Privacy Policy

Last Updated: 4th June 2026

Introduction

Welcome to IntuitiveStay. We are committed to protecting your personal data and being transparent about how we collect and use it. This policy applies to Members (Property Owners), Guests (Feedback Providers), and Staff Members using our platform. Please read it carefully.

Information We Collect

A. From Members (Property Owners)

When you register an account or add a property, we collect:

Identity and Business Data: Full name, property name, property type, and business website.

Contact Data: Email address and business phone number.

Location Data: Physical address of the property, including street address, city, postcode, and country.

Technical Data: IP address, login credentials, and device information.

Subscription Data: Plan details and transaction history. Payments are processed securely by Stripe. We do not store your full card details.

B. From Guests (Feedback Providers)

We take a Privacy First approach to guest feedback. By default, we do not collect any personally identifiable information from guests.

Guests using a standard hospitality property (hotel, restaurant, or similar) are asked to rate four pillars: Resilience, Empathy, Anticipation, and Recognition. Guests using a HomeHost or HomeHost Plus property are asked to rate four different pillars: Accuracy, Welcome, Responsiveness, and Experience.

Guests may also select descriptive words about their experience (displayed in the Guest Voice Cloud on the property dashboard) and nominate a staff member who delivered exceptional service.

Where a guest submits a low score, an optional field appears allowing them to leave a free-text comment (Vent Box) and, if they wish, their email address so the property owner can follow up.

Direct Booking Win-Back (standard properties only) - On standard hospitality properties (not HomeHost), guests are presented with an optional consent checkbox: "I'm happy to hear about booking direct next time." If a guest ticks this box, they are asked to provide their email address. This is entirely voluntary and separate from the low-score feedback field. Where consent is given, IntuitiveStay sends a single follow-up email on behalf of the property approximately 24 hours after checkout, containing the property's direct booking link. The email includes an unsubscribe link. IntuitiveStay records whether the link in that email was clicked, for the purpose of reporting to the property owner. Guest email addresses collected via this feature are retained for 12 months from the date of submission, or until the guest unsubscribes, whichever is sooner. The Property Owner is the Data Controller for this communication; IntuitiveStay acts as the Data Processor.

Providing either is entirely voluntary.

Where a guest provides their email address, that information is passed directly to the relevant Member for the sole purpose of resolving their concern. Where a guest provides their email address in the low-score feedback field, that information is passed to the relevant Member for the sole purpose of resolving their concern. Where a guest separately opts in to the Direct Booking Win-Back feature (see below), their email is used to send a one-time follow-up email on behalf of the property. IntuitiveStay does not use guest email addresses for any other purpose.

- Numerical scores across the relevant pillar set
- Guest Voice Cloud adjectives selected by the guest
- Staff nominations entered by the guest
- Free-text feedback, where voluntarily submitted
- Timestamp of submission
- Email address, only where voluntarily provided

- Consent status and email address, where a guest opts in to Direct Booking Win-Back (standard properties only)
- A record of whether the win-back email was sent and whether the booking link was clicked

Property Owners are the Data Controllers for any guest email addresses and staff names provided through the platform. It is the responsibility of the Member to ensure their staff are informed that their names may be mentioned and processed through IntuitiveStay for internal recognition and performance purposes, and to handle any guest contact data in accordance with UK GDPR.

C. From Staff Members

Staff members who are invited to the platform by a Property Owner, or who independently create a Service Signature account, provide:

- Full name and email address
- A portable staff profile, which may be made publicly accessible and display aggregated performance statistics based on guest feedback

Staff members may also subscribe to push notifications and will receive automated email summaries of their performance, including a Daily Digest and a Monthly Wrapped email. Their email address is used for these communications.

Staff members are informed of this processing when they activate their account.

How We Use Your Data

To Provide the Service: We use guest feedback to calculate the Guest Connection Score® (GCS) for Member dashboards, generate pillar breakdowns, and power features including the Superhost Tracker (HomeHost plans), Listing Health Score, and Review Intercept Counter.
AI-Generated Summaries: For eligible plan tiers, guest feedback data, including scores, anonymised vent text, and staff mentions is sent to Anthropic (the provider of the Claude AI model) to generate a written daily summary for the property dashboard. No personally identifiable guest information is included in this process. See the AI Processing section below for more detail.
Communications: We send system alerts, score updates, Red Alert notifications, and administrative notices to Members. We send performance summaries and digest emails to Staff Members.
Marketing: We may use Member email addresses to send newsletters or updates about IntuitiveStay. You may opt out at any time.
Direct Booking Win-Back: Where a guest has explicitly opted in, we send a single follow-up email on behalf of the Property Owner approximately 24 hours after checkout. This email contains the property's direct booking link and an unsubscribe option. We do not send further marketing emails to guests.
Analytics and Monitoring: We use third-party tools including Sentry to monitor platform performance, log errors, and improve reliability.
Aggregated Insights: We may generate anonymised, aggregated industry reports using non-identifiable data. You agree that we may use such data for commercial and research purposes.
Content Moderation: We may use automated filters to identify and remove prohibited content from guest feedback to maintain professional standards.
The Guest Connection Score® is generated through automated mathematical averaging of guest inputs. These scores are intended for internal insight only and do not constitute a legal or professional performance evaluation by IntuitiveStay.

Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:
Contract Performance: Processing your account data, property data, and subscription information is necessary to deliver the services you have signed up for.
Legitimate Interests: We process technical data, platform usage data, and error logs to maintain the security and reliability of the platform. We also process anonymised feedback data for aggregated benchmarking. These interests do not override your rights.
Consent: Where we send marketing communications to Members, we rely on your consent, which you may withdraw at any time.
Consent: Where guests opt in to the Direct Booking Win-Back feature, we process their email address and send the follow-up email on the basis of their explicit consent, given via the opt-in checkbox on the feedback form. Guests may withdraw consent at any time using the unsubscribe link in the email.
Legal Obligation: We may process and retain data where required to comply with UK law.
For staff performance data processed via Service Signature, the legal basis is legitimate interests (enabling staff recognition and career development) alongside the contractual relationship between the staff member and their employer.

AI Processing

For Members on eligible plan tiers, IntuitiveStay uses Anthropic's Claude AI model to generate written daily summaries of guest feedback for your property dashboard. This feature processes anonymised and aggregated guest data including numerical scores, selected adjectives, and anonymised vent text to produce a narrative insight.
We do not send any personally identifiable information about guests or staff to Anthropic as part of this process. Anthropic processes this data as a data processor acting on our instructions, under Anthropic's data processing terms.
You may contact us to request that AI-generated summaries are disabled for your property.

Push Notifications

Members and Staff Members may subscribe to browser push notifications. When you opt in, we store a push notification subscription object which includes a device endpoint URL and encryption keys on our servers. This data is used solely to deliver notifications to your device and is deleted when you unsubscribe or your account is closed.
Push notifications are delivered via the Web Push Protocol and are not shared with any third party.

Third-Party Data Processors

We use the following third-party services to operate the platform. Each acts as a data processor under appropriate data processing agreements:

Stripe - payment processing and subscription management
Supabase - database hosting and storage
Railway - application server hosting
Resend - transactional and notification email delivery
Anthropic - AI-generated daily summaries (anonymised data only)
Sentry - error monitoring and performance logging
We do not sell your data to any third party.

International Data Transfers

Some of our third-party processors, including Supabase, Railway, Stripe, Anthropic, and Resend, are based in the United States. When your data is processed by these providers, it may be transferred outside of the United Kingdom.
Where such transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR, including reliance on Standard Contractual Clauses or the UK International Data Transfer Agreement where applicable.

Data Storage and Security

Your data is stored in a secure PostgreSQL database hosted by Supabase, behind firewalled servers. Application servers are hosted on Railway. Both providers maintain industry-standard security practices.
Stripe, our payment processor, adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council. We do not store full card details on our own servers.
Access to Member and Staff data is restricted to authorised personnel only.

Data Retention & Deletion

Active Accounts: We retain your data for as long as your account is active in order to provide historical insights and continuity of service.
Cancellation: Upon cancellation of your subscription or a request for account deletion, we reserve the right to delete all associated property and guest feedback data from our live databases.
Guest Feedback: As guest feedback is submitted anonymously, it may be retained in an aggregated, non-identifiable format for industry benchmarking after an account is closed.
Staff Data: If a staff member's profile is removed by a Property Owner, their data is flagged as removed and excluded from active processing. Staff members may contact us directly to request full deletion of their account and associated data.
Breach Notification: In accordance with UK GDPR, we will notify relevant parties within 72 hours of becoming aware of a security breach that puts personal data at risk.
Win-Back Guest Emails: Email addresses collected through the Direct Booking Win-Back opt-in are retained for 12 months from submission or until the guest unsubscribes, whichever is sooner.

Cookies

We use cookies to maintain your session and enhance your experience on the platform.
Essential cookies are required for security and account authentication and cannot be disabled.
Analytical cookies help us understand how the platform is used so we can improve it.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from logging in or using the platform.

Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the United Kingdom. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of the United Kingdom.

Your Rights

Under UK GDPR, you have the right to:
Access: Request a copy of the personal data we hold about you.
Rectification: Request that we correct any inaccurate or incomplete data.
Erasure: Request that we delete your personal data, subject to any legal obligations requiring us to retain it.
Restriction: Request that we restrict the processing of your data in certain circumstances.
Portability: Request that we provide your data in a structured, commonly used, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
Automated Decision-Making: The Guest Connection Score is calculated using automated mathematical averaging. This is not used to make legally significant decisions about any individual, and you have the right to request human review of any automated output.
Members can exercise their right to access, portability and erasure directly from their account. Log in to your dashboard, go to Account Settings and scroll to the Data & Privacy section. From there you can download a full copy of your data or permanently delete your account and all associated data without needing to contact us.
To exercise any other right, or if you require assistance, please contact us using the details below. We will respond within one month as required by UK GDPR.

Contact Us

For any questions about this policy, to exercise your data rights, or to request account or data deletion, please contact us at:
[email protected]

Children’s Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete that information promptly.