Privacy Policy
How we collect, use, store, and protect your personal data. Kirya is committed to GDPR compliance and transparent data practices.
Last updated: February 2026
13 sections covering data collection, legal basis, your rights, retention, international transfers, and contact details.
Kirya ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform. It also outlines your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Who We Are
Kirya is a property platform operated from Malta. We are the data controller for the personal data processed through our platform. For any questions about how we handle your data, you can reach us at support@mykirya.com.
2. Information We Collect
Account information
Name, email address, phone number, profile photo, and password when you create an account.
Property listing data
Property descriptions, photos, pricing, availability, and location data provided by hosts.
Booking data
Dates, guest counts, special requests, and communication between hosts and guests.
Payment data
Payment card details are processed securely by Stripe and are never stored on our servers.
Usage data
How you interact with the platform, including pages visited, search queries, and device information.
Communications
Messages sent through our platform, support inquiries, and feedback.
Developer Services data
Lead attribution records, reservation agreements, and commission calculations for property developers using our Developer Services product.
3. How We Use Your Information
- To provide and operate the Kirya platform
- To process bookings and facilitate communication between hosts and guests
- To process payments through our payment partner (Stripe)
- To send booking confirmations, reminders, and important account notifications
- To calculate and display Host Scores and reliability metrics
- To enforce cancellation policies and process associated fees
- To improve our platform based on usage patterns and feedback
- To prevent fraud, detect suspicious activity, and ensure platform security
- To comply with legal obligations under Maltese and EU law
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
Contract performance
Processing necessary to fulfil our agreement with you, such as managing your account, processing bookings, and handling subscription billing.
Legitimate interests
Processing necessary for our legitimate business interests, such as improving the platform, fraud prevention, and enforcing our Terms of Service, provided these interests do not override your rights.
Legal obligation
Processing required to comply with applicable laws, including tax reporting under Maltese law, responding to legal requests, and maintaining records as required by regulation.
Consent
Where you have given us explicit consent, such as for marketing emails or optional analytics. You can withdraw consent at any time.
5. Information Sharing
We share your information only as necessary to provide our services:
Between users
Host details are shared with guests for confirmed bookings, and guest details are shared with the relevant host. Only the information necessary for the booking is shared.
Payment processors
Stripe processes payments on our behalf. Stripe is PCI DSS Level 1 certified and operates under its own privacy policy.
Service providers
We may use third-party services for hosting, analytics, email delivery, and customer support. These providers process data on our behalf under strict data processing agreements.
Legal requirements
We may disclose data if required by law, court order, or government request. We will notify you where legally permitted to do so.
We never sell your personal data to third parties for marketing or advertising purposes.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS/SSL), secure authentication, access controls, regular security reviews, and encrypted data storage. Payment information is processed by Stripe and never touches our servers. While we take every reasonable precaution, no system is completely secure, and we cannot guarantee absolute security of your data.
7. Cookies and Tracking
We use cookies and similar technologies to improve your experience, remember your preferences, and understand how our platform is used. Essential cookies are necessary for the platform to function and do not require consent under GDPR. Non-essential cookies (analytics, functional) require your consent before being placed. You can manage your cookie preferences through your browser settings. For full details, see our Cookie Policy.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with equivalent data protection laws, you have the following rights:
Right of access
You can request a copy of the personal data we hold about you. We will provide this within 30 days.
Right to rectification
You can ask us to correct any inaccurate or incomplete data.
Right to erasure
You can request that we delete your personal data, subject to legal retention requirements (such as financial records).
Right to restrict processing
You can ask us to limit how we use your data in certain circumstances, such as while a complaint is being investigated.
Right to data portability
You can request your data in a structured, commonly used, machine-readable format (such as CSV or JSON).
Right to object
You can object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@mykirya.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Malta, this is the Information and Data Protection Commissioner (IDPC) at idpc.org.mt.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods:
Account data
Retained for the lifetime of your account. Deleted within 30 days of account closure upon request.
Booking records
Retained for 7 years after the booking date for legal and accounting purposes under Maltese law.
Messages
Retained for the lifetime of your account. Deleted upon account closure, subject to any active dispute resolution.
Payment records
Retained for 7 years as required by Maltese tax law.
Cancelled accounts
Listing history preserved for 90 days before permanent deletion. Financial records retained as required by law.
Lead attribution data
Retained for the duration of the attribution window (typically 12 months) plus any period required for dispute resolution.
10. International Data Transfers
Your data may be processed in countries outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or processing in countries that have been granted an adequacy decision. Our primary infrastructure is hosted within the EU.
11. Children
Kirya is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly and take steps to prevent further collection.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in technology, legislation, or our business practices. If we make significant changes, we will notify you by email or through a prominent notice on the platform at least 30 days before the changes take effect. We encourage you to review this page periodically. The "last updated" date at the top of this page indicates when the policy was most recently revised.
13. Contact and Data Protection Officer
For questions about this Privacy Policy, to exercise your data protection rights, or to raise a complaint about how we handle your data, contact us at support@mykirya.com or visit our Contact page. You also have the right to lodge a complaint directly with the Information and Data Protection Commissioner (IDPC) in Malta.
Your data is important to us. If you have any questions about how we handle your information, we are here to help.