Privacy Policy

Checkinly respects your privacy. This policy explains what data we collect, how we use it, how we protect it, and what your rights are.

1. Data We Collect

For hosts (account owners):

  • Full name, email, phone, company name
  • Encrypted password (bcrypt)
  • Google profile (if you sign in with Google OAuth)
  • Billing data (plan, monthly price, status)

For properties and units:

  • Address, check-in instructions, Wi-Fi password (encrypted with AES-256-GCM)
  • Access codes (encrypted with AES-256-GCM)

For guests (collected during check-in):

  • First name, last name, email, phone number
  • Nationality, date of birth
  • Document number (encrypted with AES-256-GCM)
  • Document photo (front and back) — stored via UploadThing
  • Document type (passport, national ID, driver's license)

Technical data:

  • IP address, user agent (for audit and security)
  • Email logs (send status, email type)
  • Authentication cookie (HttpOnly, Secure, 7 days)

2. How We Use It

  • To provide and manage the check-in service
  • To send confirmation and instruction emails
  • To enforce plan limits and billing
  • For security: abuse prevention, rate limiting
  • For internal audit and activity tracking

3. Data Storage & Security

  • The database is stored on PostgreSQL servers in Europe (Neon)
  • Sensitive fields (document numbers, Wi-Fi passwords, access codes) are encrypted with AES-256-GCM using a random IV per record
  • Document photos are served only through an authenticated endpoint — CDN URLs are never exposed to the browser
  • Host passwords are stored with bcrypt (cost factor 12)
  • Authentication uses a JWT in an HttpOnly/Secure cookie with a 7-day expiry
  • Rate limiting is applied on authentication and public check-in endpoints

4. Third-Party Services

  • Resend — used for email delivery (check-in confirmation, instructions)
  • UploadThing — storage of guest document photos
  • Neon — PostgreSQL database hosting in Europe
  • Google OAuth — optional authentication method (name, email, profile photo)

Data is shared with third parties only to the extent necessary to deliver the service. We do not sell personal data.

5. Data Retention

Account data is retained for as long as the account is active. Properties and units are soft-deleted (deactivated). Reservations are cancelled but not deleted. Audit logs are retained for security purposes. You may request deletion of your data by contacting us.

6. Your Rights

  • Right of access — to receive a copy of your data
  • Right of rectification — to correct inaccurate data
  • Right of erasure — to request deletion of your data
  • Right of restriction — to limit processing of your data

To exercise these rights, contact: checkinly@duadev.al

7. Cookies & Sessions

We use only essential cookies for authentication. The checkinly_token cookie is HttpOnly, Secure, and expires after 7 days. We do not use advertising, tracking, or third-party analytics cookies.

8. Policy Changes

This policy may be updated from time to time. Material changes will be communicated via email. The effective date is displayed at the top of this page.

9. Contact

For privacy questions or to exercise your rights: checkinly@duadev.al