1. Introduction
Shortrental EOOD ("Shortrental", "we", "us") operates shortrental.ai and the Shortrental platform. This policy explains what personal data we collect, why we collect it, and how you can exercise your rights under the GDPR and the Bulgarian Personal Data Protection Act.
2. Who we are
Shortrental EOOD is registered in Bulgaria, EIK 000000000, headquartered at ул. Шипка 12, 1000 Sofia. Our Data Protection Officer can be reached at privacy@shortrental.ai.
3. Data we collect
We collect (a) account data you provide (name, email, company, phone), (b) operational data you import or we sync (reservations, guest messages, property info, cleaning tasks, payments), (c) usage data (IP, device, pages visited) and (d) payment metadata (never card numbers — handled by Stripe).
4. How we use data
We use data to provide and improve the service, reply to support requests, send security/operational emails, prevent fraud, comply with law, and (with your consent) send product updates. We never sell your data and never train external AI models on your guests' messages.
5. Legal basis (GDPR art. 6)
We rely on: (a) contract performance for service delivery, (b) legitimate interest for analytics, security and product improvement, (c) consent for marketing emails, and (d) legal obligation for tax and anti-money-laundering records.
6. Sharing with third parties
We share data only with sub-processors necessary to run the service (Supabase/AWS for hosting, Stripe for payments, Resend for email, OTAs you connect). A full list with contracts is in our DPA. We never share data with advertisers or brokers.
7. How long we keep data
Account data for the life of your account + 90 days. Financial records for 10 years (Bulgarian tax law). Backups purged within 35 days of deletion. Marketing emails until you unsubscribe.
8. Your rights
You have the right to access, rectify, erase, restrict processing, port your data, object to processing, and withdraw consent. Contact privacy@shortrental.ai — we respond within 30 days. You may also file a complaint with the Bulgarian CPDP.
9. Security
We use AES-256 encryption at rest, TLS 1.3 in transit, row-level security in the database, and 2FA for team accounts. A SOC 2 Type II audit is in progress, and we run regular penetration testing. Incident notifications are sent within 72 hours, as required by GDPR.
10. International transfers
Primary data is stored in the EU (Frankfurt). Some sub-processors (e.g. Stripe) may transfer data to the US — we use Standard Contractual Clauses and additional safeguards.
11. Cookies
We use essential cookies for authentication and security, and optional analytics cookies (Plausible, PostHog) that you can decline. We do not use third-party advertising cookies.
12. Changes to this policy
We'll notify you by email and in the dashboard at least 30 days before material changes. Minor edits are logged with a new "last updated" date.
13. Contact
Questions about this policy? Email privacy@shortrental.ai or write to us at the address above.