Privacy Policy

Last updated: March 19, 2026

1. Who We Are

Vanio AI Ltd. ("Vanio", "we", "us") operates vanio.ai, an AI-native property management platform for vacation rental operators. This policy explains how we collect, use, store, and protect personal data when you use our Service.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Name and email address
  • Company/business name
  • Phone number (optional)
  • Password (hashed, never stored in plain text)

2.2 Property and Operational Data

To provide the Service, we process:

  • Property listings, descriptions, amenities, and photos
  • Reservation data (dates, pricing, guest details, platform source)
  • Guest information (names, contact details, booking history)
  • Task and maintenance records
  • Payment transaction data (processed via Stripe)
  • Knowledge base articles and operational procedures
  • Smart lock access codes and device status
  • Messages between you and your guests across all channels

2.3 Usage Data

We automatically collect:

  • Log data (IP address, browser type, pages visited, timestamps)
  • Feature usage analytics
  • AI interaction logs (queries, tool calls, responses)
  • Voice call recordings (when voice features are enabled)

2.4 Third-Party Data

When you connect integrations, we receive data from:

  • Airbnb, Booking.com, VRBO (reservations, messages, calendar)
  • Stripe (payment status; card details are handled by Stripe and never stored by us)
  • Smart lock providers (device status, access logs)
  • Email providers (when email inbox features are enabled)

Gmail Integration

When you connect your Gmail account, Vanio AI accesses your email data to:

  • Read incoming emails and display them in your dashboard for guest communication management
  • Send email replies on your behalf through your connected Gmail account

Vanio AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Gmail data for advertising, market research, or any purpose unrelated to providing the Vanio AI service. Email content is processed solely to facilitate property management communication. You can disconnect your Gmail account at any time from Settings, which immediately revokes our access.

3. How We Use Your Data

  • Provide the Service: Process reservations, manage guest communications, dispatch tasks, control smart locks, process payments, and run automations
  • AI features: Power AI-generated responses, shadow mode suggestions, automated guest messaging, and voice agent conversations
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features, and improve AI quality
  • Security: Detect fraud, prevent abuse, and protect your account
  • Communication: Send service updates, billing notifications, and product announcements (you can opt out of non-essential communications)

4. AI and Machine Learning

  • AI processing: Your data is processed by AI models (including third-party models from OpenAI and Anthropic) to generate responses, classify messages, and automate operations
  • Context: When AI processes a query, it receives relevant context (property details, reservation data, guest info, knowledge base articles) to generate accurate responses
  • No cross-tenant training: Your proprietary data is not used to train models for other customers. AI models may be improved using aggregated, anonymized usage patterns
  • Voice recordings: Voice call recordings are stored for quality assurance, dispute resolution, and service improvement. You can disable recording in settings

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Service providers: Supabase (database hosting), Vercel (application hosting), Stripe (payments), Twilio (voice/SMS), OpenAI and Anthropic (AI processing), smart lock providers
  • OTA platforms: Airbnb, Booking.com, VRBO — only to sync reservations and messages as directed by you
  • Your team: Data is shared with team members you invite to your account
  • Legal requirements: When required by law, court order, or to protect our rights

6. Your Role as Data Controller

For guest personal data, you are the data controller and we are the data processor. You are responsible for:

  • Having a legal basis to collect and process guest data
  • Informing guests about data processing (e.g., via your booking terms or privacy notice)
  • Responding to guest data access, deletion, or portability requests
  • Ensuring your use of AI features complies with applicable privacy laws

7. Data Retention

  • Active accounts: Data is retained for the duration of your subscription
  • After cancellation: Data is retained for 30 days to allow reactivation, then permanently deleted
  • Financial records: Payment records are retained for 7 years as required by tax and accounting regulations
  • Voice recordings: Retained for 90 days unless a longer period is required for dispute resolution
  • Backups: Backup copies may persist for up to 30 days after deletion from primary systems

8. Data Security

  • All data is encrypted in transit (TLS 1.2+) and at rest
  • Database access is restricted with row-level security policies
  • API keys are hashed and scoped to individual accounts
  • Payment card data is handled entirely by Stripe (PCI DSS Level 1 compliant) and never touches our servers
  • Access to production systems is restricted to authorized personnel with multi-factor authentication
  • We conduct regular security reviews of our infrastructure and code

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a machine-readable format
  • Restriction: Request restriction of processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

10. Cookies

  • Essential cookies: Required for authentication and core functionality. Cannot be disabled.
  • Analytics cookies: Google Analytics (GA4) to understand usage patterns. You can opt out via your browser settings or a cookie consent tool.
  • We do not use advertising or tracking cookies.

11. International Transfers

Your data may be processed in the European Union, United States, and other countries where our service providers operate. We ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or equivalent protections) for any transfers outside the EEA.

12. Children

The Service is not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or through the Service. The "last updated" date at the top reflects the most recent revision.

14. Contact

For privacy-related questions or requests, contact us at: