Data Policy
Purpose & Scope
This policy defines how Link N' Sync collects, processes, stores, and disposes of data related to its vacation‑rental platform. It applies to all employees, contractors, and third‑party vendors handling data in the United States and Mexico.
- Covers User Data, Organization Data, Property Data, PMS Data, and ICAL Data.
- Applies to production, staging, and development environments.
Data Classification & Encryption
Data is classified as Sensitive PII when it includes personal identifiers such as name, email, or phone number. All Sensitive PII is encrypted at rest using industry‑standard AES‑256 encryption. Non‑PII data (e.g., public property URLs) is stored without encryption but is still subject to access controls.
- User Data (Full Name, Email, Phone, Role) – Encrypted
- Organization Data (Org Name, COID) – Encrypted
- Property Data (address fields, photos, ICAL details) – Encrypted
- ICAL Data – Encrypted when stored; exported only via secure channels
Access Control & Ownership
Access to data is granted on a least‑privilege basis. Ownership of data resides with the business function that created it.
Third-Party Management
Link N' Sync relies on several external services.
- ImitateEmail – Email transmission only, no storage of PII.
- ImageBB – Stores only image binaries; URLs are not PII.
- ClerkJS – Handles authentication.
- Supabase (PostgreSQL) – Primary data store; encrypted at rest.
- Vercel – Hosts the web UI; no data persistence.
Retention, Log Management & Disposal
Operational logs are retained for 7 days and then securely deleted. Data that is no longer required for business or legal purposes is purged in accordance with the retention schedule.
Enforcement & Training
Compliance with this policy is mandatory. Violations may result in disciplinary action up to termination of services. Ongoing training ensures all stakeholders understand their responsibilities.