Privacy Policy

Last updated: February 10, 2026

Introduction

WelcomeDeck ("we," "us," or "our") is a UK-based company that provides a digital guest guide and upsell platform for short-term rental hosts. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our website, application, and services (collectively, the "Service").

This policy applies to two types of users:

  • Hosts — short-term rental operators who create accounts and use WelcomeDeck to build digital welcome guides for their guests.
  • Guests — visitors who view welcome guides, access property information, and may purchase upsell services such as late checkout or early check-in.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are a Host, you are also responsible for informing your Guests about how their data is used in connection with WelcomeDeck.

Information We Collect

We collect different types of information depending on whether you are a Host or a Guest.

Information from Hosts

  • Account information: Your name, email address, and profile photo, collected through our authentication provider when you create an account.
  • Property details: Property names, addresses, cover photos, house rules, WiFi network names and passwords, and access codes that you enter into the platform.
  • Payment information: Your Stripe Connect account ID and subscription details. We do not store your bank account numbers or card details directly — these are handled entirely by Stripe.
  • Subscription data: Your plan type, billing cycle, and payment history related to your WelcomeDeck subscription.

Information from Guests

Guests do not create accounts on WelcomeDeck. Guest data is provided to us by Hosts when they create personalised welcome links.

  • Guest details: Name, email address (if provided by the Host), check-in and check-out dates.
  • Purchase history: Records of any upsell services purchased (e.g., late checkout, early check-in, pet fees), including transaction amounts and payment status.
  • Technical information: IP address, browser type, device type, and user agent collected automatically when a Guest views a welcome guide.

Information Collected Automatically

  • Usage data: Page views, WiFi password copies, guide opens, and interactions with upsell cards. This helps us understand how the Service is used and improve it.
  • Server logs: Our hosting provider may automatically log IP addresses, request timestamps, and user agent strings for security and performance monitoring.

How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Creating and displaying digital welcome guides, processing upsell purchases, and managing Host accounts and subscriptions.
  • Payment processing: Facilitating transactions between Guests and Hosts through Stripe Connect, including calculating and collecting platform application fees.
  • Communication: Sending Hosts account-related notifications, subscription updates, and transactional emails (such as purchase confirmations).
  • Security and fraud prevention: Detecting and preventing unauthorised access, abuse, or fraudulent activity on the platform.
  • Service improvement: Analysing usage patterns (page views, feature adoption) to improve the platform, fix bugs, and develop new features.
  • Legal compliance: Meeting our obligations under applicable laws, including UK data protection regulations and the GDPR.

We do not use your personal information for third-party advertising, and we never sell your data to anyone.

Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share data only with trusted service providers who are necessary for the operation of the Service:

Service Providers

  • Authentication provider— Handles Host sign-up, login, and session management. Receives and stores Host email, name, and profile photo.
  • Stripe (payments) — Processes all financial transactions between Guests and Hosts via Stripe Connect. Stripe receives payment details, email addresses, and transaction amounts. See Stripe's Privacy Policy.
  • Database provider— Our PostgreSQL database is hosted on managed cloud infrastructure. All property details, guest information, and transaction records are stored here.
  • Hosting provider— Hosts and serves the WelcomeDeck application. Our hosting provider may collect server logs including IP addresses and user agents for performance and security purposes.

Other Disclosures

We may also disclose your information in the following circumstances:

  • Legal requirements: When required by law, regulation, or legal process (e.g., a court order or subpoena).
  • Protection of rights: To protect the rights, safety, or property of WelcomeDeck, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would be transferred to the successor entity under the same privacy protections.

Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • Sensitive data encryption: WiFi passwords and access codes are stored encrypted in our database.
  • Secure authentication: Host accounts are protected through our authentication provider's infrastructure, which supports secure session management.
  • Payment security: Financial data is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers on our servers.
  • Infrastructure security: Our database is hosted on managed cloud infrastructure with automatic backups, and our application is deployed on a platform with built-in DDoS protection.

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and notifying affected users as required by law.

Data Sub-Processors

To deliver the Service, WelcomeDeck relies on the following third-party data processors. Each processes personal data only as necessary to provide their specific service and is bound by appropriate data protection agreements.

ProviderPurposeData location
StripePayment processing (Host-Managed Mode only)US / EU
ClerkHost authentication and session managementUS / EU
NeonDatabase hosting (properties, guests, requests)EU
ResendTransactional email deliveryEU
VercelApplication hosting and edge deliveryUS / EU

Your Rights

Under the UK GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data.
  • Right to erasure: You can request that we delete your personal data, subject to our legal obligations to retain certain records (e.g., transaction history for tax purposes).
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to object: You can object to processing of your data where we rely on legitimate interests as the legal basis.

For Hosts

You can update or delete your account information at any time through your Dashboard settings. If you delete your account, we will remove your personal data and property information, though we may retain anonymised transaction records as required by law.

For Guests

Since Guests do not create accounts on WelcomeDeck, your data is provided to us by your Host. To exercise any of the rights listed above, please contact us at support@welcomedeck.app and we will respond within 30 days. You may also contact the Host directly to request changes to your data.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Cookies and Tracking

WelcomeDeck uses a minimal set of cookies and tracking technologies:

Essential Cookies

These are required for the Service to function and cannot be disabled. They include:

  • Authentication cookies: Set by our authentication provider to manage Host login sessions and keep you signed in.
  • Security cookies: Used to prevent cross-site request forgery and other security threats.

Analytics

We collect basic, anonymised usage data (such as page views, WiFi copy events, and guide opens) to understand how the Service is used and improve it. This data is not linked to individual identities and is not shared with third-party advertising networks.

What We Do Not Use

  • We do not use third-party advertising or retargeting cookies.
  • We do not use tracking pixels from ad networks.
  • We do not share browsing data with social media platforms or data brokers.

Data Retention

We retain your personal data only for as long as necessary to provide the Service and fulfil the purposes described in this policy:

  • Host account data: Retained for the duration of your account. Deleted within 30 days of account closure, except where retention is required by law.
  • Guest data: Retained for 12 months after the check-out date associated with the guest link, then automatically deleted.
  • Transaction records: Retained for 7 years to comply with UK tax and financial reporting requirements.
  • Server logs: Retained by our hosting provider in accordance with their data retention policies, typically for up to 30 days.

International Data Transfers

WelcomeDeck is a UK-based company. Our service providers process data in the following regions:

  • Authentication provider — US-based (GDPR compliant)
  • Stripe (payments) — US-based
  • Hosting provider — US-based
  • Database provider — UK (London region)

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK ICO, or reliance on the provider's compliance with the UK-US Data Bridge or equivalent adequacy frameworks.

Children's Privacy

WelcomeDeck is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal data, please contact us at support@welcomedeck.app and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify Hosts by email or through the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled, please contact us:

We aim to respond to all privacy-related enquiries within 30 days.