Last month, HomeAway reportedly contacted several software companies requesting “strategic partnerships” between HomeAway and software providers in which the software companies would share client data with HomeAway to be included in the pilot program for HomeAway’s new revenue management platform known as MarketMaker.
A few days later, at RezFest, HomeAway’s Cliff Vars announced the launch of MarketMaker, which offers users competitive reporting and pricing tools. He also thanked CiiRUS and Streamline for partnering with the company to make this a solution for the whole industry, not just HomeAway users.
As a result, Streamline CEO Carlos Corzo, wrote VRM Intel to emphatically clarify: “We don’t share data with other software providers or industry solutions without [our customers’] consent.”
The discussions between HomeAway and property management system (PMS) providers prompted a renewed interest in the question, “Who owns your data?”
We reached out to several PMS CEOs and company leaders to find out more about their policies and paradigms surrounding privacy and usage of the data being entrusted by vacation rental managers within the PMS. Although HomeAway Software and Kigo have not responded, Barefoot, CiiRUS, LiveRez, NAVIS, RealTimeRental, Streamline, and Virtual Resort Manager (VRM) shared their ideas surrounding data privacy.
We asked the following questions:
- Should VRMs assume that their tech partners are protecting their data?
- Should technology providers be required to disclose to clients all the ways in which their aggregated data is being used?
- What are the potential implications of giving tech companies your data without understanding how they are using it?
- How important is it for VRMs to read and understand End User Agreements and Terms and Conditions?
- Do you think we are beginning to or will see software companies seeking to monetize customer data?
Should VRMs assume that their tech partners are protecting their data?
Ed Ulmer, CEO, Barefoot: Yes. This is in our Barefoot Subscription License Agreement. It is the foundation of our partnership.
4.1 Customer Data/Customer may upload and publish its own content to the Service. The parties acknowledge that all Customer Data used with the Service and the Barefoot Software and all data derived from such Customer Data is and shall remain the property of Customer. Barefoot has no right to use the Customer Data without written permission by Customer.
Josh Parry, CiiRUS: Absolutely. The most crucial part of our service is providing a safe environment for our clients’ data. That means powerful servers, server redundancies, and confidentiality of the data.
Tina Upson, LiveRez: At a minimum, managers should expect that their tech partners are taking every reasonable measure to secure their data. This includes storing their data in high-security data centers with regular backups, ensuring PCI-compliance, securing system logins, having user rights management built into the system, providing an easy way for managers to revoke access to employees, etc.
Kyle Buehner, NAVIS: Yes. First, make sure it is clear in each of your contracts that you are the sole owner of the data, and that any use of your data by your tech partner is limited to noncompetitive purposes. Your data is highly valuable, and you should keep ownership of this asset very clear. Each VRM should also look to work with vendors who can clearly demonstrate their commitment to safeguarding your data from theft.
Joe Testa, RealTimeRental: Yes, vacation rental managers should expect that their tech partners are protecting their data. We make sure to keep up with industry security standards to keep our client’s data safe. RealTimeRental is PCI compliant and utilizes SSL encryption, as well as maintaining a 24/7 firewall protection on our server environment.
Carlos Corzo, Streamline: I would hope so. We spend a lot of resources and money to make sure that our VRMs are protected. To do this, we take advantage of external vaults that tokenize data and provide extra layers of protection. We also employ Amazon Web Services, which provides great tools for monitoring and identifying strange activity. Beyond that, to avoid potential problems from disgruntled employees sharing data with competitors, we keep logs of every single user transaction in our system, which allows us to define anyone who has run specific reports. This year, we started whitelisting IPs for system access and requiring tokens to connect through our API, while also employing a system configuration that puts critical data into servers that are not accessible without the proper access.
To add one final layer of security, we also enforce a strict password policy, where passwords cannot be seen. They can only be reset. What is most surprising to me is that companies are not taking advantage of our double OAuth (Open Authorization) capabilities. This is something that all employees at Streamline have to use, and it takes security beyond just the password. While it may be an inconvenience, it is your data. You need to do anything you can to keep it secure.
Pete Wenk, VRM: Absolutely.
Should technology providers be required to disclose to clients all the ways in which their aggregated data is being used?
Ed Ulmer, Barefoot: Barefoot has always been forthcoming in our agreements, and we have been clear since we started that your data belongs to you. We will always side with our clients about how and when they share their data. For example, we have an opportunity for our clients to share their information with the VRM Intel data analysis project. This will be shared on a by-client basis based on their interest. We strive to act only on our clients’ behalf.
Josh Parry, CiiRUS: Yes. The technology provider should have nothing to hide. If the provider intends to use the client’s data for anything but internal analytics, it should be proposed in the contract.
Tina Upson, LiveRez: All software companies should provide their users with guidelines about how their users’ aggregate data could be used. And, when they do use any aggregate data, these companies should be transparent about how they are using it. We use aggregate data for internal analytics to identify how we can better serve our partners, and even then it is accessible to only an extremely small group of team members. When an integration requires that we share a partner’s data, we’re extremely careful to limit that data to only what is needed to make the service function (and that data is only shared when the partner opts into using the service in question). We also carefully vet any and all integration partners, and for a variety of reasons we have decided to not work directly with certain companies.
Kyle Buehner, NAVIS: Your data is a highly valuable asset of your company. I believe it is imperative that you understand and agree with your technology vendor about its uses, ownership, and protections.
Joe Testa, RealTimeRental: Yes, it is very important for vacation rental managers to understand how their data is being used.
Carlos Corzo: Streamline: Yes. If I were going to store a valuable asset, I would want to know all security measures taken by the facility. If someone does not want to disclose how they protect client data, I would be concerned about the strategies they are using.
Pete Wenk, VRM: If I was a property manager, I would require that.
What are the potential implications of giving tech companies your data without understanding how they are using it?
Ed Ulmer, Barefoot: We have always felt that our clients have absolute control for overseeing their data. We are deep supporters of understanding who, what, and when other entities are accessing your data. Without this, there can be no relationship between a customer and a provider without the trust that an open relationship provides.
Josh Parry, CiiRUS: The implications should be clear, provided you have read the agreement.
Tina Upson, LiveRez: There’s a long list of potential implications. The real questions professional managers should be asking themselves are “Who stands to benefit the most from my data?” and “What potential reward would my software company have for sharing that data?”
Kyle Buehner, NAVIS: The list of negative things that could happen is long and concerning (just talk to your insurance agent about a cybersecurity policy). The companies with which you choose to share your sensitive and valuable data should be companies you trust highly. It is also important to understand how your tech partner can contractually use your data. For example, no VRM would ever want to be surprised that the tech company they partner with actually competes with them and is using their data to market directly to guests or owners.
Joe Testa, RealTimeRental: It is very important to trust the companies you decide to work with. Tech partners should have proper security measures in place and not share or sell client data with third parties without your permission to do so.
Carlos Corzo, Streamline: This is an interesting question. I have learned over the years that companies retain the right to use your data and sometimes claim ownership to the data. Streamline does not believe in using your data without your consent. As most of us know, there is often a correlation between vacation rental software and online booking engines. This is no secret, and these companies legally have access to clients’ data. Property managers need to do their due diligence and understand how their data is being used. If they don’t, many tech partners may be taking your competitive advantage and giving it away. As a property manager in Park City, I don’t want anyone to see or use our data. It gives us the tools to analyze the market and identify strategies from year to year. If someone has the ability to aggregate all the actual data in a market, it makes them extremely powerful.
Pete Wenk, VRM: Loss of control of your inventory and the potential guest; potential for the VRM industry to relinquish booking to OTAs, as in the hotel experience of recent decades.
How important is it for VRMs to read and understand End User Agreements and Terms and Conditions?
Ed Ulmer, Barefoot: Vital to running a business.
Josh Parry, CiiRUS: Extremely, extremely important. For instance, the activation agreement for CiiRUS is five pages of information neatly organized in regular-sized font. It is the least intimidating document in existence, but it still does not get read by all users. It is important to understand your pricing, available features, and terms. You are doing your business a direct disservice by disregarding these agreements and potentially getting yourself in a situation to fall out with your provider very quickly over something that should have been clear via the agreement.
Tina Upson, LiveRez: It’s incredibly important for VRMs to not only read and understand their agreements but also seek clarification if they don’t understand something. That actually helps software companies better understand their customers’ concerns, resolve their issues, communicate more clearly, and sometimes even improve their agreements.
Joe Testa, RealTimeRental: Very important. We have had user agreements for nearly eighteen years. In the early days, every property manager had them reviewed by their council. Today, I believe very few do that.
Carlos Corzo, Streamline: This is becoming more and more crucial. I find myself signing contracts nearly every other day. Every contract goes through our Legal Department, and it is amazing what is discovered. I don’t know that anyone has malicious intent in this industry; however, we all know that data is power. At the end of the day, it is your data, and you need to be comfortable with who gets access to it.
Pete Wenk, VRM: Things can be obfuscated in legalese, so it is vital to read and understand EULAs in the context of what is happening in our industry today. When making a purchasing decision, VRMs should consider the future and how language in the EULA might adversely affect their ability to control their inventory and data down the road.
Do you think we are beginning to or will see software companies seeking to monetize customer data?
Ed Ulmer, Barefoot: Yes.
Josh Parry, CiiRUS: I really hope not. It is our job to sow as much trust as possible with our users, and monetizing their data flies directly in the face of that. I can’t think of any other major contemporary software platform that is currently doing this or would think of proposing this. I don’t think our property managers would let this happen!
Tina Upson, LiveRez: It’s already happening in the general tech space when you look at the ways some free online services leverage your data in selling advertisements on their platforms. In the vacation rental space, data is important for a lot of the same reasons. Your guest lists, owner lists, pricing data, etc. could all be misused by a company to either market directly to your customers (both guests and owners) or to use the aggregate data for a tool that they could then sell or use to influence market economics in their favor. It doesn’t matter if it’s the software company directly doing this, or if it’s the software company providing this data to a third-party it integrates with (or is associated with in any way). And while it’s important to read your agreements and contracts, it’s just as important to do business with companies you can trust. Because, who’s to say what really goes on behind closed doors?
Joe Testa, RealTimeRental: I think it is important for vacation rental managers to be aware of this trend in the industry. It is important that vacation rental managers use trustworthy tech partners. Beware of certain tech companies that offer free services, because often these free services are a way for companies to collect data to sell. We do not monetize customer data, and takes the proper security measures to keep that information safe.
Carlos Corzo, Streamline: This depends on the ultimate goal of a software company. There are many ways to get market data; however, it is no secret that software companies have access to the necessary data to make intelligent decisions. Our focus is on software and doing anything to help our PMs grow and be successful. If we were to use company data to our advantage, we would make sure to get approval from the customer. After all, it is your data!
Pete Wenk, VRM: Yes, particularly in the case of the larger software companies. In our case, we will not attempt to monetize customer data. The customers’ data is, in our concept, strictly controlled by them, and we do not have any claim on it.