Privacy Policy

Last updated: May 15, 2026

Introduction

OurSharedPlace ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at oursharedplace.com and our companion mobile application (together, the "Service").

Information We Collect

Information You Provide

We collect information that you voluntarily provide when using the Service:

  • Account information: email address, password (stored only in hashed form), first and last name, and an optional display name.
  • Profile information: avatar image, color preferences for the calendar, and notification preferences.
  • Property information: property name, description, address, photos, optional public page settings, calendar export configuration, and timezone.
  • Membership information: the people you invite, their role (admin, member, or guest), and any auto-approval settings or annual booking quotas you configure.
  • Bookings and reservations: reservation dates, status, number of guests, notes, and the type of booking (reservation, maintenance, cleaning, or external).
  • Financial transactions: expense and revenue records you enter, including amount, date, category, description, who paid, and how the amount is split between members. We do not collect or store your bank account or credit card details — payment information for subscriptions is handled directly by Stripe (see below).
  • Content: blog posts, to-do items, checklists, contacts, vendor information, messages, photos, YouTube video links, and documents you upload to your property's file storage.
  • Public booking inquiries: if you turn on your property's public booking page, prospective guests can submit inquiries that include their name, email, phone (optional), party size, date range, and a free-text message.
  • Guest access codes: if you generate guest access codes for short-term visitors, those records may include the guest's name and email and the valid date range.
  • Support communications: messages you send to us for support or feedback.

Automatically Collected Information

When you use the Service we automatically collect certain information:

  • Usage data: pages and screens visited, features used, and approximate session duration.
  • Device information: browser type, operating system, and (on mobile) general device type. We do not collect precise location.
  • Log data: IP address, access times, and referring URLs. IP address is also used by our bot-protection systems on public forms (signup, password reset, public booking inquiry).
  • Bot-protection signals: for public-facing forms we collect a Google reCAPTCHA v3 score, a form-timing signal, and honeypot field values. These are used solely to detect automated abuse.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Create and manage your account, including authentication.
  • Coordinate bookings, expense tracking, communications, and other property-management activities among the members of your property.
  • Send you transactional emails (booking requests, approvals, published blog posts, document uploads, password resets, and account confirmations).
  • Process subscription payments (via Stripe; see "Service Providers" below).
  • Respond to your support requests, comments, and feedback.
  • Detect, prevent, and address security threats, fraud, spam, and automated abuse.
  • Measure the effectiveness of our advertising campaigns (see "Reddit advertising" below).
  • Comply with legal obligations.

Information Sharing and Disclosure

Within Your Property Group

Information you add to a property — bookings, blog posts, photos, contacts, to-dos, checklists, messages, documents, and financial transactions — is shared with other members of that property according to the role and visibility settings you choose. Administrators can see all property data, members can see member-level content, and guests can only see guest-visible content. Financial transactions and member balances are visible to admins and members but never to guests.

Service Providers

We share information with third-party service providers who perform services on our behalf. Each is contractually obligated to protect your information and use it only for the purposes we specify.

  • Supabase: hosts our database, file storage, and authentication system. Data is stored on Supabase's infrastructure in the United States.
  • Postmark: delivers our transactional emails (booking requests, password resets, account confirmations, notifications). We share recipient email addresses and the email content with Postmark.
  • Stripe: processes subscription payments and manages the billing portal. When you upgrade or manage your subscription you are redirected to Stripe's hosted checkout, and Stripe collects your payment details directly. We receive only a subscription identifier and status from Stripe — never your card number.
  • Google reCAPTCHA v3: we use reCAPTCHA on public forms (signup, password reset, public booking inquiry) to detect automated abuse. Google may collect device and usage information as described in Google's privacy policy.
  • Vercel: hosts the website and the API. Vercel processes IP addresses and HTTP request metadata as part of serving traffic.
  • Reddit advertising: if you arrived at our website from a Reddit ad, we send a conversion event to Reddit when you sign up so we can measure ad effectiveness. This includes a hashed version of your email address. See the "Reddit advertising" section below for details and opt-out information.

Reddit advertising

We use Reddit's conversion API to attribute signups to Reddit advertising campaigns. When you create an account, we send Reddit a "SignUp" conversion event that includes a one-way hashed version of your email address. Reddit may use this to measure ad performance and to improve audience targeting. We do not share your name, password, property data, or any other content with Reddit. You can disable cross-site tracking in your browser or device settings, and you can also adjust your ad personalization settings on Reddit directly.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (for example, a court order or subpoena).

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. If a transfer occurs, we will notify you and give you the opportunity to delete your data before the transfer is completed.

What We Do Not Do

  • We do not sell your personal information.
  • We do not rent your personal information to third parties.
  • We do not use third-party advertising trackers on the Service itself (the Reddit conversion event is sent once at signup — we do not embed third-party advertising or analytics cookies on our pages).

Mobile Application

Our iOS companion app uses the same backend as the website. When you sign in on the app, your authentication token is stored securely on the device by iOS. The mobile app reads and writes the same data described above. We do not collect contacts, photos from your camera roll, location, or any other information from your device beyond what you explicitly upload (for example, a photo you choose to add to your property gallery, or a document you choose to upload).

Apple itself may collect device identifiers for the purpose of distributing the app and providing crash reports. Refer to Apple's Privacy Policy for details.

Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:

  • Encryption of data in transit using HTTPS / TLS.
  • Encryption of data at rest in our databases.
  • Row-level security policies in our database so that members of one property cannot read another property's data.
  • Bot protection (reCAPTCHA, honeypot, timing, and rate limits) on public forms.
  • Regular backups of your data.
  • Limited employee access to production systems on a need-to-know basis.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account (see below), we delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, accounting, or regulatory purposes (for example, invoice records).

Property data is retained for as long as the property exists. When a property is deleted by its administrator, all data belonging to that property — bookings, photos, blog posts, documents, financial transactions — is permanently deleted.

Booking requests are kept even when declined, so that property members can review their booking history. Soft-deleted financial transactions are kept for audit purposes and removed when the property is deleted.

Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: you can view your account information, property data, and transactions at any time inside the Service.
  • Correction: you can edit your name, avatar, property details, and other information at any time inside the Service.
  • Deletion: you can delete your account (see the next section).
  • Data portability: you can request a copy of your personal data in a portable format by contacting us.
  • Email opt-out: you can adjust your notification preferences inside the Service. Some service-related emails (security alerts, password resets, account confirmations) cannot be disabled while your account is active.

Account Deletion

You can delete your account at any time from inside the Service. In the web app, go to Profile → Danger Zone → Delete Account. The mobile app offers the same option from the profile screen.

Deleting your account is permanent: your profile, your authentication credentials, and your personal preferences are removed. You are signed out immediately, and any active sessions on other devices are invalidated.

What happens to property data:

  • Properties you share with other administrators: content you authored (bookings, blog articles, photos, contacts, and financial transactions) is reassigned to another administrator of that property so the remaining members keep a complete history. You are removed from the property's member list.
  • Properties where you are the sole administrator: the property itself is permanently deleted along with all of its data — every booking, article, photo, contact, expense record, document, and any other content. Other members of those properties will lose access. You are warned and asked to explicitly confirm this before the deletion is carried out.

If you would rather keep a property you currently sole-administer, transfer admin rights to another member from the property's Members page first, then delete your account.

You can also remove yourself from a single property without deleting your account — visit the property's Members page.

Deletion is processed immediately. Backup copies of your data may persist in our infrastructure for up to 30 days before they are also overwritten.

Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can delete it.

International Data Transfers

Your information is processed and stored in the United States. If you access the Service from outside the United States, you consent to the transfer of your information to the United States, which may have data protection laws that are different from the laws of your country. We use service providers that maintain appropriate safeguards for international data transfers.

Cookies and Tracking Technologies

We use essential cookies and similar tracking technologies to maintain your session and provide core functionality, including:

  • Authentication session cookies (issued by Supabase) so that you remain signed in across pages.
  • Cookies used by Google reCAPTCHA on public forms to detect automated abuse.

We do not use third-party advertising cookies, social media tracking pixels, or cross-site analytics cookies on the Service itself. You can control cookies through your browser settings, but disabling essential cookies will prevent you from staying signed in.

Third-Party Links

The Service may contain links to third-party websites or services (for example, links to YouTube videos embedded in blog posts, or links you save in your contacts list). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please use our contact form.

California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected, used, shared, or sold.
  • Right to delete personal information.
  • Right to opt-out of the sale of personal information. We do not sell personal information.
  • Right to non-discrimination for exercising your CCPA rights.

To exercise these rights, please use our contact form.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) and equivalent laws:

  • Right to access your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure ("right to be forgotten").
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing.
  • Right to withdraw consent.

Our legal basis for processing your personal data is primarily the performance of our contract with you (to provide the Service) and, for marketing communications and bot-protection signals, your consent or our legitimate interest in operating a secure service. To exercise your rights or file a complaint with a supervisory authority, please contact us.