Account Deletion

Account deletion is permanent. All properties, bookings, guests, expenses and tasks are removed from the active database after a short grace period and then permanently erased — the operation CANNOT be undone after that grace period expires.

If you have an active subscription, it is automatically cancelled on deletion (the Paddle subscription is cancelled before the organisation row is deleted). Past invoices are retained for 10 years as an accounting obligation (Section 5 below).

If you only want to sign out from every device without deleting — you can do that from Settings → Account → Trusted Devices, no deletion required.

Log in to app.primestay.rs (web) or the mobile app.

Open Settings → Account → scroll to "Danger Zone" → click "Delete organisation".

You are asked to confirm by: (a) entering your current password, and (b) typing the exact organisation name. This prevents accidental deletion.

Deletion runs immediately: your session ends, the subscription is cancelled via Paddle, data enters a 30-day soft-delete window (in case you clicked by mistake), and is then permanently erased.

During the 30-day soft-delete window you may contact support@primestay.rs to restore. After 30 days, data is no longer recoverable.

Note: this route requires the ADMIN role on the organisation. If you are MANAGER / OWNER / STAFF, ask your organisation's ADMIN, or use Route 2.

Use this route if: you forgot your password and the forgot-password flow does not work, you lost access to the email, you are not the ADMIN but you are a data subject exercising erasure (GDPR Art. 17), or in-app deletion is blocked for any reason.

Email: support@primestay.rs

Subject: Account deletion

In the body include: The email address on the account, the organisation name if you remember it, and a short explanation of why the in-app route is not possible (forgotten password, lost access, etc.).

We verify account ownership by sending a confirm link to the email address on the account (industry-standard pattern — prevents someone who only knows your email from triggering deletion for you).

After verification, deletion is performed within 30 days (GDPR Art. 17). In practice: 2-7 business days.

We send you a confirmation when deletion is complete.

User account: email, name, password hash, language preference, notification toggles, role.

Organisation: name, signupSource (UTM), billing customer ID, plan and subscription status.

Operational content: all properties, bookings, guests and their contacts, expenses, tasks, payouts, rent obligations, refunds, directory contacts.

Security artefacts: all refresh tokens, push tokens (iOS APNs + Android FCM), Trusted Device entries, email-change pending state, security audit log entries tied to your account.

Notifications: every in-app notification, dispatch history, per-channel preferences.

Accounting records — 10 years: The Serbian Accounting Act (Art. 13) requires retention of invoices, receipts and payment records for 10 years. This covers: Paddle invoice ID, amount, currency, billing period, plan, date. Deletion before that window would violate the law, so we retain the minimum necessary for tax obligations. These records are NOT used for marketing or any other processing.

AdminAuditLog — 5 years: Append-only record of platform-admin actions (who suspended an account, who impersonated for support, etc.). Your data is pseudonymised (userId → opaque string), but the full audit trail is retained for forensics and compliance. After 5 years it too is deleted.

Database backups — up to 30 days: Backups rotate over 30 days. During that period your data may be technically present in a backup, but is not used outside operational disaster recovery. After 30 days the backup is overwritten and the data is gone.

In-app deletion: Immediate (session ends at once). 30-day soft-delete buffer in case you change your mind.

Email request: Up to 30 days from ownership verification. In practice: 2-7 business days.

Backup expiry: 30 days after deletion.

Accounting records: 10 years (Art. 13 of the Serbian Accounting Act).

Beyond erasure, you have every other right under GDPR Art. 15-22: access (Art. 15), rectification (Art. 16), restriction of processing (Art. 18), data portability in JSON (Art. 20), objection (Art. 21).

For any of these requests, write to support@primestay.rs. We respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority: Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (poverenik.rs). EU/EEA residents may contact the supervisory authority of their country of residence.

Deletion requests + all privacy questions: support@primestay.rs

Postal address: Filip Ivanović PR PrimeStay, Katanićeva 18, 11000 Belgrade, Republic of Serbia (VAT ID 115504426, Company ID 68417422).