Privacy Policy for AirStay Properties
Last updated: February 1, 2026
1 – Who we are and how to contact us
AirStay Properties Inc. ("AirStay", "we", "our" or "us") manages and markets short‑term rental properties on behalf of their owners. We are committed to protecting the privacy of our guests, customers and visitors and to operating in accordance with applicable data protection laws including the Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy legislation, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and other relevant laws.
Our website is https://airstayproperties.com.
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at info@airstayproperties.com.
2 – Scope and consent
By using our website, booking a stay, entering into a rental agreement or otherwise providing us with personal information, you agree that your information will be handled as described in this policy. We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements; the "Last updated" date at the top of the page indicates when the policy was last revised. Your continued use of our services after the revised policy becomes effective means that you accept the updated policy.
3 – Information we collect
3.1 Information you provide directly
We collect personal information that you provide to us when you interact with AirStay Properties, for example when you: book accommodation, submit an enquiry, provide feedback, sign our rental agreement or request property management services. The information we collect may include:
- Contact details – your name, email address, postal address and phone number.
- Reservation details – the dates of your stay, the property booked, number of guests, and any preferences or requirements you communicate to us.
- Payment information – billing address and partial payment card details (cardholder name, card type, last four digits and expiry date). Payments for direct and Vrbo reservations are processed through PCI‑compliant providers (e.g. Stripe), and a CAD $500 pre‑authorization hold may be taken to cover incidental damage; Airbnb and Expedia bookings are handled by those platforms and do not require a deposit from AirStay.
- Identity verification – to protect our guests and hosts from fraud and to comply with our payment processor’s verification requirements, we require guests to provide a scanned copy of a government‑issued photo ID (e.g. driver’s licence or passport) and a real‑time selfie when they book. We use this information solely to confirm that the person making the booking matches the identification document. We do not use the photographs to create biometric templates or for any automated decision making. Once verification is complete, the copies of your ID and selfie are deleted or irreversibly anonymised, unless we are required to retain them by law. Regulatory guidance from the Office of the Privacy Commissioner of Canada emphasises that organizations should limit the collection and retention of biometric information to what is strictly necessary and implement strong security safeguards; we follow these principles when handling identity documents and selfies.
- Communications – records of your correspondence with us (e.g. emails, chat messages, telephone calls) and any feedback you provide.
- Preferences and marketing – your marketing preferences and responses to promotional offers.
3.2 Information we collect automatically
When you visit our website or interact with our online services, we collect certain technical information automatically. This may include:
- Log data – IP address, browser type, operating system, referring/exit pages, date/time stamps and pages viewed. We use this information to analyse trends, administer the site and maintain security. These logs do not identify individual users.
- Cookies and similar technologies – small data files stored on your device that allow us to recognise your browser and capture certain information. We use:
  - Essential cookies that are necessary for core website functionality (e.g. enabling you to log in or remember your booking details).
  - Performance cookies to help us understand how visitors use the site and improve its usability.
  - Marketing cookies to deliver relevant advertisements through our partners.
You can control or disable cookies via your browser settings; however, essential cookies cannot be disabled without affecting site functionality.
3.3 Information from third parties
We may receive information about you from other sources, including:
- Booking platforms and travel partners – if you book through Airbnb, Vrbo, Expedia or another platform, they may provide us with your contact details, booking dates, payment status, rating history and other information necessary to process your reservation and comply with their terms. We handle this information as described in this policy and subject to the privacy obligations of those platforms.
- Payment processors and identity verification services – our payment processor (Stripe) may share limited information about your payment method and verification status to confirm that your transaction has been completed.
- Service providers – such as cleaning companies, maintenance providers or contractors, who may report information about the property condition or incidents during your stay.
4 – How we use your information
We use the personal information collected for the following purposes:
- Providing and managing our services – processing reservations, communicating with you about your stay, managing your account, and providing customer support.
- Identity verification and fraud prevention – comparing the selfie and photo ID you provide to ensure that the person making the booking is the same individual identified in the document. We do this to protect our guests and property owners and to comply with payment processor requirements. The Office of the Privacy Commissioner of Canada encourages organizations to limit the collection, use, disclosure and retention of biometric information to what is necessary and to implement strong safeguards.
- Processing payments and security deposits – charging or pre‑authorising your payment method for the full booking amount at the time of reservation, including placing a CAD $500 pre‑authorization hold (for direct and Vrbo bookings) to cover accidental damage. Expedia and Airbnb handle all charges and deposits through their own systems.
- Legal and contractual obligations – complying with applicable laws (such as anti‑money laundering and tax requirements), responding to lawful requests by public authorities, or defending our legal rights.
- Improving our website and services – analysing usage patterns, testing new features and enhancing our offerings.
- Marketing and promotions – sending you promotional communications or newsletters about our properties and offers, in accordance with your preferences and applicable marketing laws. You can opt out at any time.
- Safety and security – detecting, investigating and preventing fraud, unauthorised access, property damage or other harm.
We will not use your personal information for purposes incompatible with those outlined above without your consent.
5 – Lawful bases for processing and justification
We collect and process personal information only where we have a valid legal basis under applicable data protection law. Depending on the context, our lawful bases may include:
- Performance of a contract – to process your reservation, provide accommodation and fulfil our obligations under the rental agreement.
- Legitimate interests – to verify identities, prevent fraud and protect our property and guests, provided that these interests are not outweighed by your rights and freedoms. The Privacy Commissioner’s guidance notes that businesses must justify the use of biometric or sensitive information, ensuring that the purpose is necessary and proportionate.
- Compliance with legal obligations – to meet regulatory requirements (e.g. anti‑money laundering laws), maintain financial records, or respond to lawful requests.
- Consent – for marketing communications and, where required by law, for collecting sensitive information. You may withdraw consent at any time by contacting us; however, if you decline to provide required identification or verification documents, we may be unable to honour your booking.
6 – How we share your information
We may share your personal information with third parties in limited circumstances:
1. Property owners – we share booking details (e.g. dates, guest count, rating) so that owners can prepare their property and comply with their own legal obligations.
2. Booking platforms – for reservations made through third‑party platforms (Airbnb, Vrbo, Expedia), we share and receive information necessary to manage the booking. Each platform has its own privacy policy which applies to your data on that platform.
3. Payment processors – we use secure, PCI‑compliant processors (such as Stripe) to handle payments. We share your name, billing address and partial card details with them. Stripe may also handle identity verification; we require them to use information only for verifying identity and to implement strong safeguards as recommended by the Privacy Commissioner.
4. Identity verification providers – if we use third‑party services to match your selfie and ID, we contractually require them to limit use of the information to identity verification and to implement appropriate security measures. We do not permit such providers to retain or repurpose your biometric or identification information beyond the verification purpose.
5. Service providers – we engage trusted partners to perform services on our behalf (e.g. cleaning, maintenance, customer support, analytics). These providers have access only to the information needed to perform their services, and they are contractually bound to protect your data and not to use it for any other purpose.
6. Legal and regulatory authorities – we may disclose personal information if required to do so by law or if we believe such action is necessary to comply with a legal obligation, protect our rights or property, or prevent harm to our guests or the public.
We do not sell or rent your personal information. We may transfer personal data outside of Canada (for example, to service providers in the United States or the European Union); when we do, we take steps to ensure that adequate safeguards are in place, such as standard contractual clauses or other lawful transfer mechanisms.
7 – Data retention and deletion
We retain personal information only as long as necessary to fulfil the purposes described in this policy or as required by law. In particular:
- Identity documents and selfies – we retain scanned IDs and selfies only until verification is completed, unless we are required to retain them for legal or compliance purposes. The Privacy Commissioner’s guidance recommends destroying or de‑identifying biometric and sensitive personal information once the purpose has been fulfilled.
- Payment and booking records – we retain financial and transaction information for the period required by accounting, tax and anti‑money laundering laws (typically seven years).
- Marketing and communications data – we retain your contact preferences and marketing history until you withdraw consent or we no longer need the information for legitimate business purposes.
- Log data – we retain log and analytical data for up to two years to monitor site performance and security.
When we no longer need personal information, we securely delete or anonymise it, including from backups, as recommended by privacy regulators.
8 – Data security
We take the security of your data seriously. In accordance with privacy‑by‑design principles, we implement technical and organizational measures to safeguard personal information against loss, theft, unauthorized access or disclosure. These measures include:
- Encryption of data in transit using HTTPS and TLS, and encryption of sensitive data at rest where appropriate.
- Access controls – restricting access to personal information to authorized personnel who need it to perform their duties, and using multi‑factor authentication where practical.
- Secure storage – storing identification documents and selfies only on secure systems for as long as needed for verification, and ensuring they are not retained in plain view or shared beyond the verification purpose.
- Regular assessments – monitoring our systems for vulnerabilities, conducting periodic risk assessments and training staff on privacy and security practices.
- Incident response – maintaining procedures to respond to and notify you and regulators of data breaches when required by law.
The Office of the Privacy Commissioner of Canada notes that biometric information is inherently sensitive and calls for heightened safeguards, including encryption and strict access controls. We adhere to these recommendations when handling identity documents and selfies.
9 – Your rights
Depending on your place of residence, you may have the following rights:
9.1 Residents of Canada (PIPEDA)
Under PIPEDA, you have the right to:
- Access – request a copy of the personal information we hold about you.
- Correction – request correction of inaccurate or incomplete personal data.
- Withdraw consent – withdraw your consent to our collection or processing of your personal information, subject to legal or contractual restrictions.
- Complain – file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights are being violated.
9.2 California residents (CCPA)
If you reside in California, you have the right to:
- Request access to personal information we have collected about you.
- Request deletion of your personal information, subject to certain exceptions.
- Opt out of the sale of personal information (we do not sell personal data).
9.3 European residents (GDPR)
If you reside in the European Economic Area or the United Kingdom, you have rights under the GDPR, including:
- Right of access – obtain confirmation of whether we process your personal data and access to that data.
- Right to rectification – request correction of inaccurate or incomplete personal data.
- Right to erasure – request deletion of your personal data under certain conditions.
- Right to restrict processing – request that we limit processing of your data.
- Right to object – object to certain processing activities, such as direct marketing.
- Right to data portability – receive a copy of your data in a structured, commonly used format, and have it transferred to another controller.
To exercise any of these rights, please contact us at info@airstayproperties.com. We may request verification of your identity before fulfilling your request. We will respond as required by applicable law, typically within 30 days.
10 – Children’s privacy
Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal data, please contact us immediately so we can remove it.
11 – Third‑party links and services
Our website may contain links to third‑party websites, plug‑ins or services. We are not responsible for the privacy practices of third parties. We encourage you to read their privacy policies before providing them with personal information.
12 – Contact us
If you have any questions, concerns or complaints about this Privacy Policy or our handling of your personal information, please contact us at:
AirStay Properties
Email: info@airstayproperties.com
We aim to respond to all inquiries promptly and to resolve any privacy issues in accordance with applicable law.