
Privacy Policy

Last updated: 14 March 2026

1. Introduction and Responsible Party

AutoStays (Pty) Ltd (“AutoStays”, “we”, “our”, or “us”) operates the hospitality financial management platform at www.autostays.co.za. We are the responsible party as defined in the Protection of Personal Information Act, 2013 (POPIA) for the personal information we process.

Information Officer
Email: privacy@autostays.co.za
Website: www.autostays.co.za

2. Definitions

  • Operator (You) — A hospitality business (guesthouse, lodge, hotel, B&B) that uses AutoStays to manage operations.
  • Guest — A person whose booking, contact, or payment information is processed through AutoStays on behalf of an Operator.
  • User — Any person who creates an account on AutoStays (owners, managers, accountants, staff).
  • Personal Information — As defined in POPIA Section 1 — any information relating to an identifiable, living natural person or juristic person.

3. Personal Information We Collect

3.1 Account Information (Users)

  • Full name, email address, password (hashed)
  • Role within the organisation (Owner, Manager, Accountant, Staff)
  • Telegram chat ID and WhatsApp number (if linked)

3.2 Organisation & Property Information

  • Business name, VAT number, physical address
  • Property details (rooms, rates, banking information for invoices)

3.3 Guest Information (processed on behalf of the Operator)

  • Guest name, email address, phone number
  • Booking dates, room allocation, booking source
  • Payment amounts and proof of payment images

3.4 Financial Data

  • Bank statements uploaded for reconciliation (FNB, ABSA, Nedbank, Standard Bank, Capitec)
  • Transaction records, invoices, receipts
  • OTA payout data (Booking.com, Airbnb, Lekkerslaap)
  • Payroll data (employee salaries, UIF, PAYE, advances)

3.5 Communication Data

  • WhatsApp messages exchanged via the WhatsApp Business API for booking intake
  • Telegram messages exchanged with the AutoStays staff bot

3.6 Technical Data

  • IP address, browser type, device information
  • Usage logs and error reports

4. Lawful Basis for Processing (POPIA Section 11)

We process personal information under the following lawful grounds:

Purpose | Lawful Basis
Providing the AutoStays platform | Contract (Section 11(1)(b))
Processing guest bookings | Legitimate interest of the Operator (Section 11(1)(f))
Sending booking confirmations | Contract / Legitimate interest
Financial reporting & VAT compliance | Legal obligation (Section 11(1)(c))
Sending payslips to employees | Legal obligation (BCEA Section 32)
WhatsApp & Telegram messaging | Consent (Section 11(1)(a))
Improving the platform | Legitimate interest (Section 11(1)(f))
Security & fraud prevention | Legitimate interest

5. Guest Data — Operator Responsibility

Important for Operators: When you use AutoStays to process guest personal information (names, emails, phone numbers, payment details), you are the responsible party under POPIA, and AutoStays acts as your operator (processor).

This means:

  • You must have a lawful basis for collecting guest data (typically contract or legitimate interest)
  • You are responsible for informing guests about how their data is used
  • You must respond to guest data access, correction, or deletion requests
  • AutoStays will process guest data only on your instructions and for the purposes of providing the platform

We will assist you in fulfilling your POPIA obligations. Contact us at support@autostays.co.za for data subject requests related to guest information.

6. How We Use Your Information

  • To provide, maintain, and improve the AutoStays platform
  • To process bookings, generate invoices, and reconcile transactions
  • To send booking confirmations and reservation notifications to guests via email
  • To send daily digest messages, payslips, and operational alerts via WhatsApp and Telegram
  • To calculate payroll, PAYE, and UIF contributions
  • To generate financial reports (P&L, cash flow, KPIs, budget vs actual)
  • To import and reconcile bank statements and OTA payouts
  • To respond to support requests

7. Third-Party Service Providers

We share personal information with the following processors, all bound by data processing agreements:

Provider | Purpose | Location
Neon (PostgreSQL) | Database hosting | EU (AWS eu-west-2)
Vercel | Application hosting & CDN | Global (edge)
Meta (WhatsApp Business API) | WhatsApp messaging | Global
Telegram | Staff bot messaging | Global
Resend | Transactional email delivery | US
OpenAI | AI-powered booking intake & categorisation | US
Vercel Blob | File storage (receipts, proof of payment) | Global

8. Cross-Border Data Transfers (POPIA Section 72)

Some of our service providers operate outside South Africa. We ensure that cross-border transfers comply with POPIA Section 72 by verifying that recipient countries have adequate data protection laws or that appropriate contractual safeguards are in place.

Your database is hosted on Neon in the EU (AWS eu-west-2, London), which is subject to GDPR — a data protection framework recognised as adequate.

9. Data Security

We implement appropriate technical and organisational measures to protect your information:

  • All data transmitted over HTTPS (TLS 1.3)
  • Passwords hashed with bcryptjs (12 rounds)
  • Authentication via signed JWT tokens (HMAC-SHA256)
  • Finance section protected by PIN with signed access tokens
  • Rate limiting on authentication endpoints
  • Security headers (CSP, X-Frame-Options, HSTS)
  • Soft deletes throughout — no data is permanently destroyed without request
  • Role-based access control (Owner, Manager, Accountant, Staff)

10. Data Retention

We retain personal information for as long as:

  • Your account is active
  • Required to provide the service
  • Required by South African tax law (financial records: 5 years per the Tax Administration Act)
  • Required for BCEA compliance (payroll records: 3 years after employment ends)

When you close your account, we will delete or anonymise your personal information within 30 days, except where retention is required by law.

11. Your Rights Under POPIA

As a data subject, you have the right to:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request deletion of your personal information (subject to legal retention requirements)
  • Objection — Object to the processing of your personal information on grounds of legitimate interest
  • Restriction — Request restriction of processing in certain circumstances
  • Data portability — Request your data in a machine-readable format (CSV export is available within the platform)
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, email us at privacy@autostays.co.za. We will respond within 30 days as required by POPIA.

12. WhatsApp & Telegram Messaging

AutoStays uses the WhatsApp Business API (via Meta) and Telegram Bot API to send and receive messages on behalf of Operators. By opting in to these integrations:

  • You consent to messages being processed through Meta's and Telegram's infrastructure
  • Message content may be processed by AI (OpenAI) for booking extraction and natural language understanding
  • You can opt out at any time by unlinking your account in Settings
  • Employee payslip delivery via WhatsApp/Telegram requires explicit employee opt-in

13. Cookies & Tracking

AutoStays uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics. No cookie consent banner is required as we only use strictly necessary cookies.

14. Children’s Information

AutoStays is a business-to-business platform and is not intended for use by persons under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

15. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will:

  • Notify the Information Regulator as required by POPIA Section 22
  • Notify affected data subjects as soon as reasonably possible
  • Take immediate steps to contain and remediate the breach
  • Document the breach and our response measures

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of AutoStays after changes constitutes acceptance of the updated policy.

17. Complaints & the Information Regulator

If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the South African Information Regulator:

Information Regulator (South Africa)
Email: complaints.IR@justice.gov.za
Tel: 012 406 4818
Website: inforegulator.org.za

18. Contact Us

For any questions about this Privacy Policy or your personal information:

AutoStays (Pty) Ltd
Information Officer: privacy@autostays.co.za
Support: support@autostays.co.za
Website: www.autostays.co.za