Privacy Policy

We only collect what we need to deliver and improve our service. Specifically:

• Identity & contact: name, email, phone number, country of residence, and (where required by law) passport or ID details for stays.
• Booking details: dates of stay, guest count, apartment type, special requests, and any messages exchanged with our team.
• Payment information: processed by our payment partner; we receive a token plus the last four digits, never your full card number.
• Account information: if you create an account, your sign-in credentials (managed by Clerk) and saved preferences (display currency, language).
• Technical data: IP address, device, browser, pages visited, and referrer — collected automatically through standard server logs.
• Communications: records of your enquiries, support tickets, reviews, and any messages you send us.

• To process and confirm your booking, take payment, and issue receipts.
• To send service messages — booking confirmations, check-in instructions, change notices, and follow-up after your stay.
• To comply with local laws, including hospitality and tourism regulations in AE.
• To prevent fraud, abuse, and unauthorised access to your account.
• To respond to enquiries and improve the site based on aggregated, non-identifying analytics.
• To send marketing emails — only with your prior consent, and only until you ask us to stop.

We do not sell or rent your personal information to third parties.

We process your data on one of the following lawful bases, depending on the activity:

• Performance of a contract — to deliver the booking you have made with us.
• Legal obligation — to meet record-keeping, tax, and tourism-authority requirements.
• Legitimate interest — to operate, secure, and improve the service in ways you would reasonably expect.
• Consent — for optional marketing communications and non-essential cookies. You can withdraw consent at any time.

We share data only with vendors who help us run the service, and only to the extent they need to perform their role. Each is bound by a data processing agreement.

• Hosting & infrastructure — Vercel (site delivery), Supabase (database, file storage).
• Authentication — Clerk (sign-in and account management).
• Payments — Stripe (card processing). Stripe is PCI-DSS Level 1 certified; we never see full card numbers.
• Email delivery — transactional email providers for booking confirmations and service messages.
• Authorities — government bodies where disclosure is legally required (e.g. to comply with court orders or hospitality regulation in AE).

Some of our vendors are based outside AE (e.g. in the EU or US). Where data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards to ensure your data continues to be protected to the standard described in this policy.

We retain personal data only as long as needed for the purpose it was collected, plus any period required by law:

• Booking and financial records: typically 7 years for tax and audit purposes.
• Account data: until you ask us to close the account, then up to 90 days for backups.
• Marketing preferences: until you unsubscribe.
• Server logs: rotated within 90 days.

All traffic is encrypted in transit via HTTPS. Stored data is encrypted at rest by our hosting providers. Access to production data is limited to staff who need it for their role and is logged. We review our security practices on an ongoing basis.

No system is perfectly secure. If a breach affects you, we will notify you and the relevant authorities as required by law.

You have the right to:

• Access the data we hold about you and receive a copy.
• Correct any inaccurate or incomplete information.
• Ask us to delete your data, subject to legal retention obligations.
• Object to or restrict certain types of processing.
• Receive your data in a portable format.
• Withdraw any consent you have previously given.
• Lodge a complaint with the UAE Data Office or your local supervisory authority if you are based in the EU/UK.

To exercise any of these, email us at stay@burjvista.example. We respond within 30 days.

The service is not directed at children under 16. We do not knowingly collect personal data from children. Bookings can only be made by adults aged 18 or older.

We use a small set of cookies to keep you signed in and to remember preferences. See our Cookie Policy for details and how to manage them.

When we update this policy we will revise the “Last updated” date at the top of the page. Significant changes will be communicated by email to registered users where appropriate.

For privacy questions or requests, email stay@burjvista.example. Postal address: Burj Vista Tower 1 Downtown Dubai, UAE.