Stay Orbis is a vacation rental property management system (PMS) that helps owners and managers increase bookings, automate operations, and maximize revenue across Airbnb, VRBO, Booking.com, and direct booking channels.

Does Stay Orbis integrate with Airbnb and VRBO?

Yes, Stay Orbis provides a channel manager that syncs listings, availability, and pricing in real-time across Airbnb, VRBO, Booking.com, and other major platforms to prevent double bookings.

How does dynamic pricing work?

Stay Orbis uses AI-powered dynamic pricing that automatically adjusts your nightly rates based on demand, seasonality, local events, competitor pricing, and historical booking data to maximize revenue.

Is there a free trial?

Yes, Stay Orbis offers a free trial so you can experience the full platform before committing. No credit card required to start.

Pigeon Forge Wedding Packages & Mountain Venue

1. Purpose

This Data Retention and Disposal Policy (“Policy”) establishes the requirements and procedures for the retention, archival, and secure disposal of data collected, processed, and stored by Stay Orbis, LLC (“Stay Orbis,” “we,” “our,” or “us”). This Policy ensures compliance with applicable federal and state data privacy laws, including the Maryland Personal Information Protection Act (Md. Code, Com. Law § 14-3501 et seq.) and other regulatory requirements.

2. Scope

This Policy applies to all data collected through the Stay Orbis property management platform, marketing website, and related services (collectively, the “Services”), including but not limited to:

Personal information of users, guests, and property owners;
Financial and payment data;
Bank account data obtained via third-party integrations (e.g., Plaid);
Reservation and booking records;
Communication records;
Usage and analytics data;
System logs and audit trails.

3. Data Classification

Stay Orbis classifies data into the following categories to determine appropriate retention periods and disposal methods:

Classification	Description	Examples
Sensitive	Data requiring the highest level of protection	Financial credentials, Plaid access tokens, encryption keys, passwords
Confidential	Personal or business data with restricted access	Bank transactions, tax records, guest identity documents, payment data
Internal	Operational data for internal business use	Reservation records, property data, communication logs, user profiles
Public	Data intended for public access	Published property listings, marketing content, public reviews

4. Retention Periods

Data is retained only for as long as necessary to fulfill its intended purpose or as required by law. The following retention periods apply:

4.1 Account and User Data

Data Type	Retention Period	Justification
User account profiles	Duration of active account + 3 years	Business continuity, legal disputes
Authentication credentials	Duration of active account	Deleted upon account closure
2FA/TOTP secrets and recovery codes	Duration of active account	Deleted upon 2FA disable or account closure
Marketing consent records	Until withdrawal + 1 year	Regulatory proof of consent

4.2 Financial and Payment Data

Data Type	Retention Period	Justification
Transaction records	7 years	IRS requirements, tax regulations
Invoices and receipts	7 years	Tax and accounting compliance
Stripe payment metadata	7 years	Financial reconciliation, dispute resolution
1099 tax forms	7 years	IRS filing requirements

4.3 Plaid / Bank Account Data

Data Type	Retention Period	Justification
Plaid access tokens	Until disconnection	Deleted immediately upon bank account disconnection
Bank account identifiers	Until disconnection + 30 days	Grace period for reconnection
Bank transaction records	7 years	Tax/accounting regulations
Account balance snapshots	1 year	Reconciliation purposes

4.4 Reservation and Guest Data

Data Type	Retention Period	Justification
Reservation records	7 years	Financial records, dispute resolution
Guest contact information	Duration of account + 3 years	Business operations, legal requirements
Guest communications	3 years	Dispute resolution, service quality

4.5 Technical and Operational Data

Data Type	Retention Period	Justification
Application logs	90 days	Debugging and incident response
Audit trails	3 years	Security investigations, compliance
Usage analytics	2 years	Product improvement
Error tracking (Sentry)	90 days	Bug resolution

5. Data Disposal Procedures

When data reaches the end of its retention period or a valid deletion request is received, the following disposal procedures are applied based on data classification:

5.1 Sensitive Data Disposal

Plaid access tokens: Cryptographically deleted from the database; the associated encryption key material is invalidated;
Authentication credentials: Permanently deleted from all datastores, including backups within 30 days;
Encryption keys: Rotated and prior keys securely destroyed.

5.2 Confidential Data Disposal

Database records: Hard-deleted from production database with cascade deletion of related records;
File storage: Files permanently removed from cloud storage with verification of deletion;
Backups: Data removed from backups within the backup rotation cycle (maximum 30 days).

5.3 Internal Data Disposal

Operational records: Soft-deleted (marked as deleted) with permanent removal after 30-day grace period;
Analytics data: Anonymized or aggregated rather than deleted where possible for continued business intelligence use.

5.4 Disposal Verification

All disposal actions are:

Logged in the system audit trail with timestamp, data type, and method of disposal;
Verified to ensure complete removal from production systems;
Tracked through backup rotation cycles to ensure removal from backup media.

6. User-Initiated Data Deletion

Users may request deletion of their data at any time by contacting privacy@stayorbis.com. Upon receiving a valid deletion request:

Acknowledgment: We acknowledge receipt within 5 business days;
Verification: We verify the identity of the requestor;
Processing: Eligible data is deleted within 45 days;
Confirmation: We confirm completion of deletion to the requestor;
Exceptions: Data required for legal compliance (e.g., 7-year financial records) is retained with restricted access until the legal retention period expires, at which point it is permanently deleted.

Users may also disconnect third-party integrations (e.g., Plaid bank accounts) at any time through their account settings, which triggers immediate deletion of associated access tokens and credentials.

7. Third-Party Data Processors

Data shared with third-party processors is subject to their respective retention and disposal policies. Our key processors include:

Supabase (Database): Data retained per our instructions; encrypted at rest with AES-256 on SOC 2 compliant infrastructure;
Stripe (Payments): Payment data retained per Stripe's data retention policy and PCI-DSS requirements;
Plaid (Banking): Access tokens revoked upon disconnection; Plaid retains data per their end user privacy policy;
Twilio (SMS): Message logs retained per Twilio's retention policy; no message content stored by Stay Orbis;
Vercel (Hosting): Application logs retained for 30 days; no persistent user data stored;
Sentry (Error Tracking): Error reports retained for 90 days; personally identifiable information is scrubbed before transmission.

8. Security Controls During Retention

While data is retained, the following security controls are enforced:

Encryption at rest: All data encrypted using AES-256; sensitive credentials (Plaid tokens) additionally encrypted at the application level using AES-256-GCM;
Encryption in transit: All data transmitted over TLS 1.2+;
Access controls: Role-based access control (RBAC) with principle of least privilege;
Authentication: Multi-factor authentication (TOTP-based 2FA) available for all user accounts;
Monitoring: Audit logging of all data access and modifications;
Rate limiting: Authentication endpoints protected against brute-force attacks.

9. Policy Review and Updates

This Policy is reviewed and updated:

Annually: Comprehensive review of all retention periods, disposal procedures, and regulatory requirements;
Upon regulatory changes: Updated when applicable privacy laws or regulations change;
Upon significant platform changes: Updated when new data types are collected or new third-party integrations are added;
After security incidents: Reviewed following any data breach or security incident to determine if policy changes are warranted.

The Privacy Officer is responsible for maintaining this Policy and ensuring organization-wide compliance.

10. Legal Basis and Compliance

This Policy is designed to comply with:

Maryland Personal Information Protection Act (Md. Code, Com. Law § 14-3501 et seq.);
Maryland Consumer Protection Act;
IRS record retention requirements (26 CFR § 1.6001-1);
Payment Card Industry Data Security Standard (PCI-DSS);
California Consumer Privacy Act (CCPA), where applicable;
Federal Trade Commission Act (Section 5) regarding unfair or deceptive practices.

11. Contact

For questions about this Policy or to submit a data deletion request:

Stay Orbis, LLC
Attn: Privacy Officer
Email: privacy@stayorbis.com

Related Policies: This Policy should be read in conjunction with our Privacy Policy, Terms of Service, and any applicable data processing agreements.

Data Retention & Disposal Policy