1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Marvin Brüheim
Marienstr. 45
50825 Cologne, Germany
Email: business.svenmarvin@gmail.com
Phone: +49 163 2705561
2. Principles of Data Processing
We process personal data only to the extent necessary for the provision of the Platform, or where the user has given explicit consent. The legal bases are in particular:
- Art. 6(1)(a) GDPR – Consent
- Art. 6(1)(b) GDPR – Performance of a contract / pre-contractual measures
- Art. 6(1)(f) GDPR – Legitimate interests of the controller
3. Data Collected and Purposes
3.1 Registration and User Account
Upon registration, we collect the following data:
- Email address
- Password (stored encrypted, never in plaintext)
- User role (landlord / tenant)
- Timestamp of registration
Purpose: Provision and management of the user account
Legal basis: Art. 6(1)(b) GDPR
3.2 Usage Data (Log Data)
Each time the Platform is accessed, technical data is automatically recorded:
- IP address (anonymised)
- Browser type and version
- Operating system
- Date and time of access
- Pages / functions accessed
Purpose: Technical operation, error resolution, security
Legal basis: Art. 6(1)(f) GDPR
3.3 User Content (Tenant and Tenancy Data)
Users may upload the following content to the Platform:
- Apartment data (address, facilities)
- Handover protocols including photos
- Meter readings
- Uploaded documents (rental agreements, receipts, etc.)
- Digital signatures
Purpose: Core function of the Platform (management of subletting relationships)
Legal basis: Art. 6(1)(b) GDPR
Note: The uploading user is solely responsible for content that contains personal data of third parties (e.g. tenants).
3.4 Communication
When users contact us by email, we store the transmitted data (name, email, message content) for the purpose of processing the enquiry.
Legal basis: Art. 6(1)(f) GDPR
4. Third-Party Services and Processors
4.1 Supabase (Database, Authentication, File Storage)
We use Supabase Inc. as backend infrastructure for database, authentication, and file storage. Supabase processes personal data on our behalf.
Provider: Supabase Inc., 970 Toa Payoh North, Singapore
Privacy Policy: supabase.com/privacy
Third-country transfer: Yes (USA) – safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR
4.2 Vercel (Hosting)
The Platform is hosted via Vercel Inc. (USA). Vercel processes access logs and IP addresses.
Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
Privacy Policy: vercel.com/legal/privacy-policy
Third-country transfer: Yes (USA) – safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR
4.3 Google OAuth (optional)
If the user signs in using a Google account, data is transferred to Google LLC.
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: policies.google.com/privacy
Use of Google OAuth is optional. Sign-in by email is available as an alternative.
5. Cookies and Local Storage
The Platform uses technically necessary cookies and local browser storage (LocalStorage / SessionStorage) exclusively for:
- Authentication tokens (session management)
- User preferences (e.g. display settings)
These cookies are strictly necessary for the operation of the Platform and cannot be disabled. Consent is not required pursuant to Art. 6(1)(b) GDPR.
No tracking or analytics cookies are used.
6. Retention Periods
Personal data is deleted once the purpose of storage no longer applies:
- User account data: until deletion of the account by the user
- Log data: after a maximum of 30 days
- Uploaded content: until actively deleted by the user or upon account closure
- Contact enquiries: upon completion of processing, at most after 2 years
Statutory retention obligations remain unaffected.
7. Rights of Data Subjects
Every user has the following rights vis-à-vis the controller:
- Right of access (Art. 15 GDPR): information about processed data
- Right to rectification (Art. 16 GDPR): correction of inaccurate data
- Right to erasure (Art. 17 GDPR): "right to be forgotten"
- Right to restriction (Art. 18 GDPR): restriction of processing
- Right to data portability (Art. 20 GDPR): data export in machine-readable format
- Right to object (Art. 21 GDPR): objection to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR): at any time with effect for the future
To exercise these rights, please send an email to: business.svenmarvin@gmail.com
8. Right to Lodge a Complaint
Users have the right to lodge a complaint with a data protection supervisory authority. A list of German supervisory authorities is available at: bfdi.bund.de
9. Data Security
We implement technical and organisational measures to protect personal data, including:
- Encrypted transmission via TLS/HTTPS
- Encrypted password storage (bcrypt)
- Row Level Security (RLS) in the database – users can only access their own data
- Access controls at database level
Complete protection against all attacks cannot be guaranteed.
10. Minors
The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, the data will be deleted without delay.
11. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy in response to changes to the Platform or applicable law. The current version is always available on the Platform. The date of the last update is noted at the beginning of this document.