Privacy Policy

Last updated: July 16, 2025

---

This Privacy Policy describes how StayForm ("Service") collects, uses, and protects your personal data.

Data Controller and Data Processor

In the context of this service, two roles must be distinguished:

• Guest Data Controller: This is you, the User (Property Owner). By registering with the Service, you entrust us with the processing of your guests' data to fulfill a legal obligation.
• User Data Controller and Data Processor: The controller of your data (as a User of the Service) and the processor of your guests' data on your behalf is StayForm.net, email: [email protected].

What data do we process and for what purpose?

We process the following categories of data:

• User Data (Property Owners):
  • Scope: Email address, password (in encrypted form - hash).
  • Purpose: To enable login, account management, and provide the main functions of the Service. The legal basis is the necessity to perform a service agreement (Article 6(1)(b) of the GDPR).
• Guest Data (on your behalf):
  • Scope: First name, last name, date of birth, gender, nationality, type and number of identity document, home address, optionally email and phone.
  • Purpose: To enable you (as the Guest Data Controller) to fulfill the legal obligation arising from the Spanish Citizen Security Law, which requires guest registration and reporting to the relevant authorities. Our Service acts as a tool to collect this data and generate the required XML file.
• Technical Data:
  • Scope: IP address, browser User-Agent header.
  • Purpose: To ensure the security of the Service, diagnose technical problems, and for statistical analysis. The basis is our legitimate interest (Article 6(1)(f) of the GDPR).

Data Security and Sharing

We use appropriate technical and organizational measures to protect your data. Passwords are stored in encrypted form. Your data is not shared with third parties, except where required by law. Your guests' data is accessible only to you, and you are responsible for its further transfer to the Spanish authorities.

Your Rights

According to GDPR, you have the right to access your data, rectify it, erase it ("right to be forgotten"), restrict its processing, and object to its processing. To exercise your rights, please contact us at the email address provided in section 1.

Cookies

The Service uses only necessary session cookies, which are required to maintain the session after logging in. We do not use tracking or marketing cookies.