Who we are
SipnStay (“we”, “us”) is the data controller for the personal data we collect through this site and service.
For any privacy-related question you can write to hello@sipnstay.fr.
Data we collect
We collect only what we need to provide the service:
If you order as a guest
- Your name, email, and (optional) phone number
- Your arrival date and any notes you write to your host
- The items in your order and the amount paid
- Technical data: IP address, browser, device type, pages visited
If you sign up as a host
- Name, email, phone, password (hashed, never stored in plain text)
- Your property name, city, and the welcome message you write
- Your tax identification, if legally required
How we use your data
- To provide the ordering service (matching your order to your host, confirming, fulfilling)
- To process your payment for an order
- To send transactional emails (order confirmation, password resets, support replies)
- To detect fraud and protect the platform
- To improve the product (only if you give us analytics consent)
- To comply with French tax and accounting law
We do not profile you for advertising, sell your data to third parties, or use automated decision-making that significantly affects you.
Legal basis
Under Article 6 GDPR, we rely on:
- Contract — to fulfil the order you placed or the host agreement you signed
- Legal obligation — to comply with tax, anti-money-laundering, and accounting rules
- Legitimate interests — to secure the platform, prevent fraud, and operate normal business analytics in aggregate
- Consent — for non-essential analytics and any marketing communications. You can withdraw at any time.
Who we share data with
We share strictly what each provider needs to function. They each act as processors under our instructions and signed data-processing agreements.
- Stripe — payment processing and fraud detection. Stripe is the controller of the card data you enter.
- Supabase — our database and authentication provider, hosted in the EU.
- Resend — transactional email delivery.
- Vercel — hosting infrastructure, set to the EU region.
- Hosts — when you place an order, your host receives your name, email, arrival date, items, and any notes so they can prepare the apartment. They do not receive your payment details.
International transfers
Your data is stored on EU servers. Where a processor is incorporated in the United States (Stripe, Resend, Vercel), we rely on the EU-U.S. Data Privacy Framework and the Standard Contractual Clauses approved by the European Commission for any cross-border transfer.
How long we keep data
- Order records — 10 years (French commercial law)
- Invoicing data — 10 years
- Email logs — 12 months
- Server access logs — 6 months
- Account data — for as long as your account is active, then 3 months after closure unless we are legally required to keep it longer
Your rights
Under the GDPR you can:
- Ask for a copy of the data we hold about you (right of access)
- Correct anything that is wrong (rectification)
- Have it deleted, subject to legal retention obligations (erasure)
- Ask us to stop or limit processing (restriction)
- Receive it in a portable format (portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time, for the parts that rely on it
- Lodge a complaint with the CNIL (the French data-protection authority)
See Your GDPR rights for instructions on exercising each one.
Cookies and similar storage
We use three categories of storage, each gated by your choice in the consent banner you see on first visit:
- Strictly necessary — needed for the site to work. Your cart, your host session, our anti-CSRF tokens. We do not ask consent for these because the ePrivacy Directive does not require it.
- Analytics — off by default. If you opt in, we measure how the product is used in aggregate.
- Marketing — off by default and currently unused.
You can change your choices anytime — clear your browser storage to be re-prompted, or write to us at hello@sipnstay.fr.
Security
- Traffic is encrypted in transit (TLS 1.3)
- Data at rest is encrypted (AES-256)
- Passwords are hashed with bcrypt
- Payment data never reaches our servers (Stripe handles it)
- Access to production data is limited to named staff with two-factor authentication
Changes to this policy
If we materially change what we collect or who we share it with, we will update this page and bump the version of our consent banner so you are asked again. For non-material changes we update the “last updated” date above.
Contact
For any privacy question, or to exercise any of your rights, write to hello@sipnstay.fr. We respond within 30 days as required by the GDPR.
This page is a draft pending review by counsel. SipnStay is preparing for launch and the controller entity name above will be replaced with the registered company once incorporation is complete.