Privacy policy

Effective in respect of processing carried out via the letznest service. Luxembourg law applies alongside Regulation (EU) 2016/679 (“GDPR”).

1. Data controller

The controller of your personal data is:

2. Purpose and legal basis

We process personal data only for specific purposes and on a lawful basis under the GDPR.

PurposeLegal basis (GDPR Art. 6)
Providing accounts, authentication (email/password, Google sign-in), security, abuse preventionPerformance of a contract; legitimate interests in securing the platform
Profiles, vibe quiz results, roommate preferences, listings, messages, reviews, Q&A, saved searches, notificationsPerformance of a contract; consent where you opt in to optional features
Payments and billing (e.g. promotions) via StripePerformance of a contract; legal obligation for accounting where applicable
Transactional email (e.g. verification, operational notices) via Zoho MailPerformance of a contract; legitimate interests
Optional AI-assisted text when you use it (OpenAI), only for that session/requestConsent or performance of a contract, as presented in-product
Analytics necessary for service operation, error logs, legal claimsLegitimate interests; legal obligation where applicable

3. Categories of data

  • Identity & account: name, email, password hash (never stored in plain text), profile image, OAuth identifiers from your provider.
  • Profile & preferences: bio, languages, communes, budget, roommate settings, vibe profile / quiz JSON.
  • Listings & content: titles, descriptions, photos, addresses/coordinates you publish, reviews, questions and answers, reports.
  • Messaging: thread metadata and message bodies you send.
  • Technical: IP address, device/browser signals, cookies or similar for sessions (see §8). Push subscription endpoints if you enable web push.
  • Billing: Stripe customer/subscription identifiers; card data is processed by Stripe, not stored on our servers.

4. Recipients and subprocessors

We use vetted service providers who process data on our instructions (see their privacy policies):

  • Hosting / database: your infrastructure provider (where the application and PostgreSQL run).
  • Stripe: payments.
  • UploadThing: user-uploaded files (e.g. photos).
  • Pusher: real-time delivery of messaging events.
  • Zoho Mail: outbound transactional email.
  • Upstash Redis: rate limiting / operational caching where configured.
  • OpenAI: optional AI features only when enabled and used.
  • Google: authentication when you choose that provider.

Some providers are located outside the European Economic Area. Where required, we rely on appropriate safeguards (e.g. EU Standard Contractual Clauses) and, where applicable, adequacy decisions.

5. Retention

  • Account data: kept until you delete your account, then erased or anonymised within a reasonable period unless a longer period is required by law.
  • Listings & messages: kept while your account is active and as needed for dispute resolution; removed or anonymised when no longer necessary.
  • Logs & security: short rolling retention unless a longer period is justified for investigation or legal defence.
  • Legal / tax: invoices and related records according to applicable Luxembourg retention rules.

6. Your rights

Under the GDPR you may: access, rectify, erase, restrict processing, object, and data portability where applicable. You may withdraw consent at any time without affecting prior processing. You may lodge a complaint with:

To exercise rights, contact [email protected]. We may need to verify your identity.

7. Automated decisions

Compatibility or “vibe” scores are informational tools to help you browse. They do not produce legal or similarly significant effects solely by automated processing within the meaning of Article 22 GDPR without human involvement; you remain free to contact other users and use other criteria.

8. Cookies and similar technologies

We use cookies or local storage strictly necessary for authentication (e.g. session) and security. If we introduce non-essential cookies (e.g. analytics), we will request your consent in line with the ePrivacy rules and update this policy.

9. Children

The service is not directed at persons under 16. Do not register if you are under 16. If we learn we have collected such data, we will delete it.

10. Security

We implement appropriate technical and organisational measures (encryption in transit, access controls, hashing of passwords, segregated environments). No method of transmission over the Internet is 100% secure.

11. Changes

We may update this policy. Material changes will be communicated in an appropriate manner (e.g. notice in the product or email where required). Continued use after the effective date may constitute acceptance where permitted by law.

12. Contact

Privacy questions: [email protected]. General contact: [email protected].