Legal
Privacy Policy
Last updated: 19 May 2026
1. Who We Are
Elvirio Host OS (“Elvirio”, “we”, “us”, “our”) is an operational management platform for short-term rental operators. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service at elviriohost.com (the “Service”).
The data controller responsible for your personal data is:
ELVIRIO LTD
Company number: 15478800
128 City Road, London, United Kingdom, EC1V 2NX
Incorporated in England and Wales
Contact: antonia@elvirio.ai
2. What Data We Collect and Why
We collect only the data necessary to provide and improve the Service.
2.1 Account Information
What: Your name and email address, collected when you register.
Why: To create and manage your account. This is necessary to perform our contract with you.
Legal basis (GDPR Art. 6): Contract performance (Art. 6(1)(b)).
2.2 Authentication Data
What:Session tokens, authentication cookies, and — if you use “Sign in with Google” — a Google account identifier (your Google user ID and email as provided by Google’s OAuth service).
Why: To keep you securely signed in and to verify your identity.
Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests in platform security (Art. 6(1)(f)).
2.3 Property Data
What: Property names, cities, postcodes, property types, number of bedrooms, and base nightly rates you enter for properties you manage.
Why:To power the calendar, pricing, and deal analysis features. This data never leaves our systems and is used solely to provide your account’s functionality.
Legal basis: Contract performance (Art. 6(1)(b)).
2.4 Calendar Feed URLs
What: The iCal URLs you add from Airbnb, VRBO, Booking.com, or other platforms.
Why: To periodically fetch your availability calendar. We store the URL itself, not your OTA account credentials. We do notcollect or store any guest personal data (names, contact details, payment information) that may exist within those platforms — iCal feeds contain only booking dates and statuses.
Legal basis: Contract performance (Art. 6(1)(b)).
2.5 Reservation Data
What:Booking dates (check-in, check-out) and statuses (“reserved” or “blocked”), as parsed from the iCal feeds you connect.
Why:To display your calendar, detect occupancy gaps, and calculate occupancy rates. This data contains no guest personal information — it is availability and scheduling information only.
Legal basis: Contract performance (Art. 6(1)(b)).
2.6 Deal Analysis Inputs
What: Financial inputs you enter into the deal analyzer: nightly rates, occupancy estimates, monthly costs (rent payable, utilities, management fees, etc.).
Why: To calculate and display financial projections. This data is stored so you can revisit and share analyses.
Legal basis: Contract performance (Art. 6(1)(b)).
2.7 Property Images
What: Photos you choose to upload to your property profiles.
Why: To display as thumbnails within your property portfolio. Images are stored on our cloud infrastructure and are not shared publicly unless you explicitly generate a share link.
Legal basis: Contract performance (Art. 6(1)(b)).
2.8 Transactional Emails
What: Your email address, used to send password reset links, calendar sync failure notifications, and other service-related communications.
Why:These emails are necessary to operate the Service — they are not marketing communications.
Legal basis: Contract performance (Art. 6(1)(b)).
2.9 Usage and Performance Data
What: Aggregated, anonymised analytics data about page views and application performance, collected through Vercel Analytics and Vercel Speed Insights. This data does not identify individual users.
Why: To understand how the Service is used and to identify performance issues.
Legal basis: Legitimate interests (Art. 6(1)(f)).
3. Cookies
We use a minimal set of cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth session | Keeps you signed in | Session / up to 7 days |
| CSRF protection token | Security — prevents cross-site request forgery | Session |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies that identify you across other websites. If we introduce additional cookies in the future, we will update this policy and request consent where required.
4. Who We Share Your Data With
We do not sell your data. We do not share your data with third parties for marketing purposes. We use the following sub-processors to operate the Service:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, user authentication | USA (EU region available) |
| Vercel, Inc. | Application hosting, CDN, analytics | USA (global edge) |
| Resend, Inc. | Transactional email delivery | USA |
| Google LLC | Sign in with Google (OAuth 2.0) | USA |
All transfers of personal data to countries outside the UK are conducted under Standard Contractual Clauses (SCCs) or equivalent UK adequacy mechanisms, as approved under UK GDPR Art. 46.
5. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Account information | Until account deletion, plus 30 days to allow recovery |
| Property and calendar data | Until you delete the property or your account |
| Deal analyses | Until you delete them or your account |
| Sync logs | 90 days (for debugging purposes) |
| Transactional email logs | 30 days |
| Anonymised usage analytics | Aggregated indefinitely (non-personal) |
When you delete your account, we permanently delete your personal data within 30 days. Anonymised, non-identifiable aggregate statistics may be retained indefinitely.
6. Your Rights Under UK GDPR
As a UK or EEA resident, you have the following rights:
Right of access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
You can correct inaccurate data at any time through your account settings, or by contacting us.
Right to erasure (Art. 17)
You can request deletion of your account and all associated personal data. Exceptions apply where retention is required by law.
Right to restriction of processing (Art. 18)
You can ask us to stop processing your data in certain circumstances while a dispute is resolved.
Right to data portability (Art. 20)
You can request your data in a machine-readable format.
Right to object (Art. 21)
You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to lodge a complaint:You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. If you are in an EU member state, contact your national supervisory authority.
To exercise any of these rights, email us at: antonia@elvirio.ai. We will respond within 30 calendar days.
7. Data Security
We implement industry-standard security measures including:
- All data transmitted over HTTPS/TLS encryption
- Passwords hashed using bcrypt (managed by Supabase Auth — we never store plaintext passwords)
- Row-level security policies on all database tables — users can only access their own organisation's data
- Session tokens are short-lived and rotated on each authentication
- No storage of OTA platform credentials — we only store iCal URLs, which are read-only availability feeds
Despite these measures, no system is entirely secure. If you discover a security vulnerability, please disclose it responsibly to antonia@elvirio.ai.
8. Children’s Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it immediately.
9. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email or by displaying a notice within the Service at least 14 days before changes take effect. The “Last updated” date at the top of this page will always reflect the current version.
10. Contact
For privacy-related questions or to exercise your rights: