Houskey ("Houskey", "we", "us") helps people find rental housing in the Netherlands by watching listing sources and alerting you when a home matches your preferences. This policy explains what personal data we process, why, on what legal basis, who we share it with, and the rights you have under the General Data Protection Regulation (GDPR).
1. Who we are
Houskey is a service operated by SIMSOFT IT SRL, a limited liability company registered in Romania. Registration details: unique registration code (CUI) 53085024, trade register (ONRC) number J2025096098005, registered office București, Sector 2, Strada Fabrica de Gheață, Nr. 16-18, Romania.
For any privacy matter, contact us at [email protected]. We are the data controller for the personal data described below.
We have not appointed a Data Protection Officer (DPO): our processing does not meet the Article 37 thresholds (we are not a public authority, and our core activity is not large-scale systematic monitoring or large-scale processing of special-category data). We keep this assessment under review and will appoint a DPO if that changes.
2. The personal data we process
| Category | Source | Lawful basis (Art. 6 GDPR) |
|---|---|---|
| Account data: email, name, password (stored only as a salted hash) | You, at registration | Performance of a contract |
| Phone number | You | Performance of a contract (WhatsApp delivery) |
| Telegram username (when Telegram delivery ships) | You | Performance of a contract |
| Search preferences (location, price, size, amenities, free-text wishes) | You | Performance of a contract |
| Match history & message log | Generated by the service | Performance of a contract |
| Payment metadata (Stripe customer ID, card last 4, subscription status) | Stripe | Performance of a contract |
| Invoice records | Generated by the service | Legal obligation (accounting and tax law) |
| WhatsApp inbound message bodies & delivery statuses | Twilio | Performance of a contract |
We do not intentionally collect special categories of personal data (Art. 9). Please do not include such data in free-text preference fields or messages.
3. How we use your data
- Provide the service: match new listings against your preferences and send you alerts on the channel you chose.
- AI matching and drafting: score how well a listing fits your preferences and, on Premium, draft application letters (see section 7).
- Billing: manage subscriptions, trials and invoices through Stripe.
- Support and security: respond to your requests, prevent fraud and abuse, and keep the service secure.
- Service communications: send you transactional messages (e.g. verification, password resets, billing) and material changes to this policy.
4. Sub-processors
We rely on the following processors, who act on our instructions under a data-processing agreement. Each receives only the data needed for its function.
- Stripe Payments Europe Ltd (Ireland): payment and subscription data. We never see or store your full card number.
- Twilio Ireland Ltd (Ireland): phone numbers, inbound and outbound message bodies, delivery status.
- Anthropic Ireland Ltd (or the applicable Anthropic entity): listing descriptions and your preferences, sent for amenity extraction, match scoring and letter drafting. Anthropic does not train its models on data submitted via its API under its terms.
- Railway Corp. (United States): application hosting. Transfers are covered by Standard Contractual Clauses (see section 8).
- Zyte Ltd (Ireland): listings-ingestion infrastructure. This handles public listing data, not your personal data.
- Cloudflare, Inc. (where used): edge delivery and security.
We update this list in the same release that introduces a new processor.
5. Retention
- Account data: kept while your account is active, then deleted within 30 days of a deletion request (allowing for a short backup-rotation window).
- Match and message logs: up to 24 months, to support fraud detection and to improve matching. You can request earlier deletion.
- Invoices: retained for 10 years, as required by applicable accounting and tax law.
- AI-generated artefacts (drafted letters, amenity payloads): tied to the lifecycle of the accommodation they relate to.
6. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, data portability, objection, and to withdraw consent at any time (without affecting prior processing). To exercise any of these, email [email protected]; self-service controls in your account will follow. We respond within one month.
You also have the right to lodge a complaint with a data-protection supervisory authority. Our lead supervisory authority is the Romanian ANSPDCP (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, dataprotection.ro). You may also complain to the authority in your own EU country. For residents of the Netherlands, that is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
7. Automated decision-making
Houskey uses AI to score how well each new listing matches your preferences, and to help detect fraudulent or spam listings. This filters which alerts you see; it does not produce legal or similarly significant effects about you within the meaning of Article 22. You remain in control: you decide your preferences, and you decide whether to act on any alert.
8. International transfers
Most processing happens within the EU/EEA. Where a processor is outside the EEA (notably Railway, in the United States), the transfer is protected by the European Commission's Standard Contractual Clauses and appropriate supplementary measures. Stripe, Twilio and Anthropic operate through their Irish (EU) entities for our service.
9. Cookies
We use a small set of cookies and similar technologies. Strictly necessary cookies keep you logged in and secure; non-essential cookies load only after you consent. Full detail, and your consent controls, are on our Cookie Notice (linked below).
10. Children
Houskey is not directed at people under 18, and we do not knowingly collect their data. If you believe a minor has provided us personal data, contact [email protected] and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves. For material changes we will notify registered users by email at least 30 days before they take effect. The "Last updated" date above always reflects the current version.
12. Contact
Questions about this policy or your data: [email protected].