Hostrail Docs
Legal

Privacy Policy

How Hostrail handles traveler, hotel, API, and MCP data.

Metadata JSONDocs Graph

This policy describes how Hostrail handles data across the public site, booking experience, commerce API, documentation, MCP endpoint, and AI platform integrations.

Data We Process

Hostrail may process:

  • hotel, room, rate, availability, tax, fee, and cancellation policy data
  • quote, hold, booking, payment status, refund, and receipt data
  • traveler contact details needed to complete or manage a booking
  • delegated user context supplied by an AI platform or authorized client
  • API, MCP, audit, security, and operational logs
  • support messages and review/demo account metadata

Hostrail does not ask end users to paste API bearer tokens, payment secrets, or hotel operator credentials into chat prompts.

How We Use Data

We use data to:

  • search hotel availability and create quotes
  • place temporary holds and confirm bookings after explicit user approval
  • cancel bookings, calculate refunds, and issue transaction receipts
  • enforce tenant isolation, authentication, authorization, rate limits, and abuse prevention
  • troubleshoot integration issues and improve reliability
  • satisfy legal, tax, fraud prevention, and payment processor obligations

Quote responses are treated as the current source of truth for price, taxes, fees, cancellation policy, and expiry. Consequential actions such as booking confirmation and cancellation require explicit traveler consent.

AI Platform Integrations

Hostrail exposes tools to AI platforms through MCP and related discovery surfaces. Connected AI platforms may send user requests, tool arguments, and delegated user context to Hostrail when a user chooses to use the integration.

Hostrail returns structured tool responses, including booking details, next actions, errors, and signed receipts. Hostrail does not use AI platform tool traffic to train a general-purpose foundation model.

Sharing

We share data only as needed to operate the booking flow, including with:

  • hotels and property operators
  • payment providers and refund processors
  • channel managers or PMS providers when a property uses them
  • infrastructure, logging, security, and support vendors
  • legal or regulatory parties when required

We do not sell traveler personal data.

Retention

We retain booking, payment, refund, audit, and receipt records for operational, legal, tax, fraud prevention, and dispute-resolution needs. We retain logs for security and reliability for a limited operational period unless a longer period is required to investigate abuse, fraud, or legal claims.

Security

Hostrail uses tenant isolation, scoped credentials, delegated user controls, idempotency, audit logs, and signed receipts to protect booking execution. Integrators are responsible for storing their own client secrets and agent credentials securely.

Choices And Requests

Travelers and operators can contact Hostrail to request access, correction, deletion, or restriction of personal data where applicable. Some records may need to be retained for legal, tax, payment, anti-fraud, or dispute-resolution reasons.

Contact

For privacy questions or data requests, contact privacy@hostrail.dev.

Terms of Service

Terms governing use of the Hostrail platform, APIs, and MCP surfaces.

On this page

Data We ProcessHow We Use DataAI Platform IntegrationsSharingRetentionSecurityChoices And RequestsContact