Privacy Policy

Last updated: June 24, 2026

1. Overview

Spindrift Bookings (the “Service”, “we”, “our”, or “us”) is a private, invitation-only tool for coordinating bookings at the Spindrift family property. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

We do not sell, rent, or share your personal information with third parties for marketing. No information you provide to Spindrift Bookings is used for advertising or shared with affiliates or business partners.

2. Information We Collect

We collect the minimum information needed to operate the Service:

We do not collect: payment information, government IDs, precise geolocation, advertising identifiers, cross-site tracking or browser-fingerprinting data, health information, or biometric data. (We log the IP address of an SMS opt-in solely as consent proof, as noted above — never to track or locate you.)

3. How We Use Your Information

4. Who We Share Information With

We share information only with the limited set of vendors that host or transmit it on our behalf:

These providers process the information solely to operate the Service on our behalf and under contractual confidentiality obligations. No mobile information — including text-messaging opt-in data and consent — will be shared with any third parties or affiliates for any purpose. Information sharing with the subcontractors that operate the Service on our behalf (such as our SMS provider) is limited to delivering the messages you have requested. Text-messaging originator opt-in data and consent are never shared with third parties for marketing or promotional purposes.

We may also disclose information if required by law (for example, in response to a valid subpoena), or to protect the rights, safety, or property of Spindrift Bookings or any user of the Service.

5. Your Choices

6. Data Retention

We keep your member record (name, branch, hashed PIN, phone number) for as long as you remain an invited family member of Spindrift Bookings. SMS consent records are retained for as long as we may need them to demonstrate that you opted in (and for a reasonable period afterward), as required by mobile-carrier rules. Magic-link login tokens and PIN-reset codes are automatically deleted after they expire. Booking records are kept for as long as needed to operate the season calendar.

7. Security

All connections to the Service use TLS (HTTPS). Database access is restricted by Postgres Row Level Security; family members can only read and modify their own bookings. PINs are stored as bcrypt hashes. Magic-link login tokens are single-use and expire after a short window. We have not designed the Service to be hardened against nation-state attackers — this is a private family tool — but we follow industry-standard practices appropriate to that scope.

8. Children

The Service is intended for adult family members. We do not knowingly collect information from children under 13. If you believe a minor has registered, please contact an administrator and we will remove the record.

9. Changes to This Policy

We may revise this Privacy Policy from time to time. The “Last updated” date above reflects the most recent revision. Material changes will also be announced in-app or by SMS.

10. Contact

Privacy questions? Contact Spindrift Bookings at admin@spindriftbookings.com.

See also: Terms of Service.