Privacy Policy

Effective Date: May 11, 2025

Last Updated: May 11, 2025

At StaySuitely.com ("StaySuitely", "we", "us", or "our"), your privacy is important to us. This Privacy Policy describes how we collect, use, share, and protect your information when you visit or book through our website.

1. Information We Collect

We may collect the following types of personal data:

  • Name, email, and phone number
  • Booking and stay information
  • Payment details (handled securely by third-party processors)
  • Browser data, IP address, and cookies
  • Communication preferences

2. How We Use Your Information

We use your data to:

  • Process bookings and transactions
  • Send confirmations, updates, and support messages
  • Improve our services and user experience
  • Provide promotional offers and loyalty rewards
  • Ensure platform security and legal compliance

2A. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contract Performance (GDPR Article 6(1)(b)): Processing booking information, guest details, payment data, and order history is necessary to fulfill our contract with you when you make a reservation.
  • Consent (GDPR Article 6(1)(a)): Analytics tracking (PostHog, Sentry), marketing communications, and non-essential cookies require your explicit consent, which you can withdraw at any time via our cookie consent banner or account settings.
  • Legitimate Interests (GDPR Article 6(1)(f)): Fraud prevention, security monitoring, and service improvement are based on our legitimate business interests, balanced against your rights and freedoms.
  • Legal Obligation (GDPR Article 6(1)(c)): Retaining transaction records for tax and accounting purposes as required by law.

3. Who We Share It With

Your information may be shared with:

  • Partner hotels to fulfill bookings
  • Payment and technology providers who support our operations
  • Legal authorities if required by law

We do not sell or rent your personal information.

3A. Third-Party Service Providers

We use the following third-party services to operate our platform:

  • Stripe: Payment processing (PCI DSS compliant)
  • Hostex: Property management system integration
  • Supabase: Authentication and user data storage
  • AWS S3: File storage for profile images
  • PostHog: Analytics (requires consent)
  • Sentry: Error tracking and monitoring (requires consent)
  • Cloudflare: Security and bot protection

These providers process data on our behalf under data processing agreements and are required to maintain appropriate security standards.

4. Cookies & Tracking Technologies

We use cookies and similar tracking technologies with your consent. When you first visit our site, you will see a cookie consent banner allowing you to choose which cookies to accept:

  • Necessary Cookies: Essential for site functionality (always enabled)
  • Analytics Cookies: Help us understand site usage (PostHog, Sentry) - requires consent
  • Marketing Cookies: Used for personalized advertising - requires consent
  • Preference Cookies: Remember your settings and preferences - requires consent

You can change your cookie preferences at any time by clearing your browser cookies and revisiting our site. Analytics tracking will only begin after you grant consent through our cookie banner.

4A. Data Retention

We retain your personal data for the following periods:

  • Active Account Data: Retained while your account is active
  • Booking Records: 7 years after transaction (for accounting and tax compliance)
  • Payment Information: Managed by Stripe per their retention policy
  • Marketing Consent: Until you withdraw consent or 2 years of inactivity
  • Analytics Data: Managed by PostHog and Sentry per their policies

After these periods, we securely delete or anonymize your data. You may request earlier deletion by contacting us, subject to legal retention requirements.

5. Your Rights (GDPR & Privacy Laws)

Under GDPR and other privacy laws, you have the following rights:

  • Right to Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw cookie and marketing consent at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at support@staysuitely.com. We will respond within 30 days.

6. Data Security

We maintain industry-standard security measures to safeguard your data, including encryption, secure payment processors, and access controls.

7. International Data Transfers

As we operate a global platform, your personal data may be transferred to and processed in countries outside your country of residence, including the United States.

Services with International Data Transfers:

  • AWS S3 (United States): Profile images and file storage
  • PostHog (United States or EU): Analytics data (with consent)
  • Sentry (United States): Error tracking and monitoring (with consent)
  • Stripe (United States): Payment processing
  • Cloudflare (Global CDN): Security and performance optimization

Legal Safeguards:

  • We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission
  • Our service providers maintain certifications and comply with applicable data protection frameworks
  • Data transfers only occur when necessary to provide our services or fulfill legal obligations

If you have concerns about international data transfers, please contact us at support@staysuitely.com.

8. Data Breach Notification

We take data security seriously and have implemented measures to prevent unauthorized access, loss, or disclosure of your personal information.

In the Event of a Data Breach:

  • Notification Timeline: We will notify affected users within 72 hours of discovering a breach, as required by GDPR Article 33
  • Information Provided: Nature of the breach, categories of data affected, potential consequences, and remedial actions taken
  • Communication Method: Direct email notification to your registered email address and/or a prominent notice on our website
  • Regulatory Reporting: We will also notify relevant data protection authorities as required by law

Your Actions:

  • Monitor your account for suspicious activity
  • Change your password immediately if credentials may have been compromised
  • Review your booking history and payment statements
  • Contact us with any concerns or questions

If you suspect unauthorized access to your account, please contact us immediately at support@staysuitely.com.

9. Children's Privacy

Our site and services are not intended for individuals under 18. We do not knowingly collect information from minors.

10. Contact Us

If you have questions about this Privacy Policy, please contact:

StaySuitely.com

support@staysuitely.com

78 SW 7th Street, Miami, FL 33130
