Privacy Policy>
Villario · a trading name of Cyridium Ltd · ICO registration: ZC135949
This Privacy Policy explains how Villario, operated by Cyridium Ltd (registered in England and Wales; registered office 19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ), collects, uses, and protects personal data when you use Villario to search, book, list, or manage accommodation. We process data in accordance with UK GDPR and the Data Protection Act 2018.
Two roles, in one document. For most of the data described below — your account, bookings, payments, messages, and reviews — Villario is the Data Controller: we decide why and how that data is processed, because Villario itself operates the marketplace you're transacting on. For one specific category — guest identity documents collected because a Host's jurisdiction requires it — Villario acts as Data Processor on behalf of the Host, who is the Controller for that data. Section 6 explains this distinction and what it means for you in practice.
1. Who we are
Cyridium Ltd, trading as Villario
Registered office: 19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ
Email: privacy@villario.com
ICO registration: ZC135949
2. Data we collect and why
Category | Data | Purpose | Lawful basis |
|---|---|---|---|
Account & profile | Display name, bio, avatar, phone, address, languages spoken, preferred locale, whether you're a Host | Operate your account; show Listing content in your preferred language; enable Host features once you list a property | Contract (Art. 6(1)(b)) |
Verification status | Which verification checks you've completed (email, phone, identity document) | Build trust between Guests and Hosts; some Hosts may require verified Guests for Instant Book | Legitimate interests (Art. 6(1)(f)) / Contract |
Bookings | Check-in/out dates, guest counts, special requests, selected add-ons, pricing and tax breakdown, cancellation history | Create and manage your reservation; itemise your receipt; resolve cancellations and disputes | Contract (Art. 6(1)(b)) |
Payments | Payment status, amounts, currency, refund history. Card and bank details are processed and stored by our payment provider (Stripe) — Villario does not store full card numbers. | Process Booking payments, damage deposits, refunds, and Host payouts | Contract (Art. 6(1)(b)) |
Messages & enquiries | Content of messages between Guests and Hosts, scoped to a Booking or a pre-booking enquiry | Enable communication needed to arrange and manage a stay; support and abuse investigations | Contract / Legitimate interests |
Reviews | Ratings and written comments you submit about a completed stay, and any Host response | Help other Guests choose a Property; help Hosts improve | Legitimate interests (Art. 6(1)(f)) |
Guest identity documents | Name, date of birth, nationality, document number/expiry/issuing country, address, place of birth, and a scan of the document, where a Property's jurisdiction legally requires guest ID collection | Statutory guest-registration compliance in the Property's jurisdiction | Legal obligation (Art. 6(1)(c)) — processed by Villario as Processor for the Host; see Section 6 |
Usage & device data | IP address, browser/device type, pages viewed, referral source | Security, fraud prevention, and understanding how the Service is used | Legitimate interests (Art. 6(1)(f)) |
3. Who we share data with
We do not sell personal data. We share it only as needed to run the Service:
Recipient | Purpose | Location |
|---|---|---|
The Host of a Property you book (or the Guest, for a Host) | Names, booking dates, guest counts, special requests, and messages needed to fulfil the stay; for Hosts, the minimal identity fields described in Section 6 | Varies by Host |
Stripe, Inc. | Payment processing, fraud detection, Host payouts | United States — UK/EU Standard Contractual Clauses in place |
Postmark (Wildbit, LLC) | Transactional email (booking confirmations, ID-collection links, password resets) | United States — UK/EU Standard Contractual Clauses in place |
Linode, LLC (Akamai Technologies) | Cloud hosting and infrastructure, including encrypted storage of identity document scans | Data stored in UK/EU regions |
We may also disclose data where required by law, to a relevant regulator or law-enforcement authority, or to protect the rights, safety, or property of Villario, our users, or others.
4. International transfers
Where personal data is transferred outside the UK to a Sub-Processor in a third country (for example, the United States), we rely on an appropriate safeguard — typically the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
5. How long we keep data
Data type | Retention period |
|---|---|
Account/profile | For as long as your account is active, plus 90 days after closure to allow reactivation, then deleted or anonymised |
Booking & payment records | 7 years from the Booking date, to meet accounting and tax record-keeping obligations |
Messages | 2 years after the associated Booking is completed or cancelled |
Reviews | Retained indefinitely as part of the public Listing history unless removed for a policy violation or at your request where we have no overriding reason to keep it |
Guest identity documents | Set by the country-specific regulation applicable to the Property (typically 3 years from submission unless local law specifies otherwise); see Section 6 |
6. Guest identity verification — how it works, and why Villario is a Processor here
Some countries legally require accommodation providers to collect and retain identification details from every guest. Where this applies to a Property you've booked, we email you a secure, one-time link — valid for 30 days — where you submit the required fields and, if needed, a scan of your document directly to Villario. We never ask you to send this information by ordinary message or email, and the link cannot be reused once you've submitted your details.
Encryption: Submitted data is encrypted at rest (AES-256-GCM); document scans are stored in access-controlled storage and are never returned to the Host.
What the Host can see: Only your first name, last name, date of birth, and nationality are ever made visible to the Host — and only for a limited operational window after your checkout date (typically 14 days), after which the Host's view is withdrawn entirely. Your document number, expiry date, issuing country, address, place of birth, and the document scan itself are never shown to the Host under any circumstances; they are accessible only to Villario platform administrators, and only for the purpose of responding to a lawful authority request.
Audit trail: Every access to your stored identity data — whether granted or denied — is logged, including denials caused by an expired host-access window or a record that has already been purged.
Retention and deletion: Your data is automatically and permanently purged once the statutory retention period for the Property's jurisdiction has passed, independently of (and regardless of) the earlier host-access window described above.
Why Villario is the Processor, not the Controller, for this data: the legal duty to collect and retain this information belongs to the Host (as the accommodation provider registered in that jurisdiction), not to Villario. We process it strictly on the Host's documented instructions, under a Data Processing Agreement the Host must accept before collection can be enabled — see our Guest ID Data Processing Agreement. If you have a query about how your identity data specifically will be used by a Host, the Host is the correct point of contact as Controller; Villario remains available to assist as set out in that Agreement.
7. Cookies
Villario uses cookies for authentication, security, and (where you consent) analytics. See our Cookie Policy for full details and how to manage your preferences.
8. Your rights
Under UK GDPR, you have the right to:
Access a copy of the personal data we hold about you;
Rectification of inaccurate data;
Erasure of your data in certain circumstances (note: identity documents subject to a statutory retention period cannot be erased early, and completed Booking/payment records may be retained to meet accounting obligations);
Restriction of how we use your data;
Portability of data you provided under a contract or consent, in a machine-readable format;
Object to processing based on legitimate interests;
Withdraw consent at any time where we rely on it, without affecting processing already carried out.
To exercise these rights, email privacy@villario.com. We aim to respond within one month and may need to verify your identity first. Where a request relates to guest identity data for which a Host is the Controller (Section 6), we will forward it to the relevant Host without undue delay.
9. Children
Villario accounts are for people aged 18 and over. We do not knowingly collect personal data from children. Children may of course appear as guests on a Booking (e.g. as part of the guest count) — that limited data (age category, not identity) is handled as part of the Booking record described in Section 2.
10. Complaints
If you're unhappy with how we've handled your personal data, contact us first at privacy@villario.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or an in-product notice. The date at the top of this page reflects the last revision.
12. Contact
Cyridium Ltd, trading as Villario
19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ
Email: privacy@villario.com
ICO registration: ZC135949