
Privacy Policy

Last updated: 13 March 2026

1. Introduction

This Privacy Policy explains how Stay Reply Limited, a company registered in England and Wales, trading as "StayReply", a subsidiary of T2 Partners Limited ("we", "us", "our"), collects, uses, stores, shares, and protects personal data when you use our AI-powered guest messaging platform ("Service").

We are committed to protecting your privacy and the privacy of the guests whose data is processed through our Service. We comply with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR"), as well as any other applicable data protection legislation.

This Privacy Policy should be read alongside our Terms of Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller and Data Processor

The roles and responsibilities for data processing under the Service are as follows:

  • Stay Reply Limited as Data Controller: We are the data controller for the personal data of our customers (account holders) — including registration data, billing information, usage data, and communications with us.
  • Stay Reply Limited as Data Processor: We act as a data processor on behalf of our customers for the personal data of their guests. Our customers (property managers, hosts) are the data controllers for guest data. We process guest data solely on the instructions of our customers and in accordance with these Terms and any applicable Data Processing Addendum.
  • Your obligations as Data Controller: If you are a customer using the Service, you are the data controller for your guests' personal data. You are responsible for ensuring you have a lawful basis to process guest data, providing appropriate privacy notices to your guests, and complying with all applicable data protection laws.

For data protection enquiries, contact our Data Protection Lead at [email protected].

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account and Registration Data

  • Full name, email address, and company/organisation name provided during registration.
  • Authentication credentials — passwords are stored in irreversibly hashed form using bcrypt; we never store plaintext passwords.
  • Account role and permissions (e.g., admin, team member).
  • Billing contact details and subscription plan information.

3.2 Payment and Billing Data

  • Payment transactions are processed by Stripe. We do not store, process, or have access to your full card numbers, CVV codes, or card expiration dates.
  • We store only Stripe customer IDs, subscription IDs, and payment intent IDs for the purpose of managing your subscription and resolving billing queries.
  • Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

3.3 Guest Data (Processed on Your Behalf)

  • Guest names, contact details, and booking information synchronised from your property management system (PMS).
  • Guest messages, conversation history, and communication timestamps.
  • AI-generated reply suggestions and sent communications.
  • Message classification data (intent categories, sentiment, urgency flags).
  • Upsell interactions and guest journey stage data.

Guest data is processed by us solely as a data processor acting on your instructions. We do not use guest data for our own purposes, and we do not sell, share, or disclose guest data to third parties except as necessary to provide the Service or as required by law.

3.4 Property and Business Data

  • Property listings, descriptions, amenities, and house rules synchronised from your PMS.
  • Knowledge base entries you create to train the AI (property-specific information, FAQs, policies).
  • Automation rules, workflow configurations, and upsell templates.

3.5 Usage and Technical Data

  • Service usage patterns, feature interactions, and navigation behaviour.
  • AI performance metrics (classification accuracy, auto-send rates, response times).
  • Device information, browser type and version, operating system, and screen resolution.
  • IP addresses, approximate geolocation (country/region level only), and access timestamps.
  • Error logs and diagnostic data for troubleshooting and service improvement.

4. How We Use Your Data

We process personal data for the following purposes:

Purpose | Legal Basis (UK GDPR)
Providing the Service (AI messaging, property sync, automation) | Performance of contract (Art. 6(1)(b))
Processing guest messages and generating AI replies | Performance of contract; Legitimate interest
Account management and authentication | Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b))
Sending transactional emails (billing, security, onboarding) | Performance of contract; Legitimate interest
Sending activity digests and performance reports | Legitimate interest (Art. 6(1)(f))
Service improvement, analytics, and debugging | Legitimate interest (Art. 6(1)(f))
Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f))
Compliance with legal and regulatory obligations | Legal obligation (Art. 6(1)(c))
Marketing communications (only with explicit consent) | Consent (Art. 6(1)(a))

5. AI and Automated Processing

StayReply uses artificial intelligence, including large language models ("LLMs") provided by third-party AI service providers, to process guest messages. This involves:

  • Message classification: Inbound guest messages are analysed by AI to determine intent (e.g., check-in query, maintenance request, complaint, upsell opportunity) and urgency level.
  • Reply generation: AI generates suggested replies based on the message content, your property knowledge base, and configurable response guidelines.
  • Automated sending: When the "auto-send" feature is enabled, AI-generated replies that meet your configured confidence threshold may be sent to guests without manual review.
  • Sentiment and safety analysis: Messages are analysed for sentiment, potential safety concerns, and escalation triggers.

Important disclosures about AI processing:

  • Guest message content is sent to third-party AI service providers for processing. These providers process the data on our behalf and are contractually prohibited from using it for their own purposes, including training their models.
  • We do not use your guest data or conversation history to train, fine-tune, or improve AI models.
  • AI processing does not involve solely automated decision-making that produces legal effects or similarly significant effects on individuals within the meaning of Article 22 of the UK GDPR. The AI provides suggestions and classifications; final decisions about guest communications remain with you.
  • You have the right to disable automated messaging at any time through your automation settings.
  • You may request human review of any AI-generated classification or response by contacting us.

6. Data Sharing and Third-Party Recipients

We share personal data only where necessary to provide the Service or where required by law. We do not sell personal data to third parties. The categories of recipients are:

Recipient | Purpose | Data Shared
AI service providers | Message classification and reply generation | Message content, property context
Stripe (payment processor) | Payment processing and subscription management | Billing details, email, name
PMS platforms (Hospitable, Guesty, etc.) | Property and conversation synchronisation | Reply content, booking references
Resend (email service provider) | Transactional and notification emails | Email address, name
Cloud infrastructure providers | Hosting, storage, and database services | All Service data (encrypted)

All third-party service providers are bound by data processing agreements and are required to process personal data only in accordance with our instructions and applicable data protection laws. We conduct due diligence on our sub-processors and maintain a list of current sub-processors available upon request.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States, where some of our infrastructure providers and AI service providers are located.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with the UK GDPR, including:

  • Adequacy decisions: Transfers to countries that the UK Secretary of State has determined provide an adequate level of data protection.
  • International Data Transfer Agreement (IDTA): Where no adequacy decision exists, we use the UK's International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
  • Supplementary measures: Where necessary, we implement additional technical and organisational measures (such as encryption in transit and at rest) to ensure the transferred data is adequately protected.

You may request a copy of the relevant transfer safeguards by contacting [email protected].

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:

Data Category | Retention Period
Account registration data | Duration of account + 12 months after closure
Guest messages and conversation history | Duration of account + 6 months after closure
AI classification and reply data | Duration of account + 6 months after closure
Property and knowledge base data | Duration of account + 90 days after closure
Billing and payment records | 7 years (UK tax and accounting requirements)
Activity and audit logs | 12 months from creation
Usage and analytics data | 24 months (aggregated and anonymised where possible)
Marketing consent records | Duration of consent + 3 years after withdrawal

Upon account closure, you may request an export of your data within 90 days. After the applicable retention period, data is securely deleted or irreversibly anonymised.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
  • Password security: User passwords are hashed using bcrypt with appropriate work factors. We never store plaintext passwords.
  • Access controls: Role-based access controls limit data access to authorised personnel only. Team members can only access data within their assigned permissions.
  • Rate limiting: Authentication endpoints and API routes are protected by rate limiting and brute-force detection.
  • Session management: Secure, HTTP-only session cookies with appropriate expiration policies.
  • Infrastructure security: Our hosting infrastructure is provided by reputable cloud providers with SOC 2 and ISO 27001 certifications.
  • Incident response: We maintain an incident response plan and will notify affected users and the ICO within 72 hours of becoming aware of a personal data breach, as required by the UK GDPR.

While we take all reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

10. Cookies and Tracking Technologies

We use a minimal set of cookies to operate the Service:

  • Essential session cookies: Required to maintain your authentication state and session. These are strictly necessary for the Service to function and cannot be disabled.
  • Preference cookies: Store your UI preferences (e.g., theme selection, sidebar state). These enhance your experience but are not essential.

We do not use:

  • Third-party advertising or tracking cookies.
  • Cross-site tracking technologies.
  • Social media tracking pixels.
  • Fingerprinting or device identification technologies beyond standard session management.

We may use privacy-respecting analytics to understand aggregate usage patterns. This data is anonymised and cannot be used to identify individual users.

11. Your Rights Under the UK GDPR

As a data subject, you have the following rights under the UK GDPR. These rights are not absolute and may be subject to certain conditions and exceptions:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, together with information about how it is processed. We will provide this within 30 days of receiving your request.
  • Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data. You can update most account information directly through your account settings.
  • Right to erasure (Article 17): You have the right to request deletion of your personal data ("right to be forgotten") where: the data is no longer necessary for the purpose it was collected; you withdraw consent; or the data has been unlawfully processed. This right does not apply where we are required to retain data for legal or regulatory reasons.
  • Right to restrict processing (Article 18): You have the right to request that we limit how we process your data in certain circumstances, such as while we verify the accuracy of contested data.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit it to another controller without hindrance.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on you. As noted in Section 5, our AI provides suggestions and classifications; final decisions remain with you.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. In complex cases, we may extend this by a further 60 days, in which case we will inform you of the extension and the reasons for it.

We will not charge a fee for handling your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

12. Guest Data — Information for Guests

If you are a guest whose data has been processed through StayReply, please note:

  • Your data was provided to StayReply by your host or property manager, who is the data controller for your personal data.
  • StayReply processes your data as a data processor on behalf of your host/property manager.
  • To exercise your data protection rights (access, rectification, erasure, etc.), please contact your host or property manager directly in the first instance.
  • If you are unable to resolve your concern with your host, you may contact us at [email protected] and we will assist in facilitating your request.
  • Some messages you receive may have been generated or suggested by AI. Your host is responsible for all communications sent to you through the platform.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data as soon as reasonably practicable. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will:

  • Notify you via email to the address associated with your account at least 30 days before the changes take effect.
  • Display a prominent notice within the Service.
  • Update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acknowledgement of the changes.

15. Complaints

If you are not satisfied with how we handle your personal data or your data protection request, you have the right to lodge a complaint with the UK's supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at [email protected].

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: