This architecture demonstrates how to build social features without compromising privacy. By decoupling internal identities from public profiles, engineers can provide granular user control and prevent unintended data leakage across different product contexts.
Discover how Airbnb prioritizes user privacy while building a more connected community, empowering guests to engage socially, connect confidently, and maintain control of their personal data.
By: Joy Jing
At Airbnb, our hosts and guests form the heart of our community. As shared by CEO Brian Chesky, we’re evolving into a more social ecosystem. Airbnb Experiences now highlight the people involved as much as the activity. Guests can see Who’s going on an Experience, message co-guests directly, and view people they’ve met through the Connections section in their Airbnb profile. Guests are able to choose to share their profile for each new Experience. Guests who choose not to share their profile will not have their photo or profile info shared with others outside of their travel group before or during the experience. Our goal is to foster meaningful connections while giving guests control over their privacy.
In this post, we’ll share how we built new social features with privacy by design at their core. You’ll learn about our approach to user privacy, the technical decisions we made, and how we’re empowering guests to control their visibility every step of the way.
At Airbnb, building trust while protecting privacy is fundamental. To achieve this, we’ve made a clear distinction between the concepts of User and Profile.
User represents the complete, internal record we hold about an Airbnb user, including names, email addresses, phone numbers, and account details. This is the information we collect and use when providing our services. Whereas a Profile includes a subset of information about a User and is their public-facing representation. The information displayed on a Profile varies based on whether the user is a host, guest, or both. Users can choose to add as much or little to their profile as they see fit.
For example, as a guest, you might need your host’s phone number for check-in, but other guests reading your review after the stay shouldn’t see any of your contact info.
One user can have multiple profiles. For example, we have Host Profiles for prospective guests to learn more about the host they’ll be staying with.
We also have Guest Profiles for hosts to learn more about the guests they will be hosting.
We now also create Experience-specific Guest Profiles, which manages how a guest’s profile information is shown to other guests on that experience outside their travel group. If a guest chooses not to share their profile, their profile will not be viewable by others looking to book the Experience. Only their first name will be visible to other guests on the Experience outside of their travel group.
To deliver this context-aware experience, we’ve introduced two distinct types of identifiers:
Each user will only have one User ID, but could have multiple Profile IDs that are used in different contexts. By decoupling these, we enable:
Ultimately, this empowers guests to control when their profile data is shared with other guests and hosts, and keeps identity management simple and intuitive.
For example, let’s say Marie chooses to attend an Airbnb Experience called “Pasta Making with Nonna” and decides to remain private. We will create Profile A for Marie, associated with “Pasta Making with Nonna,” which will only surface her first name and will not include her profile photo. If Marie also attends an Airbnb Experience called “Goat Yoga”, we will create a separate Profile B for her associated with “Goat Yoga.” If Marie opts-in to social features on the “Goat Yoga” Airbnb Experience, other co-guests will be able to see her profile photo, guest stats, and other “About me” information, which she can curate from her Profile edit page.
If Alex also attends the Airbnb Experience “Goat Yoga,” he will see Marie’s full Profile B. If Alex happens to browse “Pasta Making with Nonna”, however, he won’t see Marie’s profile photo in the “Who’s going” list. As a result, Alex will not know that Marie from the “Goat Yoga” Airbnb Experience will be attending the “Pasta Making with Nonna” Airbnb Experience as well.
As another example, say Alex is a host of a mountain cabin in the Swiss Alps. When he attends the “Goat Yoga” Experience as a guest, his host profile remains separate from his guest profile for that Experience. This means that fellow guests like Marie won’t be able to tell that Alex also hosts a cabin in the Alps, because Alex’s host profile and guest profile are not linked. If Marie later searches for places to stay in the Swiss Alps, she might come across Alex’s cabin listing. However, if Alex has chosen to remain private on the “Goat Yoga” Airbnb Experience, Marie will only see his first name, and won’t be able to know that his guest profile on “Goat Yoga” and his host profile for the mountain cabin represent the same person.
Airbnb users interact with a range of people: fellow travelers, hosts, Airbnb support personnel, and more. Each interaction requires the right privacy boundaries. We use least-privileged access to ensure everyone sees only the data they need.
To manage these permissions, we use Himeji, our in-house authorization system. Himeji enforces access controls at the data layer, ensuring privacy and security beyond just the user interface. One of Himeji’s key optimizations is its ability to perform configurable relation denormalization at write time, when profile information or permissions change. This makes permission checks at read time extremely fast and scalable, enabling users to have a seamless experience even as privacy needs grow more complex.
In order to launch, work was needed to ensure that Airbnb’s platform utilized the right identifier in the right context.
1. Automated auditing
We developed Python scripts to audit the codebase, searching for known patterns associated with user data access. This gave us a comprehensive list of candidate locations.
2. Determining team ownership
Our scripts mapped each finding to the owning team via the directory structure. This let us assign migration work directly and efficiently.
3. Manual review for context
Code owners manually reviewed findings, determining whether each instance was internal-only or externally used. This hands-on review layer was critical for accuracy and confidence.
4. AI-powered refactoring
We leveraged AI-powered refactoring tools to suggest code changes based on our audit findings. However, engineers always remained in the loop by reviewing, refining, and applying code updates, which ensured correctness and protected nuanced business logic.
5. Company-wide collaboration
Perhaps the most important ingredient was company-wide alignment. Teams across Airbnb (engineering, product, privacy, legal, and beyond) came together with a shared mission. This collective commitment ensured prioritization, smooth coordination, and ultimately, a successful migration.
Strong typing and automated tests were our safety net. We made sure profile IDs and user IDs couldn’t be mixed up accidentally. Code reviews, linters, and type checks enforced boundaries. Progress was tracked in a shared hub, keeping everyone aligned and accountable.
As Airbnb becomes more social, guest privacy stays at the heart of everything we build. Our new context-aware profile IDs lay the groundwork for future features without compromising trust and reflects our commitment to privacy in our Privacy Principles.
If this type of work interests you, check out some of our related positions.
It takes a village to build a robust privacy-oriented infrastructure. Special thanks to:
All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
Privacy-first connections: Empowering social experiences at Airbnb was originally published in The Airbnb Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
Continue reading on the original blog to support the author
Read full articleScaling observability for 1,000+ services requires balancing multi-tenant isolation with operational efficiency. Airbnb's approach to shuffle sharding and automated control planes provides a blueprint for building resilient, petabyte-scale metrics systems that avoid 'flying blind' during outages.
This story highlights the effectiveness of apprenticeship programs in diversifying engineering talent. It also provides insights into Airbnb's security engineering culture, specifically how they manage permissions platforms and integrate LLMs while maintaining high security standards.
Traditional forecasting fails when data structures shift. Airbnb's B-DARMA framework provides a robust way to model compositional data and handle structural breaks, ensuring models remain accurate during global shocks and permanent behavioral shifts in consumer data.
This approach demonstrates how to adapt NLP architectures for travel recommendations by balancing short-term intent with long-term history. It addresses the cold-start problem for dormant users while improving geolocation accuracy through multi-task learning.
