Privacy Policy
Last updated: June 24, 2026
1. Overview
Spindrift Bookings (the “Service”, “we”, “our”, or “us”) is a private, invitation-only tool for coordinating bookings at the Spindrift family property. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
We do not sell, rent, or share your personal information with third parties for marketing. No information you provide to Spindrift Bookings is used for advertising or shared with affiliates or business partners.
2. Information We Collect
We collect the minimum information needed to operate the Service:
- Identity: your first name and the family branch you've been assigned to, provided by the administrator when you are invited.
- Phone number: the U.S. mobile number you use to sign in — and, if you choose to opt in, to receive optional text notifications.
- Authentication: a hashed PIN that you set yourself. We store only the bcrypt hash — we do not see or store the plaintext PIN.
- Bookings & messages: your check-in/check-out dates, house selection, guest count, optional notes, and any messages you post to the family message board.
- Operational logs: timestamps for turns, passes, login attempts, and PIN-reset requests, used for the rotation logic and to investigate problems.
- SMS consent record: when you opt in through our sign-up form, we record your mobile number, the exact consent language you agreed to, the date and time, and the IP address and browser user-agent of the submission. This is kept as proof of your consent, as required by mobile-carrier rules.
We do not collect: payment information, government IDs, precise geolocation, advertising identifiers, cross-site tracking or browser-fingerprinting data, health information, or biometric data. (We log the IP address of an SMS opt-in solely as consent proof, as noted above — never to track or locate you.)
3. How We Use Your Information
- Operate the Service: show you your bookings, calendar, and rotation status; authenticate you when you sign in.
- Send transactional SMS: invitations, turn notifications, reminders, the final-warning message before auto-pass, overlap-approval requests, PIN-reset codes, and system-wide announcements (such as the activation of free booking mode). See the Terms of Service for the full SMS-program disclosure.
- Coordinate with other family members: within the Service, other authenticated family members can see your name, family branch, and any bookings or messages you post. Other members cannot see your phone number or PIN.
- Administer the system: administrators can see all members' phone numbers and opt-in/opt-out status in order to invite members and manage the rotation. Administrators cannot see your PIN.
4. Who We Share Information With
We share information only with the limited set of vendors that host or transmit it on our behalf:
- Supabase — database hosting and authentication infrastructure.
- Vercel — application hosting.
- Twilio — sending and receiving SMS messages. Twilio receives the phone numbers, message content, and timestamps required to deliver the message.
These providers process the information solely to operate the Service on our behalf and under contractual confidentiality obligations. No mobile information — including text-messaging opt-in data and consent — will be shared with any third parties or affiliates for any purpose. Information sharing with the subcontractors that operate the Service on our behalf (such as our SMS provider) is limited to delivering the messages you have requested. Text-messaging originator opt-in data and consent are never shared with third parties for marketing or promotional purposes.
We may also disclose information if required by law (for example, in response to a valid subpoena), or to protect the rights, safety, or property of Spindrift Bookings or any user of the Service.
5. Your Choices
- SMS opt-out: reply STOP to any Spindrift SMS, or open the dashboard and choose “Opt out of SMS”. Opting out only stops text messages; your account and booking turns are unaffected. Re-opt in by replying START or using the dashboard toggle.
- Update or remove your phone number: ask an administrator to update or remove your phone in the admin panel.
- Delete your account: contact us at admin@spindriftbookings.com and we will remove your member record. Past bookings may be retained in summary form for the rotation history.
6. Data Retention
We keep your member record (name, branch, hashed PIN, phone number) for as long as you remain an invited family member of Spindrift Bookings. SMS consent records are retained for as long as we may need them to demonstrate that you opted in (and for a reasonable period afterward), as required by mobile-carrier rules. Magic-link login tokens and PIN-reset codes are automatically deleted after they expire. Booking records are kept for as long as needed to operate the season calendar.
7. Security
All connections to the Service use TLS (HTTPS). Database access is restricted by Postgres Row Level Security; family members can only read and modify their own bookings. PINs are stored as bcrypt hashes. Magic-link login tokens are single-use and expire after a short window. We have not designed the Service to be hardened against nation-state attackers — this is a private family tool — but we follow industry-standard practices appropriate to that scope.
8. Children
The Service is intended for adult family members. We do not knowingly collect information from children under 13. If you believe a minor has registered, please contact an administrator and we will remove the record.
9. Changes to This Policy
We may revise this Privacy Policy from time to time. The “Last updated” date above reflects the most recent revision. Material changes will also be announced in-app or by SMS.
10. Contact
Privacy questions? Contact Spindrift Bookings at admin@spindriftbookings.com.
See also: Terms of Service.