Security

Your data, your guests' data and your passwords are protected by industry-standard controls. Below is an overview of the key measures we apply.

Encryption in transit

All traffic between users and the platform runs over HTTPS (TLS 1.3). No data leaves our server in the clear.

Encryption at rest

Database backups are encrypted. The production database is reachable only from a private network, with no public exposure.

Hashed passwords

Passwords are stored hashed with bcrypt (cost factor 10). Not even PrimeStay staff can read them.

Single-session enforcement

One active session per user. A new login automatically invalidates the previous session — if a device is compromised, signing in from your own device boots the attacker out.
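The sketch below is an added example, not PrimeStay's code. It shows one way a server can enforce a single active session with signed tokens: every login stores a fresh session id for the user, and each request is rejected unless the token's id matches the stored one. The in-memory `Map`, the HMAC-signed token standing in for a JWT, and the function names `login`, `verify` and `logout` are all assumptions made for illustration.

```javascript
// Added example (not PrimeStay code): single active session per user.
const { createHmac, randomBytes, randomUUID, timingSafeEqual } = require('node:crypto');

const SECRET = randomBytes(32);      // constructed signing key for the demo
const currentSid = new Map();        // assumed server-side store: userId -> active session id

function mac(body) {
  return createHmac('sha256', SECRET).update(body).digest();
}

// Issue a signed token (simplified stand-in for a JWT) bound to a fresh session id.
function login(userId, ttlMs = 60 * 60 * 1000) {
  const sid = randomUUID();
  currentSid.set(userId, sid);       // overwriting is what invalidates the previous session
  const body = Buffer.from(JSON.stringify({ sub: userId, sid, exp: Date.now() + ttlMs }))
    .toString('base64url');
  return `${body}.${mac(body).toString('base64url')}`;
}

// Return the claims if the token is authentic, unexpired and still the user's
// active session; otherwise null.
function verify(token) {
  const [body, sig] = String(token).split('.');
  if (!body || !sig) return null;
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(body);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp <= Date.now()) return null;
  // A valid signature is not enough: an older token for the same user must fail here.
  if (currentSid.get(claims.sub) !== claims.sid) return null;
  return claims;
}

function logout(userId) {
  currentSid.delete(userId);         // no active session: every outstanding token fails
}
```

The session-id comparison is what makes a correctly signed, unexpired token from an earlier login stop working the moment a newer login happens.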

Role-based access (RBAC)

Four roles: ADMIN, MANAGER, STAFF, OWNER. Each role sees only the data relevant to it. Multi-tenant isolation prevents any cross-organisation access.

PCI DSS for payments

PrimeStay never receives or stores payment card data. Paddle as Merchant of Record handles all payments in accordance with PCI DSS standards.

Mobile app

JWT tokens are stored in the device's secure system storage (Capacitor Preferences API — NSUserDefaults on iOS, SharedPreferences on Android), never in localStorage.

72-hour breach notification

In line with the GDPR, if a data breach threatens user rights, we notify affected users and the supervisory authority within 72 hours.

Reporting a security issue

If you discover a security vulnerability, please send a discreet report to info@primestay.rs. Do not publicly disclose the issue before giving us reasonable time to fix it. We appreciate researchers who help keep the platform safe.