Privacy Policy
Last updated: June 26, 2026
1. Who We Are
Stayza is a verified accommodation discovery and lead-generation marketplace for Pakistan. We help students and travellers find verified hostels, shared apartments, private rooms, and flats, and connect them with property owners through inquiries. Stayza is not a booking or rental agent — we do not take bookings or collect rent on an owner's behalf.
Stayza ("Stayza", "we", "our", or "us") is operated by [registered legal entity name], a company registered in Pakistan with its registered office at [registered office address]. This Privacy Policy explains how we handle your personal data when you use our website and Services.
Before launch, replace the bracketed company name and registered address above with Stayza's official registered legal entity details.
If you have any questions or concerns about how your data is handled, you can reach our privacy team at privacy@stayza.pk.
2. Definitions
To keep this policy clear, the following terms have specific meanings:
- User: Any person who accesses or uses Stayza, including students/seekers and property owners.
- Student / Seeker: A user who browses listings and sends inquiries to find accommodation.
- Property Owner: A user who lists and manages accommodation on Stayza.
- Personal Data: Any information that identifies, or can be used to identify, an individual.
- Processing: Any operation performed on personal data — collecting, storing, using, sharing, or deleting it.
- Listing: An accommodation published on Stayza by a property owner.
- Inquiry: A message a student sends to an owner to express interest in a listing.
- Services: The Stayza website, search tools, inquiry system, owner dashboard, and related features.
3. Information We Collect
We collect information you give us directly, content you create, and a limited amount gathered automatically by your device. We only collect what we genuinely need to run a trustworthy marketplace.
- Information you provide — account details, inquiries you send, and support messages.
- Listing and verification information — for property owners, the details needed to publish and verify a listing.
- Content you create — reviews, ratings, and messages.
- Automatic data — device type, IP address, approximate location, referrer, and the pages you view, used to keep the service secure and reliable.
- Cookies and similar technologies — as described in the Cookies and Analytics section.
4. Account Information
When you create an account, we collect the personal identifiers needed to operate it and keep it secure:
- Full name and preferred title
- Email address — for communication and security alerts
- Phone number — for inquiry confirmations
- Profile picture (optional)
- Account role — whether you are a student/seeker or a property owner
5. Property Owner Verification
To keep the marketplace trustworthy, property owners go through identity verification before their listings can be published.
- What we collect — your CNIC (national identity) number and related verification details.
- Why — to confirm owners are real, prevent fraudulent or duplicate listings, and protect students.
- How it is protected — your CNIC is encrypted before storage and is never shown in full. It is stored only in encrypted form, with a separate one-way hash used solely to detect duplicates.
- Who can access it — only authorised Stayza staff, and only in a masked form, with full reveal limited to verification and fraud-investigation purposes.
- How long — retained while your account is active and for a limited period afterwards for fraud prevention and legal compliance (see Data Retention).
6. Property Listing Information
For property owners, we collect the details needed to list and manage accommodations: the property address and location, registration details, amenities, pricing, room configurations, and photographs. Some photos are captured by our team during verification visits; others are provided by owners.
Most listing information is shown publicly so students can make informed decisions. Do not include private information in public fields such as descriptions or photo captions.
7. Payment & Billing
Stayza is a discovery and lead-generation platform. We do not process payments for stays and never collect rent on an owner's behalf. The only payments we handle are subscription fees from property owners for paid plans.
Owner plan payments are processed by PCI-compliant third-party payment gateways. Stayza does not store full card numbers or CVV codes — we keep only the tokens and references needed to issue invoices, manage your plan, and process refunds.
8. How We Use Your Data
We use your data to provide and maintain the Services, and to keep the marketplace safe and trustworthy. Specifically, we use it to:
- Operate your account and deliver the features you request
- Verify listings and owner identities before they go live
- Connect students with owners through inquiries
- Personalise and rank search results, including AI-assisted search
- Send transactional messages such as confirmations and security alerts
- Detect fraud and protect our community
- Measure usage in aggregate to improve the platform
- Comply with our legal obligations
We never sell your personal data.
9. Legal Basis for Processing
We process personal data only where we have a lawful reason to do so. Depending on the situation, we rely on one or more of the following:
- Contract: To provide the Services you sign up for, such as operating your account and delivering inquiries.
- Consent: For optional activities like marketing emails and non-essential cookies, which you can withdraw at any time.
- Legitimate interests: To keep the platform secure, prevent fraud, verify owners, and improve our Services — balanced against your rights.
- Legal obligation: To comply with applicable laws, tax and accounting rules, and lawful requests.
10. AI Search Features
Some Stayza features, including AI Search, use automated and AI-assisted techniques to understand your query and recommend relevant listings. To do this we process your search inputs and certain usage signals.
AI-generated results are intended to help you discover options and may not always be complete or accurate. Always review listing details before making a decision.
We do not use your data to make legally significant decisions about you through fully automated means.
12. Communications & Marketing
We send two kinds of messages:
- Transactional (service) messages — inquiry confirmations and notifications, owner lead alerts, plan and payment confirmations, verification status updates, security and account alerts, and important service announcements. These are part of the Services and cannot be turned off while you have an account.
- Marketing messages — optional promotional emails about features, tips, and offers. These are opt-in where required, and every marketing email includes an unsubscribe link.
13. Reviews & User Content
When you post reviews, ratings, photos, or other content, you retain ownership of what you create. By posting, you grant Stayza a non-exclusive licence to host, display, and distribute that content as part of operating and promoting the Services.
Reviews and ratings are shown publicly alongside listings, so please don't include personal or sensitive information in them. We may remove content that is fraudulent, defamatory, or violates our community guidelines.
14. How We Share Data
Stayza does not sell your personal data. We share information only where necessary:
- With the other party to an interaction — an owner receives your name and contact details when you send them an inquiry.
- With service providers who process data on our behalf, under contract.
- To comply with the law, enforce our terms, or protect users' rights and safety.
Our service providers fall into these categories:
- Database, auth & storage: Supabase (our core backend infrastructure).
- Payments: PCI-compliant payment gateway(s) for owner plan billing.
- Maps & location: Third-party mapping providers.
- Analytics: Privacy-respecting product analytics.
- Email & SMS: Transactional messaging providers.
- Hosting & delivery: Cloud infrastructure and content-delivery (CDN) providers.
15. International Data Transfers
Some of our service providers — including our database, hosting, and content-delivery providers — operate servers located outside Pakistan. This means your information may be transferred to, stored in, and processed in other countries.
Where we transfer data internationally, we take reasonable steps to ensure it remains protected to a standard consistent with this policy and applicable law.
16. Data Security
We use a layered set of safeguards to protect your information, including:
- Encryption in transit (TLS/HTTPS) and encryption at rest for sensitive fields such as identity documents.
- Hashed passwords — we never store passwords in plain text.
- Row-level access controls, so users and staff can only access data they are permitted to.
- Multi-factor authentication for administrative access.
- Monitoring, access logging, and rate limiting to detect and limit abuse.
- Regular backups to support recovery.
No system is ever completely secure, so we cannot guarantee absolute security — but we work continuously to protect your data and respond quickly to any incident.
17. Data Retention
We keep personal data only as long as necessary for the purposes set out in this policy. In practice:
- Account data — kept while your account is active.
- Deleted accounts — personal data is removed or anonymised within about 30 days, unless longer retention is legally required.
- Invoices and payment records — retained as required by tax and accounting laws.
- Verification data (e.g. encrypted CNIC) — retained for a limited period to support fraud prevention and legal compliance.
- Security and fraud logs — retained for security investigations.
18. Your Rights
Depending on your location, you have rights over your personal data, including the right to:
- Access the data we hold about you
- Correct or update inaccurate data
- Delete your data (erasure)
- Receive your data in a portable format
- Restrict how we process your data
- Object to certain processing
- Withdraw consent for consent-based processing
- Lodge a complaint with us or a relevant authority
You can exercise most rights directly from your account settings, or by emailing privacy@stayza.pk. We aim to respond within 30 days.
19. Account Deletion
You can delete your account at any time from your account settings, or by contacting us at privacy@stayza.pk. Here's what happens:
- Deleted immediately — your profile is deactivated and removed from public view, including listings and reviews tied to it.
- Removed within ~30 days — your personal data is permanently deleted or anonymised from our active systems.
- Retained where required — certain records (such as invoices and fraud/security logs) are kept for the limited periods described in Data Retention to meet legal obligations.
20. Children & Minors
Stayza is intended for adults. The Services are not directed to children under 16, and we do not knowingly collect their data.
Users under the age of 18 may use Stayza only with the involvement and consent of a parent or legal guardian, who remains responsible for their use of the Services. If we learn we have collected a child's data without appropriate consent, we will delete it promptly.
21. Listing Accuracy & Moderation
While we verify listings where possible, Stayza cannot guarantee that all information provided by property owners is complete, current, or accurate. Always confirm details directly before making any commitment.
We may review, edit, or remove listings and content to protect users — including fraudulent or duplicate listings, misleading information, and illegal or prohibited content. These rights are described further in our Terms & Conditions.
22. Governing Law
This Privacy Policy, and any dispute relating to it, is governed by the laws of Pakistan. Subject to applicable law, the courts of Islamabad, Pakistan have jurisdiction over such disputes.
23. Changes to Policy
We may update this Privacy Policy from time to time as our platform and legal obligations evolve. The "Last updated" date at the top of this page always reflects the most recent revision.
For material changes, we will notify registered users by email and/or with an in-app notice at least 14 days before the changes take effect.
24. Contact & Complaints
If you have questions, requests, or a privacy complaint, our team is here to help — reach out and we'll get back to you.
For formal complaints, email legal@stayza.pk with the details. We aim to acknowledge within 5 business days and resolve within 30 days.
privacy@stayza.pk