1. ABOUT OUR SERVICE
This privacy policy describes how Shortstay collects, stores, uses, discloses, and processes information about you, as well as how it protects your personal information.
Shortstay provides a short-term rental service, and the application manages the entire relationship between the user and Shortstay for the provision of the service.
This policy generally applies to all Users and potential Users of Shortstay and summarizes how Shortstay may collect, produce, receive, classify, use, access, reproduce, transmit, distribute, process, file, store, delete, evaluate or control information, modify, communicate, transfer, disseminate or extract collected data, including personally identifiable information, in accordance with applicable legal bases and all current privacy and data protection laws.
1. WHO WE ARE
SHORTSTAY provides a service defined as the intermediation of short-term rental contracts for flexible periods (from 30 days onward), connecting property owners and users, payments, contracts, document reviews, and all services related to this type of rental. Authorized users may access and use the Service worldwide, subject to SHORTSTAY’s contract with clients and applicable laws.
1. WHAT INFORMATION WE COLLECT
2. INFORMATION AT THE TIME OF REGISTRATION
When the User registers an account to use Shortstay, they provide information that enables identification. The collection of information is mandatory due to the need to identify the guest(s) who will use the contracted property.
Shortstay clarifies that the user is aware that they provide information consciously and voluntarily by completing the registration and using the functionalities of the Shortstay application.
When the User registers and/or requests a property reservation, certain requested personal data will be kept confidential and will be used for the purposes mentioned in this privacy policy (see purpose table).
Shortstay will have access to user data when the user utilizes the application, or also when using any external digital means linked to Shortstay. Shortstay clarifies that the user's consent will always be required.
Finally, when you use our Apps (iOS and Android), we collect an identifier (e.g., Android Advertising ID) for the purpose of generating usage statistics.
1. WHERE THE PRIVACY POLICY APPLIES
This privacy policy applies to all interactions conducted with the SHORTSTAY application.
1. CONFIDENTIALITY OF INFORMATION
Shortstay will not disclose the personal information received, except in cases expressly provided for by law (in the event of a court order).
Shortstay does not intentionally collect sensitive or special category personal information, such as genetic data, biometric data for the exclusive identification of a natural person, health information or religious information. Shortstay should be used only by adults. If we discover or have reason to suspect that a user is under the age of 18, we will terminate that account.
1. LEGAL GROUNDS FOR DISCLOSURE OF YOUR DATA
Our legal basis for collecting and using personal information will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information only when we have your consent to do so, when we need the personal information to enter into a contract with you, or where processing is in our legitimate interests and is not overridden by your data protection interests or fundamental rights and freedoms.
In some cases, we may also have a legal obligation to collect your personal information. If we ask you to provide personal information to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time. For more information about our legal basis for data processing, please contact us using the details provided at the end of this notice.
In certain circumstances, Shortstay may disclose Personal Data, to the extent necessary or appropriate, to government authorities, advisors, and other third parties for the purpose of complying with applicable law or with a court order or subpoena, or if Shortstay believes in good faith that such action is necessary to:
A. Comply with legislation that requires such disclosure;
B. Investigate, prevent, or take action regarding suspected or actual illegal activities, or to cooperate with public authorities or to protect national security;
C. Enforce its contracts;
D. Investigate and defend against any third-party claims or allegations;
E. Protect the security or integrity of the services (for example, sharing with companies facing similar threats);
F. Exercise or protect the rights, property, and security of Shortstay
Shortstay will notify the respective Users regarding any legal demands that result in the disclosure of personal information, as outlined above, unless such notification is prohibited by law or forbidden by court order, or if the request is urgent. Shortstay may challenge such demands if it considers the requests to be excessive, vague, or made by incompetent authorities.
Shortstay, in order to provide access to the property, is legally required to share your name, check-in and check-out dates with Building Managers, Condominium Administrators, or Remote Concierge Services to ensure your safety.
1. SHARING AND PROCESSING OF PERSONAL INFORMATION – HOW WE USE THE COLLECTED INFORMATION
Sharing may occur, for example, in the situations described below.
User Consent. When you provide your consent, we share your information as described at the time of consent – such as, for example, by authorizing the transfer of personal data to third parties in order to enable participation in events. Consent occurs when, once notified by Shortstay (expressly), the user continues to interact with the platform. Another form of consent is the express acceptance of the platform’s terms of use and privacy policies during the process of creating the user account.
Compliance with the law, prevention of harm, and security. When it is necessary to share personal data with third parties in order to (a) prevent fraud (such as, for example, risk analysis for money laundering), which may involve automated decision-making; (b) verify a list of Users with restrictions; (c) authenticate submitted documentation; (d) enable support services; (e) prevent illegal activities; (f) act in disputes between Users; (g) conduct internal investigations regarding any conduct that may violate the rules of Shortstay’s Terms or Policies.
Between Shortstay companies. Data sharing among Shortstay affiliates may occur, and in this case, the information will be processed as described in this Privacy Policy.
Among third-party business partners. Data sharing may occur with third-party business partners, such as distributors and/or service provider partners, who are involved in providing services to our potential and/or existing clients, in order to fulfill requests and provide information.
Response to legal requests. In certain cases, if necessary, Shortstay may provide the collected data to bodies and entities involved in the investigation or resolution of disputes between Users, or between Users and third parties, such as bodies of the Judiciary, arbitral tribunals, or competent administrative authorities.
Direct Service Providers. Shortstay may also share your personal data with third parties involved in financial, accounting, and legal advisory activities, as well as third parties involved in providing data backup, cloud computing providers, or for conducting analytical studies.
In summary, Shortstay may disclose the Personal Data collected to third parties, in the following situations and within the requirements and authorizations provided by law:
A. With its clients and partners when necessary and/or appropriate for the provision of related services;
B. With companies and individuals hired to perform certain activities and services on behalf of Shortstay;
C. With suppliers and partners for the execution of services contracted with Shortstay (such as building managers, remote concierge services, information technology, accounting, among others);
D. For administrative purposes such as: research, planning, service development, security, and risk management.
E. When required due to a legal obligation, determination by a competent authority, or judicial decision.
In cases of sharing Personal Data with third parties, all subjects mentioned in items “A” to “D” must use the shared Personal Data in a consistent manner and in accordance with the purposes for which they were collected and as determined by this Privacy Policy, other website or country-specific privacy statements, and all applicable privacy and data protection laws.
1. HOW WE USE THE INFORMATION COLLECTED
The information collected will be used as specified in the table of purposes, as follows.
• To manage your account and provide our services to you;
• To provide new Shortstay services to you;
• To improve our services and develop new ones;
• To prevent, detect, and combat fraud and other illegal or unauthorized activities;
• To ensure legal compliance;
• For proper execution of the contract and creation of the user registration;
1. SECURITY OF PERSONAL INFORMATION
All Personal Data will be stored in Shortstay’s database or in databases maintained “in the cloud” by staff from specific internal sectors and/or service providers contracted by Shortstay, all of whom are duly in compliance with the applicable data legislation.
We take all reasonable and appropriate measures to protect your personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We use appropriate technical and organizational measures to safeguard your personal information, which may include: physical access controls, encryption, internet firewalls, intrusion detection, and network monitoring, depending on the nature of the information and the scope of processing. Our team members who may have access to your information are required to keep it confidential.
1. DATA RETENTION
Shortstay has a Personal Data retention policy in line with applicable law. Personal Data are stored only as long as necessary to fulfill the purposes for which they were collected, unless there is any other reason for their maintenance, such as compliance with any legal, regulatory, contractual obligations, or other grounds permitted under the law.
A technical analysis is always performed to determine the appropriate retention period for each type of Personal Data collected, considering its nature, necessity of collection, and the purpose for which it will be processed, as well as any retention needs for compliance with obligations or the protection of rights.
1. INTERNATIONAL DATA TRANSFER
User personal information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws different from those of your country and, in some cases, may be less comprehensive.
Specifically, our website servers are located in Brazil, the United States (San Francisco – California), and the European Union (Amsterdam – Netherlands), and we may process your information in jurisdictions where our affiliates/partners and third-party service providers are located.
The information sharing established in Section 4 involves international data transfers to the United States of America and other jurisdictions that may have different laws regarding data processing. When we transfer personal information outside the EEA (European Economic Area), United Kingdom, Switzerland, or other countries whose data protection laws have been deemed adequate by the European Commission or another competent governmental authority, we use standard contractual clauses (standard contractual clauses are commitments between companies that transfer personal data, binding them to protect the privacy and security of your data) or another appropriate transfer mechanism. At this time, we are reviewing transfers to our vendors and the legal basis associated with the recent decision of the Court of Justice of the European Union regarding personal data transfers to the United States.
We have taken appropriate precautions to require that your personal information remains protected in accordance with this Notice. We have implemented similar safeguards with our third-party service providers and further details can be provided upon request.
1. PURPOSE TABLE
The Brazilian General Data Protection Law (Law 13,709/18), effective as of August 14, 2020, requires companies collecting personal information from residents in Brazil to make certain disclosures about how they collect, use, retain, and disclose such information. This section addresses these requirements. For a description of all our data collection, usage, and disclosure practices, please read this Privacy Notice in its entirety.
The categories of personal information we collect about you and the third parties to whom we disclose such personal information for business purposes are as follows:
Environment Category of Personal Data Purpose Legal Basis
Homepage/Registration Page Full name, email, telephone, address. For account creation, a code will be sent to the provided phone number (via SMS). The Personal Data collected will not be used to send any type of SPAM, but only for specific communications between the User and Shortstay. Legitimate interest of the controller.
Page for contracting a property (by individual with Brazilian CPF). Full name, nationality, email, RG/CPF, profession, complete address, telephone. Data required for registration, issuance of fiscal documents, and user identification. Such data must be mandatorily collected by virtue of legal provisions. These data will be used internally by the financial, commercial, and logistics departments for issuance of fiscal documents, payment processing, and will be shared with service providers responsible for managing the payment area as well as issuing fiscal documents and accounting. Performance of the contract
Page for contracting a property (by foreign individual). Full name, nationality, marital status, email, similar identification document issued by the country of origin, passport number, profession, complete address, telephone. Data required for registration, issuance of fiscal documents, and user identification. Such data must be mandatorily collected by virtue of legal provisions. These data will be used internally by the financial, commercial, and logistics departments for issuance of fiscal documents, payment processing, and will be shared with service providers responsible for managing the payment area as well as issuing fiscal documents and accounting. Performance of the contract
Page for contracting a property (by legal entity). Company Name, registration in the national registry of legal entities (CNPJ), full name and CPF of the representative signing for the company,
name, Telephone and email of the person who will manage the lease,
name, Telephone and email of the person who will manage the payment. Data required for registration, issuance of fiscal documents, and user identification. Such data must be mandatorily collected by virtue of legal provisions. These data will be used internally by the financial, commercial, and logistics departments for issuance of fiscal documents, payment processing, and will be shared with service providers responsible for managing the payment area as well as issuing fiscal documents and accounting. Performance of the contract
Credit card payment environment Credit card information and confirmation of registration data Information required to process payments. For this purpose, payment data will be registered. Contract execution
Page for contracting Shortstay to manage a property. Full name, nationality, email, marital status, RG/CPF, profession, full address, telephone, property data. Information required for registration, issuance of tax documents and user identification. Such data must be collected as required by law. This data will be used internally by finance, commercial, and logistics departments for the issuance of tax documents, processing of payments, and will be shared with service providers responsible for managing payments as well as for tax documentation and accounting purposes. Contract execution
Shortstay does not use or disclose sensitive personal information for purposes other than those permitted by the GDPR (European Union), LGPD (Brazil), PECR (United Kingdom), and the California Consumer Privacy Act (CCPA).
To use the platform and collect the data provided above, it may be necessary to submit documents through the application itself, such as RG/CPF, Passport, Articles of Incorporation, among others. The documents will be collected as explained in the purposes table.
1. LEGAL BASES FOR PROCESSING
Shortstay only processes Personal Data in situations where it is legally authorized or upon your express and unequivocal consent.
As described in this Policy, Shortstay has legal grounds to collect, create, receive, classify, use, access, reproduce, transmit, distribute, process, archive, store, delete, evaluate or control information, modify, communicate, transfer, disseminate, or extract data about the User.
The legal bases include your consent, contracts and pre-contractual procedures, and legitimate interests, provided that such processing does not violate your rights and freedoms, as detailed in the Purposes Table.
Such interests include protecting the User and Shortstay from threats, complying with applicable legislation, the regular exercise of rights in judicial, administrative or arbitral proceedings, enabling the conduct or management of business operations, including quality control, reporting and offered services, managing business transactions, understanding and improving business and customer relationships, and enabling users to find economic opportunities.
The User has the right to refuse or withdraw the consent provided to Shortstay, when consent is the legal basis for the processing of personal data, and Shortstay may terminate the provision of its services to this user if such a request is made.
If you have any questions about the legal bases for the collection, processing, and storage of your personal data, please contact Shortstay via email privacidade@shortstay.com.br.
1. RIGHT TO ACCESS AND CONTROL YOUR PERSONAL DATA
Shortstay offers users several options regarding the processing of your collected, processed, and stored Personal Data, including its deletion and/or correction. The User may:
A. Delete data: The User may delete their Personal Data (for example, if they are no longer necessary to provide services to you). In this case, the existing data will be anonymized so that identification is no longer possible. Deletion is performed by the user directly. If necessary, the user may request account deletion and the deletion of data, which will be finalized within 30 days.
B. Modify or correct data: the User may edit or request the editing of some of their Personal Data. The User may also request updates, modifications, or corrections to their data in certain cases, especially if such data is incorrect.
C. Raise objections, set limits, or impose restrictions on data usage: the User may request the cessation of use of all or some of their Personal Data (for example, if we do not have the right to continue using it), or limit our use of such data (for example, if their Personal Data is incorrect or stored unlawfully), noting that Shortstay may process Personal Data in accordance with the legal bases listed in the Purposes Table.
D. The User has the right to access or retrieve their data: the User may request a copy of their Personal Data and the data provided by the User in a legible format either in print or electronically.
The User may make the above requests by contacting via e-mail privacidade@shortstay.com.br and such requests will be considered in accordance with applicable laws.
1. ON THE ANONYMIZATION OF DATA
The General Personal Data Protection Law defines that anonymized data is data which, originally, was related to a person, but has undergone processes ensuring its disassociation from that person.
The data collected by Shortstay may undergo the anonymization process in two distinct manners. The first occurs when the user deletes their account. In this case, the personal data held by Shortstay (for example, email) will be encrypted (anonymized), and thus will no longer be accessible. The other option will occur upon express request by the user. In this case, Shortstay will analyze the request, and if accepted (based on the rules and regulations contained in this agreement), the data will be encrypted.
1. FOR HOW LONG WE RETAIN YOUR INFORMATION
SHORTSTAY will retain the data for 05 (five) years, considering the purpose of the contracting and the service provided.
1. POLICY AMENDMENTS
If Shortstay modifies this Privacy Policy, such changes will be published in a visible manner on the Shortstay application. This Policy is valid from 11/01/2024. Should the User have any questions regarding the privacy policies, please contact Shortstay through the channels available in the application or via the email privacidade@shortstay.com.br.
1. JURISDICTION
This policy is subject to the law of the Federative Republic of Brazil, in particular Law No. 13.709/2018, and the Court of the District of Curitiba shall have jurisdiction to settle any dispute relating thereto.
