Skip to content
Kappability logoKappabilityAccount access
HomeContact Support
Create AccountSign In

Legal

Privacy Policy

Last updated: March 25, 2026

On this page

Who Controls DataInformation We CollectIdentity & E-SignHow We Use InformationMessaging & SupportPayments & SecurityCookies & AnalyticsBrowser StorageGoogle OAuth DataService ProvidersRetention & RedactionRights & SignalsContact
On this page
Who Controls DataInformation We CollectIdentity & E-SignHow We Use InformationMessaging & SupportPayments & SecurityCookies & AnalyticsBrowser StorageGoogle OAuth DataService ProvidersRetention & RedactionRights & SignalsContact
Check AvailabilityContact Host

This policy also covers the public owner-onboarding path on this host, including stored intake materials, generated briefs, and the bounded continuation identifiers used to move a saved preview into protected account setup or drafting.

Who Controls Your Data

The Space Place operates this website and related booking workflows. We are based in Broken Arrow, Oklahoma, United States.

Information We Collect

We collect information needed to run reservations, support guests, support owner onboarding, and maintain website security. This includes:

  • Booking and contact details such as name, email, phone number, SMS opt-in status, stay dates, and guest count.
  • If you choose optional guest autofill, identity profile fields from your OAuth provider (such as Google account subject identifier, name, and email).
  • Reservation and transaction records required to process and support bookings.
  • Guest portal and support records such as cancellation requests, stay-change requests, guest messages, and check-in acknowledgements.
  • Booking-security and support records such as request metadata, reservation access logs, fraud-prevention history, and payment-readiness status when needed to protect reservations and guest accounts.
  • Direct-booking agreement records such as typed signer name, signer email, agreement version/hash, signed timestamp, and limited device/network evidence used to support the electronic signature.
  • For Stripe Identity flows, limited verification metadata such as verification-session identifiers, verification status, and related timestamps. Our checkout systems are designed not to retain raw ID images or live-photo files in our own application storage.
  • Technical and interaction data such as IP address, device/browser type, referrer, routes visited, scroll milestones, and link interactions.
  • Privacy preference data used to remember your optional analytics choice.
  • Booking telemetry such as checkout session identifiers, stay dates, guest counts, quote values, and booking-status events.
  • Security and anti-abuse signals such as rate-limit outcomes, Turnstile verification outcomes, and pseudonymized operational identifiers used for reliability monitoring.
  • If you use the public owner-onboarding flow, onboarding materials such as uploaded files, questionnaire answers, generated property briefs, and the bounded public-intake session or brief identifiers needed to continue that flow into account setup or protected drafting.

Booking Identity Verification and E-Signatures

For direct bookings, the responsible booking adult may be required to complete a Stripe-hosted government ID and live-photo verification step before card collection. Stripe handles the raw verification materials captured during that step.

  • We keep the signed rental agreement artifact and the minimal metadata needed to prove assent, investigate abuse, support disputes, and answer booking support questions.
  • We keep only limited Stripe Identity results metadata on our side, such as session ID, status, and timestamps, rather than storing raw ID images or live photos ourselves.
  • Stripe and its sub-processors may process sensitive identity or biometric information needed to review the document and compare the live photo to the ID. Their handling of that raw verification data is governed by Stripe's own terms and privacy materials.
  • If identity verification is incomplete, unsuccessful, or inconsistent with the booking information provided, we may block payment and request another attempt or decline the booking flow.

How We Use Information

  • Process reservations, confirmations, and stay-related communication.
  • Respond to pre-booking and post-booking support requests.
  • Prevent abuse, enforce policies, and protect website security.
  • Verify the responsible guest, collect typed agreement assent, and support claims, chargeback, incident, and legal-response workflows.
  • Measure and improve site performance when analytics consent is granted.
  • Analyze how visitors navigate the site, how they reached the site, and which outbound booking links they use.
  • If you choose guest autofill, apply returned profile fields to speed up checkout and keep fraud/replay safeguards tied to your checkout session.

Messaging and Support Communications

We may send reservation confirmations, access codes, payment notices, price alerts, check-in and checkout reminders, and support replies by email or SMS. If you opt in to booking texts, we use the phone number you provide and your SMS consent status to send those messages and to handle STOP, START, and HELP requests.

  • Transactional email and SMS delivery may include booking details, reservation access codes, and service notices needed to complete or support a reservation.
  • Guest portal cancellation requests, stay changes, guest messages, and check-in acknowledgements are retained with the reservation record to manage support and dispute workflows.
  • We may use Resend and Twilio to deliver those communications and capture delivery or opt-out events for preference management and evidence.

Payments, Reservations, and Site Security

We use secure service providers to host the site, manage reservations, protect checkout, and process direct-booking payments. Those providers may receive the information needed to confirm availability, process payment, support a reservation, and prevent fraud.

  • Reservation-management providers may receive stay dates, guest contact details, and booking updates needed to create or support a reservation.
  • Payment and identity-verification providers may collect card details and, when required, government ID and live-photo information through their hosted checkout or verification flows.
  • Website security providers help us host the site, filter abusive traffic, and protect checkout availability.

Legal Bases

  • Contract performance for booking-related processing.
  • Legitimate interests for site security and operational reliability.
  • Consent for optional analytics technologies.
  • Legal compliance for tax, accounting, and regulatory requirements.

Cookies and Analytics

We use essential storage/technologies for security and session behavior, plus optional analytics technologies for measurement. On first visit, you can accept or decline optional analytics; this preference is stored in browser local storage and can be changed later from the Privacy settings control shown on the site.

  • When optional analytics is enabled, we send site analytics events to PostHog and Google (via Google Tag Manager / GA4), including page/route views, referrer data, route transitions, scroll milestones, click interactions, outbound destination links, and tenant-aware site context such as tenant, property, site, runtime stage, and page-version identifiers when the active runtime can resolve them.
  • Sensitive checkout query parameters (including sessionId, checkout_session_id, stripe_checkout_session_id, statusToken, and redirectToken and snake_case variants) are redacted before client analytics payloads are sent.
  • Separate server-side operational analytics events are also sent to PostHog for checkout reliability, abuse prevention, and conversion monitoring. These events may include checkout/session/reservation identifiers and pseudonymized IP or email identifiers. These operational events are used even when optional analytics is declined and are used only for reliability, fraud prevention, and conversion monitoring.
  • Advertising-related consent signals are set to denied (ad_storage, ad_user_data, and ad_personalization).

Browser Storage and Session Data

  • We use localStorage to remember your optional analytics consent setting.
  • During checkout, we use sessionStorage to keep the active checkout session identifier plus short-lived checkout status tokens and redirect tokens on your current browser session so the flow can resume after a refresh.
  • If you use price alerts, we may store alert preferences and an alert contact token in localStorage so you can manage alerts without re-entering details each time.
  • You can clear browser storage in your browser settings at any time, which may require re-entering preferences or restarting checkout steps.

Google OAuth and Google API Services

When you choose Use Google Autofill during checkout, The Space Place requests the basic Google profile details needed to fill your name and email. This request is made by our checkout application on our domain using our configured Google sign-in settings.

  • Data requested/received: Google account identifier, email address, first and last name, and display-name profile details needed to complete checkout autofill.
  • Primary use: fill missing checkout guest fields (name and email) and connect the OAuth response to the active checkout session.
  • Secondary operational use: prevent replay/abuse and maintain reliable booking audit records.
  • We do not request Gmail, Drive, Calendar, Contacts, or other non-profile Google API scopes in this guest autofill flow.
  • We store a hashed Google account identifier plus checkout-linked profile records (email and first/last name claims) used for autofill reliability, fraud safeguards, and booking audit records. We do not store Google access tokens or refresh tokens after the exchange completes.
  • Google autofill data follows the sharing and retention rules in this policy and is not sold.

Google autofill is optional. You can always continue checkout manually, and you can revoke The Space Place access in your Google account security settings.

If we plan to request new Google data types or use Google user data for a new purpose, we will update this policy and request consent before that new use.

Service Providers We Use

  • Reservation-management providers used for checkout and reservation operations.
  • Stripe for embedded checkout payments, payment events, hosted identity verification, Stripe Connect onboarding, and, where needed, redaction/deletion handling for raw verification artifacts held in Stripe systems.
  • Cloudflare for hosting, edge security, request handling, and checkout protection.
  • Cloudflare Turnstile for bot-detection checks in checkout flows.
  • PostHog for consented client analytics and server-side operational analytics.
  • Google Tag Manager and Google Analytics (GA4) for optional analytics measurement.
  • Resend for transactional email delivery, reservation access codes, payment notices, and price alerts.
  • Twilio for transactional SMS delivery, SMS reply handling, and STOP/START/HELP preference management.
  • Accounting, tax, and lock-automation providers used for booking operations.

How Information Is Shared

We share data only with service providers needed to operate the site, reservations, payments, messaging, and security. This can include sharing booking identity and payment details with Stripe when direct-booking verification or card processing is required. If you continue to third-party booking pages, we may pass limited technical context (such as a checkout session identifier) to preserve booking continuity. We may also share limited contact and reservation details with email and SMS providers used to deliver booking confirmations, access codes, payment notices, and support messages. We do not sell personal information.

Data Retention and Redaction

We retain data only as long as needed for booking operations, support, fraud prevention, dispute handling, and legal obligations. This includes checkout-linked OAuth profile records used for guest autofill and fraud safeguards, signed rental agreement records, guest messages and requests, SMS or email delivery status and opt-out records, reservation support records, security logs, and limited Stripe Identity results metadata linked to the booking session.

Some booking, payment, tax, and claims-support records may be retained for up to seven years where required. Raw government ID images or live-photo materials are intended to remain with Stripe rather than our own storage systems. When a valid rights request, retention schedule, or operational policy calls for redaction, we may request redaction or deletion of those Stripe-held verification materials subject to legal holds, active disputes, chargebacks, insurance claims, and other obligations that require retention.

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, or obtain a copy of personal information, and to appeal certain decisions. Depending on applicable law, this can include requests related to signed-agreement evidence, identity-verification metadata, and requests that we seek redaction of Stripe-held verification materials. To make a request, contact us using the details below.

Where required by law, we also process recognized browser-based opt-out preference signals (such as Global Privacy Control or Do Not Track) as requests to opt out of optional analytics and related data sharing.

To stop booking text messages, reply STOP to a text message or contact us for help. Some reservation-critical messages may still be sent when needed to complete or support a booking.

Children's Privacy

This website and booking process are intended for adults arranging travel. We do not knowingly collect personal information directly from children under 13.

Contact and Updates

We may update this policy when business or legal requirements change. For privacy requests, use our Contact page.

Kappability logoKappability

Account access

Handle account setup, sign in, and support in one place.

Kappability keeps account setup, sign in, support, and compliance information in one place when a branded site is not the right place to start.

Create accountSign inSupport
Create AccountSign In

Explore

  • Home
  • Create Account
  • Sign In

Support

  • Contact Support
  • Compliance Center
  • Privacy Policy
  • Terms of Service

Kappability account access

Built for account setup, sign in, and support.