Security

Your data, your guests' data and your passwords are protected by industry-standard controls. Below is an overview of the key measures we apply.

Encryption in transit

All traffic between users and the platform runs over HTTPS (TLS 1.3). No data leaves our server in the clear.

Encryption at rest

Database backups are encrypted. The production database is reachable only from a private network, with no public exposure.

Hashed passwords

Passwords are stored hashed with bcrypt (cost factor 12). The plain-text password never leaves your device except over TLS and is never stored, so not even PrimeStay staff can read it.

Trusted Devices and refresh token rotation

See all active per-device sessions in Settings → Security and revoke any of them remotely. Refresh tokens rotate on every renewal; reuse-detection automatically invalidates a user's entire session family at the first sign of theft.
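The rotation and reuse-detection behaviour described above, as an added illustration in Python (this is not PrimeStay's own code; the in-memory store, the token-family model and the helper names are assumptions). Each login starts a token family; every renewal retires the presented token and issues a new one in the same family, and presenting a retired token revokes the whole family, which is the "at the first sign of theft" case.

```python
"""Refresh-token rotation with reuse detection (added example, not PrimeStay's
code). Only token hashes are kept server-side; raw tokens exist only on the
client."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class TokenRecord:
    family_id: str        # one family per device login
    user_id: str
    used: bool = False    # set once the token has been rotated away


@dataclass
class RefreshTokenStore:
    _by_hash: Dict[str, TokenRecord] = field(default_factory=dict)
    _revoked_families: Set[str] = field(default_factory=set)

    @staticmethod
    def _h(token: str) -> str:
        # Persist a digest, not the token, so a database leak is not a session leak.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family_id: Optional[str] = None) -> str:
        """Create a fresh refresh token; a brand-new family if none is given."""
        family_id = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._by_hash[self._h(token)] = TokenRecord(family_id, user_id)
        return token

    def family_of(self, token: str) -> Optional[str]:
        rec = self._by_hash.get(self._h(token))
        return rec.family_id if rec else None

    def revoke_family(self, family_id: str) -> None:
        """Remote revocation of one device session (the Settings -> Security action)."""
        self._revoked_families.add(family_id)

    def is_active(self, token: str) -> bool:
        rec = self._by_hash.get(self._h(token))
        return (rec is not None and not rec.used
                and rec.family_id not in self._revoked_families)

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a valid token for a new one in the same family.

        Returns None when the token is unknown, belongs to a revoked family,
        or has already been used. The last case is reuse detection: either the
        legitimate client or a thief is replaying a stale copy, and since the
        server cannot tell which, the entire family is revoked.
        """
        rec = self._by_hash.get(self._h(presented))
        if rec is None or rec.family_id in self._revoked_families:
            return None
        if rec.used:
            self.revoke_family(rec.family_id)
            return None
        rec.used = True
        return self.issue(rec.user_id, rec.family_id)


def theft_scenario() -> bool:
    """Constructed walk-through: a copied token is replayed after the real
    client has already renewed. Returns True when the family ends up revoked."""
    store = RefreshTokenStore()
    t1 = store.issue("user-1")          # login on a device
    t2 = store.rotate(t1)               # legitimate renewal
    replay = store.rotate(t1)           # stale copy presented again
    return replay is None and t2 is not None and not store.is_active(t2)


if __name__ == "__main__":
    print("family revoked on reuse:", theft_scenario())
```

In a real deployment the store is the database and the digests are compared on an indexed column; the logic is the same, and the important property is that a renewal never leaves two live tokens in one family.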

Role-based access (RBAC)

Four roles: ADMIN, MANAGER, STAFF, OWNER. Each role sees only the data relevant to it. Multi-tenant isolation on every query prevents any cross-organisation access.
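Here is an added Python example, not PrimeStay's code, of how "isolation on every query" can be enforced structurally: a single data-access function takes the caller's principal, always appends the caller's organisation as a WHERE predicate, and selects only the columns its role is allowed to see. The table layout, the column allow-list per role and the sample rows are constructed for the illustration.

```python
"""Tenant-scoped, role-filtered reads (added example, not PrimeStay's code)."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROLES = ("ADMIN", "MANAGER", "STAFF", "OWNER")

# Assumed column visibility per role; column names are a fixed allow-list,
# so interpolating them into SQL below is safe (values still use placeholders).
VISIBLE_COLUMNS: Dict[str, Tuple[str, ...]] = {
    "ADMIN":   ("id", "org_id", "guest_name", "guest_email", "amount"),
    "MANAGER": ("id", "guest_name", "guest_email", "amount"),
    "STAFF":   ("id", "guest_name"),
    "OWNER":   ("id", "amount"),
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: int
    role: str


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory dataset with two organisations (100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings ("
        " id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,"
        " guest_name TEXT, guest_email TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?, ?, ?)",
        [
            (1, 100, "Ana K.", "ana@example.invalid", 120.0),
            (2, 100, "Ben L.", "ben@example.invalid", 80.0),
            (3, 200, "Cara M.", "cara@example.invalid", 300.0),
        ],
    )
    return conn


def list_bookings(conn: sqlite3.Connection, who: Principal,
                  booking_id: Optional[int] = None) -> List[dict]:
    """Every read passes through here, so the org_id predicate cannot be
    forgotten by an individual endpoint. A booking id from another
    organisation simply yields no rows rather than an error that would
    confirm the id exists."""
    if who.role not in VISIBLE_COLUMNS:
        raise AccessDenied(f"unknown role {who.role!r}")
    cols = VISIBLE_COLUMNS[who.role]
    sql = f"SELECT {', '.join(cols)} FROM bookings WHERE org_id = ?"
    params: List[object] = [who.org_id]
    if booking_id is not None:
        sql += " AND id = ?"
        params.append(booking_id)
    rows = conn.execute(sql, params).fetchall()
    return [dict(zip(cols, r)) for r in rows]


if __name__ == "__main__":
    db = open_demo_db()
    manager = Principal("m1", 100, "MANAGER")
    print(list_bookings(db, manager))            # two rows, no org_id column
    print(list_bookings(db, manager, booking_id=3))  # [] : belongs to org 200
```

The point of routing all reads through one function is that the tenant check is a property of the data layer, not of each caller's discipline; a code review only needs to confirm that no query bypasses it.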

PCI DSS for payments

PrimeStay never receives or stores payment card data. Paddle as Merchant of Record handles all payments in accordance with PCI DSS standards.

Secure storage on mobile

Refresh tokens live in the iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, so they are NOT included in iCloud Keychain backup) and in Android EncryptedSharedPreferences (AES256-GCM AEAD, with the master key held in the Android Keystore TEE/StrongBox). Biometric login (Face ID, Touch ID, fingerprint) is optional; the biometric template never leaves the device's secure enclave.

72-hour breach notification

In line with the GDPR, if a data breach threatens user rights we notify affected users and the supervisory authority within 72 hours.

Reporting a security issue

If you discover a security vulnerability, please send us a discreet report at info@primestay.rs. Please do not publicly disclose the issue before giving us reasonable time to fix it. We appreciate researchers who help keep the platform safe.