Privacy Policy

Last updated:

Important notice

This Privacy Policy describes how StayReply Limited collects, uses, and protects personal data. We encourage you to read it carefully. If you have questions, contact privacy@stayreply.com.

1. What this Privacy Policy covers

This Privacy Policy explains how StayReply Limited ("StayReply", "we", "us", or "our") collects, uses, stores, and shares personal data when you visit our website at stayreply.com, use our application at appstayreply.com, or interact with our related services including support, sales, and marketing communications.

This Policy does not cover third-party websites, services, or integrations linked from our Service. Those third parties operate under their own privacy policies.

This Policy applies in addition to our Terms of Service and Data Processing Agreement.

2. What we mean by personal data

"Personal data" means information that identifies you directly or could reasonably be linked to you.

Depending on context, StayReply acts as either:

  • Data Controller — for personal data we collect about you directly as our customer, prospect, or visitor (such as your account details, billing information, and marketing preferences)

  • Data Processor — for personal data flowing through the Service on behalf of our customers (such as guest names, message content, and reservation data pulled through your connected integrations)

Different rights and obligations apply depending on our role. The Data Processing Agreement covers our role as Data Processor in more detail.

3. Personal data we collect

The specific information we collect depends on how you interact with our Service. Data is collected in three main ways: information you provide directly, information collected automatically, and information received through integrations.

3.1 Information you provide

When you contact us, subscribe to communications, request a demo, create an account, or use the Service, we may collect:

  • Contact details such as name, email address, phone number, and company name

  • Account information including profile details and authentication credentials (passwords are stored as one-way hashes)

  • Billing details processed by our payment provider; we receive limited metadata such as the last four digits of your card, expiry date, and plan information

  • Support communications including messages, attachments, and call notes

  • Marketing communications preferences

  • Information provided when applying for our affiliate or partner programs

3.2 Information collected automatically

When you use the Service, we automatically collect:

  • Device and browser information (browser type, operating system, device type)

  • Log data including IP address, timestamps, and referring URLs

  • Usage data including pages viewed, features used, and interactions

  • Approximate location derived from IP address

  • Cookies and similar technologies as described in our Cookie Policy

3.3 Information from integrations and third parties

If you enable integrations (PMS systems, smart locks, payment processors, calendar tools), we receive data from those providers based on the permissions you grant. This may include reservation data, guest messages, listing details, lock event data, and authentication tokens.

3.4 Customer-provided data

When you use the Service to communicate with guests, the Service processes personal data about those guests on your behalf. This data is governed by the Data Processing Agreement rather than this Privacy Policy.

4. Sources of personal data

Personal data may come from:

  • You directly when you submit information or use the Service

  • Your organisation if it creates an account, manages billing, or invites you as a user

  • Your device and browser through standard web technologies

  • Third-party integrations you authorise

  • Service providers that support our operations (hosting, analytics, communications, payments)

  • Publicly available sources where relevant

5. Why we collect personal data and our legal basis

We process personal data for the following purposes:

To provide and operate the Service. We process account, billing, and usage data to deliver the Service, manage your subscription, and respond to support requests. Legal basis: performance of a contract.

To improve the Service. We analyse usage data to diagnose issues, monitor performance, and develop new features. Legal basis: legitimate interest in improving our product.

For security. We process data to prevent fraud, detect abuse, enforce our Terms, and protect platform integrity. Legal basis: legitimate interest in security and legal obligation.

For communications. We may send service updates, billing notifications, security alerts, and marketing communications where you have opted in or where permitted by law. Legal basis: performance of a contract, legitimate interest, or consent.

To comply with legal obligations. We process data to meet tax, accounting, and regulatory requirements. Legal basis: legal obligation.

We do not use customer guest message data, knowledge base content, or PMS data to train AI models for use by other customers. Your data is used only to provide the Service to you.

6. How personal data may be shared

We share personal data with:

Service providers. We work with categories of providers including infrastructure and hosting providers, payment processors, communications providers (email and SMS delivery), analytics tools, support tooling, and affiliate tracking services. These providers process data on our behalf under contractual terms designed to protect it. A current list of subprocessor categories is available on request to privacy@stayreply.com.

Legal and regulatory requirements. We may disclose data when required to comply with law, respond to legal process, protect our rights, or protect the safety of users or the public.

Business transfers. If StayReply undergoes a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred as part of that transaction, subject to applicable legal requirements.

Professional advisors. We may share data with auditors, lawyers, accountants, and similar advisors where necessary and under confidentiality obligations.

With your direction. When you enable an integration, invite collaborators, or export content, data flows according to your direction.

We do not sell personal data. We do not share personal data with third parties for their own advertising purposes.

7. Cookies, analytics, and tracking

We use cookies and similar technologies to operate the Service, remember preferences, measure performance, and support marketing where enabled. Full details are provided in our Cookie Policy at stayreply.com/legal/cookie-policy.

8. Data security

We implement technical and organisational measures designed to protect personal data, including:

  • Encryption in transit using TLS 1.3

  • Encryption at rest using AES-256

  • Encrypted storage for sensitive credentials such as PMS API keys and smart lock tokens using AES-256-GCM

  • Access controls and least-privilege policies

  • Logging and monitoring of production systems

  • Regular security review and incident response procedures

No method of transmission or storage is fully secure. We cannot guarantee absolute security but commit to applying industry-standard safeguards.

9. Data retention

We retain personal data only for as long as needed to provide the Service and for the purposes described in this Policy.

Retention guidelines:

  • Active account data is retained for the duration of your subscription

  • Customer Content is retained for 30 days following account cancellation, then permanently deleted (you may request immediate deletion at any time)

  • Billing and tax records are retained for the period required by UK tax law (currently 6 years)

  • Support communications are retained for up to 3 years for quality and audit purposes

  • Marketing communication preferences are retained until you change them

  • Security logs are retained for up to 2 years

10. Your privacy rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you

  • Correction. Ask us to correct inaccurate or incomplete data

  • Deletion. Request that we delete your personal data, subject to legal and contractual retention requirements

  • Restriction. Request that we restrict processing in certain circumstances

  • Portability. Receive your personal data in a structured, machine-readable format

  • Objection. Object to processing based on legitimate interests

  • Withdrawal of consent. Where processing is based on consent, withdraw that consent at any time

  • Complaint. Lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk)

To exercise these rights, contact privacy@stayreply.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before responding.

11. Regional privacy disclosures

11.1 For UK and EEA users

Processing of your personal data is subject to UK GDPR and EU GDPR where applicable. Our lawful bases for processing are described in Section 5.

For international data transfers outside the UK or EEA, we use appropriate safeguards including Standard Contractual Clauses and the UK Addendum where required.

You may contact our privacy team at privacy@stayreply.com for any data protection enquiries.

11.2 For California residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to:

  • Know what personal information we collect, use, disclose, and share

  • Request deletion of personal information

  • Opt out of sale of personal information (we do not sell personal information)

  • Not be discriminated against for exercising your rights

To exercise these rights, contact privacy@stayreply.com.

11.3 For other jurisdictions

Depending on your jurisdiction, additional rights may apply. Contact privacy@stayreply.com to discuss specific requirements.

12. International data transfers

The Service may involve transferring personal data across borders, including to countries outside the UK and EEA. Where this occurs, we use appropriate safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

13. Children's privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@stayreply.com and we will delete it.

14. Personal data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and any required supervisory authorities within 72 hours of becoming aware of the breach, where required by law.

15. Changes to this Privacy Policy

We may update this Policy from time to time. Material changes will be communicated through the Service, by email, or by updating this page with a revised effective date.

16. Contact information

For privacy questions or to exercise your rights, contact:

StayReply Limited, Data Protection, 124-128 City Road, London, EC1V 2NX, United Kingdom

Email: privacy@stayreply.com

Company number: 17082699
