Privacy Policy
- Who We Are
- Who This Policy Applies To
- Information We Collect
- How We Use Your Information
- Push Notifications
- Cookies & Device Tracking
- Data Sharing & Third Parties
- Cross-Border Data Transfers
- Data Storage & Security
- Data Retention
- Your Rights Under POPIA
- Withdrawing Consent
- Children's Privacy
- Changes to This Policy
- Contact & Complaints
1. Who We Are
Staya is a hospitality management and booking platform operated by Bartholos Pty Ltd, a company registered in South Africa.
| Detail | Information |
|---|---|
| Company | Bartholos Pty Ltd |
| Trading as | Staya |
| Address | Korhaan Crescent 67, Hartswater, 8570, Northern Cape, South Africa |
| info@staya.co.za | |
| Website | https://staya.co.za |
2. Who This Policy Applies To
This policy applies to:
- Guests — individuals who use Staya to browse, book, and manage accommodation stays
- Property Partners — guesthouse owners and operators who list their property on the Staya platform
- Visitors — anyone who visits staya.co.za or uses the Staya mobile application
Staya operates as a platform connecting guests with independently owned and operated guesthouses. Each guesthouse partner is responsible for their own data practices regarding their staff and operational data. This policy covers data processed by Bartholos Pty Ltd through the Staya platform.
3. Information We Collect
We collect the following categories of personal information:
| Category | Examples | Purpose |
|---|---|---|
| Identity | Full name | Booking and check-in |
| Contact | Email address, phone number | Booking confirmation, communication |
| Payment | Transaction records (no card details stored) | Payment processing via Yoco |
| Booking | Dates, room, booking code, number of guests | Reservation management |
| Identification | ID or passport number, drivers licence photo | Check-in verification (where required by property) |
| Vehicle | Vehicle registration number | Guest parking management |
| Device | Device type, OS, push notification token | App functionality and notifications |
| Usage | App interactions, message history with Cara bot | Service improvement |
4. How We Use Your Information
We process your personal information for the following lawful purposes:
- Processing and confirming your booking
- Sending booking confirmations, access codes, and check-in instructions
- Processing payments securely via Yoco
- Providing in-app messaging and support through our Cara assistant
- Sending booking updates, reminders, and notifications
- Enabling property staff to manage your stay
- Verifying your identity at check-in
- Improving the Staya platform and services
- Complying with our legal obligations
- Preventing fraud and ensuring platform security
We will only process your information for the purposes stated above, or where we have your explicit consent.
5. Push Notifications
The Staya app may request permission to send you push notifications to your device. These notifications may include:
- Booking confirmations and updates
- Check-in and check-out reminders
- Messages from property staff
- Responses from our Cara assistant
- Important alerts regarding your stay
To enable push notifications, we collect and store a device push token linked to your email address and booking. This token is used solely to deliver notifications to your device.
You can withdraw consent for push notifications at any time through your device settings (iOS: Settings → Notifications → Staya; Android: Settings → Apps → Staya → Notifications). Disabling notifications will not affect your ability to use the app or manage your booking.
6. Cookies & Device Tracking
The Staya web application (staya.co.za) uses the following:
- Essential cookies — required for the application to function (session management, authentication). Cannot be disabled.
- Local storage — used to store your session and booking information on your device for a seamless experience between visits. No tracking or advertising data is stored.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not sell browsing data or engage in behavioural advertising.
The Staya mobile app does not use browser cookies. The app uses device storage (AsyncStorage) to maintain your session between uses.
7. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the following trusted service providers, strictly for the purposes described:
| Provider | Purpose | Data Shared |
|---|---|---|
| Yoco | Payment processing | Transaction details only — card data never reaches our systems |
| Resend | Transactional email delivery | Email address, booking reference, confirmation content |
| Supabase | Secure database and file storage | All personal data (encrypted at rest) |
| Expo (EAS) | App build and push notification delivery | Push notification tokens |
| Firebase (Google) | Push notification infrastructure (Android) | Push notification tokens |
| Property Partners | Managing your stay | Name, contact, booking details, vehicle registration |
| Legal authorities | Where required by law | As required by applicable law |
All third-party providers are contractually bound to protect your information and may not use it for any purpose other than providing services to Staya.
8. Cross-Border Data Transfers
Some of our service providers operate servers outside of South Africa. Your personal data may be transferred to and stored in countries including the United States and the European Union, where our infrastructure partners (Supabase, Resend, Expo, Firebase) maintain their services.
Where such transfers occur, we ensure appropriate safeguards are in place in accordance with Section 72 of POPIA, including contractual protections with each provider. By using Staya, you consent to these transfers as described in this policy.
9. Data Storage & Security
- All personal data is stored on Supabase-hosted servers with encryption at rest and in transit
- Payment data is handled entirely by Yoco — we never receive or store card details
- Access to personal data is restricted to authorised staff and property partners on a need-to-know basis
- Row-level security policies are enforced at the database level
- ID and licence photos are stored in private, access-controlled storage buckets
- All data transmission uses TLS encryption
While we implement industry-standard security measures, no system is completely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA.
10. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Active booking records | Duration of stay + 5 years | Legal and dispute resolution |
| Payment records | 5 years | SARS tax compliance |
| Inactive accounts | 3 years after last activity | Re-engagement window |
| ID / licence photos | 90 days after checkout | Security verification only |
| Push notification tokens | Until withdrawn or app uninstalled | Notification delivery |
| Message history (Cara) | 2 years | Service improvement and dispute resolution |
After retention periods expire, data is securely deleted or anonymised.
11. Your Rights Under POPIA
As a data subject under the Protection of Personal Information Act (POPIA), you have the following rights:
- Right of access — request a copy of the personal information we hold about you
- Right to correction — request correction of inaccurate or incomplete information
- Right to deletion — request deletion of your information, subject to legal retention requirements
- Right to object — object to the processing of your personal information
- Right to restriction — request that we restrict processing of your information
- Right to data portability — request your data in a structured, commonly used format
- Right to complain — lodge a complaint with the Information Regulator
To exercise any of these rights, contact us at info@staya.co.za. We will respond within 30 days.
12. Withdrawing Consent
Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To withdraw consent:
- Push notifications — disable in your device settings at any time
- Account and booking data — email info@staya.co.za with your request
- Marketing communications — use the unsubscribe link in any email we send
Note: withdrawing consent for essential data processing may affect our ability to provide booking services to you.
13. Children's Privacy
Staya is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us immediately at info@staya.co.za and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or by email at least 14 days before the changes take effect. The updated policy will always be available at staya.co.za/privacy.
Continued use of Staya after the effective date of any changes constitutes acceptance of the updated policy.
15. Contact & Complaints
For any privacy-related queries, requests, or complaints, contact us:
| info@staya.co.za | |
| Address | Korhaan Crescent 67, Hartswater, 8570, Northern Cape, South Africa |
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Website: inforegulator.org.za
Summary: We collect only what we need, share only with trusted partners, never sell your data, and you are always in control. For any questions, email info@staya.co.za.