Tavvolo Privacy Policy

Last Updated: April 4, 2026

Tavvolo, Inc. ("Tavvolo," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our community-specific vacation rental platform, including our website, mobile applications, and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with this Privacy Policy, you may not access or use the Service.

1. Information We Collect

1.1 Information You Provide to Us

Account Information: When you create or update an account, we collect information such as your name, email address, phone number, password, and profile photo (optional).

Tavvolo does not independently process or store biometric identifiers. Identity verification services, including biometric processing, are provided by Stripe Identity and governed by Stripe's privacy policies and applicable law.

Property and Listing Information: If you are a Host, we collect information related to your property listings, including property addresses, descriptions, photos, amenities, house rules, pricing, availability calendars, and related content.

Payment Information: Payment card information, bank account details, and billing addresses are collected and processed by Stripe, our payment processor. Tavvolo does not store full payment card numbers on its servers, but may retain limited payment references (such as the last four digits of a card) for recordkeeping and customer support purposes.

Communications: We collect the content of messages you send through the Service, including messages between Hosts and Guests, customer support inquiries, reviews, and other inquiries.

User-Generated Content: We collect content you choose to submit to the Service, such as photos, reviews, ratings, comments, and other materials.

1.2 Information Collected Automatically

Device Information: We automatically collect device type, operating system, unique device identifiers, mobile network information, and device settings.

Usage Information: We collect information about your interactions with the Service, including pages viewed, links clicked, features used, search queries, booking history, and time spent on the Service.

Location Information: With your permission, we collect precise geolocation data from your mobile device. We may also derive approximate location information (such as city or region) from your IP address.

Log Information: Our servers automatically record information including IP addresses, browser type and language, access times, pages viewed, app crashes, and system activity.

Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activities and preferences. Additional details are provided in Section 6 below.

1.3 Information from Third Parties

Third-Party Services and Integrations: If you connect your Tavvolo account to third-party services (such as social media platforms or external integrations), we may receive information from those services in accordance with their privacy policies and your privacy settings.

Background and Trust-Related Information: If you provide consent where required, we may receive information from third-party providers related to identity verification, trust, or fraud prevention.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information, including confirmations, receipts, and invoices
  • Verify your identity and prevent fraud, spam, and abuse
  • Send you technical notices, updates, security alerts, and administrative messages
  • Respond to your comments, questions, and customer service requests
  • Send you promotional communications, newsletters, and marketing materials (with your consent where required)
  • Personalize and customize your experience, including showing you relevant property listings and content
  • Monitor and analyze trends, usage, and activities in connection with the Service
  • Detect, investigate, and prevent fraudulent transactions and other illegal activities
  • Facilitate communication between Hosts and Guests
  • Enforce our Terms of Service and other policies
  • Comply with legal obligations and resolve disputes
  • Carry out any other purpose described to you at the time the information was collected

3. How We Share Your Information

We may share your information in the following circumstances:

3.1 With Other Users

When you make or accept a booking, we share relevant information with the other party, including names, contact information, property addresses, and booking details. Your public profile information may be visible to other users of the Service.

3.2 With Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Payment Processing: Stripe (stripe.com) processes all payment transactions and identity verification
  • Cloud Hosting: Supabase (supabase.com) provides our database, authentication, and backend infrastructure
  • Communication Services: Resend (resend.com) delivers transactional and marketing email communications
  • Analytics: Vercel Analytics (vercel.com) provides website performance and usage analytics. We also operate a custom analytics system on our Supabase infrastructure to understand how users interact with the Service
  • Customer Support: Tawk.to (tawk.to) provides live chat functionality on our website
  • Security: Google reCAPTCHA (google.com/recaptcha) provides bot detection and spam prevention
  • Advertising & Conversion Tracking:
    • Meta (Facebook) Pixel (meta.com) measures ad performance and conversion events across our website and app
    • Google Ads (google.com/ads) tracks conversions and measures advertising campaign effectiveness
    • Reddit Pixel (reddit.com) measures ad conversions and campaign performance on the Reddit platform

These service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed.

3.3 For Legal Reasons

We may disclose your information if required by law or in response to valid legal requests, including:

  • To comply with a subpoena, court order, or other legal process
  • To respond to lawful requests from government authorities
  • To protect our rights, property, or safety, or that of our users or the public
  • To investigate, prevent, or take action regarding illegal activities, suspected fraud, or potential threats

3.4 Business Transfers

If we are involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information with third parties when you explicitly authorize such sharing for a specific purpose, such as when you authorize third-party integrations or participate in promotional activities.

3.6 Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you, such as statistics about Service usage or demographic trends.

4. Data Retention

Retention periods are determined based on the applicable legal requirements, contractual obligations, operational needs, dispute resolution considerations, and legitimate business purposes. The length of time we retain information varies depending on the type of information and how it is used, including:

  • Account Information: Retained for the duration of your account plus a reasonable period thereafter
  • Transaction Records: Retained for at least 7 years to comply with tax and financial regulations
  • Communications: Retained for a reasonable period to resolve disputes and provide customer support
  • Marketing Data: Retained until you unsubscribe or request deletion
  • Verification Data: Identity verification data is retained according to Stripe's retention policies and applicable regulations
  • Analytics Data: Website analytics events and visitor identifiers are retained for up to 24 months, after which they are anonymized or deleted

5. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your information from unauthorized access, use, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Employee training on data protection and security practices
  • Monitoring for unauthorized access or suspicious activity

However, no system is completely secure, and we cannot guarantee the absolute security of your information. Users are responsible for maintaining the security of their devices, passwords, and account credentials.

6. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar technologies to collect information about your browsing activities and preferences. These technologies help us:

  • Remember your preferences and settings
  • Authenticate your account
  • Analyze Service usage and performance
  • Deliver targeted advertising
  • Prevent fraud and enhance security

Types of cookies we use:

  • Essential Cookies: Required for the Service to function properly, including authentication session cookies managed by Supabase
  • Functional Cookies: Remember your settings and choices. This includes our tavvolo_variant cookie (duration: 90 days), which is used to assign you to a landing page variant for testing purposes
  • Analytics Cookies: Help us understand how you use the Service. Vercel Analytics sets cookies to track page views and performance. Google reCAPTCHA may set cookies for bot detection purposes
  • Third-Party Cookies: Our live chat provider (Tawk.to) may set cookies to enable chat functionality and track support interactions
  • Marketing Cookies:
    • Meta (Facebook) Pixel: Sets cookies including _fbp (browser identifier, 90 days) and _fbc (click identifier, 90 days) to measure ad conversions, build audiences, and optimize ad delivery
    • Google Ads: Sets cookies including _gcl_au (conversion linker, 90 days) and _gac_* (campaign data, 90 days) to track ad clicks and measure conversions
    • Reddit Pixel: Sets cookies including _rdt_uuid (user identifier, 90 days) to measure ad conversions and attribute signups to Reddit campaigns

Local Storage and Similar Technologies

In addition to cookies, we use browser local storage to maintain a randomly generated visitor identifier (visitor_id) and session identifier (session_id) for analytics purposes. The visitor identifier persists across browser sessions until you clear your browser's local storage. These identifiers are not linked to your account and are used solely to understand aggregate usage patterns.

Conversion Tracking & Event Data

When you interact with our website or app after clicking an advertisement, our advertising partners may collect conversion event data. This includes actions such as account signups, booking completions, and page views. This data is shared with Meta, Google, and Reddit in hashed or anonymized form to measure ad campaign effectiveness and optimize ad delivery. We do not share personal messages, listing details, or other private content with advertising platforms.

Data Retention for Advertising

Advertising data is retained by each platform according to their respective policies. Meta retains ad-related data in accordance with Meta's Data Policy. Google retains conversion data in accordance with Google's Privacy Policy. Reddit retains pixel data in accordance with Reddit's Privacy Policy. You may manage your advertising preferences directly with each platform through their respective privacy settings. On iOS 14.5 and later, you can manage app-level tracking through Settings > Privacy > Tracking.

Your Choices

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies. You can clear local storage through your browser's developer tools or settings. However, disabling cookies or clearing local storage may affect your ability to use certain features of the Service. Mobile device users can manage tracking through device settings.

We honor Do Not Track (DNT) browser signals. If your browser sends a DNT signal, we will not set non-essential cookies or collect analytics data via our custom tracking system.

We will obtain your consent before setting non-essential cookies (functional, analytics, and third-party cookies) where required by applicable law, including the EU ePrivacy Directive and GDPR. You may withdraw your consent at any time through the cookie preferences available on our website.

7. Your Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your personal information. These rights may be subject to limitations and exceptions under applicable law.

7.1 Access and Portability

You have the right to access the personal information we hold about you and, where required by law and technically feasible, to receive a copy in a portable format. You can access and review most of your information directly through your account settings.

7.2 Correction and Update

You have the right to request correction of inaccurate personal information or update incomplete information. Most account information can be updated through your account settings.

7.3 Deletion

You have the right to request deletion of your personal information, subject to certain legal and operational exceptions, such as compliance with legal obligations, pending transactions, dispute resolution, and fraud prevention. To request deletion, contact us at privacy@tavvolo.com. Please note that some information may be retained in backup systems for a limited period consistent with our data retention and disaster recovery practices.

7.4 Objection and Restriction

You have the right to object to or request restriction of certain processing activities, including processing for direct marketing purposes. You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by adjusting your communication preferences in your account settings.

7.5 Withdraw Consent

Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing based on consent prior to the withdrawal.

7.7 Complaints

You have the right to lodge a complaint with a data protection authority about our collection and use of your personal information. We encourage you to contact us first so we can address your concerns directly.

To exercise any of these rights, contact us at privacy@tavvolo.com. We will respond within the timeframe required by applicable law (typically within 30 days).

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 16 (or such other age as required by applicable law). If you are a parent or legal guardian and believe your child has provided us with personal information in violation of this policy, please contact us at privacy@tavvolo.com, so that we can investigate and take appropriate action.

9. International Data Transfers

Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws different from your country. By using the Service, you consent to such transfers. We implement appropriate safeguards to protect your information when it is transferred internationally, including standard contractual clauses and other mechanisms approved by regulatory authorities.

10. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of personal information, subject to certain exceptions
  • Right to Opt-Out: Opt out of the sale or sharing of personal information. We do not sell personal information in the traditional sense, but sharing with third parties for targeted advertising may be considered a "sale" under CCPA
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

To exercise these rights, contact us at privacy@tavvolo.com or call [phone number]. You may designate an authorized agent to make requests on your behalf.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process your information based on:

  • Contract: Processing necessary to perform our contract with you
  • Consent: Where you have given explicit consent
  • Legitimate Interests: For our legitimate business interests, such as fraud prevention and service improvement
  • Legal Obligation: To comply with legal requirements

Data Protection Officer: For questions about our GDPR compliance, contact our Data Protection Officer at dpo@tavvolo.com.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, and services that are not operated by us. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies before providing them with any information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy with a new "Last Updated" date. Material changes will be communicated through email notification or a prominent notice on the Service. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@tavvolo.com

Data Protection Officer: dpo@tavvolo.com

Customer Support: support@tavvolo.com

Website: www.tavvolo.com

Mailing Address: Tavvolo, Inc., [Address to be determined]

* * *

By using Tavvolo, you acknowledge that you have read and understood this Privacy Policy.