← Back home

Privacy Policy

Last updated: May 4, 2026

Template notice: this is a starting-point Privacy Policy. Have a lawyer review it for GDPR, CCPA, and any other jurisdictions you serve before relying on it.

1. Who we are

Directly (“we”, “us”) operates a SaaS platform that lets vacation rental property managers run a direct-booking website. This policy explains what personal data we collect from property managers who sign up for Directly, and from guests who interact with sites built on Directly.

2. Data we collect from property managers

  • Account: name, email, hashed password (handled by Clerk).
  • Business: company name, branding, custom domain, billing details (handled by Stripe; we never see card numbers).
  • PMS credentials: API keys for your PMS, encrypted at rest with AES-256-GCM.
  • Mailing-list credentials: Mailchimp / ConvertKit / Klaviyo / etc. API keys, encrypted at rest.

3. Data we collect from guests on tenant sites

  • Newsletter signups: email address, plus user-agent, referring URL, and IP address (for spam prevention) when a guest submits the popup.
  • Property views: if the property manager enables analytics, anonymized usage metrics (page views, unique visitors, country) — no personally identifying data.
  • Bookings:we don't collect booking details. The property manager's PMS handles guest checkout directly.

4. How we use data

  • To run the Service for property managers.
  • To forward newsletter signups to the property manager's configured mailing-list provider.
  • To diagnose errors and improve the product (aggregated / anonymized).
  • To send service-related emails — outages, updates, billing.

We do not sell personal data to advertisers.

5. Sharing & subprocessors

We share data only with the subprocessors needed to run the Service:

  • Vercel — hosting
  • Railway — Postgres database
  • Clerk — authentication
  • Stripe — billing (when enabled)
  • Sentry — error monitoring (no PII sent)
  • The mailing-list provider you configure for your tenant (Mailchimp, ConvertKit, etc.)

6. Your rights (GDPR / CCPA)

You can request access, correction, deletion, or export of your personal data at any time by emailing privacy@directly.com. Property managers can export their newsletter subscribers as CSV from the Subscribers tab.

7. Cookies

The Directly dashboard uses essential cookies for authentication. Tenant marketing sites do not set tracking cookies by default. If a property manager enables analytics (a future feature), a separate consent banner will be shown to guests where required by law.

8. Data retention

We retain account data while your subscription is active and for 90 days after cancellation, after which it's deleted unless legal obligations require longer retention. Database backups are kept for 7 days.

9. Security

All traffic is encrypted in transit (HTTPS). Sensitive credentials (PMS keys, mailing-list keys) are encrypted at rest. We monitor errors and unusual activity, and follow common security best practices.

10. Changes to this policy

We'll post material changes at this URL and email account holders.

11. Contact

Questions? Email privacy@directly.com.