1. Who we are
Beyond Stays Group Ltd is the data controller for personal data collected through this website (beyondstays.co.uk), our booking systems, and communications with you.
If you have any questions about this policy or your data, email matt@beyondstaysgroup.co.uk.
2. What we collect
We collect only what we need to handle your enquiry, take a booking, deliver the stay, and comply with the law. Specifically:
- Contact details: name, email, phone number.
- Booking details: arrival and departure dates, guest count, property preference, purpose of stay.
- Payment details: processed directly by Stripe. We never see or store your card numbers.
- Communications: messages you send us by form, email, WhatsApp, SMS or through booking platforms (Airbnb, Booking.com, Vrbo) when they route enquiries to us.
- Technical data: IP address, device type, browser, referrer, pages viewed. Collected by our analytics tools (see cookies policy).
We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, contact us so we can delete it.
3. Why we use it
- To respond to enquiries you submit through the site, email, WhatsApp or platforms.
- To confirm and manage bookings, take payment, and send arrival information.
- To keep in touch during your stay and resolve any issues.
- To meet legal obligations, including tax records and accommodation-provider guest registers.
- To improve the site and our service, using anonymised analytics.
We do not use your data for third-party advertising and we do not sell it to anyone.
4. Lawful basis
We rely on the following lawful bases under UK GDPR:
- Contract: processing bookings and taking payment.
- Consent: for our enquiry form and any marketing you actively opt in to.
- Legitimate interests: improving our service, preventing fraud, resolving disputes.
- Legal obligation: tax records, guest registers, safeguarding.
5. Who we share it with
We share only what is necessary, and only with:
- Stripe for payment processing.
- Guesty as our property management system (holds bookings, calendars, messaging).
- Google Workspace for email and calendar hosting.
- Cloudflare for site hosting, DNS and email routing (Resend).
- HMRC and other regulators where required by law.
Where our service providers are outside the UK, we ensure appropriate safeguards are in place (Standard Contractual Clauses).
6. How long we keep it
- Enquiries that do not lead to a booking: 12 months, then deleted.
- Booking records: 6 years after the stay, for tax and accounting.
- Marketing consents: until you unsubscribe.
- Analytics data: 26 months (Google Analytics default), aggregated.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct anything that is wrong.
- Delete your data (subject to legal retention requirements).
- Restrict or object to certain processing.
- Withdraw consent at any time for anything you consented to.
- Data portability (receive your data in a structured format).
- Complain to the ICO (ico.org.uk) if you are unhappy with how we have handled your data.
To exercise any of these rights, email matt@beyondstaysgroup.co.uk. We respond within 30 days.
8. Security
Your data is stored on services with recognised security standards (Cloudflare, Google, Stripe, Guesty). Access to booking records is restricted to Beyond Stays operational staff. We use two-factor authentication on all admin accounts.
9. Changes to this policy
We may update this policy from time to time. The date at the top shows the last revision. Material changes will be signposted on the site.