Privacy Policy

Your privacy matters to us. This policy explains what data we collect, how we use it, and how we protect it.

Effective Date: May 1, 2026  ·  Questions? privacy@magicbnb.io

1. Overview

MagicBNB ("we," "us," or "our") operates the website magicbnb.io and the application app.magicbnb.io (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use the Service.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This policy applies to all information collected through the Service and any related communications, including email, chat, and support interactions.

2. Data We Collect

We collect the following categories of information:

Account Information. When you register, we collect your name, email address, password (hashed — never stored in plain text), and any profile information you provide.

Property & Booking Data. When you connect a property management system (Hospitable, Hostfully), we import your property listings, reservation records, calendar availability, booking history, guest counts, and revenue data from those platforms.

Financial & Banking Data. When you connect a bank account via Plaid, we receive read-only access to your transaction history, account balances, and account metadata (account type, institution name). We do not receive or store your bank login credentials, full account numbers, or routing numbers. Plaid handles all credential management under their own privacy and security framework.

Booking Channel Data. Revenue, payout, and booking data from Airbnb, Vrbo, and direct booking channels is imported via your connected PMS.

Usage Data. We automatically collect data about how you interact with the Service, including pages visited, features used, time spent, clicks, and error logs. This helps us improve the Service.

Device & Technical Data. We collect IP addresses, browser type, device type, operating system, referral URLs, and other standard web analytics data.

Communication Data. If you contact us via email or support, we retain the contents of those communications.

AI Interaction Data. When you use Milo, your queries and the portfolio context provided to the AI are processed to generate responses. These interactions may be reviewed to improve AI quality and safety.

Payment Data. Payment information is processed by Stripe. We receive only a tokenized reference and the last four digits of your card. We do not store full card numbers.

3. How We Use Your Data

We use the information we collect to:

Service Delivery. Provide, maintain, and improve the Service, including calculating portfolio metrics, generating reports, powering deal analyses, and running Milo's AI responses.

Account Management. Create and manage your account, process subscriptions, send billing notices, and handle authentication.

Personalization. Tailor the Service to your portfolio, preferences, and usage patterns.

Communications. Send transactional emails (account creation, billing, password reset), product updates, and — with your consent — marketing communications. You can unsubscribe from marketing emails at any time.

Safety & Security. Detect and prevent fraud, unauthorized access, abuse, and other harmful activity.

Legal Compliance. Comply with applicable laws, respond to legal requests, and enforce our Terms of Service.

Product Improvement. Analyze aggregated, anonymized usage data to improve features, fix bugs, and develop new capabilities.

We do not sell your personal data. We do not use your data for advertising targeting on third-party platforms.

4. Third-Party Services & Data Sharing

We share data with third parties only as described below:

Service Providers. We use carefully selected third-party vendors to operate the Service. These include:

- Plaid Technologies, Inc. — bank connection infrastructure
- Stripe, Inc. — payment processing
- Sanity.io — content management for the blog
- Vercel / Netlify — hosting and deployment infrastructure
- Analytics providers — aggregated usage analytics (no personal data sold to advertisers)
- AI model providers — to power Milo's conversational capabilities

Each service provider processes data only on our behalf and under contractual obligations consistent with this policy.

Business Transfers. If MagicBNB is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or a notice on the Service.

Legal Requirements. We may disclose your data if required by law, court order, or government request, or to protect the rights, property, or safety of MagicBNB, our users, or the public.

With Your Consent. We may share data with third parties when you have explicitly consented.

We do not share, sell, rent, or trade your personal data with third parties for their own marketing purposes.

5. Financial & PMS Data

Because MagicBNB handles sensitive financial and property data, we want to be especially clear about how this data is handled.

Bank Data via Plaid. All bank connections are established through Plaid, an industry-leading financial data network used by major fintech companies. MagicBNB receives read-only access — we can view your transactions and balances, but cannot move money, initiate payments, or modify your bank account in any way. Your bank credentials are entered only on Plaid's secure platform and are never transmitted to or stored by MagicBNB.

PMS Data. When you connect Hospitable or Hostfully, we receive your property and reservation data via their official APIs using OAuth or API key authentication. MagicBNB never receives or stores your PMS password. You can revoke MagicBNB's access to your PMS at any time from within the PMS or from your MagicBNB settings.

Booking Channel Data. Airbnb and Vrbo revenue data flows into MagicBNB via your connected PMS. We do not have a direct connection to Airbnb or Vrbo and do not collect guest personal information beyond booking metadata (booking ID, nights booked, channel, revenue).

Data Minimization. We collect only the financial and property data necessary to provide the analytics, reporting, and deal analysis features of the Service.

6. AI Features & Milo

Milo is MagicBNB's AI-powered revenue and profit manager. When you interact with Milo:

Context Provided. Milo is provided with context about your portfolio — including property names, financial metrics, and deal analyses — to give relevant, personalized responses. This context is transmitted to our AI model provider to generate responses.

Data Processing. Your queries and the portfolio context are processed by AI systems. We take steps to minimize the personal data included in AI prompts and to ensure that data is handled in accordance with our agreements with AI model providers.

Not Stored as Training Data. We do not use your individual conversations with Milo to train AI models without your explicit consent.

Output Limitations. Milo's responses are AI-generated and may contain errors, inaccuracies, or outdated information. Milo's outputs are informational only and do not constitute financial, legal, tax, or investment advice. Always verify important decisions with a qualified professional.

Opt-Out. If you prefer not to use Milo, you can simply not use that feature. Your portfolio analytics and other features will continue to function.

7. Cookies & Tracking

We use cookies and similar tracking technologies to operate and improve the Service.

Essential Cookies. Required for the Service to function — authentication tokens, session management, security features. You cannot opt out of these while using the Service.

Analytics Cookies. We use analytics tools to understand how users interact with the Service. These collect aggregated, anonymized data (page views, feature usage, session duration). We do not use advertising cookies or sell cookie data to advertisers.

Preference Cookies. Store your settings and preferences (e.g., selected date ranges, filter preferences) to improve your experience.

Managing Cookies. Most browsers allow you to control cookies through their settings. Disabling essential cookies will impair your ability to use the Service. For analytics cookies, you can opt out via your browser settings or our cookie preferences tool.

Do Not Track. We respect browser "Do Not Track" signals for analytics purposes.

8. Data Security

We take data security seriously and implement industry-standard measures to protect your information:

Encryption. All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). Sensitive data at rest is encrypted using industry-standard encryption.

Access Controls. Access to user data within MagicBNB is restricted on a need-to-know basis. All employee access is logged and reviewed.

Third-Party Security. Plaid maintains bank-grade security certifications (SOC 2 Type II, PCI DSS). Stripe is PCI DSS Level 1 certified. We review the security practices of all major service providers.

No Password Storage. Passwords are hashed using a modern, secure algorithm before storage. Bank and PMS credentials are never stored by MagicBNB.

Incident Response. In the event of a data breach that affects your personal data, we will notify you as required by applicable law, and no later than 72 hours after becoming aware of the breach where required by GDPR.

Limitations. No security system is impenetrable. While we take reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service.

Active Accounts. We retain all account data, property data, transaction history, and analytics data for the duration of your active account.

After Cancellation. Upon account cancellation, we retain your data for 30 days to allow for account recovery. After 30 days, we delete or anonymize your personal data, except as required by law.

Legal Holds. We may retain certain data for longer periods if required by law, legal proceedings, or regulatory requirements.

Aggregated Data. Aggregated, anonymized data derived from your usage may be retained indefinitely for product improvement purposes.

Deletion Requests. You may request deletion of your data at any time by contacting privacy@magicbnb.io. We will process deletion requests within 30 days, subject to any legal retention obligations.

10. Your Rights & Choices

You have the following rights regarding your personal data:

Access. You may request a copy of the personal data we hold about you.

Correction. You may request that we correct inaccurate or incomplete data.

Deletion. You may request deletion of your personal data, subject to legal retention requirements.

Portability. You may request an export of your data in a machine-readable format.

Opt-Out of Marketing. You may unsubscribe from marketing emails at any time by clicking "unsubscribe" in any marketing email or contacting us at privacy@magicbnb.io. You cannot opt out of essential transactional emails (billing, security notices).

Disconnect Integrations. You can disconnect bank accounts, PMS connections, and other integrations at any time from within the Service.

Account Deletion. You may delete your account at any time from account settings or by contacting privacy@magicbnb.io.

To exercise any of these rights, contact us at privacy@magicbnb.io. We will respond within 30 days. We may need to verify your identity before fulfilling requests.

11. GDPR — EEA & UK Users

If you are located in the European Economic Area (EEA) or United Kingdom, this section applies to you in addition to the rest of this policy.

Legal Basis for Processing. We process your personal data under the following legal bases:

- Contractual necessity — to provide the Service under our Terms of Service.
- Legitimate interests — to improve the Service, prevent fraud, and ensure security.
- Legal obligation — to comply with applicable laws.
- Consent — for marketing communications (you may withdraw at any time).

International Transfers. MagicBNB is based in the United States. Your data may be transferred to and processed in the US or other countries. Where required, we use Standard Contractual Clauses or other approved mechanisms to ensure adequate protection.

Data Protection Officer. For GDPR-related inquiries, contact us at privacy@magicbnb.io.

Supervisory Authority. You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your GDPR rights.

Additional Rights. Under GDPR, you also have the right to object to processing, restrict processing, and withdraw consent at any time where consent is the legal basis.

12. CCPA — California Users

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete. You may request deletion of personal information we have collected about you, subject to certain exceptions.

Right to Opt-Out of Sale. MagicBNB does not sell personal information as defined under the CCPA.

Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

How to Submit a Request. Submit requests to privacy@magicbnb.io with "CCPA Request" in the subject line. We will respond within 45 days.

Shine the Light. California Civil Code Section 1798.83 allows California residents to request information about disclosure of personal information to third parties for direct marketing. MagicBNB does not share personal information with third parties for their direct marketing purposes.

13. Children's Privacy

The Service is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@magicbnb.io and we will delete that information promptly.

If we become aware that we have collected personal information from a minor without appropriate consent, we will take immediate steps to delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

- Update the Effective Date at the top of this page.
- Send a notification to your registered email address.
- Display a notice within the Service.

Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated policy. If you do not agree, you must stop using the Service.

The current version is always available at https://magicbnb.io/privacy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@magicbnb.io
Website: https://magicbnb.io

For general questions about your account or the Service, contact hello@magicbnb.io.

We take privacy concerns seriously and will respond to all inquiries within 30 days.