Villario  ·  a trading name of Cyridium Ltd  · ICO registration: ZC135949

This Privacy Policy explains how Villario, operated by Cyridium Ltd (registered in England and Wales; registered office 19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ), collects, uses, and protects personal data when you use Villario to search, book, list, or manage accommodation. We process data in accordance with UK GDPR and the Data Protection Act 2018.

Two roles, in one document. For most of the data described below — your account, bookings, payments, messages, and reviews — Villario is the Data Controller: we decide why and how that data is processed, because Villario itself operates the marketplace you're transacting on. For one specific category — guest identity documents collected because a Host's jurisdiction requires it — Villario acts as Data Processor on behalf of the Host, who is the Controller for that data. Section 6 explains this distinction and what it means for you in practice.

1. Who we are

Cyridium Ltd, trading as Villario
Registered office: 19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ
Email: privacy@villario.com
ICO registration: ZC135949

2. Data we collect and why

Category

Data

Purpose

Lawful basis

Account & profile

Display name, bio, avatar, phone, address, languages spoken, preferred locale, whether you're a Host

Operate your account; show Listing content in your preferred language; enable Host features once you list a property

Contract (Art. 6(1)(b))

Verification status

Which verification checks you've completed (email, phone, identity document)

Build trust between Guests and Hosts; some Hosts may require verified Guests for Instant Book

Legitimate interests (Art. 6(1)(f)) / Contract

Bookings

Check-in/out dates, guest counts, special requests, selected add-ons, pricing and tax breakdown, cancellation history

Create and manage your reservation; itemise your receipt; resolve cancellations and disputes

Contract (Art. 6(1)(b))

Payments

Payment status, amounts, currency, refund history. Card and bank details are processed and stored by our payment provider (Stripe) — Villario does not store full card numbers.

Process Booking payments, damage deposits, refunds, and Host payouts

Contract (Art. 6(1)(b))

Messages & enquiries

Content of messages between Guests and Hosts, scoped to a Booking or a pre-booking enquiry

Enable communication needed to arrange and manage a stay; support and abuse investigations

Contract / Legitimate interests

Reviews

Ratings and written comments you submit about a completed stay, and any Host response

Help other Guests choose a Property; help Hosts improve

Legitimate interests (Art. 6(1)(f))

Guest identity documents

Name, date of birth, nationality, document number/expiry/issuing country, address, place of birth, and a scan of the document, where a Property's jurisdiction legally requires guest ID collection

Statutory guest-registration compliance in the Property's jurisdiction

Legal obligation (Art. 6(1)(c)) — processed by Villario as Processor for the Host; see Section 6

Usage & device data

IP address, browser/device type, pages viewed, referral source

Security, fraud prevention, and understanding how the Service is used

Legitimate interests (Art. 6(1)(f))

3. Who we share data with

We do not sell personal data. We share it only as needed to run the Service:

Recipient

Purpose

Location

The Host of a Property you book (or the Guest, for a Host)

Names, booking dates, guest counts, special requests, and messages needed to fulfil the stay; for Hosts, the minimal identity fields described in Section 6

Varies by Host

Stripe, Inc.

Payment processing, fraud detection, Host payouts

United States — UK/EU Standard Contractual Clauses in place

Postmark (Wildbit, LLC)

Transactional email (booking confirmations, ID-collection links, password resets)

United States — UK/EU Standard Contractual Clauses in place

Linode, LLC (Akamai Technologies)

Cloud hosting and infrastructure, including encrypted storage of identity document scans

Data stored in UK/EU regions

We may also disclose data where required by law, to a relevant regulator or law-enforcement authority, or to protect the rights, safety, or property of Villario, our users, or others.

4. International transfers

Where personal data is transferred outside the UK to a Sub-Processor in a third country (for example, the United States), we rely on an appropriate safeguard — typically the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

5. How long we keep data

Data type

Retention period

Account/profile

For as long as your account is active, plus 90 days after closure to allow reactivation, then deleted or anonymised

Booking & payment records

7 years from the Booking date, to meet accounting and tax record-keeping obligations

Messages

2 years after the associated Booking is completed or cancelled

Reviews

Retained indefinitely as part of the public Listing history unless removed for a policy violation or at your request where we have no overriding reason to keep it

Guest identity documents

Set by the country-specific regulation applicable to the Property (typically 3 years from submission unless local law specifies otherwise); see Section 6

6. Guest identity verification — how it works, and why Villario is a Processor here

Some countries legally require accommodation providers to collect and retain identification details from every guest. Where this applies to a Property you've booked, we email you a secure, one-time link — valid for 30 days — where you submit the required fields and, if needed, a scan of your document directly to Villario. We never ask you to send this information by ordinary message or email, and the link cannot be reused once you've submitted your details.

  • Encryption: Submitted data is encrypted at rest (AES-256-GCM); document scans are stored in access-controlled storage and are never returned to the Host.

  • What the Host can see: Only your first name, last name, date of birth, and nationality are ever made visible to the Host — and only for a limited operational window after your checkout date (typically 14 days), after which the Host's view is withdrawn entirely. Your document number, expiry date, issuing country, address, place of birth, and the document scan itself are never shown to the Host under any circumstances; they are accessible only to Villario platform administrators, and only for the purpose of responding to a lawful authority request.

  • Audit trail: Every access to your stored identity data — whether granted or denied — is logged, including denials caused by an expired host-access window or a record that has already been purged.

  • Retention and deletion: Your data is automatically and permanently purged once the statutory retention period for the Property's jurisdiction has passed, independently of (and regardless of) the earlier host-access window described above.

  • Why Villario is the Processor, not the Controller, for this data: the legal duty to collect and retain this information belongs to the Host (as the accommodation provider registered in that jurisdiction), not to Villario. We process it strictly on the Host's documented instructions, under a Data Processing Agreement the Host must accept before collection can be enabled — see our Guest ID Data Processing Agreement. If you have a query about how your identity data specifically will be used by a Host, the Host is the correct point of contact as Controller; Villario remains available to assist as set out in that Agreement.

7. Cookies

Villario uses cookies for authentication, security, and (where you consent) analytics. See our Cookie Policy for full details and how to manage your preferences.

8. Your rights

Under UK GDPR, you have the right to:

  • Access a copy of the personal data we hold about you;

  • Rectification of inaccurate data;

  • Erasure of your data in certain circumstances (note: identity documents subject to a statutory retention period cannot be erased early, and completed Booking/payment records may be retained to meet accounting obligations);

  • Restriction of how we use your data;

  • Portability of data you provided under a contract or consent, in a machine-readable format;

  • Object to processing based on legitimate interests;

  • Withdraw consent at any time where we rely on it, without affecting processing already carried out.

To exercise these rights, email privacy@villario.com. We aim to respond within one month and may need to verify your identity first. Where a request relates to guest identity data for which a Host is the Controller (Section 6), we will forward it to the relevant Host without undue delay.

9. Children

Villario accounts are for people aged 18 and over. We do not knowingly collect personal data from children. Children may of course appear as guests on a Booking (e.g. as part of the guest count) — that limited data (age category, not identity) is handled as part of the Booking record described in Section 2.

10. Complaints

If you're unhappy with how we've handled your personal data, contact us first at privacy@villario.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or an in-product notice. The date at the top of this page reflects the last revision.

12. Contact

Cyridium Ltd, trading as Villario
19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ
Email: privacy@villario.com
ICO registration: ZC135949