Privacy Policy

Last updated: 29 April 2026 (v2.1) Version: 2.1 Effective date: 29 April 2026

1. Who we are

This Privacy Policy applies to the website www.hauzed.com and the Hauzed mobile application (together, the "Platform") operated by:

GET HAUZED, S.L.
Calle Circumval·lació, 77, 3º 3ª, 08240 Manresa, Barcelona, Spain
Tax ID (CIF): pending allocation
Registered with the Mercantile Registry of Barcelona (registration in process)
Activity code (CNAE): 6312 — Web portals
Sole Director: Neifi Alcantara Meliano
Contact: info@hauzed.com

For the purposes of EU Regulation 2016/679 (the "GDPR") and Spanish Organic Law 3/2018 ("LOPDGDD"), GET HAUZED, S.L. ("Hauzed", "we", "us", "our") is the data controller of the personal data processed through the Platform. The Irish Data Protection Act 2018 ("Irish DPA") may apply only where processing or operations are linked to Ireland and require it.

2. Scope and purpose of this Policy

This Policy explains:

• What personal data we collect and from whom;
• The legal bases on which we process your personal data;
• How we use, share, store and protect your data;
• How we use Artificial Intelligence (AI) and document processing tools;
• Your rights under GDPR and LOPDGDD, and under the Irish DPA where it applies to Ireland-linked operations;
• How to contact us with privacy questions or complaints.

The Platform is currently available to users in Ireland and Spain. The Platform is not directed to children under 18 years of age, and we do not knowingly collect personal data from anyone under 18.

3. Personal data we collect

3.1 Data you provide directly

Category	Examples
Identity & contact	Name, surname, profile photo, date of birth, postal address, country, email, phone number
Account credentials	Username, encrypted password, two-factor authentication tokens
Verification data	Government-issued ID image, selfie, liveness check video, KYC verification result (via Veriff)
Tenant supporting documents	Payslips, employment contracts, landlord references, bank statements, study certificates, residence permits, and any other supporting documentation a tenant chooses to upload to support a rental application
Property data (landlords)	Property address, photographs, rental price, terms, BER rating, tenant requirements
Communications	Messages sent through our chat, attachments, voice/video call audio (when applicable)
Payment data	Payment-method tokens (handled by Stripe; we do not store full card numbers), billing address, deposit transaction records
Preferences and matching data	Move-in dates, budget, preferred districts, lifestyle preferences, group composition

3.2 Data we collect automatically

Category	Examples
Device data	Device manufacturer, OS, browser type and version, screen resolution, language
Connection data	IP address, ISP, network identifier, timestamps
Usage data	Pages visited, search queries, clicks, time on page, navigation paths, conversion events
Approximate location	Country and city, derived from IP address (we do not collect precise GPS without consent)
Cookies and similar technologies	See our Cookies Policy

3.3 Data we receive from third parties

• Identity verification providers (Veriff): name match, document authenticity result, PEP / sanctions list flag.
• Payment processors (Stripe): payment success/failure status, dispute notifications, refund records.
• Authentication providers (if you sign in with Google, Apple or similar): email, basic profile information, depending on the permissions you grant.

4. Special categories of data

Documents that tenants upload to support rental applications (such as payslips or employment contracts) may incidentally contain special category data under Article 9 GDPR, including data revealing trade union membership (where union dues appear on a payslip), health data (where sick-leave deductions appear), or racial or ethnic origin (where employment forms record it).

We process this incidental special-category data only on the basis of your explicit consent, given when you upload the document. You are not obliged to upload documents that contain such information, and you may redact sensitive fields before uploading. Where we detect that a document contains special-category data that is not necessary for the rental application, we will discard that information at the extraction stage and it will not be stored.

5. Legal bases for processing

We rely on the following legal bases under Article 6 GDPR:

Legal basis	Purposes covered
Contract performance (Art. 6(1)(b))	Creating and managing your account; processing your rental application or listing; facilitating chat and viewings; processing escrow deposits when activated.
Legal obligation (Art. 6(1)(c))	Identity verification (KYC) under anti-money-laundering regulations; tax and accounting record-keeping; responding to lawful requests from authorities; complying with the Irish Residential Tenancies Board (RTB) requirements where applicable.
Legitimate interests (Art. 6(1)(f))	Fraud prevention and platform safety; product analytics in aggregated, anonymised form; defending and exercising legal claims; AI-assisted matching and trust signals (where they support, not replace, human decisions). We balance these interests against your rights and freedoms; you have the right to object (see Section 11).
Consent (Art. 6(1)(a))	Marketing communications; non-essential cookies; processing of incidental special-category data in tenant documents (Art. 9(2)(a)); precise location data when applicable. You may withdraw consent at any time.

6. How we use your data

We process personal data for the following specific purposes:

• Account management: registration, login, profile maintenance, password recovery.
• Verification and trust: KYC checks via Veriff, identity badges, profile signals such as "Identity Verified", "Income Evidence Submitted", "References Available", "Trusted Profile". We do not display badges that suggest negative or sensitive conclusions about a user (e.g. "low income" or "high risk"), and we do not use protected characteristics to generate badges.
• Matching and discovery: surfacing properties to tenants and tenants to landlords based on stated preferences, verification status and AI-supported relevance signals.
• Communication: enabling secure chat between users, sending transactional emails, processing voice/video calls when used.
• Payments and deposits: processing payments and, when activated, holding security deposits in regulated escrow via Stripe Connect, with release upon tenant confirmation.
• Fraud prevention and safety: detecting fake listings, identity fraud, suspicious behaviour, and preventing scams.
• Service improvement: aggregated, anonymised analytics to understand product usage and improve features.
• Legal compliance: complying with applicable laws, regulations, court orders and lawful requests.

7. How we use AI and automated tools

We use AI and automation to assist rental workflows. AI on Hauzed does not make final, binding or fully automated decisions about tenant eligibility, access to housing, or acceptance of applications. Final decisions are always made by humans (the landlord, the agent, or you).

A separate AI Disclosure explains in detail which AI agents we run, what data they consume, and how their outputs are used. The most relevant points for this Privacy Policy:

• Document processing: when you upload a supporting document, we first use a comparable enterprise document-processing service to extract structured information from the document (e.g. employer name, declared income range, contract dates). This converts unstructured files into useful data fields for verification, matching and trust signals.
• AI-assisted signals and matching: we may use AI tools to generate signals, scores or recommendations that support - but never replace - human decision-making. These are used to prioritise matches, surface trust badges, detect fraud patterns and improve safety. They are not determinative of any tenancy outcome.
• Enterprise AI providers: when we use third-party AI providers (such as Anthropic and OpenAI), we do so under enterprise or business agreements that prohibit those providers from using our customer data to train their general-purpose models.
• No use of protected attributes: we do not intentionally use protected or sensitive personal attributes (race, ethnicity, religion, sexual orientation, disability, family status, gender identity) to generate signals, scores or matches.
• Right to human review: you have the right to request that any signal, score or recommendation about your profile be reviewed by a human at Hauzed. Contact info@hauzed.com.

For the purposes of Article 22 GDPR, you have the right (a) not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, (b) to obtain human intervention, (c) to express your point of view, and (d) to contest any such decision. As Hauzed does not make final automated decisions about housing access, Article 22 generally does not apply to our service; nonetheless, we honour these rights as a baseline standard.

8. Sharing your data — recipients and sub-processors

We share personal data with the following categories of recipients:

8.1 Other Platform users

• Landlords and agents receive limited information about tenants who apply to their properties (verified profile, application message, declared budget, move-in dates, and any documents the tenant chooses to share through chat). When a tenant shares a document directly with a landlord through chat, the landlord becomes an independent data controller of that copy of the document; we do not control how the landlord stores or uses it after sharing.
• Tenants receive limited information about landlords whose properties they apply to (verified profile, listing details, response time).

You always control what you share through chat. We recommend sharing only what is necessary for the rental application.

8.2 Service providers (sub-processors)

We rely on the following sub-processors to operate the Platform. Each sub-processor is bound by a Data Processing Agreement (DPA) that requires them to process personal data only on our instructions and to apply appropriate security measures.

Provider	Service	Country / region	Safeguards
Vercel	Web hosting, edge functions, ISR	EU regions (Frankfurt)	DPA + Standard Contractual Clauses (SCCs)
Supabase	Database, authentication, file storage	EU region	DPA + SCCs
Enterprise cloud provider	Document processing, file storage, backups, identity/document checks	EEA region	DPA in place
Veriff	Identity verification (KYC)	Estonia (EU)	DPA, GDPR-compliant by default
Stripe	Payments and escrow (Stripe Connect)	EU and US (dual processing)	DPA + SCCs + DPF certification
Anthropic (Claude)	AI assistance under Enterprise / API agreement	US	DPA + SCCs + DPF certification; no training on customer data
OpenAI	AI assistance under Enterprise / API agreement	US	DPA + SCCs + DPF certification; no training on customer data
PostHog	Product analytics	EU region	DPA + SCCs
Resend	Transactional email	EU region	DPA + SCCs
Mailchimp	Newsletter (currently paused)	US	DPA + SCCs + DPF certification
Mailtrap	Email testing in staging environments	EU	DPA + SCCs
IONOS	Domain and DNS hosting	Germany (EU)	DPA
Google (Workspace)	Email infrastructure for the info@hauzed.com address	EU regions	DPA + SCCs + DPF certification

We update this list when we add or remove sub-processors.

8.3 Legal recipients

We may share personal data with regulators, courts, law enforcement and other authorities where required by law (for example, in response to a court order, anti-money-laundering obligations, or tax inspections).

9. International transfers

Some of our sub-processors are located outside the European Economic Area (EEA), in particular in the United States. When we transfer personal data outside the EEA, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• EU-US Data Privacy Framework (DPF) certifications, where the recipient is certified;
• Adequacy decisions of the European Commission, where applicable;
• Additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls).

You have the right to request a copy of the safeguards we apply to a specific transfer by writing to info@hauzed.com.

10. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, and in line with the following indicative retention schedule:

Data category	Retention period
Active account data	While the account is active
Inactive account data	30 days after account closure, then deletion (account-closure grace period)
Tenant supporting documents (active application)	While the application is open
Tenant supporting documents (rejected application)	30 days after rejection, then anonymised or deleted
Tenant supporting documents (accepted application / signed tenancy)	Up to 6 years from end of tenancy, for tax, accounting and legal-defence purposes
KYC verification results	5 years from end of relationship (anti-money-laundering compliance)
Chat messages	Active for the duration of the conversation; archived for 2 years after last activity
Marketing data	Until you withdraw consent, then deleted within 30 days
Backups	Up to 90 days after deletion from primary systems, then overwritten
Aggregated, anonymised analytics	Indefinitely (no longer personal data)

You have the right to request deletion of your data before these periods expire (see Section 11), subject to our legal obligations.

11. Your rights

You have the following rights under GDPR and LOPDGDD, and under the Irish DPA where it applies to Ireland-linked operations:

• Access (Art. 15) — receive a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data, including data extracted by our document-processing tools or by any AI tool we use.
• Erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to retention obligations described above.
• Restriction of processing (Art. 18) — limit the processing of your data in certain circumstances.
• Data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller.
• Object to processing (Art. 21) — object to processing based on legitimate interests, including AI-assisted profiling for matching.
• Withdraw consent (Art. 7) — at any time, where processing is based on your consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Not be subject to automated decision-making (Art. 22) — request human review of any AI-generated signal or recommendation about your profile (see Section 7).

How to exercise your rights: write to info@hauzed.com from the email address linked to your account. We may need to verify your identity before acting on your request. We will respond within 30 days; this may be extended by a further 60 days for complex requests, in which case we will explain the reason.

Right to lodge a complaint: if you are not satisfied with our response, you have the right to lodge a complaint with:

• Spanish Data Protection Agency (AEPD) — www.aepd.es — for matters related to GET HAUZED, S.L. as the controller;
• Irish Data Protection Commission (DPC) — www.dataprotection.ie — for matters related to processing in Ireland.

12. Security measures

We apply appropriate technical and organisational measures under Article 32 GDPR to protect your personal data, including:

• TLS 1.3 encryption for all data in transit;
• AES-256 encryption at rest for stored documents and backups;
• Role-based access control (RBAC) with least-privilege principles;
• Multi-factor authentication for staff accounts;
• Audit logs of access to personal data and tenant documents;
• Regular security reviews and dependency updates;
• Encrypted backups with limited retention;
• Documented incident-response procedure.

No system is completely secure. If you become aware of any security issue, please report it to info@hauzed.com.

13. Personal data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (AEPD or DPC) within 72 hours of becoming aware of the breach, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in accordance with Articles 33 and 34 GDPR.

14. Children

The Platform is not intended for users under 18. The digital age of consent in Ireland is 16; however, our service requires the legal capacity to enter into rental agreements, which is generally 18. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact info@hauzed.com and we will delete it promptly.

15. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. We will notify registered users by email or in-app notice of material changes at least 30 days before they take effect.

16. Contact

For privacy questions, requests, or complaints:

GET HAUZED, S.L.
Calle Circumval·lació, 77, 3º 3ª, 08240 Manresa, Barcelona, Spain
Email: info@hauzed.com
Phone: +34 936 07 56 78

We currently use info@hauzed.com as the privacy contact. Where we appoint a Data Protection Officer in the future, we will publish their contact details on this page.

---

This Privacy Policy is governed by Spanish data-protection law, including GDPR and LOPDGDD, without prejudice to the Irish DPA 2018 where it applies to Ireland-linked operations. Where a translation is provided in another language, the Spanish version prevails in case of conflict.