This policy applies to:
- Property operators (managers and staff) who use ResortLog to run their property.
- Guests whose information is entered into the app by property operators during check-in or booking.
2.1 — Account & Authentication Information
When you register or log in to ResortLog, we collect:
- Email address
- Password (stored as a secure hash via Firebase Authentication — we never store plain-text passwords)
- Authentication tokens (stored locally on-device for persistent login sessions)
2.2 — Property Information
Information you provide about your property:
- Property name, tagline, address, city, state, PIN code
- Contact phone number and email address
- GSTIN and PAN (for GST-compliant invoice generation)
- Property logo image
- Check-in / check-out times and other property-level settings
- Configurable add-on services and billing preferences
2.3 — Room Information
Details about rooms at your property:
- Room number, name, type (Standard, Deluxe, Suite, Cottage, etc.)
- Floor, bed type, capacity (adults and children)
- Base price per night and weekend price
- Amenities list and description
- Room-level check-in and check-out times
2.4 — Guest Information
Guest details entered by property operators during booking or check-in:
- Full name, phone number, WhatsApp number, email address
- Date of birth, gender, nationality
- Full address (street, city, state, PIN code)
- Government-issued ID proof type (Aadhaar, Passport, Driving Licence, Voter ID, PAN) and ID number
- Photographs of ID documents (front and back images) — stored locally on-device
- Face photograph of the guest — optionally captured during check-in for identification purposes
- Emergency contact name and phone number — collected during check-in
- Vehicle details (e.g. registration number) — optionally collected during check-in
- Guest tags (VIP, Repeat, Corporate, Blacklisted)
- Internal notes added by the property operator
Note: Guest information is entered solely by the property operator for the purpose
of guest registration and legal compliance with local hospitality regulations (Form C requirements).
ResortLog does not independently collect guest data directly from guests.
2.5 — Booking & Stay Information
Records of bookings created in the app:
- Check-in and check-out dates and actual arrival/departure timestamps
- Number of adults and children
- Room assigned and booking reference number
- Booking status (Pending, Confirmed, Checked-In, Checked-Out, Cancelled, No-Show)
- Booking source (Walk-in, Phone, OTA)
- Add-on services added to the stay
- Special requests and internal notes
2.6 — Billing & Payment Information
Financial records associated with bookings:
- Room charges, add-on charges, fees (early check-in / late checkout)
- GST amounts (CGST, SGST) if billing is enabled
- Discounts applied and reasons
- Total amount, amount paid, balance due
- Payment mode (Cash, UPI, Card, Bank Transfer, Cheque)
- Payment timestamps
Important: ResortLog does not collect, store, or transmit full
credit/debit card numbers, CVV codes, UPI PINs, or bank account numbers. Payment mode labels
(e.g. "Card", "UPI") are stored for record-keeping only.
2.7 — Subscription & Billing Information
When you purchase a subscription through the app:
- Subscription plan type (Monthly, Quarterly, etc.) and status (Active, Trial, Expired)
- Purchase transaction identifiers provided by Google Play (anonymised; no card details)
- Entitlement status shared with RevenueCat (our subscription management provider) — see Section 6
Important: ResortLog does not collect, store, or process payment card numbers or UPI credentials for subscription billing. All billing is handled securely by Google Play.
2.8 — Device & Technical Information
- Device type and operating system (Android)
- App version
- Crash logs and error data (used internally to improve app stability — not shared with third parties)
- Push notification token (used solely to deliver in-app and system notifications — not used for marketing)
ResortLog requests the following Android device permissions. Each permission is used only for its stated purpose:
-
📷
Camera
Used during check-in to capture photographs of guest ID documents (front and back) and an optional face photo of the guest. Also used to capture the property logo image.
-
🖼️
Media Library / Photo Gallery (Read)
Allows selecting images from the device gallery as an alternative to the camera when capturing ID documents, guest photos, or the property logo.
-
💾
Media Library / Storage (Write)
Used when you choose to save a generated invoice PDF or a guest ID image to your device's storage or gallery.
-
🌐
Internet Access
Required for Firebase Authentication (login/register) and for syncing property data to the cloud.
-
🔔
Push Notifications (POST_NOTIFICATIONS)
Used to send you operational alerts such as overdue booking reminders (bookings past their check-in date that have not been actioned). Notifications are generated entirely on-device and are not used for marketing.
No unnecessary permissions.
ResortLog does not request access to your contacts, location, microphone, call logs, or SMS.
All permissions are requested only when the relevant feature is first used.
ResortLog uses a local-first storage model. All data is stored on your device by default. Cloud sync via Firebase is used for account authentication:
| Data Type | Where Stored |
|---|
| Rooms, guests, bookings, payments, property settings |
SQLite database on-device (primary, offline-first) |
| ID document photos, guest photos, property logo |
On-device local storage (file system) |
| Login credentials / authentication |
Firebase Authentication (Google) |
| Session tokens |
On-device secure storage (Android Keystore-backed — never leaves the device) |
| Generated invoice PDFs |
On-device (temporary, in app cache; saved to gallery only on your explicit request) |
Authentication is handled by Firebase (Google Cloud) and is subject to
Google's Privacy Policy.
All data transmitted to Firebase is encrypted in transit via TLS/HTTPS.
We use the information collected to:
Provide the service — manage rooms, bookings, guests, and billing for your property.
Authentication — verify your identity and keep your account secure.
Reporting — generate occupancy reports, revenue summaries, and billing statements for your own use.
Invoice generation — produce GST-compliant PDF invoices using booking and payment data stored locally on-device.
App improvement — use anonymised crash and error logs to diagnose and fix bugs.
We do not:
- Sell, rent, or trade your data or your guests' data to third parties.
- Use guest data for advertising or marketing purposes.
- Profile guests or property operators for commercial use.
- Share data with any third party except as described in Section 6 below.
We do not share personal data with third parties except in the following limited circumstances:
- Firebase / Google: For authentication services. Only email address and authentication tokens are shared with Firebase. Booking, guest, and payment data is stored locally on your device and is not sent to Firebase.
- RevenueCat: For subscription management. When you purchase or restore a subscription, your anonymised Google Play purchase receipt and entitlement status are shared with RevenueCat to verify and manage your subscription. RevenueCat does not receive guest data, booking records, or personal property information. See RevenueCat's Privacy Policy for details.
- Google Play: Subscription billing is processed by Google Play. Your payment details are governed by Google's billing terms. ResortLog does not receive or store your card or UPI credentials.
- WhatsApp / Share Sheet: When you tap Share Invoice in the checkout screen, the generated PDF is shared via Android's share sheet to apps of your choice (e.g. WhatsApp, email). This sharing is initiated entirely by you. Sahoo Soft Technologies does not transmit or receive the shared file — it goes directly from your device to the recipient app.
- Legal obligations: If required by applicable law, court order, or government authority in India.
- Account data: Retained in Firebase as long as your account is active.
- Booking, guest, and room records: Stored on-device indefinitely until you delete them within the app or uninstall the app.
- Records deleted within the app: Removed from local storage immediately upon deletion.
- Account deletion: Upon receiving a valid data deletion request (see Section 9), all associated data is permanently deleted within 7 business days.
As a property operator using ResortLog, you have the following rights:
- Access — view all data stored in the app at any time within the app itself.
- Correction — edit any inaccurate or incomplete guest, booking, or property data directly within the app.
- Deletion — delete individual records (guests, bookings) within the app, or request full account deletion (see Section 9).
- Export — export your booking and guest data as CSV files using the Reports screen.
- Withdrawal of consent — discontinue use of the app at any time. As data is stored locally, uninstalling the app removes all local data.
Guest rights: If a guest requests access to or deletion of their data, the property operator is responsible for fulfilling that request using the tools available within the app (edit/delete guest profile).
If you wish to permanently delete your account and all associated data, please send an email to:
Please include the following in your email:
- The email address registered with your ResortLog account
- Your property name (for verification)
We will process your request within 7 business days and send a confirmation
once deletion is complete. Deletion is irreversible — all data will be permanently
removed from Firebase and cannot be recovered.
ResortLog is intended for use by adult property operators and managers (18 years and above).
We do not knowingly collect personal information from children under the age of 13.
Guest records may include children's details (e.g. number of children in a booking) as required
for hospitality management — these are entered by the adult property operator and not by the child.
If you believe a child's personal information has been improperly entered, please contact us
using the deletion email in Section 9.
We take reasonable steps to protect your data, both in transit and at rest:
- In transit: all data exchanged with Firebase is encrypted using HTTPS / TLS.
- At rest on your device: ResortLog's local database and images are saved in app-private storage, which Android isolates from every other app on the device. On Android 10 and later, this storage is additionally protected by the device's file-based encryption, which is active whenever a screen lock (PIN, pattern, password, or biometric) is set.
- Authentication tokens: session tokens are stored using expo-secure-store, which is backed by the Android Keystore system — a hardware-backed secure enclave on most modern devices.
- Passwords: Firebase Authentication stores passwords only as secure one-way hashes. Plain-text passwords are never transmitted to or stored on our servers.
- Access control: Firebase Security Rules restrict cloud reads and writes so that only the authenticated property account can access its own records.
- ID proof images in the cloud: when ID document photographs are uploaded for backup, they are stored in Firebase Storage, which is encrypted at rest by Google using AES-256.
- Data minimisation: only the data required for the feature you are using is transmitted. Where the app can operate offline (viewing rooms, creating bookings, generating invoices), it does so without a network round-trip.
Why we do not add a separate database password.
The local SQLite database is already protected by two layers: Android's per-app sandbox
(which prevents other apps from accessing it) and, on modern Android versions, the device's
own file-based encryption (which protects the storage when the device is locked). Adding a
separate database-level password would provide little additional protection against realistic
threats but would introduce significant risk of data loss during upgrades. We have assessed
this trade-off and consider the current design a reasonable security safeguard as envisaged
under the Digital Personal Data Protection Act, 2023.
Your role matters.
To keep data safe, please:
- Set a screen lock (PIN, pattern, password, or biometric) on the device that runs ResortLog — this activates Android's built-in encryption.
- Use a strong, unique account password and do not share your login credentials.
- Keep your device's operating system and the ResortLog app up to date.
- If a device used for ResortLog is lost or stolen, notify us immediately using the email in Section 9 so access can be revoked.
No method of electronic storage or internet transmission is fully secure. We continuously
review our security posture and will update this policy to reflect meaningful changes.
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code)
Rules, 2021, and applicable Indian data protection regulations, we have appointed a Grievance Officer
to address any complaints or concerns regarding the processing of your personal data.
This Privacy Policy is governed by and construed in accordance with the laws of India, including
the Information Technology Act, 2000 and the Information Technology (Amendment) Act, 2008, and
applicable rules thereunder.
Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts
of India.
We may update this Privacy Policy from time to time. When we do, we will update the
"Last updated" date at the top of this page. We encourage you to review this policy
periodically. Continued use of the app after changes constitutes your acceptance of the
revised policy.
If you have questions or concerns about this Privacy Policy or how your data is handled, please contact us:
ResortLog