Contents
1. Who we are
Delft Dibs ("we", "us", "our") is a housing-alert service operated as a sole proprietorship / small business registered in the Netherlands. We monitor publicly available rental listings and email matched alerts to subscribers.
We are the data controller for personal data processed under this policy. Our contact details are in section 11.
2. Data we collect
We collect only what is strictly necessary to provide the service:
| Category | Specific data | When collected |
|---|---|---|
| Account data | Email address, hashed password, first name, last name (name is collected at registration and editable in your dashboard) | Registration |
| Alert preferences | Cities monitored (e.g. Delft, Rotterdam, Den Haag), rent range, minimum size, room count, property type, neighborhoods, listing sources, furnished preference, pets allowed, registration possible, availability date, lease duration, tenant profile, maximum bike commute time, alert frequency, and email alerts on/off | Setup / filter configuration |
| Billing data | No billing data is collected during the current free launch period. When a paid plan is introduced, Stripe will handle payment processing and store card details on our behalf — we will not store card numbers ourselves. | Not yet applicable — will update before billing begins |
| Usage data | Login timestamps, number of alerts sent per day, page-view counts (stored as a pseudonymised daily hash of IP + browser — not linked to your account) | Service use |
| Technical data | IP address (anonymised after 30 days), browser type, error logs, audit log of account changes (e.g. password reset, name update) | Each request to our servers |
| Communications | Content of support emails you send us | When you contact us |
We do not collect: phone number, date of birth, national ID, or any special category data (health, ethnicity, etc.).
3. Legal basis (GDPR Art. 6)
Every processing activity has a lawful basis under the General Data Protection Regulation:
| Processing purpose | Legal basis |
|---|---|
| Delivering email alerts matched to your filters | Contract (Art. 6(1)(b)) — necessary to perform the service you signed up for |
| Processing payments via Stripe (not yet active — will apply when a paid plan is introduced) | Contract (Art. 6(1)(b)) |
| Maintaining account security, preventing fraud | Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in keeping the service secure |
| Service-level analytics (aggregate, anonymised) | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
| Sending marketing or product-update emails | Consent (Art. 6(1)(a)) — only if you have explicitly opted in |
4. How we use your data
- Sending alerts: Your email and filter preferences are used exclusively to match new listings and dispatch alert emails.
- Account management: Your email is used for login, password reset, and transactional notifications (e.g. email verification, account changes).
- Billing: The service is currently free. No billing data is collected or shared with Stripe at this time. This will be updated before any paid plan is introduced.
- Service improvement: Aggregate, anonymised data (e.g. "40% of alerts sent between 22:00–02:00") helps us optimise scraper schedules and infrastructure.
- Legal compliance: We retain invoices and payment records as required by Dutch tax law (7-year retention).
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Retention periods
| Data | Retention period | Reason |
|---|---|---|
| Account data (email, password hash, filters) | Until you delete your account, then 30 days | Accidental-deletion grace period |
| Sent alert records | 90 days | Deduplication — to avoid sending the same listing twice |
| Payment / invoice records | 7 years | Dutch tax law (Belastingdienst) |
| Server logs (IP, timestamps) | 30 days, then anonymised or deleted | Security monitoring |
| Support correspondence | 2 years after last contact | Reference for ongoing issues |
| Anonymised analytics | Indefinite | No personal data remains after anonymisation |
6. Third-party processors
We use a small number of carefully selected processors. Each has signed a Data Processing Agreement (DPA) where required by GDPR:
| Processor | Purpose | Data transferred | Location |
|---|---|---|---|
| Stripe (not yet active) | Payment processing & subscription management — will be used when a paid plan is introduced | Email, billing address (if provided), card details — not currently shared | EU / USA (SCCs in place) |
| Email delivery provider (transactional email) |
Sending alert and transactional emails | Email address, alert content | EU |
| Cloud hosting provider | Running our servers and database | All data at rest and in transit | EU (Netherlands / Germany) |
| Google (OAuth) | Optional "Sign in with Google" authentication | Email address, first and last name (from your Google account, only if you choose this sign-in method) | EU / USA (SCCs in place) |
| OpenRouteService | Calculating estimated cycling time from a listing to TU Delft campus, shown in alert emails | Listing coordinates (public property address data, not your personal data) | EU (Germany) |
| Nominatim / OpenStreetMap | Geocoding listing addresses to coordinates for the above routing calculation | Listing addresses (public property address data, not your personal data) | EU |
We do not use Google Analytics, Facebook Pixel, or any advertising trackers on our service.
Where processors are located outside the EEA (e.g. Stripe and Google in the USA), transfers are made under the European Commission's Standard Contractual Clauses (SCCs) per GDPR Art. 46.
8. Your rights
Under the GDPR (and the Dutch UAVG implementing law), you have the following rights regarding your personal data. You can exercise most of them directly from your dashboard:
Access (Art. 15)
Request a copy of all personal data we hold about you.
Rectification (Art. 16)
Correct inaccurate or incomplete data. Update your email and filters in your dashboard at any time.
Erasure (Art. 17)
Request deletion of your account and all associated personal data, subject to retention obligations (e.g. tax records).
Portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON / CSV) to transfer to another service.
Restriction (Art. 18)
Ask us to pause processing of your data while a dispute or complaint is being resolved.
Objection (Art. 21)
Object to processing based on legitimate interest. We will stop unless we can show compelling legitimate grounds.
Withdraw consent (Art. 7)
Where processing is based on consent (e.g. marketing emails), withdraw it at any time without affecting prior processing.
Complaint (Art. 77)
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your rights have been violated.
We will respond to rights requests within 30 days. Complex requests may take up to 90 days — we will notify you within the initial 30 days if this applies.
We may need to verify your identity before processing a request. We will not charge a fee unless the request is manifestly unfounded or excessive.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS 1.2+.
- Passwords are hashed using bcrypt with a cost factor of 12 or higher — we never store plaintext passwords.
- Database access is restricted to application servers within a private network; no direct public access.
- No payment card data is collected during the current free launch period. When billing is introduced, all card processing will be handled exclusively by Stripe — never stored on our servers.
- Access to production systems is limited to authorised personnel and requires multi-factor authentication.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.
10. Changes to this policy
We may update this policy from time to time to reflect changes in the service, applicable law, or our practices. When we make material changes we will:
- Update the "Last updated" date at the top of this page.
- Send a notice to your registered email address at least 14 days before the changes take effect.
Your continued use of the service after a change takes effect constitutes acceptance. If you do not accept the updated policy you may close your account before the effective date.
Prior versions of this policy are available on request.
11. Contact & complaints
For any privacy-related question, a data subject rights request, or to report a potential data breach, contact us at:
Delft Dibs — Privacy
Email: privacy@delftdibs.nl
Response time: Within 5 business days for general enquiries; within 30 days for formal rights requests.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens (AP)
autoriteitpersoonsgegevens.nl
Telephone: +31 (0)70 888 85 00
Bezuidenhoutseweg 30, 2594 AV Den Haag
This policy was written in plain language, but the authoritative version is the English text above. In case of a dispute, Dutch law applies and the competent court is the District Court of The Hague (Rechtbank Den Haag).