Privacy Policy

1. Introduction

Stayz LTD ("we", "us", "our", or "Stayz") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our mobile application ("App"), visit our website at stayzltd.com ("Website"), and related services.

This Privacy Policy is designed to comply with:

• EU General Data Protection Regulation (GDPR)
• UK Data Protection Act 2018
• California Consumer Privacy Act (CCPA)
• Other applicable data protection laws

By using our App or Website, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your information as described herein.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration and Profile:

• Full name
• Email address
• Password (stored in hashed/encrypted format)
• Phone number (optional)
• Date of birth (for age verification)
• Profile photo (optional)
• Preferences and interests (optional)

Booking Information:

• Guest names (for all travelers in the booking)
• Contact details (phone, email, emergency contacts)
• Arrival and departure dates
• Property selection
• Special requests or requirements (accessibility needs, dietary preferences, etc.)
• Number of guests (adults and children)

Payment Information:

• Payment card type
• Last 4 digits of card number
• Card expiry date
• Billing address

Note: Full payment card details are processed and stored securely by our payment processor (Stripe) in compliance with PCI-DSS standards. We do not store complete payment card details on our servers.

Communication Data:

• Messages exchanged through in-app chat, website contact forms, support tickets, or feedback forms
• WhatsApp communications with our AI assistant or support team
• Voice messages (if sent via WhatsApp)
• Email correspondence
• Phone call records (if you contact our support line)
• Reviews and ratings of properties

Identity Verification (if required):

• Government-issued ID or passport (for verification purposes only)
• Proof of address documents

2.2 Information Collected Automatically

Device Information:

• Device type, model, and manufacturer
• Operating system and version
• Unique device identifiers (e.g., IMEI, device ID, advertising ID)
• Mobile network information (carrier, network type)
• IP address
• Browser type and version
• Screen resolution

Usage Data:

• App features used and frequency of use
• Pages or screens viewed (both app and website)
• Time spent on different sections
• Search queries within the App and Website
• Booking patterns and preferences
• Navigation paths through the App and Website
• Interactions with notifications
• Crash reports and error logs
• Performance data (app load times, website page load times, responsiveness)

Location Data (with your permission):

• Precise GPS location (when you enable location services)
• Approximate location (based on IP address)

Location information is collected for features such as:

• Finding nearby properties
• Providing directions to properties
• Offering location-based recommendations
• Emergency support services

You can control location permissions through your device settings.

Cookies and Similar Technologies:

• Session cookies (for maintaining your logged-in state)
• Functional cookies (for remembering your preferences)
• Analytics cookies (for understanding app usage)
• Advertising cookies (if we implement advertising in the future)

For detailed information about cookies, see Section 8.

2.3 Information from Third Parties

Eviivo Property Management System:

• Property availability and pricing
• Booking status and modifications
• Guest reservation history
• Access codes and check-in instructions

Payment Processors (Stripe):

• Payment transaction status
• Payment verification results
• Fraud detection signals

Social Media (if you choose to link accounts):

• Profile information from Facebook, Google, or Apple Sign-In
• Email address and name from social login

Analytics Providers:

• Aggregated usage statistics
• App performance metrics
• User behavior patterns

3. How We Use Your Information

3.1 Legal Bases for Processing (GDPR)

We process your personal data based on the following legal grounds:

a) Contractual Necessity (to fulfill our contract with you):

• Processing bookings and reservations
• Providing access to properties
• Managing your account
• Delivering customer support
• Processing payments and refunds

b) Legitimate Interests (where necessary for our business operations):

• Improving and personalizing the App experience
• Conducting analytics and research
• Fraud prevention and security
• Marketing our services (with opt-out options)
• Business development and strategy
• Network and information security

c) Consent (where you have given explicit permission):

• Sending promotional marketing communications
• Using location data for enhanced features
• Placing non-essential cookies
• Sharing data with third parties beyond what's necessary for service provision

d) Legal Obligations (to comply with laws and regulations):

• Tax reporting and financial record-keeping
• Responding to legal requests (court orders, subpoenas)
• Anti-money laundering (AML) compliance
• Preventing illegal activities

3.2 Specific Purposes

We use your information for the following purposes:

Booking and Reservation Management:

• Processing and confirming bookings
• Sending booking confirmations and reminders
• Managing changes, cancellations, and refunds
• Coordinating check-in and check-out
• Providing property access information (codes, keys)
• Facilitating communication between guests and property managers

Customer Service and Support:

• Responding to inquiries and support requests
• Resolving disputes and complaints
• Providing in-stay assistance
• Managing service requests (maintenance, housekeeping)
• Handling emergency situations

AI Assistant Services:

• Providing automated responses to common questions
• Facilitating booking modifications
• Offering personalized recommendations
• Improving AI response accuracy through machine learning

Note: Voice messages are transcribed for processing; original audio may be retained for quality assurance

Personalization and User Experience:

• Remembering your preferences and settings
• Customizing property recommendations
• Providing location-based suggestions
• Tailoring content based on your interests
• Saving favorite properties and searches

Analytics and Improvement:

• Understanding how users interact with the App
• Identifying bugs, errors, and performance issues
• Testing new features and improvements
• Conducting market research and trend analysis
• Measuring effectiveness of our services

Security and Fraud Prevention:

• Detecting and preventing fraudulent bookings
• Protecting against unauthorized access
• Monitoring for suspicious activity
• Verifying user identity when necessary
• Enforcing our Terms and Conditions

Marketing and Communications:

• Sending promotional offers and special deals (with your consent)
• Sharing updates about new properties or features
• Requesting reviews and feedback
• Conducting customer satisfaction surveys
• Sending newsletters (with opt-out options)

Legal Compliance:

• Maintaining records for tax and accounting purposes
• Responding to legal requests and court orders
• Complying with regulatory requirements
• Protecting our legal rights and interests
• Investigating potential violations of our Terms

Business Operations:

• Managing relationships with property owners
• Processing partner payments and commissions
• Planning business strategy and growth
• Mergers, acquisitions, or sale of assets
• Internal reporting and audits

4. How We Share Your Information

4.1 Sharing with Service Providers (Data Processors)

We share your information with trusted third-party service providers who help us operate our business. These providers are contractually obligated to protect your data and use it only for specified purposes:

Eviivo (Property Management System):

• Purpose: Managing property inventory, availability, bookings, and guest information
• Data Shared: Booking details, guest names, contact information, check-in/out dates, payment status
• Location: UK/EU
• Safeguards: Data Processing Agreement (DPA) in place, GDPR-compliant

Stripe (Payment Processing):

• Purpose: Securely processing payments and refunds
• Data Shared: Payment card information, billing address, transaction amounts
• Location: US with EU operations
• Safeguards: PCI-DSS Level 1 certified, Standard Contractual Clauses (SCCs)

Google Cloud Platform (Hosting and Infrastructure):

• Purpose: Hosting our application, database, and backend services
• Data Shared: All data stored in our systems
• Location: EU (London region)
• Safeguards: ISO 27001 certified, GDPR-compliant, EU-based servers

Zoho Suite (Customer Support):

• Zoho Desk: Managing support tickets and customer inquiries
• Zoho SalesIQ: Live chat and conversation management
• Zoho CRM: Customer relationship management (limited use)
• Data Shared: Contact information, support conversations, booking references
• Location: EU data centers
• Safeguards: GDPR-compliant, DPA in place

WhatsApp Business Platform (Meta):

• Purpose: Enabling WhatsApp-based customer communication and AI assistant
• Data Shared: Phone numbers, message content, conversation metadata
• Location: US with EU storage options
• Safeguards: End-to-end encryption, Standard Contractual Clauses

Analytics Providers:

• Google Analytics for Firebase (planned):
• Purpose: Understanding app usage, user behavior, and performance
• Data Shared: Anonymized usage data, device information, crash reports
• Location: US with EU processing
• Safeguards: Data anonymization, IP masking, Google's EU-US Data Privacy Framework certification

4.2 Sharing with Property Owners

When you make a booking, we share necessary information with the property owner or manager:

• Guest names and contact details
• Arrival/departure dates and times
• Number of guests
• Special requests or requirements
• Payment confirmation status

Property owners are independent data controllers for their own operations and may have separate privacy policies.

4.3 Legal and Regulatory Sharing

We may disclose your information when required by law or to protect our rights:

• In response to valid legal requests (subpoenas, court orders, warrants)
• To comply with tax, accounting, and regulatory obligations
• To enforce our Terms and Conditions
• To protect the safety, rights, or property of Stayz, our users, or the public
• In connection with fraud investigation or prevention
• To defend against legal claims or litigation

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, or bankruptcy:

• Your information may be transferred to the successor entity
• You will be notified via email and/or prominent notice in the App
• The successor will be bound by this Privacy Policy unless you consent to a new policy

4.5 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you:

• Industry trends and statistics
• Market research insights
• App usage patterns
• Performance benchmarks

This data sharing does not constitute personal data sharing under GDPR.

4.6 With Your Consent

We may share your information with third parties when you give explicit consent, such as:

• Sharing your review publicly on the App or website
• Participating in third-party promotions or contests
• Connecting your account with third-party services

You can withdraw consent at any time through App settings or by contacting us.

5. International Data Transfers

5.1 Data Storage Location

Your data is primarily stored on servers located in the European Union (specifically, our primary data center is in London, UK). This ensures compliance with GDPR and UK data protection standards.

5.2 Transfers Outside the EU/UK

Some of our service providers may process data outside the EU/UK. When this occurs, we ensure appropriate safeguards are in place:

• Adequacy Decisions: We prioritize countries with EU adequacy decisions (deemed to provide adequate data protection)
• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with providers in non-adequate countries. These are legally binding contracts ensuring GDPR-level protection
• Additional Safeguards: Encryption of data in transit and at rest, access controls and security measures, regular audits and compliance reviews, certifications (ISO 27001, SOC 2, etc.)

Specific Transfers:

• Stripe (US): EU-US Data Privacy Framework participation + SCCs
• WhatsApp/Meta (US): SCCs + end-to-end encryption
• Google Cloud Platform: EU-based servers, but Google (US parent) may access for support; SCCs in place

5.3 Your Rights Regarding Transfers

You have the right to:

• Request information about cross-border data transfers
• Object to transfers that don't meet GDPR standards
• Request that your data be processed only within the EU/UK (subject to feasibility)

6. Data Security

6.1 Security Measures

We implement robust technical and organizational measures to protect your personal data:

Technical Measures:

• Encryption: All data transmitted between your device and our servers uses TLS 1.3 encryption (HTTPS)
• Data at Rest: Database encryption using AES-256 encryption standards
• Password Security: Passwords are hashed using bcrypt with strong salt
• Access Controls: Role-based access control (RBAC) limits employee access to data
• Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS)
• Regular Security Audits: Penetration testing and vulnerability assessments
• Secure Development: Code reviews, security testing in CI/CD pipeline
• API Security: Authentication tokens, rate limiting, input validation

Organizational Measures:

• Employee training on data protection and security
• Confidentiality agreements with all staff and contractors
• Background checks for employees with data access
• Incident response plan and data breach procedures
• Regular review and update of security policies
• Physical security of server facilities (handled by GCP)

Third-Party Security:

• All service providers must demonstrate appropriate security measures
• Regular vendor security assessments
• Data Processing Agreements (DPAs) requiring security standards
• Compliance certifications (ISO 27001, SOC 2, PCI-DSS where applicable)

6.2 Security Limitations

Despite our best efforts, no system is completely secure. We cannot guarantee:

• Absolute security of data transmission over the internet
• Complete prevention of unauthorized access by sophisticated attackers
• Security of your device or account if you share credentials

6.3 Your Security Responsibilities

You are responsible for:

• Keeping your password confidential and secure
• Using a strong, unique password for your Stayz account
• Logging out of the App on shared devices
• Notifying us immediately if you suspect unauthorized access
• Keeping your device and operating system up to date
• Using secure internet connections (avoid public Wi-Fi for sensitive transactions)

6.4 Data Breach Notification

In the event of a data breach affecting your personal data:

• We will investigate and contain the breach promptly
• Notify supervisory authorities within 72 hours (as required by GDPR)
• Notify affected users without undue delay if there is a high risk to your rights
• Provide information about the breach, potential consequences, and mitigation measures
• Take steps to prevent future breaches

7. Data Retention

7.1 Retention Principles

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.2 Specific Retention Periods

Account Data:

• Retained while your account is active
• After account deletion: 30 days (to allow for reactivation in case of accidental deletion)
• Certain data may be retained longer for legal compliance (see below)

Booking and Transaction Data:

• Active bookings: Retained until completion of stay plus 90 days
• Completed bookings: 7 years (for tax, accounting, and legal purposes as required by UK law)
• Payment records: 7 years (for financial compliance)
• Invoices and receipts: 7 years (tax regulations)

Communication Data:

• Support tickets and messages: 3 years (for quality assurance and dispute resolution)
• AI assistant conversations: 2 years (for improvement and training purposes; can be deleted upon request)
• Voice messages: 1 year (transcriptions retained for 2 years)
• Marketing communications: Until you unsubscribe or 3 years of inactivity

Technical and Usage Data:

• Log files: 90 days (for security and troubleshooting)
• Analytics data: 26 months (aggregated, in line with Google Analytics standards)
• Cookie data: As specified in cookie banner (typically 12 months)

Legal and Compliance Data:

• Dispute-related data: 6 years after resolution (UK limitation period)
• Fraud investigation data: 7 years
• Legal hold data: Duration of legal proceedings plus 1 year

7.3 Data Deletion

After retention periods expire:

• Personal data is securely deleted or anonymized
• Deletion is permanent and irreversible
• Backups containing old data are overwritten in regular backup cycles (maximum 90 days)
• Anonymized data may be retained indefinitely for statistical purposes

7.4 Early Deletion Requests

You can request deletion of your data before the standard retention period expires (see Section 9 – Your Rights). However, we may need to retain certain data for legal compliance, fraud prevention, or to resolve disputes.

8. Cookies and Tracking Technologies

8.1 What Are Cookies

Cookies are small text files stored on your device when you use the App or Website. We also use similar technologies such as:

• Local Storage: Data stored in your device's browser
• SDKs (Software Development Kits): Code embedded in the App for functionality and analytics
• Pixels and Beacons: Small images used for tracking (primarily for web interfaces)
• Device Identifiers: Unique identifiers like Advertising ID (IDFA on iOS, AAID on Android)

8.2 Types of Cookies We Use

Strictly Necessary Cookies:

• Purpose: Essential for app and website functionality (login sessions, security)
• Duration: Session-based (deleted when you close the app/browser) or until logout
• Examples: Authentication tokens, session IDs
• Legal Basis: Legitimate interest (required for service provision)
• Can be disabled: No (app and website will not function without these)

Functional Cookies:

• Purpose: Remember your preferences and settings
• Duration: Up to 12 months
• Examples: Language preference, currency selection, property search filters
• Legal Basis: Legitimate interest or consent
• Can be disabled: Yes (through app settings)

Analytics and Performance Cookies:

• Purpose: Understand app and website usage, identify errors, improve performance
• Duration: Up to 26 months
• Examples: Google Analytics for Firebase (planned), Google Analytics for Web
• Data collected: Page views, session duration, crash reports, feature usage
• Legal Basis: Consent (required for non-essential analytics)
• Can be disabled: Yes (through app settings, website settings, or device settings)

Advertising Cookies (if implemented in future):

• Purpose: Deliver relevant advertisements
• Duration: Up to 12 months
• Examples: Ad network SDKs, retargeting pixels
• Legal Basis: Consent (required)
• Can be disabled: Yes (through app settings, device settings, or opt-out of personalized ads)

8.3 Managing Cookies and Tracking

In-App Settings:

• Navigate to Settings > Privacy > Cookie Preferences
• Toggle analytics and advertising tracking on/off
• Note: Strictly necessary cookies cannot be disabled

Device-Level Settings:

iOS:

• Settings > Privacy & Security > Tracking > Toggle off "Allow Apps to Request to Track"
• Settings > Privacy & Security > Apple Advertising > Toggle off "Personalized Ads"
• Limit Ad Tracking (older iOS versions)

Android:

• Settings > Google > Ads > Toggle on "Opt out of Ads Personalization"
• Settings > Privacy > Ads > Delete Advertising ID

Browser (for website):

• Most browsers allow you to manage cookies through settings
• You can block all cookies, but this may affect website functionality
• Website cookie preferences can be managed through our cookie banner

8.4 Third-Party Tracking

Some third-party services may use their own cookies or tracking technologies:

• Google Analytics (with IP anonymization)
• Firebase Crashlytics
• Advertising networks (if implemented)

These parties are governed by their own privacy policies.

8.5 Do Not Track Signals

Currently, the App does not respond to "Do Not Track" browser signals. We honor your cookie preferences set within the App, Website, or device settings.

9. Your Rights Under GDPR and Data Protection Laws

9.1 Overview of Rights

As a user in the EU/UK, you have the following rights regarding your personal data:

9.2 Right of Access (Article 15 GDPR)

You have the right to request:

• Confirmation of whether we process your personal data
• Access to a copy of your personal data
• Information about how we use your data

How to exercise:

• In-app: Settings > Privacy > Download My Data
• Email: [email protected] with subject "Data Access Request"
• Response time: Within 1 month (extendable by 2 months for complex requests)

9.3 Right to Rectification (Article 16 GDPR)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to exercise:

• In-app: Update your profile information directly
• For booking data: Contact [email protected]
• For other data: Email [email protected]
• Response time: Within 1 month

9.4 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data when:

• Data is no longer necessary for its original purpose
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Legal obligations require deletion

Limitations: We may retain data when necessary for:

• Legal compliance (tax records, financial data)
• Establishing, exercising, or defending legal claims
• Fulfilling contractual obligations

How to exercise:

• In-app: Settings > Account > Delete My Account
• Email: [email protected] with subject "Data Deletion Request"
• Response time: Within 1 month; deletion completed within 30 days after approval

9.5 Right to Restriction of Processing (Article 18 GDPR)

You have the right to restrict processing when:

• You contest the accuracy of data (restriction during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing (restriction pending verification of legitimate grounds)

How to exercise: Email [email protected] with subject "Restriction Request"

9.6 Right to Data Portability (Article 20 GDPR)

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
• Transmit this data to another service provider

This applies to data:

• You provided to us
• Processed based on consent or contract
• Processed by automated means

How to exercise:

• In-app: Settings > Privacy > Download My Data (exports to JSON)
• Email: [email protected] with subject "Data Portability Request"
• Response time: Within 1 month

9.7 Right to Object (Article 21 GDPR)

You have the right to object to processing based on:

• Legitimate interests: You can object at any time; we must stop unless we demonstrate compelling legitimate grounds
• Direct marketing: You can object at any time; we must stop immediately

How to exercise:

• Marketing emails: Click "Unsubscribe" in any marketing email
• In-app: Settings > Notifications > Marketing Communications (toggle off)
• Email: [email protected] with subject "Objection to Processing"

9.8 Rights Related to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Our practices:

• Our AI assistant provides recommendations but does not make binding decisions
• Booking approvals and pricing are not based solely on automated profiling
• Fraud detection systems may flag suspicious activity, but human review occurs before action

How to exercise: If you believe you've been subject to inappropriate automated decision-making, contact [email protected]

9.9 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time:

• Marketing communications: Unsubscribe links or app settings
• Location services: Device settings
• Analytics cookies: App or device settings
• General consent: Email [email protected]

Withdrawal does not affect the lawfulness of processing before withdrawal.

9.10 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you can:

• Contact us first: [email protected] (we will investigate and respond within 30 days)
• Lodge a complaint with your supervisory authority:
  • UK: Information Commissioner's Office (ICO) – https://ico.org.uk/
  • EU: Your local Data Protection Authority – https://edpb.europa.eu/about-edpb/board/members_en

You have the right to lodge a complaint even if you haven't contacted us first.

9.11 How to Exercise Your Rights

General Process:

• Submit a request via email ([email protected]) or in-app where available
• We may request identity verification to prevent unauthorized access
• We will respond within 1 month (extendable by 2 months for complex requests)
• We will inform you if we cannot fulfill your request and explain why

No Fee: Exercising your rights is generally free of charge. We may charge a reasonable fee for repetitive, excessive, or manifestly unfounded requests.

Response Format:

• Electronic format by default (email or in-app)
• Physical copy available upon request

10. Children's Privacy

10.1 Age Restrictions

The Stayz App and Website are not intended for children under the age of 18. We do not knowingly collect personal data from children under 18.

10.2 Bookings for Minors

While only adults (18+) can create accounts and make bookings, parents or legal guardians may book on behalf of minors who meet property age requirements. When booking for minors:

• The adult account holder is responsible for providing accurate information
• The adult is responsible for the minor's use of the property and compliance with rules
• The adult consents to data processing on behalf of the minor

10.3 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal data:

• Contact us immediately at [email protected]
• We will delete the data within 30 days upon verification
• We will take steps to prevent future access

10.4 Verification

If we discover we have collected data from a child under 18 without proper consent:

• We will delete the data promptly
• We will terminate the account
• We will implement additional verification measures

11. AI Assistant and Machine Learning

11.1 How Our AI Assistant Works

Our AI assistant uses machine learning and natural language processing to:

• Understand and respond to your questions
• Provide booking assistance and recommendations
• Offer personalized support during your stay
• Automate routine inquiries

11.2 Data Used for AI

The AI assistant processes:

• Your current message and conversation history
• Your booking information (to provide context-aware responses)
• Property information and availability
• Knowledge base articles and FAQ content
• Historical conversation data (for training and improvement)

11.3 Voice Message Processing

When you send voice messages via WhatsApp:

• Messages are transcribed using automated speech recognition
• Transcriptions are processed by our AI assistant
• Original audio may be retained for up to 1 year for quality assurance
• Transcriptions are retained for up to 2 years for AI training
• You can request deletion of voice messages at any time

11.4 AI Training and Improvement

We use conversation data to improve our AI:

• Training data: Past conversations (anonymized where possible) are used to train AI models
• Model improvement: Feedback on AI responses helps improve accuracy
• Human review: Some conversations may be reviewed by staff for quality assurance
• Privacy measures: Personal identifiers are removed or pseudonymized when possible

11.5 Limitations and Human Oversight

• AI responses are automated and may contain errors
• Critical decisions (refunds, cancellations, disputes) involve human review
• You can request a human agent at any time
• We are not liable for AI errors unless they result from our negligence

11.6 Opting Out of AI Training

If you do not want your conversations used for AI training:

• Email [email protected] with subject "Opt Out of AI Training"
• We will flag your account to exclude conversation data from training datasets
• This will not affect your ability to use the AI assistant

12. Marketing Communications

12.1 Types of Marketing

We may send you marketing communications about:

• Special offers and promotional discounts
• New properties and destinations
• App updates and new features
• Travel tips and recommendations
• Seasonal campaigns and loyalty programs
• Surveys and feedback requests

12.2 Legal Basis for Marketing

• Email marketing: Based on consent (opt-in) or legitimate interest for existing customers
• Push notifications: Based on consent (you can disable in device settings)
• In-app messages: Based on legitimate interest (can be disabled in app settings)
• WhatsApp marketing: Only with explicit opt-in consent

12.3 Opting Out

You can opt out of marketing at any time:

• Email: Click "Unsubscribe" in any marketing email
• In-app: Settings > Notifications > Toggle off marketing categories
• Push notifications: Device settings > Stayz > Notifications
• WhatsApp: Reply "STOP" or manage in app settings
• All marketing: Email [email protected] with "Unsubscribe from All Marketing"

Opting out does not affect transactional communications (booking confirmations, support messages, etc.).

12.4 Personalized Marketing

We may personalize marketing based on:

• Your booking history and preferences
• Properties you've viewed or favorited
• Your location (if you've granted permission)
• General usage patterns

You can opt out of personalized marketing while still receiving general marketing.

12.5 Third-Party Marketing

We do not sell or rent your personal data to third parties for their marketing purposes. We will never share your email or phone number with third parties for unsolicited marketing without your explicit consent.

13. Third-Party Links and Services

13.1 External Websites and Apps

The Stayz App and Website may contain links to third-party websites, services, or apps:

• Property owner websites
• Local attraction and tour booking sites
• Transportation services
• Review platforms

We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies.

13.2 Social Media Integration

If you choose to link your Stayz account with social media:

• We may receive information from your social media profile (name, email, profile picture)
• Your social media provider's privacy policy governs their data practices
• You can disconnect social media links at any time in app settings

13.3 Third-Party Analytics and Advertising

Third-party services may collect data about your use of the App:

• Google Analytics: https://policies.google.com/privacy
• Firebase: https://firebase.google.com/support/privacy
• Stripe: https://stripe.com/privacy

These services operate under their own privacy policies.

14. Updates to This Privacy Policy

14.1 Changes to Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• New features or services
• Legal or regulatory requirements
• Industry best practices

14.2 Notification of Changes

We will notify you of material changes via:

• Email to your registered email address
• In-app notification
• Website notification
• Prominent notice on the App home screen and Website
• Updated "Last Updated" date at the top of this policy

14.3 Continued Use

Continued use of the App or Website after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should stop using the App and Website and may request account deletion.

14.4 Material Changes Requiring Consent

For material changes that require new consent (e.g., new data uses, new third-party sharing), we will seek your explicit opt-in consent before implementing the change.

15. Contact Us

15.1 Privacy Questions and Requests

For any privacy-related questions, concerns, or to exercise your rights:

• Email: [email protected]
• Subject Line: Please specify (e.g., "Data Access Request", "Privacy Inquiry")
• Response Time: We aim to respond within 5 business days (1 month for formal rights requests)

15.2 Data Protection Officer

• Email: [email protected]
• Postal Address:
• Data Protection Officer
• Stayz LTD
• 15A Norfolk Place
• London W2 1QJ
• United Kingdom

15.3 General Inquiries

• Support: [email protected]
• Legal: [email protected]
• Website: https://stayzltd.com
• Phone: +44 20 3695 1081

15.4 Supervisory Authority (UK)

If you are not satisfied with our response, you can contact:

• Information Commissioner's Office (ICO)
• Website: https://ico.org.uk/
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15.5 EU Data Protection Authorities

For EU residents, find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

16. Special Provisions for California Residents (CCPA)

16.1 CCPA Rights Summary

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected, used, shared, or sold
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the "sale" of personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising CCPA rights

16.2 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (name, email, phone, IP address)
• Commercial information (booking history, payments)
• Internet/network activity (usage data, device information)
• Geolocation data (with consent)
• Audio/visual information (voice messages, profile photos)
• Inferences (preferences, characteristics)

16.3 Sources of Information

• Directly from you
• Automatically from device/app usage
• From third parties (Eviivo, payment processors)

16.4 Business Purposes

See Section 3 for detailed purposes.

16.5 Data Sharing

We share information with service providers for business purposes as outlined in Section 4. We do not "sell" personal information as defined by CCPA.

16.6 Exercising CCPA Rights

Submit Requests:

• Email: [email protected] with "CCPA Request" in subject
• Phone: +44 20 3695 1081
• In-app: Settings > Privacy > CCPA Rights

• Verification: We will verify your identity before processing requests
• Response Time: 45 days (extendable by 45 days)
• Authorized Agent: You may designate an authorized agent to make requests on your behalf

Appendix A: Glossary

• Data Controller: The entity that determines the purposes and means of processing personal data (Stayz LTD)
• Data Processor: An entity that processes personal data on behalf of the data controller (e.g., Eviivo, Stripe)
• Data Subject: An identifiable individual whose personal data is processed (you, the user)
• GDPR: General Data Protection Regulation – EU data protection law
• Personal Data: Any information relating to an identified or identifiable person
• Processing: Any operation performed on personal data (collection, storage, use, sharing, deletion)
• Pseudonymization: Processing data so it can no longer be attributed to a specific person without additional information
• Anonymization: Irreversibly altering data so it can no longer identify an individual

Appendix B: Data Processing Activities

Summary of Processing Activities (Article 30 GDPR Record):