Effective Date: 15 April
This Data Processing Agreement (“Agreement”) is entered into between Stay (https://stay.com.pk) (“Company”, “we”, “us”, or “our”) and the user (“Client”, “you”, or “your”) and forms part of our Terms and Conditions.
This Agreement is designed to comply with the General Data Protection Regulation (GDPR) and governs how personal data is processed.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable person
- Processing: Any operation performed on personal data (collection, storage, use, etc.)
- Data Controller: The entity that determines purposes and means of processing
- Data Processor: The entity that processes data on behalf of the controller
2. Roles and Responsibilities
- Stay acts as a Data Controller when collecting and using user data
- Stay may act as a Data Processor when handling data on behalf of hosts or partners
3. Types of Data Collected
We may process the following types of personal data:
- Name, email, phone number
- Billing and payment details
- Booking and travel information
- IP address and device data
4. Purpose of Data Processing
Personal data is processed for:
- Managing bookings and reservations
- Customer support and communication
- Payment processing
- Improving platform functionality
- Legal and regulatory compliance
5. Lawful Basis for Processing
We process personal data based on:
- User consent
- Contractual necessity (booking services)
- Legal obligations
- Legitimate business interests
6. Data Subject Rights
Under GDPR, users have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request deletion (“Right to be Forgotten”)
- Restrict or object to processing
- Request data portability
Requests can be made via: [Insert Email]
7. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Secure servers
- Encryption protocols
- Access controls
8. Sub-Processors
We may engage third-party service providers (sub-processors) such as:
- Payment gateways
- Hosting providers
- Analytics tools
All sub-processors are required to comply with GDPR standards.
9. International Data Transfers
If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards such as:
- Standard Contractual Clauses (SCCs)
- Secure processing agreements
10. Data Retention
We retain personal data only as long as necessary to:
- Fulfill contractual obligations
- Comply with legal requirements
- Resolve disputes
11. Data Breach Notification
In case of a data breach, we will:
- Notify relevant authorities within 72 hours (where required)
- Inform affected users if there is a high risk to their rights
12. Audits and Compliance
We maintain records of data processing activities and may conduct audits to ensure compliance with GDPR.
13. Term and Termination
This Agreement remains in effect as long as personal data is processed. Upon termination, data will be securely deleted or returned, unless retention is required by law.
14. Governing Law
This Agreement is governed by applicable data protection laws, including GDPR where applicable.
15. Contact Information
For GDPR-related inquiries:
- Email: [Insert Email]
- Phone: [Insert Number]
By using Stay, you agree to this GDPR Data Processing Agreement.