PX Privacy Policy

1. Scope and Roles

1.1 Controller and Processor Roles

• For personal data we collect about you as a Customer or prospective customer (for example your account profile, billing information, and marketing data), PX acts as a "controller" (or "business") under applicable data protection laws.
• For personal data we process on behalf of Customers about their guests, owners, or staff, including booking and accounting data, PX generally acts as a "processor" or "service provider". In these cases, our processing is governed by our agreement with the Customer, including any Data Processing Addendum ("DPA").

1.2 Applicability

This Privacy Policy applies to personal data we process in connection with the Services and our business operations. It does not apply to websites, services, or products that we do not own or control, or to data you choose to send to third parties through the Services.

2. Personal Data We Collect

We collect the following categories of personal data, depending on how you interact with the Services.

2.1 Account and Business Profile Data

• Name and contact details such as email, phone, and mailing address
• Business name, role, and number of listings or properties
• Account credentials and authentication data
• OAuth tokens, API keys, and other connection credentials you provide to enable integrations, stored in encrypted form

2.2 Owner, Property, and Portfolio Data

• Owner names and contact details
• Property addresses and identifiers
• Property configuration, rules, and financial targets

2.3 Booking, Revenue, and Accounting Data

• Reservation details, channel information, stay dates, and pricing
• Payouts, refunds, fees, and commissions
• Expense data and categorization, including vendor names and invoice references
• Owner statement data, reserves, and payout schedules
• Reconciliation data between PMS, channel payouts, and bank transactions

2.4 Financial and Integration Data

• Connections to PMS, accounting platforms, payment processors, and channel managers
• Tokenized bank or card connection information provided by third-party aggregators such as Plaid and payment processors such as Stripe
• Bank transaction data relevant to STR operations such as deposits, fees, and vendor payments

We do not store your full bank login credentials. Those are handled by our integration partners.

2.5 Guest and Occupancy Tax Data

• Data necessary to calculate and track guest or lodging taxes, such as stay details, tax jurisdictions, tax categories, and amounts collected or remitted
• Information used in returns, worksheets, and informational reports that may include tax identifiers where provided by you

2.6 Communications and Support Data

• Messages and communications with us, including email, in-app messages, and support chats
• Call logs, meeting invitations, and notes from onboarding or strategy sessions
• With your consent where required, recordings and transcripts of sessions used for internal quality assurance, support improvement, and training of PX personnel

2.7 Usage and Device Data

• IP address, device identifiers, browser type, and operating system
• Log data such as pages viewed, features used, error logs, and diagnostic data
• Records of your acceptance of our Terms and your authorization of actions within the Services (for example clicking "Run Audit", "Auto-Fix", "Apply Fix", or similar)
• Cookie and similar identifiers used for authentication, analytics, and marketing where allowed

2.8 Vendor and Contractor Data

• Contact and scheduling information for vendors such as cleaners, maintenance providers, or other third parties that you choose to coordinate through PX

2.9 Sensitive or Special Categories Data (limited)

• In limited cases and only where provided by you, government identifiers, exact property access codes, or sensitive notes needed for operations and tax reporting

We seek to minimize collection of sensitive data and apply additional safeguards where required.

3. Sources of Personal Data

We collect personal data from:

• You directly, for example when you create an account, configure properties, or contact support
• Systems you connect to PX, such as PMS (including OwnerRez and Guesty), OTAs, bank-data providers, payment processors, and accounting systems
• Cookies, SDKs, and similar technologies when you use the Services
• Service providers, partners, and other third parties that support our operations
• Public sources, for example to verify business details and reduce fraud

4. How We Use Personal Data

We use personal data for the purposes described below.

4.1 Providing the Services

• Creating and administering accounts and workspaces
• Automatically creating Admin accounts when PMS configurations are provided by you, using the information associated with those configurations
• Importing and syncing data from PMS, bank feeds, and other integrations
• Generating diagnostics, owner statements, audits, reconciliations, and tax worksheets and reports
• Operating workflows, automations, and user-directed actions you initiate
• Processing your billing information, including credit card, debit card, and bank account details, to charge recurring subscription fees and other applicable charges to your designated payment method

4.2 Improving and Developing the Services for You and All of Our Customers

For as long as you have an account with us, we use data associated with your account and your use of the Services to keep the Services running well and to make them better over time. The goal of this work is simple: to make the product more accurate, more reliable, more secure, and more useful for you and for the rest of our customers. Specifically, we may use this data to:

• Monitor performance, reliability, and quality, and identify and resolve issues
• Diagnose and fix bugs, errors, and security or integration problems
• Design, build, test, validate, and refine features, workflows, automations, classifications, audit checks, mappings, dashboards, exports, and similar tools
• Carry out internal research, analytics, and benchmarking that help us understand how the Services are used and how to improve them
• Train, evaluate, and tune internal rule engines, classifiers, scoring systems, and models that power features such as configuration audits, transaction classification, suggested fixes, content generation, and similar capabilities
• Develop new features, products, and improvements that benefit our customers

We have designed this development work to focus on the patterns, structures, and signals that make the product better, not on the personal details of any individual. In particular:

• Wherever practical, we work with data that has been aggregated, summarized, or stripped of identifiers (often called "de-identified" or "aggregated" data) so that the data we use for development does not identify you, your owners, your guests, or any other individual.
• Access to data used for development is limited to authorized personnel and vetted service providers, who are bound by confidentiality obligations and who use the data only for the purposes described in this Privacy Policy.
• We do not show one customer's identifiable data to another customer in the product. Improvements derived from one customer's usage may benefit all customers (for example a better classifier or a more accurate audit check), but the underlying personal details remain protected.
• We do not sell your personal data, and we do not use your personal data to deliver third-party advertising on other websites or apps.
• Where we use third-party AI providers to support certain features, we contract with those providers to limit their use of your data to providing the requested service to us, and we configure those providers, where the option is available, so that your data is not used to train their generally available models.

In short: while you have an account with us, we use your data to keep the product working and to make it better, with safeguards designed to protect the privacy of individuals along the way. If you would like additional information about how we apply these safeguards in a given context, please contact us.

4.3 Communications

• Sending administrative messages such as notices about changes, security, billing, or service issues
• Responding to support requests and questions
• Sending product updates, events, and marketing communications where permitted by law and your preferences

4.4 Security and Fraud Prevention

• Detecting, investigating, and preventing security incidents
• Protecting against fraudulent, abusive, or unauthorized activity
• Enforcing our Terms and other agreements

4.5 Legal and Compliance

• Complying with legal obligations, including tax, audit, and regulatory requirements that apply to us
• Responding to lawful requests from authorities and resolving disputes

4.6 Legal Bases in the EEA and UK

Where data protection laws apply and require a lawful basis, we rely on:

• Performance of a contract, for example to provide the Services you request
• Legitimate interests, such as providing, securing, supporting, improving, and developing the Services and protecting our customers, where those interests are not overridden by your rights
• Compliance with legal obligations
• Consent, where required for certain processing such as some kinds of marketing or cookies

5. How We Share Personal Data

We share personal data in the following circumstances:

5.1 Service Providers and Subprocessors

We share personal data with trusted third parties who perform services on our behalf, such as:

• Hosting and infrastructure providers
• Analytics, monitoring, and logging providers
• Email, messaging, and notification services
• Payment processors and bank-data integrators (including Stripe and Plaid)
• Identity verification and security services
• Support and ticketing systems
• Recording and transcription providers for meetings, where used
• AI and machine-learning providers (including OpenAI) that support specific features, configured where available so that your data is not used to train their generally available models

These providers process personal data under contracts that limit use to providing services to us and that include appropriate safeguards.

5.2 Integrated Platforms and Tools

When you choose to connect external platforms to PX, we share personal data as necessary to enable those integrations, such as:

• PMS and channel managers, to sync listings, reservations, and payouts
• Accounting systems, to sync accounting entries
• Communication tools, to send notifications or emails

Sharing and subsequent processing by those platforms is governed by their own terms and privacy policies.

5.3 Tax Providers and Advisors

If you purchase or use tax preparation or filing services through or with PX, we will share relevant data with Tax Providers, including:

• Booking, revenue, and tax data necessary to prepare returns or worksheets
• Account and business information that you authorize us to share

Tax Providers handle personal data under their own privacy and engagement terms. PX is not responsible for their independent handling of data beyond our role as a facilitator and processor where applicable.

5.4 Vendors and Operational Partners

If you choose to coordinate vendors such as cleaners or maintenance providers through PX, we may share schedules, property information, and contact details with those vendors at your direction.

5.5 Affiliates

We may share personal data with our corporate affiliates for purposes consistent with this Privacy Policy, such as internal administration, shared development, and shared services.

5.6 Business Transfers

We may share or transfer personal data in connection with mergers, acquisitions, financing, due diligence, reorganizations, or sale of all or part of our business. We will require any successor or acquirer to respect this Privacy Policy or a substantially similar policy.

5.7 Legal, Safety, and Enforcement

We may disclose personal data if we believe in good faith that it is reasonably necessary to:

• Comply with a law, regulation, legal process, or governmental request
• Protect the rights, property, or safety of PX, our users, or the public
• Enforce our Terms or agreements or collect amounts owed

5.8 No "Sale" of Personal Data

We do not "sell" personal data as that term is defined in some privacy laws, and we do not share your personal data for cross-context behavioral advertising in a way that would require an opt-out under those laws, except as described in Section 10. To the extent any of our analytics or marketing practices would be considered "sharing" under California law, you can opt out as described in Section 10.

6. Cookies and Similar Technologies

We use cookies, pixel tags, and similar technologies to:

• Authenticate users and maintain sessions
• Remember preferences and settings
• Perform analytics about usage and performance of the Services
• Support marketing, where allowed by law and your preferences

You can manage cookie preferences using your browser settings and, where provided, in product cookie settings. Blocking certain cookies may affect the functioning of the Services.

Where required by law, we will obtain your consent before using non-essential cookies.

7. Data Retention

We retain personal data for as long as reasonably necessary to:

• Provide the Services and support your use
• Maintain business, billing, audit, and tax records
• Improve, develop, secure, and operate the Services
• Comply with legal and regulatory obligations
• Resolve disputes and enforce agreements

When personal data is no longer needed for these purposes, we will delete or de-identify it, subject to technical limitations and backup retention practices. We may retain de-identified or aggregated data without time limit.

Where we process personal data as a processor on behalf of a Customer, we retain and delete data in accordance with our agreement with that Customer, including any DPA.

8. Security

We implement technical and organizational measures intended to protect personal data, including:

• Access controls, role-based permissions, and authentication
• Encryption in transit and at rest where appropriate, including symmetric encryption of integration credentials
• Network and application-level security controls
• Monitoring, logging, and auditing
• Vendor due diligence and contractual security commitments
• Confidentiality obligations for personnel and contractors

No system or transmission is completely secure. You are responsible for protecting your account credentials, choosing strong passwords, limiting access to authorized personnel, and using appropriate security practices in your own environment.

If we become aware of a security incident involving personal data, we will take steps to investigate, mitigate, and notify affected parties and regulators where required by law or agreement. To the maximum extent permitted by law, our liability for any security incident is governed by, and subject to, the limitations of liability and other risk-allocation provisions of the Terms of Service.

9. International Transfers

PX is based in the United States and personal data may be stored and processed there and in other countries where we or our service providers operate.

Where required by law for transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, such as:

• Standard Contractual Clauses approved by the European Commission or UK authorities
• Other lawful transfer mechanisms as they become available

You may contact us for more information about applicable transfer safeguards.

10. Your Privacy Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data:

• Access to the personal data we hold about you
• Correction of inaccurate or incomplete personal data
• Deletion of personal data, in certain circumstances
• Restriction of or objection to certain processing
• Portability of certain personal data in a structured, commonly used, machine-readable format
• Withdrawal of consent, where processing is based on consent

Customers are primarily responsible for responding to requests from their guests, owners, or staff where we process data as a processor on their behalf. We will assist Customers in handling such requests as required by our agreements and applicable law.

For personal data we control directly (for example your account and marketing data), you can submit requests by contacting us at admin@pxaccounting.com. We may need to verify your identity before fulfilling a request.

If you are in California or another US state with consumer privacy laws, you may have additional rights such as:

• Right to know categories of personal data, sources, purposes, and disclosures
• Right to opt out of certain cross-context behavioral advertising or "sharing"
• Right not to be discriminated against for exercising your rights

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

We may deny requests in certain cases, for example where we cannot verify your identity, where the request would infringe on the rights of others, where the data is no longer linkable to you, or where we are required or allowed by law to retain data.

11. Children

The Services are not directed to children under 16 and we do not knowingly collect personal data from children under that age. If we learn that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete it. If you believe such data has been provided to us, please contact us.

12. Communications and Marketing

12.1 Service Communications

We may send you transactional or service-related communications, such as account, security, and billing notices. You generally cannot opt out of these communications while continuing to use the Services.

12.2 Marketing Communications

Where permitted by law, we may send you promotional emails or other marketing messages about PX. You can opt out at any time:

• By following the unsubscribe instructions included in those messages, or
• By contacting us at admin@pxaccounting.com

12.3 SMS and Phone

If you provide a mobile number and consent to receive SMS or calls, we may send messages related to your use of the Services. Message and data rates may apply. You can reply "STOP" to a SMS message to unsubscribe.

13. Processing as Processor for Customers

Where PX processes personal data on behalf of a Customer as a processor or service provider, we will:

• Process personal data only on the Customer's documented instructions, including as set forth in our agreements and any DPA
• Ensure personnel handling personal data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures to protect personal data
• Use subprocessors subject to written commitments and maintain a list of such subprocessors
• Notify Customers of certain personal data breaches as required by agreement and law
• Assist Customers in meeting their obligations regarding data subject rights and regulatory inquiries, to the extent reasonably possible
• Delete or return personal data at the end of the engagement, subject to legal retention requirements and as specified in our agreements

If you are a guest, owner, or staff member of a Customer, you should direct privacy questions or requests to that Customer.

14. Aggregated and De-identified Data

We may create, retain, and use aggregated, anonymized, or de-identified data derived from personal data and use of the Services for any lawful purpose, including analytics, benchmarking, research, model improvement, product development, marketing, and disclosure to third parties, provided that such data does not, on its own, identify you, your owners, your guests, or any other individual. Such data is not subject to the access, deletion, and similar rights described in Section 10 to the extent it is no longer linkable to an identifiable individual.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you, for example by email or through the Services, and indicate the effective date. Your continued use of the Services after an update becomes effective means you accept the updated Privacy Policy. If you do not agree, you should stop using the Services.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, or wish to exercise your rights, please contact us: