Privacy Policy
Effective date: [date of publication]
This Privacy Policy is provided in English. Where we offer a translation, the English version is authoritative and prevails in case of any inconsistency.
1. Who we are
GetApt ("we", "us") is operated by Dmitrii Petukhov as a sole proprietor based in Munich (München), Germany.
Contact: support@getapt.app
Postal address: [street + house number], [PLZ] München, Germany [a c/o or business address is fine; a Postfach is not]
2. What this document covers
This Privacy Policy explains what personal data GetApt collects, why, how long we keep it, who we share it with, and your rights under the General Data Protection Regulation (GDPR). It applies to the web application at getapt.app, the Chrome browser extension "GetApt", and emails sent from notify.getapt.app. It does not apply to third-party rental portals (Funda, ImmoScout24, etc.) — those have their own policies.
3. Data we collect
3.1 — Data you provide. Account data (email, name, password hash or OAuth identifier); profile data (locale, message-tone preference, optional avatar); applicant profile (household composition, income, employer, contract type, move-in window, target cities, budget, optional "about us" text); household data (name, member roles, invites); listings you save (address, price, size, photo URL, description, your notes/status); application messages you generate and edit.
3.2 — Data collected automatically. Authentication session tokens (Supabase Auth); a random install_id the extension uses to de-duplicate pairing; AI-usage counts for quota/billing; anonymised analytics events (PostHog, §3.5); error metadata (Sentry — no message bodies or listing contents); email open/click tracking (opt out via the unsubscribe link in every email).
3.3 — Data the extension reads from rental portals. When you click the GetApt button on a supported listing page, the extension reads the publicly visible content of the page you are viewing, extracts listing details, and sends them to our servers for AI analysis and saving to your account. The extension does not crawl pages you haven't opened, read sites outside its permitted list, access your other tabs or browsing history, or submit forms on your behalf.
3.4 — What we do NOT collect. Government IDs, passports, or SCHUFA scores; bank or payment-card details (we don't take payments yet); real-time location; the contents of pages outside the supported rental portals; anything you haven't explicitly saved into GetApt.
3.5 — Analytics (PostHog). We use PostHog (EU instance) to understand how the product is used (page views, clicks, feature usage). Personal data in events is limited to your user ID and action metadata — never listing or message contents. Analytics loads only after you accept cookies; without consent, no analytics data is collected.
4. Why we process this data (Art. 6 GDPR)
| Data | Purpose | Lawful basis |
|---|---|---|
| Account + profile | Operating the service | Contract — Art. 6(1)(b) |
| Applicant profile | Personalising scores & messages | Contract — Art. 6(1)(b) |
| Household data | Operating household features | Contract — Art. 6(1)(b) |
| Saved listings | Core product functionality | Contract — Art. 6(1)(b) |
| AI-usage events | Quota enforcement, billing | Legitimate interest — Art. 6(1)(f): preventing abuse, enforcing fair-use quotas |
| Analytics | Improving the product | Consent — Art. 6(1)(a) |
| Error reports | Reliability | Legitimate interest — Art. 6(1)(f): keeping the service secure and reliable |
| Transactional emails | Account operation | Contract — Art. 6(1)(b) |
5. Automated analysis and AI (profiling)
GetApt uses automated analysis (AI) to score listings against your preferences (0–100), summarise landlord "peculiarities", draft application messages in the landlord's language, and translate them. This is profiling within the meaning of Art. 4(4) GDPR — automated processing of personal data to evaluate aspects relating to you and your household.
- Inputs: the listing's content and your household's applicant profile, including the income, employer and contract type you entered. These are sent to our AI sub-processor to produce the result.
- The output is advisory. You always see it, can edit it, and decide what to do. GetApt does not make — and no landlord or other third party receives — any automated decision about you based on the score, so it produces no legal or similarly significant effect within the meaning of Art. 22 GDPR.
- No training. Our AI sub-processor (currently the [Lovable AI Gateway — update when migrating]) processes these inputs only to return the result for your request and does not use your data to train AI models. [Confirm a data-processing agreement with a no-training clause is in place before publishing.]
6. Who we share data with (sub-processors)
Each provider below is contractually bound to process data only as instructed and in line with GDPR.
| Sub-processor | Purpose | Location |
|---|---|---|
| Lovable Cloud | Hosting, database, email pipeline, AI gateway | EU / global edge |
| Supabase | Database, authentication | EU (Frankfurt) |
| Cloudflare | CDN, edge compute | Global edge |
| PostHog | Analytics | EU (Frankfurt) |
| Sentry | Error tracking | EU |
| Google / Apple / Microsoft | OAuth sign-in (only if you choose) | USA |
We do not sell your personal data, do not use it for advertising or ad targeting, and do not allow it to be used to train AI models.
International transfers. Some sub-processors (the OAuth providers; possibly the AI gateway) process data in the USA. Where this occurs we rely on the EU–US Data Privacy Framework (where the provider is certified — e.g. Google, Apple, Microsoft) and/or EU Standard Contractual Clauses under Art. 46 GDPR. [Confirm the actual mechanism per US-touching processor before publishing.]
7. How long we keep your data
| Data | Retention |
|---|---|
| Account (active) | Until you request deletion |
| Account (after deletion request) | 30 days, then permanently deleted |
| Saved listings | Same lifecycle as your account |
| AI-usage & analytics events | 12 months |
| Error reports | 90 days |
| Email delivery logs | 90 days |
| Backups | 30 days (rolling) |
8. Your rights under GDPR
You have the right to:
- Access the data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a machine-readable format — portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for analytics or any consent-based processing, at any time
- Complain to a data protection authority. Our competent authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), the supervisory authority for the private sector in Bavaria. If you are in the Netherlands you may instead contact the Autoriteit Persoonsgegevens.
To exercise any of these, email support@getapt.app; we respond within 30 days (Art. 12(3)). Account deletion is also self-serve at getapt.app/app/settings. Where one household member stores another person's details (e.g. a partner's income), the member who entered them is responsible for having a basis to do so.
9. Cookies
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase session | Keep you signed in | Necessary | 1 hour (refresh) |
| Consent record | Remember your cookie choice | Necessary | 1 year |
| PostHog distinct_id | Anonymous analytics | Consent-gated | 1 year |
| PostHog session | Session analytics | Consent-gated | 30 minutes |
The Chrome extension uses chrome.storage.local (not cookies) for the pairing token and install ID — local to your browser, transmitted only to GetApt servers.
10. Security
- HTTPS for all traffic; encryption at rest (Supabase, Cloudflare)
- Per-household row-level security — other users cannot read your data
- Server-only secrets, never exposed to browsers; regular dependency updates
No system is perfectly secure. If you believe your account is compromised, email support@getapt.app immediately.
11. Children
GetApt is for adults (18+). We do not knowingly collect data from children. If you believe a child has provided data, email support@getapt.app and we will delete it.
12. Chrome Web Store Limited Use
GetApt's use of information received from the GetApt browser extension adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically, the data the extension reads from rental-portal pages, and the applicant profile (including income, employer, and contract type) used to score listings and draft application messages, are used only to provide and improve these user-facing features. We do not sell this data, do not use it for advertising, and do not use it to train AI models. Before the extension first sends your applicant profile to our AI provider, it shows an in-product notice and asks for your explicit consent.
13. Changes to this policy
When this policy changes materially we update the effective date above and notify current users by email at least 14 days before the change takes effect. Minor clarifications may be made without notice.
14. Contact
Privacy questions: support@getapt.app. You may also contact our competent supervisory authority directly: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach — lda.bayern.de.