Privacy Policy
Effective date: 4 July 2026
1. Who we are
Stays is an AI-powered short-term rental management service operated by CiphraX, Inc., a Delaware corporation (“CiphraX”, “we”, “us”). Stays creates and publishes property listings on booking channels such as Airbnb, Booking.com and Vrbo, answers guest messages, and coordinates operations on behalf of property owners (“hosts”). For privacy questions or requests, contact privacy@ciphrax.io.
2. Who this policy covers
It covers three groups: hosts who create an account and use Stays; visitors to our websites; and guests whose information we handle on a host’s behalf when they book or message a property managed through Stays. For guest data, the host is the data controller and CiphraX acts as a processor — see section 6.
3. What we collect
- Account data. Your name, email address, company name and password. Passwords are stored only as salted cryptographic hashes — we cannot read them.
- Property and listing data. Addresses, photos, descriptions, amenities, pricing and availability that you provide or approve so we can build and publish your listings.
- Conversations with your AI manager. The messages you exchange with the Stays assistant, kept per account and per conversation so the assistant has context and memory of your properties and preferences.
- Booking and guest data (on your behalf). Guest names, contact details, stay dates, booking amounts and guest messages received from the booking channels, used solely to manage the stay.
- Payment information. Guest payments are processed by the booking channels and their payment providers. We receive booking and payout amounts to calculate our fee and your statements. We never collect or store card numbers or bank credentials.
- Technical data. IP address, browser and device type, and security logs generated when you use the service.
- Cookies. We use only essential storage (such as your sign-in session). We do not run advertising trackers on the Stays platform.
4. How we use your data
We use the data above to operate Stays: to generate and publish your listings, answer guests, synchronise calendars across channels, schedule cleaning, prepare your statements, secure the platform, provide support, and meet legal obligations. We send service emails (such as booking notifications and account messages) as part of the service itself. We send marketing only if you opt in, and every marketing email includes an unsubscribe link. We do not sell personal data.
5. How the AI works with your data
The Stays assistant runs on enterprise AI infrastructure hosted by Microsoft Azure. Your conversations and property details are processed to generate replies, listings and recommendations, and to maintain the assistant’s memory of your account. They are not used to train third-party foundation models. Access by our team is limited to what is needed for support and debugging, under access controls. Where the assistant takes actions with financial consequences (for example refunds above a limit you set), the decision is referred to you — the AI does not make solely automated decisions with legal or similarly significant effects on you.
6. Guest data — hosts are the controller
When we answer a guest or manage a booking, we do so on the host’s instructions, as their processor. We use guest data only to manage the stay, never for our own marketing, and we do not sell it. Guests who wish to exercise privacy rights should contact their host or the booking channel they booked through; we assist hosts in fulfilling such requests.
7. Who we share data with
- Microsoft Azure — cloud hosting, database and AI processing. Our primary infrastructure runs in the European Union (North Europe region).
- Booking channels (for example Airbnb, Booking.com, Vrbo, Expedia) — receive your listing content and availability when we publish for you. They are independent controllers under their own privacy policies.
- Channel-connectivity and operational partners — services that link Stays to the booking channels or coordinate cleaning, bound by contracts limiting use of the data to providing their service to us.
- Authorities — where the law requires it, under valid legal process.
- A buyer or successor — if CiphraX is involved in a merger or acquisition, with notice to you before your data becomes subject to a different policy.
8. International transfers
Our primary processing takes place in the European Union. Where data is transferred outside the EU or the United Kingdom — for example to booking channels or service providers operating globally — we rely on recognised safeguards such as adequacy decisions, the EU Standard Contractual Clauses and the UK Addendum, or the EU–U.S. Data Privacy Framework where the recipient participates in it.
9. How long we keep data
Account, property and conversation data are kept while your account is active. If you close your account, we delete or anonymise personal data within 90 days, except records we must keep for legal, tax or dispute purposes, which are kept only as long as those obligations require. Booking records are retained in line with the host’s legal retention duties. Backups roll off on a fixed cycle. We may keep anonymised, aggregated statistics that no longer identify anyone.
10. Security
All traffic is encrypted in transit (TLS) and data is encrypted at rest. Credentials and keys are held in a managed secrets vault, production access is restricted and logged, and each host’s data is separated by account. No system is perfectly secure, but if we learn of a breach affecting your personal data we will notify you and the relevant authority as the law requires.
11. Your rights
Depending on where you live, you have rights under the GDPR, the UK GDPR, or US state laws such as the California Consumer Privacy Act: to access a copy of your data, correct it, delete it, receive it in a portable format, restrict or object to certain processing, withdraw consent at any time, and not be discriminated against for exercising these rights. We honour these requests regardless of where you live, wherever reasonably possible. To exercise any right, email privacy@ciphrax.io; we will verify your identity and respond within the legal deadline (one month under GDPR, 45 days under the CCPA). You may also complain to your local supervisory authority. California residents: we do not sell or share personal information as defined by the CCPA, and we do not use sensitive personal information to infer characteristics about you.
12. Children
Stays is a business service for adults. We do not knowingly collect data from anyone under 18 as an account holder. If you believe a minor has provided us personal data, contact us and we will delete it.
13. Changes to this policy
If we make material changes, we will tell you through the service or by email before they take effect, and the effective date at the top of this page will change. Minor clarifications may be posted directly. The current version is always available at this address.
14. Contact
CiphraX, Inc. — a Delaware corporation
Registered office: 651 N Broad St, Suite 201, Middletown, DE 19709, United States
Privacy requests: privacy@ciphrax.io
General: hello@ciphrax.io