Legal & Privacy

Privacy Policy

Last updated: March 2026
Operated by Big Toy Stays LLC (“BTS”), doing business as GuestKey — Wisconsin, United States.
Questions? Email contact us

Note to hosts: This policy covers GuestKey’s practices as a platform operator. We recommend having this policy (and any supplemental notice for your guests) reviewed by qualified legal counsel, particularly if you serve guests in regulated jurisdictions.

1 Who We Are

GuestKey is a guest experience platform for short-term rental hosts. The platform is owned and operated by Big Toy Stays LLC (“BTS,” “we,” “us,” or “our”), a company based in Wisconsin, United States.

GuestKey provides vacation rental hosts with tools to manage guest registration, smart home device access, security deposits, digital guidebooks, and noise monitoring. This Privacy Policy explains how we collect, use, and protect personal information in connection with the GuestKey platform.

By accessing or using GuestKey—whether as a host or as a guest completing registration through a host’s portal—you acknowledge the practices described in this policy.

2 Two Types of Users

GuestKey serves two distinct groups of people, each with a different relationship to the platform:

Hosts

  • Property owners and property managers
  • Direct customers of GuestKey (account holders)
  • Control their own property configurations
  • Determine what data is collected from their guests
  • Act as the data controller for guest data

Guests

  • Travelers staying at a host’s property
  • Complete registration through a host’s GuestKey portal
  • Not direct customers of GuestKey
  • Data is collected on behalf of the host
  • Have rights to access, correct, and delete their data

This distinction is important: when you interact with a GuestKey registration portal as a guest, your information is collected on behalf of the host operating that property. GuestKey acts as a data processor in that context.

3 Data We Collect from Guests

When guests complete a registration form through a host’s GuestKey portal, we collect information necessary to verify identity, manage property access, and fulfill the host’s requirements.

Registration & Identity

  • Full name — as provided during registration
  • Mailing address — home or billing address
  • Email address — verified via one-time passcode (OTP)
  • Phone number — verified via one-time passcode (OTP)
  • Check-in and check-out dates — from the reservation

Smart Home & Device Data

  • Lock access logs — records of door code usage and access times
  • Thermostat interactions — adjustments made via the guest portal

Payment Data

  • Security deposit payment information — processed through Stripe. We never receive, store, or see full card numbers. All payment data is handled directly by the payment processor.

Technical & Location Data

  • IP address — collected at the time of registration
  • Approximate location — used to assist with address autocomplete during form entry; not stored as a precise location record
  • Noise monitoring data — aggregated, property-level noise readings from the host’s monitoring device. This is not individual tracking and does not record audio.

OTP verification of email and phone is required. This step ensures that contact information is accurate and actively controlled by the registrant, preventing fake or reused contact details.

4 Data We Collect from Hosts

Hosts create accounts directly with GuestKey. We collect information necessary to provide the platform, process payments, and support host operations.

Account Information

  • Name and email address
  • Business name and details (where provided)
  • Billing and payment information — for GuestKey subscription payments, processed via our payment processor

Property & Configuration Data

  • Property details — addresses, names, settings configured by the host
  • Smart device configurations — device identifiers, access schedules, and preferences
  • API credentials for connected services — stored with encryption; never shared with third parties or exposed in plaintext
  • Messaging and automation settings — templates, scheduled messages, and notification preferences

5 How We Use Data

We use the data we collect to operate the platform and deliver the services hosts and their guests expect.

  • Process guest registrations — collect, verify, and record guest information on behalf of hosts
  • Verify identity — OTP verification ensures each registered contact is legitimate
  • Manage smart home access — generate and distribute door codes, apply thermostat schedules, and log device interactions
  • Security deposits — collect, hold, and return deposits through the host’s connected payment account
  • Automated messaging — send OTP codes, registration confirmations, check-in instructions, and host-configured notifications via SMS and email
  • Noise monitoring — relay property-level noise data to guests and hosts; distribute noise alert notifications to all registered adult guests (not only the primary booker)
  • Guest registration compliance — assist hosts in collecting data required by local short-term rental registration laws
  • Platform improvement — aggregate, anonymized analytics to improve performance and reliability
  • Host support — respond to support requests and troubleshoot issues

We do not use guest data for advertising, profiling, or any purpose unrelated to the services described above.

6 Who We Share Data With

We share data with third parties only to the extent necessary to deliver the platform. We are specific about our functional partners below.

Smart Lock Providers

  • We share device identifiers and access schedules to manage door codes for guests
  • Data is limited to what is needed to create, activate, and revoke access codes

Payment Processor (Stripe)

  • Guest payment data for security deposit transactions is handled by Stripe, a PCI-compliant payment processor
  • Hosts connect their own Stripe accounts; deposits flow through the host’s account, not ours
  • We never store card numbers or raw payment credentials

Messaging Services

  • Phone numbers and email addresses are shared with SMS and email delivery providers to send OTP verification codes, registration confirmations, and host-configured notifications

Noise Monitoring Platforms

  • Guest names, phone numbers, and stay dates are shared with connected noise monitoring services
  • This enables all registered adult guests (not just the primary booker) to receive noise alerts and be aware of property monitoring during their stay
  • This sharing is host-configured and only occurs when the host has enabled a noise monitoring integration

Property Management Systems (PMS)

  • When a host connects their PMS to GuestKey, reservation data and messaging may be exchanged with that system
  • The scope of data sharing is limited to what is necessary for the integration to function

Cloud Infrastructure

  • All data is stored on US-based cloud infrastructure providers
  • Data is encrypted at rest and in transit
  • Infrastructure providers have access to data only as necessary to provide hosting services and operate under data processing agreements with us
🚫

We do not sell guest data. Ever. GuestKey does not sell, rent, license, or trade personal information to third parties, advertisers, or data brokers. Guest data exists to serve the host–guest relationship—nothing more.

7 Host as Data Controller

Under applicable data protection frameworks, when it comes to guest data collected through a host’s GuestKey portal:

  • The host is the data controller. Hosts determine the purpose for which guest data is collected (e.g., compliance with local registration laws, property access, security deposit management) and the rules that govern it.
  • GuestKey is the data processor. We process guest data on behalf of, and under the instructions of, the host.
  • Hosts control retention. Hosts can configure how long guest data is retained and can delete guest records at any time.
  • Hosts are responsible for having a lawful basis for collecting guest data and for providing guests with appropriate notice under any local privacy laws that apply to their properties.

If you are a guest and have questions about why a particular host collects your data, or how it is used beyond what GuestKey provides, please contact the host directly. You may also contact GuestKey at contact us and we will assist where we can.

8 Data Retention & Host Control

GuestKey gives hosts granular control over how long guest data is retained.

Default Retention

  • Guest registration data is retained for the duration of the host’s active account, plus 30 days following account closure
  • This allows hosts to reference records and complete any outstanding obligations

Host-Configurable Options

  • Custom retention periods — hosts can configure auto-deletion of guest data 90, 180, or 365 days after checkout
  • Data export — hosts can export all guest data at any time in standard formats (CSV and JSON)
  • Individual deletion — hosts can delete a single guest’s record at any time
  • Bulk deletion — hosts can delete all guest records for a property or date range

Account Closure

  • When a host closes their GuestKey account, all associated guest data is permanently and irreversibly deleted within 30 days
  • Hosts are encouraged to export their data before closing an account if they need to retain it

9 Guest Rights

As a guest whose information was collected through a GuestKey portal, you have the following rights regarding your personal data.

Access You may request a copy of the personal information we hold about you. We will provide it in a readable format within a reasonable timeframe.
Deletion You may request that your personal data be deleted. We will process the deletion and notify the relevant host. Note that some data may be required to be retained by the host for legal or regulatory compliance.
Correction If your registration data is inaccurate or incomplete, you may request that it be corrected. Contact us or work directly with your host.
Portability You may request your data in a machine-readable format (JSON). We will provide a structured export of your registration record upon request.

To exercise any of these rights, email contact us with your request. Please include the property name or host name, your approximate stay dates, and the email or phone number you used to register. We will respond within 30 days.

10 Security

We take reasonable and appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, and destruction.

  • Encryption in transit and at rest — all data is transmitted over TLS 1.2 or higher; data stored in our infrastructure is encrypted at rest
  • API credential security — host API credentials for connected third-party services are stored with encryption and never exposed in plaintext
  • Payment security — payment data is handled entirely by our PCI-compliant payment processor; we never store card numbers or raw payment credentials
  • OTP verification — requiring guests to verify both email and phone via one-time passcode prevents fake or reused contact information from entering the system
  • Access controls — access to production data is limited to authorized personnel with a legitimate operational need
  • Audit logging — key actions within the platform are logged to support security review and incident response
  • Regular security reviews — we periodically review our systems, configurations, and third-party integrations for security risks

No method of transmission over the internet or electronic storage is 100% secure. While we work to protect your information, we cannot guarantee absolute security.

11 Cookies & Tracking

GuestKey uses a minimal number of cookies and similar technologies, strictly for the purpose of operating the platform.

  • Session and authentication cookies — used to maintain your logged-in state while you use the platform; required for the service to function
  • No third-party advertising cookies — we do not use cookies that track you across other websites or serve targeted advertisements
  • No cross-site tracking — we do not share browsing behavior with advertising networks
  • Basic analytics — we may collect aggregate, anonymized usage data (page views, feature usage) to improve the platform; this data does not include personal identifiers and is not linked to individual users

Guest registration portals do not set advertising or tracking cookies. If you use a browser that restricts cookies, session management may be affected.

12 Children’s Privacy

GuestKey is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13.

Guest registration is designed for adults 18 years of age and older, consistent with local lodging laws and regulations that apply to short-term rental guests. Hosts may have their own age requirements for guests, which apply independently of this policy.

If you believe that a child under 13 has submitted personal information through GuestKey, please contact us at contact us and we will take steps to delete that information promptly.

13 California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information.

Know You have the right to know what categories of personal information we collect about you, the purposes for which we use it, and whether it is sold or disclosed to third parties.
Delete You have the right to request deletion of your personal information, subject to certain exceptions required by law or for us to complete transactions.
Opt-Out You have the right to opt out of the sale of your personal information. GuestKey does not sell personal information, so this right is satisfied without any action on your part.
Non-Discrimination You have the right not to receive discriminatory treatment for exercising your CCPA privacy rights. Exercising these rights will not affect your ability to use GuestKey or any host’s property.

To exercise California privacy rights, email contact us. We will verify your identity before processing a request and will respond within the timeframes required by law.

14 International Data

GuestKey is operated in the United States. All data collected through the platform is processed and stored on US-based cloud infrastructure.

If you are located outside the United States and use GuestKey (or register as a guest through a host’s portal), your personal information will be transferred to and processed in the United States. Data protection laws in the US may differ from those in your country of residence.

By using the platform or completing a guest registration, you acknowledge that your data will be transferred to and processed in the United States in accordance with this Privacy Policy.

Hosts with guests subject to international privacy regulations (such as GDPR in the European Economic Area) are responsible for ensuring they have a lawful basis for transferring and processing that data through GuestKey.

15 Changes to This Policy

We may update this Privacy Policy from time to time as the platform evolves or as legal requirements change. When we make changes:

  • Minor updates — corrections, clarifications, and non-material changes will be posted on this page with an updated “Last updated” date
  • Material changes — if we make changes that substantially affect how we collect or use personal data, we will notify active hosts via email with reasonable advance notice before the changes take effect

Your continued use of GuestKey after the effective date of any updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should discontinue use of the platform and contact us to close your account.

We encourage hosts to review this policy periodically and to update any guest-facing notices they provide to reflect any material changes.

16 Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or the handling of your personal information, please reach out. We take privacy inquiries seriously and will respond promptly.

Privacy Inquiries

For data access requests, deletion requests, or general privacy questions:

Contact Us

Big Toy Stays LLC — operating as GuestKey
Wisconsin, United States