Privacy Policy

Last updated: 11 July 2026

Plain-English summary: We collect the data you give us when you sign up, plus the data needed to run your bookings (guest names, dates, prices, ID for check-in if you enable it). We don't sell your data. We share it only with the third parties that help run the service. You can ask for an export or deletion anytime.

1. Who is the controller

For your own account data, the controller is the NEXRA Stay operating entity. For guest data you upload, you are the controller and we are your processor under EU/UK GDPR.

2. What we collect

From you (account holder)

  • Identification: name, email, phone, business name.
  • Billing: card details (handled and stored by Stripe — we only see brand + last 4).
  • Property data: listings, photos, pricing, calendar.
  • Account activity: login times, IP for security, audit logs.

About your guests (uploaded by you or pulled from OTAs)

  • Name, email, phone, nationality, booking details.
  • ID documents and check-in details, only if you enable digital check-in.
  • Messages exchanged with the guest through the inbox.

3. Why we use it (legal basis)

  • Contract: running the service you've subscribed to.
  • Legitimate interest: security, fraud prevention, product improvement, aggregated analytics.
  • Consent: marketing emails (you can unsubscribe anytime).
  • Legal obligation: tax records, sanctions screening for payments.

4. Subprocessors

The third parties we share data with to run the service:

  • Channex — channel manager (OTAs, calendar, bookings, messaging).
  • Stripe — payment processing, NEXRA | Pay, billing.
  • Supabase — managed Postgres database & authentication (EU region).
  • Cloudflare — hosting, DDoS protection, edge compute.
  • Resend — transactional email delivery.
  • OpenAI / Lovable AI Gateway — AI message suggestions and pricing recommendations (only the content you submit; never used to train public models).
  • Laferla — only if you opt into NEXRA-distributed insurance.

5. International transfers

Data is primarily processed in the EU. Where a subprocessor is outside the EU/UK, transfers are covered by Standard Contractual Clauses.

6. Retention

  • Active accounts: kept while the account is open.
  • Closed accounts: most data deleted within 90 days; financial records kept for 7 years to meet accounting rules.
  • Guest ID documents: deleted automatically 90 days after check-out.

7. Your rights

Under GDPR you can: access, correct, delete, port, restrict, or object. Email privacy@nexra-stay.com and we'll respond within 30 days. You also have the right to complain to your local data protection authority.

8. Security

Encryption in transit (TLS) and at rest. Row-level security on every customer table. Card details never touch our servers (Stripe-hosted). Regular backups. Access to production data is restricted to engineers under audit.

9. Cookies

We use strictly necessary cookies for login and security, and optional analytics cookies to understand product usage. No third-party advertising cookies.

10. Changes

We'll notify you of material changes at least 30 days in advance by email. The "last updated" date at the top always reflects the current version.

11. Contact

Email privacy@nexra-stay.com.

Note: This is a template generated for the NEXRA Stay platform. Have a privacy lawyer in your jurisdiction review and tailor it (including DPA and processor agreements) before relying on it in production.