Last updated May 14, 2026
Privacy Policy
Koohost.ai ("Koohost", "we", "us") is a short-term-rental operations dashboard for
property hosts. This Privacy Policy describes — in plain English — what data we collect,
why we collect it, who we share it with, and how to exercise your privacy rights.
Plain-English summary: you give us API access to your existing host tools (channel
managers, smart locks, thermostats, cameras, messaging providers). We pass your data through
those services on your behalf, store the operational metadata in our database (encrypted),
and use OpenAI to draft replies. We don't sell your data and we don't use your guests'
messages to train any model — yours or anyone else's.
1. Who is the data controller
For data you provide directly (your account email, password, payment info), Koohost is
the controller. For data about your guests that flows through Koohost on your behalf (their
messages, contact info, reservation details), Koohost is a processor —
you, the host, are the controller. You're responsible for telling your guests how their
data is handled, and for having a lawful basis to process it under whatever law applies in
your jurisdiction.
2. What we collect
2.1 Account data (provided by you)
- Your name, email, password (stored as a salted pbkdf2 hash — we cannot read it)
- Workspace name + slug
- Optional: phone number, profile photo, time-zone, quiet-hours preferences
- Last sign-in timestamp, last-seen device user-agent
2.2 Property & operations data (provided by you)
- Property names, addresses, photos, amenities, rules, check-in / check-out times
- WiFi network names & passwords (encrypted at rest)
- Door-code policy (length, last-4-of-phone vs random)
- Knowledge base entries you write for the AI ("the hot tub heater is in the shed")
- Bills, scheduled tasks, contact list (cleaners, vendors)
- Owner-statement data (gross, payout, fees, expenses) computed from your bookings
2.3 Connected-service credentials (with your explicit consent)
You can optionally connect Koohost to:
- Channel managers / PMSs: Hospitable, Lodgify, Smoobu, Guesty, Hostaway,
OwnerRez, Hostfully, Beds24. We store an API key or OAuth refresh token per service,
encrypted at rest.
- Pricing: PriceLabs, DPGO, Wheelhouse.
- Smart locks: Yale, August, Schlage, Aqara, Eufy, Igloohome, Kwikset,
Lockly, Nuki, Wyze, plus SmartThings / Hubitat / Home Assistant hubs.
- Thermostats: Google Nest, ecobee, Honeywell, Sensi, Mysa, Tado, Wyze.
- Cameras: Ring, Arlo, Blink, Eufy, Reolink, Ubiquiti Protect, Wyze,
Nest Cam.
- Messaging providers (BYOP): Twilio, Telnyx, Plivo (SMS / voice);
SendGrid, Mailgun, Postmark, generic SMTP (email).
- Mesh WiFi: TP-Link Deco.
Every credential listed above is encrypted at rest using AES-128 (Fernet)
with a tenant-isolated key. We never display the raw credential back to you in
the UI after first save.
2.4 Guest data (relayed through your connected channels)
When you connect a channel manager, Koohost reads the data your guests have already
provided to that channel:
- Name, email, phone, profile photo URL, prior-host review counts
- Reservation arrival / departure dates, party size, payout, channel fees
- Inbound & outbound message threads (Airbnb / VRBO / Booking.com / direct)
We do not contact guests directly — every outbound message goes back
through your channel manager's API, so the guest only ever sees your hosting brand. The
only exception is BYOP voice/SMS calls (Section 4 below), which you explicitly configure.
2.5 Smart-home data
- Lock status, battery level, access-code list, lock/unlock events
- Thermostat current temperature, setpoint, mode, eco status
- Camera motion events, doorbell rings, snapshot URLs (transient — see 3.1 below)
2.6 Push notification tokens
- iOS: APNs device tokens (registered via Apple)
- Android: FCM registration tokens (registered via Google Firebase)
- Web: VAPID push subscription endpoints
2.7 Payment data
If you subscribe to a paid plan, billing is handled by Stripe. We store your Stripe
customer ID and subscription status. We never see or store your credit-card
number — that data lives only with Stripe.
2.8 Technical / log data (collected automatically)
- IP address (used for rate limiting and audit logging — not for tracking)
- User-agent string (browser / app version)
- HTTP request logs (path, status code, response time) — retained 30 days for
debugging
- AI agent activity log (which tools Koo called, what it decided) — retained 90 days
3. How we use AI / large language models
3.1 What gets sent to OpenAI
We send the minimum context needed to draft a reply or answer your question. Specifically:
- The current guest message
- The last few messages in the same thread
- Property facts relevant to the property in question (WiFi network name, check-in
time, house rules — never the WiFi password unless you explicitly ask Koo to share it)
- Your own past replies on similar topics, used to mimic your writing voice
- Camera snapshots when you ask "what's happening at <property>?" — sent to
GPT-4o-mini vision, then discarded (not retained on our end after the response is logged)
OpenAI's API is configured to not retain prompts for training per their
Enterprise / API data-handling policy. We have no separate fine-tune of guest-specific data.
3.2 What does NOT get sent to OpenAI
- Your password, API keys, OAuth tokens, lock credentials
- Guests' email addresses or phone numbers (we strip these before sending)
- Other guests' messages or reservations (Koo only sees the thread it's currently in)
- Your billing / Stripe data
3.3 Style training ("Train Koo")
If you opt in to style training, your past 200–1,000 sent replies are sent to OpenAI
once to extract a writing-style profile (tone, length, sign-off). The profile is stored on
our side; the original replies are not re-sent on every future request. You can clear the
profile any time via Settings → Train Koo.
4. Bring-your-own-provider (BYOP) messaging
If you configure your own Twilio / Telnyx / Plivo / SendGrid / Mailgun / Postmark
account inside Koohost, outbound SMS / voice / email is sent through that account using
credentials you provided. The recipient sees your phone number / your sender
domain, not Koohost's. The recipient's number / email is also stored by your
provider per their own privacy policy.
5. Storage, security, and isolation
5.1 Where your data lives
- Database: Postgres on Railway (US-East). All connections TLS-only.
- Application server: Railway (US-East), with a cold-standby Fly.io app (US-Central,
region ord) for disaster recovery. Both fronted by Cloudflare for DDoS protection and
TLS termination.
- Backups: gzipped Postgres dumps written every 6 hours to Cloudflare R2
(object storage). Backups inherit the same TLS-only, encrypted-at-rest guarantees.
- Push: Apple APNs servers (US/EU) and Google FCM servers (global), to
deliver push notifications to your devices.
- Static assets: Cloudflare CDN edge, globally cached.
5.2 Encryption
- Data in transit: TLS 1.2+ end-to-end.
- Data at rest: Postgres-level encryption (Railway-managed). Sensitive Setting rows
(API keys, OAuth refresh tokens, lock credentials, mesh-WiFi tokens, encryption keys)
are additionally encrypted at the application layer via Fernet (AES-128-CBC
+ HMAC-SHA256) using a key not stored in the database.
- Passwords: pbkdf2-SHA256 with per-user salt and 600,000 iterations (Werkzeug default).
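As an added illustration of the password scheme in 5.2 (not Koohost's own code): PBKDF2-HMAC-SHA256 with a fresh random per-user salt and 600,000 iterations, stored in Werkzeug's `method$salt$hash` string format, with a constant-time verifier and a check for hashes that predate the current iteration count. It uses only the Python standard library; the helper names are assumptions.

```python
# Added illustration of the password-storage scheme described in 5.2:
# PBKDF2-HMAC-SHA256, random per-user salt, 600,000 iterations, written in
# Werkzeug's "pbkdf2:sha256:<iterations>$<salt>$<hexdigest>" format.
# Not Koohost's code; function names are assumptions.
import hashlib
import hmac
import secrets
import string

ITERATIONS = 600_000                      # iteration count stated in the policy
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 16                          # 16 alphanumeric chars, as Werkzeug uses


def _pbkdf2_hex(password: str, salt: str, iterations: int) -> str:
    # Derive the digest; the salt is mixed in as UTF-8 text, not decoded.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2:sha256:<iters>$<salt>$<hex>' with a new random salt."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))
    return f"pbkdf2:sha256:{iterations}${salt}${_pbkdf2_hex(password, salt, iterations)}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute from the stored salt and compare in constant time.
    Malformed or non-PBKDF2 strings verify as False instead of raising."""
    try:
        method, salt, digest = stored.split("$", 2)
        algo, hash_name, iters = method.split(":")
        if algo != "pbkdf2" or hash_name != "sha256":
            return False
        iterations = int(iters)
    except ValueError:
        return False
    return hmac.compare_digest(_pbkdf2_hex(candidate, salt, iterations), digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash uses fewer iterations than current policy,
    so it should be re-hashed at the next successful sign-in."""
    try:
        _, _, iters = stored.split("$", 1)[0].split(":")
        return int(iters) < iterations
    except ValueError:
        return True
```

Each call to hash_password produces a different string for the same password because the salt is fresh; verification still succeeds because the salt and iteration count travel with the hash.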
5.3 Multi-tenant isolation
Every host's data row is tagged with their workspace ID. Every read query filters by
that workspace ID. Even with database access, you cannot accidentally retrieve another
host's data through the application — and we run automated cross-tenant leak tests on
every deploy.
6. Who we share data with
We share data only with the third parties below, only as needed to operate the Service:
- OpenAI (LLM API) — guest message text + property context + your past
replies. Privacy policy.
- Stripe (billing) — your name, email, subscription details. We send
no card data — Stripe collects it directly. Privacy policy.
- Apple (APNs push) — APNs token + push payload (push title and
body — generally a guest's first name + truncated message). Privacy policy.
- Google (FCM push) — FCM token + push payload, same as APNs.
Privacy policy.
- Cloudflare (CDN / DDoS) — IP address, request URL.
Privacy policy.
- Railway (primary hosting / Postgres database) — all server-side state.
Privacy policy.
- Fly.io (cold disaster-recovery standby) — receives the same
application image; only handles traffic during a Railway outage.
Privacy policy.
- Cloudflare R2 (encrypted off-site database backups, 6-hour cadence,
30-day retention). Privacy policy.
- SendGrid (transactional auth / receipt emails Koohost itself sends —
separate from the BYOP email-provider you configure for guest comms) — your email
address. Privacy policy.
- Your connected channel managers, smart-home brands, and BYOP messaging
providers — see Section 2.3. Each operates under its own privacy policy.
We do not sell, rent, or trade your personal data, ever.
7. Privacy of your guests (host-side rules)
Koo is bound by hard-coded rules in its system prompt:
- Never reveal another guest's phone, email, full name, or booking dates in a reply to
a different guest.
- Never share the host's personal phone, email, or home address (only what's already
listed publicly on the channel).
- Door codes rotate per booking and are revoked at checkout — never reused across guests.
- Camera snapshots are only retrievable when the host explicitly asks "what's happening
at X?" — never delivered automatically to a guest, never stored long-term.
8. Data retention
- Account & property data: as long as your workspace is active, plus 30 days after
deletion (soft delete) before permanent purge.
- Guest messages: as long as your workspace is active.
- AI activity log: 90 days, then auto-purged.
- HTTP request logs: 30 days.
- Camera snapshots: never stored long-term — fetched on demand and discarded after the
AI vision call returns.
- Guest-risk profile cache: 14 days, then re-fetched.
- Backups: encrypted gzipped Postgres dumps to Cloudflare R2 every 6 hours, 30-day
rolling window, then deleted. RPO (recovery-point objective): ~6 hours.
9. Cookies and tracking
We use exactly one cookie: session, scoped to .koohost.ai.
It contains a signed identifier that lets us know you're signed in. We do not use
analytics cookies, ad-tracking cookies, or third-party trackers of any kind. We do not
fingerprint visitors. The marketing site (koohost.ai) sets no cookies until you sign in.
10. Your rights
Regardless of where you live, you can request any of the following by emailing
support@koohost.ai:
- Access — a machine-readable export of every record we hold about
you (also available self-serve via Settings → Export Workspace).
- Correction — fix any inaccurate data.
- Deletion — close your workspace and erase all associated data
(executed within 14 days; backups expire on the rolling 30-day cycle).
- Portability — JSON export of your data structured for import
elsewhere.
- Restriction or objection — limit how we process your data.
- Withdraw consent — revoke any connected service's access at any time.
If you're in the EU/UK (GDPR), the EEA, California (CCPA/CPRA), Virginia (VCDPA),
Colorado (CPA), or any other jurisdiction with privacy law, the rights above apply to you
in addition to whatever your local law grants. We respond to verified requests within
30 days.
11. International transfers
Koohost servers are located in the United States. If you're accessing the Service from
outside the US, your data is transferred to and processed in the US. We rely on the
EU-US Data Privacy Framework (where applicable) and standard contractual clauses to
provide an adequate level of protection.
12. Security incident response
If we discover a personal-data breach affecting you, we'll notify you within 72 hours
via email, including: what happened, what data was affected, what we're doing about it,
and what you should do.
13. Children
Koohost is a business tool for adult short-term-rental hosts. The Service is not
intended for, marketed to, or knowingly used by anyone under 18. We don't knowingly
collect personal data from minors. If you believe a minor has signed up, email us and
we'll delete the account.
14. Changes to this policy
We'll update this page and bump the "Last updated" date at the top whenever this
policy changes. For material changes (new data we collect, new third parties we share
with), we'll email everyone with an active workspace at least 14 days before the change
takes effect.
15. Contact
Questions, requests, or complaints?
support@koohost.ai