Privacy Policy

PrimeStay is two products under one brand. To be maximally transparent, this policy explicitly separates four layers:

Layer A — Marketing site (primestay.rs): Public pages, contact form, blog, Google Analytics and Google Ads.

Layer B — SaaS Platform (app.primestay.rs): Web application available after registration.

Layer C — Mobile apps (iOS and Android): Capacitor-based application for the same functionality as Layer B.

Layer D — Managed Service: Operational property management in Belgrade through a separate Property Management Agreement (PMA). Effective only if you have signed a PMA with us.

Rule: if a layer doesn't apply to you, that section doesn't concern you.

Filip Ivanović PR PrimeStay, Katanićeva 18, 11000 Belgrade, Republic of Serbia (VAT ID: 115504426, Company ID: 68417422).

PrimeStay processes data in accordance with the Republic of Serbia Personal Data Protection Act and EU Regulation 2016/679 (GDPR) to the extent applicable based on user origin.

Privacy requests and data subject rights: support@primestay.rs

Sales and Managed Service contact: info@primestay.rs

PrimeStay does not have a designated Data Protection Officer (DPO) — our processing does not exceed the thresholds in Article 37 GDPR.

The table below lists every data type PrimeStay processes, with legal basis and the layer it applies to (A/B/C/D).

Email address: Layers A, B, C, D. Purpose: account, login, billing, support, contact form. Legal basis: Art. 6(1)(b) contract. Linked to user: YES. Used for tracking: NO.

Name: Layers A, B, C, D. Purpose: profile, invoices, lead identification. Legal basis: Art. 6(1)(b) contract.

Phone (optional): Layers A, D. Purpose: contact form, managed service. Legal basis: Art. 6(1)(b) contract / Art. 6(1)(a) consent.

Password (bcrypt cost 12 hash): Layers B, C. Purpose: authentication. Legal basis: Art. 6(1)(b) contract. The plain-text password never leaves your device except over TLS-secured transmission.

Device ID (internal UUID): Layers B, C. Stable identifier generated on your device, stored in Keychain (iOS) / EncryptedSharedPreferences (Android) / localStorage (web). Purpose: Trusted Devices, refresh token rotation. Legal basis: Art. 6(1)(f) legitimate interest (security).

Email change pending state: Layers B, C. Activated only when you initiate an email change in Settings → Profile. We store: the new address (pendingEmail), two sha-256 token hashes (one to confirm from the new address, one to revoke from the old), expiresAt (24h from request), requestedAt. The original tokens are NEVER stored — they only exist in the email links we send you. Fields clear on confirm, cancel or a new change request. Legal basis: Art. 6(1)(b) contract + (1)(f) security.

SecurityAuditLog — per-user security events: Layers B, C. Append-only log of security events tied to your account: EMAIL_CHANGE_REQUESTED, EMAIL_CHANGE_CONFIRMED, EMAIL_CHANGE_REVOKED, EMAIL_CHANGE_CANCELED, EMAIL_CHANGE_RESENT (this list grows as we add new security flows). We store: userId, optional actorId (an admin acting on your behalf), kind, IP, JSON payload with event context (e.g. old and new email address), timestamp. Legal basis: Art. 6(1)(f) legitimate interest (forensics + account protection).

User preferences (App Configuration): Layers B, C. App personalisation: notifyEmail and notifyPush (master toggles), notifyOnCheckIn / notifyOnCheckOut / notifyOnNewBooking (granular event toggles), dailyReportHour (preferred daily-report hour), preferredLanguage (SR/EN), mobileTabBarOrder (your custom tab bar layout). You change all of these yourself in Settings. Not shared with third parties. Legal basis: Art. 6(1)(b) contract.

FCM / APNs push token: Layer C. Opaque unique identifier for push delivery. Includes platform (iOS/Android) and Firebase environment (PROD/STAGING). Legal basis: Art. 6(1)(b) contract. PrimeStay does not send promotional / marketing push — all are operational.

IP address: Layers A, B, C. Legal basis: Art. 6(1)(f) legitimate interest (auth, abuse prevention, local geo lookup).

User-Agent: Layers A, B, C. Purpose: Trusted Devices label, debug.

Approximate location (country, city from IP): Layers B, C. Lookup performed against a local MaxMind GeoLite2-City database on our server. Your IP NEVER goes to MaxMind or any third-party API.

Precise location (GPS): NOT COLLECTED. The app never requests location permission.

Operational content (properties, bookings, expenses, tasks): Layers B, C. Legal basis: Art. 6(1)(b) contract. The owner is the controller, PrimeStay is the processor.

Guest data (name, phone, notes): Layers B, C, D. Legal basis: Art. 6(1)(f) owner's legitimate interest (B/C). Layer D — see section 5 if you have signed a PMA with us.

Paddle customer/subscription ID, amount, period, plan: Layers B, C. Echo from Paddle webhook. Legal basis: Art. 6(1)(b) contract + Art. 6(1)(c) legal obligation (accounting).

Payment card numbers: NOT COLLECTED. Paddle processes them directly (PCI scope at Paddle).

Mobile OS crash data (iOS / Android): Layer C. When the system app crashes, the OS-level crash report goes to Apple / Google. PrimeStay does not aggregate or store these. The Sentry FE SDK is NOT installed in the mobile app.

Backend error & performance traces (server-side Sentry): Layers B, C (always active regardless of the device the user accesses from, because it concerns our API server). When the backend throws an error or at the 10% performance trace sample, we send: opaque userId (UUID), organization_id, role, stack trace, URL path, HTTP status. Email is NOT in the payload — a beforeSend hook strips email-shaped tokens from every string field, plus we call setUser with id only (industry pattern Stripe/Linear/Vercel). Legal basis: Art. 6(1)(f) legitimate interest (security + reliability). Sentry as sub-processor — see Section 7.

Contacts, photos, calendar, microphone, camera, health data: NOT ACCESSED.

IDFA / AAID / advertising identifiers: NOT COLLECTED. App Tracking Transparency prompt is not shown because we have nothing to ask for.

Biometric template (fingerprint, face scan): NEVER LEAVES the Secure Enclave / StrongBox of your device. The app receives only a Boolean "succeeded / failed" response.

GA4 event payload (only after consent): Layer A. ID: G-8Z2TTGP38Z. Activated only after "Accept all" in the consent banner (Google Consent Mode v2 default denied). IP anonymised.

Google Ads conversion (only after consent): Layer A. ID: AW-3967715400. Conversion event metadata without PII.

Default behaviour before consent: server log data (IP, User-Agent, path, referrer) — kept for 90 days. Nothing is sent to Google until you click "Accept all".

Form on the site: The site has one form — a contact form (name, email, phone, message). The marketing site is a static SSG export — the form POSTs to a public endpoint on the PrimeStay API server (api.primestay.rs/public/contact) which forwards the lead to the PrimeStay sales inbox at info@primestay.rs via Resend. support@primestay.rs is reserved for technical support, privacy/SAR requests and billing. There is no newsletter or waitlist system — the UI for that has been removed.

UTM attribution forwarding: When you click the "Sign up" CTA, the browser redirects you to app.primestay.rs/signup with attribution parameters (utm_source, utm_medium, utm_campaign, utm_content) in the URL. They are saved into the Organization.signupSource column (max 500 chars) and used solely for internal conversion analytics. They are not shared with third parties and are not used for retargeting.

Cookies: Detailed list in the Cookie Policy. Without consent only essential cookies are active (consent choice, language, theme, sidebar). GA4 and Google Ads activate exclusively after "Accept all" in the consent banner.

What is collected at registration: Email, password, organisation name, role (ADMIN / MANAGER / OWNER / STAFF), preferred language (SR / EN), notification toggles, UTM attribution from the URL.

What is collected on every login (RefreshToken / Trusted Devices): SHA-256 hash of the refresh token (we never store the original); deviceId; deviceLabel ("iPhone 15 Pro", "Chrome on macOS"); userAgent; ipAddress; country and city from local MaxMind database; expiresAt, lastUsedAt, createdAt, revokedAt, revokedReason. Purpose: Trusted Devices — in Settings → Security you see all active sessions and can revoke any of them remotely. Reuse-detection automatically revokes a user's entire session family when it spots theft signs.

Automatic session revocation (protection on security events): All active sessions are revoked at once and every device is forced to log in again in the following cases: (a) when you confirm an email change — prevents an attacker who initiated the change from keeping a session when the email flips; (b) when reuse-detection spots a re-used rotated refresh token — defence against token theft; (c) when you manually click "Sign out from all devices" in the Trusted Devices list.

Forensic block in security notification emails: When someone initiates a sensitive action on your account (e.g. an email change), the notice email sent to the old address contains the requester IP address, approximate location (city, country) from our local GeoIP database, and a precise UTC timestamp. The goal is to let the legitimate owner instantly recognise whether they performed the action. If IP is unavailable (proxy strips it), the forensic block is omitted rather than shown as an empty placeholder. Legal basis: Art. 6(1)(f) legitimate interest (account protection).

Push notifications (mobile only): When you grant the OS-level permission (system prompt on iOS and Android 13+), the app registers an FCM or APNs token with us. All push notifications are operational (Art. 6(1)(b) contract): BOOKING_CREATED, BOOKING_STATUS_CHANGED, BOOKING_CANCELLED, BOOKING_CHECKIN_TODAY, BOOKING_CHECKOUT_TODAY, TASK_ASSIGNED, TRIAL_REMINDER. We do not send promotional / marketing push. Granular off in Settings → Notifications or in the OS.

Biometric authentication: Optional — Face ID, Touch ID, Android BiometricPrompt via our custom Capacitor plugin @primestay/auth-native. The biometric template (fingerprint, face scan) NEVER leaves the Secure Enclave / StrongBox. The app receives only a Boolean response.

Secure storage of tokens on the device: iOS Keychain (kSecClassGenericPassword, flag kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly — NOT included in iCloud Keychain backup, deleted on app uninstall, available only after first-unlock-since-boot). Android EncryptedSharedPreferences with MasterKey (AES256-GCM AEAD, master key in Android Keystore TEE/StrongBox where hardware supports). Web: localStorage (industry-standard compromise for SPA refresh tokens).

Password: bcrypt cost factor 12. The plain-text password never leaves your device except over TLS-secured transmission, and is not stored on the server.

Geographic location from IP: Local MaxMind GeoLite2-City .mmdb database on our Hetzner server (Germany). Your IP NEVER goes to MaxMind or any third-party API. Lookup is a deterministic local file search. Accuracy is at city level (not street).

What we do NOT do: No GA, no Google Ads, no analytics SDK at all in the SaaS app or mobile app. No cross-app tracking. No GPS, camera, microphone, contacts, calendar, photos. No IDFA / AAID / advertising identifiers. No behavioural profiling.

This section becomes effective only once you have signed a Property Management Agreement (PMA) with PrimeStay. If you have not — you can skip it.

PrimeStay currently offers Managed Service as a separate offering alongside the SaaS Platform. Each engagement requires a signed PMA before operations start. The privacy provisions below describe the regime activated by that signature.

Legal position: Once you sign the PMA, PrimeStay directly takes over operations of your property for short-term rental. For guest data you remain the controller (because the property is yours and the rental contract is between you and the guest), and PrimeStay becomes a joint controller (Art. 26 GDPR) because it communicates with guests in its own name and uses guest data to optimise pricing and listings.

Joint Controller arrangement (essence): Details in the PMA. The owner is responsible for: registering the property with the relevant authorities (tourism inspection, eTurista — Central Tourism Information System), reporting guests, paying tourism tax and income tax. PrimeStay is responsible for: lawfulness of the OTA listing, real-time guest communication, fulfilling guest privacy requests when the guest contacts PrimeStay directly, GDPR compliance of the OTA integration.

What is collected in Managed Service context: In addition to Layer B/C data: guest communication via Airbnb / Booking inbox (kept on those platforms; PrimeStay agents access via the operational account); telephone contact with guests; key handover details; operational property photos.

Providing the SaaS service: Art. 6(1)(b) contract performance.

Subscription billing: Art. 6(1)(b) contract performance.

Operational notifications (in-app, email, push): Art. 6(1)(b) contract performance.

Abuse prevention (rate-limit, reuse-detection, audit log): Art. 6(1)(f) legitimate interest.

Trusted Devices and geo lookup: Art. 6(1)(f) legitimate interest — account protection.

Accounting obligations (invoices): Art. 6(1)(c) legal obligation.

Managed service operations (guest communication): Art. 6(1)(b) contract with the owner + (1)(f) towards the guest.

Marketing site analytics (GA4, Google Ads): Art. 6(1)(a) consent (Cookie Consent Banner).

With every processor we conclude a DPA with at least the same level of protection as in our DPA towards clients.

Hetzner Online GmbH: VPS hosting (PostgreSQL, API, GeoIP DB). Location: Germany (EU). Layers: A, B, C, D. DPA — processing within the EU.

Paddle.com Market Ltd: Separate controller — Merchant of Record (billing). NOT our sub-processor; Paddle Data Sharing Addendum explicitly asserts an Art. 26 Controller-to-Controller arrangement. Listed here for data-sharing transparency. Location: UK / EU. Layers: B, C. Paddle Data Sharing Addendum + UK adequacy.

Resend, Inc.: Transactional email (verification, reset, notifications, support). Location: EU + US. Layers: A, B, C, D. DPA + SCC 2021/914.

Google LLC — Firebase Cloud Messaging: Push delivery (Android primarily, iOS via APNs proxy). Location: US. Layer: C. Google Cloud DPA + SCC.

Apple Inc. — APNs: iOS push delivery. Location: US. Layer: C. Apple Developer Agreement + SCC.

MaxMind, Inc.: Distribution of GeoLite2-City .mmdb file. No runtime calls with user data — your IP does not go to MaxMind. Location: US (file download only).

Functional Software, Inc. (Sentry): Backend error tracking + 10% performance traces for our API server. Layers: B, C (server-side). Location: EU (de.sentry.io — the Sentry organisation is configured with Data Storage Region: European Union). What we forward: opaque userId, organization_id tag, role tag, stack trace, URL path, HTTP status. What we do NOT forward: email, IP (sendDefaultPii: false), cookies, request body, passwords (default + custom Data Scrubbers + Advanced regex for email and phone). Legal basis: DPA — processing within the EU, no SCC overhead.

Google LLC — Analytics 4 (G-8Z2TTGP38Z): Marketing site analytics. Layer A only. Activated exclusively after consent via Cookie Banner.

Google LLC — Google Ads (AW-3967715400): Marketing site conversion tracking. Layer A only. Consent required.

Apple App Store / Google Play: Mobile app distribution. Location: US. Layer C.

Live updated list: primestay.rs/legal/sub-processors. You will be notified by email at least 30 days before the introduction of a new sub-processor that processes your personal data.

What we do NOT do: we do not integrate Facebook Pixel, TikTok Pixel, LinkedIn Insight, Mixpanel, Hotjar, Crashlytics (FE), Segment, AppsFlyer, Branch, or any other user-behaviour tracker. Sentry is used solely for backend error and performance traces (server-side, listed above) — no FE SDK, no user-behaviour tracking. We do not sell or rent data to third parties.

Active user account (SaaS): For the duration of the account.

Data after account deletion: Soft-delete 30 days, then permanent deletion (except statutory records).

Accounting records: 10 years (Art. 13 of the Accounting Act of Serbia).

Database backups: 30 days, encrypted at rest.

Push tokens (FCM unregistered response): Deleted immediately; manual sweep at 60 days.

RefreshToken (revoked): 90 days post-revoke (forensics window), then deletion.

Server access logs: 90 days.

AdminAuditLog (platform-admin actions): 5 years.

SecurityAuditLog (per-user security events): 5 years (forensic window — parity with AdminAuditLog). Deleted together with the account after the soft-delete period expires.

Email change pending state (pendingEmail, token hashes): Tokens valid for 24h. After expiry or confirm/cancel, fields are cleared by the next change request or by a periodic cleanup. Any leftover expired rows are functionally inert — the confirm endpoint refuses expired tokens unconditionally.

Email log (Resend): 30 days at Resend; our send record: 90 days.

GA4 data (Layer A only, only after consent): 14 months (GA4 default).

Contact form emails: Until the inquiry is resolved; deleted on request (support@primestay.rs).

Right of access (Art. 15): A copy of all data we hold about you.

Right to rectification (Art. 16): You change most fields yourself in Settings.

Right to erasure / "right to be forgotten" (Art. 17): Account and data deletion, except where we are legally obliged to retain. Detailed instructions for both channels (in-app + email) are at primestay.rs/en/account-deletion.

Right to restriction of processing (Art. 18):

Right to data portability (Art. 20): Structured, machine-readable format (JSON export).

Right to object (Art. 21): Against processing based on legitimate interest.

Right to withdraw consent (Art. 7(3)): Anytime, without explanation. Does not affect lawfulness of processing prior to withdrawal.

How to exercise: support@primestay.rs. We respond within 30 days.

Right to lodge a complaint with a supervisory authority: Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (poverenik.rs). EU/EEA residents: the supervisory authority of your country of residence.

Technical measures: TLS 1.2+ (preferred 1.3). Backups encrypted at rest. bcrypt cost 12. Short-lived JWT access tokens; refresh rotation with reuse-detection. iOS Keychain (NOT in iCloud Keychain backup). Android EncryptedSharedPreferences (AES256-GCM AEAD). Multi-tenant isolation. Auth route rate-limiting.

Organisational measures: Production access limited to authorised team, SSH keys (no password log-in). AdminAuditLog — append-only record of all platform-admin actions. SecurityAuditLog — append-only record of per-user security events (email change and other security flows being added incrementally). Both are append-only — operational admins CANNOT modify or delete entries manually.

Hosting: Hetzner Online GmbH, Germany (EU). DPA in place.

Incident notification: In the event of a breach that endangers your data, we notify you and the Commissioner within 72 hours (Art. 33–34 GDPR).

Some processors are outside the EU/EEA (US — Resend, Firebase, APNs, App Store, Play Store, GA, Google Ads). Legal basis: European Commission Standard Contractual Clauses (Implementing Decision 2021/914) or adequacy decisions (UK). Sentry is NOT in this list — our Sentry organisation is configured with the EU Data Storage Region, so all backend error and performance traces are processed within the EU.

GA and Google Ads activate exclusively after your consent via the Cookie Banner (Art. 49(1)(a) consent).

PrimeStay is a business tool intended for adults running short-term rental operations. Minimum age for use: 18 years (legal capacity required to enter a subscription contract and to process guest personal data). We do not knowingly collect children's data. If we discover that we have inadvertently collected such data, we will delete it immediately.

Major (1.x → 2.x): Material change of processing scope, new sub-processor, change of legal basis. Email + in-app banner, 30 days before effective date.

Minor (2.0 → 2.1): Clarity, typo fix. Effective immediately, in-app banner.

The date of last change and version number are stated at the top of the document.

Privacy requests (SAR, deletion, objection): support@primestay.rs

Technical support: support@primestay.rs

Sales / Managed Service / Demo: info@primestay.rs

Security disclosure (responsible disclosure): support@primestay.rs

Postal address: Filip Ivanović PR PrimeStay, Katanićeva 18, 11000 Belgrade, Republic of Serbia.