Data Processing Agreement
Last updated: 2026-03-18
Effective Date: March 1, 2026
Last Updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the StaySpark Terms of Service between StaySpark ("Processor," "we") and you, the host ("Controller," "you"). It describes how StaySpark processes guest personal data on your behalf.
1. Definitions
- Controller: You, the StaySpark host. You determine why and how guest personal data is collected through your direct booking website.
- Processor: StaySpark. We process guest data on your behalf to provide the booking engine, guest CRM, and related services.
- Guest Data: Personal data of guests who book through your StaySpark-generated website, including name, email, phone number, booking details, and payment information.
- Sub-processor: Third-party services that process Guest Data on StaySpark's behalf.
2. Scope & Purpose
StaySpark processes Guest Data solely to:
- Process and confirm guest bookings
- Facilitate payment through Stripe Connect
- Provide guest CRM functionality (communication, guest book)
- Send transactional emails related to bookings (via Resend)
- Store booking records and guest information (via Supabase)
- Host your direct booking website (via Vercel)
We do not process Guest Data for our own marketing, profiling, or any purpose unrelated to providing the Service to you.
3. Your Obligations as Controller
As the data controller, you are responsible for:
- Having a lawful basis to collect guest personal data (e.g., contract performance for the booking)
- Providing guests with a privacy notice explaining how their data is used
- Responding to guest data access, correction, or deletion requests
- Ensuring your use of Guest Data complies with applicable privacy laws (GDPR, CCPA, etc.)
- Not collecting more guest data than necessary for the booking
4. Our Obligations as Processor
StaySpark will:
- Process Guest Data only on your documented instructions (i.e., to provide the Service)
- Not use Guest Data for any purpose other than providing the Service
- Implement appropriate technical and organizational security measures
- Notify you without undue delay (and within 72 hours where GDPR applies) if we become aware of a personal data breach affecting Guest Data
- Assist you in responding to guest data subject requests
- Delete or return Guest Data upon termination of your account (within 90 days), unless legal retention is required
- Make available information necessary to demonstrate compliance with this DPA upon reasonable request
5. Security Measures
We implement the following safeguards for Guest Data:
- Encryption in transit: All data transmitted via TLS/HTTPS
- Encryption at rest: Database and file storage encryption via Supabase
- Access control: Role-based access; Guest Data accessible only to essential personnel
- Authentication: Secure session management via NextAuth.js
- Payment security: Payment data processed by Stripe (PCI DSS Level 1); StaySpark never stores full card numbers
- Infrastructure: Hosted on Vercel with enterprise-grade security
- Monitoring: Regular security reviews and updates
6. Sub-processors
We use the following sub-processors to process Guest Data:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Guest payment & booking data | USA |
| Supabase | Database & file storage | All Guest Data | USA |
| Vercel | Website hosting | Guest Data displayed/submitted on site | USA |
| Resend | Transactional email | Guest email address, booking details | USA |
We will:
- Notify you before adding new sub-processors that handle Guest Data (via email, with 30 days' notice)
- Ensure all sub-processors are bound by data protection obligations no less protective than this DPA
- Remain liable for our sub-processors' compliance
If you object to a new sub-processor, you may terminate your account within 30 days of notification.
Note: Guest Data is not sent to OpenAI or Anthropic APIs. AI processing is limited to property listing data for site generation, not guest personal data.
7. International Data Transfers
Guest Data is stored and processed in the United States. For guests located in the EEA or UK:
- We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards
- Our sub-processors maintain their own transfer mechanisms (Stripe, Supabase, and Vercel each publish their transfer documentation)
8. Data Subject Requests
If a guest contacts StaySpark directly with a data access, correction, or deletion request:
- We will redirect them to you (the Controller) when possible
- We will notify you of the request promptly
- We will assist you in fulfilling the request using available platform tools (e.g., deleting a guest record from your CRM)
If a guest contacts you directly, we will provide reasonable technical assistance to fulfill the request.
9. Data Breach Notification
In the event of a personal data breach affecting Guest Data, StaySpark will:
- Notify you without undue delay (within 72 hours for GDPR-covered data)
- Provide details of the breach: nature, categories of data, approximate number of records, likely consequences, and measures taken
- Cooperate with you in notifying affected guests and authorities as required by law
- Document the breach and our response
10. Audits
Upon reasonable written request (no more than once per year), you may:
- Request a summary of our security practices and certifications
- Review our sub-processor list and data flows
- Request evidence of compliance with this DPA
We will cooperate in good faith. On-site audits require 30 days' notice and mutual agreement on scope and timing.
11. Term & Termination
- This DPA is effective as long as your StaySpark account is active
- Upon account termination, we will delete Guest Data within 90 days, except where legal retention is required
- Sections related to confidentiality and data breach notification survive termination
12. Contact
For DPA-related inquiries:
- Email: support@stayspark.io