Privacybeleid
Version 1.0 — April 2026 · Also available in Français · Nederlands
1. Who we are
Huurly is a rental management platform for private Belgian landlords. The service is operated as a natural person business (pending registration as a BV). For the purpose of this policy, the data controller is:
Huurly
Belgium
Email: privacy@huurly.com
The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) supervises GDPR compliance in Belgium: www.gegevensbeschermingsautoriteit.be
2. What data we collect and why
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Account login, transactional emails | Contract performance | 5 years after account deletion |
| Full name | Your account profile and document generation | Contract performance | 5 years after account deletion |
| Property address | Rent indexation calculation, document generation | Contract performance | Until deleted by user |
| Tenant data (name, email, phone) | Lease management, tenant portal, email notifications | Contract performance + Legitimate interest | Until deleted by user |
| Payment records | Payment tracking and reporting | Legal obligation (tax records) | 7 years (Belgian accounting law) |
| Language preference | UI localisation (cookie) | Legitimate interest | Session / 1 year |
| Session cookies | Authentication (required for login) | Strictly necessary | Session |
3. Where your data is stored
All data is stored in the European Union exclusively. We use:
- Supabase — PostgreSQL database hosted in Frankfurt, Germany (AWS eu-central-1). Supabase security policy.
- Resend — transactional email delivery. EU data processing agreement in place.
- Cloudflare Workers — edge hosting with data residency controls. No personal data stored at edge nodes.
- Pingen.be — Belgian registered letter delivery service (optional, only when you send a letter).
No data is transferred outside the EEA.
4. Uw rechten (GDPR artikelen 15–22)
You have the right to:
- Inzage — vraag een kopie op van alle gegevens die wij over u bewaren
- Rectificatie
- Verwijdering
- Overdraagbaarheid
- Bezwaar
- Beperking
To exercise these rights: email privacy@huurly.com. We respond within 30 days. You also have the right to lodge a complaint with the Belgian DPA: file a complaint.
5. Cookies
We use only strictly necessary cookies — no tracking, no advertising, no analytics. The only cookies set are:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication session token (Supabase) | Session |
| sb-refresh-token | Session refresh token (Supabase) | 1 hour |
| LOCATIO_LOCALE | Language preference | 1 year |
Under Belgian law (Electronic Communications Act 2015 + GDPR), these cookies are classified as strictly necessary functional cookies and do not require consent. No consent banner is shown because there are no non-essential cookies. See our Cookie Policy for details.
6. Data sharing
We never sell your data. Data is shared only with the processors listed in section 3, and only to the extent necessary to deliver the service. When you send a registered letter via Pingen.be, your recipient's name and address are transmitted to Pingen to enable physical delivery — this is required by the service.
7. Security
- HTTPS (TLS 1.3) on all connections
- Database encrypted at rest (AES-256)
- Documents stored in a private Supabase Storage bucket with signed URLs (60 second expiry)
- Row-level security (RLS) — you can only access your own data
- Passwords never stored — authentication via Supabase Auth (bcrypt hashed)
- Magic links expire after 1 hour
8. Contact
Questions about this policy: privacy@huurly.com
Belgian Data Protection Authority: gegevensbeschermingsautoriteit.be · +32 2 274 48 00