Privacy Policy
Last updated 31 May 2026
Privacy Policy – Huurwoning Hub
Version: June 2026 | Data Controller: Huurwoning Hub B.V., the Netherlands | Contact: privacy@huurwoninghub.nl
Huurwoning Hub processes personal data in accordance with the General Data Protection Regulation (GDPR / EU 2016/679). This policy explains what data we process, why, for how long, and what rights you have.
1. What personal data do we process?
| Category | Fields | Who |
|---|---|---|
| Account data | Name, email address, password (bcrypt-hashed), language preference, account type, creation date, last sign-in | All users |
| Profile data – tenant | Phone number, date of birth (optional), occupation, net monthly income, household size, pet information, smoking status, preferred move-in date, maximum rent, preferred cities, minimum rooms, visibility settings | Tenants |
| Profile data – landlord | Company name, Chamber of Commerce number, VAT number, company address, response rate, average response time | Landlords |
| Listing data | Address, rent, photos, description, availability date, property features | Landlords |
| Application data | Motivation letter, net monthly income, occupation description | Tenants |
| Payment data | Stripe customer ID, payment intent ID, amount, payment method (type only, no card number), payment status. Card details are processed exclusively by Stripe. | Tenants |
| Communication data | Transactional emails, in-app notifications, email delivery status via Resend | All users |
| Analytics data (own analytics) | Session ID (anonymous UUID, 30 min.), IP address, page path, country, referrer, UTM parameters, device type, browser. No fingerprinting, no cross-site tracking. | All visitors |
| Security & audit log data | Event type (e.g. LOGIN_SUCCESS, ACCOUNT_DELETED), user_id, IP address, user-agent, timestamp (ISO 27001 A.12.4.1) | All users |
| Search alert data | Email address, desired city, maximum rent (no account required) | Visitors |
2. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating, managing and authenticating accounts | Performance of contract (art. 6(1)(b)) |
| Publishing and displaying property listings | Performance of contract (art. 6(1)(b)) |
| Forwarding rental applications to landlords | Performance of contract (art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (art. 6(1)(b)) |
| Transactional emails (confirmations, reminders, status updates) | Performance of contract (art. 6(1)(b)) |
| Search email alerts for new properties | Consent (art. 6(1)(a)) – withdrawable via unsubscribe link |
| Marketing emails | Consent (art. 6(1)(a)) – configurable in account settings |
| Platform analytics for service improvement | Legitimate interest (art. 6(1)(f)) |
| Fraud and abuse prevention | Legitimate interest (art. 6(1)(f)) |
| Landlord response score (quality control) | Legitimate interest (art. 6(1)(f)) |
| ISO 27001 audit logging | Legitimate interest (art. 6(1)(f)) |
| Compliance with legal obligations (fiscal retention) | Legal obligation (art. 6(1)(c)) |
| Analytical and marketing cookies (Google Analytics 4, Google Ads) | Consent (art. 6(1)(a)) – only after explicit cookie banner acceptance |
3. Retention periods
| Category | Period |
|---|---|
| Account data | As long as account is active + 12 months after deletion |
| Listing data | Max. 30 days after expiry or deletion |
| Application data (motivation, income) | Max. 90 days after property is assigned or listing expires |
| Payment data | 7 years (statutory fiscal obligation) |
| Transactional email logging | 12 months |
| Audit logs | 12 months (ISO 27001) |
| Platform analytics sessions | 90 days (raw data), then aggregated |
| Search alert data | Until unsubscription |
| Cookie consent record | 12 months |
4. Your rights
Under the GDPR you have the following rights, exercisable via privacy@huurwoninghub.nl or your account settings:
- Right of access (art. 15) – request a copy of the data we process; we respond within 30 days.
- Right to rectification (art. 16) – correct inaccurate data. Profile data editable via Account → Settings.
- Right to erasure (art. 17) – delete your account via Account → Settings → Delete account. Auth data deleted immediately; other data within the retention periods above. Legally required data (payment history) retained in anonymised form.
- Right to restriction (art. 18) – temporary suspension of processing during a dispute.
- Right to object (art. 21) – object to processing based on legitimate interest (analytics, response scores).
- Right to data portability (art. 20) – request a structured copy (JSON/CSV) of data you have provided.
- Withdraw consent – withdraw consent for marketing emails, matching visibility or cookies at any time via the cookie banner or account settings.
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl, tel. +31 88 180 52 50.
5. Account deletion
When you delete your account:
- Authentication data (email, password hash, session tokens) is immediately and permanently deleted from Supabase Auth;
- Your public profile becomes invisible to third parties;
- Active listings linked to your account are set to inactive;
- Payment data is retained for 7 years (statutory obligation) – transaction references only, no card data;
- An audit log entry for the deletion event (ACCOUNT_DELETED) is retained as security evidence (ISO 27001 A.12.4.1);
- Anonymous analytics data (not traceable to you) is not deleted.
6. Transfers to third parties
| Party | Role | Purpose | Location |
|---|---|---|---|
| Supabase Inc. | Processor | Database storage, authentication, file storage | EU (Frankfurt, AWS eu-central-1) – no transfer outside EEA |
| Stripe Inc. | Independent controller | Payment processing | US (EU-US Data Privacy Framework) |
| Resend Inc. | Processor | Transactional email delivery | US (Data Privacy Framework) |
| Landlord | Recipient | Reviewing rental candidates after application submission | Netherlands |
| Google LLC | Processor (optional) | Google Analytics 4 + Google Ads β only after explicit cookie consent | US (Data Privacy Framework + Consent Mode v2) |
We never sell your personal data to third parties and do not use your data for automated decision-making with legal effects.
7. Cookie policy
| Category | Always active | Purpose | Retention |
|---|---|---|---|
| Necessary | Yes | Login, session, language preference | Session up to max. 1 year |
| Analytics | No – consent required | Google Analytics 4 (GTM-5F47JND9) | Up to 2 years |
| Marketing | No – consent required | Google Ads remarketing | Up to 540 days |
Cookie consent is stored in localStorage (12 months). Google Consent Mode v2 is applied. Modify or withdraw consent via the Cookie settings button at the bottom of every page.
Anonymous platform analytics (page views, session duration) are collected server-side without cookie consent – no tracking cookies are placed for this purpose.
8. Security measures
- Transport security: mandatory HTTPS/TLS with HSTS.
- Password security: bcrypt hashing via Supabase Auth; no plaintext storage.
- Access control: Row-Level Security (RLS) on all tables; service-role keys used server-side only.
- HTTP security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP, Permissions-Policy.
- Audit logging: security-relevant events logged with timestamp and IP address (ISO 27001 A.12.4.1).
- Data minimisation: analytics IP addresses deleted after 90 days; bot traffic filtered.
9. Changes to this policy
For material changes, you will receive an email notification and/or a notice on the website at least 14 days in advance. The version date is shown at the top of this document.