Stays by CiphraX

Privacy Policy

Effective date: 4 July 2026

1. Who we are

Stays is an AI-powered short-term rental management service operated by CiphraX, Inc., a Delaware corporation (“CiphraX”, “we”, “us”). Stays creates and publishes property listings on booking channels such as Airbnb, Booking.com and Vrbo, answers guest messages, and coordinates operations on behalf of property owners (“hosts”). For privacy questions or requests, contact privacy@ciphrax.io.

2. Who this policy covers

This policy covers three groups: hosts who create an account and use Stays; visitors to our websites; and guests whose information we handle on a host’s behalf when they book or message a property managed through Stays. For guest data, the host is the data controller and CiphraX acts as a processor — see section 6.

3. What we collect

4. How we use your data

We use the data above to operate Stays: to generate and publish your listings, answer guests, synchronise calendars across channels, schedule cleaning, prepare your statements, secure the platform, provide support, and meet legal obligations. We send service emails (such as booking notifications and account messages) as part of the service itself. We send marketing only if you opt in, and every marketing email includes an unsubscribe link. We do not sell personal data.

5. How the AI works with your data

The Stays assistant runs on enterprise AI infrastructure hosted by Microsoft Azure. Your conversations and property details are processed to generate replies, listings and recommendations, and to maintain the assistant’s memory of your account. They are not used to train third-party foundation models. Access by our team is limited to what is needed for support and debugging, under access controls. Where the assistant takes actions with financial consequences (for example refunds above a limit you set), the decision is referred to you — the AI does not make solely automated decisions with legal or similarly significant effects on you.

6. Guest data — hosts are the controller

When we answer a guest or manage a booking, we do so on the host’s instructions, as their processor. We use guest data only to manage the stay, never for our own marketing, and we do not sell it. Guests who wish to exercise privacy rights should contact their host or the booking channel they booked through; we assist hosts in fulfilling such requests.

7. Who we share data with

8. International transfers

Our primary processing takes place in the European Union. Where data is transferred outside the EU or the United Kingdom — for example to booking channels or service providers operating globally — we rely on recognised safeguards such as adequacy decisions, the EU Standard Contractual Clauses and the UK Addendum, or the EU–U.S. Data Privacy Framework where the recipient participates in it.

9. How long we keep data

Account, property and conversation data are kept while your account is active. If you close your account, we delete or anonymise personal data within 90 days, except records we must keep for legal, tax or dispute purposes, which are kept only as long as those obligations require. Booking records are retained in line with the host’s legal retention duties. Backups roll off on a fixed cycle. We may keep anonymised, aggregated statistics that no longer identify anyone.

10. Security

All traffic is encrypted in transit (TLS) and data is encrypted at rest. Credentials and keys are held in a managed secrets vault, production access is restricted and logged, and each host’s data is separated by account. No system is perfectly secure, but if we learn of a breach affecting your personal data we will notify you and the relevant authority as the law requires.

11. Your rights

Depending on where you live, you have rights under the GDPR, the UK GDPR, or US state laws such as the California Consumer Privacy Act: to access a copy of your data, correct it, delete it, receive it in a portable format, restrict or object to certain processing, withdraw consent at any time, and not be discriminated against for exercising these rights. We honour these requests regardless of where you live, wherever reasonably possible. To exercise any right, email privacy@ciphrax.io; we will verify your identity and respond within the legal deadline (one month under GDPR, 45 days under the CCPA). You may also complain to your local supervisory authority. California residents: we do not sell or share personal information as defined by the CCPA, and we do not use sensitive personal information to infer characteristics about you.

12. Children

Stays is a business service for adults. We do not knowingly collect data from anyone under 18 as an account holder. If you believe a minor has provided us personal data, contact us and we will delete it.

13. Changes to this policy

If we make material changes, we will tell you through the service or by email before they take effect, and the effective date at the top of this page will change. Minor clarifications may be posted directly. The current version is always available at this address.

14. Contact

CiphraX, Inc. — a Delaware corporation
Registered office: 651 N Broad St, Suite 201, Middletown, DE 19709, United States
Privacy requests: privacy@ciphrax.io
General: hello@ciphrax.io