Privacy Policy

Last updated : June 2nd, 2026

This Privacy Policy explains how Nowistay collects, uses, shares and protects personal data. It applies to our website at www.nowistay.com, to the Nowistay platform and applications (including the host application and the traveler application), and to the integrations and connectors offered through them. Please read it together with our Terms of Use.

Nowistay helps property managers and hosts operate short-term rentals and communicate with their guests. Because of this, we handle data both as a data controller (for our own customers and website visitors) and as a data processor (for the guest data that our customers manage through the platform). This is explained in section 2.

1. Who we are

Unless stated otherwise, the data controller for the processing described in this policy is:

  • Company: Nowistay, Société par actions simplifiée (SAS)
  • Registered office: 2 Place de la Bourse, 33000 Bordeaux, France
  • Registration: RCS Bordeaux 938 031 838
  • Intra-community VAT: FR08938031838
  • Publication director: Bassel Abedi
  • Contact for privacy matters: hello@nowistay.com

2. Our role: controller and processor

Our role depends on whose data is concerned.

  • We act as data controller for the personal data of our customers (account holders and the people they add to their team), for visitors to our website, and for our own billing, security and service-improvement purposes.
  • We act as data processor for the personal data of guests and travelers that our customers collect and manage through the platform. In that case, the customer (the host or property manager) is the data controller and decides why and how that guest data is used. We process it on their instructions in order to provide the service. If you are a guest and want to exercise your rights, please contact the host or property manager responsible for your booking. We will assist them as needed.

3. Personal data we collect

3.1 Website visitors

  • Information you submit through contact or sign-up forms, such as name and email address.
  • Technical data collected automatically, such as IP address, browser type and language, operating system, referring pages, date and time of access, and interactions with the site (see section 11 on cookies).

3.2 Account holders (hosts and property managers)

  • Identity and account data: first name, last name, email address, password (stored only in hashed form), preferred language, role, and account status.
  • Contact and business data: host contact name and phone number, and business name where provided.
  • Property data: property names, addresses, geolocation, capacity, check-in and check-out times, rates and availability rules, images, and listing links.
  • Team members: if you add team members (for example cleaning or maintenance staff), we process their first name, last name, email address, phone number, role, working preferences and notification settings. You are responsible for informing them and for having a lawful basis to share their data with us.
  • Integration settings: identifiers and credentials you provide to connect third-party services you choose to use, such as property management systems, calendars and smart-lock services.
  • Billing data: subscription details and the identifiers issued by our payment provider. We do not store full card or bank account numbers.

3.3 Guests and travelers

This data is generally entered by the host, imported from the booking channel, or provided by the guest during a direct booking. It may include:

  • First name, last name, email address and phone number.
  • Postal address (line, city, postal code, country) where collected.
  • Booking details: arrival and departure dates, check-in and check-out times, number of adults and children, reservation number, booking channel, language and notes.
  • Financial details of the booking: amounts, nightly rate, cleaning fees, applicable taxes, channel commission and currency.
  • Guest communications: the content of messages exchanged between the guest, the host and our automated assistant, including the channel used (for example online travel agency messaging, email or WhatsApp).

3.4 Payment and identity verification data

  • Payments: when payments, deposits or payouts are processed, our payment provider handles card and banking details directly. We receive and store transaction identifiers, amounts and status, not the underlying card or bank data.
  • Identity verification: where a host enables identity verification of a guest, the verification is carried out by a specialized identity-verification provider. We store the verification status and the verified name. Identity documents, date of birth and any biometric checks are processed by that provider in accordance with its own privacy terms.

3.5 Smart-lock and access data

If you connect a smart-lock service, we generate, transmit and store temporary access codes and related device identifiers associated with a specific stay, so that guests can access the property. Access codes are revoked or removed after the relevant stay.

3.6 Technical, log and security data

  • Server and access logs, which may include IP address, request details, timestamps and a request correlation identifier, used for security, fraud prevention and troubleshooting.
  • An activity log of operational events (for example booking, mission and access events) used to operate the service and provide an audit trail.

4. How we use personal data and our legal bases

We use personal data for the following purposes, relying on the legal bases indicated.

  • To provide and operate the service (managing accounts, properties, bookings, calendars, guest messaging, missions, access codes and integrations). Legal basis: performance of a contract, or our legitimate interest in operating the service on behalf of our customers.
  • To process payments, deposits and payouts, and to carry out identity verification where enabled. Legal basis: performance of a contract and compliance with legal obligations.
  • To communicate with you about your account, support requests and important service notices. Legal basis: performance of a contract and our legitimate interest in supporting our customers.
  • To provide automated and AI-assisted features (see section 5). Legal basis: performance of a contract and our legitimate interest in offering automation, or the customer's instructions where we act as processor.
  • To secure the service, prevent fraud and abuse, and maintain the integrity of the platform. Legal basis: our legitimate interest and compliance with legal obligations.
  • To improve our services and develop new features, using aggregated or minimized data where possible. Legal basis: our legitimate interest.
  • To send marketing communications to customers and prospects who have requested them or where permitted by law. Legal basis: consent or legitimate interest. You can opt out at any time.
  • To comply with legal, accounting and tax obligations. Legal basis: compliance with legal obligations.

5. Automated and AI-assisted features

The platform includes features powered by artificial intelligence to help hosts operate their rentals.

  • Automated guest messaging: guest messages and relevant property information (such as the digital welcome guide and frequently asked questions) are processed by a third-party AI language-model provider in order to generate and send replies to guests on the host's behalf.
  • Knowledge base: property information is indexed with that AI provider so the assistant can answer guest questions accurately.
  • Insights and summaries: we may generate aggregated summaries and insights (for example message sentiment and operational briefs) derived from bookings and messages.

These features rely on a third-party AI language-model provider that acts as our sub-processor for this purpose. We do not use your personal data for automated decision-making that produces legal or similarly significant effects on individuals.

6. Connecting third-party AI assistants (MCP connector)

Hosts on an eligible paid plan can connect a third-party AI assistant application to their Nowistay account through a secure connector based on the Model Context Protocol (MCP). This lets the connected assistant read information from, and perform actions in, the host's account on the host's behalf. This section describes that integration, including the inputs the connected assistant can send and the outputs it can receive.

6.1 How the connection is authorized

  • The connection uses an industry-standard authorization flow (OAuth 2.1 with PKCE). The host must be signed in to their Nowistay account and must explicitly approve the connection on a consent screen.
  • The consent screen shows which application is requesting access, the specific permissions requested, and the account being connected.
  • Access is granted through granular read and write permissions (covering properties, calendar, bookings, missions, messages and guides), and is limited to properties owned by the authorizing host that are eligible for the feature.
  • The host can revoke access at any time from their account. Every action performed through the connector is rate-limited and recorded in an audit log.

6.2 What a connected assistant can access (inputs and outputs)

Once connected, and within the permissions granted, the assistant can perform read actions (which return data to the connected application) and write actions (which create or change data in the account, each subject to a preview and confirmation step). The data involved, by area, is:

Properties

  • Inputs: a property identifier or search term, and the fields to update (such as name, host contact name and phone, capacity, check-in and check-out times, rates, and address).
  • Outputs: property details, operating settings and address.

Calendar, availability and rates

  • Inputs: property identifier, date range, and values to apply (availability, price, minimum and maximum stay, and stay restrictions).
  • Outputs: availability, pricing and stay rules for the requested dates.

Bookings

  • Inputs: filters (property, status, channel, dates), or, when creating or updating a direct booking, guest details such as guest name, email, phone, address, number of guests, dates, amounts and notes.
  • Outputs: booking details, which can include the guest's name, email, phone, address, stay dates and financial breakdown, together with related conversation and operational context.

Operational missions and team

  • Inputs: filters, or the details of a task to create or update (type, schedule, assignment and notes).
  • Outputs: task details and completion reports, which can include the assigned team member's name, schedule, comments and photos.

Guest messaging

  • Inputs: a conversation or booking reference, and the content of a message to send to a guest.
  • Outputs: guest conversations and message content, including sender names, timestamps and the channel used. A write action can send a message to a guest through their messaging channel on the host's behalf.

Digital welcome guide

  • Inputs: property or page identifiers, and guide content or images to create or update. When an image is provided as a public link, only the image explicitly provided is downloaded, validated and stored. We do not browse the web or search for images on your behalf.
  • Outputs: welcome guide content and images.

6.3 Data we process to operate the connector

To run the connector securely, we also process: the connected application's name and redirect address, the permissions you approved, authorization and token records (access and refresh tokens are stored only as secured hashes, never in plain text), temporary approval tokens used to confirm write actions, the tool requests and responses exchanged, and audit logs that include the account, the connected application, a request identifier and the IP address. Authorization codes and access tokens are short-lived. Refresh tokens rotate and can be revoked at any time.

6.4 Important information about connected assistants

When a host connects a third-party AI assistant application, the data retrieved through the connector is transmitted to the provider of that application and is then governed by that provider's own privacy policy and terms. Nowistay does not control how that provider processes the data once it is received. A host who connects such an application is responsible for ensuring it has a lawful basis to share the relevant data (including guest data) with that provider, and should review the provider's privacy terms before connecting. If you do not want any data shared in this way, do not connect a third-party assistant, or revoke an existing connection.

7. Who we share personal data with

We do not sell personal data. We share it only as needed to provide the service, with the following categories of recipients, who act as our service providers (sub-processors) or as independent recipients where indicated:

  • Cloud hosting and storage providers that host the platform, store uploaded files and keep system logs.
  • A website hosting provider for our public website.
  • A payment services provider for billing, guest payments, deposits, payouts and identity verification.
  • An AI language-model provider for our automated assistant and related features (see section 5).
  • An email service provider for transactional and marketing emails, and for processing inbound emails forwarded for parsing.
  • A messaging provider for WhatsApp and similar messaging.
  • Mapping, geolocation and website-analytics providers for address lookup, location features and understanding website usage.
  • A channel-management connectivity provider (operating the Nowistay PMS connection) that links your account to online travel agencies and synchronizes bookings, rates and availability.
  • Property management systems and smart-lock services that you choose to connect. These are your own third-party accounts; data shared with them is governed by their own terms.
  • Third-party AI assistant applications that you choose to connect through the connector described in section 6.
  • Professional advisers and competent authorities, where required by law or to protect our rights.
  • A successor entity in the context of a merger, acquisition or reorganization, subject to this policy.

8. International data transfers

Some of our service providers are located outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the European Economic Area, we put in place the appropriate safeguards required by the General Data Protection Regulation, such as the European Commission's standard contractual clauses, together with additional measures where necessary. You can contact us for more information about these safeguards.

9. How long we keep personal data

  • Account and profile data: kept for as long as your account is active, and for a reasonable period afterwards, then deleted or anonymized.
  • Booking, guest and communication data: kept for as long as needed to provide the service and while the related account is active. It is deleted or anonymized when the account is closed, or earlier on request, unless we must keep it longer to meet a legal obligation.
  • Accounting and tax records: kept for the period required by law (up to ten years under French law).
  • Identity verification results: kept for the period needed to evidence the verification and to meet legal obligations.
  • Smart-lock access codes: removed or revoked after the relevant stay.
  • Operational activity logs: kept for a limited period (currently up to 90 days).
  • Connector authorization data: authorization codes and access tokens are short-lived; refresh tokens remain valid until they are revoked or expire.
  • Server, security and audit logs: kept for a limited period necessary for security and troubleshooting.

10. Your rights

In accordance with the French Data Protection Act of 6 January 1978, as amended, and the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Access: obtain confirmation of whether we process your data and a copy of it.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data in certain circumstances.
  • Restriction: request that we limit the processing of your data.
  • Objection: object to processing based on our legitimate interests, and object at any time to direct marketing.
  • Portability: receive the data you provided in a structured, commonly used, machine-readable format.
  • Withdraw consent: where processing is based on consent, withdraw it at any time, without affecting prior processing.
  • Define instructions regarding the fate of your data after your death.

To exercise these rights, contact us at hello@nowistay.com. We may need to verify your identity before responding. If you are a guest or traveler, please direct your request to the host or property manager responsible for your booking, who is the controller of that data. You also have the right to lodge a complaint with the French data protection authority (CNIL, www.cnil.fr).

11. Cookies and similar technologies

We use cookies and similar technologies on our website and platform.

  • Strictly necessary cookies: required to keep you signed in and to operate core features. These cannot be disabled.
  • Functionality cookies: remember your preferences.
  • Analytics cookies: help us understand how the site is used and improve it. These rely on a website-analytics and tag-management provider.

You can control cookies through your browser settings, including blocking or deleting them. Disabling some cookies may affect how the website and platform work. Where required by law, we seek your consent before placing non-essential cookies.

12. How we protect personal data

We apply appropriate technical and organizational measures to protect personal data, including encryption of data in transit (HTTPS), hashing of passwords, role-based access controls, access restricted to the resource owner, signed and verified webhooks, secrets kept in protected configuration, and monitoring and logging. No method of transmission or storage is completely secure, but we work to protect your data and to address incidents appropriately.

13. Children

The platform is intended for professional and adult use. It is not directed to children, and we do not knowingly collect personal data directly from children. Where guest information concerns minors traveling with adults, it is provided and managed by the host under their responsibility.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, notify you. We encourage you to review this page periodically.

15. Contact

For any question or request regarding this Privacy Policy or your personal data, contact us:

16. Governing law

This Privacy Policy is governed by French law. Any dispute that cannot be resolved amicably will be subject to the jurisdiction of the competent French courts.

Nowistay logo
linkedinyoutubefacebook
© 2026 Nowistay
Help CenterRessourcesTerms of usePrivacyContact usAbout