Downwind
Log InGet Started

Privacy Policy

Last updated: May 29, 2026

This Privacy Policy describes how Downwind Software LLC ("Downwind," "we," "us," or "our") collects, uses, and protects information through the Downwind platform.

1. Who This Policy Covers

This policy applies to two types of users:

  • Owners — vacation rental owners who create an account and use Downwind to manage bookings
  • Guests — people who receive a booking link from an owner and use it to review agreements, provide a signature, and make payments

2. What We Collect

From Owners

  • Account information: name, email address, and password (hashed — never stored in plain text)
  • Property and rental details: property name, address, description, pricing, policies, and other information you enter to describe your rental
  • Connected service data: calendar events from your Google Calendar (read/write access you explicitly grant via OAuth) and Stripe Connect account information required to receive guest payments

About Guests

Guest data is provided to us by the property owner when they create a booking. This includes:

  • Contact information: name, email address, and phone number
  • Booking details: check-in/check-out dates and number of guests

When a guest visits their booking page, the only data they provide directly is their signature when e-signing the rental agreement.

Payment information: We do not collect or store payment information. When a guest pays a deposit or balance, they are redirected to Stripe's hosted payment page. Card numbers and bank details are entered on Stripe's site, not ours. See Stripe's Privacy Policy for how Stripe handles payment data.

From All Users

  • Usage data: page views, clicks, and feature usage collected via PostHog, linked to your account
  • Error data: crash reports and diagnostic information collected via PostHog to help us identify and fix bugs
  • Log data: server logs including IP addresses, browser type, and request timestamps, retained for security and debugging purposes

3. AI-Assisted Features and Third-Party AI Providers

Downwind uses third-party AI language models to power certain features:

  • Email-to-booking parsing: When an owner pastes email correspondence into the "Create from email" feature, that text is sent to our configured AI provider (currently Google Gemini; OpenAI GPT-4o as fallback) for structured data extraction. The parsed output pre-fills the booking form for owner review.
  • Pre-arrival email personalization: Property details and booking context are sent to the AI provider to generate personalized pre-arrival emails for guests.

What this means for data: Text submitted to these features — which may include guest names, email addresses, dates, and other booking details — is transmitted to Google (Gemini API) or OpenAI (GPT-4o API) for processing. These providers process the data under their respective API terms of service and data processing agreements. We do not use these features to train third-party AI models. Owners should not paste content into these features that they are not authorized to share.

4. How We Use Your Data

Your data is used to:

  • Provide and operate the Downwind service
  • Process bookings and create payment invoices via Stripe
  • Send transactional emails (booking confirmations, payment reminders, pre-arrival messages) via Resend
  • Sync booking events to the owner's connected Google Calendar
  • Generate AI-assisted content (email parsing, pre-arrival emails) via third-party AI providers
  • Improve the product based on usage patterns
  • Diagnose and fix errors and service issues

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.

5. Third-Party Processors

We use the following services to operate Downwind. Each processes data on our behalf under their own privacy policies and, where applicable, data processing agreements:

ServicePurpose
SupabaseDatabase hosting and authentication
StripeOwner subscription billing and guest payment collection (payments occur on Stripe's hosted pages)
ResendTransactional email delivery
GoogleCalendar sync (OAuth, Calendar API) and AI text processing (Gemini API)
OpenAIAI text processing (GPT-4o API, fallback provider)
PostHogProduct analytics, error tracking, and crash reporting (their privacy policy)
VercelApplication hosting

6. Cookies

We use a minimal set of cookies:

  • Authentication cookies (Supabase) — required to keep you logged in. These are essential and cannot be disabled.
  • Analytics cookies (PostHog) — used to understand how the product is used. These do not track you across other websites.

We do not use advertising cookies or third-party tracking pixels.

7. Data Retention and Deletion

Your data is retained for as long as your account is active. If you delete your account:

  • We will permanently delete your account data within 30 days
  • Guest booking data associated with your account will be deleted on the same schedule
  • Data may be retained beyond 30 days only where required by law (e.g., financial records for tax compliance)

Transactional records held by Stripe (payment history, invoices) are governed by Stripe's own retention policies and are not deleted by Downwind.

8. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your data, including encrypted connections (TLS), hashed passwords, row-level database security policies, and access controls on internal systems. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities as required by law. Where required, notification will include the nature of the breach, the data affected, and steps you can take to protect yourself.

10. Children's Privacy

Downwind is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. Data Requests

If you have questions about your data, or would like to request access, correction, deletion, or export of your data, email us at privacy@downwinddirect.com. We will respond within 30 days.

Your specific rights depend on where you live — see the sections below for California and European residents.

12. California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of personal information — we do not sell personal information
  • Not be discriminated against for exercising your privacy rights

To exercise these rights, contact privacy@downwinddirect.com.

13. European and UK Residents (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data.

Our Role

For owner data: Downwind is the data controller. We determine the purposes and means of processing your account and usage data to provide the Service.

For guest data: The property owner is the data controller — they determine why and how guest data is collected (to fulfill a rental agreement) and provide that data to Downwind. Downwind acts as a data processor, processing guest data on the owner's behalf to facilitate the booking. Guests may exercise their data rights by contacting the property owner directly or by contacting us at privacy@downwinddirect.com.

Legal Bases for Processing

  • Contract performance (Article 6(1)(b)) — for owners: providing the booking management service you signed up for
  • Legitimate interest (Article 6(1)(f)) — product analytics, error tracking, and fraud prevention
  • Legal obligation (Article 6(1)(c)) — complying with applicable legal requirements

Your GDPR Rights

Under GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restrict processing — ask us to limit how we use your data
  • Data portability — receive your personal data in a structured, machine-readable format (JSON)
  • Object to processing — object to processing based on legitimate interest
  • Lodge a complaint — file a complaint with your local data protection authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)

International Data Transfers

Downwind is hosted in the United States. If you are in the EEA or UK, your data is transferred to the US for processing. Our third-party processors maintain appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where applicable.

Contact for GDPR Requests

To exercise any GDPR right, email privacy@downwinddirect.com with the subject line "GDPR Request." We will respond within 30 days.

14. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via the email address associated with your account at least 14 days before the changes take effect. Continued use of Downwind after the effective date constitutes acceptance.

15. Contact

Privacy questions? Reach us at privacy@downwinddirect.com.

Downwind

Booking management for independent vacation rental owners. Collect payments, sync calendars, and automate guest emails. We never take a cut of your rental income.

Product

  • How It Works
  • Pricing
  • Get Started

Other Stuff

  • About
  • Contact
  • Blog
  • Privacy Policy
  • Terms of Service

© 2026 Downwind. All rights reserved.