Privacy Policy
Last updated: June 2026
1. Overview
Wellstone Software (“we”, “us”, “our”) operates STR Pro, a direct booking marketplace and property management platform. This Privacy Policy explains what data we collect, how we use it, and your rights.
2. Data We Collect
Account Information
When you create an account via Clerk, we receive your email address, name, and a unique identifier. Authentication is handled by Clerk.
Property and Financial Data
You may enter property details, financial transactions, reservations, activity logs, and related data. This data is stored in our database and used solely to provide the Service.
Guest Information
Guest personal information (email addresses, phone numbers) is encrypted at rest using AES-256-GCM before storage. Guest names, booking details, and message content are also encrypted. This data is accessible only to the property host and our platform.
Messaging Data
All message bodies (guest-host messages, inquiry replies, support tickets) are encrypted with AES-256-GCM before storage. Message reactions and read receipts are stored in plaintext. Host personal contact information is never exposed to guests.
Booking & Payment Data
Booking details (dates, amounts, guest info) are stored in our database. Payment processing is handled entirely by Stripe. We store Stripe customer IDs, payment intent IDs, and payment method IDs — we never store credit card numbers, CVVs, or full card details. Guest payment methods may be saved by Stripe (via setup_future_usage) for potential post-stay damage charges.
Rental Agreement Acceptance
When a guest accepts a rental agreement, we log the acceptance timestamp, IP address, and a SHA-256 hash of the agreement text version for audit purposes.
Bank Account Data (Plaid)
If you connect a bank account, the connection is made through Plaid. We store an encrypted access token — we never see or store your bank credentials or full account numbers. You can disconnect at any time in Settings.
Channel Manager Data (Hospitable)
If you connect Hospitable, we store an encrypted OAuth access token and sync reservation, guest, and message data. You can disconnect in Settings at any time.
Location & Geocoding
Property addresses are sent to OpenStreetMap Nominatim (a free geocoding service) to obtain latitude/longitude coordinates for map display on the /stays directory. Only the address is sent — no personal data.
Photos & Media
Property photos uploaded by hosts are stored on Vercel Blob Storage. Photos imported from Airbnb listings are fetched from publicly accessible URLs and re-hosted on our storage. Photos are publicly accessible by URL.
Usage & Error Data
We use Sentry for error tracking and may collect server logs including IP addresses, request timestamps, and feature usage patterns for service reliability and improvement.
3. How We Use Your Data
- To provide and operate the Service including bookings, messaging, and payouts
- To send transactional emails (booking confirmations, check-in instructions, pre-arrival reminders, post-stay follow-ups, review requests, inquiry notifications, support replies, weekly digests, REP milestone alerts)
- To process payments, manage subscriptions, and facilitate host payouts via Stripe Connect
- To auto-categorize bank transactions using AI (Anthropic Claude — data is not used to train models)
- To geocode property addresses for map display
- To suggest lodging tax rates based on property state
- To improve the Service and diagnose technical issues
- To comply with legal obligations
We do not sell your personal data to third parties. We do not use your financial, property, or guest data for advertising purposes.
4. Third-Party Service Providers
We use the following providers:
- Clerk — authentication and user management
- Stripe — payment processing, subscription billing, Connect payouts, stored payment methods
- Plaid — bank account connectivity
- Hospitable — channel manager data sync (Airbnb, VRBO)
- Resend — transactional email delivery
- Neon — PostgreSQL database hosting
- Vercel — application hosting, serverless functions, blob storage, custom domains
- Anthropic — AI transaction categorization and content generation (data is not used to train models)
- OpenStreetMap Nominatim — free geocoding for property addresses
- Sentry — error tracking and monitoring
Each provider has its own privacy policy. We only share the minimum data necessary for each feature.
5. Data Security
We implement multiple layers of security:
- Encryption at rest: Guest PII (email, phone), message bodies, bank tokens, and channel manager tokens are encrypted with AES-256-GCM
- Encryption in transit: All data in transit is encrypted via TLS/HTTPS
- Rate limiting: API endpoints are rate-limited to prevent abuse (distributed via Upstash Redis)
- No email exposure: Host personal email and phone are never shared with guests
- Token-based access: Guest portals use non-guessable tokens (CUIDs), not passwords
- Magic link auth: Guest login uses short-lived encrypted JWT tokens (1-hour expiry)
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@strpro.io.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account (Settings → Account → Delete Account), we delete your personal data and associated records within 30 days, except where required for legal or compliance purposes. Connected bank accounts (Plaid) are revoked immediately upon deletion.
Guest booking records and message history are retained for the duration of the host's account to support dispute resolution and financial reporting.
7. Guest Privacy
If you are a guest who has booked through STR Pro:
- Your email and phone are encrypted and only accessible to the property host through our platform
- Your payment method may be stored by Stripe for damage claims (you are notified at checkout)
- Your messages are encrypted and only visible to you and the host
- You can access your booking via the guest portal link or the “Find My Booking” magic link flow
- You can submit support tickets from the guest portal without creating an account
8. Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and associated data
- Opt out of non-essential email communications (via Settings)
- Disconnect third-party integrations at any time via Settings
- Request export of your data
To exercise these rights, email support@strpro.io.
9. Children's Privacy
The Service is intended for adults (18+). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice. Continued use constitutes acceptance of the revised policy.
11. Contact
Questions about this Privacy Policy? support@strpro.io