Privacy Policy
Effective date: 12-05-2026
Version: 1.0
This Privacy Policy explains how Stavanger Apartment Hotelldrift AS (“Stey”) collects, uses, shares, and protects personal data when you use Stey’s international websites, mobile applications, and related guest services (together, the “Services”). The Services are made available through Stey's platform (the "Platform") as described in the Terms & Conditions applicable to your use. It also explains your privacy rights and how to contact us.
1) Who we are (Controller)
For the Services described in this Policy, the data controller is:
Stavanger Apartment Hotelldrift AS (org. no. 928823709)
Rådhusgata 23, 0158 Oslo, Norway
Email: privacy@stey.com
Data Protection Officer (DPO)
Stey has appointed a Data Protection Officer (“DPO”), Johanna Albihn, adLegus AB. For all privacy-related queries, please use the contact details in Section 18.
EU representative
The platform services are provided by STL HK Ltd, a company registered in Hong Kong SAR (“STL”). As a non-EEA controller/processor subject to GDPR, STL has appointed an EU Representative under Article 27 GDPR. STL’s EU Representative is based in Sweden and can be contacted at: Johanna Albihn, adLegus AB, Address: Kungsgatan 29, 111 56 Stockholm, Email: johanna.albihn@adlegus.se, Mobile: +46760280810.
2) Scope
This Policy applies to:
visitors to Stey websites and users of the Stey app;
direct booking customers (website/app);
guests using in-stay features (PIN access, messaging, smart-room controls, billing);
users of community features where you can post content.
If you book through an online travel agency (OTA), the OTA may process your data as a separate controller under its own privacy policy. We still process personal data to deliver your stay and any Services you use.
Where you make a booking through an OTA, we receive from the OTA the personal data necessary to honour your booking and deliver the Services, including booking details and guest contact information. We process such data on the basis of contract performance (Article 6(1)(b) GDPR) and, where applicable, our legitimate interests in providing and improving the Services (Article 6(1)(f) GDPR). The OTA acts as a separate and independent data controller for its own processing; please refer to the OTA's privacy policy for information about how it handles your personal data.
3) Personal data we collect
We collect personal data:
you provide to us directly;
generated when you use the Services;
obtained from partners (e.g., OTAs, payment processors) when needed to provide your booking or stay.
3.1 Data you provide
Account and profile
name, email, phone number, password (or login token), language preferences
profile picture, nickname, bio, and other optional profile fields (if you add them)
Booking and stay
booking details (property, dates, room type, rate, number of guests, special requests)
guest names (including additional guests) and contact details where provided
invoices/receipts, billing references, and communication about bookings
Identity/verification
identity document details (e.g., passport/ID number, nationality) where required by law or necessary for check-in/self check-in/security/fraud prevention. Identity document details and nationality are processed on the basis of compliance with a legal obligation (Article 6(1)(c) GDPR) and/or our legitimate interests in preventing fraud and ensuring the security of our guests and properties (Article 6(1)(f) GDPR), as further described in section 5.
where legally required, we may collect/record check-in registration information required by local authorities
Support and communications
messages to/from front desk or support, call logs (if you call us), and attachments you send.
Community / UGC
content you post (text, photos, comments), reactions, reports, and moderation-related records.
3.2 Data collected automatically
Device and usage
IP address, device identifiers, device type/model, operating system, app version, browser type
approximate location derived from IP (city/region level)
usage events (pages/screens viewed, clicks, session timestamps, referring URLs)
Note: Approximate location derived from your IP address (city or region level) is used to support service delivery, such as displaying relevant property information and time zone settings. Where location data is used for analytics or content personalisation beyond technical service delivery, this is carried out on the basis of our legitimate interests and, where required, your consent as configured in your cookie and privacy settings.
Cookies and similar technologies (web)
cookie identifiers and related analytics/advertising signals (as configured in your cookie choices)
In-app operational events
delivery status for in-app messages and push notifications (e.g., delivered/failed)
security and fraud signals (e.g., unusual login patterns)
3.3 Data from partners
OTAs / travel partners: reservation details needed to honor your booking (dates, guest name, contact, rate plan, preferences). Booking.com, Expedia, Airbnb and Trip.com
Payment service providers (PSPs): confirmation of payment status, transaction references, and chargeback/dispute information. Stey does not store full payment card details when you pay via a PSP. Adyen NV
Identity verification providers (if used): verification outcome/status and limited supporting data depending on the method (details will be listed once vendors are confirmed). Bank-id
3.4 In-stay operational records
Housekeeping records and operational photographs: records generated in connection with the servicing and inspection of your room during or after your stay, for quality control, damage documentation, and property security. Where such records or photographs can be linked to an identifiable guest (for example, where personal belongings are visible), they constitute personal data. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
3.5 In-app preferences and usage data
Preferences you set via the guest app (such as room temperature, pillow type, or amenity preferences) and data about how you interact with app features. Legal basis: contract performance and/or legitimate interests. Where preference data is used to make automated service decisions that affect you, we will provide further information in accordance with Article 22 GDPR.
3.6 Optional social profile (opt-in guests only)
Profile information you voluntarily provide if you choose to create a social profile within the community features (such as a display name, profile picture, and personal interests). Creating a social profile is entirely optional and has no impact on your ability to book or use the core Services. Legal basis: consent (Article 6(1)(a) GDPR). Where profile information reveals health conditions, religious beliefs, or other data within the special categories under Article 9 GDPR, your explicit consent will be requested (Article 9(2)(a) GDPR). You may withdraw consent and delete your profile at any time.
4) Why we process your data (purposes)
We use personal data to:
1. Provide the Services (create accounts, enable guest features, show booking info, provide PIN access, facilitate messaging).
2. Process and manage bookings and stays (confirm, modify, cancel bookings; manage check-in/out; issue invoices; handle incidentals and additional services).
3. Operate payments via PSPs (send necessary transaction data to PSPs and reconcile payments).
4. Provide customer support and handle disputes/complaints.
5. Ensure safety, security, and fraud prevention (account security, access control, misuse detection, protecting guests/staff/property).
6. Comply with legal obligations (e.g., local guest registration obligations, accounting/tax requirements).
7. Improve and develop Services (analytics, debugging, performance monitoring).
8. Community features (publish content, enable interactions, enforce rules, moderation).
9. Marketing and communications (send offers/news where permitted and according to your preferences/law; measure campaign performance).
Note: Where we process personal data to improve and develop the Services (purpose 7 above), we do so on the basis of our legitimate interests in maintaining and enhancing our platform. Analytics data is processed in anonymised and aggregated form where possible. For marketing and communications (purpose 9 above): we may contact existing guests about relevant offers and updates on the basis of our legitimate interests, subject to your right to opt out at any time. For new guests or where consent is required under applicable law, we will contact you for marketing purposes only with your prior consent.
5) Legal bases (EEA/UK) and similar grounds (Switzerland)
Where GDPR/UK GDPR applies, we process personal data under one or more of these legal bases:
Contract: to provide bookings, stays, and requested Services.
Legal obligation: to meet legal requirements (e.g., accounting, local guest registration where applicable).
Legitimate interests: security, fraud prevention, service improvement, and maintaining Service functionality (balanced against your rights).
Consent: where required (e.g., certain cookies, some marketing in certain jurisdictions, optional device permissions).
Vital interests: where necessary to protect someone’s life.
Where we rely on legitimate interests as a legal basis, we have carried out a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You may request further information about the balancing assessments we have conducted by contacting us at the details in section 18.
For Switzerland, we process personal data in accordance with the revised Swiss Federal Act on Data Protection (nFADP, in force 1 September 2023). Where required, we provide privacy information in the applicable official language and apply equivalent transfer safeguards.
6) Cookies and similar technologies
We use cookies and similar technologies on our websites for:
essential site functionality;
analytics and performance;
personalization;
(if enabled) marketing measurement/advertising.
You can manage cookie preferences via https://www.stey.com/privacy-policy. Some cookies are essential and cannot be disabled. For full details of the cookies and similar technologies we use and how to manage your preferences, please see sections 15–17 of this Policy.
7) Sharing your data
We share personal data only as necessary for the purposes above, including with:
Hotels / property operators and service teams
to fulfill your booking and provide on-property services (front desk, housekeeping, security, billing).
Service providers (processors)
hosting, analytics, customer support tooling, messaging/push providers, fraud prevention, identity verification (if used), and other IT vendors that process data on our instructions.
PMS / platform service providers (including group companies)
The Services are operated on a platform provided by STL. STL acts as a data processor on behalf of Stey, providing the property management system (STL PMS), IoT-connected access control, booking engine, guest app, and related platform services. All personal data is stored and processed on Microsoft Azure infrastructure located in the EU (Ireland). STL's China-based engineering team may access the platform for maintenance and incident response purposes under strictly controlled conditions. All such access is governed by the Data Processing Agreement between Stey and STL, which incorporates EU Standard Contractual Clauses (Module Two: Controller-to-Processor) pursuant to GDPR Article 46, supplemented by a Transfer Impact Assessment and technical safeguards in accordance with EDPB Guidelines 05/2021 on transfers via remote access. No personal data is transferred to or stored in China.
Payment service providers
to process your payment and manage disputes/chargebacks. Stey receives payment status and transaction references from the PSP.
Professional advisors
lawyers, auditors, insurers, and consultants as needed.
Authorities
where required by law or to respond to lawful requests.
Corporate transactions
if we are involved in a merger, acquisition, or asset sale, personal data may be transferred subject to appropriate protections and notices. Where such a transaction materially affects the processing of your personal data, we will notify you in accordance with Articles 13 and 14 GDPR prior to or at the time of the transfer.
No sale of personal data
We do not sell your personal data. We may share personal data with vendors acting on our behalf (processors) for Stey’s purposes only.
8) International transfers
Stey is established in Norway (EEA). The platform services are provided by STL in Hong Kong. Hong Kong does not have an EU adequacy decision. The transfer of personal data from Stey to STL is governed by EU Standard Contractual Clauses (Module Two: Controller-to-Processor), adopted pursuant to European Commission Implementing Decision (EU) 2021/914, supplemented by a Transfer Impact Assessment and technical safeguards including EU data residency, PII masking, and audit logging.
Where personal data is transferred internationally, we use appropriate safeguards such as:
adequacy decisions where applicable; and/or
Standard Contractual Clauses (SCCs) and supplemental measures; and/or
other lawful transfer mechanisms recognized under applicable law.
You can request more information about the transfer safeguards we apply via the contact details in Section 18.
9) Data retention
We retain personal data only as long as necessary for the purposes in this Policy, including:
Bookings, invoices, and accounting records: retained for statutory periods required by applicable law.
Guest communications/support records: retained as needed for support, dispute resolution, and quality control.
Security logs: retained for a limited period appropriate for security and fraud prevention.
Community content: retained until you delete it or your account is closed, subject to backups, moderation records, and legal requirements.
Retention periods may vary by country/property and legal requirements.
10) Security
Stey and its service providers apply appropriate technical and organisational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR.
These measures include access controls, encryption of data in transit, audit logging, and regular vendor security reviews. Platform-level security measures applicable to the technology provided by STL are set out in the Data Processing Agreement between Stey and STL. Security measures are reviewed and updated on a regular basis. No system is entirely secure; you should also take care to protect your account credentials and devices.
11) Your rights
Depending on your location and applicable law (including GDPR/UK GDPR), you may have rights to:
access your personal data;
correct inaccurate data;
delete data (subject to legal/contractual limits);
restrict or object to processing (including for direct marketing);
portability of certain data;
withdraw consent where processing is based on consent (without affecting prior lawful processing);
lodge a complaint with a supervisory authority;
not to be subject to solely automated decision-making, including profiling, that produces legal or similarly significant effects (Article 22 GDPR); and to lodge a complaint with a supervisory authority (see section 18).
How to exercise rights: contact privacy@stey.com and specify your request. We will respond to rights requests within one (1) month of receipt. In complex or high-volume cases, this period may be extended by a further two (2) months; we will notify you of any extension within the first month. We may need to verify your identity before processing your request, in accordance with Article 12 GDPR.
12) Marketing preferences
You can opt out of marketing emails via the unsubscribe link in emails or by contacting us. Transactional communications (booking confirmations, check-in messages, billing notices, security alerts) may still be sent as they are necessary to provide the Services.
We do not sell your personal data to third parties for their own marketing.
Where you are an existing guest, we may send you relevant offers and updates on the basis of our legitimate interests, in accordance with applicable marketing law (including markedsføringsloven § 15 for Norwegian contacts). For new contacts, or where applicable law requires prior consent, we will only send marketing communications with your explicit consent. You may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us.
13) Children/minors
Our Services are intended for adults. If we learn that we have collected personal data from a child in a manner that is not permitted by applicable law, we will take steps to delete it and/or obtain appropriate consent where required.
14) Platform provider (STL HK Ltd)
The technology platform underlying the Services is operated by STL, acting as data processor for Stey. As a non-EEA entity subject to GDPR, STL has appointed an EU Representative (Sweden-based) under Article 27 GDPR. STL’s EU Representative can be contacted at Johanna.albihn@adlegus.se. Data subjects may contact either Stey or STL’s EU Representative to exercise their rights under this Policy.
15) Cookies and similar technologies
We use cookies and similar technologies (such as pixels and SDKs) to operate our websites and support certain features in our Services. Cookies are small text files stored on your device. Some cookies are set by us (first-party) and some are set by our service providers (third-party).
16) Strictly necessary cookies
These cookies are required for the website to function and to provide the services you request. They help with secure login and session management, fraud prevention, load balancing, and storing your cookie preferences. Strictly necessary cookies are always active. You can set your browser to block these cookies, but parts of the website may not work.
17) Optional cookies
With your permission (where required), we may also use optional cookies for:
Preferences (e.g., remembering language or region settings),
Analytics (to understand how the website is used and improve performance),
Marketing (to measure the effectiveness of our advertising and, if enabled, to show relevant offers).
For information about how to manage your cookie preferences, please use the cookie settings tool available at https://www.stey.com/privacy-policy or adjust your browser settings.
18) Contact and complaints
Privacy contact: privacy@stey.com
Postal address: Stavanger Apartment Hotelldrift AS, Rådhusgata 23, 0158 Oslo, Norway
If you are in the EEA/UK, you may lodge a complaint with your local supervisory authority. In Norway, this is typically the Norwegian Data Protection Authority (Datatilsynet).
19) Updates to this Policy
We may update this Policy from time to time. We will post the latest version in the Services and update the “Effective date.” If changes are material, we will provide additional notice where appropriate.