A field manual · Section IV

The small print, written plainly.

Last updated 24 May 2026. Drafted under the Digital Personal Data Protection Act, 2023 (“DPDPA”).

We try to collect the minimum data needed to run the platform, store it securely, and never sell it. This page describes what we collect, why, who we share it with, and what rights you have under the DPDPA.

1. Who we are

Direct (“we,” “us”) is the data fiduciary for personal data processed through our platform. Our registered business address and Data Protection Officer contact are below in section 12.

2. What we collect

From hosts:

  • Account info: name, email, phone, password hash, Google sign-in token if used.
  • KYC: PAN, last 4 digits of Aadhaar, GSTIN (optional), business name, address, business type. Files you upload for verification.
  • Payment info: Razorpay key IDs (encrypted), bank account details (only at Razorpay, not with us), Razorpay Linked Account IDs if you opt into the network.
  • Property data: photos, descriptions, calendar / pricing / amenities you enter.
  • Activity logs: pages visited in the dashboard, API calls, audit log of edits.

From guests booking through your tenant site:

  • Name, email, phone (mandatory for booking).
  • Country / nationality, optional ID proof at host’s discretion.
  • Stay dates, number of guests, special requests.
  • Payment details — collected by Razorpay, not by us. We see only the order ID, payment status, and last 4 digits of the card if applicable.
  • Tracking pixel data (Meta Pixel, GA4) only if the host has enabled those. We don’t set our own marketing cookies on tenant sites.

Cookies:

  • Session cookies for authentication (Supabase Auth).
  • A preference cookie remembering language / theme on tenant sites.
  • No third-party marketing cookies set by us. Tenant sites may have them if the host adds pixels — your consent options are listed in your relationship with the host.

3. Why we collect each thing

Our legal bases under the DPDPA:

  • Performance of contract — account info, payment info, KYC, booking data. We cannot run a booking platform without this.
  • Consent — marketing emails, pixel tracking on tenant sites if the host enables them.
  • Legal obligation — KYC for payment regulation, GST invoicing, transaction reporting to authorities if requested.
  • Legitimate interest — security logging, abuse prevention, anonymised analytics for product improvement.

4. Who we share data with

We use a small number of vendors, each of whom acts as a data processor on our behalf. Each has a Data Processing Agreement with us and processes data only for the purposes we instruct:

  • Supabase — database + auth hosting (ap-south-1, Mumbai).
  • Vercel — application hosting + custom domains.
  • Razorpay — payment processing (independent data controller).
  • Resend — transactional email.
  • Interakt — WhatsApp message delivery (independent data controller, governed by Meta’s terms).
  • Apify / listing-import provider — one-time scrape of host’s existing Airbnb listing at onboarding.
  • Google Cloud / Meta — only if the host has enabled Google Sign-In, Google Ads pixel, or Meta Pixel on their tenant site.

We do not sell personal data. We don’t share it with advertisers. Hosts only see contact details of guests who book their own properties (or, in the cross-host network, properties they’ve agreed to sell). Hosts only see other hosts’ contact details after a mutual connection request is accepted.

5. Where data is stored

The primary database is in Mumbai (Supabase ap-south-1). Application servers run on Vercel, which may route through global edge locations for low-latency reads. Sensitive operations (auth, payments, KYC) always hit the Mumbai database directly.

6. How long we keep it

  • Active account data — for as long as your account exists.
  • Booking + payment records — 8 years after the booking ends (Income Tax Act retention).
  • GST invoices — 8 years (CGST Act).
  • KYC documents — 5 years after account closure (PMLA retention).
  • Logs — 90 days for product logs; 1 year for security / audit logs.

After these periods we delete or fully anonymise the data.

7. Your rights under the DPDPA

As a data principal, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correct — fix anything inaccurate.
  • Erase — ask us to delete your data (subject to the retention obligations above).
  • Withdraw consent — for any processing based on consent.
  • Grievance redressal — write to our DPO and we’ll respond within 30 days.
  • Nominate — appoint someone to exercise your rights in case of death or incapacity.

Exercise any of these by emailing privacy@makestays.com. If you’re unhappy with our response, you may complain to the Data Protection Board of India under the DPDPA.

8. Security

We use TLS for everything in transit, encrypt Razorpay key secrets with AES-256-GCM, enforce Row Level Security on Postgres, and give our team role-scoped access. We log security events. Our incident-response process is to notify affected users within 72 hours of confirming a breach.

9. Children

Direct is not for users under 18. We don’t knowingly collect data from minors. Bookings by minors must be made by their legal guardians.

10. International transfers

We host primarily in India. Some processors (Vercel, Resend) may operate edge infrastructure outside India for performance. Any cross-border transfer is governed by adequate-protection commitments under the DPDPA framework as it evolves.

11. Changes

We’ll announce material privacy changes by email and post the updated policy here. We’ll never reduce your existing privacy protections without your explicit consent.

12. Contact

Data Protection Officer
Direct.
New Delhi, India.
privacy@makestays.com
Response within 30 days.


This is a plain-English draft. Before launch, have a lawyer review the legally binding version. We’ll point a real lawyer at this same text.