HostelHackBack to Home

Privacy Policy

Last updated: March 26, 2026

1. Introduction

HostelHack ("we," "us," or "our") operates the website hostelhack.com and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, password (hashed), profile photo, headline, bio, skills, and location when you register.
  • Proposal data: hostel names, proposed terms, deliverables, and messages you create through the proposal system.
  • Communications: messages, emails, and other content you send or receive through the unified inbox feature.
  • Payment information: processed by our third-party payment processor; we do not store full payment card details.

2.2 Information Collected via OAuth

When you connect a Gmail or Microsoft Outlook account, we request access to read and send email on your behalf. We store OAuth access and refresh tokens securely. We access only the minimum scopes required:

  • Gmail: read, compose, send, and modify messages and labels
  • Outlook: read and send mail, access mailbox settings

You may disconnect your email account at any time from Settings, which revokes our access and deletes stored tokens.

2.3 Information Collected Automatically

  • Usage data: pages visited, features used, timestamps, and referring URLs.
  • Device data: browser type, operating system, and screen resolution.
  • Cookies: session cookies for authentication and preferences. See Section 7.

3. How We Use Your Information

  • Operate, maintain, and improve the Service.
  • Match digital nomads with hostels using our AI-powered discovery engine (Gemini 2.0).
  • Send and receive emails on your behalf through connected email accounts.
  • Generate AI-powered hostel dossiers and personalized pitches.
  • Verify hostel contact information through our email verification pipeline.
  • Process proposals and facilitate skill-for-stay exchanges.
  • Send transactional emails (account confirmations, proposal updates).
  • Analyse aggregated, de-identified usage patterns to improve features.
  • Enforce our Terms of Service and protect against fraud.

4. How We Share Your Information

We do not sell your personal information. We may share data with:

  • Hostels you contact: your profile information and proposal details are shared with hostels you send proposals to.
  • Service providers: Clerk (authentication), Supabase (database hosting), Vercel (hosting), Google Cloud (AI services), Inngest (background jobs). These providers process data on our behalf under contract.
  • Legal obligations: when required by law, regulation, or legal process.
  • Business transfers: in connection with a merger, acquisition, or sale of assets.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Email data synced through connected accounts is retained until you disconnect the account or delete your profile. You may request deletion of your account and associated data at any time by contacting us.

6. Data Security

  • All data is encrypted in transit (TLS 1.3) and at rest.
  • OAuth tokens are stored in a Supabase database with Row-Level Security ensuring only the owning user can access them.
  • Authentication is handled by Clerk, a SOC 2 Type II certified provider.
  • Supabase infrastructure is SOC 2 Type II certified and encrypted at rest.
  • We conduct regular security reviews and follow OWASP best practices.

7. Cookies

We use the following types of cookies:

  • Essential cookies: required for authentication and session management (Clerk session tokens). These cannot be disabled.
  • Functional cookies: remember your preferences (e.g., sidebar state, theme).
  • Analytics cookies: help us understand usage patterns. You may opt out through your browser settings.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your personal data ("right to be forgotten").
  • Export your data in a portable format.
  • Withdraw consent for optional data processing.
  • Object to processing based on legitimate interests.
  • Disconnect email accounts and purge synced data.

To exercise any of these rights, contact us at privacy@hostelhack.com.

9. International Data Transfers

Your information may be processed in countries other than your own. Our infrastructure providers (Vercel, Supabase, Google Cloud) operate globally. We ensure appropriate safeguards are in place for cross-border transfers in accordance with applicable law.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: