Privacy Policy
Version 1.0 · Effective April 17, 2026
1. Who we are
This Privacy Policy explains how the owner and operator of Curran Lake House (“we,” “us”) collects, uses, and protects personal information when you use this website and book a stay. We are the data controller for the information described below.
2. Information we collect
- Account information — the name, email address, password (hashed with scrypt), and optional phone number you provide at signup.
- Booking information — dates, guest counts, notes, itemized charges, and your agreement to the Terms of Service and House Rules.
- Payment confirmation — PayPal order and capture identifiers, transaction amount, and status. We never receive or store your card number, bank account, or full payment credentials; those remain with PayPal under its PCI-DSS Level 1 certification.
- Identity document — a photo of a government-issued ID you upload during checkout to verify your identity and age. Images are re-encoded to strip EXIF metadata (including GPS), stored at an unguessable object path, and exposed only through an authenticated admin proxy.
- Technical data — IP address, browser user-agent, pages visited, and a single first-party session cookie to keep you signed in. We do not use advertising or tracking cookies.
- Audit log — a record of significant account and administrative actions (sign-ins, booking changes, refunds, admin edits) with actor, timestamp, IP, and user-agent for security and dispute resolution.
3. How we use your information
- Create and manage your account.
- Confirm, service, and settle your booking (including email receipts and check-in instructions).
- Verify identity and comply with short-term rental regulations.
- Process refunds, security deposit releases, and damage claims.
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Comply with tax, lodging, and legal obligations.
4. Legal basis
Where applicable (e.g., GDPR or comparable laws), we process personal data on the bases of (a) performance of a contract (the booking you requested), (b) compliance with a legal obligation, (c) our legitimate interests in operating and securing the Service, and (d) your consent where required, which you may withdraw at any time without affecting processing already performed.
6. Retention
- Booking records — retained for 7 years after the stay to meet tax and lodging record-keeping requirements.
- Photo ID document — retained while the booking is active and for 90 days after checkout, then automatically purged. Extended retention applies only where required to resolve an active dispute or by law.
- Audit log entries — retained for 7 years.
- Server access logs — 30 days.
- Account data on deletion — when you delete your account, personal identifiers are anonymized on historic bookings rather than erased, so the accounting record of past transactions remains complete and auditable.
7. Security
We apply defense-in-depth measures: passwords hashed with scrypt; sessions bound to http-only, secure, SameSite cookies; a strict Content-Security-Policy; HSTS preload; session rotation on privilege changes; rate limiting on authentication and booking endpoints; encrypted transport (TLS) everywhere; server-side payment creation and three-way capture verification; a database-level exclusion constraint preventing double-bookings; EXIF stripping on uploaded images; and audit-logged admin access to every ID document view. No system is perfect; if we experience a data incident affecting your information, we will notify you as required by applicable law.
8. Your rights
Subject to applicable law, you have the right to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) request deletion; (d) object to or restrict certain processing; (e) portability of the data you provided; and (f) lodge a complaint with your supervisory authority. Submit requests by email to the address on your booking confirmation. We will respond within 30 days.
9. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has submitted information, contact us and we will delete it.
10. International transfers
Our infrastructure providers may process data in the United States or other countries. Where the law requires transfer safeguards, we rely on standard contractual clauses or equivalent mechanisms.
12. Changes
We may update this Policy. Material changes will be communicated by email and by updating the effective date above.
13. Contact
For privacy questions or rights requests, email the Host at the address on your booking confirmation.