Legal
Privacy Policy
Effective May 26, 2026 · Last updated May 26, 2026
The short version
We collect your email, name, and listing URL when you sign up. We use it to give you a host dashboard, track your referral commissions, and send transactional emails. We don't sell your data. We use Supabase (auth + database) and Plausible (privacy-friendly analytics). You can delete your data anytime by emailing support@refstay.com.
1. Who we are
Refstay ("we", "us", "our") operates the referral platform at refstay.com. We help short-term rental hosts in Miami and Punta Cana earn commissions by referring guests to local activity operators via FareHarbor.
2. What we collect
When you sign up as a host
- Email address — for login, transactional emails, and payout notifications
- Name — to personalize your dashboard and welcome cards
- Password — stored hashed (bcrypt) via Supabase Auth; we never see your plain-text password
- Airbnb listing URL (optional) — to verify you're a real host
- Zone (Miami or Punta Cana) — to show relevant activities
When your guests use your referral link
- Click counts — aggregated per slug, via Plausible Analytics. We don't track individual visitors with cookies.
- Booking attribution — when a guest books, FareHarbor records your slug in their booking reference. We see this in our monthly reconciliation report.
Automatically collected
- Standard server logs (IP address, timestamp, page visited) retained 7 days for security/abuse detection
- Aggregate page-view stats via Plausible — no cookies, no fingerprinting, GDPR-compliant by design
3. How we use your data
- Account management — login, password reset, email verification
- Referral tracking — match bookings to your slug so we can pay you
- Transactional emails — payout confirmations, monthly statements, account updates
- Service improvement — aggregate analytics on which features hosts use most
We do not:
- Sell or rent your data to third parties
- Send marketing emails without your consent
- Track guests across the internet
- Share your data with advertisers
4. Who we share it with (vendors)
- Supabase (auth + database) — stores your account info. Supabase Privacy
- Vercel (hosting) — serves refstay.com. Vercel Privacy
- Plausible Analytics (analytics) — anonymous page views. Plausible Privacy
- Formspree (signup notifications) — receives a copy of new signups so we know to onboard you. Formspree Privacy
- FareHarbor (booking platform) — we don't share your data directly; FareHarbor sees the booking reference (your slug) when your guests book.
- PayPal / Zelle (payouts) — when we pay you, we provide your name and email. Payment processors have their own privacy policies.
5. Cookies and tracking
We use no third-party cookies. We use only:
- A first-party session cookie via Supabase to keep you logged into your dashboard
- Browser localStorage to remember UI preferences
Plausible Analytics is cookie-free.
6. Your rights
You have the right to:
- Access your data — see what we have on file
- Correct inaccurate info (use the "Request update" button in your dashboard, or email us)
- Delete your account and all associated data
- Export a copy of your data (we'll send a JSON file)
- Object to specific uses of your data
- Withdraw consent for marketing emails (we don't currently send any)
To exercise any of these, email support@refstay.com. We respond within 7 business days.
7. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account deletion request.
- Booking + commission records — kept for 7 years (tax/accounting compliance).
- Server logs — 7 days then auto-deleted.
8. Security
We use industry-standard security measures: HTTPS everywhere, hashed passwords (bcrypt), Row-Level Security on our database (each host can only access their own data), encrypted backups. No system is 100% secure — if we discover a breach affecting your data, we'll notify you within 72 hours.
9. International users
Refstay is operated from the United States. If you're in the EU/UK/California, you have additional rights under GDPR / UK GDPR / CCPA. The rights listed above apply to all users regardless of location.
10. Children
Refstay is not intended for users under 18. We don't knowingly collect data from minors. If you believe a minor has signed up, email us and we'll delete the account.
11. Changes to this policy
We'll notify you of material changes via email + a banner on the dashboard. Continued use after changes constitutes acceptance.
12. Contact
Questions about this policy or your data?
Email: support@refstay.com
Mail: Refstay, Miami, FL 33139, USA