1. Who We Are
Offer2Stay Ltd ("we", "us", "our") is a company registered in England & Wales (company number 17248175), operating the Offer2Stay platform at https://www.offer2stay.co.uk. We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Registered office: 128 City Road, London EC1V 2NX, United Kingdom.
Data-protection postal contact (registered with the ICO): 22 Northumberland Gardens, Newcastle upon Tyne, NE2 1HA, United Kingdom.
Privacy contact: privacy@offer2stay.co.uk
2. What Data We Collect
- Account data: name, email address, phone number, role (guest or host).
- Enquiry data: preferred location, dates, number of guests, budget, amenity requirements.
- Property data (hosts): property address, photos, descriptions, pricing, availability.
- Booking & payment data: booking dates, amounts, Stripe payment references (we do not store full card numbers).
- Messages: content of conversations between guests and hosts on the platform.
- Technical data: IP address, browser type, device info, pages visited, timestamps — collected via server logs and cookies.
3. How We Use Your Data
- To create and manage your account.
- To match guest enquiries with suitable host properties.
- To process bookings and payments via Stripe.
- To send transactional emails (booking confirmations, offer notifications, reminders).
- To provide customer support and resolve disputes.
- To detect fraud and enforce our terms of service.
- To improve our platform through aggregated, anonymised analytics.
4. Legal Bases for Processing
- Contract: processing necessary to provide the platform services you signed up for.
- Legitimate interests: fraud prevention, platform security, service improvement.
- Legal obligation: tax records, regulatory compliance.
- Consent: marketing communications (you can opt out at any time).
5. Data Sharing
We share your data only when necessary:
- Between guests and hosts: to facilitate bookings (name, dates, enquiry details).
- Stripe (Stripe Connect): payment processing via destination charges. A 10% platform fee is deducted before funds are transferred to the host's connected Stripe account. Card details are handled entirely by Stripe and never touch our servers. Governed by Stripe's Privacy Policy.
- Supabase: authentication and database hosting. User credentials are managed via Supabase Auth; application data is stored in a PostgreSQL database hosted by Supabase.
- Resend (UK/EU): transactional email delivery (booking confirmations, offer notifications, password resets).
- Twilio (USA / EU): SMS delivery for phone verification (E.164-format mobile number sent during signup + booking flows) and best-effort booking-confirmation texts. Mobile numbers are sent only when you explicitly request a verification code or have opted in to SMS reminders. Twilio holds the number for the minimum period required by their service ToS.
- Anthropic (USA): our enquiry-assist chatbot on the landing page sends the free-text you type into the “describe your stay” box to Anthropic’s Claude API purely to extract structured fields (location, dates, budget). We do not send your name, email, or account data. Anthropic does not use API inputs for model training.
- Cloudflare (Turnstile): bot-protection challenge on signup and enquiry forms. Cloudflare receives your IP address and browser fingerprint.
- Upstash (Redis): API rate limiting. We store a salted hash of your IP address (not the IP itself) for up to 24 hours to prevent abuse.
- Sentry: application error monitoring. Error reports may include your URL, user ID, and a stack trace. Personal identifiers are scrubbed before transmission.
- Vercel: application hosting and edge delivery. Vercel processes your IP address in server logs for up to 30 days.
- Law enforcement: when required by law or valid legal process.
- HMRC (UK tax authority): hosts’ identifying and earnings data is reported annually where required under the UK’s implementation of OECD Digital Platform Reporting rules (Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023).
We do not sell your personal data to third parties, and we do not use your data for advertising.
5a. International Transfers
Some of our processors are located outside the UK. When we transfer personal data outside the UK we rely on one of the following safeguards under UK GDPR:
- UK adequacy decisions — for transfers to the European Economic Area.
- UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum — for transfers to the USA (Anthropic) and elsewhere. Copies of our transfer mechanisms are available on request from privacy@offer2stay.co.uk.
5b. AI-Assisted Features
Our landing-page enquiry assistant uses a large language model (Anthropic Claude) to parse the free-text you type into structured search fields. This is not a fully automated decision with legal or similarly significant effects on you (UK GDPR Art. 22) — the parsed fields are shown to you and you confirm them before any enquiry is submitted. You can always skip the assistant and fill in the form directly.
5c. Children
The Offer2Stay platform is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact privacy@offer2stay.co.uk and we will delete it.
6. Data Retention
We retain your account data for as long as your account is active. After account deletion, we retain booking and payment records for 7 years for tax and legal compliance. Anonymised analytics data may be retained indefinitely.
7. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (subject to legal retention requirements).
- Restrict or object to certain processing.
- Data portability (receive your data in a structured format).
- Withdraw consent at any time (for consent-based processing).
- Lodge a complaint with the Information Commissioner's Office (ICO).
To exercise your rights, email us at privacy@offer2stay.co.uk. We will respond within 30 days.
8. Cookies
We use essential cookies for authentication and session management. We may use analytics cookies (e.g. PostHog) with your consent. You can manage cookie preferences in your browser settings.
9. Security
We implement industry-standard security measures including encryption in transit (TLS), encrypted database connections, role-based access controls, and regular security reviews. However, no system is 100% secure — please use a strong, unique password.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the platform. Continued use of Offer2Stay after changes constitutes acceptance of the revised policy.
11. Contact
For any questions about this privacy policy or your personal data, email our privacy team at privacy@offer2stay.co.uk.
See also: Terms of Service