Data Protection Policy

Last updated: April 2026 · UAE Federal Decree-Law No. 45 of 2021 (PDPL)

Stay71 is committed to the responsible collection, processing, storage, and protection of personal data in full compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and all applicable UAE regulations. This Policy sets out our data protection framework, obligations, and your rights as a data subject.

1. Data Controller

The data controller responsible for your personal data is:

Al Wafaa Group / Daidu.ai
Operating platform: Stay71 (www.stay71.com)
Data Protection Contact: privacy@stay71.com
WhatsApp: +971 50 631 9579

2. Scope & Application

This Policy applies to all personal data processed by Stay71 in connection with:
— The operation of the Stay71 platform (www.stay71.com)
— All registered users including Tenants, Hotel Partners, and administrators
— All booking, payment, and communication transactions
— All marketing and customer support activities

This Policy applies regardless of whether data is processed in the UAE or transferred to a third country for processing by our service providers.

3. Data We Process

3.1 Tenant Data:
— Identity data: full name, nationality, Emirates ID or passport details (where required)
— Contact data: email address, WhatsApp number, phone number
— Booking data: check-in/out dates, room preferences, stay type, number of guests
— Payment data: transaction records (card details are processed by Stripe and never stored by Stay71)
— Communication records: messages and correspondence related to bookings

3.2 Hotel Partner Data:
— Business identity: hotel name, trade licence number, DTCM licence number
— Contact details: authorised representative name, email, phone
— Property data: room types, prices, photos, amenities, availability
— Financial data: bank account details for commission payouts
— Booking and revenue data

3.3 Technical Data (all users):
— IP address, device type, browser information
— Platform usage data and session logs
— Cookie and tracking data (see our Privacy Policy for details)

4. Purpose & Legal Basis for Processing

4.1 We process personal data for the following purposes and on the following legal bases under UAE PDPL:

PURPOSE → LEGAL BASIS
Providing the Stay71 platform service → Contractual necessity
Processing bookings and payments → Contractual necessity
Sending booking confirmations and receipts → Contractual necessity
Verifying Hotel Partner licences and compliance → Legal obligation
Fraud prevention and platform security → Legitimate interests
Improving platform features and UX → Legitimate interests
Sending marketing emails or WhatsApp messages → Consent (opt-in only)
Complying with UAE government requests → Legal obligation
Resolving disputes and enforcing Terms → Legitimate interests / Legal obligation

4.2 We do not engage in automated decision-making or profiling that produces legal effects for users.

5. Data Minimisation & Accuracy

5.1 Stay71 collects only the personal data that is necessary for the purposes described in this Policy. We do not collect data speculatively or for undefined future use.

5.2 We take reasonable steps to ensure that personal data we hold is accurate and kept up to date. Users are encouraged to update their profile information promptly if it changes.

5.3 Hotel Partners are responsible for ensuring that all data they submit to the platform (including property descriptions, pricing, and availability) is accurate, current, and not misleading.

6. Data Storage & Security

6.1 Storage infrastructure: All Stay71 data is stored on Supabase (PostgreSQL database hosted in Frankfurt, Germany — EU jurisdiction), which provides enterprise-grade security, encryption at rest, and access controls.

6.2 Security measures implemented by Stay71:
— TLS/SSL encryption for all data in transit
— Row-level security (RLS) policies on database tables
— Role-based access controls (RBAC)
— Service role key management for sensitive operations
— Regular dependency and security updates
— Secure environment variable management via Vercel

6.3 Payment security: All payment data is processed by Stripe, which is PCI DSS Level 1 compliant. Stay71 does not store, transmit, or have access to full payment card details.

6.4 Staff access: Access to personal data is restricted to authorised Stay71 personnel on a strict need-to-know basis. All staff with access to personal data are bound by confidentiality obligations.

6.5 Breach notification: In the event of a data breach affecting your personal data, Stay71 will notify affected users and the relevant UAE regulatory authorities within the timeframes required by UAE PDPL.

7. Data Sharing & Third-Party Processors

Stay71 uses the following third-party data processors. Each is bound by data processing agreements and may only process data for the purposes specified:

PROCESSOR → PURPOSE → LOCATION
Supabase → Database hosting and storage → Germany (EU)
Vercel → Platform hosting and deployment → USA (adequacy measures in place)
Stripe → Payment processing → USA / Global (PCI DSS compliant)
Resend → Transactional email delivery → USA
360dialog → WhatsApp business messaging → Germany (EU)

We do not share personal data with any other third parties except:
— Where required by UAE law or court order
— With the relevant Hotel Partner for booking fulfilment
— In connection with a business merger or acquisition (with prior notice)

8. International Data Transfers

Some of our service providers process data outside the UAE. Where this occurs, Stay71 ensures that:
— Appropriate contractual safeguards are in place (data processing agreements)
— The receiving country provides an adequate level of data protection, or
— Standard contractual clauses or equivalent mechanisms are used

Stay71 does not transfer personal data to countries that do not provide adequate data protection without implementing appropriate safeguards.

9. Data Retention Schedule

We retain personal data only for as long as necessary:

DATA TYPE → RETENTION PERIOD
Account profile data → Duration of account + 3 years after closure
Booking records → 5 years (UAE commercial records requirement)
Payment transaction records → 5 years (UAE financial regulations)
Communication logs → 2 years
Marketing consent records → Until consent withdrawn + 1 year
Hotel Partner licence data → Duration of partnership + 3 years
Security and fraud logs → 1 year

After the relevant retention period, data is securely deleted or anonymised.

10. Your Data Subject Rights

Under UAE PDPL, you have the following rights regarding your personal data:

10.1 Right of Access: You may request a copy of the personal data we hold about you.

10.2 Right to Rectification: You may request that inaccurate or incomplete data be corrected.

10.3 Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal obligations to retain certain records.

10.4 Right to Restriction: You may request that we restrict processing of your data in certain circumstances.

10.5 Right to Object: You may object to processing based on legitimate interests, including direct marketing.

10.6 Right to Data Portability: You may request your data in a structured, machine-readable format.

10.7 Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, submit a written request to privacy@stay71.com. We will acknowledge your request within 5 working days and respond fully within 30 days.

11. Children's Data

Stay71 does not knowingly collect or process personal data from individuals under the age of 18. If you believe a minor has provided personal data through our platform, please contact us at privacy@stay71.com and we will promptly delete the relevant data.

12. Regulatory Authority

Stay71's data protection practices are subject to oversight by the UAE Data Office established under Federal Decree-Law No. 45 of 2021. If you believe your data protection rights have been violated and we have not adequately resolved your complaint, you have the right to lodge a complaint with the UAE Data Office or the relevant data protection authority in your jurisdiction.

13. Policy Updates

We review and update this Data Protection Policy at least annually or whenever significant changes occur in our data processing activities or applicable laws. We will notify registered users of material updates via email or platform notification. The current version of this Policy is always available at www.stay71.com/data-protection
