# How We Protect Property Owner Contact Info (And What You Can Do Too)
We studied how rental site scraping works before building this platform. Here's what we found, and every defense we've built to protect your contact info.
Before we built Stay The Villages, we studied how rental site scraping actually works — not just theoretically, but by running our own analysis of competing platforms. What we found was eye-opening, and it shaped how we designed every layer of this platform.
Here's what we learned, what we built, and what you can do as an owner to protect yourself everywhere you list.
## The Threat Is Real
Most rental platforms weren't built with scrapers in mind. The result is that owner contact information — phone numbers, email addresses, sometimes home addresses — ends up accessible to anyone willing to write a few hundred lines of code.
We identified four techniques that scrapers use:
**Plain HTML scraping** is the simplest. Crawlers read `tel:` and `mailto:` links directly from page source. If your phone number appears in raw HTML, it can be harvested at scale with no JavaScript, no login, and no rate limit friction.
**Headless browsers** (tools like Playwright and Puppeteer) go further. They execute JavaScript just like a real browser, which means client-side obfuscation — including the popular base64-encoding trick — is decoded automatically in milliseconds. We tested this ourselves: a headless browser decoded a base64-encoded email in under 50ms.
**Unauthenticated REST APIs** are the most embarrassing vulnerability. Several competing platforms expose owner PII through API endpoints that require no authentication. A scraper can loop through property IDs and collect thousands of owner records in minutes.
**Rate limit evasion** defeats naive defenses. Scrapers use residential proxy pools (legitimate home IP addresses), random delays of 2–8 seconds between requests, and browser fingerprint rotation to appear as normal users. Basic IP-rate-limiting doesn't stop them.
## What We Do Differently
We built our defenses knowing exactly how these attacks work.
**Email never appears in any HTTP response.** Your email address is used server-side only — to send you inquiry notifications via our email provider (Resend). It is never included in page HTML, never in JSON API responses, and never base64-encoded in the DOM. There's nothing to scrape.
**Phone is gated by plan and decoded client-side.** Featured and Spotlight subscribers get their phone number displayed on their listing, but only via JavaScript decoding. A plain-HTML crawler — the most common type — sees nothing. This is meaningful friction, even if a headless browser can decode it.
**No public owner API.** There is no unauthenticated endpoint that returns owner contact data. Every route that touches owner information requires a valid signed session.
**Server-side rate limiting, independent of JavaScript.** All public forms (inquiry, newsletter, login, registration) enforce per-IP request limits at the server level. These limits cannot be bypassed by disabling JavaScript, using Playwright, or using FlareSolverr — they're enforced in our database before any processing happens.
**Honeypot fields on every public form.** We add invisible fields that automated tools reliably fill in. When those fields contain data, we silently discard the submission — no error, no feedback to help the scraper adapt.
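A sketch of how the two form defenses above fit together in one server-side handler. This is an added example, not Stay The Villages' own code: the table layout, the limits, the 429 status and the `company_website` field name are all assumptions, and SQLite stands in for whatever database the platform uses.

```python
import sqlite3

WINDOW_SECONDS = 600                # assumed window; the page does not state its limits
MAX_REQUESTS = 5                    # assumed per-IP cap per window
HONEYPOT_FIELD = "company_website"  # hypothetical hidden field, invisible to people

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE form_hits (ip TEXT, form TEXT, ts REAL);
        CREATE INDEX form_hits_idx ON form_hits (ip, form, ts);
        CREATE TABLE inquiries (ip TEXT, name TEXT, message TEXT);
    """)
    return db

def handle_inquiry(db, ip, fields, now):
    """Process one POST of the inquiry form; returns (http_status, stored)."""
    # 1. Rate limit first, counted in the database before any other work.
    db.execute("DELETE FROM form_hits WHERE ts < ?", (now - WINDOW_SECONDS,))
    (recent,) = db.execute(
        "SELECT COUNT(*) FROM form_hits WHERE ip = ? AND form = 'inquiry'", (ip,)
    ).fetchone()
    if recent >= MAX_REQUESTS:
        return 429, False
    db.execute("INSERT INTO form_hits VALUES (?, 'inquiry', ?)", (ip, now))
    # 2. Honeypot: any value in the hidden field marks the sender as automated.
    if str(fields.get(HONEYPOT_FIELD, "")).strip():
        return 200, False  # identical to the success response, nothing stored
    db.execute("INSERT INTO inquiries VALUES (?, ?, ?)",
               (ip, fields.get("name", ""), fields.get("message", "")))
    return 200, True

def stored_count(db):
    """Number of inquiries that actually reached storage."""
    return db.execute("SELECT COUNT(*) FROM inquiries").fetchone()[0]
```

Per-IP counting caps what a single address can send; the proxy-pool rotation described earlier spreads requests across many addresses, which is why this check sits alongside the honeypot rather than replacing it.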
**PII scoped at the query layer.** For property plans that don't qualify for phone or email display, our database queries return null for those fields. The data never reaches the rendering layer, even if the query cache contains it.
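The query-layer scoping and the session-gated owner route described above, as an added example rather than the platform's own code. The schema, the `basic` plan name, the token format and the demo key are assumptions; only the `featured` and `spotlight` plan names come from this page, and a production session would also carry an expiry.

```python
import hashlib
import hmac
import sqlite3

SESSION_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store in practice

PUBLIC_SQL = """
SELECT p.id, p.title,
       CASE WHEN p.plan IN ('featured', 'spotlight') THEN o.phone END AS phone
FROM properties p JOIN owners o ON o.id = p.owner_id WHERE p.id = ?
"""  # o.email is never selected, so it cannot reach a template or JSON body

def open_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE owners (id INTEGER PRIMARY KEY, email TEXT, phone TEXT);
        CREATE TABLE properties (id INTEGER PRIMARY KEY, owner_id INTEGER,
                                 title TEXT, plan TEXT);
        -- constructed sample rows
        INSERT INTO owners VALUES (1, 'owner1@example.test', '+1-555-0100'),
                                  (2, 'owner2@example.test', '+1-555-0101');
        INSERT INTO properties VALUES (10, 1, 'Pool home', 'spotlight'),
                                      (11, 2, 'Patio villa', 'basic');
    """)
    return db

def public_listing(db, property_id):
    """Public projection: phone is NULL unless the plan qualifies."""
    row = db.execute(PUBLIC_SQL, (property_id,)).fetchone()
    return dict(row) if row else None

def sign_session(owner_id):
    mac = hmac.new(SESSION_KEY, str(owner_id).encode(), hashlib.sha256).hexdigest()
    return f"{owner_id}.{mac}"

def owner_contact(db, token):
    """Owner-only route: rejects any request without a valid signed session."""
    owner_id, _, mac = token.partition(".")
    expected = hmac.new(SESSION_KEY, owner_id.encode(), hashlib.sha256).hexdigest()
    if not (owner_id.isdigit() and hmac.compare_digest(mac.encode(), expected.encode())):
        return 401, None
    row = db.execute("SELECT email, phone FROM owners WHERE id = ?",
                     (int(owner_id),)).fetchone()
    return (200, dict(row)) if row else (404, None)
```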
## Practical Tips for Owners
Beyond what we do on our end, here's what you can do to protect yourself — especially on platforms that don't have these protections:
**Use a dedicated rental email.** Create a Gmail address specifically for rental inquiries (e.g., [email protected]). If it gets harvested, you can abandon it without affecting your personal inbox.
**Get a Google Voice number.** Google Voice gives you a free US number that rings your real phone. If it ends up on spam lists, you can change it or filter it. Never list your real cell phone directly.
**Check the other platforms you list on.** View the source of your listings on Airbnb, VRBO, and any other platforms. Search for your phone number and email in the raw HTML. If you find them there, that's a risk you should know about.
**Use "General" map visibility if you're address-sensitive.** On Stay The Villages, you can set your address visibility to "Hidden," "General" (shows only "The Villages, FL"), or "Exact." If your property is your primary residence or you're otherwise address-sensitive, General is the right choice.
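For the tip about checking your other listings, here is one way to automate the search over page source you have saved from your own listing. It is an added example, not a tool this platform provides; the function name, the finding labels and the sample markup are constructed for illustration. It looks only for the email and phone you supply, in plain text, in `tel:` and `mailto:` links, and in base64-encoded form.

```python
import base64
import re

PHONE_RUN = re.compile(r"(tel:)?(\+?\d[\d\s().-]{8,}\d)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

def _digits(s):
    return re.sub(r"\D", "", s)[-10:]  # compare on the last 10 digits (US numbers)

def audit_listing_html(html, email, phone):
    """Return sorted findings showing how your own contact info is exposed."""
    findings = set()
    low, email, want = html.lower(), email.lower(), _digits(phone)
    if "mailto:" + email in low:
        findings.add("email in mailto: link")
    if low.count(email) > low.count("mailto:" + email):
        findings.add("email in plain text")
    for m in PHONE_RUN.finditer(html):
        if _digits(m.group(2)) == want:
            findings.add("phone in tel: link" if m.group(1) else "phone in plain text")
    for token in B64_RUN.findall(html):
        body = token.rstrip("=")
        try:
            raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        except ValueError:
            continue  # not decodable, so not an encoded contact value
        text = raw.decode("utf-8", "ignore").lower()
        if email in text:
            findings.add("email base64-encoded")
        if want and want in re.sub(r"\D", "", text):
            findings.add("phone base64-encoded")
    return sorted(findings)

# Constructed sample: a tel: link plus an email hidden with the base64 trick.
SAMPLE_HTML = (
    '<a href="tel:+13525550142">Call owner</a>\n'
    '<span data-c="%s"></span>' % base64.b64encode(b"owner@example.test").decode()
)

if __name__ == "__main__":
    for finding in audit_listing_html(SAMPLE_HTML, "owner@example.test", "(352) 555-0142"):
        print(finding)
```

Save the page with your browser's "View Source" and pass the text in. An empty result means neither value appears in these forms in the raw HTML; it says nothing about API responses.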
## Our Commitment
Your contact information exists between you and your renters. Not between you and a data broker, a spam list, or a competitor's marketing database.
If you ever believe your contact information has been harvested from our platform, or if you find a vulnerability, email us at [email protected]. We'll respond within 48 hours.