Privacy Policy
BAU ENTERPRISES LLC — Version 2.0 (DRAFT — REQUIRES COUNSEL REVIEW BEFORE PUBLISH) — Effective TBD
1. Introduction
ArrivHQ (“we,” “us,” or “our”) operates the ArrivHQ platform (arrivhq.com and app.arrivhq.com), a tax compliance platform for short-term rental hosts. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
By using ArrivHQ, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, and password when you create an account.
- Property information: Property addresses, descriptions, and operational details you enter to manage your short-term rentals.
- Compliance records: Work logs, mileage logs, expense records, revenue entries, and receipt uploads that you create for tax compliance purposes.
- Reservation information: Guest names, contact details, check-in/check-out dates, and booking details you enter or import.
- Team information: Names and email addresses of team members you invite to your account.
- Billing information: Payment details are collected and processed by Stripe, our payment processor. We do not store credit card numbers.
- Communications: Messages you send through our support channels.
- Guest government identification (optional, host-enabled): When a host configures a “Photo — Government ID” checklist step, guests are asked to upload a photo of a government-issued identification document. We extract identifying information (name, date of birth, document type, expiration) using AI vision and store the photo for 30 days after the guest’s check-out date, after which the photo is permanently deleted. See Section 8 for retention details and Section 9 for biometric-specific disclosures.
- Guest face / biometric information (optional, host-enabled): When a host configures a “Photo — Person” checklist step, guests are asked to upload a photo of their face. We use AI vision to verify the image contains a human face. The photo is stored for 30 days after the guest’s check-out date, after which it is permanently deleted. We do not generate, store, or share a separate biometric template. See Section 9 for Illinois BIPA-specific disclosures and rights.
2.2 Information from Financial Institutions (via Plaid)
When you choose to connect a bank account or credit card through our integration with Plaid Inc. (“Plaid”), we collect the following information from your financial institution(s):
- Account information: Account name, type (checking, savings, credit), institution name, and masked account number (last 4 digits only).
- Transaction data: Transaction date, amount, merchant/vendor name, payment channel, and transaction category for up to 24 months of history.
We use this information solely to import and categorize your business transactions for tax compliance purposes. We access your financial data through Plaid's secure, tokenized API. We never receive or store your bank login credentials. By connecting your accounts, you authorize Plaid to access this information on your behalf in accordance with Plaid's Privacy Policy.
You can disconnect your financial accounts at any time from Settings, which immediately revokes our access to your financial data.
2.3 Information Collected Automatically
- Usage data: Pages visited, features used, and actions taken within the platform.
- Device information: Browser type, operating system, and device identifiers.
- Log data: IP addresses, access times, and referring URLs.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing our services: Operating the ArrivHQ platform, including compliance tracking, expense management, revenue tracking, and tax reporting tools.
- Financial data import: Automatically importing and categorizing bank transactions as business expenses or rental income for IRS Schedule E compliance reporting.
- Account management: Managing your account, authentication, billing, and subscription.
- Communication: Sending transactional emails (password resets, account notifications, export confirmations) and responding to support requests.
- Security: Detecting and preventing fraud, unauthorized access, and other security incidents.
- Improvement: Analyzing usage patterns to improve our platform, fix bugs, and develop new features.
- Legal compliance: Meeting legal, regulatory, and tax reporting obligations.
We do not use your information for:
- Advertising or marketing to third parties
- Selling or renting your personal information
- Building consumer profiles for credit decisions
- Any purpose unrelated to providing our services to you
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
4.1 Service Providers
We use trusted third-party services to operate our platform. These providers only access your data as necessary to perform services on our behalf and are contractually obligated to protect it:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, compliance records, uploaded files |
| Plaid | Bank account connectivity | Financial account tokens (we do not share your ArrivHQ data with Plaid) |
| Stripe | Payment processing | Billing details (name, email, payment method) |
| Railway | API hosting | Data processed in memory during API requests |
| Vercel | Frontend hosting | Session tokens, page requests |
| Resend | Transactional email | Email addresses, email content |
| Anthropic (Claude) | AI-powered transaction classification, government-ID information extraction, and face-detection on guest-uploaded photos (where the host has enabled those features) | Transaction descriptions and amounts; photos of government IDs and guest faces submitted to AI-verified checklist steps. Anthropic processes the data as our subprocessor under their published data-handling terms and does not retain customer content after processing for service operations purposes. |
4.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, including to comply with IRS reporting requirements or respond to lawful subpoenas.
4.3 Business Transfers
If ArrivHQ is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4.4 With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: All data stored in our database and file storage is encrypted at rest. Highly sensitive credentials (such as financial account tokens) receive additional application-level AES-256-GCM encryption.
- Tenant isolation: Your data is isolated from other users at the database level using Row-Level Security policies. Other users cannot access your data, even in the event of an application-level bug.
- Authentication: Secure password hashing, JWT-based session management, and optional TOTP multi-factor authentication.
- Access control: Role-based access control, principle of least privilege, and regular access reviews.
- Audit logging: Security-relevant actions are logged for monitoring and incident response.
For more details, see our Information Security Policy, available upon request.
6. Data Retention
We retain your information for as long as your account is active, plus the following periods after account deletion:
- Account data: Deleted within 30 days of account closure.
- Financial and compliance records: Retained for up to 7 years after deletion request, consistent with IRS record-keeping requirements for tax documentation.
- Financial account connections: Access tokens are revoked immediately upon disconnection or account deletion.
- Audit logs: Retained for 3 years for security and compliance purposes.
- Application logs: Retained for 90 days for operational purposes.
- Guest government ID photos: Deleted within 30 days of the guest’s check-out date. The extracted information (name, date of birth, document type, expiration) is retained on the host’s account for the host’s compliance and audit records.
- Guest face / biometric photos: Deleted within 30 days of the guest’s check-out date. The pass/fail verification result is retained on the host’s account for operational records. No separate biometric template is stored.
7. Your Rights and Choices
7.1 Access and Export
You can access all data in your account through the ArrivHQ dashboard. You can export your compliance data (work logs, mileage, expenses, revenue) as CSV files at any time.
7.2 Correction
You can update your personal information, property details, and compliance records directly through the platform.
7.3 Deletion
You can request deletion of your account and all associated data by contacting us at privacy@arrivhq.com. Upon receiving a verified deletion request, we will delete your data in accordance with the retention schedule above.
7.4 Disconnect Financial Accounts
You can disconnect any linked bank account or credit card at any time from Settings. Disconnecting immediately revokes our access to new transaction data from that institution. Previously imported transactions that you approved remain in your compliance records unless you delete them.
7.5 Opt-Out of Communications
You can opt out of non-essential communications at any time. Transactional emails related to your account security and service operation cannot be opted out of while your account is active.
8. Cookies and Tracking
ArrivHQ uses essential cookies for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that follow you across other websites. We do not serve advertisements in our products.
9. Children's Privacy
ArrivHQ is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it promptly.
9. Illinois Biometric Information Privacy Act (BIPA) Notice
BAU Enterprises LLC is registered in O’Fallon, Illinois. We comply with the Illinois Biometric Information Privacy Act (740 ILCS 14) when handling biometric information.
What constitutes biometric information for ArrivHQ. Where a host has enabled the “Photo — Person” checklist step, guest-submitted facial photos may contain biometric information as defined by BIPA. We use Anthropic Claude AI to determine whether the photo contains a human face. We do not generate, extract, or store a separate biometric template (such as a faceprint or face geometry vector). The original photo is deleted within 30 days of the guest’s check-out date.
Notice and consent. Before a guest uploads a face photo, ArrivHQ presents a written notice describing (a) that biometric information is being collected, (b) the specific purpose (verifying guest identity for property access), (c) the length of time the information will be stored (30 days post-checkout), and (d) the AI subprocessor (Anthropic) involved in the processing. The guest must affirmatively acknowledge the notice and authorize the collection before the upload is accepted. Guests who decline may have their host approve check-in manually instead.
Retention schedule and destruction guidelines. ArrivHQ retains biometric information for a maximum of 30 days following the guest’s check-out date. After 30 days, the original photo is permanently deleted from our storage by an automated retention worker, regardless of host action. We do not retain the photo for the BIPA-prescribed three-year default because the operational purpose of the photo is satisfied at check-out. We do not sell, lease, trade, or otherwise profit from biometric information at any time.
Your rights as an Illinois resident. You may (a) request a copy of any biometric information ArrivHQ holds about you, (b) request immediate deletion of any biometric information ArrivHQ holds about you (independent of the 30-day automatic schedule), and (c) revoke a previously-granted consent. Send any such request to privacy@arrivhq.com with the subject “BIPA request” and the reservation reference (host name, property, and approximate check-in date). We will respond within 30 days.
Disclosure to third parties. We disclose biometric information only to Anthropic, our AI processor, and only for the duration necessary to obtain the face-detection result. Anthropic does not retain the data for service-operations purposes after processing. We do not disclose biometric information to any other third party except as required by law.
The full text of BIPA is available at the Illinois General Assembly website. The above is a summary; in the event of any conflict with the statute, the statute controls.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information, subject to certain exceptions.
- Right to opt-out of the sale of personal information. We do not sell your personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at privacy@arrivhq.com.
11. International Users
ArrivHQ is operated from the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States. By using our services, you consent to this transfer.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last Updated” date. For significant changes, we will provide additional notice through the platform or via email.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@arrivhq.com
Website: https://arrivhq.com
BAU ENTERPRISES LLC — O'Fallon, Illinois, United States