Privacy Policy

Chat2Stay

Version 1.0 | 12 March 2026

1. Who We Are

Chat2Stay (trade name of KOROMPLIS C2S LIMITED PARTNERSHIP, hereinafter "Chat2Stay", "We" or "the Company") is a Software as a Service (SaaS) platform that provides an AI-powered communication assistant for short-term rental property owners and managers.

The service enables management of guest communications via WhatsApp, email or other channels, providing automated responses, information, and workflow automation.

Company Details:

Chat2Stay

Registered address: Poseidonos 16, Saronida, Attica, Greece

Tax ID (AFM): 803208654

Business Registry (GEMI): 192166203000

Email: contact@chat2stay.com

Phone: +30 697 9077762

Chat2Stay acts as Data Controller pursuant to Article 4(7) of the GDPR.

2. Data We Collect

We collect and process only the personal data necessary to provide and improve the service:

a) Account Data

  • First name, last name
  • Email address, phone number
  • Password (stored as a secure bcrypt hash — never in plain text)

b) Subscription & Payment Data

  • Payment provider information (Stripe or Viva Wallet) — card numbers are never stored by Chat2Stay; they are held exclusively by the payment provider
  • Payment history and invoices
  • Subscription type and status

c) Conversation Data

Chat2Stay collects the following conversation data to deliver the service:

  • Content of messages exchanged between guests and the AI chatbot via WhatsApp
  • Conversation metadata (date, time, duration, message count)
  • Question categorisation (e.g. "WiFi", "Check-in", "Parking")
  • Anonymous usage statistics (e.g. total conversations per property, peak hours)

d) Technical Data

  • IP address, device type, browser
  • Cookies and similar technologies (see Section 10)
  • Usage and performance logs

e) Guest Data — Clarification

Guests who communicate via the QR code do not create an account on Chat2Stay. For them we collect only:

  • Business-Scoped User Identifier (BSUID) — a pseudonymous identifier provided by Meta WhatsApp (format: CC.alphanum) used to route messages between the guest and the property
  • WhatsApp phone number (where available — under Meta's 2026 WhatsApp Username rollout, phone numbers may not be transmitted for every guest)
  • WhatsApp profile name and/or username (where provided by Meta)
  • Conversation content (to generate AI responses)
  • Conversation metadata as described in (c) above

The BSUID is classified as pseudonymous personal data under Article 4(5) GDPR. Guest data is not linked to any user account and is automatically and permanently deleted after 90 days (see Section 7).

3. Legal Basis for Processing

Chat2Stay processes personal data on the following legal bases under Article 6 GDPR:

a) Performance of a Contract — Article 6(1)(b)

We process your data to provide the Chat2Stay service you agreed to upon registration. This covers: account data (name, email, phone), subscription management, AI chatbot service provision, and technical support.

b) Legitimate Interests — Article 6(1)(f)

We process certain data based on legitimate interests, provided these do not override your rights. This includes: improving the AI model and responses, system security and fraud prevention (IP logs, login attempts), spam prevention and abuse detection, and platform performance analysis.

We have assessed that these interests do not adversely affect your rights, as: no profiling or automated decision-making takes place; data is processed securely with minimisation; and you may object at any time (see Section 8).

c) Consent — Article 6(1)(a)

We request your explicit consent for: sending newsletters and marketing emails, use of non-essential cookies and similar technologies (analytics, preferences — see Section 10), and promotional communications.

You may withdraw consent at any time without affecting the lawfulness of prior processing.

d) Legal Obligation — Article 6(1)(c)

We process certain data to comply with applicable law, including: retention of tax records (10 years under Greek law), invoices and accounting documents, and transaction records.

4. How We Use Your Data

Your data is used for the following purposes:

  • Delivering and operating the Chat2Stay service
  • Managing subscriptions and payments
  • Providing technical support and customer service
  • Service improvement: AI model optimisation (anonymous data), frequent-question analysis, bug detection
  • Sending service-related notifications and updates

We do not use your data for:

  • Automated decisions that affect you
  • Behavioural profiling
  • Sale or sharing with third parties for marketing

5. AI Data Processing

To deliver automated responses, Chat2Stay uses Google Gemini AI, which acts as a third-party data processor under Article 28 GDPR.

Limited and strictly necessary conversation content may be transmitted to Google's systems solely for the technical processing and generation of the AI assistant's response. This may include the guest's pseudonymous Business-Scoped User Identifier (BSUID) where needed to maintain conversational context, but never the guest's phone number. Additionally, when the property owner uses the URL auto-fill feature, the public content of the page they submit is sent to Google Gemini solely to automatically extract information about their property.

Processing is carried out in accordance with Google's privacy policy, terms of service, and Data Processing Agreement (DPA). Chat2Stay does not control how Google processes data beyond what is required to deliver the service.

Chat2Stay applies data minimisation principles, technical security measures, and encryption, so that only strictly necessary data is transmitted.

Guest consent mechanism: When a guest initiates a conversation via the WhatsApp business account, the first automated response includes a direct link to this Privacy Policy together with an explicit acknowledgment line. By continuing to interact with the assistant, the guest provides unambiguous affirmative consent (within the meaning of Article 4(11) and Recital 32 GDPR) to the processing described in this Section. Legal basis for AI-assisted responses rests on Article 6(1)(b) (performance of a contract — the guest's booking) and Article 6(1)(f) (legitimate interest in automated customer support). The guest may withdraw consent at any time simply by ceasing to interact; no further processing occurs after the last received message.

EU AI Act Compliance (Regulation 2024/1689): Chat2Stay falls within the "limited-risk AI system" category. Under Article 50 of the EU AI Act, the User is required to inform guests that they are interacting with an automated AI system before or at the start of the interaction. Chat2Stay provides ready-made disclosure messages for this purpose.

6. Transfers to Third Parties

Chat2Stay transfers data only to necessary partners acting as processors under GDPR-compliant agreements:

ProviderServiceCountrySafeguards
Meta Platforms (WhatsApp Business API)Guest message delivery/receiptUSA / EUStandard Contractual Clauses (SCCs)
Google Cloud (Gemini AI)AI response generation (see Section 5)USA / EUDPA + SCCs
StripePayment processingUSA / EUPCI DSS + DPA + SCCs
Viva WalletPayment processingGreece / EUPCI DSS certification
Google Cloud Platform (GCP)Infrastructure hostingUSA / EUDPA + SCCs

We do not sell, rent, or exchange user data.

When a guest communicates via WhatsApp, message content is transmitted to and processed by Meta Platforms' WhatsApp Business API in accordance with Meta's own Privacy Policy. Chat2Stay does not access data beyond what is required to deliver the service.

7. Data Retention

We retain personal data only for as long as necessary:

a) Account Data (Hosts)

Retained until: account deletion by the user, or 12 months after continuous inactivity (no login). We notify you 30 days before deletion due to inactivity.

b) Conversation Data

  • Automatically deleted after 90 days
  • Or within 30 days upon a deletion request
  • Anonymous statistics are retained for analytics

c) Guest Data

  • Business-Scoped User Identifier (BSUID), WhatsApp phone number (when available), profile name, username, and conversation content: 90 days
  • After 90 days the data is permanently deleted from live systems (hard delete); only anonymous aggregated statistics are retained

d) Payment and Invoicing Data

Retained for 10 years in accordance with Greek tax law (Law 4308/2014). Includes: invoices, receipts, transaction history.

Backups: Data deleted from live systems may remain in backup copies for up to 30 additional days, after which it is permanently purged.

After the above periods: personal data is permanently deleted; statistical data is anonymised.

8. Your Rights

a) Right of Access (Article 15)

You may request a copy of all personal data we hold about you.

b) Right to Rectification (Article 16)

You may request correction of inaccurate data or completion of incomplete data.

c) Right to Erasure — "Right to be Forgotten" (Article 17)

You may request deletion of your data, unless a legal obligation requires retention (e.g. tax records). Guests communicating via WhatsApp may exercise this right by emailing contact@chat2stay.com and identifying themselves by the WhatsApp phone number or Business-Scoped User Identifier (BSUID) used in the conversation; we will locate and delete the relevant records within the response time below. Note that all guest conversation data is in any event automatically deleted 90 days after the last interaction (see Section 7).

d) Right to Restriction of Processing (Article 18)

You may request that we "freeze" processing of your data under certain conditions.

e) Right to Data Portability (Article 20)

You may receive your data in a structured format (JSON) via the dashboard, or request an alternative format at contact@chat2stay.com.

f) Right to Object (Article 21)

You have the right to object at any time to processing based on legitimate interests (Article 6(1)(f)). Chat2Stay will cease processing unless it can demonstrate compelling legitimate grounds that override your rights.

g) Rights Regarding Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, producing legal or similarly significant effects. Chat2Stay declares that it does not carry out decisions of this kind.

h) Right to Withdraw Consent (Article 7(3))

Where you have given consent (e.g. for newsletter or cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.

Response time: We respond within 30 days of receipt. In complex cases we may require up to 60 additional days, and will notify you promptly.

Right to lodge a complaint: You may complain to the Hellenic Data Protection Authority (HDPA), 1-3 Kifisias Ave., 115 23 Athens, contact@dpa.gr, www.dpa.gr — or with the supervisory authority of your country of residence.

9. Data Security

We implement appropriate technical and organisational measures in accordance with Article 32 GDPR:

a) Technical Security Measures

Encryption: SSL/TLS (HTTPS) for all transmissions; bcrypt password hashing; encryption at rest for sensitive data.

Access management: Role-based access control (RBAC); secure session management (JWT tokens with HTTP-only cookies); regular credential rotation.

Backup & Recovery: Daily automated backups; secure encrypted storage; regular disaster recovery testing.

Monitoring & Logging: Real-time monitoring for suspicious activity; audit logs; automated security incident alerts.

b) Payment Security

Payments are processed exclusively by Stripe or Viva Wallet, both certified to PCI DSS. Chat2Stay does not store or process credit card numbers.

c) Data Breach Response

  • We will notify the HDPA within 72 hours
  • We will notify you without undue delay where there is a high risk to you
  • We will immediately implement containment and prevention measures

Important note: Despite robust security measures, no Internet data transmission method is entirely secure.

10. Cookies & Similar Technologies

Chat2Stay uses cookies and similar storage technologies (such as localStorage) to operate and improve the service.

Cookies: Small text files stored on your device and sent to the server with each request.

localStorage: Browser-based storage. Unlike cookies, localStorage data is not automatically sent to the server. Under the ePrivacy Directive (2002/58/EC, Article 5(3)), localStorage is a "similar technology" subject to the same rules.

a) Strictly Necessary

Essential for the Platform to function. Do not require consent (Article 5(3) ePrivacy Directive).

TechnologyNamePurposeDuration
HTTP Cookierefresh_tokenSecure session renewal. HTTP-only, Secure, SameSite=Lax.7 days
localStoragegdpr_consentStores your cookie consent choice.Persistent

b) Functional & Preferences

Store preferences for improved experience. Require consent.

TechnologyNamePurposeDuration
localStoragethemeStores dark/light mode preference. Not sent to server.Persistent

c) Analytics & Performance

We use a strictly first-party, privacy-first analytics system. No cookies are stored, no fingerprinting is performed, and no third-party trackers (such as Google Analytics or Meta Pixel) are used.

TechnologyNamePurposeProviderDuration
Server-side analytics (first-party)analytics_eventsAggregated measurement of visits, CTA clicks and completed signups. Unique visitors are identified via an irreversible daily code that rotates every 24 hours and is permanently deleted after 48 hours — making it impossible to match the same visitor across different days. No IP, User-Agent or other device-side technical information is stored.Chat2Stay (self-hosted)90 days raw / 365 days aggregated

Note: Since this system does not use cookies or any other device-side storage, and identification is impossible beyond the current day, no consent is required under the ePrivacy Directive (EDPB Guidelines 2/2023). We also respect the Do-Not-Track (DNT) signal — if enabled in your browser, nothing is recorded.

d) Cookie Management

On first visit a cookie banner offers: "Accept All", "Reject Optional", "Customise". You may change preferences at any time via the "Cookie Settings" link in the footer.

You may also manage cookies via browser settings. Disabling strictly necessary cookies may affect login functionality.

We do not use third-party analytics trackers. Our first-party system automatically respects the Do-Not-Track (DNT) browser signal.

e) Third-Party Providers

When using certain features you may be redirected to third-party platforms (e.g. Stripe, Viva Wallet) which use their own cookies. Chat2Stay does not place third-party cookies on your device and does not use advertising cookies or tracking pixels.

11. Changes to This Policy

Chat2Stay reserves the right to update this Privacy Policy to reflect changes in law, our practices, or service features.

The latest version is always at: https://www.chat2stay.com/privacy-policy

Material changes: For significant changes we will notify you by email (at least 30 days in advance), in-app notification, and website banner update.

Continued use after the effective date constitutes acceptance.

12. Contact

Email: contact@chat2stay.com (Subject: "Data Protection" or "GDPR Request")

Phone: +30 697 9077762

Postal address: Chat2Stay, Poseidonos 16, Saronida, Attica, Greece

Response time: Within 30 days

Data Controller:

Chat2Stay, AFM: 803208654, GEMI: 192166203000

Chat2Stay is fully committed to compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection legislation, processing all personal data with respect, transparency, and security.