Privacy Policy
Last updated: July 6, 2026
Turnpilot is an operations platform for short-term rental teams, available at turnpilot.app with the application at dashboard.turnpilot.app (together, the “Service”). This Privacy Policy explains what personal data we process when you use the Service, why we process it, and the rights you have over it.
1. Who we are (data controller)
The data controller responsible for personal data processed through the Service is Turnpilot.
If you have questions about this policy or your data, you can reach us through the support option in your Turnpilot account.
Where your organization uses Turnpilot to manage its own team and operations, your organization determines what operational data is entered into the Service, and Turnpilot processes that data to provide the Service to your organization.
2. Data we process
Account data
When you create an account or are invited to one, we process your name, email address, chosen language, and your role and organization membership within the Service.
Operational data
The Service exists so that teams can run their day-to-day operations. Your organization enters and manages data such as properties and units, cleaning and maintenance tasks, checklists, inventory and supplies, schedules, notes, and work logs. Some of this data may identify individual team members — for example, who completed a task and when.
Photos and videos
Team members may upload photos and videos as part of their work — for example, walkthrough videos, task evidence, or training material. These files are stored and streamed so they can be viewed by authorized members of the same organization.
Usage and technical data
We collect technical logs generated by your use of the Service, such as sign-in events, IP addresses, device and browser information, and error and diagnostic logs. We use this data to keep the Service secure, diagnose problems, and understand how the Service is used at an aggregate level.
Payment data
Subscription payments are handled by Stripe. Your card details are entered directly with Stripe and never touch Turnpilot's systems. We receive only limited billing information from Stripe, such as your subscription status, invoice history, and the last digits of your card for display purposes.
3. Purposes and legal bases
We process personal data under the General Data Protection Regulation (GDPR) on the following bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to create and manage your account, provide the features of the Service, store the content your organization uploads, and handle billing.
- Legitimate interests (Art. 6(1)(f) GDPR) — to secure the Service, prevent abuse and fraud, maintain technical logs, and improve reliability and performance. We balance these interests against your rights and use the minimum data needed.
- Legal obligations (Art. 6(1)(c) GDPR) — to keep accounting and tax records related to payments, and to respond to lawful requests from authorities.
- Consent (Art. 6(1)(a) GDPR) — where we ask for it explicitly for a specific purpose. You can withdraw consent at any time without affecting processing that took place before withdrawal.
4. Subprocessors and service providers
We use a small number of carefully selected providers to run the Service. They process data on our behalf, under agreements that require them to protect it:
- Supabase — database hosting and authentication.
- Vercel — application hosting and content delivery.
- Stripe — payment processing and subscription billing.
- Bunny.net — video storage and streaming for uploaded videos.
- Anthropic — AI features, such as generating training tests from documents your organization provides. Content is sent to Anthropic only when you actively use an AI feature.
We do not sell personal data, and we do not share it with third parties for their own advertising or marketing purposes.
5. International transfers
Some of our providers process data outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards recognized under the GDPR, such as the European Commission's Standard Contractual Clauses and, where applicable, adequacy decisions (including the EU–US Data Privacy Framework for certified providers).
6. Retention
We keep personal data for as long as your account or your organization's account is active. When an account or organization is deleted, associated data is removed from active systems, and residual copies are deleted from backups within a limited period as backup cycles rotate. We may retain limited data for longer where the law requires it — for example, invoicing records kept for accounting purposes — or where it is necessary to establish, exercise, or defend legal claims.
7. Cookies and similar technologies
The Service uses only functional cookies and similar browser storage: keeping you signed in (session and authentication) and remembering your language preference. We do not use advertising cookies, cross-site tracking, or third-party analytics trackers.
8. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit, access controls that restrict data to members of your own organization, and the security practices of our infrastructure providers. No system is perfectly secure, but we work to protect your data against unauthorized access, alteration, and loss.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”), subject to legal retention obligations;
- Receive your data in a portable, machine-readable format;
- Object to processing based on legitimate interests, and to restrict processing in certain circumstances;
- Lodge a complaint with a supervisory authority — in particular in the EU member state of your residence, place of work, or where an alleged infringement occurred.
To exercise these rights, contact us through the support option in your Turnpilot account. If your data was entered by your organization, we may direct your request to your organization's administrator, since they control that data.
10. Children
The Service is intended for business use and is not directed at children. We do not knowingly process personal data of anyone under 16 through account registration.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email before the changes take effect. The “Last updated” date at the top shows when this policy was last revised.