Is availability real?

Yes. Each property page checks current availability before showing a price or allowing you to submit a request.

When do I see the total price?

Before payment. The total shows nights, cleaning, and applicable charges, including pets only on properties that allow them.

Which properties allow pets?

Only Cabañita Entreaguas and Cabaña Entreaguas allow pets. The fee is US$7 per pet per night. The Hojarasca apartments do not allow pets.

It is a private, voluntary profile for saving preferences, getting pre-arrival help, and building recognition on eligible direct stays. You can book without joining. Benefits are not automatic and are subject to rules, availability, reservation value, and CAXA approval.

Privacy Policy — CAXA Stays

Ver versión en español. In case of conflict, the Spanish version controls where Colombian consumer or data-protection law applies; this English version is provided for convenience.

ETERNUS LLC, doing business as CAXA Stays ("CAXA", "we", "us", "operator") manages short-term rental properties in Medellín and El Retiro, Antioquia, Colombia, and provides direct booking through caxastays.com and www.caxastays.com. This Privacy Policy is also our privacy notice and data-processing policy for Colombian personal-data purposes.

By submitting a booking request, completing digital check-in, communicating with us, or staying at a CAXA-managed property, you authorize the processing described here. If you provide information about other guests, including minors, you represent that you are authorized to provide it and to share this policy with them.

1. Controller and contact

Data controller / responsable del tratamiento: ETERNUS LLC dba CAXA Stays.
Operations: Medellín and El Retiro, Antioquia, Colombia.
Privacy contact: zach@caxastays.com.

2. Data we collect

Booking and stay data: name, email, phone, selected property, check-in and check-out dates, adult/child/pet counts, selected add-ons or requests, booking status, price, currency, cancellation status, guest messages, incident notes, and support history.
Payment and fraud-control data: Stripe checkout session ID, payment intent ID, setup intent ID, saved payment method reference, amount, currency, payment status, refund status, chargeback/dispute records, billing metadata, IP address, user agent, and timestamps. We do not receive or store full card numbers, CVV, or card expiry.
Identity and legal-registration data: full legal name, document type and number, date of birth, nationality, country/city of residence, passport or ID image where provided, and related check-in form fields required to verify identity and comply with Colombian TRA/SIAT and SIRE guest-registration obligations.
Sensitive or higher-risk data: identity-document images, nationality, date of birth, and any biometric information that may be visible in an ID image. We collect this only where needed for identity verification, lodging safety, legal compliance, dispute defense, or government reporting, and we do not request unrelated sensitive information.
Website and analytics data: device, browser, IP-derived region, referral source, page views, booking funnel events, Google Ads click identifiers (for example gclid, gbraid, wbraid), cookie/local-storage identifiers, and timestamps.
Operational records: access logs, audit logs, compliance task status, automated system events, security alerts, and records needed to administer the property, prevent fraud, and document consent.

3. Purposes and legal bases

We process data only for defined purposes. Depending on the context, our basis is your consent, performance of the booking contract, legal obligation, legitimate operational interest, or protection of guests, staff, property, and legal rights.

Quote prices, check availability, receive booking requests, authorize payment, approve or decline requests, confirm stays, and provide guest support.
Charge, refund, reconcile, invoice, prevent fraud, respond to payment disputes, and defend against chargebacks or legal claims.
Collect and submit mandatory lodging records, including Tarjeta de Registro de Alojamiento (TRA/SIAT) for guests and Sistema de Información para el Reporte de Extranjeros (SIRE) for foreign guests.
Verify identity, enforce house rules, investigate incidents, document damages, protect neighbors and property, and cooperate with competent authorities when legally required.
Operate, secure, troubleshoot, and improve our website, booking flow, compliance automation, and internal operations.
Measure advertising and booking funnel performance. We do not sell guest personal data.

4. Mandatory information

Booking contact, payment, occupancy, and legal-registration data are required to request or complete a stay. If you or any guest refuses to provide mandatory identity or registration data, we may decline the request, cancel the reservation, deny check-in, or terminate the stay as described in the Terms of Booking. Some data submitted to government systems cannot be deleted by us because it becomes part of official records.

5. Who we share data with

We share data only as needed for booking, payment, property operations, legal compliance, security, analytics, or dispute defense:

Stripe, Inc. — payment authorization, capture, refund, fraud screening, disputes, and tax/payment records. stripe.com/privacy
Hostaway — reservation management, calendar sync, guest messaging, digital check-in, and channel operations. hostaway.com/privacy-policy
Supabase and Fly.io — database, application hosting, logs, and backend automation. supabase.com/privacy · fly.io/legal/privacy-policy
Vercel — static website hosting and edge delivery. vercel.com/legal/privacy-policy
Google — analytics, tag management, advertising attribution, and conversion measurement. policies.google.com/privacy
Mincit / SIAT / TRA, Migración Colombia / SIRE, DIAN, courts, police, administrative authorities, insurers, lawyers, accountants, banks, card networks, and property owners or homeowners' associations — only where required or reasonably necessary for legal compliance, lodging administration, incident handling, accounting, insurance, dispute resolution, or enforcement of our rights.

We do not sell or rent guest identity data. We may disclose aggregated, de-identified, or anonymized operational data that cannot reasonably identify a natural person.

6. International transfers

Our business uses cross-border infrastructure and service providers. Your data may be processed in Colombia, the United States, Brazil, the European Economic Area, and other countries where our processors operate. By booking with us or providing data, you authorize these transfers for the purposes described in this policy. We rely on processor contracts, access controls, security commitments, and data minimization to protect transferred data.

7. Retention

We keep data only as long as necessary for the purpose collected, legal retention, dispute defense, accounting, tax, tourism compliance, fraud prevention, and auditability. Booking, payment, consent, tax, and compliance records may be retained for up to ten (10) years or longer where a claim, investigation, legal obligation, chargeback, or government requirement remains open. Security logs are generally retained for shorter operational periods unless needed for investigation. Government records submitted to TRA/SIAT, SIRE, DIAN, courts, police, or other authorities are retained by those authorities under their own rules.

8. Security

Payment data is handled by Stripe. Our systems use TLS, role-based access, limited administrative access, audit logs, environment-secret controls, and row-level security where available. We limit access to people and processors with an operational need. No online system can be guaranteed perfectly secure, but we maintain reasonable administrative, technical, and organizational safeguards for the size and nature of the business.

9. Your rights

Subject to legal limits, you may request access, correction, update, proof of authorization, information about how your data has been used, deletion, revocation of consent, and a copy of your personal data. Deletion or consent revocation may be denied or limited when we must retain data for the booking contract, legal compliance, government reporting, accounting, fraud prevention, security, chargeback defense, or legal claims.

To exercise rights, email zach@caxastays.com with the subject "Habeas Data request" and enough information to verify your identity and locate the booking. We will respond to consultations and claims within the time periods required by applicable Colombian data-protection law. If you believe your request was not handled properly, you may contact the Superintendencia de Industria y Comercio after first submitting your request to us.

10. Children and minors

Only adults 18+ may book. Minors may stay only with a responsible adult. We may collect minors' identity data where legally required for lodging registration, safety, or compliance. The adult booking guest is responsible for providing any necessary authorization, and we process minors' data only for defined lodging, safety, compliance, and dispute-defense purposes with their best interests in mind.

11. Cookies and advertising identifiers

We use cookies, local storage, and similar technologies to operate the website, remember attribution identifiers, measure booking funnel performance, and improve our service. Browser settings may allow you to block or delete cookies, but parts of the booking flow may not work correctly without essential storage.

12. Updates

We may update this policy from time to time. The version posted when you submit a booking request governs that request unless a later version is required by law or is more protective of your rights. Material changes will be posted here with a new "Last updated" date.