Effective Date: April 2026 · Operated by Luxnation Hospitality Consulting GmbH, Austria
Masyaf is operated by Luxnation Hospitality Consulting GmbH ("Masyaf", "we", "us", "our"), a limited liability company incorporated under Austrian law. Because we are established in the European Union, this Privacy Policy is prepared in accordance with the EU General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679). We also comply with Egypt's Personal Data Protection Law (Law No. 151 of 2020, "PDPL") as the Masyaf application operates primarily in Egypt.
This Policy explains what personal data we collect through the Masyaf mobile application ("App"), why we collect it, how we use and protect it, who we share it with, and what rights you have.
| Company | Luxnation Hospitality Consulting GmbH |
| Jurisdiction | Austria (European Union) |
| contact@masyaf.app | |
| Registered address | Leutascher Strasse 58, 6100 Seefeld in Tirol, Austria |
For privacy questions or to exercise your rights, contact us at contact@masyaf.app.
When you register, we collect your name, email address, and username. You may optionally provide a profile photo, a cover photo, a short bio, and a phone number. Phone numbers are optional and you control whether other users can see yours through the App's visibility settings. If you register using Apple Sign-In or Google Sign-In, we receive your name and email address from that provider.
When you create a property listing, we collect the listing title, description, photos, nightly price, an optional contact phone number, and the property location (compound and city level). You control whether your listing phone number is visible to other users. Listing photos and your profile avatar are stored in publicly accessible cloud storage (Supabase/AWS) so they can be displayed within the App. Do not upload images that contain personal data you do not wish to be publicly viewable.
We record interactions within the App including: properties you like or save, accounts you follow, listing views, clicks, and shares you generate, and messages you send or receive. This data powers listing performance analytics for Owners and is used to personalise your experience and detect misuse.
The content of messages you send and receive through the in-app messaging feature, notification data, and block lists (records of users you have blocked). Block list data is retained to prevent blocked users from contacting you even if they re-register.
When you pay an Ad Placement Fee, payment card details are entered directly into our payment processor (Stripe). Card details are handled entirely by Stripe and are never transmitted to, stored on, or accessible by Masyaf's own infrastructure. We receive only a transaction confirmation and metadata: amount, date, listing tier, and a listing identifier. Masyaf does not process payments between owners and guests — those are settled directly between the parties outside the App.
Device type, operating system version, app version, session identifiers, in-app navigation and feature usage, and crash or error data. Crash and error reporting is handled by Sentry, which runs on EU-hosted servers (de.sentry.io). We configure Sentry to avoid logging sensitive content such as message text or phone numbers in error contexts.
A device push token used to deliver notifications via Apple Push Notification Service (APNs) for iOS or Firebase Cloud Messaging (FCM) for Android, routed through Expo's notification infrastructure. Push tokens are stored in your account record and refreshed automatically by your operating system.
A future release of the App may introduce optional or mandatory identity verification through a third-party provider. If introduced, we will update this Policy and notify you in advance. No identity verification data is collected in the current version of the App.
If you submit your details through the waitlist form on masyaf.app, we collect your first name, last name, and email address. This data is stored in our Supabase database on AWS infrastructure in Ireland (EU) and is used solely to notify you when the App becomes available. You may request deletion by emailing contact@masyaf.app. Legal basis: consent (Art. 6(1)(a) GDPR).
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and management | Contract performance — Art. 6(1)(b) |
| Displaying property listings | Contract performance — Art. 6(1)(b) |
| Ad Placement Fee processing | Contract performance — Art. 6(1)(b) |
| In-app messaging | Contract performance — Art. 6(1)(b) |
| Listing analytics (views, clicks, saves) | Contract performance — Art. 6(1)(b) |
| Block lists and user safety | Legitimate interests — Art. 6(1)(f) |
| Message retention for safety / disputes | Legitimate interests — Art. 6(1)(f) |
| Fraud prevention and security | Legitimate interests — Art. 6(1)(f) |
| App performance monitoring (Sentry) | Legitimate interests — Art. 6(1)(f) |
| Push notifications | Consent — Art. 6(1)(a) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, you have the right to object to that processing (see Section 9).
We engage the following sub-processors who are contractually bound to process your data only as we direct:
| Provider | Service | Data location | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | AWS eu-west-1, Ireland (EU) | Within EEA — no transfer required |
| Sentry, Inc. | Crash reporting and error monitoring | EU servers (de.sentry.io) | Within EU — no transfer required |
| Expo, Inc. | App delivery, OTA updates, push notification tokens | USA | SCCs |
| Apple Inc. | Push notifications — iOS (APNs) | USA | EU–US DPF / SCCs |
| Google LLC (FCM) | Push notifications — Android | USA | EU–US DPF / SCCs |
| Stripe, Inc. | Ad Placement Fee processing | USA / EU | SCCs / DPA |
We do not sell personal data to third parties and we do not share personal data with advertisers.
Luxnation Hospitality Consulting GmbH is an EU-based controller. GDPR protections apply to all personal data we process, regardless of where our users are located.
The majority of user data is stored by Supabase on AWS infrastructure in Ireland (eu-west-1), within the EEA. Error monitoring runs on Sentry's EU servers. No international transfer safeguards are required for these services.
Certain providers are based outside the EEA: Expo (USA), Apple APNs (USA), Google FCM (USA), and Stripe (USA/EU). For transfers to these providers, we rely on Standard Contractual Clauses ("SCCs") and, where applicable, the EU–US Data Privacy Framework ("DPF").
Egypt is not currently subject to an EU adequacy decision. As an Egyptian user, your data is governed by an EU-based controller and subject to full GDPR protections.
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account, plus 30 days after deletion request |
| Listing data | Until you delete the listing or close your account |
| Activity data (likes, saves, follows, views) | Duration of account |
| Message content and conversations | Duration of user relationship; deleted within 30 days of valid erasure request |
| Chat media (images sent in messages) | Deleted automatically after a defined period |
| Block lists | Until you unblock the user or close your account |
| Payment and billing records | 7 years (Austrian statutory accounting obligation) |
| Push notification tokens | Duration of account or until your device refreshes the token |
| Usage and analytics data | 24 months, then anonymised or deleted |
| Crash and error logs (Sentry) | 90 days |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
Egyptian users also have rights under the Egyptian PDPL including the right to be informed, the right of access, the right to rectification, and the right to erasure. To exercise any of these rights, contact us at contact@masyaf.app.
We will respond within 30 days and may need to verify your identity. Account and listing deletion can also be performed directly within the App.
We deliver push notifications via Expo's notification infrastructure, routing through Apple APNs (iOS) and Google FCM (Android). You will be asked for permission when you first use the App. You may withdraw consent at any time through your device's notification settings or within the App.
If you sign in using Apple Sign-In or Google Sign-In, those providers share your name and email address with us solely for account creation. We do not receive your password or payment details from these providers.
Providing a phone number is optional. Where you include a phone number in your profile or listing, you control its visibility through the App's privacy settings. We recommend reviewing your visibility settings before publishing a listing.
The App is intended solely for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. Contact contact@masyaf.app if you believe a minor has registered.
We implement appropriate technical and organisational measures to protect personal data, including TLS-encrypted data transmission, database access controls and row-level security within Supabase, EU-located infrastructure for core user data, and Sentry configured to exclude sensitive content from error reports. In the event of a personal data breach, we will notify the Datenschutzbehörde and affected users as required under GDPR Article 33.
We may update this Policy to reflect changes in our services, infrastructure, or legal requirements. We will notify you of material changes by in-app notification or email at least 14 days before they take effect.
For all privacy-related questions, data subject requests, or complaints:
contact@masyaf.app