Austrian company, EU data residency, GDPR by design. No dark patterns, no data resale, no surprises.
TLS 1.3 in transit. AES-256 at rest. Smoobu API keys encrypted at the column level with a separate key from the auth JWT secret, so a compromised token doesn't expose integrations.
All operational data lives on EU servers. Guest messages, apartment guides, reservations — none of it leaves the EU. Gemini inference routes through Google's EU endpoints.
Right to access, rectify, erase — all supported. Request full account deletion in-app; we process within five business days and confirm via email. No dark patterns, no friction.
Card details never touch our servers. Stripe is PCI-DSS Level 1 certified and holds all payment data; we only see the customer ID and invoice references. Refunds + cancellations go through Stripe's official API.
14-day full refund guaranteed by Austrian consumer law — enforced in the product as a single one-click button, not hidden behind customer-service emails.
Export your apartments, guides, guest message history, and invoices at any time. One click from the settings page generates a JSON archive you can download.
Four commitments for how guest information flows through Virtual Host AI.
Your guest communications are yours. We use them to run the product you're paying for. We do not train public AI models on them, sell them, or share them with third parties for advertising.
The Smoobu apartment ID is our global-unique anchor. If an apartment is already managed in our system, a second account cannot claim it. This prevents cross-account data leakage and abuse of our 14-day refund.
When you request account deletion, we remove user records, subscription history, apartment bindings, message references, and Smoobu API keys. Anonymized operational logs (error rates, performance metrics) are retained up to 90 days.
We use: Google (Gemini inference), Stripe (payments), cPanel/AltusHost (hosting in the EU), Telegram (host notifications only — guest messages never flow through Telegram). Full list and DPAs available on request.
We'd rather answer than hide. Write to us for DPA requests, security questionnaires, or specific compliance checks.
Email security team