House M8

Shared living simplified

Privacy Policy

Version: 1.0 — Effective from [GO-LIVE DATE]

1. Data Controller

[Company name / full name], [address], [email]
Privacy contact: privacy@housem8.app

2. Data collected and purposes

DataPurposeLegal basis
Email, first name, last nameAuthentication and identificationArt. 6(1)(b) — Contract performance
Extended profile (bio, job, languages…)Roommate matchingArt. 6(1)(a) — Consent
Gender, smoking habitRoommate compatibilityArt. 9(2)(a) — Explicit consent
Financial data (expenses, bills)Shared cost managementArt. 6(1)(b) — Contract performance
Stripe customer IDSubscription managementArt. 6(1)(b) — Contract performance
JWT session cookiesAuthenticated session maintenanceArt. 6(1)(f) — Legitimate interest
Language preference cookieLanguage preference storageArt. 6(1)(f) — Legitimate interest

3. Sub-processors (Art. 28)

  • Google LLC — OAuth authentication. EU Standard Contractual Clauses.
  • Resend Inc. — Transactional email delivery. EU Standard Contractual Clauses.
  • Stripe Inc. — Payment processing. EU Standard Contractual Clauses.
  • [Hosting provider] — Application hosting. [Indicate DPA].

4. International transfers

Transfers to Google, Resend and Stripe are made under Standard Contractual Clauses approved by the European Commission.

5. Retention periods

  • Active account: data retained until deletion request.
  • Post-deletion: identifying personal data pseudonymised within 30 days.
  • Expired tokens (email verification, password reset): deleted automatically each night.
  • Used invitations: email anonymised immediately on acceptance.
  • Historical financial data: retained in anonymous form for accounting integrity.

6. Your rights (Art. 15-22)

  • Access (Art. 15): Settings › Privacy › Export data
  • Rectification (Art. 16): Settings › Profile
  • Erasure (Art. 17): Settings › Privacy › Delete account
  • Portability (Art. 20): Settings › Privacy › Download JSON/PDF
  • Withdraw consent (Art. 7): Settings › Privacy › Consents
  • Lodge a complaint: Your national data protection authority

7. Cookies

NamePurposeDurationLegal basis
house_m8_access_tokenAuthenticated session JWT15 minutesLegitimate interest
house_m8_refresh_tokenSession renewalSession / 7 days (remember me)Legitimate interest
i18n_localeLanguage preferenceSessionLegitimate interest