Staymulate — Privacy Policy
Version 1.0 first draft. Status: AWAITING LAWYER REVIEW.
This is the company-level privacy policy covering Staymulate's relationship with anyone who interacts with Staymulate directly — visitors to the website, prospective customers, signed customers, and people who contact support. For the data of property owners' guests and staff (which the Customer controls and we process under the DPA), see data_processing_agreement.md.
§1 — Who we are
Staymulate is a hospitality operating system. Our parent legal entity is currently Akas Resorts (GSTIN 05BZHPK9331F1ZE) and a separate Staymulate entity will be incorporated before the first non-Akas customer signs.
Founder + data protection contact: Harpreet Sobti. Email and contact form on the Staymulate website.
§2 — What this policy covers
This policy covers personal data that Staymulate collects, uses, and stores about you when you:
- Visit the Staymulate website
- Sign up for a Staymulate account
- Use the Staymulate webapp or staff bot
- Contact Staymulate support
- Receive marketing or product communications from us
§3 — What this policy does NOT cover
This policy does NOT cover:
- The personal data of your guests or your staff at your property — that data is controlled by you (the property owner) and processed by us under the DPA. See data_processing_agreement.md.
- The data Staymulate processes for properties run by Akas Resorts (which is currently the only Staymulate customer). For Akas Resorts properties the privacy notice published by the property itself applies.
- Sub-processors' own privacy policies. Each sub-processor (Google for Vertex AI / Gemini models hosted in asia-south1 / Mumbai, Telegram for messaging, etc.) has its own policy for data they collect about end users beyond what we send them.
§4 — What data we collect about you
| Category | Examples | When |
|---|---|---|
| Account data | Name, email, phone, password hash, MFA token | When you sign up |
| Property data | Property name, location, type, room count, sale mode | During onboarding |
| Communication data | Messages you send to our staff bot or webapp | Whenever you interact |
| Voice recordings | Audio from voice messages | Only when you choose to send a voice note. Raw audio deleted within 24 hours after transcription. |
| Photos | Bills, food, damage, content | Only when you choose to upload |
| Usage data | Webapp page visits, button clicks, error reports | Whenever you use the webapp |
| Payment data | Last 4 of card, billing address, invoice history | When you pay |
| Marketing data | Marketing email opt-in, marketing message opt-in | When you provide it |
| Support tickets | Your name, email, issue description, our reply | When you contact support |
§5 — How we use your data
We use your data to:
- Provide the service — without your account data we cannot give you the product
- Process payments — billing and tax compliance
- Communicate with you — service updates, support replies, account notifications
- Improve the service — anonymized usage metrics for product decisions
- Make AI-driven inferences about your property data per ai_disclosure.md and data_processing_agreement.md §4 (joint controller activities)
- Comply with law — tax filings, regulator requests, court orders
- Prevent abuse — rate limiting, content moderation, security incidents
- Marketing — only if you opt in. We do not send marketing without explicit consent.
§5a — Automated decision-making
Some Staymulate features make automated decisions about your property data:
- Routing of inbound messages to the correct topic (maintenance, finance, purchase, emergency)
- OCR extraction of bill fields
- Generation of suggested replies and content captions
- Burnout-check signals based on observed staff activity
- Property DNA extraction from interview answers
These are subject to the AI Disclosure (ai_disclosure.md). You have the right to:
- Be informed that AI is being used (proactive disclosure on first contact)
- Request human review of any specific automated decision
- Object to automated processing where it has legal or significant effects on you
- Receive an explanation of the logic involved (we provide the prompt + model name on request)
§6 — Lawful basis for processing
We process your personal data on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Account management | Performance of contract |
| Service delivery | Performance of contract |
| Payment processing | Performance of contract + legal obligation |
| AI-driven inferences | Performance of contract + legitimate interest (joint controller — see DPA) |
| Marketing communications | Consent (opt-in only) |
| Compliance | Legal obligation |
| Abuse prevention | Legitimate interest |
| Security incidents | Legitimate interest + legal obligation (breach notification) |
For Customers in markets that require consent for specific categories (sensitive personal data, biometric data, children's data), we collect explicit consent before any such processing.
§7 — Who we share your data with
We share your data with:
| Party | What | Why |
|---|---|---|
| Sub-processors per DPA §5 | Per the DPA | Technical service delivery |
| Payment processor | Billing data | Process your payments |
| Tax authorities | Invoice data | Legal obligation |
| Cloud hosting provider | Database storage | Technical service delivery |
| Telegram | Message metadata + content | Message delivery |
| Google (Vertex AI — Gemini models, asia-south1 / Mumbai) | Photos, text snippets, structured data | AI inference (region-pinned in India) |
| Lawyers / accountants | Only when required for legal advice or audit | Legal obligation or legitimate interest |
| Acquirers / successors | All your data | Only if Staymulate is sold or restructured, with prior notice and your right to terminate |
| Government / regulators | Only when legally required | Legal obligation |
We do NOT sell your data to third parties. We do NOT share your data with marketing networks, ad platforms, or data brokers.
§8 — Cross-border data transfers
Staymulate uses sub-processors hosted in multiple countries (see DPA §5). Cross-border transfers are governed by:
- Standard contractual clauses (SCCs) where applicable
- Adequacy decisions where the destination country has been recognised as adequate by the source country's regulator
- Per-market addenda for specific transfer rules (especially Indonesia UU PDP and Quebec Law 25)
§9 — How long we keep your data
Per the DPA §7 retention schedule. Summary:
- Account data: duration of contract + 1 year
- Voice recordings (raw): 24 hours
- Messages and logs: 7 years (financial compliance)
- Photos (bills): 3 years
- Photos (people): until consent revoked or 1 year after stay
- Audit trails: permanent (compliance evidence, never deleted, no PII)
- Marketing opt-ins: until revoked
§10 — Your rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to retention requirements)
- Restriction — limit our processing of your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest or for direct marketing
- Withdraw consent — for any processing based on consent
- Object to automated decisions — request human review of significant automated decisions
- Lodge a complaint with your local data protection authority
To exercise any right, contact us at privacy@staymulate.com. We respond within the legally required window (typically 30 days under DPDP / GDPR / PDPA).
§11 — Children
Staymulate is not intended for use by children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it.
§12 — Cookies and analytics
The Staymulate webapp uses minimal cookies — strictly necessary for authentication (the magic link session token) and a single analytics cookie if the user opts in. We do NOT use third-party advertising cookies, tracking pixels, or fingerprinting.
§13 — Security
We maintain reasonable security measures per the DPA §9. No system is 100% secure — if a breach occurs, we notify affected users within 72 hours per the DPA §10.
§14 — Changes to this policy
We may update this policy with 30 days' notice. Material changes require re-acceptance from active customers; non-material changes take effect after the notice period.
§15 — Contact
For privacy questions, contact: privacy@staymulate.com
For data subject rights requests, contact: privacy@staymulate.com
For security incidents or breach reports, contact: security@staymulate.com
For Customers in the EU/UK: we will appoint a representative if/when we have customers in those markets (currently not in the supported market list).
---
Where this document is linked from
- The Staymulate website footer
- The webapp signup screen (acceptance gate)
- All Staymulate marketing emails
- Sub-processor disclosures in the DPA §5
---
Source: standard SaaS privacy policy structure adapted to Staymulate's joint-controller and AI-disclosure context. Version 1.0, awaiting lawyer review.