Privacy Policy

1. Information We Collect

a. Information You Provide Directly

• Account registration: first and last name, email address, phone number, and password.
• Brand profiles: company name, brand logo, marketing materials, social media handles, industry category, and a description of your brand.
• Community profiles: property name, address, unit count, amenity details, space photos, booking rules, operating hours, and pricing.
• Booking requests: event date and time, expected attendee count, event type, special requirements, and any communications with the other party through our messaging system.
• Insurance documentation: certificates of insurance, policy numbers, and coverage details when required to complete a booking.
• Attendee lists: names and, where required by a Community, resident-affiliation verification data for attendees of a booked event.
• Identity verification: government-issued ID or business registration documents if we request verification to prevent fraud.
• Support communications: messages, emails, and other correspondence you send to our team.

b. Information We Collect Automatically

• Usage data: pages visited, search queries, filters applied, listings viewed, booking steps completed, and time spent on each section.
• Device and technical data: IP address, browser type and version, operating system, referring URLs, and screen resolution.
• Log data: server-side request logs including timestamps, response codes, and feature interactions.
• Session data: encrypted session tokens stored via Redis to maintain your authenticated state and chat history.

c. Information From Third Parties

• Payment processors: Stripe provides us with transaction identifiers, payment status, and limited card metadata (last four digits, card brand, expiry). We never receive or store your full card number or CVV.
• Insurance partners: confirmation of coverage status for bookings that require event insurance.
• Public sources: publicly available information used to verify business identity or validate community listings (e.g., property records, business registrations).

2. How We Use Your Information

We use the information we collect to:

Operate and Deliver the Platform

• Create and manage your account and profile.
• Facilitate booking requests, approvals, and scheduling between Brands and Communities.
• Process payments and disbursements through Stripe.
• Verify insurance requirements and resident-access rules set by Communities.
• Enable in-platform messaging between Brands and Community managers.
• Power AI-assisted search and recommendations (via our chat feature, where applicable).

Communications

• Send transactional notifications: booking confirmations, status updates, payment receipts, and reminders.
• Respond to support requests and inquiries.
• Send product updates and platform announcements (you may opt out of marketing emails at any time).

Trust, Safety, and Legal Compliance

• Detect, investigate, and prevent fraud, abuse, and unauthorized access.
• Enforce our Terms of Service and Community guidelines.
• Comply with applicable laws, regulations, and legal process.
• Resolve disputes between parties.

Platform Improvement

• Analyze usage patterns to improve search, discovery, and booking flows.
• Conduct internal analytics and product research.
• Train and improve platform features (we do not use personal data to train external AI models).

3. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

Between Parties in a Booking

When a booking request is initiated, both the Brand and the Community receive the information necessary to complete the transaction — such as contact details, event specifics, and insurance status. Attendee lists shared with a Community are governed by that Community’s stated access policies.

Service Providers

We work with trusted third-party vendors who process data on our behalf under confidentiality obligations and only as directed by us:

• Stripe — payment processing and disbursement
• Microsoft Azure — cloud hosting, blob storage (community/brand media), and application services
• OpenAI — AI-powered platform features (chat search assistant); content sent to OpenAI is governed by their data processing agreements
• Insurance partners — event coverage verification
• Email / SMS providers — transactional notifications
• Analytics providers — anonymized usage analytics

Legal Requirements

We may disclose information if required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect the rights, property, or safety of hoastnow, our users, or the public.

Business Transfers

In the event of a merger, acquisition, financing, or sale of all or a portion of our assets, user information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the platform before your data becomes subject to a different privacy policy.

4. Payments and Financial Data

All payment transactions on hoastnow are processed by Stripe, Inc., a PCI DSS-compliant payment processor. When you enter payment information, it is transmitted directly to Stripe over an encrypted connection — hoastnow never receives, processes, or stores your full card number, CVV, or bank account credentials.

We retain Stripe-issued identifiers (customer ID, payment method token) to facilitate future bookings and issue refunds. Payout information for Communities (bank account details for disbursements) is stored and managed by Stripe under their own privacy and security policies.

For questions about how Stripe handles your financial data, see stripe.com/privacy.

5. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will prevent you from logging in or completing bookings. We do not use advertising cookies or cross-site tracking pixels.

6. Data Retention

We retain different categories of data for different periods:

• Account data: retained for the life of your account plus 3 years after closure, or as required by law (e.g., tax records).
• Booking records: retained for 7 years to satisfy financial, tax, and dispute-resolution obligations.
• Attendee lists: deleted 90 days after the event date, unless an active dispute requires them to be retained longer.
• Insurance certificates: retained for the duration of the booking period plus 3 years.
• Chat and support messages: retained for 2 years from the date of the last message.
• AI chat session data: session history stored in Redis is automatically expired after 30 days of inactivity.
• Server logs: retained for 90 days for security and debugging purposes.

When data is no longer needed, we delete or irreversibly anonymize it. You may request earlier deletion of personal data subject to our legal retention obligations (see Section 8).

7. Data Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, loss, or misuse:

• All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Passwords are hashed using ASP.NET Core Identity’s PBKDF2 algorithm with per-user salts — we never store plaintext passwords.
• Authentication sessions are protected by anti-forgery tokens and secure, HttpOnly cookies.
• Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified).
• Media assets (community and brand photos) are stored in access-controlled Azure Blob Storage.
• Internal access to production data is role-restricted and audited.

Despite our efforts, no security measure is 100% foolproof. If you believe your account has been compromised, contact us immediately at security@hoastnow.com.

8. Your Rights and Choices

Regardless of where you are located, you have the following rights with respect to your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: update inaccurate or incomplete information (much of which you can do directly in your account settings).
• Deletion: request deletion of your personal data, subject to legal retention requirements and active booking obligations.
• Portability: receive your data in a structured, machine-readable format.
• Objection / Restriction: object to or request restriction of certain processing activities.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
• Marketing opt-out: unsubscribe from promotional emails at any time using the link in any email we send, or by emailing us directly.

To exercise any of these rights, email privacy@hoastnow.com with “Privacy Request” in the subject line. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

9. California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

• Right to Know: the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it.
• Right to Delete: request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: request correction of inaccurate personal information.
• Right to Opt Out of Sale / Sharing: we do not sell or share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond what is necessary to provide our services.
• Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights.

Categories of personal information collected in the past 12 months: identifiers (name, email, IP address); commercial information (booking history, payment records); internet activity (usage data, log data); professional or employment information (company name, brand category); and inferences drawn from the above to understand platform preferences.

To submit a CCPA request, email privacy@hoastnow.com or call us at the number listed in Section 14. We will verify your identity and respond within 45 days (extendable to 90 days with notice).

10. EU / UK Residents — GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to the processing of your personal data.

Legal Bases for Processing

• Performance of a contract — processing necessary to create your account, facilitate bookings, and process payments.
• Legitimate interests — fraud prevention, platform security, improving our services, and direct marketing to existing users (balanced against your rights).
• Legal obligation — retaining financial records, complying with tax law and legal process.
• Consent — non-essential cookies and marketing communications (where separately obtained).

International Transfers

hoastnow is based in the United States. If you use our platform from the EEA or UK, your personal data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism for such transfers. Copies are available upon request.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can try to resolve your concern directly.

11. Children’s Privacy

hoastnow is a business-to-business marketplace intended for adults. Our services are not directed to anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a minor has provided us with personal data, please contact us at privacy@hoastnow.com and we will promptly delete it.

12. Third-Party Links

Our platform may contain links to third-party websites, such as insurance provider portals or payment documentation. This Privacy Policy applies only to hoastnow. We are not responsible for the privacy practices or content of third-party sites, and we encourage you to review their policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Send a notification to your registered email address at least 14 days before the changes take effect.
• Display a prominent notice on the platform.

Your continued use of hoastnow after the effective date constitutes acceptance of the updated policy. If you disagree with any changes, you may close your account before they take effect.

14. Contact Us

For any questions, requests, or concerns about this Privacy Policy or your personal data, please reach out to us:

For security-related concerns or to report a suspected data breach, email security@hoastnow.com. We take all reports seriously and will acknowledge receipt within 24 hours.