easy-to-understand choices. Our user interfaces for submitting requests and obtaining consent are designed to be free of "dark patterns" that would subvert or impair your autonomy, decision-making, or choice.
- Age-Appropriate Design Code: We recognize our obligations under California's Age-Appropriate Design Code. As detailed in our "Children and Age-Appropriate Design" section, for any feature of our Service likely to be accessed by Children in California, we conduct Data Protection Impact Assessments (DPIAs), configure default settings to a high level of privacy, and take other required measures to protect their data.
13. International Transfers and Safeguards
OnStay AI is based in the United States, and we process and store Personal Data on servers located in the U.S. and other countries where our Service Providers operate. If you are using our Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
When we transfer Personal Data from regions with comprehensive data protection laws (such as the European Economic Area, the United Kingdom, and Switzerland) to other countries, we do so in compliance with applicable law. We rely on legal transfer mechanisms such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions about certain countries, and other contractual protections to ensure that your data receives an adequate level of protection in the jurisdiction where it is processed. For more information about the safeguards we have in place, you may contact us at [email protected].
14. Data Processing Agreement and Host Terms (DPA Reference)
For our Hosts who act as data controllers or businesses under applicable data protection laws (such as the GDPR or CCPA/CPRA), we make available a Data Processing Agreement (DPA). Our DPA details our commitments as a data processor or service provider and outlines the terms for our processing of Personal Data on the Host's behalf.
The DPA includes our commitments regarding: processing data only on the Host's documented instructions; implementing appropriate technical and organizational security measures; our obligations regarding subprocessors; and assisting the Host in meeting their own compliance obligations.
Hosts may request a copy of our DPA by contacting us at [email protected]. The DPA forms part of our agreement with the Host and should be read in conjunction with our Terms of Service.
15. Law Enforcement, Legal Requests, and Safety
We may access, preserve, and disclose your Personal Data if we believe in good faith that it is required or permitted by law. This includes responding to valid legal requests such as subpoenas, court orders, or search warrants from government authorities. We will assess the legal validity of each request before responding.
We may also disclose information when we believe it is necessary to prevent imminent death or serious bodily harm, to protect our rights or property, to prevent fraud or abuse of our Service, or to protect the safety of our users.
Where permitted by law, we will make a reasonable effort to notify you before disclosing your information in response to a legal request. We may not provide notice if we are legally prohibited from doing so, or if we believe that providing notice would be futile, ineffective, or create a risk of harm.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last Updated" date at the top of this policy. If we make material changes, we may provide you with more prominent notice, such as by sending an email or displaying a notice within the Service. We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of the Service after any changes become effective constitutes your acceptance of the revised policy.
17. Contact Information and Complaint/Appeal Process
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us at:
Email (privacy): [email protected]
Email (general): [email protected]
Email (support): [email protected]
Mailing Address: OnStay AI, Attn: Privacy, 9032 Hourglass Cir, Roseville, CA 95747, USA
We will respond to your inquiries in accordance with applicable law. If you are not satisfied with our response, you may have the right to appeal our decision or lodge a complaint with your local data protection supervisory authority.
18. Miscellaneous Legal Terms
This Privacy Policy is governed by and construed in accordance with the laws of the State of California and the United States, without regard to any conflict of laws principles. This policy is incorporated into and is subject to our Terms of Service.
If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will remain in full force and effect. Except where required by applicable law, this Privacy Policy is not intended to and does not create any contractual or other legal rights in or on behalf of any party.
Appendix A: Major Service Providers and Subprocessors
We partner with third-party Service Providers to deliver our Service. The following list identifies major providers by category and is illustrative, not exhaustive.
- AI and Machine Learning: xAI (Grok) — primary conversational and analysis model provider; Google (Gemini) — location and context grounding; ElevenLabs — text-to-speech and voice cloning; Deepgram — speech-to-text transcription
- Cloud Hosting: Railway — application and server hosting; Neon — PostgreSQL database; Expo/EAS — mobile app build and distribution
- Analytics and Monitoring: Sentry — error tracking, performance, and diagnostics
- Communications: Resend
- Payment Processing: Stripe
- Data Retrieval: Firecrawl
- Mapping: Google Maps Platform
Appendix B: Glossary of Key Terms
- Biometric Identifier: A unique measurement (e.g., a voiceprint) derived from a recording to identify a person.
- Controller vs. Processor: A Controller determines why and how data is processed; a Processor handles it on the Controller's behalf.
- DPIA (Data Protection Impact Assessment): A formal risk assessment required by laws like the California Age-Appropriate Design Code for features likely accessed by children.
- Sharing (CCPA): Disclosing personal information for cross-context behavioral advertising.
Appendix C: Sample Data Protection Impact Assessment (DPIA) Summary
This is a summary of the DPIA conducted for our Guest concierge feature, which may be "likely to be accessed by children."
- Feature and Purpose: An AI-powered concierge to answer Guest questions about a property.
- Data Processed: Text queries and, if used, temporary audio recordings. No user profiles are created.
- Risk Assessment Summary:
  - Harmful Content/Contacts: Risk is mitigated by grounding AI responses in Host-provided data and implementing content filters. The feature does not enable user-to-user contact.
  - Detrimental Profiling/Use: We do not profile Children. Data is used only to generate an immediate response. Default settings are high-privacy, and the interface avoids features designed to extend use unnecessarily ("dark patterns").