Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Synrfy (“we”, “us”, “our”) collects, uses, and protects your personal data when you use Staklio (“the Service”). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller responsible for your personal data is:

Synrfy
The Netherlands
Email: privacy@staklio.com

2. Data We Collect

We collect the following categories of personal data:

  • Identity data: name, email address, phone number, physical address
  • Financial data: bank account details (IBAN, SWIFT/BIC) for settlement processing
  • Technical data: IP address, browser type, device information, session data
  • Property management data: reservation data, booking information, and revenue data synchronized from your Property Management System (PMS)
  • Usage data: how you interact with the Service, features used, pages viewed

3. Purposes and Legal Bases

We process your personal data for the following purposes:

Purpose Legal Basis
Account creation and management Performance of contract (Art. 6(1)(b) GDPR)
Settlement calculations and financial reporting Performance of contract (Art. 6(1)(b) GDPR)
PMS data synchronization Performance of contract (Art. 6(1)(b) GDPR)
Sending transactional emails (notifications, statements) Performance of contract (Art. 6(1)(b) GDPR)
Payment processing Performance of contract (Art. 6(1)(b) GDPR)
Service improvement and fraud prevention Legitimate interest (Art. 6(1)(f) GDPR)
Marketing communications (where applicable) Consent (Art. 6(1)(a) GDPR)

4. Third-Party Processors

We share data with the following trusted processors who act under our instructions and are bound by data processing agreements:

  • Stripe, Inc. — Payment processing
    United States. Data transfer covered by EU Standard Contractual Clauses (SCCs). Privacy policy
  • Twilio SendGrid — Transactional email delivery
    United States. Data transfer covered by EU Standard Contractual Clauses (SCCs). Privacy policy
  • Cloudbeds / Mews (PMS providers) — Property Management System integration
    Data originates from and remains with your PMS provider. We read reservation data via their API under your authorization. Please refer to your PMS provider’s own privacy policy.

We do not sell your personal data to any third party.

5. Cookies

We use strictly necessary cookies to run the site, and — only with your consent — analytics cookies (Google Analytics) to understand how the site is used. Analytics cookies are not set until you accept them in the cookie banner, and you can decline without affecting how the site works.

Cookie Purpose Duration
staklio_sessionid Maintains your authenticated session 24 hours
staklio_csrftoken Protects against cross-site request forgery attacks Session
_ga, _ga_*, _gid Google Analytics — measures site usage (only set after you accept) Up to 2 years

The first two cookies are strictly necessary and always set. Analytics cookies are only set if you accept them; you can change your choice by clearing your browser's site data.

6. Data Retention

  • Account data: retained while your account is active. Deleted within 90 days of account closure.
  • Financial records: retained for 7 years as required by Dutch accounting law (Burgerlijk Wetboek, boek 2).
  • Usage logs: retained for up to 90 days for security and operational purposes.

7. Your Rights (GDPR)

Under GDPR Articles 15–22, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to restriction (Art. 18): Request that we limit how we process your data.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@staklio.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit using TLS (HTTPS) for all data transfers
  • Encrypted storage for sensitive data (IBAN and bank details)
  • Role-based access controls limiting who can access personal data
  • Regular security reviews

9. International Transfers

Some of our processors are based in the United States (Stripe, SendGrid). Transfers to these processors are covered by EU Standard Contractual Clauses (SCCs) as approved by the European Commission, providing an adequate level of protection for your personal data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of this page. For significant changes, we will notify you by email or through a notice in the Service. We encourage you to check this page periodically.

11. Contact Us

For any questions about this Privacy Policy or our data practices:

Email: privacy@staklio.com

We use essential cookies to run the site and, with your consent, analytics to understand how it's used. Privacy