to the AvantStay Guest Agreement
Effective Date: June 10th, 2026 | Version 1.1
This Biometric Data & Surveillance Addendum (this "Addendum") is incorporated by reference into, and forms part of, the AvantStay Guest Agreement (the "Agreement") between AvantStay, Inc. ("AvantStay", "we", "us", or "our") and the guest identified in the Agreement ("Guest", "you", or "your"). Capitalized terms not otherwise defined herein have the meanings given in the Agreement.
AvantStay uses a third-party identity-verification platform (currently Persona Identities, Inc., www.withpersona.com, "Persona") to verify Guest identity through facial-scan technology at or before check-in at certain properties. AvantStay does not independently collect, store, or retain the facial-scan data generated during that process; Persona collects and processes such data as a service provider acting on AvantStay's behalf. In addition, certain AvantStay properties are equipped with video surveillance cameras for safety and security purposes.
This Addendum discloses those practices, obtains required consents, and describes applicable rights under U.S. biometric privacy laws and the European Union General Data Protection Regulation.
BY ACCEPTING THE AGREEMENT THAT INCORPORATES THIS ADDENDUM, GUEST ACKNOWLEDGES HAVING READ, UNDERSTOOD, AND AGREED TO ITS TERMS.
1.1 "Biometric Data" means facial geometry or facial-scan data — i.e., a mathematical representation derived from a scan of facial geometry used to verify identity — as collected or processed through the Persona platform in connection with Guest identity verification.
1.2 "Surveillance Data" means video and associated metadata recorded by closed-circuit television ("CCTV") or other on-property security cameras at AvantStay properties. Surveillance Data does not constitute Biometric Data under this Addendum unless AvantStay expressly activates facial-recognition processing against such footage, which it does not currently do.
1.3 "Applicable Biometric Law" means, as applicable to a particular Guest or property:
1.4 "Persona" means Persona Identities, Inc., AvantStay's third-party identity-verification service provider, accessible at www.withpersona.com.
1.5 "Controller", "Processor", and "Special Category Data" have the meanings given in the GDPR.
When identity verification is required for a booking, AvantStay directs Guest to the Persona platform. Through that platform, Persona captures a facial scan (facial geometry data) and compares it against the photo on a government-issued ID document supplied by Guest. AvantStay receives from Persona a verification result (pass / fail / review) together with identity-document metadata. AvantStay does not receive, store, or retain the underlying facial-scan template or raw biometric data.
Persona acts as:
Guests are encouraged to review Persona's Privacy Policy (www.withpersona.com/legal/privacy-policy) for information about how Persona collects, uses, retains, and deletes biometric and identity data on its platform.
Biometric Data is processed solely for the following purposes:
AvantStay does not currently collect fingerprints, iris or retina scans, voiceprints, hand-geometry data, or any other biometric identifier in connection with Guest stays. If AvantStay introduces additional biometric modalities in the future, this Addendum will be updated and Guests will be notified and re-consented as required by Applicable Biometric Law.
AvantStay obtains written consent as required by BIPA (740 ILCS 14/15(b)), CUBI (§ 503.001(b)), and comparable state laws before causing Biometric Data to be collected through Persona. This Addendum, when accepted as part of the Agreement, constitutes written consent for the purposes described herein. The stated purpose of collection and the maximum retention period are disclosed in Sections 2.3 and 4 respectively, as required by BIPA § 15(b)(2)-(3).
For Guests resident in the EEA or UK, AvantStay relies on the following legal bases:
AvantStay does not independently retain Biometric Data. AvantStay retains only the identity-verification result (pass / fail / review) and associated metadata (e.g., document type, verification timestamp) for the duration of the Guest relationship and for a period thereafter as required by law or legitimate record-keeping purposes, but no longer than 1 year from the date the Booking concludes.
Biometric Data (facial geometry templates, ID document images) is retained by Persona in accordance with Persona's data retention policies and any applicable contractual restrictions AvantStay has imposed via its DPA with Persona. AvantStay has contractually required Persona to:
Neither AvantStay nor, to AvantStay's knowledge, Persona sells, leases, trades, or otherwise profits from Biometric Data, consistent with BIPA § 15(c).
AvantStay will not disclose Biometric Data to Third Parties other than Persona except:
Where Biometric Data originating in the EEA or UK is transferred outside the EEA/UK — including to Persona's servers located in the United States — AvantStay relies on:
Biometric Data will never be disclosed to any Third Party for advertising, marketing, or commercial profiling purposes.
Certain AvantStay properties are equipped with exterior and/or interior security cameras ("Cameras") in common areas, entry points, driveways, and other locations disclosed in the property listing and/or posted on-site. Camera placement complies with applicable state disclosure laws. Cameras are not installed in bedrooms, bathrooms, or other areas where Guests have a reasonable expectation of privacy.
Surveillance Data is collected and retained for the following purposes:
AvantStay does not currently apply facial-recognition or other biometric-analysis technology to Surveillance Data. Accordingly, Surveillance Data is not treated as Biometric Data under this Addendum. If AvantStay introduces such processing in the future, this Addendum will be updated, required consents obtained, and required regulatory steps taken (including GDPR Article 35 DPIA and biometric law compliance) before deployment.
Surveillance Data is retained for a maximum of 180 days from the date of recording, after which it is automatically overwritten or deleted, unless retained for longer in connection with a specific incident, legal hold, insurance claim, or law-enforcement request. For EEA/UK Guests, this retention period is proportionate to the security purposes served, consistent with GDPR Article 5(1)(e).
For EEA/UK Guests, AvantStay processes Surveillance Data on the basis of its legitimate interests (Article 6(1)(f) GDPR) in protecting property and ensuring Guest safety, which have been balanced against Guests' privacy interests. AvantStay has conducted a Legitimate Interests Assessment ("LIA") for CCTV processing, available upon request. Guests have the right to object to this processing (see Section 7.2).
Surveillance Data is accessible only to authorized AvantStay personnel, designated property managers, and — where legally required — law enforcement. AvantStay will not voluntarily disclose Surveillance Data to third parties except as permitted by Section 5.1 (applied mutatis mutandis to Surveillance Data).
Subject to identity verification, all Guests may:
Submit requests to:
Response timelines: BIPA/CCPA/CPRA requests — within 45 days (extendable by 45 days with notice); GDPR requests — within 30 days (extendable by 60 days in complex cases with notice). For requests relating to data held by Persona, AvantStay will facilitate the request or direct Guest to Persona's data-subject request process at privacy@withpersona.com.
8.1 AvantStay implements appropriate technical and organizational measures to protect the identity-verification result data it holds, including encryption at rest and in transit, role-based access controls, regular security assessments, and employee training. AvantStay has contractually required Persona to maintain equivalent or higher standards for Biometric Data.
8.2 Data Breach Notification. In the event of a breach affecting Biometric Data or Surveillance Data, AvantStay will notify Guests and relevant supervisory authorities in accordance with GDPR Articles 33-34, applicable U.S. state breach-notification laws, and any specific requirements of Applicable Biometric Law.
For Illinois residents: (a) This Addendum constitutes the written release under 740 ILCS 14/15(b)(3). (b) AvantStay's biometric data retention schedule and destruction guidelines are set out in Section 4. (c) AvantStay will not sell, lease, trade, or profit from Biometric Data (§ 15(c)). (d) Disclosure to Persona is permitted under § 15(d)(2) as Persona completes identity verification on AvantStay's behalf. (e) AvantStay uses a reasonable standard of care in transmitting Biometric Data to Persona, consistent with § 15(e).
For Texas residents: AvantStay obtains consent before capture (§ 503.001(b)); does not retain biometric identifiers longer than necessary (§ 503.001(c)); will not sell or disclose except as permitted (§ 503.001(d)); and uses reasonable care in storage and transmission (§ 503.001(e)).
For Washington residents: AvantStay obtains consent before enrollment of biometric data (RCW 19.375.020); complies with applicable deletion obligations; and has implemented a reasonable security program.
Biometric data and facial-geometry data are "sensitive personal information" under CCPA/CPRA Cal. Civ. Code § 1798.140(ae)(1)(B). AvantStay does not sell or share such data. Guests may request limitation of use to identity-verification purposes only. AvantStay's CCPA Privacy Notice is incorporated by reference.
This Section applies to EEA- and UK-resident Guests; in the event of conflict with other sections regarding such Guests, this Section prevails.
AvantStay, Inc. is the Data Controller.
Contact: legal@avantstay.com or 9901 Brodie Lane, Ste 160 #6012 Austin, TX 78748.
Facial biometric data is Special Category Data under GDPR Article 9. It is processed only on the basis of explicit consent (Article 9(2)(a)).
AvantStay has conducted a Data Protection Impact Assessment under GDPR Article 35 for biometric identity-verification processing. The DPIA is available to the competent supervisory authority on request.
Where required by national law or guidance, AvantStay displays signage at or before the entrance of surveilled areas disclosing the identity of the Controller and contact details for exercising data subject rights.
EEA Guests may complain to their national supervisory authority. UK Guests may complain to the ICO (www.ico.org.uk).
AvantStay does not knowingly collect Biometric Data from individuals under the age of 13. In the United States, parental or guardian consent is required for biometric verification of guests under 16. For EEA/UK Guests, AvantStay complies with applicable national law on children's data. A consenting adult Guest who books on behalf of minors represents that they have authority to act on the minor's behalf.
AvantStay may update this Addendum at any time. Material changes affecting biometric processing will be communicated at least 30 days before taking effect (or such longer period as required by law). EEA/UK Guests will be asked to provide fresh explicit consent where required by GDPR. Continued use of AvantStay properties after the effective date constitutes acceptance for non-EEA/UK Guests.
This Addendum is part of and subject to the Agreement. In case of conflict regarding biometric or surveillance data, this Addendum controls.
If any provision is found invalid or unenforceable, the remaining provisions remain in full force.
To the extent not governed by Applicable Biometric Law, this Addendum is governed by the laws of Delaware without regard to conflict-of-law principles.
legal@avantstay.com, AvantStay, Inc., Attn: Legal Team, 9901 Brodie Lane, Ste 160 #6012 Austin, TX 78748.