Asking Guests for ID Isn't the Problem. Asking Badly Is.
A booking platform may verify the person who books. The property may still have to identify every person staying, report the required data and avoid retaining ID copies longer than necessary.
by Pierantonio Pozzi, founder of StayFast and host in Caspoggio
Questo articolo è pubblicato in inglese.
A booking platform may verify the person who books. The property may still have to identify every person staying, report the required data and avoid retaining ID copies longer than necessary.
Italy provides a clear example. Properties covered by Article 109 of the public-security law must submit guest details through Alloggiati Web within 24 hours of arrival. When a stay lasts less than 24 hours, the information must be sent upon arrival.
A platform's identity verification does not replace the property's legal obligations. Airbnb may verify an account holder but does not share that government ID with the host. Where local law requires additional identification and the requirement was disclosed before booking, the property must collect what it needs for its own compliance.
Rules differ between countries — the framework described here is primarily Italian. The operational principle does not change: guests need to know what will be requested, why it is needed and how their data will be handled.
The request feels different when it is expected
Consider two arrivals.
In the first, a family reaches the property after a long trip and learns at the door that everyone must photograph their documents and send them through WhatsApp before receiving the keys.
In the second, the listing explains that Italian law requires guest identification and reporting. After confirmation, the guest receives a clear message: a personal link will collect the required data before arrival; identity will be verified at check-in; any temporary document copies will not be kept longer than necessary.
The duty is the same. The experience is not.
Not every guest will be comfortable sharing personal information. A request that is disclosed, proportionate and explained is nevertheless very different from an improvised demand.
Disclosing it before booking is necessary, but not sufficient
A sentence buried inside the house rules is not a complete process. Still, any legal or compliance requirement for additional identity information should be disclosed before booking.
Airbnb explicitly allows a host to request ID after confirmation for legal or compliance reasons when the listing has explained what is required and why.
After confirmation, a second, practical message is needed:
Italian law requires guest identification and reporting. Before arrival, you will receive a personal link for the required details. We will complete the identity check at check-in.
Disclosure creates the expectation. The check-in journey lets the guest complete the task.
Vuoi vedere come appare a un ospite reale?
Esplora una demo StayFast: stessa esperienza che vedrebbe chi soggiorna nella tua struttura.
Pre-collecting data does not mean registration is already complete
Pre-arrival is the right time to gather details, find missing information and prepare check-in. It should not be described as if the legal process had finished days before arrival.
A sound process separates at least three moments:
- pre-collection of the required data;
- identity verification when the guest accesses the property;
- reporting within the deadline triggered by arrival.
In 2025, Italy's Council of State clarified that receiving an ID in advance and then automatically sending a door code is not enough. The property must check that the person entering matches the photograph on the document.
That check may occur:
- in person, in front of the host or an operator;
- remotely, through a real-time video connection arranged at access and capable of comparing the person with the document.
Digital check-in remains possible. It needs to be a complete process: data before arrival, verification at access and reporting within the statutory deadline. Readers outside Italy should confirm the rules that apply in their jurisdiction.
"Every guest" does not mean the same document scan from everyone
The reporting duty concerns the people who actually stay, not only the booking holder.
That does not mean a system should indiscriminately demand a full ID image from every person. Required fields may vary for individual guests, families and organized groups.
A well-designed flow should:
- collect only required data;
- distinguish a family or group leader from other members;
- avoid unnecessary fields;
- prevent technical convenience from becoming excessive collection.
The principle is simple: every person must be properly recorded, but data should not be duplicated without a reason.
A passport photo sent through WhatsApp is not a secure process
In April 2026, the Italian Data Protection Authority issued a direct reminder to hotels, B&Bs, guest houses and other accommodation providers.
The law permits processing the data needed to identify guests and report them to public authorities. It does not authorize properties to build permanent archives of ID photographs and scans.
The practical requirements include:
- do not collect document photographs through personal phones or messaging services such as WhatsApp;
- protect the information with appropriate safeguards;
- properly govern service providers that process the data;
- delete digital copies or destroy paper copies once the reporting system issues its receipt;
- retain the Alloggiati Web receipt for five years.
This changes how check-in software should be evaluated. Reading a passport is not enough. The system must know why the document was acquired, who can access it, how long it remains available and when it is deleted.
Digital check-in is not an isolated form
A credible journey connects separate steps without confusing them:
- disclosure before booking;
- a personal protected link;
- collection of only the required data;
- temporary document capture where necessary;
- identity verification in person or by live video at access;
- contract signing online or in person where required;
- preparation and reporting of the required data;
- receipt of the completed submission;
- deletion of document copies under the applicable rule.
Contract signing, identity verification and public-authority reporting remain different operations. They may live in one journey, but one does not automatically prove the others.
How Flow is taking shape
Flow is in advanced development as the StayFast layer for check-in and operational compliance.
The aim is not to add another disconnected form outside the guest guide. It is to build a booking-linked sequence:
- pre-arrival request in the guest's language;
- structured data for every person staying;
- clear status for missing steps;
- real-time online or in-person identity verification;
- contract signing within the same check-in journey, online or with an operator;
- preparation of the information required for reporting;
- management of receipts and document-deletion rules;
- release of sensitive access information only when the required steps are complete.
The precise methods for reporting, verification and retention will need to match the property type, jurisdiction and integrations actually available.
Flow is not yet a production feature. It is the natural continuation of the StayFast journey: from the living guest guide to the check-in that makes that journey operationally complete.
Not another management system imposed on everyone
StayFast is not designed to replace every PMS, channel manager or hotel-management platform. It supports two different paths.
For a property that is growing
A property can begin with the public guide, add the personal Stay Hub and Boost services, and then bring check-in and compliance into Flow. Later, Sync is intended to expand integration and operational continuity.
The goal is to prevent every new need from requiring another account, another interface and another isolated data store. A property growing with StayFast can add capabilities while preserving one coherent journey for staff and guests.
Flow is in advanced development. Sync belongs to a later roadmap and must not be presented as currently available.
For an already structured operator
A property that already relies on a PMS or channel manager should not have to replace it.
Boost Connect is designed to sit downstream of the existing system. It uses booking and unit context to power the Stay Hub, Concierge AI, Extras and stay-related communication.
The PMS remains the operational system of record and source of truth. StayFast handles the layer that reaches the guest.
The distinction is deliberate: Flow and, later, Sync help growing properties avoid a stack of disconnected point solutions; Boost Connect connects StayFast to operators that already have established systems.
Not a universal PMS. A coherent guest-experience and stay-operations layer.
Where to start
- Explain in the listing what will be requested and why.
- Describe the process immediately after confirmation.
- Pre-collect the information that can be prepared before arrival.
- Verify identity at access, in person or through an appropriate live-video method.
- Stop requesting document photographs through WhatsApp.
- Define who can access data, when copies are deleted and which receipt is retained.
- Keep identity verification, contract signing, police reporting, statistics and tourist tax as distinct steps.
- Provide assisted check-in for guests who cannot complete the digital journey.
The rule that prevents most mistakes
Before requesting an ID, the property should be able to answer four questions:
Why do we need it? How do we verify the person? Who can see the data? When is it deleted?
When one answer is missing, the problem is not a suspicious guest. It is an incomplete process.
Conclusion
Guest registration should not appear at the door as an unexpected obstacle. It also cannot be reduced to a form submitted days before arrival.
A sound check-in prepares data during pre-arrival, verifies who actually enters, reports what the law requires and deletes what should not remain.
That is the direction of Flow: not replacing systems a property already owns, but preventing growing operators from building their process by gluing together disconnected apps.
Note: This article provides an operational overview focused mainly on Italian rules in force at publication. It does not replace guidance from competent authorities or qualified legal and privacy professionals.
Want to follow Flow's development?
Explore the StayFast roadmap for check-in, contracts and guest registration. Flow is in advanced development; Sync belongs to a later stage of the roadmap.
