This Privacy Policy explains how Stey collects, uses, shares, and protects personal data when you use Stey’s international websites, mobile applications, and related guest services (together, the “Services”). It also explains your privacy rights and how to contact us.

1) Who we are (Controller)

For the Services described in this Policy, the data controller is:

Stey Nordics AS (org. no. 932047233)
Rådhusgata 23, 0158 Oslo, Norway
Email: [privacy@stey.com] (placeholder)
Support: [support@stey.com] (placeholder)

Data Protection Officer (DPO)

Stey Nordics has not appointed a Data Protection Officer unless explicitly stated here. If a DPO is appointed, Stey will publish the DPO contact details in this Policy and/or in the Services.

EU representative

Stey Nordics AS is established in Norway (EEA). Stey does not appoint an “EU representative” for GDPR purposes on that basis.

2) Scope

This Policy applies to:

• visitors to Stey websites and users of the Stey app;

• direct booking customers (website/app);

• guests using in-stay features (PIN access, messaging, smart-room controls, billing);

• users of community features where you can post content.

If you book through an online travel agency (OTA), the OTA may process your data as a separate controller under its own privacy policy. We still process personal data to deliver your stay and any Services you use.

3) Personal data we collect

We collect personal data:

• you provide to us directly;

• generated when you use the Services;

• obtained from partners (e.g., OTAs, payment processors) when needed to provide your booking or stay.

3.1 Data you provide

Account and profile

• name, email, phone number, password (or login token), language preferences

• profile picture, nickname, bio, and other optional profile fields (if you add them)

Booking and stay

• booking details (property, dates, room type, rate, number of guests, special requests)

• guest names (including additional guests) and contact details where provided

• invoices/receipts, billing references, and communication about bookings

Identity/verification

• identity document details (e.g., passport/ID number, nationality) where required by law or necessary for check-in/self check-in/security/fraud prevention

• where legally required, we may collect/record check-in registration information required by local authorities

Support and communications

• messages to/from front desk or support, call logs (if you call us), and attachments you send

Community / UGC

• content you post (text, photos, comments), reactions, reports, and moderation-related records

3.2 Data collected automatically

Device and usage

• IP address, device identifiers, device type/model, operating system, app version, browser type

• approximate location derived from IP (city/region level)

• usage events (pages/screens viewed, clicks, session timestamps, referring URLs)

Cookies and similar technologies (web)

• cookie identifiers and related analytics/advertising signals (as configured in your cookie choices)

In-app operational events

• delivery status for in-app messages and push notifications (e.g., delivered/failed)

• security and fraud signals (e.g., unusual login patterns)

3.3 Data from partners

• OTAs / travel partners: reservation details needed to honor your booking (dates, guest name, contact, rate plan, preferences)

• Payment service providers (PSPs): confirmation of payment status, transaction references, and chargeback/dispute information. Stey does not store full payment card details when you pay via a PSP.

• Identity verification providers (if used): verification outcome/status and limited supporting data depending on the method (details will be listed once vendors are confirmed).

4) Why we process your data (purposes)

We use personal data to:

1. Provide the Services (create accounts, enable guest features, show booking info, provide PIN access, facilitate messaging).

2. Process and manage bookings and stays (confirm, modify, cancel bookings; manage check-in/out; issue invoices; handle incidentals and additional services).

3. Operate payments via PSPs (send necessary transaction data to PSPs and reconcile payments).

4. Provide customer support and handle disputes/complaints.

5. Ensure safety, security, and fraud prevention (account security, access control, misuse detection, protecting guests/staff/property).

6. Comply with legal obligations (e.g., local guest registration obligations, accounting/tax requirements).

7. Improve and develop Services (analytics, debugging, performance monitoring).

8. Community features (publish content, enable interactions, enforce rules, moderation).

9. Marketing and communications (send offers/news where permitted and according to your preferences/law; measure campaign performance).

5) Legal bases (EEA/UK) and similar grounds (Switzerland)

Where GDPR/UK GDPR applies, we process personal data under one or more of these legal bases:

• Contract: to provide bookings, stays, and requested Services.

• Legal obligation: to meet legal requirements (e.g., accounting, local guest registration where applicable).

• Legitimate interests: security, fraud prevention, service improvement, and maintaining Service functionality (balanced against your rights).

• Consent: where required (e.g., certain cookies, some marketing in certain jurisdictions, optional device permissions).

• Vital interests: where necessary to protect someone’s life.

For Switzerland, we process personal data in line with the Swiss FADP principles and, where relevant, aligned mechanisms for cross-border transfers.

6) Cookies and similar technologies

We use cookies and similar technologies on our websites for:

• essential site functionality;

• analytics and performance;

• personalization;

• (if enabled) marketing measurement/advertising.

You can manage cookie preferences via [cookie banner / cookie settings link placeholder]. Some cookies are essential and cannot be disabled.

7) Sharing your data

We share personal data only as necessary for the purposes above, including with:

Hotels / property operators and service teams

• to fulfill your booking and provide on-property services (front desk, housekeeping, security, billing).

Service providers (processors)

• hosting, analytics, customer support tooling, messaging/push providers, fraud prevention, identity verification (if used), and other IT vendors that process data on our instructions.

PMS / platform service providers (including group companies)

• Stey uses technology providers to operate its property management and guest services platform. For example, Stey Nordics may use a group company based outside the EEA to provide PMS/platform services to Stey Nordics as a processor, under Stey Nordics’ instructions and contractual safeguards.

Payment service providers

• to process your payment and manage disputes/chargebacks. Stey receives payment status and transaction references from the PSP.

Professional advisors

• lawyers, auditors, insurers, and consultants as needed.

Authorities

• where required by law or to respond to lawful requests.

Corporate transactions

• if we are involved in a merger, acquisition, or asset sale, personal data may be transferred subject to appropriate protections and notices.

No sale of personal data

We do not sell your personal data. We may share personal data with vendors acting on our behalf (processors) for Stey’s purposes only.

8) International transfers

Stey is based in Norway (EEA). Some service providers and group companies may be located outside the EEA/UK/Switzerland.

Where personal data is transferred internationally, we use appropriate safeguards such as:

• adequacy decisions where applicable; and/or

• Standard Contractual Clauses (SCCs) and supplemental measures; and/or

• other lawful transfer mechanisms recognized under applicable law.

You can request more information about transfer safeguards via the contact details in Section 14.

9) Data retention

We retain personal data only as long as necessary for the purposes in this Policy, including:

• Bookings, invoices, and accounting records: retained for statutory periods required by applicable law.

• Guest communications/support records: retained as needed for support, dispute resolution, and quality control.

• Security logs: retained for a limited period appropriate for security and fraud prevention.

• Community content: retained until you delete it or your account is closed, subject to backups, moderation records, and legal requirements.

Retention periods may vary by country/property and legal requirements.

10) Security

We use technical and organizational measures designed to protect personal data, such as access controls, encryption in transit, logging, and vendor security reviews. No system is perfectly secure; you should also protect your account credentials and devices.

11) Your rights

Depending on your location and applicable law (including GDPR/UK GDPR), you may have rights to:

• access your personal data;

• correct inaccurate data;

• delete data (subject to legal/contractual limits);

• restrict or object to processing (including for direct marketing);

• portability of certain data;

• withdraw consent where processing is based on consent (without affecting prior lawful processing);

• lodge a complaint with a supervisory authority.

How to exercise rights: contact [privacy@stey.com] and specify your request. We may need to verify your identity.

12) Marketing preferences

You can opt out of marketing emails via the unsubscribe link in emails or by contacting us. Transactional communications (booking confirmations, check-in messages, billing notices, security alerts) may still be sent as they are necessary to provide the Services.

We do not sell your personal data to third parties for their own marketing.

13) Children/minors

Our Services are intended for adults. If we learn that we have collected personal data from a child in a manner that is not permitted by applicable law, we will take steps to delete it and/or obtain appropriate consent where required.

14) Children/minors

Our Services are intended for adults. If we learn that we have collected personal data from a child in a manner that is not permitted by applicable law, we will take steps to delete it and/or obtain appropriate consent where required.

15) Cookies and similar technologies
We use cookies and similar technologies (such as pixels and SDKs) to operate our websites and support certain features in our Services. Cookies are small text files stored on your device. Some cookies are set by us (first-party) and some are set by our service providers (third-party).

16) Strictly necessary cookies
These cookies are required for the website to function and to provide the services you request. They help with secure login and session management, fraud prevention, load balancing, and storing your cookie preferences. Strictly necessary cookies are always active. You can set your browser to block these cookies, but parts of the website may not work.

17) Optional cookies
With your permission (where required), we may also use optional cookies for:

• Preferences (e.g., remembering language or region settings),

• Analytics (to understand how the website is used and improve performance),

• Marketing (to measure the effectiveness of our advertising and, if enabled, to show relevant offers).

18) Contact and complaints

Privacy contact: [privacy@stey.com] (placeholder)
Postal address: Stey Nordics AS, Rådhusgata 23, 0158 Oslo, Norway

If you are in the EEA/UK, you may lodge a complaint with your local supervisory authority. In Norway, this is typically the Norwegian Data Protection Authority (Datatilsynet).

19) Updates to this Policy

We may update this Policy from time to time. We will post the latest version in the Services and update the “Effective date.” If changes are material, we will provide additional notice where appropriate.