Privacy Policy

1. Scope and Our Roles

1.1 Website visitors and prospects

When you visit our Website, request a demo, or contact us, Prostay generally acts as a controller (or equivalent) of personal information we collect for those purposes.

1.2 Customer accounts and Customer Data

Prostay is business-to-business software. Customers (for example, hotels and hospitality businesses) may upload or create data in the Service about guests, reservations, staff, suppliers, and business operations ("Customer Data"). For most Customer Data, our customer controls what is collected and how it is used, and Prostay processes Customer Data on the customer's behalf to provide the Service.

If you are an employee, contractor, or guest of one of our customers and want to exercise rights regarding Customer Data, please contact the relevant customer directly. If we receive such a request, we may refer you to the customer or assist the customer where appropriate.

1.3 Integrations

If you enable integrations (including the QuickBooks integration), we process information from the connected third-party service according to your configuration and permissions. Appendix A describes the QuickBooks-specific processing.

2. Information We Collect

2.1 Information you provide directly

• Contact information: name, email address, phone number, company name, job title, and similar details (for example, when requesting a demo or support).
• Account information: user profile details, role/permission assignments, authentication credentials, and account settings.
• Billing and subscription information: billing contact details, invoice details, tax/VAT details (if applicable), and payment status. Payment card processing is typically handled by our payment processor; we do not intentionally store full card numbers.
• Support and communications: messages, attachments, and information you provide when contacting support, reporting issues, or participating in surveys.
• Customer Data: information uploaded to or created in the Service by you or on your behalf (such as reservation records, guest profiles, operational notes, and files), as controlled by the customer account.

2.2 Information collected automatically

• Device and log data: IP address, device identifiers, browser type, operating system, pages viewed, referring/exit pages, timestamps, and diagnostic logs.
• Usage data: feature usage, clicks and interactions, performance metrics, error events, and similar telemetry.
• Cookies and similar technologies: identifiers and settings stored on your device; see Section 11.

2.3 Session replay and interaction data

We use session replay and behavioral analytics tools to understand how users interact with our Website and to improve usability and performance. These tools may collect interaction data such as page navigation, mouse movements, clicks, scrolling, device information, and error events. We configure these tools to reduce collection of sensitive data and to mask or exclude certain inputs where possible.

2.4 Location information

If the Application offers location-based features, and you enable them, we may process approximate or precise location information depending on your device settings and permissions. You can control location permissions through your device settings.

2.5 Information from third parties

• Service providers: for example, hosting, analytics, communications, security, and customer support tooling providers.
• Integration partners: if you enable an integration, we may receive information from the connected platform as permitted by you and required to provide the integration.

2.6 Sensitive information

We do not intentionally collect special categories of sensitive personal information unless you choose to submit such data into the Service. Customers should avoid uploading sensitive information unless it is necessary for their business purposes and they have a lawful basis and appropriate safeguards.

3. How We Use Information

We use personal information for the following purposes:

• Provide and operate the Service: create and administer accounts, authenticate users, provide core functionality, and deliver requested features.
• Customer support: respond to inquiries, troubleshoot issues, and provide technical support.
• Security and fraud prevention: protect accounts, prevent abuse, detect suspicious activity, and maintain the integrity of our systems.
• Improve and develop: analyze usage to improve performance, reliability, and user experience, and to develop new features.
• Communications: send service notices, administrative messages, security alerts, and product communications.
• Marketing: where permitted by law, send marketing communications and measure campaign effectiveness. You can opt out at any time.
• Billing and account management: process subscriptions, manage invoices, and administer payments.
• Compliance and legal: comply with applicable law, respond to lawful requests, enforce our agreements, and protect our rights and users.
• Integrations: provide and operate integrations you enable, including syncing and reconciliation-related workflows as configured by you.

We do not use Customer Data from one customer account to benefit another customer account, except at a customer's direction (for example, where a customer explicitly connects multiple accounts) or where information is aggregated and de-identified such that it does not identify any customer, user, or guest.

4. Legal Bases (EEA/UK and Similar Laws)

Where applicable law requires a legal basis for processing, we rely on one or more of the following:

• Contract: to provide the Service, administer accounts, and perform our obligations under our agreements.
• Legitimate interests: to secure and improve the Service, prevent fraud, and communicate with customers about the Service (balanced against your rights).
• Consent: for certain cookies, session replay, and marketing/advertising technologies where required by law.
• Legal obligation: to comply with applicable laws and lawful requests.

5. Analytics, Advertising, and Session Replay

5.1 Google Analytics 4 (GA4)

We use Google Analytics 4 to understand Website traffic and usage patterns (for example, page views, referrals, and interactions) and to improve our Website and Service. GA4 uses cookies and similar technologies to collect information about your device and your interactions with our Website.

5.2 Meta Pixel

We use the Meta Pixel to measure the effectiveness of advertising and to understand actions people take on our Website after seeing or interacting with our ads. This may involve cookies and the collection of information about your browser and your interactions with our Website.

5.3 LinkedIn Insight Tag

We use the LinkedIn Insight Tag to measure campaign performance and understand Website interactions associated with LinkedIn ads. This may involve cookies and the collection of information about your browser and Website interactions.

5.4 Microsoft Clarity

We use Microsoft Clarity to analyze how users interact with our Website using behavioral metrics, session replay, and heatmaps. Clarity may collect interaction data such as mouse movements, clicks, scrolling, page navigation, device information, and error events. We configure Clarity to reduce collection of sensitive data and to mask or exclude certain inputs where possible.

5.5 Your choices

You can manage your preferences for analytics and advertising cookies through our cookie preference controls (see Section 11) and through your browser settings. Where required by law, we will collect your consent before using non-essential cookies and similar technologies.

6. How We Share Information

6.1 Service providers

We share information with vendors and service providers that help us operate the Service (for example, cloud hosting, analytics, session replay, customer support tooling, email delivery, security, and payment processing). We require service providers to protect information and use it only for providing services to us.

6.2 Analytics and advertising partners

We may disclose information to analytics and advertising partners (such as Google, Meta, LinkedIn, and Microsoft) through cookies, pixels, tags, SDKs, and similar technologies, to measure performance, improve our Website, and understand the effectiveness of marketing. Where required by law, we do so only with your consent.

6.3 Affiliates

We may share information with our affiliates for internal business operations, subject to appropriate protections.

6.4 Customer-controlled sharing

The Service may allow customers to share information with third parties at the customer's direction (for example, exporting reports, sending invoices, or enabling integrations). Such sharing is controlled by the customer's configuration and user permissions.

6.5 Legal and safety

We may disclose information where we believe it is necessary to comply with law, respond to lawful requests, protect the rights and safety of Prostay, our customers, users, or others, investigate fraud, or enforce our agreements.

6.6 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of all or part of our business or assets, information may be transferred as part of that transaction, subject to appropriate protections.

6.7 No sale of personal information

Prostay does not sell personal information for money. Some privacy laws define "sale" or "sharing" broadly to include certain disclosures for targeted advertising. Where applicable, you may opt out of certain advertising-related disclosures through our cookie preferences and other controls described in Section 10 and Section 11.

7. International Transfers

Prostay is based in Hong Kong and may process information in Hong Kong and other countries where we or our service providers operate. Where required, we use appropriate safeguards for cross-border transfers, such as contractual protections and other mechanisms recognized by applicable law.

8. Security

We implement reasonable administrative, technical, and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No security measure is perfect, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your credentials and for using appropriate access controls and permissions for your Authorized Users.

9. Data Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and for legitimate business purposes. Retention periods vary based on the type of information and how it is used.

• Account information: retained while the account is active and for a limited period afterward for administrative, legal, and security purposes.
• Customer Data: retained according to the customer's subscription and configuration; after termination, customers may request export for up to thirty (30) days, after which data may be deleted or anonymized consistent with our Terms and legal obligations.
• Support communications: retained for a reasonable period to track and resolve issues and improve support quality.
• Logs and security records: retained for security, troubleshooting, and audit purposes for a limited period, subject to legal requirements.
• QuickBooks integration tokens: retained only while the integration remains connected, and deleted/invalidated within a commercially reasonable period after disconnect or revocation (see Appendix A).

10. Your Rights and Choices

10.1 Account and marketing preferences

• You can update certain account details within the Service (where available).
• You can opt out of marketing emails by using the unsubscribe link in those messages or by contacting us.
• You can control cookies and similar technologies as described in Section 11.

10.2 Rights under data protection laws

Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, or request portability of your personal information. You may also have the right to withdraw consent where processing is based on consent.

If you are an employee or guest of one of our customers and your request relates to Customer Data, the customer controls that data. Please contact the customer directly. If you contact us, we may forward your request to the relevant customer or assist them in responding.

10.3 California privacy rights

If you are a California resident, you may have rights under the CCPA/CPRA, including the right to know, delete, correct, and to opt out of certain disclosures for cross-context behavioral advertising (sometimes called "sharing"). To submit a request, contact us at office@prostay.com.

You can also opt out of advertising-related cookies and similar technologies through our cookie preferences (see Section 11). Where Prostay processes Customer Data on behalf of a customer, Prostay may act as a service provider/processor and will handle requests consistent with our customer contracts and applicable law.

11. Cookies and Similar Technologies

We use cookies and similar technologies (such as pixels, tags, SDKs, and local storage) to provide the Website and Service, remember preferences, understand usage, improve performance, and measure marketing effectiveness. Where required by law, we present cookie consent controls so you can choose whether to allow non-essential cookies.

11.1 Categories of cookies

• Strictly necessary: required for core functionality, security, and to provide the Website and Service.
• Functional: remember preferences and settings.
• Analytics: help us understand performance and usage (for example, GA4 and Microsoft Clarity).
• Advertising: measure marketing effectiveness and support advertising-related analytics (for example, Meta Pixel and LinkedIn Insight Tag).

11.2 Tools we use

• Google Analytics 4 (GA4) – Website analytics and performance measurement.
• Microsoft Clarity – Website usability analytics, including heatmaps and session replay.
• Meta Pixel – Advertising effectiveness measurement and related analytics.
• LinkedIn Insight Tag – Advertising effectiveness measurement and related analytics.

11.3 Managing cookies and preferences

You can manage cookie preferences using our cookie banner or "Cookie Preferences" controls (if displayed) and through your browser settings. If you disable certain cookies, parts of the Website or Service may not function properly.

11.4 Browser and platform controls

Some browsers and devices allow you to block or delete cookies and manage tracking controls. Your ability to opt out may depend on your browser, device, and applicable law.

11.5 Do Not Track

Some browsers offer a "Do Not Track" ("DNT") setting. There is no industry-standard approach to responding to DNT signals, and our Website may not respond to DNT.

12. Third-Party Sites and Services

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to third parties, and we are not responsible for their practices. Please review the third party's privacy policy before providing information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. If changes are material, we will provide additional notice where appropriate (for example, in the Service or by email to account administrators).

14. Contact

To contact Prostay about privacy matters, email office@prostay.com.

Appendix A: QuickBooks Integration Privacy Notice

This Appendix applies only if you enable the Prostay integration with Intuit QuickBooks (the "QuickBooks Integration"). "QuickBooks" is a third-party service provided by Intuit Inc. Your use of QuickBooks is governed by your agreement(s) with Intuit.

A1. What data Prostay accesses from QuickBooks

When you connect the QuickBooks Integration, you authorize Prostay to access QuickBooks data according to the permissions you grant. Depending on the features you enable and your configuration, this may include information such as your company profile details, chart of accounts, customers, products/services, tax codes, invoices, payments, vendors, bills, journal entries, and related metadata.

A2. Purposes for using QuickBooks data

Prostay uses QuickBooks data only to provide and operate the QuickBooks Integration features you enable, including syncing data between Prostay and QuickBooks, supporting reconciliation-related workflows and reporting as configured by you, and troubleshooting and support for the Integration. Prostay does not use QuickBooks data for advertising or marketing.

A3. Sharing and cross-customer use

Prostay does not share QuickBooks data from one customer account with another customer account. Prostay does not sell QuickBooks data. If Prostay provides benchmarking or comparative insights, Prostay will do so only using aggregated and de-identified data that does not identify any customer, user, or guest.

A4. Tokens, security, and storage

The QuickBooks Integration uses tokens issued by Intuit to access QuickBooks data. Prostay does not request your QuickBooks password. Where Prostay stores tokens (for example, refresh tokens), Prostay protects them using reasonable security controls.

A5. Disconnecting and revoking access

You can disconnect or revoke access to the QuickBooks Integration through Prostay's integration settings and/or Intuit's connections management tools. After revocation or disconnect, Prostay will stop making new API calls to QuickBooks for that connection within a commercially reasonable period and will delete or invalidate stored tokens within a commercially reasonable period.

A6. Data retention after disconnect

Disconnecting the QuickBooks Integration stops ongoing access to QuickBooks. Prostay may retain data previously synced into Prostay as Customer Data (for example, invoices created in Prostay, audit trails, and accounting mappings) until you delete it, your retention settings remove it, or deletion occurs consistent with this Privacy Policy and our Terms of Service.

A7. Trademark notice

Intuit and QuickBooks are registered trademarks of Intuit Inc. Used with permission.