Privacy Policy

Last updated: February 2026

We take your privacy seriously. This policy explains exactly what data we collect, why we collect it, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR) and Luxembourg's CNPD regulations.

1. Data Controller

Flatlu is operated by The Tidy Troupe S.à r.l.-S, incorporated in Luxembourg. For all data protection matters, contact us at:

Email: contact@flatlu.lu
Address: Luxembourg City, Grand Duchy of Luxembourg

As data controller, we are responsible for the collection and processing of your personal data as described in this policy.

2. What Data We Collect

We collect different categories of data depending on how you use Flatlu:

Visitors (browsing only):
• IP address and approximate location (country/city)
• Browser type and device information
• Pages visited and time spent (via analytics)
• Cookie data (see Cookie section below)

Review submitters:
• Full name (for verification only — never published)
• Email address
• Government-issued ID (passport or national ID card)
• Rental agreement / tenancy contract
• Property address being reviewed
• Review content and ratings
• Video verification recording (deleted immediately after verification)

Contact form users:
• Name and email address
• Message content

4. How We Use Your Data

Reviewer verification data is used solely to:
• Confirm you are a real person
• Confirm you actually lived at the property you are reviewing
• Prevent fake or fraudulent review submissions
• Cross-reference with Luxembourg Housing Authority records where applicable

Contact data is used solely to respond to your inquiry.

Analytics data is used to improve the platform's performance and user experience.

We do not use your data for advertising or profiling, and we do not sell it to third parties under any circumstances.

5. Data Retention

We retain your data only as long as necessary:
• Identity documents and rental agreements: Permanently deleted within 30 days of successful verification, or immediately upon rejection
• Video verification recordings: Deleted within 24 hours of completion
• Review content (anonymous): Retained indefinitely as it contains no personal identifiers
• Contact form submissions: Deleted after 12 months
• Analytics data: Aggregated and anonymised after 26 months
• Email correspondence: 3 years for legal compliance

You may request immediate deletion of your personal data at any time (see Your Rights section).

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share data with:
• Verification service providers (under strict data processing agreements)
• Hosting and infrastructure providers (Vercel, located in EU data centres)
• Email service providers for transactional emails
• Luxembourg housing authorities solely for tenancy confirmation

All third-party processors are bound by GDPR-compliant data processing agreements. We do not use Google Analytics or Meta Pixel on this platform.

7. Data Security

We implement industry-standard security measures:
• All data transmitted via TLS 1.3 encryption (HTTPS)
• Identity documents stored with AES-256 encryption at rest
• Access to verification data restricted to authorised personnel only
• Regular security audits and vulnerability assessments
• Incident response procedures compliant with GDPR Art. 33 (72-hour breach notification)

Despite these measures, no internet transmission is 100% secure. We will notify you promptly in the event of any data breach affecting your personal data.

8. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:
• Right of access (Art. 15): Request a copy of all data we hold about you
• Right to rectification (Art. 16): Correct inaccurate personal data
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to restrict processing (Art. 18): Limit how we use your data
• Right to data portability (Art. 20): Receive your data in a machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: At any time, without affecting prior processing
• Right not to be subject to automated decision-making (Art. 22)

To exercise any of these rights, contact us at contact@flatlu.lu. We will respond within 30 days. There is no fee for exercising your rights.

9. Complaints & Supervisory Authority

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with Luxembourg's national data protection authority:

Commission Nationale pour la Protection des Données (CNPD)
Website: cnpd.public.lu
Address: 15, Boulevard du Jazz — L-4370 Belvaux, Luxembourg
Phone: +352 26 10 60-1

You may also seek judicial remedy in Luxembourg courts.

10. Cookies

We use only essential and analytics cookies:

Essential cookies (no consent required):
• Session cookies for basic site functionality
• Security cookies to prevent CSRF attacks

Analytics cookies (consent required):
• Anonymous page view tracking to improve our service
• No cross-site tracking, no advertising profiles

We do not use third-party tracking pixels, social media cookies, or advertising cookies. You can manage cookie preferences via the banner shown on your first visit.

11. Children & Minors

Flatlu is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, contact contact@flatlu.lu and we will delete it immediately.

12. Changes to This Policy

We may update this privacy policy periodically. When we make significant changes, we will notify registered users by email and display a notice on our website. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of Flatlu after changes constitutes acceptance of the updated policy.

Questions about your privacy?

Our data protection contact is available at contact@flatlu.lu. We respond to all privacy inquiries within 72 hours.
