If a host requires a photo at signing, here’s what we do with it.

01What this is

Some PreArrive hosts choose to add a photo step to the signing flow. Before you sign the rules and fee schedule, the page asks you to take a quick picture of yourself with the device camera. We store that photo as part of the signed record — the same record that holds the rules you acknowledged and the drawn signature you provided.

It is a photo, not biometric processing. We do not extract face geometry, compute embeddings, match the photo against any ID document, match it against past photos of you or anyone else, or share it with a third-party identity service. We are not asserting who you are; we are recording that a person took a photo when they signed.

02What we do with the photo

• We embed it in the certificate. The signed-acknowledgment PDF that the host receives includes the photo, the timestamp, and the IP address you signed from — and a SHA-256 hash that covers all of the above so any edit is detectable.
• We store it encrypted. The image is encrypted at rest with AES-256-GCM in our object storage (Cloudflare R2). The decryption key is held as a Cloudflare secret and used only server-side at the moment the certificate PDF is built — or by a member of our support team if you or the host opens a dispute about the certificate.
• We strip location. Photo EXIF metadata (including any GPS coordinates the device might embed) is removed before storage.

03What we do NOT do

• We do not run face matching, face recognition, or any biometric comparison.
• We do not use the photo to train any model, ours or a vendor’s.
• We do not sell, rent, or share the photo with advertisers or data brokers.
• We do not ask for an ID document — no driver’s licenses, no passports, no scans.
• We do not infer age, gender, ethnicity, or any other demographic attribute from the photo.

04How long we keep it

By default, the photo is deleted from our storage one year after your checkout date. The cryptographic hash of the photo and the rest of the certificate (timestamps, IPs, your acknowledgments) remain — so the certificate itself is still verifiable, the image just isn’t there anymore. The PDF regenerates with a “photo redacted on {date}” notice in the photo block.

Your host can shorten the retention per property. They cannot extend it beyond the value documented in our service terms. Some hosts on the Pro plan can extend modestly within those terms.

Two situations override the default deletion:

• You ask us to delete it sooner. Use the deletion link in your signing-confirmation email, or write [email protected] from the email address you signed with. If there is no active dispute or legal hold on the reservation, we delete the photo within five business days.
• A legal hold is in place. If the host has opened an active dispute or our operations team has placed a legal hold on the reservation, we keep the photo while the hold is active. We will tell you that, and tell you when the hold lifts.

05Consent

The photo step does not run unless you check the consent box on the signing page. The box is unchecked by default; the page tells you what the photo is for, how long we keep it, and links to this policy. If you decline, the signing flow cannot complete for that property — you can either contact the host (the host can waive the requirement for your specific reservation) or decline to stay.

We log the exact version of the consent paragraph you agreed to alongside the photo, with a timestamp and IP, so the consent record stays linked to the image even if we revise the wording later.

06Where this fits in the rest of our policies

Everything else about how PreArrive handles your data — the general retention schedule for signed certificates, the list of sub-processors, your access and deletion rights, the legal basis for processing under GDPR/CCPA — lives in our privacy policy. The photo policy you’re reading sits under that umbrella; it is not a substitute for the full privacy notice.

Questions, deletion requests, or anything that doesn’t fit a form: [email protected].

This document is operational guidance about a product feature. It is not legal advice. Updates are dated below; older versions are linked from the changelog on /privacy/.