Privacy Policy

Last updated: May 4, 2026

1. Who we are

DormSpot VOF, registered with the Dutch Chamber of Commerce under KVK number 42047298, is the data controller for personal data processed via dormspot.nl. For any question about this policy or your data, contact us via the contact page or by email at dormspotnl@gmail.com.

DormSpot VOF

KVK: 42047298

Eindhoven

dormspotnl@gmail.com

2. Scope

This policy applies to personal data we process when you visit dormspot.nl, create an account, configure housing alerts, or contact us. It does not cover third-party websites we link to.

3. Data we collect

  • Account data: your email address, plus a bcrypt-hashed password if you sign up with email and password, or your name and email if you sign in with Google.
  • Alert preferences: the cities, price range, number of bedrooms, and other criteria you save.
  • Billing metadata: a Stripe customer ID, subscription status, and invoice history. Your card number, CVC, and full PAN are handled by Stripe and never touch our servers.
  • Technical data: IP address, user-agent string, and timestamps written to server logs for security and debugging.
  • Usage analytics: page views and basic events collected via Google Analytics 4 with IP anonymization, only if you accept analytics cookies.

4. Legal basis (Article 6 GDPR)

  • Contract performance (Art. 6(1)(b)): account creation, running your alerts, and processing your subscription.
  • Legal obligation (Art. 6(1)(c)): retaining invoices and billing records under Dutch tax law.
  • Legitimate interest (Art. 6(1)(f)): keeping the service secure, preventing abuse, and debugging issues. We balance this against your privacy and only keep what is necessary.
  • Consent (Art. 6(1)(a)): analytics cookies and any marketing email. You can withdraw consent at any time without affecting prior processing.

5. Processors and international transfers

We use the following processors. They only see the data they need to do their job and are bound by data processing agreements.

ProcessorPurposeRegionTransfer mechanism
Google (OAuth)Sign-in with GoogleUSSCCs
StripePaymentsIE / USSCCs
MongoDB AtlasDatabase hostingEU (Frankfurt)No transfer
VercelWeb hosting and CDNEU edge / USSCCs
Google Analytics 4Usage statisticsUSSCCs

Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards as needed. We do not sell personal data and we do not use it for advertising.

6. How long we keep it

  • Account and alert data: while your account is active and up to 30 days after you close it.
  • Billing and invoice records: 7 years, as required by Dutch tax law.
  • Server logs: up to 90 days, then deleted or anonymized.
  • Analytics events in Google Analytics 4: 14 months from the date of collection.
  • Support emails: up to 24 months after the last reply.

7. Your rights (Articles 15 to 22 GDPR)

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (right to be forgotten);
  • restrict processing in certain circumstances;
  • receive your data in a portable, machine-readable format;
  • object to processing based on legitimate interest;
  • withdraw consent at any time, where processing is based on consent;
  • not be subject to a decision based solely on automated processing.

To exercise any of these rights, contact us via the contact page. We will respond within one month, as required by Article 12 GDPR.

8. Security

All traffic to dormspot.nl is encrypted with TLS. Data at rest sits in managed services (MongoDB Atlas, Vercel, Stripe) protected by access controls and regular patching. We restrict admin access to the minimum number of people who need it. We never store full card numbers; payment data is processed by Stripe.

9. Children

DormSpot is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided data to us, contact us and we will delete it.

10. Cookies

We use a small number of cookies, listed in detail on our Cookie Policy page. Essential cookies (the NextAuth session token) are always set so the site can function. Analytics cookies are only set after you accept them via the cookie banner, and you can change your choice at any time.

11. Complaints

If you believe we have mishandled your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Changes to this policy

We may update this policy as the service evolves. The date at the top of the page always reflects the latest version. Material changes will be announced by email or via an in-app notice before they take effect.

13. Contact

Questions, requests, or concerns? Reach us via the contact page or by email at dormspotnl@gmail.com.