Privacy policy — PreArrive

At a glance

This policy describes how PreArrive actually handles data today. Plain language; no dark patterns. If anything here is unclear, email [email protected] — a human reads it. For the specific list of browser cookies we set (and which require your consent), see the cookie policy. Last updated: May 20, 2026.

01Who we are

PreArrive is run by Parameter LLC.

PreArrive is a product of Parameter LLC, a US software company based in the State of Florida. Parameter LLC is the data controller for the information described here. Questions about this policy go to [email protected]; security matters go to [email protected].

02What we collect

Two kinds of data pass through the product.

Host account data. When you sign up we store your email address and name, the properties and packets you build (house rules, itemized fees, welcome content), the reservations you enter, and your billing status. Sign-in is passwordless — we do not store passwords.

Guest data. When a host sends a packet, the guest reviews and signs it. To do that we collect the guest's name and email address, the IP addresses recorded when they open and when they sign, the drawn-signature image, and a two-event audit trail of the open and sign events. We also store a SHA-256 hash of the exact packet text the guest signed. Guests are not PreArrive account holders — their data is collected on behalf of the host who sent the packet.

We also keep ordinary server logs and first-party analytics about how the marketing site and app are used. We do not run third-party ad or tracking pixels.

Bot-challenge signals. The help-widget escalation form runs Cloudflare Turnstile to block automated abuse. Turnstile collects the visitor's IP address and a set of browser and device signals (challenge solve patterns, hardware characteristics, header values) to score whether the request looks human. We do not see those signals; Cloudflare returns only a pass/fail token. Cloudflare's processing of this data is governed by the Cloudflare Turnstile Privacy Addendum, which is incorporated into this policy by reference.

03Why we collect it

Each field has a job.

Host account data exists to run the service: to let you sign in, build packets, send reservations, and manage billing. Guest data exists to produce one thing — a tamper-evident certificate that records that a specific guest read and acknowledged a specific set of rules and fees before check-in. The IP addresses, timestamps, signature image, and content hash are what make that certificate evidentiary rather than decorative. We do not use guest data for marketing.

04Who else touches the data

A short list of sub-processors.

We keep the vendor list small and name it plainly:

Cloudflare — hosting, the D1 database, KV storage, and the Access gateway that guards the operator panel. Data is stored in US-region infrastructure.
Cloudflare Turnstile — privacy-friendly bot challenge on the help-widget escalation form. Processed under the Cloudflare Turnstile Privacy Addendum; see §02 above for the signals involved.
Stripe — payment processing for paid tiers. Card details go directly to Stripe; PreArrive never sees or stores full card numbers.
Mailgun — transactional email: sign-in links, guest packet emails, and receipts.
Teamwork Desk — support ticketing for messages submitted through the help-widget escalation form (your email + the message you typed).

Each of these processes data only to provide its service to us. We do not sell your data, and we do not share it with marketers, data brokers, or insurance carriers.

05How long we keep it

Certificates are kept for about seven years.

Signed certificates and their audit trails are retained for roughly seven years from the sign date — long enough to cover the longest US statute-of-limitations window for a small-claims property dispute. Host account data is kept while the account is active. If an account closes, past certificates stay exportable for 90 days and are then archived for the rest of the retention window. If a certificate is deleted on request, the content hash and audit-trail metadata stay on the reservation so the deletion itself remains traceable.

06Your choices

Access, export, and deletion.

Hosts can export their data — including certificates and audit trails — from the product. If you want a copy of the data tied to your account, or you want it redacted or deleted, email [email protected] and a person will handle it. Guests whose data was collected through a host's packet can ask us, or the host who sent the packet, for access or deletion. We honor those requests subject to the retention rules above — some audit-trail metadata is kept so a deletion stays provable.

07How we protect it

Security posture, stated plainly.

Data is stored on US-region Cloudflare infrastructure. The operator admin panel sits behind Cloudflare Access — operator access requires an authenticated identity and is logged. Packet text is hashed with SHA-256 at send time, so any later change to a packet is detectable. No system is perfectly secure, but we keep the surface small on purpose: no ID scans, no biometrics, no third-party trackers. Report a vulnerability to [email protected].

08Changes and contact

If this policy changes.

If we change this policy we will update the date at the top of this page; material changes will be communicated to active hosts by email. Questions, requests, or corrections go to [email protected].

Plain policy. Plain product.

If the privacy story above sounds right, the product follows the same posture. One property runs free, no card.

Get started free See trust & security