Privacy Policy

1. Information We Collect

We collect:

• Identity: Name, email, phone, date of birth, government ID
• Profile: Photo, preferences
• Payment: Processed by Razorpay — we never store card numbers or CVV
• Transaction data: Booking history, payment records
• Usage data: Pages visited, searches, listings viewed
• Device data: IP address, browser type, OS
• Location: Only when you grant permission
• Communications: Messages between hosts and guests

2. How We Use Your Information

We use your data to:

• Process bookings and facilitate payments
• Verify identity and prevent fraud
• Send booking confirmations and transactional communications
• Provide customer support and resolve disputes
• Improve our platform through analytics
• Send promotional communications (only with consent)
• Comply with legal obligations under Indian law
• Calculate and remit applicable taxes

3. Information Sharing

We share data only in these circumstances:

• With hosts: Guest first name, photo and contact upon booking confirmation
• With guests: Host full name, address and contact upon booking
• With service providers: Razorpay, Twilio, SendGrid — under strict data processing agreements
• With authorities: When required by law or court order
• Business transfers: In the event of a merger or acquisition

We never sell, rent, or trade your personal information to third parties for their marketing purposes.

4. DPDP Act 2023 Compliance

AllStay is committed to compliance with India's Digital Personal Data Protection Act 2023. As a Data Fiduciary, we:

• Process personal data only for stated purposes
• Maintain reasonable security safeguards
• Allow you to access, correct and delete your data
• Provide dpo@allstay.in for data protection queries (DPO appointment pending company incorporation)
• Notify you of data breaches within 72 hours
• Do not transfer personal data outside India without appropriate safeguards

5. Data Retention

We retain your data as follows:

• Account data: Until deletion + 6 months
• Booking records: 7 years (GST compliance)
• Payment records: 7 years (RBI regulations)
• Communication logs: 3 years for dispute resolution
• Marketing preferences: Until you withdraw consent

6. Your Rights

Under the DPDP Act 2023, you have the right to:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Erasure: Request deletion (subject to legal obligations)
• Nomination: Nominate someone to exercise rights on your behalf
• Withdraw consent: For data processing based on consent
• Grievance: Email dpo@allstay.in — DPO will be formally appointed upon incorporation

To exercise any right, email dpo@allstay.in or use Privacy controls in your account settings.

7. Cookies & Tracking

We use cookies to:

• Keep you logged in across sessions
• Remember your search preferences
• Analyse platform usage
• Show relevant listings based on browsing history

You can manage cookie preferences in your browser settings. We display a cookie consent banner on your first visit as required by applicable law.

8. Data Security

We implement:

• 256-bit SSL/TLS encryption for data in transit
• AES-256 encryption for sensitive data at rest
• Regular security audits and penetration testing
• Two-factor authentication for account access
• Access controls limiting employee data access
• PCI-DSS compliant payment processing through Razorpay

9. Contact & Grievances

Data Protection Officer: [To be appointed] · dpo@allstay.in

Grievance Officer (IT Act 2000): [To be appointed] · grievance@allstay.in

Note: AllStay is in the process of incorporation. DPO and Grievance Officer will be formally designated upon company registration. Until then, all data-related requests can be directed to the emails above.

Response within 72 hours as required under DPDP Act 2023.