1. Introduction
This Privacy Policy describes how Palm Stays ("we," "us," or "our") collects, uses, discloses, and safeguards personal information when you use our website, mobile applications, and related services (collectively, the "Platform").
We are committed to protecting your privacy and handling your data responsibly, in compliance with the Bahrain Personal Data Protection Law (PDPL) — Law No. 30 of 2018, the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018, where applicable.
This Privacy Policy is publicly accessible at palmstays.co/privacy and does not require an account or login to view.
2. Who We Are
Palm Stays operates through two legal entities that jointly act as data controllers of your personal information:
| Entity | Details |
|---|---|
| Palm Stays Real Estate Rental Platform Primary operator — Bahrain | Commercial Registration: 153813-1 Registered in the Kingdom of Bahrain Regulated by the Ministry of Industry and Commerce |
| Palm Stays LTD International operations — United Kingdom | Company Number: 17171694 Registered in England & Wales |
For most users in Bahrain and the GCC, Palm Stays Real Estate Rental Platform is the primary data controller. For users in the UK, EU, and international markets, Palm Stays LTD acts as joint controller.
3. Data We Collect
3.1 Information You Provide
- Account information: Name, email address, phone number, password (hashed), profile photo, date of birth.
- Identity verification: Government-issued ID (passport, CPR, driver's licence) when required for trust and safety or host verification.
- Booking details: Check-in/check-out dates, guest count, special requests, travel purpose.
- Payment information: Payment details collected and processed directly by our PCI-DSS compliant payment providers. We never store full card numbers — see Section 8.
- Host information: Property details, bank account or IBAN for payouts, tax identifiers, property ownership documents.
- Communications: Messages exchanged with hosts, guests, or our support team; reviews you write; support tickets.
3.2 Information We Collect Automatically
- Device data: IP address, device type, operating system, browser type, language settings, unique device identifiers.
- Usage data: Pages viewed, search queries, listings clicked, time spent on pages, referral URLs.
- Location data: Approximate location (from IP) and precise location (with your consent) to show nearby properties.
- Cookies and similar technologies: See Section 13 below.
3.3 Information from Third Parties
- Social sign-in providers: If you sign in via Google or Apple, we receive your basic profile information (name, email address, profile picture) as permitted by your settings with those providers.
- Payment processors: Transaction status, fraud signals, tokenised payment references, and confirmation data from providers such as Stripe, Tap Payments, and Benefit.
- Identity verification services: Verification results (not the underlying documents where possible).
- Public sources: Public records for fraud prevention and compliance (sanctions, PEP screening).
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: Creating accounts, processing bookings, facilitating payments, enabling host-guest communication.
- Trust and safety: Verifying identities, preventing fraud, detecting suspicious activity, enforcing our Terms of Service.
- Customer support: Responding to questions, resolving disputes, investigating complaints.
- Personalization: Showing relevant properties, remembering your preferences, improving search results.
- Communications: Sending service notifications (booking confirmations, check-in reminders, payment receipts) and, with your consent, marketing communications. See Section 12 for detail.
- Legal compliance: Meeting tax, accounting, anti-money-laundering, and regulatory obligations.
- Analytics and improvement: Understanding how users interact with the Platform to improve features and performance.
- Fraud prevention and security: Monitoring for fraud, chargebacks, account compromise, and prohibited activity. See Section 10.
- AI and automation: Using automated tools to improve support, assist with booking management, detect fraud, and improve operational efficiency. See Section 11.
5. Legal Basis for Processing (GDPR)
For users subject to GDPR or UK DPA, our lawful bases are:
- Contract: To fulfil your booking and account obligations.
- Legitimate interest: To operate, secure, and improve our Platform, prevent fraud and financial crime, and communicate service messages.
- Consent: For marketing communications, precise location, and non-essential cookies. You may withdraw consent at any time.
- Legal obligation: To comply with tax, AML, financial regulation, and other regulatory requirements.
- Vital interests: In rare emergencies involving health or safety.
7. Host & Guest Interactions
Palm Stays facilitates communication between hosts and guests. All messages must flow through the Platform before, during, and after a stay. This is both for your safety and to allow us to mediate disputes.
- We store messages exchanged through the Platform to enable support and dispute resolution.
- Do not share personal contact details, payment information, or off-platform links before a booking is confirmed.
- Hosts and guests must not use data received through the Platform for any purpose outside the booking (e.g., marketing, solicitation).
- Bypassing the Platform to communicate or transact off-platform is a violation of our Terms of Service and may result in account suspension.
8. Payments & Financial Data
8.1 Guest Payments
Payment card details are collected and processed by PCI-DSS compliant payment providers, which may include Stripe, Tap Payments, and Benefit. Palm Stays never stores full card numbers on our servers. We retain only tokenised payment references, the last four digits of the card, card brand, and limited transaction metadata required for accounting and dispute resolution.
Your payment information is transmitted directly to the relevant payment provider using encrypted connections. Palm Stays personnel cannot view or retrieve your full card number.
8.2 Host & Service-Provider Payouts
To process payouts, hosts and service providers must provide bank account details (such as an IBAN or account number). This information is encrypted at rest and accessible only to authorised personnel. Where required for payout processing, this information may be securely shared with regulated payout providers — such as Stripe Global Payouts — solely for the purpose of disbursing funds and complying with applicable financial regulations.
Payout providers process this information under applicable financial regulations and their own privacy policies. Palm Stays shares only the minimum data necessary to complete a payout.
8.3 Financial Records
Transaction records, invoices, and associated financial data are retained for the periods required by tax and accounting regulations in Bahrain and the United Kingdom (typically a minimum of 7 years). See Section 14 for full retention periods.
9. Payment & Payout Providers
Palm Stays partners with regulated payment and payout providers to facilitate secure payment processing and host payouts. These providers are independently regulated under applicable financial laws and operate their own privacy policies and security programmes.
By using the Platform, you acknowledge that payment and payout processing is performed by these third-party providers and that your payment data is subject to their respective privacy policies in addition to this one. We encourage you to review those policies when making a payment or setting up payout details.
We select payment and payout providers that hold appropriate licences and certifications (such as PCI-DSS compliance) and that offer protections consistent with our obligations under applicable law. The specific providers we use may change over time; any change will be reflected in Section 6.2.
10. Fraud Prevention & Platform Safety
Palm Stays monitors Platform activity to detect and prevent fraud, financial crime, and misuse. This monitoring serves both to protect individual users and to meet our legal and regulatory obligations. Activities we monitor for include:
- Payment fraud and unauthorised transactions
- Chargeback abuse and friendly fraud
- Account compromise and identity theft
- Money laundering and sanctions evasion
- Listing fraud and misrepresentation
- Prohibited activities under our Terms of Service
We may use automated systems, third-party fraud-detection services, and human review to investigate suspicious activity. Where we identify a potential violation, we may take action including placing a hold on a payout, temporarily restricting an account, or disclosing information to relevant authorities as required by law.
The legal bases for this processing are our legitimate interests in protecting the security and integrity of the Platform and our legal obligations under anti-money-laundering and financial crime regulations.
11. Artificial Intelligence & Automated Systems
Palm Stays may use artificial intelligence (AI) and automated processing technologies to improve the quality and safety of our services. These systems may be used to:
- Improve customer support: Assisting with responses, routing queries, and suggesting resolutions.
- Assist with booking management: Optimising availability, pricing suggestions, and scheduling.
- Detect fraud and suspicious activity: Identifying patterns associated with fraudulent bookings, payments, or account access.
- Improve operational efficiency: Automating routine tasks and processing to improve Platform performance.
Where automated processing may produce decisions that have a significant effect on you (such as account suspension or payout holds), we apply appropriate human oversight and provide you with the right to request a human review. You may contact us at privacy@palmstays.co to request a review of any automated decision that affects you.
12. Communications & Notifications
Palm Stays may contact you through the following channels:
- Email: Booking confirmations, receipts, account alerts, and (with consent) marketing.
- SMS: Verification codes, booking reminders, and urgent service notifications.
- Push notifications: In-app alerts for booking updates, messages, and (with consent) promotional content.
- WhatsApp: Where available and where you have opted in, we may use WhatsApp to send booking updates and support communications.
12.1 Service Communications
Service communications (booking confirmations, payment receipts, check-in instructions, security alerts, and similar operational messages) are sent as part of delivering the service and do not require separate consent. You cannot opt out of essential service communications while your account is active.
12.2 Marketing Communications
Marketing communications (promotional offers, new feature announcements, newsletters) are sent only with your explicit consent. You may withdraw consent at any time by:
- Clicking the unsubscribe link in any marketing email
- Updating your notification preferences in your account settings
- Contacting us at privacy@palmstays.co
Withdrawing marketing consent does not affect your receipt of service communications.
14. Data Retention
We keep your data only as long as necessary for the purposes described in this policy:
- Account data: While your account is active and up to 2 years after closure.
- Booking and financial records: At least 7 years (tax and accounting obligations in Bahrain and UK).
- Messages between users: 3 years after the related booking, for dispute resolution.
- Marketing preferences and logs: Until you withdraw consent, plus a short record of the withdrawal.
- Identity verification documents: Up to 12 months unless required longer by law.
- Fraud prevention records: As long as necessary to protect the Platform and meet legal obligations, which may exceed standard retention periods in cases of confirmed or suspected fraud.
After these periods, data is deleted or irreversibly anonymised.
15. Security Measures
We implement industry-standard measures to protect your data:
- Encryption in transit (TLS 1.2+) and at rest for sensitive fields.
- Row-level security, least-privilege database access, and audit logs.
- Multi-factor authentication for staff and privileged accounts.
- Regular backups, vulnerability scanning, and security reviews.
- Incident response procedures and breach notifications in line with PDPL and GDPR.
No system is 100% secure. If we become aware of a data breach that risks your rights or freedoms, we will notify you and the relevant regulator within the legally required timeframes.
16. International Data Transfers
Your data may be processed in Bahrain, the United Kingdom, the European Union, the United States, or other countries where our service providers operate. Where we transfer data across borders, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.
Payment and payout providers may process data in their own operating jurisdictions in accordance with applicable financial regulations and their own data transfer safeguards.
17. Your Rights
Depending on your jurisdiction, you have the following rights:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data (subject to retention rules above).
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — where we rely on consent, at any time.
- Human review of automated decisions — request a human review of any significant automated decision affecting you.
- Complain — lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@palmstays.co. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you).
18. Children's Privacy
The Platform is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
19. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the latest version.
20. Contact & Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your data:
- Email: privacy@palmstays.co
- General support: team@palmstays.co
You also have the right to lodge a complaint with the Personal Data Protection Authority of Bahrain or, if you are in the UK, with the Information Commissioner's Office (ICO) at ico.org.uk.
