Effective Date: March 2, 2026
Last Updated: May 4, 2026
Entity: MariqueCalcus Ltd, trading as StayHawk (“Company,” “we,” “us,” or “our”)
| What | Details | Full Section |
|---|---|---|
| Who we are | StayHawk, a post-booking portfolio management service | Section 1 |
| What we collect | Account data, booking data, forwarded emails, usage data, payment data | Section 3 |
| Why we collect it | To provide booking tracking, price monitoring, and alert services | Section 4 |
| Legal basis (GDPR) | Contract performance, legitimate interest, consent | Section 5 |
| Who we share with | AWS, Stripe, Kinde, SerpApi, Cloudflare | Section 6 |
| International transfers | US-based processing with Standard Contractual Clauses | Section 7 |
| Your rights | Access, rectification, erasure, portability, objection | Section 9 |
| Retention | Active account + 90 days post-checkout for transient data | Section 8 |
| Contact | privacy@stayhawk.app | Section 13 |
1. Introduction
1.1 Scope
This Privacy Policy (“Policy”) describes how StayHawk collects, uses, stores, shares, and protects your personal data when you use our website, application, and related services (collectively, the “Service”). This Policy applies to all Users, including those on Free, Pro, Agency, and Enterprise plans.
1.2 Applicability
This Policy applies to:
(a) Individuals who create a StayHawk account (“Users”);
(b) Individuals whose booking data is entered into the Service by an Agency-tier User (“Data Subjects”);
(c) Visitors to the StayHawk website who do not create an account (“Visitors”).
1.3 Controller Information
For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller is:
MariqueCalcus Ltd (trading as StayHawk)
London, United Kingdom
Email: privacy@stayhawk.app
For Agency-tier Users processing client data, StayHawk acts as a Data Processor. The Agency User is the Data Controller for their client data.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, erasure).
- Data Subject: The individual to whom personal data relates.
- Data Controller: The entity that determines the purposes and means of processing.
- Data Processor: The entity that processes data on behalf of the controller.
- Workspace: The organizational unit within StayHawk to which data, limits, and permissions are scoped.
3. Data We Collect
3.1 Data You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Account Data | Name, email address, account preferences | Account creation, authentication, communication |
| Booking Data (Manual Entry) | Hotel name, check-in/out dates, confirmation number, cancellation deadline, booking URL, total price, currency | Core service delivery |
| Payment Data | Billing address, payment method (processed by Stripe) | Subscription billing |
| Agency Client Data | Client names, booking details entered by agency users | Service delivery for agency workspaces |
| Support Communications | Emails, messages sent to our support channels | Customer support |
3.2 Data Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Forwarded Email Content | Full email body of forwarded booking confirmations | Automated booking data extraction |
| Usage Data | Pages visited, features used, timestamps, click patterns | Service improvement, analytics |
| Device and Browser Data | IP address, browser type, operating system, device identifiers | Security, fraud prevention, debugging |
| Log Data | Server logs, error logs, API request logs | System reliability, debugging |
| Browser Extension Page Content | Cleaned HTML from the active browser tab (scripts, styles, and non-content elements removed before transmission) | Booking data extraction when user clicks “Import” |
| Push Notification Token (iOS app only) | Apple Push Notification service (APNs) device token, issued by Apple when you grant notification permission | Deliver cancellation deadline and price-drop alerts to your device. The token is stored against your account and deleted when you sign out or revoke notification permission. |
3.3 Data from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Kinde (Authentication) | User ID, email, authentication tokens, plan tier | Identity verification, access control |
| Stripe (Payments) | Transaction status, subscription status, payment failures | Billing management |
| SerpApi (Price Data) | Hotel pricing information (not linked to individual users) | Price monitoring feature |
| Apple Push Notification service (APNs) | Device push token (issued by Apple, opaque identifier) | Routing notifications to iOS devices |
3.4 Sensitive Data
StayHawk does not intentionally collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data, or criminal records). If such data is inadvertently included in forwarded emails, it is processed solely for the purpose of extracting booking information and is not used for any other purpose.
4. How We Use Your Data
4.1 Service Delivery
(a) Extracting and displaying booking information from forwarded emails;
(b) Tracking cancellation deadlines and sending deadline alerts;
(c) Monitoring hotel prices and sending price drop alerts;
(d) Managing Workspace membership, roles, and permissions;
(e) Processing subscription payments through Stripe;
(f) Authenticating users through Kinde.
4.2 Service Improvement
(a) Analyzing usage patterns to improve features and user experience;
(b) Improving email parsing accuracy;
(c) Identifying and fixing technical issues;
(d) Aggregated, anonymized analytics (never sold to third parties).
4.3 Communication
(a) Transactional emails (booking alerts, deadline reminders, price drop notifications);
(b) Account-related notifications (billing, security, policy changes);
(c) Service announcements and product updates (with opt-out).
4.4 Legal and Safety
(a) Complying with applicable laws, regulations, and legal processes;
(b) Protecting against fraud, abuse, and security threats;
(c) Enforcing our Terms and Conditions.
5. Legal Basis for Processing (GDPR)
For Users in the European Union, European Economic Area, and the United Kingdom, we process personal data under the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account management, booking tracking, alert delivery, payment processing |
| Legitimate Interest (Art. 6(1)(f)) | Service improvement, security, fraud prevention, debugging |
| Consent (Art. 6(1)(a)) | Marketing communications, non-essential cookies, optional analytics |
| Legal Obligation (Art. 6(1)(c)) | Tax records, regulatory compliance, response to legal process |
5.1 Legitimate Interest Assessment
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include maintaining the security and reliability of the Service, improving service quality, and preventing abuse. You may object to processing based on legitimate interest at any time (see Section 9).
6. Data Sharing and Third-Party Processors
6.1 Sub-Processors
We share personal data with the following categories of third-party service providers (“Sub-Processors”) solely for the purposes described:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute, frontend and API hosting (ECS Fargate), email delivery (SES) | All service data | United States (us-east-1) |
| Stripe Payments Europe Ltd | Payment processing (on behalf of StayHawk Ltd as merchant of record) | Billing details, transaction data | Ireland |
| Kinde | Authentication, identity management | Email, user ID, plan tier | Varies (see Kinde DPA) |
| SerpApi | Hotel price data retrieval | Search queries (hotel name, dates — no user PII) | United States |
| Cloudflare | DNS management, DDoS protection, edge CDN | IP address, request metadata | Global |
| Apple Inc. | Push notification delivery (iOS app) | Device push token, message payload | United States |
6.2 No Sale of Personal Data
StayHawk does not sell, rent, or trade your personal data to third parties. We do not share personal data for third-party advertising purposes.
6.3 SerpApi Data Restrictions
Pricing data obtained through SerpApi is used solely for internal service delivery (displaying price comparisons to Users). Per SerpApi’s Terms of Service, this data is not resold, publicly redistributed, or included in any public-facing API response.
6.4 Legal Disclosures
We may disclose personal data if required to do so by law or in good faith belief that such disclosure is necessary to:
(a) Comply with a legal obligation, subpoena, or court order;
(b) Protect and defend the rights or property of StayHawk;
(c) Prevent or investigate possible wrongdoing;
(d) Protect the personal safety of Users or the public.
6.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of the transaction. We shall notify you via email and/or prominent notice on the Service of any change in ownership or uses of your personal data.
7. International Data Transfers
7.1 Transfer Mechanisms
StayHawk processes data primarily in the United States (AWS us-east-1 region). For transfers of personal data from the EU/EEA/UK to the United States, we rely on:
(a) EU-US Data Privacy Framework (where applicable and certified);
(b) Standard Contractual Clauses (SCCs) as approved by the European Commission;
(c) Other lawful transfer mechanisms as required.
7.2 Safeguards
We implement appropriate technical and organizational measures to protect personal data during international transfers, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), and access controls.
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of account + 30 days after deletion request | Contract performance |
| Booking Data | Duration of account or until manually deleted by User | Contract performance |
| Price Check Results | 90 days after booking check-out date (auto-deleted via TTL) | Legitimate interest |
| Alert Records | 90 days after booking check-out date (auto-deleted via TTL) | Legitimate interest |
| Forwarded Email Content | Processed and parsed immediately; raw email stored for 30 days for debugging, then deleted | Legitimate interest |
| Extension Page HTML | 7 days (stored in S3 for debugging, then auto-deleted via lifecycle policy) | Legitimate interest |
| Payment Records | 7 years (tax and regulatory compliance) | Legal obligation |
| Server Logs | 90 days | Legitimate interest |
| Analytics Data | Aggregated and anonymized after 12 months | Legitimate interest |
8.2 Deletion
Upon account deletion request, we shall delete or anonymize your personal data within thirty (30) days, except where retention is required by law (e.g., payment records for tax compliance). Backup copies may persist for up to an additional sixty (60) days in automated backup systems before being purged.
9. Your Rights
9.1 Rights Under GDPR (EU/EEA/UK Users)
You have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data (“right to be forgotten”) |
| Restriction (Art. 18) | Request restriction of processing in certain circumstances |
| Data Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest or direct marketing |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent |
| Lodge Complaint | File a complaint with your local Data Protection Authority |
9.2 Rights Under CCPA/CPRA (California Residents)
California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
(a) Right to Know: Request disclosure of the categories and specific pieces of personal information collected;
(b) Right to Delete: Request deletion of personal information;
(c) Right to Correct: Request correction of inaccurate personal information;
(d) Right to Opt-Out of Sale/Sharing: StayHawk does not sell or share personal information for cross-context behavioral advertising;
(e) Right to Non-Discrimination: We shall not discriminate against you for exercising your privacy rights.
9.3 Rights Under LGPD (Brazilian Users)
Users in Brazil have rights under the Lei Geral de Protecao de Dados, including confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing.
9.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@stayhawk.app. We shall respond within thirty (30) days (or the period required by applicable law). We may request identity verification before processing your request.
9.5 Data Export
Users may export their booking data at any time through the Service’s dashboard in structured JSON or CSV format. This satisfies the right to data portability under GDPR Article 20.
10. Data Security
10.1 Technical Measures
We implement the following technical security measures:
(a) Encryption in transit via TLS 1.2 or higher for all data transmissions;
(b) Encryption at rest via AES-256 for data stored in DynamoDB and S3;
(c) Secrets management via AWS Secrets Manager (no hardcoded credentials);
(d) IAM least-privilege access controls for all cloud resources;
(e) JWT-based authentication with token validation on every API request;
(f) Workspace-scoped data isolation ensuring Users cannot access other Workspaces’ data.
10.2 Organizational Measures
(a) Access to personal data is limited to personnel who require it for service delivery;
(b) Sub-processors are bound by Data Processing Agreements;
(c) Security incident response procedures are maintained and tested.
10.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we shall:
(a) Notify the relevant Data Protection Authority within seventy-two (72) hours of becoming aware of the breach (where required by GDPR);
(b) Notify affected Users without undue delay where the breach poses a high risk;
(c) Document all breaches and remedial actions taken.
11. Children’s Privacy
The Service is not directed to individuals under the age of 18 (or the applicable age of majority). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we shall delete such data promptly. If you believe a child has provided us with personal data, contact us at privacy@stayhawk.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes shall be communicated via:
(a) Email notification to the address associated with your account;
(b) Prominent notice on the Service (e.g., banner notification);
(c) At least thirty (30) days before the changes take effect.
Your continued use of the Service after the effective date of changes constitutes acceptance. The “Last Updated” date at the top of this Policy indicates the most recent revision.
13. Contact Information
For privacy-related inquiries, data subject requests, or complaints:
MariqueCalcus Ltd (trading as StayHawk)
London, United Kingdom
Email: privacy@stayhawk.app
EU Representative (if applicable): [TO BE APPOINTED if processing significant EU data]
Data Protection Officer (if applicable): [TO BE APPOINTED if required under Art. 37 GDPR]
14. Supplemental Notices
14.1 California “Do Not Track”
StayHawk does not currently respond to “Do Not Track” browser signals. Our Cookie Policy (see separate document) provides controls for managing tracking preferences.
14.2 Nevada Residents
StayHawk does not sell your personal data as defined under Nevada Revised Statutes Chapter 603A.
14.3 Virginia, Colorado, Connecticut, and Other US State Privacy Laws
Residents of states with comprehensive privacy laws (VCDPA, CPA, CTDPA, and similar) have rights analogous to those described in Section 9.2. To exercise these rights, contact privacy@stayhawk.app.
14.4 Chrome Extension (“StayHawk — Booking Import”)
The StayHawk Chrome Extension allows users to import hotel bookings directly from booking confirmation pages. This section describes how the extension handles your data.
Data collected. When you click “Import This Booking,” the extension reads the HTML content of the currently active browser tab. Before transmission, the extension removes scripts, stylesheets, SVG elements, iframes, media elements, inline event handlers, and data-attributes from the page content. The cleaned HTML is sent to our API over HTTPS for booking field extraction. The extension does not read any tab unless you explicitly click the import button (activeTab permission).
Server-side processing. The HTML is parsed to extract structured booking fields (property name, dates, price, etc.) and immediately discarded from memory after extraction. Only the extracted booking fields are stored in your StayHawk account.
Debug archive. A copy of the cleaned HTML is saved to a private S3 bucket for debugging extraction accuracy. This data is automatically deleted after seven (7) days via an S3 lifecycle policy. Debug archives are not accessible to any third party.
Authentication tokens. The extension stores authentication tokens in chrome.storage.session only. Session storage is cleared automatically when the browser is closed. Tokens are never written to persistent disk storage (chrome.storage.local is not used).
No background data collection. The extension does not run content scripts, does not monitor browsing activity, and does not collect data in the background. It activates only when you open the extension popup and click the import button.
No analytics or tracking. The extension contains no analytics SDKs, tracking pixels, or telemetry. No usage data is collected by the extension itself.
Permissions used.
- activeTab: Reads the current tab’s HTML only when you click the extension icon and initiate an import.
- storage: Stores authentication tokens in browser session memory (cleared on browser close).
- scripting: Injects a function to read and clean page content when you click “Import This Booking.” Replaces persistent content scripts to avoid running on every page load.
This Privacy Policy was last reviewed on May 4, 2026.