Host Ledger

Privacy Policy

Effective Date: March 2, 2026

This Privacy Policy describes how Host Ledger (“we,” “us,” or “our”) collects, uses, stores, and shares your information when you use our accounting automation service (the “Service”). This policy applies to all users of the Service, including visitors to our website at hostledger.ai.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

1. Who We Are

Host Ledger is operated by James Clayton and Erik Taheri, doing business jointly as Host Ledger from New York. For privacy-related inquiries, contact us at support@hostledger.ai.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: email address, first name, and last name (provided through Clerk authentication or Google OAuth sign-in)
  • Uploaded data: payout CSV files from online travel agencies (Airbnb, VRBO, Booking.com). The full contents of uploaded CSV files are parsed and stored, including payout amounts, dates, currency, OTA payout reference IDs, guest names, confirmation codes, financial breakdowns, and bank account last 4 digits.
  • Feedback and communications: messages you send to us, survey responses, and feature requests

2.2 Information Collected Through Integrations

When you connect third-party services, we collect and store the following:

  • Hospitable: reservation details (guest names, confirmation codes, check-in/check-out dates, financial breakdowns including accommodation, cleaning fees, taxes, and adjustments), property information (names, addresses, OTA listing IDs), and the raw API response data
  • QuickBooks Online: chart of accounts, class lists, vendors, and deposit/journal entry data created by the Service
  • OAuth credentials: access tokens, refresh tokens, and API keys for connected services. These are encrypted with AES-256-CBC (with a random initialization vector per encryption operation) before database storage.

2.3 Information Generated Through Your Use

  • Organization data: if you create an organization within the Service, we store the organization name, settings, member roles, and posting preferences
  • Interpretation data: AI-generated categorized line items from your payouts, along with any corrections you make and the reasons you provide for those corrections
  • Audit trail: all actions taken within the Service (approvals, rejections, corrections) with the actor’s email, action performed, timestamps, and details
  • Cached QuickBooks metadata: chart of accounts, classes, and vendor lists from your QuickBooks Online account, cached locally to improve performance

2.4 Information Collected Automatically

  • Usage analytics (logged-in users): page views, button clicks, and feature usage, collected via PostHog with person-level profiles linked to your user identity (email, name, organization ID)
  • Usage analytics (visitors): anonymous aggregate events (such as page views) are collected for non-logged-in visitors without person-level profiles
  • Error and performance data: exception reports and error logs to help us identify and fix bugs
  • Server logs: standard web server request logs maintained by our hosting provider (Vercel)

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: processing payouts, matching reservations, generating accounting entries, and posting to QuickBooks Online
  • AI classification: sending payout descriptions to Anthropic’s Claude AI when automated matching is insufficient, to classify and categorize line items. Only the minimum data necessary for classification is sent (payout descriptions and context), not your full financial records.
  • Improving the Service: analyzing usage patterns, reviewing user corrections to AI-generated interpretations, fixing bugs, and developing new features
  • Communications: sending you service-related notices, responding to your inquiries, and providing support
  • Anonymized analytics: creating de-identified, aggregated data for product research, benchmarking, and general business purposes

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 Service Providers

We use the following third-party service providers who process data on our behalf:

Provider | Purpose | Data Shared
Vercel | Hosting, serverless functions, cron jobs | Application code, request logs
Neon | PostgreSQL database (US East, Virginia) | All stored application data (encrypted at rest)
Clerk | Authentication and user management | Email, name, organization membership
Inngest | Background job orchestration | Event payloads (payout references, organization IDs)
PostHog (US instance) | Product analytics and error tracking | User ID, email, name, org ID, page views, click events, exceptions
Anthropic (Claude) | AI classification (fallback) | Payout descriptions when automated matching is insufficient
Svix | Webhook signature verification | Webhook payload signatures (HMAC verification)
Mintlify | Documentation site | No user data
GitHub Actions | CI/CD | Source code (no user data)

4.2 Connected Platforms

When you authorize integrations, data flows between Host Ledger and the connected platforms:

  • Hospitable: We read reservation, property, and financial data from your Hospitable account.
  • QuickBooks Online (Intuit): We read your chart of accounts, class lists, and vendors, and write deposits and journal entries that you have approved.

4.3 Legal and Safety

We may disclose your information if required by law, regulation, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

If Host Ledger is acquired, merges with another entity, or forms a business entity, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5. Data Security

We implement technical and organizational measures to protect your information:

  • Encryption in transit: All data is transmitted over TLS/HTTPS (enforced by Vercel). Clerk webhook payloads are verified via HMAC signatures through Svix.
  • Encryption at rest (application level): OAuth tokens and API keys are encrypted with AES-256-CBC using a 256-bit encryption key, with a random initialization vector generated per encryption operation, before database storage.
  • Encryption at rest (infrastructure level): Our database provider (Neon, hosted in US East/Virginia) uses AWS-managed encryption at rest for all storage volumes by default.
  • Not individually encrypted: Payout amounts, guest names, raw CSV data, and reservation details are protected by Neon’s infrastructure-level encryption but are not individually encrypted at the application level.
  • Authentication: Managed by Clerk with support for email/password and Google OAuth. We never store or have access to your passwords.
  • Access controls: Organization-level multi-tenancy with role-based member access

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Upon account termination, we will retain your User Data for thirty (30) days, after which it will be deleted from our active systems. Some data may persist in encrypted backups for a reasonable period consistent with our backup rotation schedule.

Anonymized and aggregated data that does not identify you may be retained indefinitely.

7. Your Rights and Choices

7.1 All Users

Regardless of where you are located, you have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Disconnect integrations: Revoke OAuth access to Hospitable or QuickBooks Online at any time through those platforms’ settings

To exercise any of these rights, contact us at support@hostledger.ai. We will respond within thirty (30) days.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • No Sale of Personal Information: We do not sell your personal information as defined by the CCPA. We do not “share” your personal information for cross-context behavioral advertising.

7.3 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process your personal data based on: (a) your consent (for analytics and marketing communications); (b) performance of our contract with you (to provide the Service); (c) our legitimate interests (to improve the Service and ensure security); and (d) compliance with legal obligations.

In addition to the rights listed in Section 7.1, you also have the right to:

  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time where processing is based on consent
  • Lodge a complaint: File a complaint with your local data protection authority

International data transfers: Our Service and service providers are primarily based in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses and other appropriate safeguards as required by applicable law for international data transfers.

8. Cookies and Tracking Technologies

We use PostHog (US instance at us.posthog.com) for product analytics, reverse-proxied through our domain (via the /ingest path) to improve reliability. PostHog uses cookies and similar technologies to identify users across sessions.

For logged-in users, PostHog creates person-level analytics profiles linked to your identity (email, name, organization ID). For visitors who are not logged in, only anonymous aggregate events (such as page views) are collected without person-level profiles.

We do not use Google Analytics, Mixpanel, Hotjar, or other third-party advertising or analytics trackers. We do not engage in cross-site tracking or targeted advertising.

Cookie consent: We are implementing a cookie consent mechanism. In the meantime, if you wish to opt out of analytics tracking, you may use your browser’s cookie settings or contact us at support@hostledger.ai.

9. Children’s Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information. If you believe a child under 13 has provided us with personal information, please contact us at support@hostledger.ai.

10. Guest and Third-Party Data

Through your use of the Service, we may process information about your short-term rental guests (such as guest names from reservation data and payout CSVs). This data is processed solely to provide the Service to you and is treated with the same security measures as your own personal information.

You are responsible for ensuring that your collection and sharing of guest data with the Service complies with applicable privacy laws and any agreements you have with your guests or the platforms through which they booked.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least fourteen (14) days before changes take effect. The “Effective Date” at the top of this policy indicates when it was last updated. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Host Ledger

Email: support@hostledger.ai

Website: https://hostledger.ai

We will respond to privacy-related inquiries within thirty (30) days.