Privacy Policy.

Who we are

Veritstay ("Veritstay", "we") is an independent project based in Bar, Montenegro. We are the data controller for personal information collected through the operator dashboard and the marketing website at veritstay.com. For data your guests submit through your branded public booking pages, you are the controller — we act as your processor under a standard data-processing addendum.

Veritstay is not yet incorporated as a legal entity. When that changes, we will update this page with the registered company name, address and tax number, and notify Group Owners by email at least thirty (30) days before the change takes effect.

What we collect

Why we use it

We process personal data to deliver and improve the service: to authenticate accounts, run the booking and calendar engine, send transactional messages, prevent abuse, honour legal obligations, and produce aggregated, non-identifying analytics that help us prioritise the roadmap.

Our legal bases are contract (so we can give you the service you signed up for), legitimate interest (so we can keep the platform secure and useful), legal obligation (for accounting and tax), and consent (for optional features that need it).

Guest data on public pages

When a guest fills in a public booking page or chats with the host, that information belongs to your group as the operator. Veritstay stores and serves it on your behalf. We do not market to your guests, and we don't reuse guest data for any purpose other than running your service.

Who we share it with

• Sub-processors — hosting (Hetzner / OVH within the EU), transactional email, error monitoring, and payment processing. The current list is available on request.
• iCal partners — external booking platforms you connect, in the form of calendar feeds you configure.
• Authorities — only when legally compelled, and we will tell you if we're allowed to.

We never sell personal data.

Where it lives

Production data is stored in PostgreSQL clusters in the European Union. Backups are encrypted and retained for thirty (30) days. If a sub-processor is located outside the EU or Montenegro, we use Standard Contractual Clauses and additional technical measures to keep your data protected.

How long we keep it

While your account is active, we keep operator data for as long as you need it. After termination, we delete production data within thirty (30) days, except where we're required to retain it — typically invoices for ten (10) years for tax and accounting purposes.

Your rights

Under GDPR-equivalent law in Montenegro, you may request access, correction, deletion, or portability of your personal data, and you may object to or restrict processing. You can also withdraw consent at any time without affecting earlier processing. To exercise a right, email privacy@veritstay.com. We respond within thirty (30) days.

You also have the right to lodge a complaint with your national supervisory authority.

Cookies

We use a small set of first-party cookies: a session cookie that keeps you logged in, a preference cookie that remembers your language (English or Serbian) and a minimal analytics cookie that helps us count active operators. No third-party advertising cookies are set on the dashboard.

Security

We use encryption in transit (TLS 1.2+) and at rest, scoped database roles, audit logs, hardened deployment pipelines and least-privilege access for staff. If we discover a personal-data breach that risks your rights and freedoms, we will notify affected Group Owners and the supervisory authority within seventy-two (72) hours of becoming aware of it.

Contact

Data protection enquiries: privacy@veritstay.com.
Postal: Veritstay, Bar, Montenegro.
You can also reach our general support team via the support page.