Issue 05/Legal/Privacy Policy

The data we hold on you.

ArbiBase is built on operator trust. This policy explains exactly what we collect, why we collect it, and what you can do about it. No vague language, no buried opt-outs.

Plain-English Summary
  1. 01
    We collect what we need.

    Name, email, billing details, usage data. Nothing beyond what's required to run the platform.

  2. 02
    We never sell your data.

    No marketing data product. Your operator data is not a revenue line for us, ever.

  3. 03
    You own your data.

    Your comps, notes, and exports belong to you. Cancel and export everything for 90 days.

  4. 04
    Comps are anonymous.

    Market aggregates are cell-suppressed. No single operator or unit can be re-identified.

  5. 05
    You have real rights.

    Access, correct, delete, or port your data. We respond to every request within 30 days.

  6. 06
    We're compliant, verifiably.

    CCPA, GDPR, FIPA, NY SHIELD. We audit annually and maintain records to prove it.

§ 01

Overview & scope

This Privacy Policy describes how ArbiBase, LLC ("ArbiBase," "we," "us," or "our") collects, uses, shares, and protects information when you access or use our website at https://arbibase.com, our portal, APIs, and any related services (collectively, the "Services"). By using our Services, you agree to this Policy and our Terms of Service. If you do not agree, please discontinue use.

This Policy applies to all users of the Services, including property operators, coaches, and landlords. For data collected via our Data Processing Addendum (DPA), the DPA governs where it conflicts with this Policy.

§ 02

Information we collect

Personal information

  • Name, email address, and phone number.
  • Billing and subscription details (processed securely by Stripe).
  • Account preferences, login data, and communication settings.

Business & property information

  • Company or brand name; role (operator, coach, landlord).
  • Property details (address, rent, terms, restrictions, approval status).
  • Verification records (voice, written, or digital consent documentation).
  • Operator-submitted comps: reported ADR, occupancy, and revenue figures.

Usage & device data

  • Pages visited, actions taken, referring URLs, and timestamps.
  • IP address, browser type, device model, and approximate city/region.
  • Cookies and campaign identifiers (UTMs, analytics IDs).

Third-party sources

  • CRM tools, automation, and scheduling integrations you connect.
  • Payment processors (Stripe) — billing and fraud-prevention signals.
  • Partner databases and public property records you authorize us to import.

You may choose not to share certain data, but some features may not function properly without it.

§ 03

How we use information

We use information to:

  • Provide, maintain, and improve our verified-property platform.
  • Operate subscriptions, billing, and customer accounts.
  • Communicate with you about updates, security, or marketing (with consent where required by law).
  • Verify property permissions and maintain database accuracy.
  • Detect fraud, enforce our Terms, and comply with legal obligations.
  • Analyze usage and produce aggregate statistics to improve platform performance.

Anonymized & aggregated use

We may anonymize and aggregate data (e.g., occupancy rates, market ADR trends) for analytics or benchmarking. This data cannot identify any individual user or unit and may be shared publicly or with partners.

Communications & consent

By providing your contact information, you consent to receive service-related emails and texts (e.g., billing, security, support). Marketing messages require opt-in consent where required by law. You may unsubscribe at any time or reply "STOP" to SMS. Standard message and data rates may apply.

We never sell your personal information Operator data is not a revenue line for ArbiBase. We do not have a marketing data product.
§ 05

Sharing of information

We share information only with trusted service providers that support our operations. All vendors must process data under written agreements that mirror our privacy and security standards.

Payments
Stripe (billing, fraud prevention)
Database & backend
Supabase
CRM & outreach
HubSpot
Hosting & CDN
AWS, Cloudflare
Analytics
Privacy-respecting tracking tools
Communications
Email and support platforms

Legal & corporate disclosures

We may share information to comply with applicable law or a valid legal process, to protect the rights, property, or safety of ArbiBase, our users, or others, or as part of a merger, acquisition, or asset sale (in which case we'll notify you and give you the opportunity to object where required by law).

§ 06

Cookies & tracking

We use cookies and similar technologies for authentication, security, analytics, and user preferences. You can control cookies through your browser settings or via our consent banner where required by applicable law.

Essential
Authentication, session management, and core platform features. Cannot be disabled without breaking the Service.
Functional
Performance, customization, and remembered preferences.
Analytics
Usage measurement and aggregate behavioral insights.
Communications
Email and SMS opt-in tracking.

For full details, see our Cookie Policy.

§ 07

Data retention & security

We retain data only as long as needed for operational or legal purposes. After retention ends, data is anonymized or securely deleted.

Account & operator data
90-day export window after cancellation, then deleted from production within 30 days and from backups within 90 additional days.
Billing records
5 years (for tax compliance).
Verification records
Active lifetime of the property listing.
Usage logs & telemetry
Up to 12 months, then anonymized.

Security measures

We use encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access controls, and automated alerting for anomalous activity. No system is 100% secure, but we continuously review and improve our controls. You are responsible for maintaining the security of your own credentials.

§ 08

Data breach notifications

If a data breach occurs that affects your personal information, ArbiBase will promptly investigate, contain, and notify affected users and the appropriate authorities as required by:

  • Florida Information Protection Act (FIPA) § 501.171;
  • California Civil Code § 1798.82; and
  • New York SHIELD Act § 899-bb.

Notification will be sent to the email address on your account. We will include the nature of the breach, the categories of data affected, and steps we are taking to remediate it.

§ 09

Your rights (GDPR / CCPA / CPRA)

Depending on your location, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that inaccurate information be corrected.
  • Deletion — request that we delete your personal data, subject to legal retention requirements.
  • Portability — receive a machine-readable copy of your data.
  • Withdraw consent — opt out of marketing communications at any time.
  • Opt out of sharing for targeted advertising — as defined under CPRA.
  • Limit use of sensitive data — where applicable under state law.

B2B communications

If you interact with us solely as a business representative (operator, coach, landlord), some consumer privacy rights may not apply, but your data remains protected under this Policy.

Florida & New York residents

We will notify you of any security breach affecting your personal information within the statutory time frames prescribed by FIPA and the NY SHIELD Act.

How to exercise your rights Email privacy@arbibase.com or admin@arbibase.com. We respond within 30 days (45 days where permitted by law). Authorized California agents must provide written proof of authorization.
§ 10

International transfers

ArbiBase is based in the United States. If you access our Services from outside the U.S., your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

Where required by applicable law (e.g., GDPR), we use Standard Contractual Clauses (SCCs) and other appropriate safeguards to protect cross-border data transfers.

§ 11

Children's privacy

The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected such data, we will delete it immediately. If you believe we have collected information from a child, please contact us at privacy@arbibase.com.

§ 12

"Do Not Track"

There is currently no universally accepted standard for how websites should respond to browser "Do Not Track" (DNT) signals. We do not currently respond to DNT signals, but we monitor regulatory developments and will update this Policy if a recognized standard emerges.

You can limit tracking at any time through our cookie consent banner and your browser's privacy settings.

§ 13

Automated decision-making & AI use

We do not make decisions with significant legal or similarly significant effects solely through automated means without human review. We may use AI-assisted filters to detect duplicate property submissions, flag potentially fraudulent data, or improve data quality. These systems are human-supervised and limited to internal data quality improvements.

Where EU/UK GDPR applies, you have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. To exercise this right, contact privacy@arbibase.com.

§ 14

Changes to this policy

We may update this Policy periodically. The "Last revised" date at the top of this page reflects the most recent revision. For material changes, we will provide at least 14 days' advance notice to active account holders via email, and for California users at least 30 days' notice where required by law.

Continued use of the Services after a revised Policy takes effect constitutes acceptance. If you do not agree, you may close your account before the effective date.

§ 15

Contact & compliance

To exercise your rights, submit a privacy request, or report a concern, contact us:

ArbiBase, LLC
1111b South Governors Ave STE 48151
Dover, DE 19904 US
privacy@arbibase.com
support@arbibase.com
+1 (844) 939-3594

Compliance statement

ArbiBase complies with:

  • Florida Information Protection Act (FIPA)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • New York SHIELD Act (§ 899-bb)
  • EU / UK General Data Protection Regulation (GDPR)

We review our data-protection measures annually and maintain auditable records of compliance activities.

Your privacy

Transparent by design.

If anything in this Policy is unclear or you want to exercise a data right, email us directly. We respond to every privacy request personally and within 30 days.

Revision history

  • 2026-05-01v3.0 · Full editorial redesign. Added AI use disclosure, GDPR lawful-basis definitions, and data-retention schedule.
  • 2026-01-10v2.2 · Added NY SHIELD Act and FIPA breach-notification language.
  • 2025-10-14v2.1 · Updated vendor list. Added Supabase as a listed processor.
  • 2025-06-01v2.0 · CPRA compliance update. Added data-portability and sensitive-data opt-out rights.