01. Scope & Acceptance
This Privacy Policy ("Policy") governs the collection, use, storage, and disclosure of information by SyncStays ("SyncStays," "we," "us," or "our") in connection with the SyncStays hotel management platform – including the website available at www.syncstays.com, the web-based dashboard, the SyncStays mobile application distributed via the Google Play Store, and all related services (collectively, the "Services").
By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please discontinue use of the Services.
02. Data Controller
For the purposes of applicable data protection laws – including the Digital Personal Data Protection Act, 2023 (India) and, where applicable, the EU General Data Protection Regulation (GDPR) – SyncStays acts as the Data Controller for personal data collected directly through its website and mobile application from hotel operators (account holders).
Where a hotel operator uses SyncStays to record information about its own guests, employees, or vendors, the hotel operator acts as the Data Controller for such information, and SyncStays acts as a Data Processor processing that information on the hotel operator's behalf and instructions.
03. Definitions
- Personal Data / Personal Information – any information that identifies, relates to, or could reasonably be linked with an identifiable natural person.
- Account Holder – the hotel, guesthouse, or business that has registered for the Services.
- Authorised User – any individual (such as a manager, receptionist, or housekeeping staff member) granted credentials by an Account Holder to access the Services.
- Guest – an end customer of an Account Holder whose information is recorded in the Services for booking, billing, food ordering, or compliance purposes.
- Processing – any operation performed on Personal Data, whether or not by automated means.
04. Information We Collect
A. Information You Provide
- Account & Hotel Information: hotel name, business address, contact number, email address, GSTIN (where applicable), room configuration, tax preferences, currency, time zone, and payment-related metadata.
- Authentication Credentials: email address and password (stored as a one-way bcrypt hash), Firebase authentication identifiers, and session tokens.
- Staff Records: names, usernames, roles, and attendance data for Authorised Users created by the Account Holder.
- Guest Information: name, phone number, address, identification document type and number, check-in / check-out dates, payment mode, and billing details – entered by the Account Holder.
- Identification Documents & Photographs: scanned images of government-issued identity documents (such as Aadhaar, PAN, Driving Licence, Passport, Voter ID) and guest photographs, where uploaded by the Account Holder for compliance.
- Food Order Data: guest phone number (for verification), order contents, room number, and order timestamps.
- Communications: messages submitted through contact forms, WhatsApp, email, or support channels.
B. Information Collected Automatically
- Device & Technical Data: IP address, browser type and version, operating system, device model, language preference, time-zone setting, application version, and crash diagnostics.
- Usage Data: pages or screens viewed, features used, request paths, timestamps, and approximate duration of sessions, collected for security, performance, and product-improvement purposes.
- Log Data: server logs of API requests (including slow-request diagnostics, rate-limit events, and panic recovery traces) used for operational monitoring.
C. Information from Third Parties
- Optical Character Recognition (OCR): when an Account Holder uses the ID-scan feature, the document image is transmitted to Google Cloud Vision API solely to extract textual fields (such as name and identification number). The extracted text is returned to SyncStays and stored against the corresponding booking record.
- Authentication Providers: when login is performed via Firebase Authentication, we receive the user's unique identifier and verified email address.
05. How We Use Information
We process Personal Data for the following purposes:
- To create, authenticate, and maintain Account Holder and Authorised User accounts.
- To deliver the core functionality of the Services – including room booking, check-in / check-out, housekeeping, maintenance, billing, invoicing, food ordering, attendance, and analytics.
- To enable Account Holders to comply with statutory obligations such as guest registration, GST invoicing, and law-enforcement record-keeping.
- To send transactional communications – such as service notifications, security alerts, billing receipts, and changes to the Services.
- To prevent fraud, abuse, and unauthorised access, including through rate-limiting, session validation, and IP-based monitoring.
- To monitor performance, diagnose errors, and improve the reliability and usability of the Services.
- To respond to support enquiries and resolve disputes.
- To comply with applicable legal obligations, court orders, or governmental requests.
We do not sell Personal Data, and we do not use Guest information for advertising or marketing purposes.
06. Legal Bases for Processing
Where applicable, we rely on one or more of the following legal bases to process Personal Data:
- Contract: processing necessary to perform the agreement under which we provide the Services to the Account Holder.
- Legitimate Interests: securing our platform, preventing abuse, improving the product, and operating our business – balanced against the rights and freedoms of data subjects.
- Consent: where required by law (for example, optional features that involve additional processing), processing is carried out on the basis of the data subject's freely given consent, which may be withdrawn at any time.
- Legal Obligation: processing necessary to comply with applicable laws, including tax, anti-money-laundering, and hospitality-sector record-keeping requirements.
08. Third-Party Services
The Services rely on the following third-party processors. Each provider's processing of your data is governed by its own privacy policy:
- Google Firebase (Authentication, Cloud Firestore, Cloud Storage) – primary hosting and database backend. Firebase Privacy
- Google Cloud Vision API – server-side text extraction from uploaded identification documents. Vision Data Usage
- Google Cloud Platform – application hosting, networking, and storage. GCP Privacy Notice
- Google Fonts & Tailwind CDN – content delivery for typography and styling assets.
We periodically review our sub-processors to ensure they maintain adequate security and privacy practices.
09. Mobile App Permissions
The SyncStays mobile application may request the following device permissions. Each is requested only for the functionality described, and may be revoked at any time through your device settings:
- Internet & Network State: required for the app to communicate with the SyncStays backend.
- Camera: optional – used solely to capture photographs of guest identification documents or guest photos for upload to the Account Holder's records.
- Photos / Media / Storage: optional – used to select existing images from the device gallery for upload.
- Notifications: optional – used to alert kitchen staff of new food orders and to deliver transactional notifications.
- Foreground Service / Wake Lock: used to maintain real-time order notifications while the app is in use.
The application does not collect contacts, SMS messages, call logs, precise location, microphone audio, or device-wide advertising identifiers.
10. Data Storage & Security
Personal Data is stored on Google Cloud infrastructure with the following safeguards:
- All network traffic between the client and the SyncStays servers is encrypted using TLS 1.2 or higher.
- Passwords are stored using a one-way bcrypt hash with per-user salts; we never store passwords in clear text.
- Session tokens are generated using a cryptographically secure random source.
- Server-side rate-limiting, panic recovery, and per-IP throttling are applied to mitigate brute-force and denial-of-service attempts.
- Access to production data is restricted to authorised personnel on a strict need-to-know basis, governed by role-based access controls.
- Data at rest within Firestore and Cloud Storage benefits from Google's default AES-256 server-side encryption.
No system can be guaranteed to be 100% secure. While we apply commercially reasonable safeguards, we cannot warrant absolute security of information transmitted to or stored on the Services.
11. Data Retention
We retain Personal Data only for as long as is necessary to fulfil the purposes set out in this Policy, including any legal, accounting, or reporting requirements:
- Account Data: retained for the duration of the account, and for a reasonable period thereafter for backup, audit, and dispute-resolution purposes.
- Booking & Guest Records: retained for the period required to satisfy applicable hospitality, tax, and compliance obligations of the Account Holder, and in any event for no longer than 2 years from the date of the stay, after which records are securely deleted or anonymised unless a longer period is mandated by law.
- Identification Documents: retained for the period mandated by applicable law, after which they are securely deleted upon request.
- Activity Logs & Diagnostic Logs: automatically purged after 30 days unless required for ongoing investigations.
- Session Tokens: retained until logout or session expiry.
Upon termination of an account, Account Holders may request export and deletion of their data by contacting us as set out in Section 18.
12. International Data Transfers
SyncStays primarily processes data on infrastructure located in regions selected for performance and compliance. Because our service providers (notably Google Cloud) operate globally, your Personal Data may be transferred to, stored in, or processed in countries other than your country of residence. Where such transfers occur, we ensure that appropriate safeguards – such as Standard Contractual Clauses or equivalent legal mechanisms – are in place to protect your data.
13. Your Rights
Subject to applicable law, you may have the following rights in respect of your Personal Data:
- Right of Access: request confirmation of whether we process your data, and a copy of that data.
- Right of Rectification: request correction of inaccurate or incomplete data.
- Right of Erasure: request deletion of your data, subject to legal retention obligations.
- Right to Restrict Processing: request that we limit how we use your data in certain circumstances.
- Right to Data Portability: receive your data in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent: where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Object: object to processing carried out on the basis of legitimate interests.
- Right to Lodge a Complaint: file a complaint with a competent data-protection authority.
If you are a Guest whose data has been recorded by a hotel using SyncStays, please direct your request to that hotel in the first instance. We will reasonably assist the hotel in fulfilling your request.
Account Holders and Authorised Users may exercise these rights by contacting us at the address in Section 18. We will respond within the timelines required by applicable law.
14. Children's Privacy
The Services are intended for use by hotel businesses and their authorised staff, and are not directed to children. We do not knowingly collect Personal Data directly from individuals under the age of 18. If we become aware that we have inadvertently collected such data without verifiable parental consent, we will take steps to delete it promptly.
16. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified through the Services or by other reasonable means at least seven (7) days before they take effect. The "Last Updated" date at the top of this page indicates when the Policy was most recently revised. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
17. Grievance Officer
In accordance with the Information Technology Act, 2000 and the rules made thereunder, and the Digital Personal Data Protection Act, 2023, the name and contact details of the Grievance Officer are provided below. Any concern, complaint, or request relating to the processing of your Personal Data may be addressed to:
Grievance Officer – SyncStays
We will acknowledge your complaint within 48 hours and endeavour to resolve it within the statutory timeframe.
18. Contact Us
If you have any questions about this Privacy Policy, our data-handling practices, or wish to exercise any of the rights described above, please contact us using the details below. We welcome your feedback and aim to respond to all enquiries in a timely manner.
SyncStays – Privacy Enquiries
For general support, account, or data-related questions.
This Privacy Policy constitutes an electronic record under the Information Technology Act, 2000 and the rules thereunder, and does not require any physical or digital signature.