Privacy Policy
Last updated: [Date]
Staypagy (hereinafter "Platform", "we", "us", or "our"), operated by [Company Name], a company registered in Portugal with tax identification number (NIF) [NIF], with registered office at [Company Address], is committed to protecting the privacy and personal data of all users.
This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the Staypagy platform, in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR"), Lei n.º 58/2019 of 8 August (Portuguese GDPR implementation), and other applicable data protection legislation.
1. Data Controller and Contact Information
Data Controller: [Company Name]
Address: [Company Address]
Email: [Email]
NIF: [NIF]
For any questions regarding the processing of your personal data, please contact us at [Email].
2. Scope and Roles
The Staypagy platform serves two categories of users:
- Property Owners ("Hosts"): Individuals or businesses in Portugal that use Staypagy to create and manage their vacation rental property listings.
- Guests: Individuals who browse property listings and inquire about vacation rental accommodations through Staypagy.
Data Controller / Processor Roles
| Context | Controller | Processor |
|---|---|---|
| Property owner account data (registration, login, account management) | Staypagy ([Company Name]) | — |
| Platform usage and analytics data | Staypagy ([Company Name]) | — |
| Guest inquiry data (name, email, phone, message) | The respective Property Owner (Host) | Staypagy ([Company Name]) |
| Property listing data (photos, descriptions, pricing) | The respective Property Owner (Host) | Staypagy ([Company Name]) |
When Staypagy processes guest inquiry data on behalf of a property owner, it acts as a data processor under Article 28 GDPR.
3. Personal Data We Collect
3.1 Data from Property Owners
| Data Category | Examples | Purpose |
|---|---|---|
| Account credentials | Email address, password (hashed) | Account creation and authentication |
| Property information | Property name, address, photos, amenities, pricing, availability | Listing creation and public display |
| Contact information | Phone number, email | Guest communication |
| Usage data | Login history, features used, pages visited | Service improvement and troubleshooting |
3.2 Data from Guests
| Data Category | Examples | Purpose |
|---|---|---|
| Contact data | Name, email address, phone number | Inquiry processing and communication |
| Inquiry data | Message content, dates of interest, number of guests | Matching with property availability |
| Session data | Session cookies, browsing preferences | Platform functionality |
4. Legal Basis for Processing
We process personal data based on the following legal grounds under Article 6(1) GDPR:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Platform service provision | Performance of contract | Art. 6(1)(b) |
| Guest inquiry processing | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
5. Data Sharing and Recipients
5.1 Service Providers
| Recipient | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting and infrastructure | Germany (EU) |
| Email service provider | Transactional emails (inquiry notifications) | [EU/EEA] |
5.2 Data Sharing Between Staypagy and Property Owners
- Each property owner has access only to inquiry data related to their own properties.
- Staypagy does not share one property owner's guest data with another property owner.
6. International Data Transfers
All primary data processing occurs within the European Economic Area (EEA). Our servers are located in Germany (Hetzner Online GmbH).
If any data transfer outside the EEA becomes necessary, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Property owner account data | Duration of the account + 1 year after deletion | Contract performance |
| Guest inquiry data | 3 years from the inquiry date | Legitimate interest |
| Session and cookie data | See Cookie Policy | — |
| Support communications | 3 years after resolution | Legitimate interest |
After the retention period, personal data is securely deleted or anonymized.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, in accordance with Article 32 GDPR:
- Encryption: Data in transit is encrypted using TLS/SSL. Passwords are hashed using industry-standard algorithms.
- Access controls: Role-based access; property owners access only their own listing data.
- Infrastructure security: Hosted on Hetzner (ISO 27001 certified) in Germany.
- Regular backups: Automated encrypted backups.
9. Your Rights Under GDPR
Under the GDPR and Lei n.º 58/2019, you have the following rights:
| Right | Description | GDPR Article |
|---|---|---|
| Right of access | Request a copy of your personal data | Art. 15 |
| Right to rectification | Correct inaccurate or incomplete data | Art. 16 |
| Right to erasure | Request deletion of your data | Art. 17 |
| Right to restriction | Restrict processing in certain circumstances | Art. 18 |
| Right to data portability | Receive your data in a machine-readable format | Art. 20 |
| Right to object | Object to processing based on legitimate interest | Art. 21 |
| Right to withdraw consent | Withdraw consent at any time | Art. 7(3) |
How to Exercise Your Rights
Send a request to [Email] with the subject line "Data Protection Request." We will respond within 30 days.
10. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 — 1.º
1200-651 Lisboa, Portugal
Website: https://www.cnpd.pt
Email: [email protected]
11. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. Changes will be communicated through a notice on the platform. The updated policy takes effect on the date indicated at the top of the document.
12. Applicable Law
This Privacy Policy is governed by Portuguese law, the GDPR (Regulation (EU) 2016/679), and Lei n.º 58/2019 of 8 August.
[Company Name]
[Company Address]
NIF: [NIF]
Email: [Email]