This Privacy Policy explains how StayShare+ (“StayShare”, “we”), the operator of stayshareplus.com and the StayShare+ apps, collects, uses, shares, and protects your personal data. StayShare is the data controller for the Platform. This document is published in English; translations are provided for convenience and the English version governs.
1. Data we collect
Data you give us
- Account: name, email address, phone number, password (stored hashed), profile photo, and language preference.
- Bookings: stay dates, guest count, and messages you exchange with hosts or support.
- Payments: handled by Stripe. Card details go directly to Stripe — we never see or store your full card number. We keep the booking amount, currency, and Stripe’s payment reference.
- Hosting: listing details, payout onboarding status (via Stripe Connect), and verification data if you claim an imported listing (phone number for a one-time code, or a verification token).
- Support: the content of help requests and reports you submit.
Data collected automatically
- Technical: IP address, device and browser type, and security events (such as sign-ins from a new country) used for fraud prevention.
- Usage analytics: only with your consent (see the Cookie Policy) — page views and product-usage events, used to improve the Platform.
2. Why we process it (legal bases)
- To perform our contract with you: operating your account, processing bookings and refunds, host payouts, and messaging.
- Legitimate interests: securing the Platform, preventing fraud and abuse, providing support, and improving core functionality.
- Consent: analytics and marketing cookies, and any marketing communications — each can be withdrawn at any time.
- Legal obligations: tax, accounting, and lawful requests from authorities.
3. Who we share data with
We do not sell your personal data. We share it only with the service providers needed to run the Platform, and with your booking counterparty:
- Hosts and guests: when a booking is made, each party sees the information needed for the stay (name, profile photo, stay details, messages).
- Processors: Stripe (payments and payouts), Supabase (database and authentication hosting), Vercel (web hosting), Twilio (SMS/WhatsApp verification codes), Resend (transactional email), Mapbox (maps), Sentry (error monitoring), and PostHog (consent-gated analytics). Each processes data under contract and only on our instructions.
- Authorities: where required by law or to protect the safety of our community.
Some providers process data outside your country (including the EU/EEA, UK, and United States). Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.
4. How long we keep it
- Account data: for as long as your account is open.
- Booking and payment records: retained after account closure as required for tax, accounting, and dispute-resolution obligations, then deleted.
- Security logs: up to 12 months.
- Analytics: per the consent and retention settings of the analytics tool.
5. Your rights and the tools we give you
- Access & portability: download a copy of your data any time from Account settings (“Export my data”) — no support ticket needed.
- Correction: edit your profile and account details directly in the app.
- Deletion: request account deletion from Account settings. We delete or anonymise your data except records we must keep by law.
- Consent management: change cookie and analytics choices any time via the cookie preferences (see the Cookie Policy).
- Objection & restriction: contact us via the Help Center to object to or restrict processing based on legitimate interests.
- Complaints: you can lodge a complaint with your local data protection authority (for example the CNIL in France or the FDPIC in Switzerland).
6. Security
All traffic is encrypted in transit (TLS/HSTS). Access to personal data is restricted by row-level security in our database and by role-based staff access with audit logging. Payments are isolated with Stripe (PCI DSS Level 1). No system is perfectly secure — if we learn of a breach affecting your data, we will notify you and the competent authority as required by law.
7. Children
The Platform is not directed at children and accounts require users to be at least 18 years old. We do not knowingly collect data from minors.
8. Changes and contact
We will post any changes to this policy here and, for material changes, notify you by email or in-product. Privacy questions or requests: contact us via the Help Center.