Effective Date: May 2026 · Operated by Luxnation Hospitality Consulting GmbH, Austria
Masyaf is operated by Luxnation Hospitality Consulting GmbH ("Masyaf", "we", "us", "our"), a limited liability company incorporated under Austrian law. Because we are established in the European Union, this Privacy Policy is prepared in accordance with the EU General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679). We also comply with Egypt's Personal Data Protection Law (Law No. 151 of 2020, "PDPL") as the Masyaf application operates primarily in Egypt.
This Policy explains what personal data we collect through the Masyaf mobile application ("App"), why we collect it, how we use and protect it, who we share it with, and what rights you have.
| Company | Luxnation Hospitality Consulting GmbH |
| Jurisdiction | Austria (European Union) |
| Email | [email protected] |
| Registered address | Leutascher Strasse 58, 6100 Seefeld in Tirol, Austria |
For privacy questions or to exercise your rights, contact us at [email protected].
When you register, we collect your name, email address, and username. You may optionally provide a profile photo, a cover photo, a short bio, and a phone number. Phone numbers are optional and you control whether other users can see yours through the App's visibility settings. If you register using Apple Sign-In or Google Sign-In, we receive your name and email address from that provider.
When you create a property listing, we collect the listing title, description, photos, nightly price, an optional contact phone number, and the property location (compound and city level). You control whether your listing phone number is visible to other users. Listing photos and your profile avatar are stored in publicly accessible cloud storage (Supabase/AWS) so they can be displayed within the App. Do not upload images that contain personal data you do not wish to be publicly viewable.
We record interactions within the App including: properties you like or save, accounts you follow, listing views, clicks, and shares you generate, and messages you send or receive. This data powers listing performance analytics for Owners and is used to personalise your experience and detect misuse.
We collect the content of messages you send and receive through the in-app messaging feature, notification data, and block lists (records of users you have blocked). Block list data is retained to prevent blocked users from contacting you even if they re-register.
When you pay an Ad Placement Fee, payment card details are entered directly into our payment processor (Stripe). Card details are handled entirely by Stripe and are never transmitted to, stored on, or accessible by Masyaf's own infrastructure. We receive only a transaction confirmation and metadata: amount, date, listing tier, and a listing identifier. Masyaf does not process payments between owners and guests — those are settled directly between the parties outside the App.
We collect device type, operating system version, app version, session identifiers, in-app navigation and feature usage, and crash or error data. Crash and error reporting is handled by Sentry, which runs on EU-hosted servers (de.sentry.io). We configure Sentry to avoid logging sensitive content such as message text or phone numbers in error contexts.
We collect a device push token used to deliver notifications via Apple Push Notification Service (APNs) for iOS or Firebase Cloud Messaging (FCM) for Android, routed through Expo's notification infrastructure. Push tokens are stored in your account record and refreshed automatically by your operating system.
A future release of the App may introduce optional or mandatory identity verification through a third-party provider. If introduced, we will update this Policy and notify you in advance. No identity verification data is collected in the current version of the App.
If you submit your details through the waitlist form on masyaf.app, we collect your first name, last name, and email address. This data is stored in our Supabase database on AWS infrastructure in Ireland (EU) and is used solely to notify you when the App becomes available. You may request deletion by emailing [email protected]. Legal basis: consent (Art. 6(1)(a) GDPR).
To understand how users discover the App and to measure the effectiveness of our advertising campaigns, we use AppsFlyer, a mobile attribution and marketing analytics provider. When you install or use the App, AppsFlyer's software development kit ("SDK") collects technical and device information including device type and model, operating system version, language and timezone, IP address (which provides approximate location), and mobile advertising identifiers — the Identifier for Advertisers ("IDFA") on iOS and the Google Advertising ID on Android. It also records app installs and certain in-app events, such as completing registration or publishing a listing. AppsFlyer states that this data does not generally contain information that directly identifies an individual, such as your name or address.
On iOS, the advertising identifier (IDFA) is collected only if you grant permission through Apple's App Tracking Transparency prompt. If you decline, no IDFA is collected and attribution operates in an aggregated, privacy-preserving form through Apple's SKAdNetwork. You can change this choice at any time in your device settings. Section 11 explains your choices and how this data is used and shared in full.
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and management | Contract performance — Art. 6(1)(b) |
| Displaying property listings | Contract performance — Art. 6(1)(b) |
| Ad Placement Fee processing | Contract performance — Art. 6(1)(b) |
| In-app messaging | Contract performance — Art. 6(1)(b) |
| Listing analytics (views, clicks, saves) | Contract performance — Art. 6(1)(b) |
| Block lists and user safety | Legitimate interests — Art. 6(1)(f) |
| Message retention for safety / disputes | Legitimate interests — Art. 6(1)(f) |
| Fraud prevention and security | Legitimate interests — Art. 6(1)(f) |
| App performance monitoring (Sentry) | Legitimate interests — Art. 6(1)(f) |
| Advertising attribution — mobile advertising identifier (IDFA) | Consent — Art. 6(1)(a) |
| Advertising attribution — install and in-app event data | Legitimate interests — Art. 6(1)(f) |
| Push notifications | Consent — Art. 6(1)(a) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, you have the right to object to that processing (see Section 9).
We engage the following sub-processors who are contractually bound to process your data only as we direct:
| Provider | Service | Data location | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | AWS eu-west-1, Ireland (EU) | Within EEA — no transfer required |
| Sentry, Inc. | Crash reporting and error monitoring | EU servers (de.sentry.io) | Within EU — no transfer required |
| Expo, Inc. | App delivery, OTA updates, push notification tokens | USA | SCCs |
| Apple Inc. | Push notifications — iOS (APNs) | USA | EU–US DPF / SCCs |
| Google LLC (FCM) | Push notifications — Android | USA | EU–US DPF / SCCs |
| Stripe, Inc. | Ad Placement Fee processing | USA / EU | SCCs / DPA |
| AppsFlyer Ltd. | Mobile install attribution and marketing analytics | Processed globally, including outside the EEA | SCCs / DPA |
We do not sell your personal data to anyone. To measure how users discover the App and how our advertising performs, we share limited attribution data — mobile advertising identifiers and app install or in-app event data — with our attribution provider, AppsFlyer, which processes it as our data processor on our instructions. At our instruction, AppsFlyer in turn shares limited install and event data with the advertising network a given install or event is attributed to (Meta, TikTok, Google, or Apple Search Ads), so that network can measure and improve its campaigns. This is described in full in Section 11. Apart from this attribution data, we do not share your personal data with advertisers.
Luxnation Hospitality Consulting GmbH is an EU-based controller. GDPR protections apply to all personal data we process, regardless of where our users are located.
The majority of user data is stored by Supabase on AWS infrastructure in Ireland (eu-west-1), within the EEA. Error monitoring runs on Sentry's EU servers. No international transfer safeguards are required for these services.
Certain providers process data outside the EEA: Expo (USA), Apple APNs (USA), Google FCM (USA), Stripe (USA/EU), and AppsFlyer (processing may occur outside the EEA). For transfers to these providers, we rely on Standard Contractual Clauses ("SCCs") and, where applicable, the EU–US Data Privacy Framework ("DPF"). AppsFlyer makes its Data Processing Agreement and Standard Contractual Clauses available to its customers and applies SCCs to transfers governed by its agreements.
Egypt is not currently subject to an EU adequacy decision. As an Egyptian user, your data is governed by an EU-based controller and subject to full GDPR protections.
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account, plus 30 days after deletion request |
| Listing data | Until you delete the listing or close your account |
| Activity data (likes, saves, follows, views) | Duration of account |
| Message content and conversations | Duration of user relationship; deleted within 30 days of valid erasure request |
| Chat media (images sent in messages) | Deleted automatically after a defined period |
| Block lists | Until you unblock the user or close your account |
| Payment and billing records | 7 years (Austrian statutory accounting obligation) |
| Push notification tokens | Duration of account or until your device refreshes the token |
| Usage and analytics data | 24 months, then anonymised or deleted |
| Advertising attribution data (AppsFlyer) | Retained for the period needed to measure campaign performance, then aggregated or deleted; handled by AppsFlyer under its own data retention policy |
| Crash and error logs (Sentry) | 90 days |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
Egyptian users also have rights under the Egyptian PDPL including the right to be informed, the right of access, the right to rectification, and the right to erasure. To exercise any of these rights, contact us at [email protected].
We will respond within 30 days and may need to verify your identity. Account and listing deletion can also be performed directly within the App.
We deliver push notifications via Expo's notification infrastructure, routing through Apple APNs (iOS) and Google FCM (Android). You will be asked for permission when you first use the App. You may withdraw consent at any time through your device's notification settings or within the App.
We advertise the App on third-party platforms, including Meta, TikTok, Google, and Apple Search Ads. To understand which campaigns lead to installs and to avoid wasted advertising spend, we use AppsFlyer as our attribution provider. AppsFlyer acts as our data processor and Masyaf is the data controller: AppsFlyer processes data only on our instructions and under a Data Processing Agreement.
The data involved is described in Section 3.10 — device and technical information, mobile advertising identifiers, and records of app installs and in-app events. At our instruction, AppsFlyer shares limited install and event data with the advertising network to which a given install or event is attributed, so that network can measure and optimise its campaigns. AppsFlyer shares this data with advertising networks only at our request. We do not sell personal data, and AppsFlyer does not sell the data it processes for us.
Your choices on iOS. When you first open the App on an iOS device, Apple's App Tracking Transparency prompt asks whether you allow tracking. If you decline, no advertising identifier (IDFA) is collected, and attribution falls back to Apple's aggregated, privacy-preserving SKAdNetwork. You can change your choice at any time under Settings → Privacy & Security → Tracking.
Your choices on Android. You can reset or delete your Google Advertising ID, or opt out of ad personalisation, under Settings → Google → Ads on your device.
You may also object to attribution processing carried out on the basis of our legitimate interests, withdraw any consent you have given, or exercise your other rights, by contacting us at [email protected] (see Section 9).
If you sign in using Apple Sign-In or Google Sign-In, those providers share your name and email address with us solely for account creation. We do not receive your password or payment details from these providers.
Providing a phone number is optional. Where you include a phone number in your profile or listing, you control its visibility through the App's privacy settings. We recommend reviewing your visibility settings before publishing a listing.
The App is intended solely for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. Contact [email protected] if you believe a minor has registered.
We implement appropriate technical and organisational measures to protect personal data, including TLS-encrypted data transmission, database access controls and row-level security within Supabase, EU-located infrastructure for core user data, and Sentry configured to exclude sensitive content from error reports. In the event of a personal data breach, we will notify the Datenschutzbehörde and affected users as required under GDPR Article 33.
We may update this Policy to reflect changes in our services, infrastructure, or legal requirements. We will notify you of material changes by in-app notification or email at least 14 days before they take effect.
For all privacy-related questions, data subject requests, or complaints:
[email protected]