
Legal

Privacy Policy

Last updated: March 14, 2026


Who Controls Your Data

The Space Place operates this website and related booking workflows. We are based in Broken Arrow, Oklahoma, United States.

Information We Collect

We collect information needed to run reservations, support guests, and maintain website security. This includes:

  • Booking and contact details such as name, email, phone number, stay dates, and guest count.
  • If you choose optional guest autofill, identity profile fields from your OAuth provider (such as Google account subject identifier, name, and email).
  • Reservation and transaction records required to process and support bookings.
  • Technical and interaction data such as IP address, device/browser type, referrer, routes visited, scroll milestones, and link interactions.
  • Privacy preference data used to remember your optional analytics choice.
  • Booking telemetry such as checkout session identifiers, stay dates, guest counts, quote values, and booking-status events.
  • Security and anti-abuse signals such as rate-limit outcomes, Turnstile verification outcomes, and pseudonymized operational identifiers used for reliability monitoring.

How We Use Information

  • Process reservations, confirmations, and stay-related communication.
  • Respond to pre-booking and post-booking support requests.
  • Prevent abuse, enforce policies, and protect website security.
  • Measure and improve site performance when analytics consent is granted.
  • Analyze how visitors navigate the site, how they reached the site, and which outbound booking links they use.
  • If you choose guest autofill, apply returned profile fields to speed up checkout and keep fraud/replay safeguards tied to your checkout session.

Legal Bases

  • Contract performance for booking-related processing.
  • Legitimate interests for site security and operational reliability.
  • Consent for optional analytics technologies.
  • Legal compliance for tax, accounting, and regulatory requirements.

Cookies and Analytics

We use essential storage/technologies for security and session behavior, plus optional analytics technologies for measurement. On first visit, you can accept or decline optional analytics; this preference is stored in browser local storage and can be changed later from the Privacy settings control shown on the site.

  • When optional analytics is enabled, we send site analytics events to PostHog and Google (via Google Tag Manager / GA4), including page/route views, referrer data, route transitions, scroll milestones, click interactions, and outbound destination links.
  • Sensitive checkout query parameters (including sessionId, checkout_session_id, stripe_checkout_session_id, statusToken, and redirectToken, along with their snake_case variants) are redacted before client analytics payloads are sent.
  • Separate server-side operational analytics events are also sent to PostHog for checkout reliability, abuse prevention, and conversion monitoring. These events may include checkout/session/reservation identifiers and pseudonymized IP or email identifiers. These operational events are used even when optional analytics is declined.
  • Advertising-related consent signals are set to denied (ad_storage, ad_user_data, and ad_personalization).

Browser Storage and Session Data

  • We use localStorage to remember your optional analytics consent setting.
  • During checkout, we use sessionStorage to keep short-lived checkout status tokens and redirect tokens on your current browser session.
  • If you use price alerts, we may store alert preferences and an alert contact token in localStorage so you can manage alerts without re-entering details each time.
  • You can clear browser storage in your browser settings at any time, which may require re-entering preferences or restarting checkout steps.

Google OAuth and Google API Services

When you choose Use Google Autofill during checkout, The Space Place requests Google account data through OAuth under the scope openid email profile. This request is made by our checkout application on our domain, using our configured Google OAuth client.

  • Data requested/received: Google account subject identifier (sub), email address, first/last name, and display-name profile claims needed to complete checkout autofill.
  • Primary use: fill missing checkout guest fields (name and email) and connect the OAuth response to the active checkout session.
  • Secondary operational use: prevent replay/abuse and maintain reliable booking audit records.
  • We do not request Gmail, Drive, Calendar, Contacts, or other non-profile Google API scopes in this guest autofill flow.
  • We store a hashed Google subject identifier plus checkout-linked profile records (email and first/last name claims) used for autofill reliability, replay/abuse safeguards, and booking audit records. We do not store Google access tokens or refresh tokens after the exchange completes.
  • Google autofill data follows the sharing and retention rules in this policy and is not sold.

Google autofill is optional. You can always continue checkout manually, and you can revoke The Space Place's access in your Google account security settings.

If we plan to request new Google data types or use Google user data for a new purpose, we will update this policy and request consent before that new use.

Service Providers We Use

  • Hospitable for booking checkout and reservation operations.
  • Stripe for embedded checkout payments, payment events, and identity verification.
  • Cloudflare for hosting, edge security, and request handling.
  • Cloudflare Turnstile for bot-detection checks in checkout flows.
  • PostHog for consented client analytics and server-side operational analytics.
  • Google Tag Manager and Google Analytics (GA4) for optional analytics measurement.
  • Resend for transactional and price-alert email delivery.
  • Twilio for transactional SMS delivery and SMS reply handling.
  • Accounting, tax, and lock-automation providers used for booking operations.

How Information Is Shared

We share data only with service providers required to operate the site and reservation workflow. If you continue to third-party booking pages, we may pass limited technical context (such as a checkout session identifier) to preserve booking continuity. We do not sell personal information.

Data Retention

We retain data only as long as needed for booking operations, support, fraud prevention, and legal obligations. This includes checkout-linked OAuth profile records used for guest autofill and replay/fraud safeguards. Some booking and transaction records may be retained for up to seven years where required.

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, or obtain a copy of personal information, and to appeal certain decisions. To make a request, contact us using the details below.

Where required by law, we also process recognized browser-based opt-out preference signals (such as Global Privacy Control) as requests to opt out of optional analytics and related data sharing.

Children's Privacy

This website and booking process are intended for adults arranging travel. We do not knowingly collect personal information directly from children under 13.

Contact and Updates

We may update this policy when business or legal requirements change. For privacy requests, email support@thespaceplace.us.
