PRIVACY POLICY

PRIVACYBELEID

HuurAll — Peer-to-Peer Rental Marketplace

Last Updated: [DATE]

Version 1.0

1. Data Controller and Contact Information

HuurAll B.V. (hereinafter “HuurAll”, “we”, “our”) is the data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Dutch Implementation Act of the GDPR (Uitvoeringswet AVG, “UAVG”) for all processing of personal data described in this Privacy Policy.

HuurAll B.V.

Address: [Registered Address], [City], the Netherlands

KvK: [Registration Number]

Email: privacy@huurall.nl

For data protection requests, please contact us at privacy@huurall.nl. You may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl if you believe your data has been processed unlawfully.

2. Scope of This Policy

This Privacy Policy applies to personal data we collect from and about you when you interact with us, our website (www.huurall.nl), our mobile application, and our services. It describes what data we collect, why we collect it, how we use it, with whom we share it, and what rights you have regarding your data. This policy does not apply to third-party websites or services linked from our Platform.

3. What Personal Data Do We Collect?

3.1 Data You Provide to Us

Account Registration Data: Full name, email address, phone number, residential city, profile photograph, and password (stored as a hash value, never in plain text).

Identity Verification Data: Photograph of identity document (passport, ID card, or driver’s license), date of birth, BSN (only when required by law for DAC7 reporting).

Payment Data: IBAN (bank account number) for Lenders, credit/debit card details for Renters (processed and stored by Stripe, not by HuurAll directly).

Listing Data: Item descriptions, photographs, pricing, location, and category information.

Communication Data: Messages sent through the in-platform messaging system, support inquiries, and dispute documentation.

Review Data: Ratings, written reviews, and feedback provided after completed rentals.

3.2 Data We Collect Automatically

Usage Data: Pages visited, features used, search queries, click behavior, session duration, and interaction patterns.

Device Data: IP address, browser type and version, operating system, device type, and screen resolution.

Location Data: Approximate geographic location derived from IP address or, with your consent, precise location from your mobile device for proximity-based search.

Cookie Data: Information collected through cookies and similar technologies (see Section 9).

3.3 Data from Third Parties

Stripe: Payment confirmation, transaction status, and Stripe Connect onboarding verification results.

Shipping Providers (PostNL/DHL): Delivery status and tracking information.

4. Purposes of Processing and Legal Basis

4.1 Performance of Contract (Article 6(1)(b) GDPR)

We process your personal data for the performance of our contract with you, including: creating and managing your account, facilitating rentals between Lenders and Renters, processing payments and commission deductions via Stripe Connect, enabling the offer/counter-offer negotiation system, providing delivery tracking, enabling in-platform messaging, generating rental agreements, operating the rating and review system, and handling disputes and mediation.

4.2 Legitimate Interests (Article 6(1)(f) GDPR)

We process your data based on our legitimate interests, including: fraud prevention and detection (including AI-powered listing moderation via Claude API), ensuring Platform security and integrity, enforcing our Terms of Use (including rating-based account enforcement), improving the Platform through analytics, sending service-related communications, defending against legal claims, and preventing circumvention of the payment system. We have conducted a legitimate interest assessment and determined that these interests do not override your fundamental rights and freedoms.

4.3 Legal Obligation (Article 6(1)(c) GDPR)

We are required by law to process certain data, including: DAC7 reporting to the Dutch Tax Authority (Belastingdienst) for Lender income exceeding reporting thresholds, tax record retention obligations under Dutch fiscal law (Algemene wet inzake rijksbelastingen), responding to lawful requests from law enforcement or regulatory authorities, and compliance with Dutch anti-money laundering regulations (Wwft).

4.4 Consent (Article 6(1)(a) GDPR)

Where required, we obtain your consent for: marketing communications (email newsletters, promotional offers), non-essential cookies and tracking technologies, precise geolocation data from your mobile device, and processing of special categories of data if ever applicable. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Who Do We Share Your Data With?

We share your personal data with the following categories of recipients, only to the extent necessary for the stated purposes:

5.1 Other Users

When a rental is confirmed, limited personal data is shared between Lender and Renter: the Renter’s name and delivery address are shared with the Lender for shipping purposes, and the Lender’s name and approximate location are visible to Renters. Contact information (phone/email) is masked in the messaging system.

5.2 Service Providers (Processors)

Stripe, Inc. (USA) — Payment processing, escrow, Stripe Connect onboarding, and KYC verification. Stripe’s processing is subject to Standard Contractual Clauses for international transfers.

Vercel, Inc. (USA) — Website and application hosting (EU-west region).

Supabase, Inc. (USA) — Database hosting, authentication, file storage, and real-time messaging infrastructure.

Resend (USA) — Transactional email delivery (registration confirmation, rental notifications, invoices).

Firebase / Google LLC (USA) — Push notification delivery (Firebase Cloud Messaging).

Anthropic (USA) — AI-powered content moderation for listing review (Claude API). Only listing text and images are processed; no personal identification data is shared.

PostNL / DHL — Shipping label generation and delivery tracking.

With each processor, HuurAll has entered into a Data Processing Agreement (Verwerkersovereenkomst) in compliance with Article 28 GDPR, ensuring strict data protection obligations.

5.3 Authorities

Dutch Tax Authority (Belastingdienst) — DAC7 annual reporting of Lender income.

Dutch Police or other competent authorities — In connection with criminal investigations or when legally required.

Autoriteit Persoonsgegevens — In response to regulatory inquiries.

5.4 No Sale of Data

HuurAll does not sell, rent, or trade your personal data to third parties for their own marketing purposes.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. For such transfers, we ensure an adequate level of data protection through: the EU-US Data Privacy Framework (for certified US companies), Standard Contractual Clauses (SCCs) approved by the European Commission, and Transfer Impact Assessments where required. We do not transfer data to countries without adequate protection unless appropriate safeguards are in place.

7. How Long Do We Store Your Data?

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law:

Account data: Retained for the duration of your account and deleted five (5) years after your last login or the end of your last rental, whichever is later.

Transaction and payment data: Retained for seven (7) years after the transaction to comply with Dutch fiscal record-keeping obligations (Article 52 Algemene wet inzake rijksbelastingen).

Identity verification documents: Deleted six (6) months after successful verification.

Communication data (messages): Retained for two (2) years after the conversation for dispute resolution purposes, then deleted.

DAC7 reporting data: Retained for seven (7) years in accordance with Dutch tax law.

Cookie and analytics data: Maximum twenty-four (24) months, depending on the specific cookie.

Server log files: Deleted after seven (7) days, unless required for fraud investigation.

8. Your Rights Under the GDPR

Under the GDPR and the UAVG, you have the following rights regarding your personal data:

Right of Access (Article 15 GDPR): You may request confirmation of whether we process your personal data and obtain a copy of it.

Right to Rectification (Article 16 GDPR): You may request correction of inaccurate personal data.

Right to Erasure (Article 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.

Right to Restriction (Article 18 GDPR): You may request restriction of processing in certain circumstances.

Right to Data Portability (Article 20 GDPR): You may request your data in a structured, commonly used, machine-readable format.

Right to Object (Article 21 GDPR): You may object to processing based on legitimate interests, including profiling and direct marketing. If you object to direct marketing, processing will cease immediately.

Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time.

Right to Lodge a Complaint: You may lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), PO Box 93374, 2509 AJ Den Haag, www.autoriteitpersoonsgegevens.nl.

To exercise any of these rights, please contact us at privacy@huurall.nl. We will respond within one (1) month of receipt. This period may be extended by two (2) months for complex requests, in which case we will inform you of the extension.

9. Cookies and Similar Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Platform. We use cookies and similar technologies (pixels, SDKs) to provide, secure, and improve our Platform.

9.2 Categories of Cookies

Strictly Necessary Cookies: Required for the Platform to function (authentication, security, session management). Legal basis: Article 6(1)(f) GDPR / Article 11.7a Telecommunicatiewet. These cannot be disabled.

Functional Cookies: Enable enhanced features such as language preferences and location settings. Legal basis: Your consent (Article 6(1)(a) GDPR).

Analytics Cookies: Help us understand Platform usage through aggregated, anonymized data (e.g., page views, traffic sources). Legal basis: Your consent.

Marketing Cookies: Used to display relevant advertisements and measure campaign effectiveness. Legal basis: Your consent.

9.3 Managing Cookies

You can manage your cookie preferences at any time via the “Cookie Settings” option in the Platform footer. You may also control cookies through your browser settings. Blocking certain cookies may affect Platform functionality.

10. Automated Decision-Making and AI Moderation

HuurAll uses AI-powered content moderation (via the Claude API by Anthropic) to automatically scan listing text and images for prohibited items and inappropriate content. This automated processing may result in the removal of listings and, in serious cases, account suspension.

This processing is based on our legitimate interest in maintaining a safe and legal marketplace (Article 6(1)(f) GDPR). Where automated decisions significantly affect you, you have the right to request human review by contacting support@huurall.nl. No fully automated decisions with legal or similarly significant effects are made based solely on automated processing without the possibility of human intervention.

11. Children’s Privacy

The Platform is not intended for use by persons under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Data Security

HuurAll implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit (TLS/SSL) and at rest, secure password hashing, role-based access control for administrative systems, regular security audits and vulnerability assessments, Supabase Row Level Security (RLS) for database-level access control, and incident response procedures for data breaches. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the Autoriteit Persoonsgegevens without undue delay and within 72 hours where feasible, in accordance with Articles 33 and 34 GDPR.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email and/or a prominent notice on the Platform at least thirty (30) days before the effective date. We encourage you to review this policy periodically.

14. Contact Information

HuurAll B.V.

[Registered Address]

[City, Postal Code], the Netherlands

KvK: [Registration Number]

Privacy inquiries: privacy@huurall.nl

General support: support@huurall.nl

Website: www.huurall.nl

— End of Privacy Policy —