BaseNest LLC Privacy Policy
This Privacy Policy explains how BaseNest LLC collects, uses, shares, and protects your personal information when you use our Platform. By using the Platform, you agree to this Privacy Policy.
BaseNest LLC is not affiliated with, endorsed by, or acting on behalf of the United States Department of Defense or any federal agency.
1. Introduction & Scope
BaseNest LLC ("BaseNest,' "we,' "our,' or "us') operates a verified short-term rental marketplace serving U.S. service members, Veterans, DoD civilians, and government contractors. This Privacy Policy applies to all users of the Platform - both Guests (users who book lodging) and Hosts (users who list lodging). Where data practices differ between Guests and Hosts, this Policy identifies the difference.
2. Information We Collect
2.1. Account & Profile Data
| Data Element | Purpose |
|---|---|
| Full name | Account identification and communications |
| Email address | Account management, notifications, and marketing (with consent) |
| Phone number | Account security and support communications |
| Pay grade | E-1 through O-10, Warrant Officer, GS schedule, or equivalent — extracted from verification document |
| Branch of service or agency | Extracted from verification document |
| Duty station / installation | Used to match Guests with relevant listings |
| Verification status | Approved, denied, or pending — retained for the life of the account |
| User role | Guest, Host, or both |
2.2. Identity Verification Data
Guest Verification (Staff Review)
Guests verify eligibility by submitting one of the following military documents, listed in order of preference:
- Leave and Earnings Statement (LES) — preferred
- Permanent Change of Station (PCS) Orders
- Temporary Duty (TDY) Orders
Guest verification is conducted by BaseNest staff — it is a human review process, not automated. No biometric data is collected from Guests.
Document handling
- Submitted documents are temporarily stored in BaseNest's AWS S3 infrastructure (U.S.-based) while under review
- The document is permanently and securely deleted from AWS S3 upon completion of review, regardless of approval or denial
- BaseNest does not retain the document itself after verification is complete
Data extracted and retained
| Data Element | Purpose |
|---|---|
| Name | Confirmed against account registration name |
| Pay grade | E-1 through O-10, Warrant Officer, GS schedule, or equivalent |
| Branch of service or agency | Army, Navy, Marine Corps, Air Force, Space Force, Coast Guard, DoD civilian, contractor |
| Verification status | Approved or denied |
SSN ADVISORY: LES documents frequently contain a full or partial Social Security Number (SSN). BaseNest does not collect, store, record, or use SSN data. Guests are strongly encouraged to redact their SSN before uploading.
Host Verification (Stripe Identity — Automated)
Hosts verify identity through Stripe Identity, which uses automated government document capture and biometric face-matching. Stripe Identity processes and manages all verification data within Stripe's own infrastructure. BaseNest does not independently store Host identity verification documents or biometric data.
2.3. Booking & Transaction Data
| Data Element | Description |
|---|---|
| Booking confirmation number | Unique identifier for each reservation |
| Property details | Name, address, nightly rate, and booking dates |
| Guest and Host names | Associated with each transaction |
| Total amounts charged | Including base rate, taxes, and fees |
| Cancellation tier applied | Tier 1/2/3 or military orders release — recorded as part of the transaction record |
| Cancellation fees assessed | Late-cancellation fee, early-departure fee, or fee waiver under military orders release |
| Payment method type | Card type; full card numbers are not stored by BaseNest |
| Military orders (if submitted) | Submitted for SCRA or orders-based cancellation requests; deleted after processing |
| Receipts | DTS-compliant itemized receipts generated for each completed stay |
2.4. Communications & Support Data
Platform messages between Hosts and Guests; support tickets; cancellation dispute mediation records; and review and rating content submitted after a stay.
2.5. Device & Usage Data
IP address and approximate geolocation (city/state level)
- Browser type, version, and operating system
- Pages visited, features used, and time spent on the Platform
- Referral source
- Session and device identifiers
2.6. Marketing Engagement Data
When you receive communications from BaseNest via Customer.io: email open and click events; unsubscribe and opt-out actions; and subscription topic preferences.
3. How We Use Your Information
| Purpose | Description |
|---|---|
| Account management | Create and maintain your account; authenticate identity; manage verification status |
| Eligibility verification | Confirm qualifying military or government status; conduct OFAC/SDN screening |
| Guest document review | BaseNest staff reviews submitted LES or orders documents to confirm eligibility; document deleted after review |
| Host automated verification | Stripe Identity processes Host identity documents and biometric data per 5 |
| Booking & transactions | Process reservations, payments, refunds, and cancellations; apply cancellation tiers and military orders releases; generate DTS-compliant receipts |
| Communications | Transactional emails; promotional content with consent; cancellation and refund status notifications |
| Platform improvement | Analyze usage; improve features; detect and prevent fraud and abuse |
| Legal & compliance | Comply with applicable law; respond to legal process; enforce Terms; maintain required records |
| Dispute resolution | Review Platform communications, booking records, and cancellation records to facilitate Host-Guest disputes |
| Tax collection | Calculate, collect, and remit applicable lodging taxes as a marketplace facilitator |
4. Third-Party Service Providers & Data Processors
| Provider | Users | Purpose |
|---|---|---|
| Stripe Identity (stripe.com/identity) | Hosts only | Automated identity verification for Hosts only. Processes Host government ID documents and biometric face-match data. Stripe manages and stores Host verification data. NOT used for Guest verification. |
| Stripe Payments (stripe.com) | All users | Payment processing for all transactions. Receives payment method data. BaseNest does not store full card numbers. |
| Customer.io (customer.io) | All users | Email marketing and transactional notifications. Receives: name, email, pay grade, branch, duty station, verification status, and booking event data. |
| Neon (neon.tech) | All users | PostgreSQL database hosting (U.S.-based). Stores user accounts, profiles, booking records, cancellation records, and verification status. |
| Heroku (heroku.com) | All users | Backend server and API hosting (U.S.-based). Processes Platform requests. Does not independently store persistent user data. |
| Vercel (vercel.com) | All users | Web application hosting (U.S.-based). Receives standard web traffic data including IP addresses. |
| AWS S3 (aws.amazon.com) | Guests (temporary); all users (media) | U.S.-based AWS regions. Guest identity verification and orders documents stored TEMPORARILY during staff review (deleted upon completion). Property photos, receipts, and booking documentation stored per retention schedule. |
We may also share information with law enforcement pursuant to valid legal process; successors in the event of a merger or acquisition (with advance notice); and professional advisors under confidentiality obligations.
5. Automated Decision-Making & Biometric Data
Booking & transactions Process reservations, payments, refunds, and cancellations; apply cancellation tiers (Flexible/Standard/Late) and military orders releases; generate DTS-compliant receipts and documentation Communications Transactional emails; promotional content with consent; cancellation and refund status notifications Platform improvement Analyze usage; improve features; detect and prevent fraud and abuse Legal & compliance Comply with applicable law; respond to legal process; enforce Terms; maintain required records Dispute resolution Review Platform communications, booking records, and cancellation records to facilitate Host-Guest cancellation and refund disputes Tax collection Calculate, collect, and remit applicable lodging taxes as a marketplace facilitator
5.1. Guest Verification — Human Review (No Automation)
Guest Verification - Human Review (No Automation) Guest eligibility is determined by BaseNest staff reviewing submitted LES or orders documents. This is a human decision-making process. No automated algorithms, machine learning, or biometric processing are used for Guest verification. Guests have no automated decision to appeal because no automated decision is made.
5.2. Host Verification — Stripe Identity (Automated)
Host Verification - Stripe Identity (Automated) Host identity is verified through Stripe Identity, which uses machine learning to: (a) verify that a submitted government ID document is authentic and unaltered; and (b) compare a live selfie to the photo on the submitted ID (biometric face-matching). This processing involves biometric data as defined under applicable state law.
5.3. Host Biometric Consent
By completing Host identity verification, Hosts provide affirmative consent to the biometric processing in
5.4. Host Opt-Out Rights (Biometric)
Florida Hosts have the right to opt out of biometric data collection during Stripe Identity verification. Texas Hosts may opt out under the TDPSA. Contact support@basenest.io to request manual verification.
5.5. Host Appeal of Automated Decisions
If Stripe Identity results in denial of Host access, Hosts may request human review by contacting support@basenest.io within thirty (30) days of a denial notice. BaseNest will respond within five (5) business days.
6. Marketing Communications & Consent
6.1. Transactional Messages (Cannot Be Opted Out)
Booking confirmations, modifications, and cancellation notices
- Cancellation tier determination and refund processing updates
- Military orders release confirmations and refund status
- DTS-compliant receipts and payment confirmations
- Account security alerts
- Dispute notifications and determinations
- Verification status notifications
6.2. Promotional & Lifecycle Messages (Opt-Out Available)
Welcome series, platform tips, promotional offers, and re-engagement messages. To opt out, click the Unsubscribe link in any promotional email. Opting out does not affect transactional messages.
6.3. SMS & Phone Marketing (TCPA)
If BaseNest sends marketing SMS messages, we will obtain your prior express written consent as required by TCPA, U.S.C. 227. Revoke consent at any time by replying STOP. Message and data rates may apply.
6.4. CAN-SPAM Compliance
All promotional emails include BaseNest's physical mailing address, clear identification as a BaseNest communication, and a working unsubscribe mechanism. Unsubscribe requests are honored within ten (10) business days.
7. Cookies & Tracking Technologies
7.1. Cookie Categories
| Category | Description |
|---|---|
| Strictly Necessary | Required for Platform function. Cannot be disabled. Includes: authentication tokens, CSRF protection, load balancing. |
| Functional | Remember preferences (language, saved searches). Can be disabled; may affect Platform functionality. |
| Analytics | Measure usage patterns to improve performance. Data aggregated and anonymized where possible. |
| Marketing | Used only with consent. BaseNest does not currently use third-party advertising cookies. |
7.2. Global Privacy Control (GPC)
BaseNest honors GPC signals as a valid opt-out of data sale and sharing under applicable state privacy laws including CCPA/CPRA. If your browser sends a GPC signal, we process it as an opt-out of non-essential data sharing and provide confirmation.
7.3. Managing Cookies
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent login and Platform use.
8. Data Retention Schedule
| Data Category | Retention Period |
|---|---|
| Guest verification documents (LES / PCS Orders / TDY Orders) | Deleted permanently from AWS S3 upon completion of staff review. Not retained after verification is complete. |
| Host verification data | Processed and retained by Stripe Identity per Stripe's policies. Not stored by BaseNest. |
| Extracted verification fields (name, pay grade, branch, status) | Life of account, plus 3 years following account closure |
| Booking & transaction records | Minimum 7 years from transaction date, per federal recordkeeping requirements. Includes cancellation tier, fees, and military orders release records. |
| Military orders submitted for SCRA / cancellation processing | Deleted from AWS S3 upon completion of cancellation processing. Confirmation record retained 7 years as part of the transaction record. |
| Cancellation dispute mediation records | 3 years from resolution date |
| Account profile data | Life of account, plus 3 years following account closure or last Platform activity |
| Platform messages (Host-Guest communications) | Life of account, plus 2 years; longer if subject to active dispute or legal hold |
| OFAC screening logs | Minimum 5 years per Bank Secrecy Act requirements |
| Marketing preferences & consent records | Life of account plus 3 years |
| Device & usage / analytics data | 24 months from collection, unless retained in aggregated/anonymized form |
| Support tickets & dispute records | 3 years from resolution date |
9. Data Security
Encryption in transit: TLS on all data transmitted between your browser and the Platform
- Encryption at rest: AES-256 or equivalent for data stored in Neon and AWS S3
- PCI-DSS 4.0.1 compliance: Payment data handling meets PCI-DSS Version 4.0.1 (mandatory since March 31, 2025). Stripe is a PCI-DSS certified processor; BaseNest does not store cardholder data directly.
- Access controls: Access to user personal data is limited to personnel with a legitimate business need, governed by role-based access controls
- Vendor security: All third-party processors are evaluated for security practices and operate under data processing agreements
9.1. Security Incident Notification
In the event of a security incident involving your personal data, BaseNest will contain and investigate the incident, notify affected users and applicable regulatory authorities within timeframes required by applicable law, and provide details of the incident and remediation steps. To report a suspected security vulnerability, contact support@basenest.io.
10. Your Privacy Rights
| Right | Description |
|---|---|
| Right to Know / Access | Request a copy of the personal data we hold about you |
| Right to Correct | Request correction of inaccurate or incomplete data |
| Right to Delete | Request deletion, subject to legal retention obligations (e.g., 7-year transaction records) |
| Right to Portability | Request a machine-readable copy of your personal data |
| Right to Opt-Out of Data Sale | BaseNest does not sell personal data. GPC signals honored. |
| Right to Opt-Out of Automated Decisions | Applies to Hosts only (Stripe Identity). Guests are verified by human review; no automated decision to appeal. |
| Right to Non-Discrimination | Exercising any privacy right will not result in denial of service or different pricing |
To exercise these rights, submit a DSAR as described in 12.
11. State-Specific Privacy Rights
11.1. California (CCPA/CPRA)
Right to limit use of sensitive personal information, including military service data
- Right to correct inaccurate personal information
- DROP mechanism: data deletion may also be requested via privacy.ca.gov
- GPC signals honored per 7.2
11.2. Texas (TDPSA)
Right to access, correct, delete, and port personal data
- Right to opt out of biometric processing during Host verification (5.4)
- Guest verification is human-conducted; no automated decision rights apply to Guests under this section
11.3. Florida (FDBR)
Hosts have the right to opt out of biometric data collection during Stripe Identity verification
- Guests are verified by staff review; no biometric data is collected from Guests
- BaseNest will respond to Florida DSAR requests within 45 days (one 15-day extension permitted with notice)
11.4. Virginia (VCDPA)
Right to access, correct, delete, and port personal data - Right to opt out of profiling for decisions producing legal or significant effects
11.5. Colorado (CPA)
Right to access, correct, delete, and port personal data; right to opt out of profiling and targeted advertising
11.6. Indiana, Kentucky & Rhode Island
Right to confirm data processing, access personal data, correct inaccuracies, and obtain a portable copy
11.7. Montana, Maryland & Delaware
Access, correction, deletion, and portability rights consistent with 10
11.8. North Carolina
All-in pricing transparency: no hidden fees without prior disclosure in checkout - Data access, correction, and deletion rights consistent with 10
12. Data Subject Access Request (DSAR) Process
Email: support@basenest.io
Subject line: Privacy Request
Include: Full name, account email address, and description of the right(s) you wish to exercise.
12.1. Identity Verification
Before processing a DSAR, BaseNest will verify your identity. We may request confirmation of the email address on your account and one additional verification factor.
12.2. Response Timelines
| Request Type | Timeline |
|---|---|
| Standard response | 45 days from receipt of a verified request |
| Extension (if needed) | Additional 45 days with written notice before the initial deadline |
| Florida FDBR | 45 days; one 15-day extension permitted with notice |
| Denial notice | Reason provided within 45 days if request cannot be fulfilled |
12.3. Appeal Process
If your DSAR is denied, appeal to support@basenest.io with subject line "Privacy Appeal' within thirty (30) days of the denial. BaseNest responds within sixty (60) days.
12.4. Limitations on Deletion
Transaction records (including cancellation records) must be retained 7 years minimum
- OFAC screening logs must be retained 5 years minimum
- Data subject to an active legal hold, dispute, or law enforcement investigation will not be deleted until resolved
13. OFAC & Compliance Screening
BaseNest screens all users against the OFAC SDN List and other restricted-party lists at account creation and on subsequent transactions. Screening records are retained for a minimum of years per Bank Secrecy Act requirements. OFAC screening results are not shared with other users.
14. Children's Privacy (COPPA)
The Platform is intended solely for users eighteen (18) years of age or older. BaseNest does not knowingly collect personal information from persons under 18. If we become aware that a minor's data has been collected, we will delete it promptly. Contact support@basenest.io with subject "Minor Data Concern.'
15. U.S.-Based Data Storage & Processing
| Service | Location / Notes |
|---|---|
| Neon (database) | U.S.-based PostgreSQL hosting |
| Heroku (backend server) | U.S.-based |
| Vercel (web hosting) | U.S.-based CDN and compute |
| AWS S3 (file storage) | U.S.-based AWS regions |
| Stripe / Stripe Identity | U.S.-based; see Stripe's privacy policy for data center details |
| Customer.io | U.S.-based email infrastructure |
16. No Government Agency Status
BaseNest is a private entity and does not represent the DoD, VA, or any federal agency. Verification of military status does not imply a security clearance check or DoD affiliation. BaseNest cannot guarantee DTS voucher approval or reimbursement of any lodging expense. Receipts are provided in a format intended to support DTS voucher submission but do not guarantee approval. Verify entitlements with your finance or travel office.
17. Changes to This Policy
BaseNest may update this Privacy Policy at any time. When material changes are made, we will post the updated Policy with a new effective date and send email notification to registered users at least thirty (30) days before changes take effect where required by applicable law. Continued use of the Platform after the effective date constitutes acceptance.
18. Contact Us
BaseNest LLC
113 S. Perry Street, Suite 206, Lawrenceville, GA 30046
General & Privacy Requests: support@basenest.io
Phone: 904-206-7553
Website: www.basenest.io
This Privacy Policy was last updated on May 14, 2026 and supersedes all prior versions.