Privacy Policy

VacayVerify is a property documentation and verification service for vacation-rental owners, currently launched in Pensacola Beach to 30A, Florida. The service is operated by Siteline Digital LLC, a Florida limited-liability company. In this policy, “we,” “us,” and “our” mean Siteline Digital LLCdoing business as VacayVerify, and “you” means the individual whose information we are describing.

Our role under privacy law. For information you submit through the marketing website (lead-form data, analytics) we are the business (CCPA/CPRA), the controller (Virginia / Colorado / Connecticut / Utah / GDPR), and the equivalent first-party data holder under other applicable laws. For information we process from the operator app on behalf of property managers, contractors, or service providers (if applicable in the future), we may act as a service provider or processor under those laws. Where that is the case, our handling is governed by the relevant data processing agreement with the controller, not by this policy alone.

For the regulatory framing of what the service is — and is not — under Florida Statute § 468.8311(1), see our disclaimer.

This policy applies to vacayverify.com (the “Site”), to communications that originate from a form you submit on the Site, and to the owner portal where we deliver the walkthrough record (video, photos, observation notes) to paying customers.

Geographic scope. Our service area is currently Florida. However, vacation-rental property is frequently owned by individuals residing elsewhere in the United States and abroad. We therefore extend rights and disclosures appropriate to your jurisdiction, as described in Sections 9–11, even when the underlying property is located in Florida.

Information you provide directly. When you submit our get-started form, we collect:

• First and last name
• Email address
• Phone number
• Property address (the address of the vacation-rental property you want documented)
• Property type (single-family, condo, townhouse, other) and approximate size
• Property features (pool, dock, detached garage, multiple stories, waterfront — selected from a short list)
• Free-text notes you choose to add
• Preferred contact method
• Best time window for outreach
• Service tier of interest (Standard Watch, Coastal Protection, One-Time Walkthrough, or “not sure yet”)
• Preferred visit cadence (quarterly or monthly) for subscription tiers

When you become a paying customer, we additionally collect, through a separate secure onboarding process (not through the public form):

• Property access information — lockbox codes, smart-lock codes, gate codes, alarm codes, key-handoff arrangements, and other logistics needed to enter the property safely on the scheduled cadence
• Billing details — name on account, billing address, and (handled by our payment processor, not stored on our servers) payment-card or ACH information

Information we generate while performing the service. When we perform a visit, we generate the walkthrough record for the property:

• Video clips (room-by-room walkthrough)
• Photographs
• Plain-language observation notes (text)
• Automated checklist outputs — an internal system auto-fills a structured checklist with pass / needs-attention verdicts per item; these auto-fills are reviewed and confirmed by our operator before release
• Timestamps and visit metadata

This walkthrough record is delivered to the customer through the owner portal at vacayverify.com.

Information collected automatically.

• IP address — hashed and short-lived. When you submit the form, our server briefly handles your IP address only for rate-limiting and structured security logging. Before your IP is written anywhere, it is hashed (SHA-256 plus a server-side salt) and truncated to a 16-character fingerprint. The raw IP is not retained, and the hashed fingerprint appears only in short-lived structured log lines — never in a customer database, never in an email, and never together with your name, address, or other identifying details.
• Bot-protection signals. A hidden honeypot field and a minimum-time-on-form check are used to filter automated submissions. These signals are never logged together with submission content.
• Vercel Analytics and Speed Insights. Aggregate page-view metrics and Core Web Vitals telemetry, provided by our hosting platform.
• Google Analytics 4 (optional). Loaded only when we explicitly enable it for an environment, with anonymize_ip: true so the final octet of your IP is truncated before GA4 processing.
• Cookies and similar technologies. Essential cookies set by our hosting framework for security and routing; analytics cookies as described above; no advertising or retargeting pixels at this time.

What we do not collect.We do not collect: Social Security numbers, driver's license numbers, bank-account or routing numbers, full payment-card numbers (handled by our payment processor), credit-bureau data, income data, biometric identifiers, precise geolocation data from your device, or health information. We do not maintain consumer-facing user accounts on the marketing site — only the gated owner portal for paying customers.

We use the information described above to:

• Respond to your inquiry — by email, text, or phone, per the contact preference you chose.
• Schedule and deliver the documentation service if you engage us.
• Send transactional emails (the confirmation to you and the internal notification to our team) via our email service provider.
• Operate the owner portal, including authenticating you and showing you the walkthrough record for your property.
• Apply rate-limiting and bot-protection so the form stays usable for real owners.
• Operate, maintain, debug, and improve the Site and the service.
• Defend against any future dispute about what was or was not documented on a given visit.
• Comply with applicable laws and respond to lawful requests from authorities.

We do not use the information you submit through the Site to send unsolicited marketing email or text. If we ever launch a newsletter or other marketing program, it will be opt-in only, with a one-click unsubscribe in every message and a postal address in the footer as required by the CAN-SPAM Act.

All commercial emails sent by VacayVerify will:

• Use a “From” line, “To” line, and routing information that accurately identify the sender;
• Use a subject line that accurately reflects the content of the message (no deceptive subject lines);
• Be identifiable as an advertisement where applicable;
• Include a valid physical postal address for Siteline Digital LLC;
• Include a clear, easy-to-find one-click unsubscribe mechanism; and
• Honor opt-out requests within ten (10) business days.

Transactional emails (lead confirmations, visit scheduling, deliverable-ready notifications, invoices) are not commercial messages within the meaning of the CAN-SPAM Act, but we will still honor opt-out requests for any email category to the maximum extent consistent with delivering the service you paid for.

We share personal information only with the small set of service providers we need to operate the Site and the service, and only for the purposes described above. We do not sell, rent, or trade your personal information, and we do not participate in cross-context behavioral advertising. The providers we use today are:

• Resend — transactional email delivery (your form data is transmitted to Resend so that the confirmation and notification emails can be rendered and sent).
• Upstash — managed Redis service used for form rate-limiting; receives only the hashed IP fingerprint and a small counter, not your form content.
• Firebase (Google Cloud) — operator app and owner-portal backend, used to authenticate and store the walkthrough record (video, photos, observation notes) for paying customers.
• Vercel — hosting platform and provider of Vercel Analytics and Speed Insights.
• Google Analytics 4 — used only when explicitly enabled, with anonymize_ip: true.
• Stripe— payment processing for invoices (collects payment-card and ACH details directly under Stripe's own terms; we do not store full card or bank numbers on our servers).

We may also disclose information to comply with applicable law or legal process, to respond to lawful requests from public authorities, to protect the rights, property, or safety of Siteline Digital LLC, our customers, or others, to enforce our agreements, and in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case the recipient will be bound to honor the commitments we have made in this policy with respect to the transferred information.

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction whose laws restrict transfers of personal data to the United States, please note that VacayVerify is established in the United States and that all of our service providers process data in the United States or in regions disclosed in their own policies. By voluntarily submitting information to us, you authorize the transfer of that information to the United States for processing as described in this policy.

For users to whom the GDPR or UK GDPR applies, the legal bases on which we rely are:

• Performance of a contract (Art. 6(1)(b)) — to respond to your inquiry, deliver the service you engaged us for, and send transactional communications associated with that service.
• Legitimate interests (Art. 6(1)(f)) — to operate, secure, debug, and improve the Site and the service (including rate-limiting and bot-protection), and to defend against disputes about what was documented during visits. Where you object to processing on this basis, we will honor the objection unless we have a compelling reason that overrides your interests.
• Consent (Art. 6(1)(a)) — where you opt in to a marketing program. You may withdraw consent at any time with effect for the future.
• Legal obligation (Art. 6(1)(c)) — to comply with law and lawful requests.

We do not engage in fully automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR.

We retain information only as long as we have a clear reason to keep it. The following retention rules apply:

The seven-year walkthrough-record retention reflects how owners actually use the record — for insurance claims (where some claims surface years after the underlying condition arose), real estate transactions, multi-year condition trending, and litigation defense. Customers who want shorter retention may request deletion at any time using the contact details in Section 12.

If you ask us to delete information we hold about you, we will honor the request unless we are legally required to keep the data (for example, to defend against an active dispute or to satisfy a tax record-keeping obligation).

Depending on the U.S. state in which you reside, you may have the following rights with respect to personal information we hold about you. We will honor rights granted by laws applicable to you, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); the Utah Consumer Privacy Act (“UCPA”); and comparable laws as they come into effect.

The Florida Digital Bill of Rights (Fla. Stat. § 501.702) currently applies only to controllers with global gross annual revenues exceeding $1 billion that meet additional statutory criteria. Siteline Digital LLCdoes not meet that threshold, and the FDBR's substantive rights do not apply to it at this time. We will update this policy if our circumstances change.

The rights you may have include:

• Right to know / right of access. Request the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collecting it, and the categories of recipients with whom we have shared it.
• Right to delete. Request that we delete personal information we have collected from you, subject to legal exceptions.
• Right to correct. Request that we correct inaccurate personal information we maintain about you.
• Right to data portability. Request a copy of your personal information in a portable, readily usable format.
• Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of in this respect, but you may make the request anyway and we will confirm our practice in writing.
• Right to non-discrimination. We will not deny you services, charge different prices, or provide a different level of quality solely because you exercised any of these rights.
• Right to appeal. Where applicable law provides a right of appeal (for example, in Virginia, Colorado, and Connecticut), you may appeal a decision we make on your request.

Sensitive personal information.Under the CPRA, the property address and access credentials we collect for paying customers may qualify as “sensitive personal information” with respect to those customers. We use this information only for the purposes described in Section 4 (delivering the service the customer asked for) and not for inferring characteristics about the customer, profiling, or any other purpose requiring the customer's affirmative consent under CPRA. You may at any time direct us to limit our use of this information; doing so will limit our ability to deliver the service.

Authorized agents.If you use an authorized agent to make a request on your behalf, we will require proof of the agent's authorization and may require you to verify your own identity directly.

How to exercise these rights. Email hello@vacayverify.com with the rights you wish to exercise. We will verify your identity before acting on the request — typically by confirming the email address or phone number associated with your submission — and will respond within the timeframe required by applicable law (typically 45 days for CCPA/CPRA, with one 45-day extension where reasonably necessary).

If you are located in the European Economic Area or the United Kingdom, in addition to the rights described in Section 9 you have:

• Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and, if so, a copy of the data and certain related information.
• Right to rectification (Art. 16) — to have inaccurate personal data corrected.
• Right to erasure(“right to be forgotten”) (Art. 17) — to have your personal data deleted in the circumstances listed in the GDPR.
• Right to restriction of processing (Art. 18) — to require us to stop processing your data in certain circumstances.
• Right to data portability (Art. 20) — to receive personal data you provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object (Art. 21) — to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time with effect for the future.
• Right to lodge a complaint (Art. 77) — with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu; the UK supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk.

To exercise these rights, email hello@vacayverify.com. We will respond within one (1) month of receipt; that period may be extended by up to two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you within the first month.

Cross-border transfers. Where we transfer personal data from the EEA or UK to the United States, we rely (as needed) on the EU and UK Standard Contractual Clauses with our service providers, or on derogations available under Articles 49 GDPR / UK GDPR (including your explicit consent to the transfer, and necessity for the performance of a contract you requested).

Our services are intended for adult property owners. We do not knowingly collect personal information from children under 13 (or, where applicable, under 16 in the EEA / UK), and our forms are not directed to children. If you believe a child has submitted personal information through our Site, please contact us and we will take appropriate steps to remove it.

Questions about this policy, requests to exercise rights, or any other privacy-related correspondence:

• Email: hello@vacayverify.com (please put “Privacy” in the subject line)
• Postal mail: Email first; we will provide the current Siteline Digital LLC mailing address by reply.
• EU / UK representative: Not currently appointed. We will appoint a representative under Articles 27 GDPR / UK GDPR if and when our processing activities require one. In the interim, EEA / UK residents may direct inquiries to the email address above.

We use HTTPS across the entire Site and on the form endpoint. Internally, we follow a least-access principle: property-access credentials are restricted to the team member assigned to a customer's property and are collected through a separate secure onboarding flow, not through the public form. We salt-and-hash IP addresses before logging. We keep our hosting platform and dependencies up to date. The walkthrough record is delivered through an authenticated owner portal. No method of transmission over the Internet or electronic storage is ever 100% secure, but we use commercially reasonable safeguards.

The Site may link to third-party websites — for example, the Florida DBPR licensee directory referenced on the disclaimer. Those sites have their own privacy practices, which we do not control, and we encourage you to review them.

We may update this policy from time to time. When we make a material change, we will update the “Last updated” date below and, where appropriate, provide additional notice. Your continued use of the Site or the service after a change becomes effective indicates your awareness of the updated policy.