Privacy Policy
Last updated: April 29, 2026
1. Who We Are
StayShot ("we," "us," "our") is an AI photo enhancement service for short-term rental hosts, operated by Victoria Dorofeieva, based in Puglia, Italy.
- Website: https://stayshot.net
- Contact: support@stayshot.net
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use StayShot.
2. What Data We Collect
Data you provide directly
- Account information: email address and password when you create an account
- Payment information: processed by Stripe (we never see or store your full card number)
- Photos you upload: images of your rental property that you submit for enhancement
Data collected automatically
- Usage data: pages visited, features used, number of photos enhanced, timestamps
- Device data: browser type, operating system, screen resolution
- IP address: used for security, fraud prevention, and approximate location
- Cookies: essential cookies for authentication and session management (we do not use advertising or tracking cookies)
Data we do NOT collect
- We do not collect your phone number
- We do not collect your physical address (beyond what Stripe requires for payment)
- We do not use advertising cookies or tracking pixels
- We do not sell your data to third parties
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: processing your photos through our AI enhancement system, delivering results, managing your account and subscription
- Payment processing: managing subscriptions, processing payments, issuing receipts through Stripe
- Security: preventing fraud, detecting abuse, protecting against unauthorized access, enforcing rate limits on account creation
- Communication: sending transactional emails (password resets, email verification, welcome emails, subscription confirmations)
- Service improvement: understanding how users interact with StayShot to improve the product (aggregated, non-personal analytics only)
Legal basis for processing (GDPR):
- Contract performance: processing your photos, managing your account, handling payments — necessary to provide the service you signed up for
- Legitimate interest: security measures, fraud prevention, service improvement
- Consent: marketing communications (if any in the future — you can opt out at any time)
4. Your Photos
Your uploaded photos are an important part of our service. Here is exactly what happens to them:
- Upload: your original photo is uploaded to our secure cloud storage (Supabase, hosted on AWS infrastructure in the EU)
- Processing: the photo is sent to OpenAI's API for AI enhancement. OpenAI processes the image according to our instructions and returns the enhanced version. Per OpenAI's API data usage policy, images submitted via the API are not used to train their models.
- Storage: both your original and enhanced photos are stored in your account so you can re-download them
- Deletion: you can delete your photos at any time from your account. When you delete your account, all photos are permanently deleted within 30 days.
- We do not share your photos with anyone other than OpenAI for the purpose of enhancement
- We do not use your photos for marketing, training, or any purpose other than providing you with enhanced results
5. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — Database, authentication, file storage. Data shared: account data, photos. supabase.com/privacy
- OpenAI — AI photo enhancement. Data shared: photos (for processing only). openai.com/privacy
- Stripe — Payment processing. Data shared: email, payment details. stripe.com/privacy
- Lovable — Application hosting. Data shared: application data. lovable.dev/privacy
We do not sell, rent, or trade your personal data to any third party.
6. Data Retention
- Account data: retained as long as your account is active. Deleted within 30 days of account deletion.
- Photos: retained as long as your account is active. You can delete individual photos at any time. All photos are deleted within 30 days of account deletion.
- Payment records: retained for 7 years as required by Italian tax law and EU financial regulations.
- Security logs (IP addresses, signup attempts): retained for 90 days, then automatically deleted.
- Error logs: retained for 30 days for debugging purposes, then automatically deleted.
7. Your Rights
For all users
- Access: request a copy of all personal data we hold about you
- Correction: request correction of inaccurate personal data
- Deletion: request deletion of your account and all associated data
- Data portability: request your data in a machine-readable format
- Withdraw consent: withdraw consent for any processing based on consent at any time
Additional rights for EU/EEA residents (GDPR)
- Restrict processing: request that we limit how we use your data
- Object to processing: object to processing based on legitimate interest
- Lodge a complaint: file a complaint with your local data protection authority (in Italy: Garante per la protezione dei dati personali — gpdp.it)
Additional rights for California residents (CCPA/CPRA)
- Know: request disclosure of the categories and specific pieces of personal information collected
- Delete: request deletion of personal information
- Opt-out: opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination: we will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at support@stayshot.net. We will respond within 30 days (or sooner as required by applicable law).
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- All data is transmitted over HTTPS (TLS encryption)
- Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth)
- Photos are stored in private cloud storage with access controls
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
- We use email verification and rate limiting to prevent unauthorized access
- Access to production systems is restricted to authorized personnel only
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of any security breach, please contact us immediately at support@stayshot.net.
9. International Data Transfers
StayShot is operated from Italy (EU). Your data may be processed in:
- EU/EEA: primary data storage and processing (Supabase infrastructure)
- United States: OpenAI (for photo processing) and Stripe (for payment processing)
For transfers outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- The safeguards provided by our third-party processors' compliance programs
10. Children's Privacy
StayShot is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@stayshot.net and we will delete it promptly.
11. Cookies
StayShot uses only essential cookies required for the service to function:
- Authentication cookies: to keep you logged in
- Session cookies: to maintain your session while using the app
We do not use advertising cookies, analytics cookies, or third-party tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email if the changes significantly affect how we handle your data
- Post the updated policy on our website
Your continued use of StayShot after changes are posted constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, contact us:
- Email: support@stayshot.net
- Data Controller: Victoria Dorofeieva, Puglia, Italy
For GDPR-related inquiries, you may also contact the Italian Data Protection Authority:
- Garante per la protezione dei dati personali
- Website: https://www.gpdp.it