Privacy Policy

Last updated: April 2026

1. Responsible Party and Contact Information

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection legislation is:

HeyFlats
Düsseldorf, Germany
Email: info@heyflats.com

If you have any questions regarding the processing of your personal data, your rights as a data subject, or this privacy policy, please contact us at the email address above. We will respond to your inquiry within the timeframe required by applicable law.

2. Principles of Data Processing

We collect and process personal data only to the extent necessary to provide a functional platform, fulfil our contractual obligations, and comply with legal requirements. Where processing is not covered by a contractual or legal basis, we will obtain your explicit consent prior to processing.

Personal data, as defined in Article 4 of the GDPR, includes any information relating to an identified or identifiable natural person — such as your name, email address, telephone number, IP address, or location data. Our data processing activities are carried out in compliance with the GDPR, the German Federal Data Protection Act (BDSG), the German Telemedia Act (TMG), and any other applicable data protection legislation.

The legal bases for our processing activities include:

• Article 6(1)(a) GDPR — consent of the data subject.
• Article 6(1)(b) GDPR — performance of a contract or pre-contractual measures.
• Article 6(1)(c) GDPR — compliance with a legal obligation.
• Article 6(1)(f) GDPR — legitimate interests of the controller, provided these are not overridden by the interests or fundamental rights of the data subject.

Where we rely on legitimate interest as a legal basis, our interests include the operation, improvement, and security of our platform, fraud prevention, and direct marketing of our own services.

3. Website Access and Server Log Files

When you access our website, our web servers automatically collect and store technical information transmitted by your browser. This data is required for the technical delivery of the website and to ensure the stability, security, and performance of our systems. The following data is collected automatically:

• Browser type and version.
• Operating system.
• Internet service provider (ISP).
• IP address (anonymised after processing).
• Date and time of the server request.
• Referring URL (the page from which you arrived).
• Pages visited and resources accessed.
• Amount of data transferred.

This data is stored in server log files for a maximum of seven (7) days and is subsequently deleted or anonymised. Log file data is not linked to individual user accounts and is not combined with other data sources. The legal basis for this processing is Article 6(1)(f) GDPR (legitimate interest in ensuring the secure and efficient operation of our platform).

4. Hosting and Infrastructure

Our platform is hosted by third-party infrastructure providers who process data on our behalf in accordance with Article 28 GDPR. We have concluded data processing agreements (Auftragsverarbeitungsverträge) with all hosting and infrastructure partners to ensure an adequate level of data protection. Property images and media files are stored using Cloudflare R2, a cloud-based object storage service. Cloudflare processes data in compliance with applicable data protection regulations and maintains appropriate technical and organisational security measures. Our servers and storage systems are located within the European Economic Area (EEA). In the event that data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses or adequacy decisions.

5. Cookies and Local Storage

Our platform uses cookies and similar technologies (such as local storage) to ensure core functionality, maintain user sessions, and improve your experience. Cookies are small text files that are placed on your device by your web browser. We use the following categories of cookies:

• Strictly necessary cookies: These are essential for the operation of the platform, including authentication, session management, and security. They cannot be disabled without impairing platform functionality. Legal basis: Article 6(1)(f) GDPR.
• Functional cookies: These remember your preferences, such as language settings and display options, to provide a personalised experience. Legal basis: Article 6(1)(f) GDPR.
• Analytical cookies: These help us understand how visitors interact with our platform by collecting anonymised usage statistics. We use this data to identify areas for improvement and to optimise the user experience. Legal basis: Article 6(1)(a) GDPR (consent).

You can manage, disable, or delete cookies at any time through your browser settings. Please note that disabling cookies may affect the functionality of certain features of the platform. For more information about managing cookies, please consult your browser's help documentation.

6. Account Registration and User Data

When you create an account on our platform, we collect and process the following personal data:

• Name (first name and last name).
• Email address.
• Profile information provided voluntarily (e.g., telephone number).

Authentication and identity management is provided by Clerk, a third-party identity service provider. Clerk processes authentication data (including email addresses, session tokens, and login metadata) in accordance with their own privacy policy and our data processing agreement. We do not store passwords or authentication credentials directly on our servers.

For tenants participating in the vetting process, we may additionally collect and process, with your explicit consent:

• Date of birth and nationality.
• Employment information (employer name, job title, monthly income).
• Identity document type and number (passport, ID card, or residence permit).
• Credit check results (SCHUFA-BonitätsCheck score and outcome).
• Emergency contact information.

This data is collected solely for the purpose of tenant verification and is shared with landlords only to the extent necessary to support booking decisions. The legal basis for processing tenant vetting data is Article 6(1)(a) GDPR (explicit consent) and Article 6(1)(b) GDPR (performance of pre-contractual measures).

For landlords, we may additionally collect:

• Company name and registration number (for corporate landlords).
• IBAN and financial information for commission settlement.
• VAT identification number.
• Billing address.

This data is processed for the purpose of contract performance and commission settlement. The legal basis is Article 6(1)(b) GDPR.

7. AI-Powered Search and Automated Processing

Our platform uses artificial intelligence (AI) and machine learning technologies to provide search functionality, match tenants with suitable properties, and generate property descriptions. These services are provided through third-party AI providers, including Anthropic and OpenAI, accessed via the OpenRouter API gateway. When you use the search function, your search queries are processed by AI models to understand your preferences and return relevant results. Search queries may be converted into mathematical representations (embeddings) and compared against property listings using semantic similarity. These embeddings are stored in our database to enable efficient search operations. The AI processing is designed to assist users in finding suitable properties and does not produce legal effects or similarly significant decisions concerning the data subject within the meaning of Article 22 GDPR. All booking decisions are made by human parties (landlords and tenants). Search queries and AI interactions may be retained for the purpose of improving search quality and platform performance. This data is anonymised or pseudonymised where possible. The legal basis is Article 6(1)(f) GDPR (legitimate interest in providing and improving the search service).

8. Third-Party Services and Data Transfers

We integrate the following third-party services into our platform. Each service may process personal data in accordance with its own privacy policy:

• Clerk (clerk.com) — Authentication, user management, and session handling. Clerk processes email addresses, login metadata, and session information.
• Google Maps (Google LLC) — Display of property locations on interactive maps. Google may collect IP addresses, device information, and location data when maps are loaded. Legal basis: Article 6(1)(f) GDPR.
• Cloudflare (Cloudflare, Inc.) — Content delivery network (CDN), DDoS protection, and image storage (R2). Cloudflare may process IP addresses and request metadata.
• Anthropic / OpenAI (via OpenRouter) — AI-powered search, semantic matching, and natural language processing. Search queries and property data may be transmitted to these providers for processing. No personal identification data is included in AI queries beyond the search text itself.

Where these services involve the transfer of personal data to countries outside the European Economic Area (EEA), including the United States, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include Standard Contractual Clauses (SCCs), binding corporate rules, or reliance on adequacy decisions issued by the European Commission. We have concluded data processing agreements with all third-party providers where required by Article 28 GDPR.

9. Communication and Contact

When you contact us via email, through the platform's contact page, or through any other communication channel, we process the personal data you provide (typically your name, email address, and the content of your message) for the purpose of responding to your inquiry. This data is stored for the duration of the conversation and, if applicable, for the fulfilment of any resulting contractual or legal obligations. Data related to completed inquiries without further contractual relevance is deleted after six (6) months unless statutory retention requirements apply. The legal basis for processing contact data is Article 6(1)(b) GDPR (pre-contractual measures or contract performance) or Article 6(1)(f) GDPR (legitimate interest in responding to inquiries).

10. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable statutory retention obligations. The following retention periods apply:

• Account data (name, email, profile information): retained for the duration of the account relationship. Deleted within 30 days of account deletion request, subject to the retention periods below.
• Booking and tenancy data: retained for the duration of the tenancy and for a period of three (3) years thereafter for the purpose of resolving potential disputes.
• Financial and tax-relevant data (invoices, commission records, payment information): retained for ten (10) years in accordance with Section 147 of the German Fiscal Code (Abgabenordnung) and Section 257 of the German Commercial Code (Handelsgesetzbuch).
• Server log files: retained for a maximum of seven (7) days.
• AI search queries and embeddings: retained for up to twelve (12) months for service improvement purposes, then anonymised or deleted.
• Communication records (emails, support inquiries): retained for six (6) months after resolution, unless a longer retention is required for legal or contractual reasons.

Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is not technically feasible (e.g., in backup systems), the data is marked for deletion and excluded from any further processing.

11. Data Security

HeyFlats implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data in transit using TLS/SSL protocols.
• Encryption of sensitive data at rest.
• Access controls and role-based permission systems.
• Regular security assessments and vulnerability scanning.
• Employee training on data protection and information security.
• Secure development practices and code review processes.

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data, but we are committed to promptly addressing any security incidents in accordance with applicable notification requirements under the GDPR.

12. Your Rights as a Data Subject

Under the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

• Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether your personal data is being processed and, if so, to receive a copy of that data along with information about the purposes, categories, recipients, and retention periods of the processing.
• Right to rectification (Article 16 GDPR): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
• Right to erasure (Article 17 GDPR): You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, where you withdraw your consent, or where the processing is unlawful. This right is subject to statutory retention requirements and other legal obligations.
• Right to restriction of processing (Article 18 GDPR): You have the right to request that the processing of your personal data be restricted in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose deletion.
• Right to data portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
• Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data where the processing is based on legitimate interests (Article 6(1)(f) GDPR), including processing for direct marketing purposes.
• Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates applicable data protection legislation. The competent supervisory authority for HeyFlats is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen.

To exercise any of these rights, please contact us at info@heyflats.com. We will respond to your request within one (1) month, or within the extended period permitted by the GDPR if your request is particularly complex.

13. Changes to This Privacy Policy

HeyFlats reserves the right to update and amend this privacy policy at any time to reflect changes in our data processing practices, the introduction of new services or features, or changes in applicable data protection legislation. Changes will be published on this page with an updated revision date. Where changes are material and significantly affect your rights, we will provide prominent notice on the platform and, where appropriate, notify you by email. We encourage you to review this privacy policy periodically to stay informed about how we collect, process, and protect your personal data. Your continued use of the platform after the publication of any changes constitutes your acknowledgement of the updated policy.