Privacy Policy
Effective Date: 1 September 2025 · Last Updated: May 2026
1. Introduction
This Privacy Policy explains how OH-Stay.com ("OH-Stay", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website, mobile applications, and services (together, the "Platform"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and all other applicable European data protection laws.
By using the Platform, you confirm that you have read and understood how we handle your personal data as set out below. If you have any concerns, please contact us at the address in Section 16 before using our services.
2. Data controller
The data controller responsible for your personal data is:
O.H OWNERS-HUB LTD (trading as OH-Stay.com)
Registered address: Thiseos 7, 2042, Nicosia, Cyprus
Email: contact@oh-stay.com
If you have any questions about how we handle your personal data, or wish to exercise your rights under GDPR, please contact us at the address above.
3. The data we collect
3.1 Data you provide directly
- Account information. Your name, email address, phone number, date of birth, nationality, and profile picture when you create an account.
- Identity verification. Passport, national identity card, or driving licence details. Required for host KYC (Know Your Customer) verification and for guest registration under Spanish Royal Decree 933/2021 where applicable.
- Payment information. Credit and debit card details, bank account information, and IBAN. Payment data is processed by our payment service provider, Stripe, and is not stored on OH-Stay's servers. See Section 6 for details.
- Listing information. Property address, descriptions, photographs, pricing, availability, house rules, and amenity details provided by hosts.
- Booking information. Check-in and check-out dates, number of guests, guest names, and any special requests.
- Communications. Messages between hosts and guests, emails to our support team, reviews, and feedback.
- Tax information. Tax Identification Number (TIN), VAT registration number, and country of tax residence. Collected from hosts and affiliates to comply with EU Council Directive 2021/514 (DAC7) and related tax reporting obligations. See Section 5.5 for details.
3.2 Data we collect automatically
- Usage data. Pages visited, links clicked, search queries, time spent on pages, referral source, and session duration.
- Device and browser data. IP address, browser type and version, operating system, device type, and screen resolution.
- Location data. Approximate location derived from your IP address; precise location only if you explicitly enable location services on your device.
- Cookies and similar technologies. We use cookies, local storage, and similar tracking technologies to operate the Platform, remember your preferences, and analyse usage. See our Cookie Policy for full details.
3.3 Data we receive from third parties
- Payment service provider. Transaction confirmation data from Stripe relating to completed payments and refunds.
- Identity verification services. Results of identity checks and sanctions screening performed during KYC verification.
- Imported reputation data. If you choose to import your reputation from another platform (such as review ratings and counts), we process the data you voluntarily provide for this purpose.
4. Legal basis for processing
We process your personal data on the following legal grounds under GDPR Article 6:
- Performance of a contract (Article 6(1)(b)). Processing necessary to provide our services to you — including facilitating bookings, processing payments, managing listings, and communicating about reservations.
- Legal obligation (Article 6(1)(c)). Processing required to comply with applicable laws, including tax reporting (DAC7), anti-money laundering regulations, guest registration requirements (Spanish Royal Decree 933/2021), and responding to lawful requests from authorities.
- Legitimate interests (Article 6(1)(f)). Processing necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, analytics, and enforcing our Terms of Service. We balance our interests against your rights and freedoms before relying on this basis.
- Consent (Article 6(1)(a)). Where we rely on your consent — for example, for marketing communications, non-essential cookies, or the use of precise location data. You may withdraw your consent at any time by contacting us or adjusting your account settings.
5. How we use your data
5.1 Providing our services
- Processing and managing bookings between guests and hosts.
- Facilitating payments through Stripe Connect, including holding funds during cancellation windows and transferring payouts to hosts.
- Verifying host and guest identities through our KYC process.
- Enabling communication between hosts and guests before, during, and after a stay.
- Managing listings, calendars, pricing, and availability.
5.2 Safety and security
- Detecting and preventing fraud, unauthorised access, and other illegal activities.
- Screening hosts against sanctions and Politically Exposed Persons (PEP) databases as part of our KYC process.
- Enforcing our Terms of Service and Platform rules.
- Investigating and resolving disputes, complaints, and damage reports.
5.3 Improving our services
- Analysing usage patterns to improve the Platform's functionality and user experience.
- Conducting research and analysis to develop new features.
- Personalising search results, recommendations, and content based on your preferences and activity.
5.4 Communications
- Sending booking confirmations, payment notifications, and other transactional communications.
- Responding to your enquiries and providing customer support.
- With your consent, sending promotional and marketing communications. You can opt out at any time.
5.5 Tax reporting (DAC7)
Under EU Council Directive 2021/514 (DAC7), OH-Stay is required to collect certain information from hosts and affiliates and report their earnings to EU tax authorities annually. The data reported includes your name, address, date of birth, Tax Identification Number, VAT number (if applicable), IBAN, total earnings per quarter, number of transactions, and property addresses. Reports are filed by 31 January each year covering the previous calendar year. For full details, please refer to our DAC7 FAQs available on our website.
5.6 Guest registration (Spain)
For bookings at properties located in Spain, OH-Stay collects guest identification data as required by Spanish Royal Decree 933/2021. This data — including name, nationality, identity document number, and home address — is submitted to the Spanish Ministry of the Interior via the SES.HOSPEDAJES platform within the legally required timeframe. This processing is carried out under Article 6(1)(c) (legal obligation).
5.7 Automated decision-making
OH-Stay uses automated systems for search result ranking (based on factors including pricing, availability, reviews, and guest preferences) and for fraud detection scoring. These systems do not make decisions that produce significant legal effects on you without human review. If you believe an automated decision has adversely affected you, you may contact us to request a manual review.
6. Payment data and Stripe
OH-Stay uses Stripe, Inc. and Stripe Payments Europe, Ltd. as our payment service provider. When you make a payment or receive a payout through the Platform:
- Your card details are collected and processed directly by Stripe. OH-Stay does not store your full card number, expiry date, or CVC on our servers.
- Hosts are onboarded through Stripe Connect Express accounts. Stripe collects and verifies host identity and bank account details directly. OH-Stay receives confirmation of verification status but does not access or store the underlying identity documents submitted to Stripe.
- Stripe acts as a data processor on our behalf for payment processing, and as an independent data controller for its own compliance and fraud prevention purposes.
Stripe's privacy policy is available at stripe.com/privacy. We encourage you to review it.
7. Who we share your data with
We share your personal data only where necessary and on a lawful basis:
- Hosts and guests. When you make a booking, we share relevant details with the host (guest name, contact information, booking dates, number of guests). When a host accepts a booking, we share their contact details and property information with the guest.
- Stripe. Payment and identity data as described in Section 6.
- Service providers. Third-party companies that help us operate the Platform, including hosting providers, email delivery services, analytics tools, customer support software, and identity verification services. These providers process data only on our instructions and are bound by data processing agreements.
- Tax authorities. Host and affiliate earnings data as required by DAC7 and applicable tax laws. See Section 5.5.
- Spanish authorities. Guest registration data as required by Royal Decree 933/2021. See Section 5.6.
- Law enforcement and regulators. Where we are legally required to do so, or where necessary to protect the safety of our users, prevent fraud, or defend our legal rights.
- Business transfers. In the event of a merger, acquisition, or sale of all or part of OH-Stay, your data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to how your data is handled.
We do not sell your personal data to third parties. We do not share your data with advertisers or data brokers.
8. International data transfers
OH-Stay is based in Cyprus (within the EEA). Where we transfer your personal data outside the European Economic Area, we ensure appropriate safeguards are in place, including:
- Transfers to countries that have received an adequacy decision from the European Commission.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU–US Data Privacy Framework, where applicable.
You may request a copy of the safeguards we use by contacting us.
9. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are as follows:
- Account data: retained for the duration of your account, then deleted within 30 days of account closure unless retention is required by law.
- Booking records: retained for 7 years after the stay, as required for tax and accounting purposes.
- Payment records: retained for 7 years, as required by anti-money laundering and tax regulations.
- KYC and identity documents: retained for 5 years after the end of the business relationship, as required by anti-money laundering regulations.
- DAC7 tax reporting data: retained for 5 to 10 years, as required by the relevant tax authority.
- Guest registration data (Spain): retained for 3 years, as required by Spanish law.
- Communications and support tickets: retained for 3 years after the last interaction.
- Analytics and usage data: retained in anonymised form indefinitely; identifiable usage data deleted after 26 months.
- Marketing consent records: retained for 3 years after consent is withdrawn, as evidence of prior consent.
When data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to you.
10. Your rights under GDPR
Under GDPR and UK GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15). You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16). You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure (Article 17). You may request that we delete your personal data, subject to our legal obligations to retain certain records.
- Right to restriction (Article 18). You may ask us to restrict the processing of your data in certain circumstances.
- Right to data portability (Article 20). You may request your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller.
- Right to object (Article 21). You may object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time.
- Rights related to automated decision-making (Article 22). You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 5.7.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint. You may lodge a complaint with a supervisory authority. See Section 15.
To exercise any of these rights, please contact us at contact@oh-stay.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
11. Cookies and tracking technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary cookies required for the Platform to function (for example, session management and security tokens). These cannot be disabled.
- Functional cookies that remember your preferences — such as language and currency — to improve your experience.
- Analytics cookies that help us understand how visitors use the Platform so we can improve it. We use anonymised analytics where possible.
- Marketing cookies used to deliver relevant advertisements and measure campaign effectiveness. Only set with your consent.
You can manage your cookie preferences at any time through the cookie consent banner on our website or through your browser settings. For full details, please see our Cookie Policy.
12. Children's privacy
OH-Stay's services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided us with personal data, please contact us and we will delete it promptly.
13. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Access controls limiting data access to authorised personnel on a need-to-know basis.
- Regular security audits and vulnerability assessments.
- Secure development practices and code review processes.
- Incident response procedures for data breaches.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay where required by law.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. Where changes are significant, we will notify you by email, or through a prominent notice on the Platform, at least 28 days before the changes take effect.
The Last Updated date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.
15. Supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority in your country of residence, or where the alleged infringement occurred:
- Cyprus: Commissioner for the Protection of Personal Data — dataprotection.gov.cy
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Other EEA countries: a full list of supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en
16. Contact us
If you have any questions or concerns about this Privacy Policy, or wish to exercise your data protection rights, please contact us:
OH-Stay.com
O.H OWNERS-HUB LTD
Thiseos 7, 2042, Nicosia, Cyprus
Email: contact@oh-stay.com