Privacy Policy

01Who we are

PricePulse is a real-time short-term-rental market intelligence product. It's owned and operated by Hatch Capital Management LLC, a Florida limited liability company. When this policy says "we," "us," or "PricePulse," it means Hatch Capital Management LLC.

You can reach us about anything in this policy at [email protected].

02What we collect, and why

Account info

When you sign up, we collect:

• Email address — for sign-in (we use magic links, no password) and transactional email.
• First and last name — so the agent can address you correctly and so receipts have a name on them.
• Company name and phone — both optional. We ask because some operators run multiple LLCs and want their billing to reflect that.

Telegram identity

If you use the managed agent (the Telegram bot), we store your Telegram user ID and chat ID so the bot can find your account when you send it a message. We do not have access to your Telegram phone number, password, or any other chats.

Integration tokens

To act on your behalf, PricePulse needs read (and sometimes write) access to:

• Your property management system — Hospitable, OwnerRez, etc. We store the API token you generate inside your PMS account.
• Your revenue management system — PriceLabs, Wheelhouse, etc. Same: we store the API token you generate inside your RMS.

These tokens are encrypted at rest with authenticated symmetric encryption (Fernet — AES-128-CBC + HMAC-SHA256) and are never written to application logs in plain text. We use them to read your properties and (with your explicit approval for each price change) to push pricing back to your RMS.

Property data we read from your connected accounts

Once connected, we periodically pull a read-only view of:

• Your property metadata — listing IDs, addresses, bedroom/bathroom counts, amenities.
• Your pricing and calendar state — current nightly rates, minimum nights, blocked dates.
• Your occupancy history and ADR — as needed to compute revenue recommendations.

We do not pull guest personal information (names, emails, phone numbers, payment details) from your PMS. We only need market and operational data, not guest PII.

Billing data

Payments are processed by Stripe. We store your Stripe customer ID and the billing email you give Stripe. We never see or store your payment card number, CVV, or bank details — Stripe holds those.

Chat history with the agent

If you use the managed agent, we store the messages you send the bot and the bot's replies. We use this history so the agent has context for follow-up questions and so we can debug issues you report. You can ask us to delete this at any time.

Usage telemetry

We run self-hosted PostHog on our own infrastructure for product analytics (which pages get viewed, which buttons get clicked, which reports get run). We also use Elu for opt-in session replays of the dashboard, so we can see where users get stuck.

You can opt out of both — see Cookies and tracking below.

03How we use it

We use the data above to:

• Run the product — generate reports, compute pricing recommendations, push approved price changes to your RMS, deliver agent replies on Telegram.
• Bill you — count credits used, charge your Stripe subscription, send receipts.
• Communicate with you — sign-in magic links, billing receipts, support replies, occasional product updates (you can opt out of the last category).
• Improve the product — analyze which features get used, fix bugs, debug what went wrong when you report an issue.
• Comply with the law — respond to lawful subpoenas, keep tax-related billing records as required.

We do not use your data to:

• Train external AI models. Your PMS data, your properties, your chat history — none of it leaves our infrastructure to become training data for OpenAI, Anthropic, or anyone else, except when an LLM call is explicitly required to fulfill a request you made (e.g., the agent generating a recommendation for you). Those LLM calls use providers who contractually do not train on API traffic.
• Sell, rent, or share for advertising or behavioral targeting.
• Tip off competitors, market researchers, or anyone else interested in what STR operators are doing.

04Who we share it with

We never sell or rent your data. We do share specific pieces with a small set of service providers we depend on to operate. Each one only sees what they need to do their job:

We may also share data when legally required (subpoena, court order, lawful government request) or in the unlikely event Hatch Capital Management LLC is acquired or merged — in which case this policy and your data move with the company, and you'll be notified before anything changes.

05How long we keep it

While your account is active, we keep all the data described above so the product works.

If you cancel, we keep your data for 90 days after cancellation. This is a grace window so you can resubscribe without losing your property connections, history, and report library. After 90 days, we purge your operational data — chat history, encrypted tokens, property snapshots, and analytics events.

What we keep longer: the minimum billing and tax records required by US law (typically 7 years) — your name, billing email, Stripe customer ID, and a record of charges and refunds. This is the legal minimum; we don't keep more than required.

You can ask us to accelerate deletion at any time — see Your rights.

06Your rights

Regardless of where you live, you can ask us for any of the following by emailing [email protected] from the email address on your account:

• Access — a copy of what we have on you, in a portable format (JSON or CSV).
• Correction — fix anything that's wrong.
• Deletion — delete your account and operational data. We'll process within 30 days. Note: minimum tax/billing records (above) stay for the legally required retention period.
• Export — your reports, your property data, your chat history.
• Opt-out of analytics — disable PostHog and Elu tracking on your account. The product still works; we just stop collecting usage telemetry from you.
• Opt-out of product update emails — every product email has an unsubscribe link. Transactional email (sign-in links, receipts, billing alerts) can't be opted out of while you have an active account.

We do not currently have a self-serve deletion button — email is how this works for v0.3. If you have a strong reason this isn't workable, tell us.

If you're in a jurisdiction with stronger statutory rights (California, EU, UK), those rights apply on top of what's listed here. We'll honor any lawful request consistent with those laws.

07Cookies and tracking

We use a small number of cookies and tracking technologies:

• Auth cookies (Supabase) — strictly necessary to keep you signed in. Can't be disabled while you're using the product.
• PostHog (self-hosted on analytics.pricepulse.hatch-capital.com) — first-party cookie. Anonymized usage events. Honors browser Do Not Track signals; also disable by setting localStorage.setItem('pp_no_telemetry','1') in your browser console, or by emailing us to opt out account-wide.
• Elu — only loads if you opt in via the dashboard's session-replay toggle. Off by default. Captures clicks, scrolls, and typed input (with form fields and any text marked data-sensitive automatically masked).

We do not use third-party advertising cookies, retargeting pixels, Facebook Pixel, Google Analytics, or anything similar. We never have, and we don't plan to.

08Security

The honest version: we follow standard SaaS security practices, we have not been independently audited, and we don't claim certifications we don't have.

What we actually do:

• Encryption in transit: TLS 1.2+ on every endpoint. We don't accept unencrypted traffic.
• Encryption at rest: integration tokens (PMS, RMS) are encrypted with authenticated symmetric encryption (the Fernet specification — AES-128-CBC with HMAC-SHA256 authentication and rotating per-message IVs) before being stored. The encryption key is stored separately from the database, in a server environment variable accessible only to the application process.
• Log scrubbing: our application logs run through a brand-safety scrubber before being written, which strips API tokens, raw secrets, and other sensitive patterns. No token is ever written to disk in plain text.
• Database access: production database access is restricted to a small list of authorized personnel (founder + named operators) using Supabase's role-based access controls.
• Backups: daily encrypted snapshots, retained for 30 days, stored in a separate Hetzner region.

We have not pursued SOC 2, ISO 27001, or GDPR certification. If you're an enterprise buyer who needs one of these, tell us; we'll talk about what's possible.

If you discover a security issue, please email [email protected] with "SECURITY" in the subject line. We don't have a formal bug bounty yet but we appreciate responsible disclosure.

09Children

PricePulse is a B2B product for short-term-rental operators. It is not directed at children, and we don't knowingly collect personal information from anyone under 18. If you believe a minor has signed up, email us and we'll delete the account.

10International transfers

Our infrastructure is hosted in the United States (Supabase, Cloudflare) and Germany (Hetzner, where the agent backend runs). If you're outside these regions, your data will be transferred to and processed in the US and the EU.

If you're in the EU/UK and want to know more about how we handle international transfers (Standard Contractual Clauses, etc.), email us.

11Changes to this policy

We may update this policy as the product evolves. The "Last updated" date at the top will reflect any change. If we make a material change — one that meaningfully expands what we collect, who we share it with, or how long we keep it — we'll notify you by email at least 30 days before it takes effect.

Past versions of this policy are kept in the pricepulse-landing git history and available on request.

12Contact

We aim to respond to privacy requests within 5 business days, and to fulfill them within 30 days of receipt.