Chat2Stay
Version 1.0 | 12 March 2026
Chat2Stay (trade name of KOROMPLIS C2S LIMITED PARTNERSHIP, hereinafter "Chat2Stay", "We" or "the Company") is a Software as a Service (SaaS) platform that provides an AI-powered communication assistant for short-term rental property owners and managers.
The service enables management of guest communications via WhatsApp, email or other channels, providing automated responses, information, and workflow automation.
Company Details:
Chat2Stay
Registered address: Poseidonos 16, Saronida, Attica, Greece
Tax ID (AFM): 803208654
Business Registry (GEMI): 192166203000
Email: contact@chat2stay.com
Phone: +30 697 9077762
Chat2Stay acts as Data Controller pursuant to Article 4(7) of the GDPR.
We collect and process only the personal data necessary to provide and improve the service:
Chat2Stay collects the following conversation data to deliver the service:
Guests who communicate via the QR code do not create an account on Chat2Stay. For them we collect only:
The BSUID is classified as pseudonymous personal data under Article 4(5) GDPR. Guest data is not linked to any user account and is automatically and permanently deleted after 90 days (see Section 7).
Chat2Stay processes personal data on the following legal bases under Article 6 GDPR:
We process your data to provide the Chat2Stay service you agreed to upon registration. This covers: account data (name, email, phone), subscription management, AI chatbot service provision, and technical support.
We process certain data based on legitimate interests, provided these do not override your rights. This includes: improving the AI model and responses, system security and fraud prevention (IP logs, login attempts), spam prevention and abuse detection, and platform performance analysis.
We have assessed that these interests do not adversely affect your rights, as: no profiling or automated decision-making takes place; data is processed securely with minimisation; and you may object at any time (see Section 8).
We request your explicit consent for: sending newsletters and marketing emails, use of non-essential cookies and similar technologies (analytics, preferences — see Section 10), and promotional communications.
You may withdraw consent at any time without affecting the lawfulness of prior processing.
We process certain data to comply with applicable law, including: retention of tax records (10 years under Greek law), invoices and accounting documents, and transaction records.
Your data is used for the following purposes:
We do not use your data for:
To deliver automated responses, Chat2Stay uses Google Gemini AI, which acts as a third-party data processor under Article 28 GDPR.
Limited and strictly necessary conversation content may be transmitted to Google's systems solely for the technical processing and generation of the AI assistant's response. This may include the guest's pseudonymous Business-Scoped User Identifier (BSUID) where needed to maintain conversational context, but never the guest's phone number. Additionally, when the property owner uses the URL auto-fill feature, the public content of the page they submit is sent to Google Gemini solely to automatically extract information about their property.
Processing is carried out in accordance with Google's privacy policy, terms of service, and Data Processing Agreement (DPA). Chat2Stay does not control how Google processes data beyond what is required to deliver the service.
Chat2Stay applies data minimisation principles, technical security measures, and encryption, so that only strictly necessary data is transmitted.
Guest consent mechanism: When a guest initiates a conversation via the WhatsApp business account, the first automated response includes a direct link to this Privacy Policy together with an explicit acknowledgment line. By continuing to interact with the assistant, the guest provides unambiguous affirmative consent (within the meaning of Article 4(11) and Recital 32 GDPR) to the processing described in this Section. Legal basis for AI-assisted responses rests on Article 6(1)(b) (performance of a contract — the guest's booking) and Article 6(1)(f) (legitimate interest in automated customer support). The guest may withdraw consent at any time simply by ceasing to interact; no further processing occurs after the last received message.
EU AI Act Compliance (Regulation 2024/1689): Chat2Stay falls within the "limited-risk AI system" category. Under Article 50 of the EU AI Act, the User is required to inform guests that they are interacting with an automated AI system before or at the start of the interaction. Chat2Stay provides ready-made disclosure messages for this purpose.
Chat2Stay transfers data only to necessary partners acting as processors under GDPR-compliant agreements:
| Provider | Service | Country | Safeguards |
|---|---|---|---|
| Meta Platforms (WhatsApp Business API) | Guest message delivery/receipt | USA / EU | Standard Contractual Clauses (SCCs) |
| Google Cloud (Gemini AI) | AI response generation (see Section 5) | USA / EU | DPA + SCCs |
| Stripe | Payment processing | USA / EU | PCI DSS + DPA + SCCs |
| Viva Wallet | Payment processing | Greece / EU | PCI DSS certification |
| Google Cloud Platform (GCP) | Infrastructure hosting | USA / EU | DPA + SCCs |
We do not sell, rent, or exchange user data.
When a guest communicates via WhatsApp, message content is transmitted to and processed by Meta Platforms' WhatsApp Business API in accordance with Meta's own Privacy Policy. Chat2Stay does not access data beyond what is required to deliver the service.
We retain personal data only for as long as necessary:
Retained until: account deletion by the user, or 12 months after continuous inactivity (no login). We notify you 30 days before deletion due to inactivity.
Retained for 10 years in accordance with Greek tax law (Law 4308/2014). Includes: invoices, receipts, transaction history.
Backups: Data deleted from live systems may remain in backup copies for up to 30 additional days, after which it is permanently purged.
After the above periods: personal data is permanently deleted; statistical data is anonymised.
You may request a copy of all personal data we hold about you.
You may request correction of inaccurate data or completion of incomplete data.
You may request deletion of your data, unless a legal obligation requires retention (e.g. tax records). Guests communicating via WhatsApp may exercise this right by emailing contact@chat2stay.com and identifying themselves by the WhatsApp phone number or Business-Scoped User Identifier (BSUID) used in the conversation; we will locate and delete the relevant records within the response time below. Note that all guest conversation data is in any event automatically deleted 90 days after the last interaction (see Section 7).
You may request that we "freeze" processing of your data under certain conditions.
You may receive your data in a structured format (JSON) via the dashboard, or request an alternative format at contact@chat2stay.com.
You have the right to object at any time to processing based on legitimate interests (Article 6(1)(f)). Chat2Stay will cease processing unless it can demonstrate compelling legitimate grounds that override your rights.
You have the right not to be subject to decisions based solely on automated processing, including profiling, producing legal or similarly significant effects. Chat2Stay declares that it does not carry out decisions of this kind.
Where you have given consent (e.g. for newsletter or cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
Response time: We respond within 30 days of receipt. In complex cases we may require up to 60 additional days, and will notify you promptly.
Right to lodge a complaint: You may complain to the Hellenic Data Protection Authority (HDPA), 1-3 Kifisias Ave., 115 23 Athens, contact@dpa.gr, www.dpa.gr — or with the supervisory authority of your country of residence.
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR:
Encryption: SSL/TLS (HTTPS) for all transmissions; bcrypt password hashing; encryption at rest for sensitive data.
Access management: Role-based access control (RBAC); secure session management (JWT tokens with HTTP-only cookies); regular credential rotation.
Backup & Recovery: Daily automated backups; secure encrypted storage; regular disaster recovery testing.
Monitoring & Logging: Real-time monitoring for suspicious activity; audit logs; automated security incident alerts.
Payments are processed exclusively by Stripe or Viva Wallet, both certified to PCI DSS. Chat2Stay does not store or process credit card numbers.
Important note: Despite robust security measures, no Internet data transmission method is entirely secure.
Chat2Stay uses cookies and similar storage technologies (such as localStorage) to operate and improve the service.
Cookies: Small text files stored on your device and sent to the server with each request.
localStorage: Browser-based storage. Unlike cookies, localStorage data is not automatically sent to the server. Under the ePrivacy Directive (2002/58/EC, Article 5(3)), localStorage is a "similar technology" subject to the same rules.
Essential for the Platform to function. Do not require consent (Article 5(3) ePrivacy Directive).
| Technology | Name | Purpose | Duration |
|---|---|---|---|
| HTTP Cookie | refresh_token | Secure session renewal. HTTP-only, Secure, SameSite=Lax. | 7 days |
| localStorage | gdpr_consent | Stores your cookie consent choice. | Persistent |
Store preferences for improved experience. Require consent.
| Technology | Name | Purpose | Duration |
|---|---|---|---|
| localStorage | theme | Stores dark/light mode preference. Not sent to server. | Persistent |
We use a strictly first-party, privacy-first analytics system. No cookies are stored, no fingerprinting is performed, and no third-party trackers (such as Google Analytics or Meta Pixel) are used.
| Technology | Name | Purpose | Provider | Duration |
|---|---|---|---|---|
| Server-side analytics (first-party) | analytics_events | Aggregated measurement of visits, CTA clicks and completed signups. Unique visitors are identified via an irreversible daily code that rotates every 24 hours and is permanently deleted after 48 hours — making it impossible to match the same visitor across different days. No IP, User-Agent or other device-side technical information is stored. | Chat2Stay (self-hosted) | 90 days raw / 365 days aggregated |
Note: Since this system does not use cookies or any other device-side storage, and identification is impossible beyond the current day, no consent is required under the ePrivacy Directive (EDPB Guidelines 2/2023). We also respect the Do-Not-Track (DNT) signal — if enabled in your browser, nothing is recorded.
On first visit a cookie banner offers: "Accept All", "Reject Optional", "Customise". You may change preferences at any time via the "Cookie Settings" link in the footer.
You may also manage cookies via browser settings. Disabling strictly necessary cookies may affect login functionality.
We do not use third-party analytics trackers. Our first-party system automatically respects the Do-Not-Track (DNT) browser signal.
When using certain features you may be redirected to third-party platforms (e.g. Stripe, Viva Wallet) which use their own cookies. Chat2Stay does not place third-party cookies on your device and does not use advertising cookies or tracking pixels.
Chat2Stay reserves the right to update this Privacy Policy to reflect changes in law, our practices, or service features.
The latest version is always at: https://www.chat2stay.com/privacy-policy
Material changes: For significant changes we will notify you by email (at least 30 days in advance), in-app notification, and website banner update.
Continued use after the effective date constitutes acceptance.
Email: contact@chat2stay.com (Subject: "Data Protection" or "GDPR Request")
Phone: +30 697 9077762
Postal address: Chat2Stay, Poseidonos 16, Saronida, Attica, Greece
Response time: Within 30 days
Data Controller:
Chat2Stay, AFM: 803208654, GEMI: 192166203000
Chat2Stay is fully committed to compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection legislation, processing all personal data with respect, transparency, and security.