Casari
Privacy Policy
Effective May 11, 2026 · Last updated May 11, 2026
Casari ("we", "us", "Casari") provides AI-powered property management software for short-term rental hosts. This Privacy Policy explains what data we collect, how we use it, who we share it with, how long we keep it, and your rights as a user or guest whose data is processed by our customers using Casari.
1. What we collect
- Account data — your name, email, hashed password, and account preferences.
- Property data via integrations — when you connect a third-party service (OwnerRez, Hospitable, Hostaway, PriceLabs, AirROI, SendBlue, Twilio, Microsoft Graph, Gmail, Plaid, QuickBooks, Seam, Zernio, Meta), we read and (where authorized) write the data those services grant us access to. Typical scopes: bookings, guest contact information, guest messages, listing details, pricing, calendar, financial transactions, reviews, lock status, and posts.
- Guest data — when a host using Casari connects a PMS or messaging platform, we process limited data about their guests (name, contact, booking details, message content) solely to render the host's inbox and operate AI assistance the host has enabled.
- Usage data — pages visited, features used, error reports, and basic analytics. We do not use third-party advertising or marketing trackers.
2. How we use it
- To operate the product features you've enabled.
- To draft, send, and route guest communications you've configured Casari to handle.
- To generate AI suggestions (reply drafts, insights, summaries) on your behalf.
- To improve Casari, in aggregate and de-identified form only.
- To send product updates and operational notifications you've opted into.
3. What we don't do
- We do not sell your data, guest data, or any data we receive from integrations.
- We do not share guest data with third parties beyond the sub-processors listed below and beyond what's required to operate the integrations you've connected.
- We do not use guest message content to train AI models. AI calls to Anthropic are made with zero-retention settings where supported by the model provider.
- We do not knowingly collect data from children under 13. Casari is not intended for use by anyone under 18.
4. Sub-processors
We share data only with the following service providers, who help us operate Casari:
- Vercel (US) — hosting and serverless compute
- Upstash (US/EU) — encrypted key-value storage for integration data and credentials
- Anthropic (US) — AI model calls (Claude). Configured with zero-data-retention where supported.
- Plaid (US) — bank transaction sync, when enabled by you
- Microsoft (US/EU) — outbound transactional email via Microsoft Graph
- SendBlue / Twilio (US) — SMS / iMessage delivery for hosts who enable messaging
- Your connected PMS and channel managers (OwnerRez, Hospitable, Hostaway, Airbnb via PMS, etc.) — read and write only the data you authorize
5. Data retention
We keep integration data while your account is active. If you disconnect a specific integration, we delete tokens immediately and the data synced from that integration within 30 days. If you delete your account, all account, property, and integration data is permanently removed within 30 days, except where retention is required by law (e.g., financial transaction records for tax purposes, retained up to 7 years).
6. Security
We protect your data with the following measures:
- Encryption in transit (TLS 1.2+) for all traffic between you, Casari, and our sub-processors.
- Encryption at rest for credentials, tokens, and synced integration data.
- Access controls — only authorized personnel can access production systems, and access is logged.
- OAuth-first integrations — we never ask for or store passwords for connected services.
- Regular security review of dependencies and third-party libraries.
7. Data breach notification
In the event of a confirmed data breach involving your personal data, we will notify you by email and (where applicable) the relevant data protection authority within 72 hours of discovery, in accordance with GDPR Article 33 and equivalent obligations.
8. Your rights
Depending on your jurisdiction (GDPR for EU/UK residents, CCPA/CPRA for California residents, and similar laws elsewhere), you have the right to:
- Access the personal data we hold about you.
- Correct or update inaccurate data.
- Delete your data (the "right to be forgotten").
- Export your data in a portable format (CSV is available from inside the app for most data types).
- Withdraw consent for AI features or specific integrations at any time.
- Opt out of any non-essential communications.
To exercise any of these rights, email privacy@casari.app. We will respond within 30 days.
9. International transfers
Casari is operated from the United States. If you access Casari from outside the US, your data will be transferred to and processed in the US. By using Casari, you consent to this transfer. We rely on Standard Contractual Clauses with our sub-processors where required by GDPR.
10. Children's privacy
Casari is intended for use by businesses and adults age 18 and over. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please email privacy@casari.app and we will delete it promptly.
11. Cookies and local storage
We use a single first-party session cookie for authentication. We store UI preferences (inbox filters, draft caches, recently-viewed pages, integration cache) in your browser's localStorage to make the app fast. We do not use third-party advertising or tracking cookies. We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personally identifiable information.
12. Changes to this policy
We'll post any material changes here and update the "Last updated" date above. For significant changes affecting how your data is used, we'll notify you by email at least 30 days before the change takes effect.
13. Contact
Privacy questions, data access requests, or breach reports: privacy@casari.app
General questions: hello@casari.app