Last updated: December 22, 2025
This Policy explains how Shortstay stores, restricts, anonymizes, or deletes personal data linked to the platform, reservations, contracts, payments, check-in/check-out, documents, identity validation, customer service, inspections, maintenance, cleaning, security, and fraud prevention. It should be read in conjunction with the Privacy Policy.
We retain personal data only for as long as necessary to fulfill the purposes disclosed to the User, in compliance with legal, contractual, tax, accounting, security, fraud prevention, collection, and rights defense obligations.
Account deletion does not mean immediate and complete erasure of all data when there is a legal basis for retention. In such cases, which data is retained and why is expressly indicated in this Policy (item 5).
If the User has never made, requested, confirmed, canceled, signed, paid for, or participated in any reservation, and there are no pending registration, financial, contractual, legal, or security issues, the account will be deleted within 15 business days following receipt of the request and identity validation.
The request is made through the official form: https://forms.shortstay.com.br/r/delete-account
In this case, we retain only the minimum technical records necessary to evidence the request and prevent abuse, for a limited period and exclusively for that purpose.
If there is an active reservation, valid contract, ongoing stay, pending check-in/check-out, pending payment, deposit under review, open inspection or maintenance, outstanding charges, dispute, chargeback, or any obligation related to the stay, complete account and data deletion is not performed at this time.
In such cases, we may deactivate non-essential access, limit functionalities, or block the account, but we retain the data necessary for contract execution, continuity of the stay, billing, security, and legal obligations. Deletion, restriction, or anonymization is evaluated after reservation termination and completion of pending matters, in accordance with the timeframes in item 4.
If there is a history of closed, canceled, refused, expired, or completed reservation, only essential data is retained for the timeframes indicated in the table below. The timeframe is calculated from the reservation closure, check-out, cancellation, last financial obligation, or completion of the applicable pending matter — whichever occurs last.
Data Category | Purpose | Legal Basis (example) | Maximum Retention Period |
Contracts and Electronic Agreements | Contract Execution and Proof | Contract; Defense of Rights | 5 years after the end of the relationship |
Reservation Records, Check-in/Check-out | Service Proof, Dispute | Legal Obligation; Defense of Rights | 5 years |
Invoices, Receipts, Tax/Accounting Records | Tax/Accounting Obligation | Legal Obligation | Applicable Tax Legislation (typically 5 years) |
Payment, Deposit, Collection, Chargeback | Collection, Dispute, Fraud Prevention | Defense of Rights; Legal Obligation | 5 years or while dispute is ongoing |
Identification Documents | Identity Validation, Fraud Prevention | Legal Obligation; Legitimate Interest | Relationship + applicable obligation period |
Selfie / Biometric Validation Image | Identity Validation Act Only | Consent; Fraud Prevention | Deleted upon validation completion; maximum 90 days |
Validation Result (non-biometric record) | Record of "Validated / Not Validated" | Fraud Prevention | 5 years (without the image) |
Access Logs, Security and Fraud Prevention | Security, Abuse Investigation | Civil Rights Framework; Legitimate Interest | Minimum Civil Rights Framework Periods – maximum 1 year |
Inspection, Maintenance, Damage and Incidents | Proof of Responsibility | Defense of Rights | Until obligation resolution + applicable statute of limitations |
Messages and Support Requests | Proof | Defense of Rights | Related Operation + 5-year limit |
Selfie rule: the validation image is not retained permanently; it is deleted as soon as validation is completed (maximum 90 days). In the long term, only the non-biometric record of "validated" is retained. In the event of fraud or active dispute, the selfie is retained only during and within the limits of that process.
Deadlines are extended only when there is a legal proceeding, formal complaint, investigation, fraud, chargeback, default, property damage, order from a competent authority, or concrete need to defend rights — and only for the period that such proceeding requires. Once the proceeding is concluded, the data returns to the regime of item 5 or is deleted.
Once the retention period for data has expired, and there is no other applicable legal basis, the data is deleted or irreversibly anonymized through a periodic review cycle.
Deletion from backups may occur gradually, due to technical necessity, and is completed within a maximum of [e.g., 6 months].
Anonymization is the processing that renders data no longer associable with an identified person by reasonable technical means. Anonymized data is no longer subject to the LGPD and is used only for purposes unrelated to individuals, such as statistics and service improvement.
Requests for access, deletion, correction, restriction, or anonymization are not processed automatically; each request is validated before being fulfilled. This validation exists to protect the User and prevent data from being delivered to the wrong person.
Identity and authority verification. In every request, the identity of the data subject is confirmed through a secure channel. When the request is made by a representative, attorney-in-fact, or lawyer, the data subject's document, the representative's document, and specific powers for the request are also required. Generic, incomplete, unverifiable powers of attorney, those without specific powers, or those with undefined scope are refused.
Refused requests. Requests are not processed if they:
seek to obtain another person's data without valid authority;
are made with false identity, false documents, or through spoofing;
are based on claims of kinship, relationship, or "also used the account" without proof;
arrive through informal message, verbal claim, or unverified email;
are repeatedly reopened to overwhelm the system or pressure the reversal of a decision.
Valid judicial and administrative orders. The validation above does not prevent nor may be used to delay compliance with a valid order from a competent authority or court. In the event of a valid judicial order, administrative request, or legal obligation, the requested data are presented to the authority in the proper form. The retention periods of this Policy do not constitute grounds or an obstacle to such order.
Duty of preservation (legal hold). When data is the subject of — or there is a reasonable expectation that it will be the subject of — litigation, investigation, formal complaint, or preservation order, the normal retention/deletion cycle for that data is suspended, and the data is preserved until the conclusion of the proceedings, even if the retention period has already expired.
Following analysis, we provide one of the following responses: account deleted; account deactivated; data partially deleted; data anonymized or restricted; data retained due to legal obligation, contractual obligation, fraud prevention, collection, or defense of rights; or request pending identity validation or additional information. The result is communicated with the respective justification.
You have the right to access, correct, anonymize, port, obtain information about the retention period, and request the deletion of your data; in the event of refusal to exercise a right, the justification is provided.
Deletion requests are made through the official form. Other requests relating to personal data and the contact information of the Data Protection Officer (DPO) are available through the privacy channel indicated in the Privacy Policy. Your right to petition the National Data Protection Authority (ANPD) is always reserved.