Stays · Saudi Arabia

Privacy Policy

Last updated: 2026-06-01

1. Who we are

Stays is a short-term rental marketplace operating in the Kingdom of Saudi Arabia. This policy explains what personal data we collect, why, how we keep it secure, and the rights you have under the Saudi Personal Data Protection Law (PDPL).

Data controller: Stays (the company name and CR number will appear here on launch).
Contact: privacy@staysplt.com

2. Data we collect

  • Account & identity: phone number, name, email (optional), language preference, national ID or Iqama for host verification.
  • Bookings & payments: reservations, prices, refunds, the last 4 digits and brand of any card used (full PANs are never stored — they live with PCI-DSS-certified gateways).
  • Listings: photos, descriptions, approximate and exact addresses, tourism / Baladi license numbers.
  • Communications: messages with hosts/guests and support tickets (encrypted at rest, archived 30 days after guest checkout — spec #71).
  • Device & log data: IP address, device model, OS version, push token, app crashes.
  • Location: coarse location for nearby-stays search (only when you grant permission); exact location is revealed only after a booking is confirmed.

3. Why we use it (legal basis)

  • Provide the service: process bookings, deliver SMS OTP, route messages.
  • Safety & fraud prevention: identity verification, anti-laundering, dispute resolution.
  • Legal & regulatory: tax invoices to ZATCA, Tourism Ministry reporting.
  • Service quality: aggregated analytics on app usage and crash reports (no profiling).

We do not use your data for behavioural advertising and we do not sell it to third parties.

4. Sharing

We share the minimum data necessary with:
  • Payment gateways (Mada / HyperPay / PayTabs / Tabby / Tamara) — for charge authorisation only.
  • SMS provider (Authentica) — only your phone number and OTP delivery details.
  • Hosting (Saudi cloud) — operational data; encrypted at rest.
  • Government bodies — when legally compelled (ZATCA invoices, Tourism Ministry, Shomoos, judicial orders).

5. Retention

  • Account data: kept while your account is active. After deletion: anonymised within 30 days.
  • Bookings & invoices: 10 years (Saudi commercial / tax law).
  • Messages: 30 days after the related booking checkout.
  • Identity documents: retained only as long as required for verification.

6. Your rights (PDPL)

You have the right to:
  • Access a copy of your data (in-app: Profile → Export my data).
  • Correct inaccurate fields (Profile → Personal info).
  • Delete your account (Profile → Delete account; 30-day grace period).
  • Object to specific uses (contact privacy@staysplt.com).
  • Withdraw consent for optional processing at any time.
  • Complain to the Saudi Data & AI Authority (SDAIA) if a request is unmet.

7. Security

We protect your data with: TLS 1.3 in transit, AES-256 at rest, OTPs hashed with bcrypt, short-lived JWT access tokens with separate refresh secrets, 2FA on host bank-detail changes, rate limiting on authentication, audit logs on every administrative action, and annual penetration testing.

8. Children

Stays is not intended for users under 18. We don't knowingly collect data from minors. Contact us at privacy@staysplt.com if you believe a minor has signed up.

9. Cross-border transfers

Stays stores personal data within the Kingdom of Saudi Arabia. Cross-border transfers occur only to PCI-compliant payment networks when you make a card payment, with PDPL transfer safeguards in place.

10. Changes

We post the latest version of this policy at this URL. For material changes we notify you in-app and via push notification 30 days before the change takes effect.

11. Contact

For privacy requests:
Email: privacy@staysplt.com
Postal: Stays (address to be filled on launch), Riyadh, Saudi Arabia

This policy is provided in English for international clarity. The Arabic version, when published, will govern in case of conflict.