Privacy Policy
Last updated: February 2026
1. Data Controller
The controller of your personal data is [TODO: Company Name], NIP: [TODO: NIP], with registered address at [TODO: Registered Address], email: support@ezstay.eu (hereinafter referred to as the "Controller").
The Controller operates the ezStay platform ("Service"), a digital guestbook and guide tool for property hosts, available at ezstay.eu.
We have not appointed a Data Protection Officer as we are not required to do so under Article 37 GDPR. For all data protection matters, please contact us at support@ezstay.eu.
2. Data Collected
We collect and process the following categories of personal data:
- Account data: email address, name (optional), profile photo (optional)
- Property data: property names, addresses, descriptions, photos, WiFi credentials, access codes, and other content you add to your guest arrival guides
- Technical data: IP address, browser type and version, device information, operating system, referring URLs
- Payment data: processed by Stripe — we do not store your full credit card number; we receive billing name, last four digits, and transaction history
- Usage data: pages visited, features used, guest arrival guide view counts, timestamps of actions
- Communication data: content of support requests and feedback you send us
3. Processing Purposes
We process your personal data for the following purposes:
- Account creation and management — to provide and maintain your user account
- Service delivery — to enable you to create, edit, publish, and share digital guest arrival guides
- Payment processing — to handle subscription payments, invoices, and refunds via Stripe
- Content translation — to translate your guest arrival guide content using the DeepL API when you request it
- Weather data — to display weather forecasts for your property location
- Analytics and improvement — to understand how the Service is used and to improve its features
- Communication — to respond to your inquiries, send service-related notifications, and inform you about changes
- Legal compliance — to comply with applicable laws, regulations, and legal processes
4. Legal Basis
We process your personal data based on the following legal grounds under GDPR:
- Article 6(1)(b) — performance of a contract: processing necessary to provide the Service you have signed up for
- Article 6(1)(c) — legal obligation: processing necessary to comply with tax, accounting, and other legal requirements
- Article 6(1)(f) — legitimate interest: processing for analytics, Service improvement, and security, where our legitimate interests are not overridden by your rights
- Article 6(1)(a) — consent: where you have given explicit consent, such as for optional marketing communications
5. Technology & Infrastructure
The Service is built on and relies upon the following technologies and third-party services:
| Technology | Role | Data Processed |
|---|---|---|
| Next.js 16 (React) | Frontend & API | Page renders, API routes |
| Supabase (PostgreSQL) | Database, Auth, Storage | Account data, content, files |
| Stripe | Payment processing | Billing, subscriptions |
| Vercel | Hosting & CDN | Request logs, analytics |
| DeepL API | Content translation | Guest Arrival Guide text |
| Open-Meteo | Weather forecasts | Location coordinates |
All third-party services are selected for their compliance with data protection standards. Data processing agreements are in place where required by GDPR.
6. Data Recipients
Your personal data may be shared with the following categories of recipients:
- Supabase (database hosting and authentication) — processes account and content data
- Stripe (payment processing) — processes payment and billing data
- Vercel (application hosting) — processes technical/request data
- DeepL (translation service) — processes guest arrival guide content text when translation is requested
- Open-Meteo (weather data) — receives location coordinates for weather forecasts
All processors are bound by data processing agreements and are required to protect your data in accordance with GDPR.
7. International Transfers
Some of our service providers (Supabase, Stripe, Vercel) are based in the United States. Data transfers to the US and other countries outside the EEA are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
8. Data Retention
We retain your personal data for the following periods:
- Account and content data: for the duration of your account. Upon account deletion, your data is removed within 30 days, except where retention is required by law
- Transaction and billing data: for 5 years from the date of the transaction, as required by tax and accounting regulations
- Technical and analytics data: for up to 12 months, or until consent is withdrawn
- Communication records: for up to 3 years after the last interaction, to allow for resolution of any subsequent disputes or legal claims
9. Automated Decision-Making
We do not use automated decision-making or profiling as defined in Article 22 GDPR. No decisions with legal or similarly significant effects are made about you solely by automated means.
Providing your personal data is a contractual requirement necessary to use the Service. If you choose not to provide certain data, you may not be able to use some or all features of the Service.
10. Your Rights (GDPR / RODO)
Under GDPR (in Poland known as RODO — Rozporządzenie o Ochronie Danych Osobowych), you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — request a copy of your personal data
- Right to rectification (Art. 16 GDPR) — correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17 GDPR) — request deletion of your personal data and account
- Right to restriction (Art. 18 GDPR) — request that we limit how we use your data
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format (JSON or CSV)
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint — you may file a complaint with a supervisory authority. In Poland: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl
To exercise any of your rights, contact us at support@ezstay.eu. We will respond to your request without undue delay and within one month of receipt (Art. 12(3) GDPR). This period may be extended by two further months for complex requests, in which case we will inform you within the first month.
If you are located in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work.
Account deletion: You may delete your account at any time from Settings in the app, or by sending a request to support@ezstay.eu. Upon deletion, all your personal data and guestbook content will be permanently removed within 30 days, except data we are legally required to retain (e.g., billing records for tax purposes — retained for 5 years).
11. Cookies
The Service uses cookies and similar technologies. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please see our dedicated Cookie Policy at ezstay.eu/cookies.
You can manage your cookie preferences at any time using the cookie consent banner or through your browser settings.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a notice on the Service at least 30 days before the changes take effect. The updated policy will be effective as of the date indicated at the top of this page.
Where changes affect processing based on your consent, we will seek your renewed consent. For other changes, continued use of the Service after the notice period indicates your acknowledgment of the updated policy.
13. Contact
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your GDPR rights, please contact us at:
[TODO: Company Name]
[TODO: Registered Address]
Email: support@ezstay.eu
We aim to respond to all inquiries within 3 business days and to resolve data protection requests within one month as required by GDPR.