Your signed copy after signing

Until the signing page, PreArrive only knew one address: the one you typed when you created the reservation. For Airbnb guests that's usually a *.relay.airbnb.com alias that stops forwarding sometime after checkout, fine for the signing invite, useless for a copy a year later.

On the signing page, the guest fills in a separate "Where should we send your copy?" field. We pre-fill it when the host-provided address looks like a real address (it isn't Airbnb's relay suffix); otherwise the field is blank and required. The completion email goes there, not to the relay.

If the guest skips the field somehow or it doesn't validate, the completion email falls back to the original host-provided address. The signature itself never depends on the email. Even if every send fails, the signature is committed.

Short, transactional. Sender is your sending domain (mail.prearrive.com by default), reply-to points the guest at the Airbnb DM thread so support stays on-platform. The body has one CTA (View your copy) pointing at the durable URL.

Subject line follows the property name pattern: "Your signed copy of the {property name} stay packet." No PDF attachment. Relays strip them and corporate filters quarantine them. The link is the carrier.

The link is shaped like:

• https://prearrive.com/c/<copy_token>: 32 random bytes, base64url-encoded.

No login, no auth, no expiry, no rotation. The token is the credential. We chose a short /c/ path because corporate URL rewriters (SafeLinks, ProofPoint) tend to mangle long paths and query strings more aggressively than short ones. A short path survives more deliveries intact.

A pasted link still works. If the email never lands (relay failed, address typo, spam folder), open the reservation, click Copy guest's copy link, and paste the URL into the Airbnb DM thread. The guest taps and lands on the same page.

The default view is a mobile-friendly HTML certificate: property name, stay window in local time, every rule and fee the guest acknowledged with its individual timestamp, the drawn signature image, and the content hash.

A Download PDF button on the same page hands back the canonical certificate PDF (same one your dashboard exports). The PDF carries the QR code that resolves to the public /verify/<hash> page for cold third-party verification.

Every view of the HTML page and every PDF download writes a row to the reservation's engagement log so you can see when the guest returned, useful when the guest comes back two months later asking what the parking rule said.

Today the /c/ page carries pure PreArrive branding: wordmark, fonts, "Powered by PreArrive" footer. Your custom color and logo do not render on this surface.

That's a deliberate trade-off. The page exists to be tamper-evidently linked back to PreArrive. An adjuster or a small-claims clerk scanning the URL should see PreArrive, not a brand they've never heard of. Custom branding on the durable copy is on the roadmap; for now, the signing page is where your color and logo render.

Plan for at least 24 months of availability. There's no expiry in the code path and no rotation schedule.

If you need to retire a single copy URL (the wrong address received the email, the guest asked to delete the record), contact support. Revocation is internal-only in this release. We set the token to NULL on the signature row and the URL returns a 404. The signature itself stays in place; only the public copy URL is severed.