Privacy Policy

Last updated: 19 May 2026

This policy explains how Domily collects, uses, stores, and protects personal data across the surfaces we operate. It is written to satisfy the General Data Protection Regulation (GDPR), the German TTDSG (now part of the DDG), and the disclosure obligations under §5 TMG/DDG.

1. Who We Are (Data Controller)

The data controller responsible for the processing described in this policy is:

Aleksandar Balalovski
Berlin, Deutschland
Email: aleksandar@domily.app

For the full §5 TMG/DDG imprint, see /impressum.

2. Scope of This Policy

This policy covers personal data processed across all Domily-operated surfaces:

  • domily.app — the marketing site you are reading. Includes the blog, the rental playbook download flow at /checklist, the landlord landing page at /rent-my-apartment, the /join hub, and pricing and feature pages.
  • app.domily.app — the rental marketplace where tenants and landlords sign up, build profiles, list properties, apply, schedule viewings, and message each other.
  • miete.berlin — the anonymous Berlin rent-cap and Mietspiegel checker. Operated by Domily but designed as a no-account product. See section 12 for the dedicated notice.

3. What We Collect

3.1 Account and profile data (rental marketplace)

When you create an account on app.domily.app we store the fields you provide on your user_profiles record:

  • Full name, email address, role (tenant or landlord)
  • Profile image (stored in a public Supabase Storage bucket — see section 3.10)
  • Preferred language
  • Tenant-specific household fields: monthly income, number of occupants, whether you have pets

3.2 Application and viewing data

When you (as a tenant) apply to a listing or request a viewing, we store the application or viewing record including a free-text message you write to the landlord and your intended move-in date. The landlord also creates and stores their property listings (address, photos, descriptions).

3.3 Sensitive documents (uploads)

Some documents tenants upload to support an application include sensitive personal data:

  • SCHUFA-Bonitätsauskunft (credit information)
  • Payslips and other proof of income
  • Copies of ID or passport
  • Mietschuldenfreiheitsbescheinigung (no-rent-debt confirmation from a previous landlord)

Files are stored in a private bucket on Supabase Storage. Access is gated by row-level-security: only you, and the landlord on a property you have actively engaged with, can read your documents. Lawful basis: GDPR Art. 6(1)(b) — performance of a (pre-)contract. Retention: see section 9.

3.4 Messages between tenants and landlords

The in-app chat stores messages between matched tenants and landlords on a messages table. Lawful basis: Art. 6(1)(b).

3.5 Payment metadata

Payments are processed by Stripe (see section 6 for Stripe's role as a sub-processor). Domily's own database holds only metadata about each transaction: a reference identifier, amount, currency, provider, status, and type. Card data, bank account numbers, and authentication credentials are handled exclusively by Stripe and never reach our servers. We are in SAQ-A scope for PCI DSS purposes (we do not store, process, or transmit cardholder data).

3.6 miete.berlin checks (anonymous)

The Mietpreisbremse and Mietspiegel checker at miete.berlin is anonymous by design. We do not require an account. Each session is keyed by an httpOnly miete_session cookie with a 180-day TTL, and your check inputs (address, size, rent, equipment, etc.) are stored in a checks table indexed by that session identifier. Lawful basis: Art. 6(1)(f) — legitimate interests (operating an anonymous tool requested by you).

3.7 miete.berlin email-capture leads

If you opt in to receive your check by email or to subscribe to follow-up updates, the email you provide is attached to your most recent check (stored in a JSONB column under a _leads array) and added to our Resend audience. Lawful basis: Art. 6(1)(a) — consent. You may withdraw at any time via the unsubscribe link in every marketing email.

3.8 Address autocomplete

Address autocomplete on app.domily.app and miete.berlin queries our internal addresses table, which is populated from the public Berlin Mietspiegel street directory, and (for free-form addresses) from Nominatim / OpenStreetMap. The address strings you enter are processed but not stored outside the check or listing record they belong to.

3.9 Marketing waitlist (Resend audience)

Sign-ups via /join, /checklist (with the explicit opt-in checkbox ticked), and other landing-page lead forms are stored in a Resend audience. Each contact is tagged with their role (e.g. tenant-newsletter, tenant, landlord) so we can segment broadcasts and never email people who did not opt in to marketing. Lawful basis: Art. 6(1)(a) — consent. UWG §7 applies in Germany; we honour the explicit-opt-in standard.

3.10 Profile images are public

Profile images on app.domily.app are served from a public Supabase Storage bucket. Anyone with the file URL can view the image. We surface profile images inside the app to logged-in users only; the public-bucket setting is a performance choice, not a publishing intent. Do not upload anything as a profile picture you would not want indexed.

3.11 Rental Application Generator (local-only browser storage)

Our free tool at /mietbewerbung-generator lets prospective tenants fill out an applicant profile and download a PDF. While you type, your inputs — full name, contact details, occupation, employer, employment type, net monthly income, renting experience, household details, preferred move-in date, intro text, and an optional profile photo — are persisted exclusively to your browser's localStorage under the key domily.mietbewerbung.v1. Nothing is sent to our servers at this stage. The profile photo is stored as a base64 image data URL (approx. 30 – 80 KB, pre-cropped to a square), again only locally. The PDF is generated entirely in your browser; nothing is uploaded.

You can wipe these inputs at any time via the tool's "Reset" button, or by clearing site data in your browser. If you don't reopen the tool for 30 days, the entry is automatically discarded on the next visit (soft expiry).

What happens if you later create a Domily account? When you sign up at /create, the data sitting in your browser is used once to populate your renter profile, and the photo is uploaded to our profile-images storage. The local entry is then cleared. If you never create an account, the data never leaves your device. Lawful basis for this one-time post-signup processing: Art. 6(1)(b) GDPR (contract performance) plus Art. 6(1)(a) GDPR (consent given by actively clicking "Create account").

3.12 Server logs and IP addresses

Production hosting is on Vercel. Application errors, request metadata, and (briefly) IP addresses are written to Vercel logs for operational and security purposes. Logs are retained for the period set by Vercel for our plan. Lawful basis: Art. 6(1)(f) — legitimate interest in operating a secure service. We use IP-based rate limiting on public endpoints (search, geocode, listings/translate, miete-check). The Court of Justice of the European Union held in C-582/14 (Breyer) that IP addresses are personal data; we declare them as such here.

4. Why We Process (Lawful Bases)

For each category, the lawful basis under Art. 6 GDPR:

  • Contract performance (Art. 6(1)(b)) — account creation, profile management, applications, viewing requests, messaging, sensitive-document uploads, payment metadata, providing the matchmaking service.
  • Consent (Art. 6(1)(a)) — marketing emails, newsletter sign-ups, miete.berlin email-capture leads, and any non-essential cookies on miete.berlin.
  • Legitimate interests (Art. 6(1)(f)) — anonymous miete.berlin checks, server-side error logging, IP-based rate limiting, fraud and abuse prevention, security monitoring, evaluating whether a sent transactional email arrived.
  • Legal obligation (Art. 6(1)(c)) — payment record retention under HGB §257, tax-record retention under AO §147, response to lawful information requests.

5. AI Processing of Your Content

Some product features process text you provide through third-party AI providers. We disclose this here under Art. 13(2)(f).

  • OpenAI — receives property descriptions for translation and full pasted listings for structured extraction. Region: United States.
  • Anthropic — receives landlord descriptions for AI-generated listing copy, free-text search queries (which may contain personal information you choose to type), and pasted listings. Region: United States.

We do not use these inputs to train external models. We send only the content necessary for the feature you triggered. Both providers act as our processors under signed Data Processing Agreements (DPAs) with appropriate transfer safeguards (see section 8).

6. How We Share Data

6.1 Cross-party sharing inside the marketplace

The rental marketplace inherently shares data between tenants and landlords. We rely on Supabase Row-Level Security to scope this strictly to a started interaction:

  • When a tenant applies or books a viewing, the landlord on that listing gains read access to the tenant's user_profiles row — full name, email, profile image, preferred language, monthly income, number of occupants, has-pets flag — and to any user_documents the tenant attached to that application.
  • Reciprocally, the tenant gains read access to the landlord's profile fields (full name, profile image, language) for the property they engaged with.

This sharing is contract performance under Art. 6(1)(b) — it is the service you signed up for — not consent. RLS is enforced server-side; the access ends when you delete the application or your account.

6.2 Sub-processors

We share personal data with the following sub-processors. Each operates under a signed DPA (Art. 28). For US-based providers, transfers are governed by EU Standard Contractual Clauses (SCCs) plus, where applicable, supplementary measures.

Sub-processor | Purpose | Data region | Transfer mechanism
Supabase | Database (Postgres), authentication, file storage | United States (typically AWS us-east-1) | SCCs
OpenAI | Translation, listing extraction (see section 5) | United States | SCCs
Anthropic | AI listing copy, search query handling (see section 5) | United States | SCCs
Resend | Transactional email + marketing audiences | EU and/or US depending on plan | SCCs (US transfers); intra-EU otherwise
Vemetric | Product analytics on miete.berlin (consent-gated) | European Union | Intra-EU; no transfer mechanism required
Nominatim / OpenStreetMap | Address geocoding for input fields | European Union | Intra-EU
Google | OAuth login on app.domily.app | United States | SCCs
Stripe | Payment processing | United States (with EU presence) | SCCs
Vercel | Hosting and runtime, server-side log aggregation | Global edge / United States primary | SCCs

We update this list when we add or change sub-processors. Changes that materially affect your data are reflected in the version history (section 17).

6.3 Other recipients

  • For legal reasons: we may disclose data when required by law, valid court order, or to protect Domily's rights, our users, or the public.
  • With your explicit consent: we may share data in other ways if you specifically authorise us to.

We do not sell personal data to third parties.

7. International Transfers

Several of our sub-processors are based in the United States. Where we transfer personal data outside the European Economic Area we rely on the European Commission's Standard Contractual Clauses (SCCs) supplemented, where the provider supports them, by additional technical measures (encryption at rest and in transit, access logging, etc.). The list of US-bound transfers is in section 6.2.

Our primary database (Supabase) is hosted in the US. By using app.domily.app you understand and accept that your data is transferred to and stored in the US under the SCC framework described above. This replaces any prior wording implying mere consent to transfer.

8. Cookies and Similar Technologies

Under §25 TTDSG (and equivalent §25 DDG), storing or accessing information on your device requires either consent (for non-essential storage) or strict necessity for the service you requested (for essential storage). We disclose each cookie or storage entry actually set:

Name | Surface | Purpose | Provider | Type | Retention
sb-<project>-auth-token | app.domily.app, miete.berlin (where applicable) | Supabase session token (login state) | Supabase | Essential | Session / persistent for the active session
miete_session | miete.berlin | Anonymous identifier so a check can be retrieved later | Domily | Essential, httpOnly | 180 days
miete_cookie_consent | miete.berlin | Records your consent decision for the cookie banner | Domily | Essential | 365 days
miete_locale | miete.berlin | Remembers your language preference | Domily | Functional | 365 days
Vemetric cookies | miete.berlin | Product analytics (page views, conversion events) | Vemetric | Analytics, set only after consent | Per Vemetric defaults
domily_cookie_consent (localStorage) | domily.app (this site) | Records that you have seen and dismissed the essential-cookies notice | Domily | Essential | Until cleared by you

You can manage browser-level storage at any time through your browser settings, and you can change your miete.berlin choice via the cookie banner controls.

9. Retention Periods

We keep personal data only as long as we need it for the purpose it was collected, plus any periods imposed by law. The retention defaults below are our current draft policy; final values will be confirmed before public launch and updated here.

Data category | Retention | Reason
user_profiles | Until deletion + 90 days | Grace period to recover an accidental deletion; then erased.
applications | 6 months after final status (rented / withdrawn / declined) | Time window for disputes and confirmations.
user_documents (SCHUFA, payslips, ID, etc.) | 90 days after the rental decision is recorded | Strict minimisation given sensitivity.
messages (in-app chat) | 12 months from last message in the thread | Operational defence and dispute reference.
payments (metadata only) | 10 years | HGB §257 / AO §147 commercial and tax records.
checks (miete.berlin) | 180 days | Aligned with the miete_session cookie TTL.
email-capture leads (miete.berlin) | 24 months, or until you unsubscribe | Reasonable lifecycle for an opt-in lead; honoured immediately on opt-out.
marketing waitlist (Resend) | Until you unsubscribe; then deletion of the contact | Consent-based, you control the duration.
Rental Application Generator (localStorage) | Until reset, manual deletion, or 30 days after last edit (soft expiry) — cleared immediately on account creation once the data has been used | Lives only in the user's browser; see 3.11.
server logs (Vercel) | Per Vercel plan defaults | Operational and security monitoring.

10. Your Rights

Under the GDPR you have the rights below. We respond within one calendar month (Art. 12(3)).

  • Access (Art. 15) — request confirmation of, and a copy of, the personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data, subject to legal-retention exceptions (e.g. payment records).
  • Restriction (Art. 18) — limit our processing while a dispute is resolved.
  • Portability (Art. 20) — receive a machine-readable export of the data you provided. We deliver portable data as JSON or CSV (depending on category) within 30 days of request.
  • Object (Art. 21) — object to processing based on legitimate interests, including profiling. For direct marketing, your objection is absolute and effective immediately.
  • Withdraw consent — for any processing based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. The marketing-newsletter unsubscribe link is the fastest route.
  • Lodge a complaint — with the data-protection supervisory authority for your country or region. In Germany, that is the Landesbeauftragte für Datenschutz of your federal state, or the Berlin authority for users in Berlin.

To exercise any of these rights, email aleksandar@domily.app from the address tied to your account, or use the in-app self-service flow once available. Currently a self-serve account-deletion endpoint is being built into /settings; until then we honour deletion requests sent to the email above within 30 days.

11. Marketing Communications

Marketing emails (the weekly tips newsletter, product updates) are sent only to people who explicitly ticked an opt-in checkbox at sign-up — bundled consent is not used. Each marketing email contains a one-click unsubscribe link as required by UWG §7 (3) read with §7 (2) Nr. 3 and by Art. 21 GDPR. Sending occurs through our processor Resend, with the audience-host listed in section 6.2.

Transactional emails (the rental playbook delivery, application notifications, payment receipts) are sent under contract performance and do not require marketing consent. They do not include marketing content.

12. miete.berlin (Anonymous Rent Check)

miete.berlin is a free, anonymous tool. We do not require an account, and we do not collect personally identifiable information unless you specifically choose to provide an email through the email-capture flow.

What we store and why:

  • The check inputs you submit (address, size, rent, build period, equipment) are stored in our checks table for 180 days, keyed to the anonymous miete_session cookie. This lets us return to a previously-run check on the same device.
  • If you submit an email to receive your check or to subscribe, that email is attached to your most recent check (under a JSONB _leads array) and added to our Resend audience. This is consent-based (Art. 6(1)(a)).
  • Address autocomplete sends what you type to the public Berlin Mietspiegel street directory and to OpenStreetMap's Nominatim service. We do not store the queries beyond the lifetime of the request.
  • Analytics on miete.berlin are provided by Vemetric and are gated by the cookie banner — they only run after you give consent.

You can clear your check history at any time by clearing the miete_session cookie (or all cookies for miete.berlin) in your browser. To remove an emailed lead, click the unsubscribe link in any email or contact aleksandar@domily.app.

13. Children and the Occupants Field

Domily accounts are not intended for users under the age of 18. We do not knowingly create accounts for children, and we will delete any account we discover was created by a child.

The occupants field on a tenant profile may include the number and ages of children in the household, because German landlords commonly ask. That number is treated as the account holder's data and is shared with a landlord only when an application or viewing is started (see section 6.1). Names, ages, or other identifiers of children should not be entered into free-text fields. We rely on the account holder to keep that field accurate and minimal.

14. Security

We apply technical and organisational measures appropriate to the data we process: encryption in transit (TLS 1.2+) and at rest (Supabase, Vercel), row-level-security policies enforcing access scoping in the database, signed access tokens, principle-of-least-privilege internal access, secret rotation for sub-processor keys, automated dependency monitoring, and incident-response procedures. No system is perfectly secure; we will notify affected users and the competent supervisory authority of a personal-data breach as required by Art. 33–34 GDPR.

15. Cookie Banner Coverage

The miete.berlin cookie banner provides full consent management and gates non-essential storage including analytics. On domily.app (this marketing site) you see only an essential-cookies notice — there is no analytics-consent UI on domily.app or app.domily.app today, because no non-essential cookies are set. If we add analytics or marketing tracking to those surfaces, a consent banner equivalent to the miete.berlin one will be deployed first.

17. Changes to This Policy

We may update this policy as the product evolves or as legal requirements change. Material changes are flagged by updating the Last updated date at the top and adding a row to the version history below. For changes that materially affect rights or processing of existing accounts, we notify you in-product or by email before the change takes effect.

18. Version History

  • 19 May 2026 — Added coverage for the Rental Application Generator: local-only browser storage, soft expiry, transfer of data into the user's profile on account creation.
  • 29 April 2026 — Comprehensive rewrite covering miete.berlin, sub-processor list, AI processing disclosure, cross-party data sharing, sensitive-document handling, payment scope, retention table, cookie inventory, and Impressum.
  • December 2025 — Initial generic SaaS template.

19. Contact

For privacy questions, GDPR rights requests, or anything in this policy, email aleksandar@domily.app. We aim to acknowledge within five business days and respond fully within 30 days.

20. Disclaimer Scope

The disclaimer that appears on the Domily marketing site and blog (informing readers that articles are general information, not legal advice) refers to our content output. It does not limit our obligations as a data controller under GDPR or German law. Where this policy makes commitments about how we handle your data, those commitments are binding on us as the controller.