How we treat the data you trust us with.

Prostay Limited is the data controller for the prostay.com marketing site, the Prostay product and any data your team submits when contacting us.

Address: Suite C, Level 7, World Trust Tower, 50 Stanley Street, Central, Hong Kong.
Contact: office@prostay.com.

When you operate Prostay on behalf of a property, we act as a processor for the guest data you upload (reservations, folios, payments, messaging). The property remains the controller of that data.

We split data into three categories so it is obvious which one you are looking at.

Account data

• Name, work email and role, when you create an account or request a demo.
• Property name, country and basic operational profile (room count, brand affiliation).
• Billing details processed by our PCI-compliant payment partners. We never store full card numbers.

Operational data

• Reservations, room assignments, folio postings, housekeeping status, payments and refunds you create inside Prostay.
• Guest profile data (name, contact details, ID document references) that you choose to capture.
• Messaging history with guests through channels you have connected (WhatsApp, Booking.com, Expedia and email).

Telemetry

• Device and browser metadata, IP address and the URLs you visited on prostay.com.
• Errors and performance traces from the product, scrubbed of any guest data before they leave your tenant.

We only collect data we need to do one of four things.

• Run your account. Authenticate users, provision properties, render the product, take payment.
• Operate the platform safely. Detect fraud, recover from incidents, audit access.
• Improve Prostay. Aggregate, anonymous usage signals tell us which features need work.
• Communicate with you. Account notifications, security alerts and the occasional product update if you opt in.

We share data only with the categories of recipient listed below.

• Sub-processors. Cloud infrastructure, email delivery, payments, customer support and observability vendors that operate under written DPAs.
• Connected channels. When you connect Booking.com, Expedia, WhatsApp or another channel, the messages and reservations you exchange flow through their systems under their own terms.
• Authorities. Where required by law, with the minimum data necessary, and only after legal review.

• Active customer data is kept for as long as your subscription is active.
• Closed-account data is kept for 90 days, then deleted unless a longer retention period is required by law (typically 7 years for financial records).
• Marketing and prospect data is kept for up to 24 months from your last interaction.

Depending on where you live, you have the right to access, correct, export or delete your personal data. You can also object to certain processing or withdraw consent.

Submit any of these requests to office@prostay.com. We respond within 30 days, faster on most days.

For account data inside the product, you can self-serve most of these rights from Settings → Privacy.

• Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
• Access to production systems is limited to a small on-call rotation, behind SSO and hardware-backed MFA.
• We run continuous vulnerability scanning, third-party penetration tests and ship security patches within published SLAs.

You can find our trust posture at discover-prostay and request a copy of our most recent security questionnaire from your account team.

We update this policy when our practices change. Material changes are communicated to admins inside the product at least 30 days before they take effect.