Privacy Policy

Last updated: 3 November 2025

This privacy policy has been updated to reflect our comprehensive data handling practices for Google OAuth Tier 2 CASA assessment compliance.

1. Introduction

Welcome to Enquiry Genie (“we,” “our,” or “us”). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

This policy complies with the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and other relevant UK privacy laws. By accessing or using our service, you consent to the practices described in this policy.

2. Data Controller

Enquiry Genie is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@enquirygenie.co
Address: [Your UK Business Address]

3. Information We Collect

We collect several types of information from and about users of our web application and Chrome extension, including:

3.1 Personally Identifiable Information (PII)

Personal data refers to any information that identifies or can be used to identify you. Through our web application and Chrome extension, we may collect:

  • Contact and Identity Information: Name, email address, phone number, postal address, age, and identification numbers
  • Account Information: Username, password, and account preferences
  • Business Information: Property details, booking information, and rental management data
  • Payment Information: Processed through Stripe, our secure third-party payment processor (we do not store full payment card details)
  • Profile Information: User preferences, settings, and customization choices

3.2 Gmail Data via Google OAuth

When you sign in with Google, we request access to your Gmail data through the following OAuth 2.0 scopes:

  • gmail.modify: Allows us to read your guest inquiry emails, send AI-generated responses on your behalf, and manage email labels for organization. This scope is essential for our core email automation functionality.
  • gmail.settings.basic: Allows us to access your Gmail signature to personalize AI-generated responses to match your communication style.
  • userinfo.email: Your Google email address for account identification and authentication.
  • userinfo.profile: Your basic Google profile information (name, profile picture) for account personalization.

Important: We adhere to Google’s API Services User Data Policy and Limited Use requirements. Gmail data is used solely to provide our email automation service and is never sold, used for advertising, or shared with third parties except as necessary to provide our service (specifically OpenAI for AI processing, as detailed below).

3.3 Authentication Information

Our Chrome extension and web application collect authentication information to provide seamless integration with booking platforms:

  • Google OAuth Tokens: Access tokens (valid for 1 hour) and refresh tokens (long-lived) for Gmail API access, stored encrypted in our Supabase database with row-level security.
  • Platform Cookies: With your explicit consent, our Chrome extension extracts session cookies from Airbnb.com and Booking.com to link guest inquiries with your property listings. These cookies are stored locally in your browser using Chrome’s secure storage API and encrypted in our database.
  • Session Tokens: NextAuth.js JWT session tokens (valid for 30 days) stored in secure, HttpOnly cookies with SameSite protection.
  • Browser Authentication: Chrome extension identity tokens for seamless authentication between extension and web application.

3.4 Email Communications and Content

We process various forms of communications to provide our email management and AI response generation services:

  • Email Content: Full text of guest inquiry emails retrieved from Gmail, including sender, recipient, subject, body content, and attachments (if any).
  • Email Metadata: Timestamps, message IDs, thread IDs, labels, and Gmail-specific identifiers for message tracking and organization.
  • Gmail Signature: Your Gmail signature text extracted for AI response personalization.
  • Communication Analysis Data: Sentiment analysis, tone classification, question extraction, and response time metrics processed by our AI systems.
  • Property Identification Data: Property references extracted from emails to link inquiries with your property listings.

AI Processing Notice: Email content is sent to OpenAI (GPT-4o model) for AI processing to generate personalized responses, extract questions, analyze tone, and identify properties. OpenAI processes this data according to their data processing agreement and does not use customer data to train their models. We do not currently implement additional anonymization of email content before OpenAI processing.

3.5 Platform Cookie Extraction

Important: Our Chrome extension, with your explicit opt-in consent, extracts session cookies from the following booking platforms:

  • Airbnb.com and Airbnb.co.uk: Session cookies used to access your property listings and link them with guest inquiries.
  • Booking.com: Session cookies for property listing integration.
  • VRBO.com: Session cookies for platform integration (if enabled).

Cookie extraction is optional and requires your explicit consent through the extension settings. These cookies enable us to match guest inquiries from Gmail with specific properties you manage on these platforms. Extracted cookies are:

  • Stored encrypted in your browser using Chrome’s secure storage API
  • Transmitted to our servers over HTTPS and stored encrypted in our Supabase database
  • Automatically refreshed when you visit the booking platforms while the extension is active
  • Deleted when you revoke consent or uninstall the extension

3.6 Usage Data

We automatically collect usage data when you access our web application or use our Chrome extension, including:

  • Web Application Data: IP address, browser type and version, device information, pages visited, and features used
  • Chrome Extension Data: Extension usage patterns, activated features, and interaction with booking platforms
  • Platform Integration Data: Which booking platforms you connect to and frequency of data synchronization
  • Performance Data: Time and date of visits, session duration, and response times
  • Referral Data: Referring website addresses and navigation patterns
  • Diagnostic Data: Error logs, crash reports, and performance metrics (without sensitive data)

3.7 Cookies and Similar Technologies

We use cookies and similar tracking technologies across our web application to track activity and store information. This includes:

  • Essential Cookies: NextAuth.js session cookies required for authentication and basic functionality (HttpOnly, Secure, SameSite=Lax)
  • Preference Cookies: To remember your settings, theme preferences, and customizations
  • Analytics Cookies: To understand usage patterns and improve our services (no personally identifiable information shared with third parties)

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use authentication-dependent features of our service.

4. How We Use Your Information

We use the information we collect through our web application and Chrome extension for various purposes, including to:

4.1 Service Provision and Management

  • Core Service Delivery: Provide, maintain, and improve our web application and Chrome extension functionality
  • Platform Integration: Connect and synchronize data with Airbnb.com, Booking.com, and other booking platforms using your authentication credentials
  • Email Processing: Analyze and manage your guest communications, including emails, texts, and chat messages
  • Automated Responses: Generate and send automated responses to guest inquiries based on your communication patterns

4.2 Data Analysis and Insights

  • Communication Analysis: Process personal communications to provide insights on response times, guest satisfaction, and booking patterns
  • Performance Analytics: Analyze your property performance, booking rates, and guest engagement metrics
  • Personalization: Customize your experience and deliver content relevant to your property management needs

4.3 Administrative and Legal

  • Account Management: Process transactions, manage subscriptions, and send related information
  • Communications: Send administrative information, updates, security alerts, and support messages
  • Support Services: Respond to your comments, questions, and requests
  • Security and Compliance: Monitor usage patterns, detect and prevent technical issues, and comply with legal obligations

5. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your personal data. We rely on the following legal bases:

  • Contractual necessity: Processing necessary for the performance of a contract with you
  • Legitimate interests: Processing necessary for our legitimate interests, provided those interests are not overridden by your rights
  • Legal obligation: Processing necessary to comply with our legal obligations
  • Consent: Processing based on your consent

6. Data Sharing and Disclosure

We may share your information in the following circumstances:

6.1 Service Providers and Partners

We share your data with the following specific third-party service providers:

  • Supabase (Database and Authentication): Our primary database provider (PostgreSQL) stores all user data, properties, emails, embeddings, and OAuth tokens. Data is stored in encrypted format with row-level security (RLS) policies ensuring users can only access their own data. Supabase is SOC 2 Type II certified and GDPR compliant. Location: US and EU regions.
  • OpenAI (AI Processing): Email content, property information, and user questions are sent to OpenAI’s GPT-4o model and embeddings API for AI response generation, question extraction, tone analysis, and semantic search. OpenAI processes data as a data processor under their Business Agreement and does not use customer data to train models. Important: Email content containing guest inquiries (which may include guest PII) is sent to OpenAI without additional anonymization.
  • Stripe (Payment Processing): Payment information, subscription management, and billing data. Stripe is PCI DSS Level 1 certified. We do not store full payment card details; Stripe handles all payment card processing.
  • Upstash (Rate Limiting): Redis-based rate limiting service to protect API endpoints from abuse. Only anonymized request metadata is shared (no PII).
  • Vercel (Hosting and CDN): Next.js web application hosting and content delivery. Access logs may contain IP addresses and user agent strings.
  • Google (OAuth and Gmail API): OAuth authentication provider and Gmail API for email access. We access Gmail data only with your explicit consent via OAuth 2.0 scopes.

6.2 Platform Integration

  • Booking Platforms: We interact with Airbnb.com, Booking.com, and other integrated platforms using your authentication credentials to provide our services
  • Third-party APIs: Integration with calendar services, property management systems, and other tools you choose to connect

6.3 Legal and Business Requirements

  • Legal Compliance: When required by law, court order, or regulatory authority
  • Rights Protection: To protect our rights, property, or safety, or that of our users or others
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with appropriate data protection measures)
  • Consent-Based Sharing: With your explicit consent, we may share data with business partners to offer additional products or services

6.4 Data Protection in Sharing

When sharing data with third parties:

  • Contractual Protections: All service providers are bound by strict data processing agreements
  • Data Minimization: We only share the minimum data necessary for the specific purpose
  • Security Requirements: Third parties must maintain appropriate security measures
  • Purpose Limitation: Data can only be used for the specific purposes we authorize

6.5 International Transfers

Your information may be transferred to and processed in countries other than the UK, including for Chrome extension functionality and platform integrations. These countries may have data protection laws that are different from UK laws. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK authorities
  • Adequacy decisions where applicable
  • Additional security measures for sensitive authentication data
  • Regular review of international data transfer practices

7. Data Security

We implement comprehensive security measures to protect your personal data, authentication information, and personal communications:

7.1 Technical Security Measures

  • Encryption in Transit: All data transmitted between your browser, our Chrome extension, and our servers uses HTTPS with TLS 1.3 encryption. No sensitive data is transmitted over unencrypted connections.
  • Encryption at Rest: All data stored in our Supabase PostgreSQL database is encrypted using AES-256 encryption. OAuth tokens and platform cookies are additionally encrypted before storage.
  • Security Headers: Our web application implements comprehensive security headers:
    • Content-Security-Policy (CSP) to prevent XSS attacks
    • Strict-Transport-Security (HSTS) to enforce HTTPS
    • Permissions-Policy to restrict browser features
    • Referrer-Policy to control referrer information leakage
  • Row-Level Security (RLS): Database queries enforce row-level security policies ensuring users can only access their own data. Cross-user data access is impossible at the database level.
  • Rate Limiting: API endpoints are protected by multi-tier rate limiting using Upstash Redis to prevent abuse, brute-force attacks, and denial-of-service attempts.
  • Input Validation: All user input is validated using Zod schemas to prevent injection attacks. SQL injection is prevented through parameterized queries.
  • Chrome Extension Security: The extension enforces a Content Security Policy (script-src 'self'; object-src 'self') and uses Chrome’s secure storage API for local data.
  • Session Security: Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies to prevent XSS and CSRF attacks. Sessions expire after 30 days of inactivity.

7.2 Access Control and Authentication

  • OAuth 2.0 Authentication: User authentication via Google OAuth 2.0 with industry-standard authorization code flow.
  • Token Management: Access tokens expire after 1 hour. Refresh tokens are securely stored and automatically rotated. Token revocation is immediate upon account deletion.
  • API Authentication: All API endpoints require valid JWT session tokens. Unauthenticated requests are rejected.
  • Authorization Checks: Every API request validates user permissions and enforces row-level security before data access.
  • Minimal Privilege: Application code runs with minimal database privileges. No direct database access from client-side code.

7.3 Organizational Security Measures

  • Secure Development Lifecycle: TypeScript strict mode enabled. Automated linting and security checks in CI/CD pipeline.
  • Dependency Management: Regular dependency updates and vulnerability scanning using npm audit.
  • Access Limitation: Production database access restricted to authorized personnel with audit logging.
  • Incident Response: Established procedures for detecting, responding to, and reporting security incidents within 72 hours (GDPR requirement).
  • Data Backup: Automated daily encrypted backups with 30-day retention. Regular backup restoration testing.
  • Monitoring and Logging: Error logs automatically redact sensitive data. Logs retained for 30 days, then automatically deleted.

7.4 Third-Party Security

  • Supabase: SOC 2 Type II certified, GDPR compliant, enterprise-grade PostgreSQL hosting with encryption and access controls.
  • OpenAI: Business Agreement in place. OpenAI does not use customer data to train models. Data processing agreement ensures GDPR compliance.
  • Stripe: PCI DSS Level 1 certified payment processor. We never handle or store full payment card details.
  • Vercel: Enterprise hosting with DDoS protection, automatic SSL certificates, and global CDN.

While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously monitor and improve our security practices to protect your information.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specific retention periods:

8.1 Retention Periods by Data Type

  • Account Data: Retained while your account is active. Deleted 30 days after account deletion request (to allow for accidental deletion recovery).
  • Gmail Data (Email Content): Retained while your account is active for AI training on your communication style. Deleted immediately upon account deletion or OAuth revocation.
  • OAuth Tokens: Access tokens expire after 1 hour. Refresh tokens retained until revoked or account deleted. Deleted immediately upon account deletion.
  • Platform Cookies (Airbnb, Booking.com): Retained while account is active and consent is granted. Automatically refreshed when you visit platforms. Deleted immediately when consent is revoked or account is deleted.
  • Property Information: Retained while your account is active. Deleted immediately upon account deletion.
  • Email Embeddings (AI Vector Data): Retained for semantic search functionality. Deleted immediately upon account deletion.
  • Subscription and Payment Data: Stripe retains customer records for 7 years for tax and legal compliance (we cannot delete this data). Subscription metadata in our database is deleted upon account deletion.
  • Audit Logs: Account deletion requests are logged permanently for compliance purposes (contains user email, deletion timestamp, and request ID only).
  • Usage and Analytics Data: Aggregated, anonymized analytics retained indefinitely. User-specific usage data deleted after 90 days or upon account deletion.
  • Error Logs and Diagnostics: Retained for 30 days, then automatically deleted. Sensitive data is redacted from error logs.

8.2 Automatic Data Cleanup

We implement automatic data cleanup processes:

  • Expired OAuth access tokens are automatically purged
  • Old error logs are automatically deleted after 30 days
  • Session tokens are automatically expired after 30 days of inactivity
  • Inactive accounts (no login for 2+ years) are flagged for review and potential deletion

9. Your Data Protection Rights

Under UK data protection laws, you have the following rights:

  • Right to access: The right to request copies of your personal data
  • Right to rectification: The right to request that we correct inaccurate information or complete incomplete information
  • Right to erasure: The right to request that we delete your personal data in certain circumstances
  • Right to restrict processing: The right to request that we restrict the processing of your personal data
  • Right to data portability: The right to request the transfer of your personal data to another organization
  • Right to object: The right to object to our processing of your personal data
  • Rights related to automated decision-making: The right not to be subject to a decision based solely on automated processing

To exercise any of these rights, please contact us using the details provided in the “Data Controller” section. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

9.1 Account Deletion (Right to Erasure)

We provide a comprehensive GDPR-compliant account deletion process. When you request account deletion through your account settings:

  • Step 1 - Confirmation: You will be presented with a confirmation dialog explaining what data will be deleted and offering a data export option.
  • Step 2 - OAuth Revocation: Your Google OAuth tokens are immediately revoked, terminating our access to your Gmail account.
  • Step 3 - Database Deletion: All your data is deleted from our Supabase database, including:
    • User settings and profile information
    • Properties and property knowledge bases
    • Email data, messages, and communication history
    • Email embeddings and AI training data
    • Email tone classifications
    • Platform cookies (Airbnb, Booking.com)
    • Experiments and analytics data
    • Subscription metadata (note: Stripe retains payment records for legal compliance)
  • Step 4 - Stripe Cleanup: Active subscriptions are cancelled. Stripe retains customer records for 7 years for tax and legal requirements (we cannot delete this data, but it is anonymized where possible).
  • Step 5 - Session Termination: All active sessions are terminated, and you are logged out from all devices.
  • Step 6 - Audit Logging: The deletion request is logged in our audit_logs table (containing only your email address, deletion timestamp, and request ID) for compliance purposes.

Deletion Timeline: Most data is deleted immediately. Some data may be retained in encrypted backups for up to 30 days, after which backups are automatically rotated and permanently deleted.

Important: Account deletion is irreversible after 30 days. If you change your mind, contact us within 30 days to request account recovery.

9.2 Data Export (Right to Data Portability)

You can request a complete export of your personal data at any time through your account settings. The data export includes:

  • Account Information: Your profile, email address, and account settings
  • Properties: All property information, descriptions, FAQs, and knowledge base data
  • Email Data: All extracted email data, including sender, recipient, subject, and content (excluding attachments)
  • Communication Analysis: Tone classifications, sentiment analysis, and response metrics
  • Subscription Information: Subscription status, plan details, and billing history metadata

Data is provided in JSON format for easy portability to other systems. The export is generated asynchronously and provided as a downloadable link within 24 hours. The download link expires after 7 days for security purposes.

Note: Data export does not include OAuth tokens (for security), encrypted platform cookies (platform-specific), or audit logs (internal compliance records).

10. Third-Party Services

Our service may contain links to third-party websites, services, or applications that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit.

11. Chrome Extension and Platform Integration

11.1 Chrome Extension Permissions

Our Chrome extension (Manifest V3) requests the following browser permissions, used exclusively for the stated purposes:

  • identity & identity.email: For Google OAuth authentication to access your Gmail account via the Gmail API.
  • storage: To securely store user settings, OAuth tokens (encrypted), and platform cookies locally in your browser using Chrome’s secure storage API.
  • tabs: To detect when you navigate to booking platform websites (Airbnb, Booking.com) to refresh platform cookies.
  • sidePanel: To display the Enquiry Genie interface in Chrome’s side panel for easy access while browsing Gmail.
  • scripting: To inject content scripts on Gmail and booking platform pages to extract data and provide enhanced functionality.
  • cookies: To read session cookies from Airbnb.com, Booking.com, and VRBO.com (with your explicit consent) to link properties with guest inquiries.
  • alarms: To schedule periodic background tasks for token refresh and data synchronization.
  • idle: To detect user activity and optimize background tasks.

Host Permissions: The extension can access specific domains only: mail.google.com (Gmail), googleapis.com (Google APIs), supabase.co (our database), api.openai.com (AI processing), enquirygenie.co/com (our web application), and booking platform domains (Airbnb, Booking.com, VRBO) when you explicitly enable those integrations.

11.2 Chrome Extension Data Handling

Our Chrome extension is designed to integrate with booking platforms while maintaining strict data privacy standards:

  • Local Processing: Authentication credentials and platform cookies are processed locally in your browser using Chrome’s secure storage API (chrome.storage.local) before encrypted transmission.
  • Secure Transmission: All data transmitted to our servers uses HTTPS/TLS 1.3 encryption. OAuth tokens and platform cookies are additionally encrypted before storage.
  • Minimal Data Collection: We only collect the minimum data necessary to provide our services. Content scripts do not extract data from arbitrary web pages.
  • No Unauthorized Access: We do not access or collect data from websites other than those explicitly integrated with our service (Gmail, Airbnb, Booking.com, VRBO).
  • Content Security Policy: The extension enforces a strict Content Security Policy (script-src 'self'; object-src 'self') to prevent code injection attacks.
  • User Control: You can revoke OAuth permissions, disable cookie extraction, and disconnect platform integrations at any time through your account settings or by uninstalling the extension.

11.3 Booking Platform Integration

Our integration with Airbnb.com, Booking.com, and other platforms involves:

  • Cookie Extraction (Opt-In): With your explicit consent, extracting session cookies to authenticate and link your property listings with guest inquiries.
  • Property Data Retrieval: Accessing your property listings, descriptions, and availability to match with email inquiries.
  • Data Synchronization: Retrieving booking information, guest communications, and property data to provide comprehensive property management features.
  • Automated Actions: Performing actions on your behalf (with your explicit consent) such as responding to messages via the Gmail API (not directly on booking platforms).
  • Cookie Refresh: Automatically updating platform cookies when you visit booking platforms with the extension active to maintain uninterrupted service.

Important: We do not store your booking platform passwords. Cookie extraction requires you to be already logged in to the platforms. You can revoke cookie extraction consent at any time.

11.4 Google OAuth and Gmail API Compliance

When you sign in using Google OAuth, we adhere to Google’s API Services User Data Policy, including the Limited Use requirements. We request the following Gmail API scopes:

  • gmail.modify: Used exclusively to read guest inquiry emails, send AI-generated responses on your behalf, and organize emails with labels. This is the minimum scope required for our email automation features (gmail.readonly would not allow sending replies).
  • gmail.settings.basic: Used exclusively to access your Gmail signature for personalizing AI-generated responses to match your communication style.
  • userinfo.email and userinfo.profile: Used for account identification, authentication, and personalization.

Google Limited Use Commitments:

  • We only request access to the minimum Gmail data necessary to provide our email automation service
  • We only use Gmail data for the purposes explicitly described in this Privacy Policy
  • We do not sell your Gmail data to anyone
  • We do not use your Gmail data for advertising purposes
  • We do not transfer Gmail data to third parties except: (1) As necessary to provide our service (specifically, email content sent to OpenAI for AI processing), (2) With your explicit consent, (3) For security purposes, or (4) To comply with applicable law
  • We do not mislead you about the data we access or how we use it
  • We implement and maintain appropriate security measures including encryption, access controls, and regular security audits

Token Security: OAuth access tokens expire after 1 hour and are automatically refreshed. Refresh tokens are stored encrypted in our Supabase database with row-level security. You can revoke our access at any time via your Google Account settings or through our account deletion process.

11.5 Chrome Web Store Compliance

Our Chrome extension fully complies with the Chrome Web Store Developer Program Policies:

  • User Data Privacy: We follow all user data privacy requirements and obtain appropriate permissions
  • Manifest V3 Compliance: Our extension uses Manifest V3 with appropriate security measures
  • Permission Justification: We only request permissions necessary for our stated functionality
  • Data Transparency: We clearly disclose what data we collect and how it is used
  • User Consent: We obtain explicit user consent before accessing sensitive data

12. Children’s Privacy

Our service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we take steps to remove that information from our servers.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Complaints

If you have a complaint about our use of your personal data, please contact us first using the details provided in the “Data Controller” section, and we will do our best to resolve the issue. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).