Privacy Policy
Effective date: [EFFECTIVE_DATE]
This Privacy Policy explains how [LEGAL_ENTITY_NAME] (“Staying API”, “we”, “us”) collects, uses, and shares personal data in connection with our website, API, MCP server, and dashboard (the “Service”). It covers data about our account holders and site visitors. For our role when you send personal data through the API as part of your own application, see the Data Processing Addendum.
1. Data we collect
Account data. When you sign up we collect your email address, name or company name, and authentication details. Authentication is handled by our identity provider, [AUTH_PROVIDER, e.g. Supabase Auth]; we store the resulting user record and session metadata.
Billing data. When you purchase a paid plan or credits, our payment processor ([PAYMENT_PROCESSOR, e.g. Stripe]) collects and processes your payment details. We do not store full card numbers; we retain billing metadata such as plan, invoices, and the last four digits of your card.
Usage and API data. We log API requests associated with your account — including timestamp, endpoint, request ID, status code, units consumed, and response time — to operate the Service, enforce rate limits, bill usage, debug issues, and detect abuse.
Technical data. We collect standard server logs and, on the marketing site, limited analytics such as IP address, user agent, referrer, and pages viewed.
Communications. If you email support, we retain the correspondence to respond and keep records.
2. Cookies and analytics
We use strictly necessary cookies to keep you signed in and to operate the dashboard. [If applicable] we use [ANALYTICS_PROVIDER] to understand aggregate site usage; configure or disable this here: [COOKIE_SETTINGS_OR_BANNER_REFERENCE]. We do not sell personal data, and we do not use cross-site advertising trackers unless disclosed in an updated version of this policy.
3. How we use data
We use personal data to: provide and secure the Service; authenticate you; process payments and prevent fraud; meter and bill usage; provide support; send service and transactional messages; and comply with legal obligations. Our legal bases (where GDPR/UK GDPR applies) are performance of a contract, legitimate interests (security, fraud prevention, product improvement), consent (where required, e.g. non-essential analytics), and legal obligation.
4. Processors and sharing
We share personal data with service providers (“processors”) who act on our instructions, including:
- [AUTH_PROVIDER] — authentication and account database;
- [PAYMENT_PROCESSOR] — billing and payments;
- [HOSTING_PROVIDER] — application and edge hosting;
- [EMAIL_PROVIDER] — transactional and support email;
- [ANALYTICS_PROVIDER, if used] — aggregate site analytics.
We may also disclose data when required by law, to enforce our Terms, or in connection with a merger or acquisition (with notice where required). We do not sell your personal data.
5. International transfers
We and our processors may process data in [PRIMARY_DATA_REGION] and other countries. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where relevant, the UK International Data Transfer Addendum. See the Data Processing Addendum for details.
6. Data retention
We retain account and billing data for as long as your account is active and as required to meet legal, tax, and accounting obligations. We retain API request logs for [LOG_RETENTION_PERIOD]. When data is no longer needed, we delete or anonymize it.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing or withdraw consent. California residents have rights under the CCPA/CPRA, including the right to know, the right to delete, and the right not to be discriminated against for exercising them. To exercise any right, email support@stayingapi.com. We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local data protection authority.
8. Security
We use industry-standard safeguards including encryption in transit (TLS), access controls, and scoped credentials. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify affected users of a breach as required by law.
9. Children
The Service is not directed to children and is intended for users who are at least the age of majority in [JURISDICTION]. We do not knowingly collect data from children.
10. Changes
We may update this policy. Material changes will be reflected in the effective date above, and we will take reasonable steps to notify you.
11. Contact
Data controller: [LEGAL_ENTITY_NAME], [REGISTERED_ADDRESS]. Privacy contact: support@stayingapi.com. [If you appoint one] Data Protection Officer / EU or UK representative: [DPO_OR_REPRESENTATIVE_CONTACT].
StayingAPI is not affiliated with, endorsed by, or sponsored by Airbnb, Inc. Airbnb is a registered trademark of Airbnb, Inc.