1. Who we are
Delft Dibs ("we", "us", "our") is a housing-alert service operated as a sole proprietorship / small business registered in the Netherlands. We monitor publicly available rental listings and email matched alerts to subscribers.
We are the data controller for personal data processed under this policy. Our contact details are in section 11.
2. Data we collect
We collect only what is strictly necessary to provide the service:
| Category | Specific data | When collected |
|---|---|---|
| Account data | Email address, hashed password | Registration |
| Alert preferences | City, max rent, min size, property type, availability date | Setup / filter configuration |
| Billing data | Stripe customer ID, subscription status, last-4 of card (stored by Stripe, not by us) | Payment / subscription |
| Usage data | Email open/click events (via email provider), login timestamps | Service use |
| Technical data | IP address (anonymised after 30 days), browser type, error logs | Each request to our servers |
| Communications | Content of support emails you send us | When you contact us |
We do not collect: real name, phone number, date of birth, national ID, or any special category data (health, ethnicity, etc.).
3. Legal basis (GDPR Art. 6)
Every processing activity has a lawful basis under the General Data Protection Regulation:
| Processing purpose | Legal basis |
|---|---|
| Delivering email alerts matched to your filters | Contract (Art. 6(1)(b)) — necessary to perform the service you signed up for |
| Processing payments via Stripe | Contract (Art. 6(1)(b)) |
| Maintaining account security, preventing fraud | Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in keeping the service secure |
| Service-level analytics (aggregate, anonymised) | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
| Sending marketing or product-update emails | Consent (Art. 6(1)(a)) — only if you have explicitly opted in |
4. How we use your data
- Sending alerts: Your email and filter preferences are used exclusively to match new listings and dispatch alert emails.
- Account management: Your email is used for login, password reset, and transactional notifications (subscription receipts, cancellation confirmations).
- Billing: Your subscription status is checked before each alert is sent. We pass your email to Stripe to create a customer record. We do not store full card numbers.
- Service improvement: Aggregate, anonymised data (e.g. "40% of alerts sent between 22:00–02:00") helps us optimise scraper schedules and infrastructure.
- Legal compliance: We retain invoices and payment records as required by Dutch tax law (7-year retention).
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Retention periods
| Data | Retention period | Reason |
|---|---|---|
| Account data (email, password hash, filters) | Until you delete your account, then 30 days | Accidental-deletion grace period |
| Sent alert records | 90 days | Deduplication — to avoid sending the same listing twice |
| Payment / invoice records | 7 years | Dutch tax law (Belastingdienst) |
| Server logs (IP, timestamps) | 30 days, then anonymised or deleted | Security monitoring |
| Support correspondence | 2 years after last contact | Reference for ongoing issues |
| Anonymised analytics | Indefinite | No personal data remains after anonymisation |
6. Third-party processors
We use a small number of carefully selected processors. Each has signed a Data Processing Agreement (DPA) where required by GDPR:
| Processor | Purpose | Data transferred | Location |
|---|---|---|---|
| Stripe | Payment processing & subscription management | Email, billing address (if provided), card details | EU / USA (SCCs in place) |
| Email delivery provider (transactional email) | Sending alert and transactional emails | Email address, alert content | EU |
| Cloud hosting provider | Running our servers and database | All data at rest and in transit | EU (Netherlands / Germany) |
We do not use Google Analytics, Facebook Pixel, or any advertising trackers on our service.
Where processors are located outside the EEA (e.g. Stripe in the USA), transfers are made under the European Commission's Standard Contractual Clauses (SCCs) per GDPR Art. 46.
8. Your rights
Under the GDPR (and the Dutch UAVG implementing law), you have the following rights regarding your personal data. You can exercise most of them directly from your dashboard:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate or incomplete data. Update your email and filters in your dashboard at any time.
- Erasure (Art. 17): Request deletion of your account and all associated personal data, subject to retention obligations (e.g. tax records).
- Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON / CSV) to transfer to another service.
- Restriction (Art. 18): Ask us to pause processing of your data while a dispute or complaint is being resolved.
- Objection (Art. 21): Object to processing based on legitimate interest. We will stop unless we can show compelling legitimate grounds.
- Withdraw consent (Art. 7): Where processing is based on consent (e.g. marketing emails), withdraw it at any time without affecting prior processing.
- Complaint (Art. 77): Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your rights have been violated.
We will respond to rights requests within 30 days. Complex requests may take up to 90 days — we will notify you within the initial 30 days if this applies.
We may need to verify your identity before processing a request. We will not charge a fee unless the request is manifestly unfounded or excessive.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS 1.2+.
- Passwords are hashed using bcrypt with a cost factor of 12 or higher — we never store plaintext passwords.
- Database access is restricted to application servers within a private network; no direct public access.
- Payment card data is never stored on our servers — all card processing is handled exclusively by Stripe.
- Access to production systems is limited to authorised personnel and requires multi-factor authentication.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.
10. Changes to this policy
We may update this policy from time to time to reflect changes in the service, applicable law, or our practices. When we make material changes we will:
- Update the "Last updated" date at the top of this page.
- Send a notice to your registered email address at least 14 days before the changes take effect.
Your continued use of the service after a change takes effect constitutes acceptance. If you do not accept the updated policy you may close your account before the effective date.
Prior versions of this policy are available on request.
11. Contact & complaints
For any privacy-related question, a data subject rights request, or to report a potential data breach, contact us at:
Delft Dibs — Privacy
Email: privacy@delftdibs.nl
Response time: Within 5 business days for general enquiries; within 30 days for formal rights requests.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens (AP)
autoriteitpersoonsgegevens.nl
Telephone: +31 (0)70 888 85 00
Bezuidenhoutseweg 30, 2594 AV Den Haag
This policy was written in plain language, but the authoritative version is the English text above. In case of a dispute, Dutch law applies and the competent court is the District Court of The Hague (Rechtbank Den Haag).