This Privacy Policy explains what personal data StayCare collects, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR) and similar laws.
1. Data controller
StayCare, a sole proprietorship based in Calgary, Alberta, Canada, is the organization responsible for personal information about hosts and for the operational metadata of guest orders. Hosts are independently responsible for the guest information they collect through their Guest Hub (names, delivery addresses, dietary notes, etc.). Contact: staycare@mail.com.
2. Data we collect
From hosts
- Account: name, email, password hash, login timestamps.
- Business: property details, Stripe Connect account ID, payout configuration.
- Usage: pages viewed, products created, orders processed.
From guests
- Order data: name, email, delivery address, items ordered, payment status.
- Optional preferences (language, allergies, arrival time) if the guest provides them.
- Technical: IP address, browser, click events on affiliate service links.
We do not collect payment card data. All card data is handled directly by Stripe.
3. Why we use your data
- To provide the service (process orders, send confirmation emails, route payments).
- To prevent fraud, abuse and platform misuse.
- To comply with legal obligations (tax records, anti-money-laundering).
- To improve the product — using aggregated, non-identifying analytics.
4. Legal basis for collection
We collect and use personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA). Where users are located in the EU/UK, we also rely on the GDPR equivalents below.
- Performance of a contract — to operate your account or fulfil a guest order.
- Legitimate business interests — fraud prevention, analytics, security.
- Legal obligation — tax and accounting records under Canadian law.
- Consent — where required, e.g. optional marketing emails. Consent may be withdrawn at any time.
5. Sharing
We share data only with the processors required to run StayCare:
- Stripe — payment processing and Connect onboarding.
- Supabase — hosting, database, authentication, file storage (North America region).
- Mailgun / Lovable Emails — transactional email delivery.
- Hosts — guest order data is shared with the host fulfilling the order.
We never sell personal data.
6. Retention
- Host account data: retained while the account is active, plus 7 years for tax records after deletion.
- Guest order data: retained for 7 years for tax and dispute purposes.
- Email send logs: 12 months.
- Suppression list (bounces, unsubscribes): indefinite, to protect deliverability.
7. Your rights
Under PIPEDA, Alberta PIPA, and (where applicable) GDPR, you can request access to, correction of, or deletion of your personal information, and you can withdraw consent. Email staycare@mail.com with the subject "Data request" and we will respond within 30 days.
8. International transfers
Our primary data location is North America. Some processors (e.g. Stripe) may transfer limited data across borders under contractual safeguards consistent with PIPEDA and, where applicable, GDPR Standard Contractual Clauses.
9. Security
We use TLS in transit, encryption at rest, row-level security in the database, and least-privilege access controls. No system is perfectly secure; please use a strong, unique password.
10. Cookies
StayCare uses strictly necessary cookies for authentication and session management only. We do not use third-party advertising cookies.
11. Changes
We will notify hosts by email of material changes at least 14 days in advance.
12. Complaints
You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, or your local data-protection authority.
