
Privacy Policy

Effective date: March 2026 · Last reviewed: March 2026

This policy explains what personal data StayByHours collects, why we collect it, how it is protected, and what rights you have under the General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023 (DPDPA).

1. Who We Are

StayByHours Technologies Private Limited ("StayByHours", "we", "us", or "our") operates the website www.staybyhours.com and related mobile applications that allow users to discover and book hotel stays by the hour ("Platform").

For the purposes of the GDPR, StayByHours acts as a Data Controller for the personal data of users residing in the European Economic Area (EEA) or the United Kingdom. For Indian residents, StayByHours acts as a Data Fiduciary within the meaning of the DPDPA, 2023.

2. Scope & Applicability

This Privacy Policy applies to:

  • Registered users and guests using the Platform.
  • Hotel partners who list properties on StayByHours.
  • Visitors to our website and apps.

It does not apply to third-party websites or services linked from our Platform. We encourage you to review the privacy policies of those third parties directly.

3. Personal Data We Collect

We collect only data that is necessary for the purposes described in this policy (data minimisation principle — GDPR Art. 5(1)(c); DPDPA §4).

| Category | Data Elements | Source |
|---|---|---|
| Identity | Full name, phone number, email address | Provided by you at registration or booking |
| Booking | Hotel, room, check-in / check-out timestamps, duration, number of guests | Generated during booking flow |
| Payment | Transaction amount, currency, payment status, Razorpay order/payment IDs. We never store full card numbers or CVVs. | Razorpay payment gateway |
| Device & Usage | IP address, browser type, OS, pages visited, search queries, timestamps | Automatically collected via logs and cookies |
| Communications | Support messages, review content, dispute information | Provided by you voluntarily |

⚠️ Sensitive / Special-Category Data

We do not intentionally collect sensitive personal data such as government ID numbers, biometric data, health data, religion, or caste. If any hotel partner requests such data at physical check-in as required by law (e.g., Foreigners Act, Hotel Licensing), that data is collected and processed by the hotel directly and is outside StayByHours' control.

4. Lawful Basis for Processing

Under GDPR (Art. 6) and DPDPA (§4), we rely on the following lawful bases for processing personal data:

Contract Performance · GDPR Art. 6(1)(b) · DPDPA §4(1)(a)

Processing your name, phone, email, and booking details to create and manage your reservation.

Legitimate Interests · GDPR Art. 6(1)(f) · DPDPA §4(1)(c)

Fraud prevention, security monitoring, product improvement, and analytics. We have conducted a Legitimate Interests Assessment (LIA) and balanced it against your rights.

Legal Obligation · GDPR Art. 6(1)(c) · DPDPA §4(1)(b)

Retaining invoices and tax records for 7 years as required by Indian accounting laws (Companies Act, GST Act).

Consent · GDPR Art. 6(1)(a) · DPDPA §6

Marketing emails, newsletters, and promotional communications. You can withdraw consent at any time via the unsubscribe link in emails or Account Settings.

5. How We Use Your Data

  • Create and manage your account and hotel bookings.
  • Process payments and issue tax invoices (GST-compliant).
  • Send booking confirmations, reminders, cancellation notices, and receipts.
  • Authenticate you securely via OTP (phone/email verification).
  • Handle disputes, refunds, and customer support requests.
  • Detect and prevent fraud, abuse, and security threats.
  • Improve platform features through aggregated, anonymised analytics.
  • Send marketing communications (with explicit consent only).
  • Comply with court orders, regulatory requests, and applicable laws.

We never use your booking data to create consumer profiles for sale to third-party marketers.

6. Data Sharing & Disclosures

We do not sell your personal data. We share it only as described below:

| Recipient | Data Shared | Safeguard |
|---|---|---|
| Hotel Partners | Guest name, phone, booking dates, room, guest count | Data Processing Agreement (DPA); used solely to fulfill reservation |
| Razorpay (Payment Processor) | Transaction amount, currency, booking reference | PCI-DSS certified; governed by Razorpay Privacy Policy |
| SMS/Email Providers (e.g. Twilio, SendGrid) | Phone number or email; message content | DPA in place; data used only for delivery |
| Cloud Infrastructure (e.g. GCP) | All data stored on platform | SOC 2 certified; data stored in India (asia-south1) |
| Legal & Regulatory Authorities | Minimum required by applicable law | Disclosed only when legally compelled; you will be notified where permitted |

7. International Data Transfers

Our primary servers are located in India (GCP asia-south1, Mumbai). We take all reasonable steps to ensure your data remains within India wherever possible.

Where data is transferred outside India or the EEA (e.g., to a global SaaS provider), we ensure adequate safeguards are in place:

  • EU standard contractual clauses (SCCs) for EEA-originating data.
  • Adequacy decisions or equivalent protections recognised under the DPDPA and India's MeitY notifications.
  • Recipients are bound by contractual obligations to protect your data to at least the same standard as this policy.

8. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Operational necessity |
| Booking & payment records | 7 years from booking date | GST / Companies Act compliance |
| Dispute records | 3 years from resolution | Legal limitation periods |
| Server / access logs | 90 days rolling | Security monitoring |
| Marketing consent records | Until consent is withdrawn + 3 years | Proof of consent (GDPR / DPDPA) |
| Anonymised analytics | Indefinitely | No personal data identifiable |

After the applicable retention period, data is securely deleted or irreversibly anonymised. You may request earlier deletion (subject to our legal retention obligations) — see Section 11.

9. Security & PII Safeguards

We implement a defence-in-depth approach to protecting your Personally Identifiable Information (PII):

🔒 Encryption in Transit

All communications are encrypted with TLS 1.2 or higher. HTTPS is enforced across the Platform.

🔒 Encryption at Rest

Database and storage volumes are encrypted using AES-256. Passwords are never stored — we use OTP-based authentication.

🔒 Access Controls

Role-based access control (RBAC). Employees access personal data on a need-to-know basis only. Admin actions are audit-logged.

🔒 PII Minimisation

We collect only the fields required. Phone numbers and emails are validated before storage. We do not store raw card details — Razorpay tokenises payment instruments.

🔒 Input Validation

All user-submitted data is sanitised and validated on both client and server sides to prevent injection and XSS attacks.

🔒 Breach Response

We maintain an Incident Response Plan. Under GDPR Art. 33, we will notify the supervisory authority within 72 hours of a breach. Under DPDPA §8, we will notify affected Data Principals promptly.

🔒 Vendor Security

All third-party processors are assessed for security posture before onboarding and bound by Data Processing Agreements.

🔒 Regular Audits

Periodic penetration testing, dependency vulnerability scans, and code reviews are performed by internal and external teams.

10. Cookies & Tracking Technologies

We use the following types of cookies:

  • Essential cookies: Required for the Platform to function (session management, CSRF protection). Cannot be disabled.
  • Analytics cookies: Help us understand how users interact with the Platform (e.g., page views, search terms). Collected only with your consent.
  • Preference cookies: Remember your settings (city, language). Persist for 30 days.

You can manage your cookie preferences at any time via your browser settings or our cookie consent banner. Withdrawing consent for non-essential cookies will not affect core functionality.

We do not use cross-site advertising trackers or sell data to ad networks.

11. Your Rights (GDPR & DPDPA)

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right to Access · GDPR Art. 15 · DPDPA §11

Request a copy of all personal data we hold about you, including the categories, purposes, and recipients.

Right to Correction · GDPR Art. 16 · DPDPA §12

Request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten") · GDPR Art. 17 · DPDPA §12

Request deletion of your personal data where we have no overriding legal obligation to retain it.

Right to Restrict Processing · GDPR Art. 18 · DPDPA Implied under §12

Ask us to pause processing your data while a dispute about accuracy or lawfulness is resolved.

Right to Data Portability · GDPR Art. 20 · DPDPA §11(b)

Receive a structured, machine-readable copy of data you provided to us (e.g., bookings, profile).

Right to Object · GDPR Art. 21 · DPDPA §13

Object to processing based on legitimate interests or direct marketing at any time.

Right to Withdraw Consent · GDPR Art. 7(3) · DPDPA §6(4)

Withdraw marketing consent at any time without affecting prior processing. Use the unsubscribe link or Account Settings.

Right to Nominate (DPDPA) · DPDPA §14

Indian residents may nominate another individual to exercise rights on their behalf in the event of death or incapacity.

Right to Lodge a Complaint · GDPR Art. 77 · DPDPA §28–§30

EU/UK residents: lodge a complaint with your local Data Protection Authority. Indian residents: escalate to the Data Protection Board of India.

How to exercise your rights

Submit a request to privacy@staybyhours.com or use the Account Settings → Privacy section on the Platform. We will respond within 30 days (GDPR) / 30 days (DPDPA). We may require identity verification before processing your request.

12. Children's Privacy

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If we discover that a user is under 18, we will delete their account and associated data promptly.

Under DPDPA §9, we will not process personal data of children without verifiable parental consent, and will not conduct behavioural tracking of children.

If you believe a child has submitted data to us, please contact privacy@staybyhours.com.

13. Grievance Officer (India — DPDPA §13 & IT Act §5A)

As required under the Digital Personal Data Protection Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer for Indian users:

Name: Grievance Officer, StayByHours

Email: grievance@staybyhours.com

Postal Address: India

Working Hours: Monday–Friday, 10:00 AM – 6:00 PM IST

Complaints must be submitted in writing (email acceptable). We will acknowledge receipt within 24 hours and resolve within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.

14. Data Protection Officer (GDPR Art. 37)

For users in the EEA or United Kingdom, our Data Protection Officer is reachable at:

Email: privacy@staybyhours.com

Subject line: "GDPR Data Subject Request — [Your Name]"

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. When we make material changes, we will:

  • Update the "Effective date" at the top of this page.
  • Send an in-app notification and/or email to registered users at least 14 days before the change takes effect (where legally required).
  • For significant changes, re-request your consent where required by law.

Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

16. Contact Us

For any privacy-related questions not covered above:

Company: StayByHours Technologies Private Limited

Address: India

Privacy enquiries: privacy@staybyhours.com

Grievances (India): grievance@staybyhours.com

© 2026 StayByHours Technologies Private Limited. All rights reserved.
