Introduction
Passflat ("we", "us", "our") is a rental marketplace platform operated from Warsaw, Poland. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at passflat.com.
We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws. By using Passflat, you acknowledge that you have read and understood this policy.
Data We Collect
We collect only the data necessary to provide and improve our services:
Account Data
- Email address and display name (via email or Google OAuth registration through Supabase Auth)
- Authentication tokens and session data
Listing Data
- Apartment address (street, building number, district, postal code)
- Apartment photos you upload
- Cost breakdown (rent, admin fee, estimated utilities) and apartment details (area, rooms, amenities, description)
Cost Report Data
- Building address and apartment size
- Monthly utility costs (electricity, gas, heating, water, internet) — displayed only in aggregated form
- If you previously submitted cost data through an external form (e.g. an early Google Form), we store the email address you provided solely to link that submission to your account when you later sign in with the same email.
Usage & Technical Data
- Pages visited, interactions, and feature usage (collected via PostHog and Google Analytics)
- IP address, browser type, device information, and operating system (standard server logs)
How We Use Your Data
- Providing the service: displaying listings, connecting tenants, showing cost reports
- Sending notifications: email alerts when someone expresses interest in your listing (via Resend)
- Improving the platform: understanding usage patterns, fixing bugs, developing new features
- Ensuring security: preventing fraud, abuse, and unauthorized access
We do NOT sell your personal data to third parties. Ever.
Legal Bases for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the service, including displaying listings, tenant matching, and cost reports.
- Legitimate interest (Art. 6(1)(f)) — processing for platform security, fraud prevention, and platform improvement (including server-log data listed under Usage & Technical Data).
- Consent (Art. 6(1)(a)) — processing for analytics cookies (PostHog and Google Analytics) and marketing communications. You can withdraw consent at any time, for example through the cookie banner, without affecting the lawfulness of processing carried out before withdrawal.
Imported cost reports
Some early cost reports were collected via a Google Form and are stored under a system placeholder account rather than under a user account. Because we keep the email address given on the form so that the report can later be linked to you (see Cost Report Data above), these records are pseudonymised rather than anonymised and remain personal data until they are claimed or deleted. When you sign in with that email address, we automatically associate those reports with your account and grant you contributor access. The legal basis is our legitimate interest (Art. 6(1)(f)) in maintaining contributors' access to their own submissions; you can request deletion at any time.
Data Sharing
We share data only in the following, limited circumstances:
- Cost reports are displayed in aggregated, anonymized form
- Listing contact details are shared only with users who express interest through the platform
Data Processors
- Supabase — hosting, database, and authentication
- Vercel — website hosting and serverless functions
- Resend — transactional email delivery
- Stripe — payment processing for promoted listings
- Google Places API — address autocomplete (address data only)
- Mapbox — map rendering (no personal data shared)
- PostHog — product analytics (consent-based; you can opt out via the cookie banner)
- Google Analytics 4 — web traffic/audience analytics (consent-based, opt-in via cookie banner)
- DeepL — automated translation of listing content (EU-based, Germany)
Data Retention
- Account data: retained until you delete your account
- Listings: active for 60 days, then archived for 30 days before deletion
- Cost reports: the aggregated statistics derived from reports are retained indefinitely. Once a report's figures have been merged into these aggregates and stripped of anything that links them to a person, the aggregate is no longer personal data under GDPR (Recital 26) and is maintained to support the community database. Individual reports that are linked to your account remain personal data and are covered by the erasure right described below.
- Email addresses from imported submissions are retained until the submission is claimed at login or until you request removal.
Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
- Right to restriction — request restriction of processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data)
To exercise any of these rights, contact us at contact@passflat.com. We will respond without undue delay and at the latest within one month of receiving your request, as required by GDPR Art. 12(3); for complex or numerous requests this period may be extended by up to two further months, in which case we will inform you within the first month.
Right to lodge a complaint — if you believe your data protection rights have been violated, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, Poland. Website: uodo.gov.pl
Cross-Border Data Transfers
Some of our data processors are located outside the European Union / European Economic Area (EU/EEA). When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.
The following processors may process data outside the EU/EEA: Vercel (US), Resend (US), Stripe (EU and US), Google (US, covering both Places API and Google Analytics), and Mapbox (US) — all operating under Standard Contractual Clauses. Supabase and PostHog data locations depend on the region configured for our project instance. DeepL is EU-based (Germany).
Cookies
We use a minimal set of cookies:
- Essential cookies: authentication session tokens (required for the service to work)
- Analytics cookies: PostHog and Google Analytics (optional — you can opt out via browser settings or our cookie banner)
Cookie Details
| Cookie or storage key | Category | Purpose | Duration |
|---|---|---|---|
| sb-* | Essential | Supabase authentication session tokens | Session |
| ph_* | Analytics | PostHog product analytics and feature flags | 1 year |
| _ga, _ga_* | Analytics | Google Analytics — traffic and audience measurement | 2 years |
| passflat-cookie-consent | Essential | Stores your cookie consent preference (localStorage) | Persistent |
| NEXT_LOCALE | Essential | Stores your preferred language | 1 year |
Automated Decision-Making
Passflat does not engage in automated individual decision-making or profiling as defined by GDPR Art. 22. Listing rankings are based on recency only, with the single exception that promoted listings (a paid feature) are displayed at the top.
Children's Data
Passflat is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the President of the Personal Data Protection Office (UODO) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
If a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Art. 34), describing the nature of the breach, its likely consequences, and the protective measures we recommend you take.
Data Protection Officer
We have assessed the need for a Data Protection Officer (DPO) under GDPR Art. 37 and determined that appointment is not currently required given the nature and scale of our data processing activities. For any data protection inquiries, contact us at contact@passflat.com.
Data Controller & Contact
For privacy questions or to exercise your GDPR rights, contact our data protection team:
- Data Controller: Ilya Apaniuk
- Location: Warsaw, Poland
- Email: contact@passflat.com
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify registered users of significant changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.