Privacy Policy

How Prague Prime Stays collects, uses, and protects your personal data, your GDPR rights, and the processors we rely on.

This Privacy Policy explains how Prague Prime Stays collects, uses, shares, and protects your personal data when you visit our website, make an enquiry, or book a stay with us. It is written for an international audience, and it applies whether you are based in the European Union, the United Kingdom, the United States, or elsewhere. We are committed to handling your personal data lawfully, fairly, and transparently in line with the EU General Data Protection Regulation (GDPR), the UK GDPR, and Czech data-protection law.

Please read this policy together with our Terms and Conditions, Cancellation Policy, and Cookie Notice.

Who we are (data controller)

The data controller responsible for your personal data is:

  • Trading name: Prague Prime Stays
  • Legal entity: Prague Prime Stays s.r.o.
  • Registered seat: Chudenická 1059/30, Hostivař, 102 00 Praha 15, Czech Republic
  • Company ID (ICO): 29615763
  • VAT ID (DIC): [DIC - to be confirmed before launch, or "not VAT-registered"]
  • General and data-request contact: [email protected]

For booking and guest support you can also reach our team:

We have not appointed a statutory Data Protection Officer, as we are not required to do so. All data-protection questions and requests should be sent to [email protected].

What this policy covers

This policy covers personal data we process when you:

  • browse our website and view apartment pages;
  • submit an enquiry or contact form;
  • search availability and complete a booking;
  • communicate with us by email, phone, or message before, during, or after your stay;
  • submit a guest review;
  • stay at one of our apartments (including data we are legally required to record about foreign guests).

It does not cover the separate privacy practices of third-party websites or marketplaces (for example Airbnb or Booking.com) through which you may have booked. If you booked through such a marketplace, that platform's own privacy policy also applies to the data you gave it.

The personal data we collect

We group the data we hold into the categories below. We deliberately describe categories rather than individual database fields.

  • Identity and contact data - your first and last name, email address, phone number, and country. We use this to identify you, to communicate with you, and to manage your guest profile.
  • Booking and transaction data - the apartment booked, your stay dates, number of guests, the total price, payment and refund status, and the reference identifiers that link your booking across our booking and payment systems. We do not store your card details (see "Payments" below).
  • Enquiry data - if you contact us through a lead or enquiry form, the email address, phone number, requested dates, number of guests, and any message you send, together with limited marketing-attribution information about how you reached our site (for example UTM parameters).
  • Communications data - records of the messages, notes, and correspondence we exchange with you, kept in our internal guest-relationship records so that our team can give you continuous support.
  • Review data - if you submit a review, your first name, country, an optional email address, and the title and text of your review, together with its moderation status.
  • Technical and connection data - your IP address and basic request metadata that appear in standard hosting and security logs, and an IP address used transiently to rate-limit our enquiry (lead) form. See "Cookies, IP addresses, and tracking" below.
  • Marketing-consent data - a record of whether you have agreed to receive marketing communications from us. This flag is off by default.
  • Foreign-guest registration data - where legally required, identification details we must record about foreign guests. This is collected separately at or before check-in and is described in its own section below.

Where your data comes from

We collect most of this data directly from you - when you make an enquiry, complete a booking, communicate with us, or submit a review. Some technical data is generated automatically when you use the site.

We also receive booking and guest data indirectly. If you book one of our apartments through an online travel agency or marketplace (for example Airbnb or Booking.com), that platform passes your booking details to us through our booking and channel-management system, Beds24. Data reaching us this way typically falls into the identity and contact, and booking and transaction categories above (for example your name, contact details where the platform shares them, stay dates, and guest counts). The marketplace is the source of this data, and its own privacy policy governs the information you provided to it.

How and why we use your data (purposes and legal bases)

Under the GDPR we must have a lawful basis for each use of your personal data. The table below summarises our main processing activities.

| Purpose | Data categories | Legal basis (GDPR) |
| --- | --- | --- |
| Responding to enquiries and contact requests | Identity and contact data, enquiry data, communications data | Steps taken at your request prior to entering a contract, Art. 6(1)(b); our legitimate interest in answering you, Art. 6(1)(f) |
| Creating and managing your booking and providing the stay | Identity and contact data, booking and transaction data, communications data | Performance of our contract with you, Art. 6(1)(b) |
| Taking payment and processing refunds | Booking and transaction data (payment is processed by our payment provider, see below) | Performance of our contract, Art. 6(1)(b) |
| Sending booking-related (transactional) emails - confirmation, pre-arrival, booking updates, cancellation, and a post-stay review request | Identity and contact data, booking and transaction data | Performance of our contract, Art. 6(1)(b); legitimate interest in service quality, Art. 6(1)(f) |
| Publishing and moderating guest reviews | Review data | Consent when you submit a review, Art. 6(1)(a); legitimate interest in displaying genuine feedback, Art. 6(1)(f) |
| Recording foreign-guest details and reporting them where required | Foreign-guest registration data | Compliance with a legal obligation, Art. 6(1)(c) |
| Keeping accounting and tax records | Booking and transaction data | Compliance with a legal obligation, Art. 6(1)(c) |
| Securing the site, preventing abuse, and rate-limiting the enquiry form | Technical and connection data | Legitimate interest in security and fraud prevention, Art. 6(1)(f) |
| Sending marketing communications (only if you opt in) | Identity and contact data, marketing-consent data | Consent, Art. 6(1)(a) |
| Handling complaints, disputes, and establishing or defending legal claims | Any relevant category | Legitimate interest in protecting our rights, Art. 6(1)(f); legal obligation, Art. 6(1)(c) |

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms, and you may object to that processing at any time (see "Your rights").

Automated decision-making and profiling

We do not make any decisions about you that produce legal or similarly significant effects based solely on automated processing, within the meaning of Article 22 GDPR. We do not carry out automated profiling that has such effects. Our team makes the decisions that matter to your booking and stay. We use an AI tool only to generate descriptive text for apartment photos, and that tool processes apartment images only and never your personal data (see "Who we share your data with").

Payments

When you book, the full price of your stay is charged at the time of booking. Payment is processed by Stripe, which is integrated and operated through our booking-management provider, Beds24. You enter your card details directly on Stripe's hosted checkout page. Prague Prime Stays never receives, sees, or stores your full card number or other card-security details. We only receive confirmation of payment status and reference identifiers needed to manage your booking and any refund. The amount charged is a single line item equal to the nightly total for your stay (see also the "Fees not collected at booking" note below).

Transactional and marketing emails

We send the following service emails in connection with your booking, all to the guest who made it:

  • a booking confirmation;
  • a pre-arrival email (typically about three days before check-in);
  • booking-update emails if your booking changes;
  • a cancellation email if your booking is cancelled;
  • a post-stay review request.

These are transactional messages that form part of providing your stay. We also send an internal notification to our own staff when a new enquiry is received.

We currently operate no marketing email system and no newsletter. We do not send marketing emails unless and until you give your consent, which is recorded against your profile and is off by default. You can withdraw consent at any time.

Channel isolation. If you booked your stay through an online travel marketplace (for example Airbnb or Booking.com), we do not send you Prague Prime Stays' own transactional or marketing emails. Communications about a marketplace booking are handled through that marketplace.

Who we share your data with (processors)

We do not sell your personal data. We share it only with service providers (processors) who help us run our business and only to the extent needed for the purpose. Each processor acts on our instructions under a data-processing agreement (DPA); where a DPA is still being concluded before launch, this is noted in the table below.

| Processor | What it does | Data shared | Location / transfer basis |
| --- | --- | --- | --- |
| Supabase | Database, file storage, and admin authentication; our primary store for guest, booking, enquiry, communications, and review records | Identity and contact, booking and transaction, enquiry, communications, review, marketing-consent data | EU region (eu-west-1); data hosted in the EU |
| Beds24 | Booking and channel management, and operation of the Stripe payment integration | Identity and contact, booking and transaction data (guest name, email, phone, country, stay dates, guest counts, notes) | Hosting region [to be confirmed before launch]; a data-processing agreement is required and [to be confirmed before launch]. Where data is transferred outside the EEA or the UK, we rely on appropriate transfer safeguards (see "International data transfers") |
| Stripe | Card-payment processing, operated via Beds24 | Cardholder and payment data, entered by you directly on Stripe's hosted checkout | The contracting Stripe entity for European customers is Stripe Payments Europe, Ltd. (Ireland), with processing also on Stripe's global infrastructure. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses for transfers outside the EEA or the UK [primary processing location to be confirmed before launch] |
| Resend | Delivery of transactional emails | Identity and contact data and booking details needed to send the email | Email-delivery infrastructure [transfer region to be confirmed before launch]. Where data is processed outside the EEA or the UK, we rely on appropriate transfer safeguards such as the EU-US Data Privacy Framework or Standard Contractual Clauses [mechanism to be confirmed before launch] |
| Anthropic (Claude) | AI generation of apartment-photo alt text and captions | Apartment images only; no guest personal data | Processes apartment images only. Anthropic is a US-based provider; where data is processed outside the EEA or the UK, we rely on appropriate transfer safeguards such as the EU-US Data Privacy Framework or Standard Contractual Clauses [mechanism to be confirmed before launch] |
| Google Maps (Google Ireland Ltd) | Map display on apartment pages | The visitor's IP address and device data are shared with Google when a map loads; Google may set its own cookies | Contracting entity Google Ireland Ltd (EU), with processing also on Google's global infrastructure. Google is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses for transfers outside the EEA or the UK |
| Vercel | Website hosting and server logs | Technical and connection data (IP addresses, request metadata) appearing in platform logs | Hosting and logging infrastructure. Vercel is a US-based provider; where data is processed outside the EEA or the UK, we rely on appropriate transfer safeguards such as the EU-US Data Privacy Framework or Standard Contractual Clauses [primary processing location to be confirmed before launch] |

Anthropic processes apartment images only and never receives guest personal data. Google Maps is the only third-party embed on the public site, and it appears only on apartment pages; loading a map shares your IP address and device data with Google. See our Cookie Notice for more detail.

We may also disclose personal data to public authorities where the law requires it (for example the foreign-guest registration described below), and to our professional advisers (such as accountants or lawyers) where necessary, under appropriate confidentiality obligations.

Error monitoring. Our codebase contains configuration for an error-monitoring tool (Sentry), but it is not currently used and is not active. If we activate it in future, we will update this policy and ensure an appropriate data-processing agreement and safeguards are in place.

International data transfers

We aim to keep personal data within the European Economic Area (EEA). Our primary database is hosted in the EU. Some of our processors are based in, or process data in, countries outside the EEA and the United Kingdom, including the United States.

Where a processor stores or accesses personal data outside the EEA or the UK, we rely on appropriate safeguards under the GDPR and the UK GDPR. Depending on the processor, these safeguards include:

  • the EU-US Data Privacy Framework (DPF), where the processor is certified under it for transfers from the EEA to the United States, together with the corresponding UK Extension to the DPF for transfers from the United Kingdom; and
  • the European Commission's Standard Contractual Clauses (SCCs), where the DPF does not apply, together with the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs for transfers from the United Kingdom, plus any additional technical and organisational measures required to protect your data.

The specific mechanism that applies to each processor is indicated in the processor table above, and several of these are still being confirmed before launch. You may ask us for more information about the safeguards in place by contacting [email protected].

Foreign-guest registration (legal obligation)

As an accommodation provider in the Czech Republic, we are required by law (zakon c. 326/1999 Sb., on the residence of foreign nationals) to keep a register of foreign guests. For each foreign guest we must record details such as full name, date of birth, nationality, travel-document (passport or ID) number, address, and the dates of stay. We must keep this record for 6 years and may be required to report it to the Czech police, including through the electronic UbyPort system. The lawful basis for this processing is compliance with a legal obligation, Art. 6(1)(c) GDPR.

To be transparent about how this works in practice: our online booking form does not collect your passport or identity-document number, date of birth, or home address. This identification data is collected separately, at or before check-in, specifically for the purpose of meeting this legal obligation. We use it only for the registration and reporting required by law and retain it for the statutory 6-year period.

Czech accommodation fees and deposits

  • Local accommodation fee. Local accommodation fees, such as the Prague accommodation fee (mistni poplatek z pobytu), may apply to overnight stays where required by law. This fee is set by municipal ordinance and is subject to change. It is not currently collected through the online booking flow. [Handling to be confirmed before launch.]
  • Security or damage deposit. A refundable security or damage deposit may be required for certain stays. Where applicable, the amount and the conditions for its return are confirmed at or before check-in. [To be confirmed.] A deposit is not currently charged through the online booking flow.

Fees not collected at booking

The amount you pay online at the time of booking is a single charge equal to the nightly total for your stay. There is currently no separate online charge for tourist or accommodation tax, cleaning, a security deposit, or add-ons. Where any such amount applies, it will be communicated to you separately, as described above.

Cookies, IP addresses, and tracking

We keep our use of cookies and tracking to the minimum.

  • The only cookies we set are strictly necessary authentication and session cookies used in our admin area for staff login. These are essential to operate that secure area and do not track you.
  • We deploy no analytics, advertising, or social-media tracking, and we use no analytics platform (no Google Analytics, Plausible, Vercel Analytics, PostHog, or similar). Because we set no non-essential first-party cookies on the public site, we do not display a cookie-consent banner.
  • The one third-party embed on the public site is Google Maps, which appears only on apartment pages. Loading a map shares your IP and device data with Google and may set Google's own cookies.
  • IP addresses are used transiently to rate-limit our enquiry (lead) form (held in memory, not stored as a profile) and to operate a security allowlist for incoming booking-system notifications. IP addresses and basic request metadata also appear in standard hosting and security logs.

For more detail, see our Cookie Notice.

How long we keep your data (retention)

  • Inactive, non-consented guest profiles. If you have not given marketing consent and have no current or future booking, your guest profile is automatically anonymised 3 years after your last activity with us.
  • Financial and booking records. Records needed for accounting and tax are kept for the statutory periods required by Czech law, even after a profile is otherwise anonymised.
  • Foreign-guest registration records. Kept for 6 years, as required by zakon c. 326/1999 Sb.
  • Enquiries that do not lead to a booking. Kept only for as long as needed to handle the enquiry and any follow-up, and then deleted or anonymised.
  • Reviews. Published reviews are kept while they remain published on our site. You may ask us to remove yours at any time.

Where data is anonymised, it can no longer be linked to you and is no longer treated as personal data.

Your rights

Subject to the conditions and exceptions in the GDPR (and the UK GDPR where it applies to you), you have the right to:

  • access the personal data we hold about you and receive a copy;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten"), where no overriding legal obligation requires us to keep it (for example accounting records or foreign-guest registration);
  • restrict our processing in certain circumstances;
  • object to processing based on our legitimate interests, and to object at any time to direct marketing;
  • data portability - receive certain data in a structured, machine-readable format;
  • withdraw consent at any time where we rely on consent (for example marketing), without affecting processing carried out before withdrawal.

You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; as explained above, we do not carry out such processing.

To exercise any of these rights, contact us at [email protected]. We will respond within the time limits set by the GDPR (normally within one month). We may need to verify your identity before acting on a request.

Complaints and supervisory authority

If you believe we have not handled your personal data properly, please contact us first at [email protected] so we can try to resolve the matter. You also have the right to lodge a complaint with the Czech data-protection supervisory authority:

  • Urad pro ochranu osobnich udaju (UOOU)
  • Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
  • www.uoou.cz

If you are based in another EU or EEA country, you may also contact the supervisory authority in your country of residence. If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO).

Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include hosting data with reputable providers, restricting staff access to what is needed, securing our admin area behind authentication, and never storing card details ourselves. No system can be guaranteed completely secure, but we work to keep your data protected. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals, in line with our obligations under Articles 33 and 34 GDPR.

Children

Our website and services are intended for adults. We do not knowingly collect personal data from children. A booking must be made by an adult, who is responsible for any minors included in the stay.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or the law. When we make a material change, we will update the "Last updated" date shown with this page and, where appropriate, take additional steps to inform you. We encourage you to review this page periodically. Continued use of our website or services after an update means you have read the current version.

Contact us

For any privacy question or to exercise your rights, contact:

  • Prague Prime Stays s.r.o., Chudenická 1059/30, Hostivař, 102 00 Praha 10, Czech Republic
  • [email protected]

Last updated