Privacy Policy

Your data,
your rules.

A plain-English explainer. The formal version is available on request.

What we collect

Only what's needed to run your stay.

  • Booking data — name, email, phone, dates, room type, payment token (not the card number).
  • Account data (members only) — email verification, sign-in history, saved preferences.
  • Stay data — door-code generation and use logs, message history with our support team.
  • Aggregate analytics — page views and conversion data, processed in a way that can't be tied back to you as an individual.

We don't collect precise location data, we don't have cookies for advertising networks, and we don't sell data to third parties — ever.

How we use it

To deliver the stay. That's it.

Booking data is shared with the property management system (Apaleo) and the payment processor (Adyen/Straumur) because it has to be. Door-code events stay inside our own infrastructure. Support messages are stored for quality and training, and are deleted after 12 months.

Member accounts are used for rate personalisation and booking history. You can delete your account at any time from My Trips → Profile.

Your rights

Under GDPR, CCPA, and Icelandic data law.

  • Right to access — ask us what we have, get a copy in 30 days.
  • Right to erasure — delete your data, including booking records (we keep invoices for 7 years as tax law requires).
  • Right to portability — export your data as JSON, sent to your verified email.
  • Right to object — opt out of marketing with one click.

Data requests: privacy@askastays.com. Data Protection Officer: same mailbox, reaches the DPO directly.