Privacy Policy
1. Who We Are and How to Contact Us
1.1 Data Controller
Flatmaters OÜ, a company incorporated in Estonia under e-residency and trading under the commercial name Flatmaters, is the data controller for all personal data processed through the Flatmaters website, platform, and services.
As a company registered in Estonia, a Member State of the European Union, Flatmaters complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all applicable data protection laws.
1.2 Lead Supervisory Authority
The lead supervisory authority for Flatmaters OÜ is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
- Website: www.aki.ee
- Address: Tatari 39, 10134 Tallinn, Estonia
- Email: info@aki.ee
Users resident in other EU/EEA Member States also have the right to lodge a complaint with the supervisory authority of their country of habitual residence.
1.3 Contact
For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data, please contact us at: contact@flatmaters.com
Flatmaters OÜ acts as an independent data controller in relation to all personal data processed through the Platform. Where Property Owners receive personal data of Students in connection with a confirmed Booking, they act as independent data controllers for that data and are solely responsible for ensuring their own compliance with applicable data protection laws.
We do not currently have a designated Data Protection Officer (DPO), as our core activities do not consist of large-scale systematic monitoring of individuals, nor large-scale processing of special categories of data, as defined under Article 37 GDPR. If our processing activities change in a way that triggers the mandatory designation criteria, we will appoint a DPO and update this Policy accordingly.
2. Personal Data We Collect
2.1 Students
When you register as a Student or make a Booking, we collect and process the following categories of personal data:
| Category | Data | Purpose |
|---|---|---|
| Identity | Full name, nationality, passport or government-issued ID number and, where strictly required by applicable local law or building regulations, a copy of the identification document | Account creation, Rental Agreement generation, property access coordination; only where necessary and proportionate to the specific requirement |
| Contact | Email address, phone number | Account management, booking communications, platform notifications |
| Academic | Name of university or institution, enrollment or acceptance status | Eligibility verification, Booking confirmation |
| Booking | Desired stay dates, selected accommodation, Semester Period | Booking processing, Rental Agreement generation |
| Financial | Payment method, transaction references (no full card data stored by Flatmaters) | Payment processing via third-party providers |
| Contractual | Signed Rental Agreement, correspondence related to the booking | Contract management, dispute resolution |
| Technical | IP address, device type, browser, session data, platform usage data | Platform security, fraud prevention, analytics, user experience improvement |
2.2 Property Owners
When you register as a Property Owner or publish a Listing, we collect and process:
| Category | Data | Purpose |
|---|---|---|
| Identity | Full name, nationality, government-issued ID or equivalent authorization documents | Account creation, Listing Agreement, identity and fraud prevention verification, Rental Agreement generation |
| Contact | Email address, phone number, address | Account management, operational coordination, payment processing |
| Property | Property address, photographs, description, pricing, availability, house rules | Listing publication, Rental Agreement generation, platform promotion |
| Financial | Bank account details (for payment transfers via Wise or bank transfer) | Rental payment transfers |
| Contractual | Listing Agreement, generated Rental Agreements, correspondence | Contract management, commission calculation, dispute resolution |
| Technical | IP address, device type, browser, session data, platform usage data | Platform security, fraud prevention, analytics |
2.3 Website Visitors
When you visit the Flatmaters website without registering, we may collect: IP address, browser type and version, operating system, referring URL, pages visited, time and duration of visit, and cookie data. This data is collected automatically through standard web server logs and analytics tools.
3. How We Collect Personal Data
We collect personal data through the following means:
- Directly from you: when you create an account, complete a registration or booking form, sign a Listing Agreement or Rental Agreement, communicate with us by email or through the platform, or submit documentation for verification purposes
- Automatically: when you access or use our website and platform, through cookies, web server logs, and analytics tools (see Section 10)
- From third parties: in limited cases, from payment processors, identity verification services, or other users who provide your data in connection with a booking (for example, when a Property Owner or Student references your contact details)
Users are responsible for ensuring that any personal data they provide is accurate, complete, and up to date. Where a user provides personal data about a third party (for example, a co-tenant), they warrant that they have the legal right to share such data and that the relevant individuals have been informed of this Privacy Policy and the purposes for which their data will be processed.
Flatmaters applies the principle of data minimisation in accordance with Article 5(1)(c) GDPR: we only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Where possible, we use anonymized or aggregated data rather than personal data.
4. Purposes and Legal Bases for Processing
We process personal data only when we have a valid legal basis to do so under Article 6 of the GDPR. The table below sets out our processing activities and their corresponding legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing user accounts | Art. 6(1)(b) – performance of a contract |
| Processing Bookings and generating Rental Agreements | Art. 6(1)(b) – performance of a contract |
| Processing payments and managing financial transactions | Art. 6(1)(b) – performance of a contract |
| Sharing Student identity and university data with Property Owners upon Booking confirmation | Art. 6(1)(b) – performance of a contract; necessary for access coordination and local registration requirements |
| Identity verification and fraud prevention checks (including AML/KYC-style verification) | Art. 6(1)(f) – legitimate interests in preventing fraud, ensuring platform security, and verifying identity; supplemented by Art. 6(1)(c) where a specific legal obligation applies |
| Retaining contractual and financial records | Art. 6(1)(c) – compliance with legal obligations (accounting, tax, civil law) |
| Fraud detection and platform security | Art. 6(1)(f) – legitimate interests of Flatmaters and its users in maintaining a secure and trustworthy platform |
| Platform analytics and user experience improvement (Google Analytics) | Art. 6(1)(a) – your consent, obtained via the cookie consent banner on the Platform |
| Customer support and dispute resolution | Art. 6(1)(b) – performance of a contract; Art. 6(1)(f) – legitimate interests |
| Sending service-related communications (booking confirmations, operational updates) | Art. 6(1)(b) – performance of a contract |
| Sending marketing communications (where applicable in the future) | Art. 6(1)(a) – your consent (you may withdraw at any time) |
| Complying with legal and regulatory obligations and responding to lawful requests from authorities | Art. 6(1)(c) – compliance with legal obligations |
4.1 Legitimate Interests Assessment
Where we rely on legitimate interests (Art. 6(1)(f)), Flatmaters has conducted a balancing assessment and determined that such processing is necessary and proportionate, and does not override the fundamental rights and freedoms of users. In particular: fraud prevention and platform security protect all users equally; platform analytics are conducted only on the basis of user consent, with IP anonymization enabled, and do not result in individual profiling or automated decision-making; and dispute resolution is necessary to enforce rights that both parties have under their contracts. Users retain the right to object to processing based on legitimate interests at any time (see Section 8). These assessments are documented internally and may be provided to supervisory authorities upon request.
4.2 Withdrawal of Consent
Where processing is based on your consent (in particular, marketing communications and non-essential cookies), you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact us at contact@flatmaters.com or use the opt-out mechanism in any marketing communication.
5. Who We Share Your Data With
5.1 Sharing with Other Users
Upon confirmation of a Booking, Flatmaters shares the following Student data with the relevant Property Owner, to the extent necessary for the rental relationship:
- full name
- nationality
- university or institution name
- passport or government-issued ID number and, where strictly required by applicable local law or building regulations, a copy of the identification document (Flatmaters does not systematically store copies of identification documents unless strictly required for a specific legal or regulatory purpose)
This sharing is necessary for the performance of the Rental Agreement (access coordination, building registration requirements in the country of the property) and is limited to what is strictly necessary. Property Owners who receive Student personal data act as independent data controllers for that data and are solely responsible for ensuring their own compliance with applicable data protection laws. Property Owners may only process such data strictly for legal and administrative requirements related to the rental relationship and for no other purpose. Flatmaters requires Property Owners to maintain appropriate confidentiality and security measures for any Student data received.
Students are similarly informed that their Property Owner's name and contact details will be shared with them as part of the Rental Agreement and booking process.
5.2 Service Providers (Data Processors)
Flatmaters uses the following categories of third-party service providers who process personal data on our behalf under data processing agreements:
| Provider / Category | Purpose | Location |
|---|---|---|
| Hostinger | Website and platform hosting | EU / international |
| Google (Google Drive, Google Analytics) | Document storage and operational data management; website analytics | USA (EU-U.S. Data Privacy Framework where applicable, and/or Standard Contractual Clauses (SCCs)) |
| Wise | International payment processing and transfers | UK / EU / international |
| Stripe or equivalent payment provider | Card payment processing | USA (EU-U.S. Data Privacy Framework where applicable, and/or Standard Contractual Clauses (SCCs)) |
| Email service providers (current and future) | Transactional and marketing communications | Varies |
| Legal and compliance advisors | Legal advice, contract review, regulatory compliance | Varies |
Flatmaters does not sell, rent, or trade personal data to any third party for commercial purposes.
5.3 Legal Disclosures
We may disclose personal data to competent authorities, courts, or regulators where required by law, in response to a valid legal request, or where necessary to protect the rights, safety, or property of Flatmaters, its users, or third parties. This includes disclosures required under applicable anti-money laundering and counter-terrorism financing legislation.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of Flatmaters or its assets, personal data may be transferred as part of that transaction. Users will be notified of any such transfer and of any changes to this Privacy Policy that result from it.
6. International Data Transfers
Flatmaters is incorporated in Estonia (EU) and its operations involve the transfer of personal data to countries outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place for all such transfers as follows:
6.1 Transfers to Chile
Chile does not currently have an EU adequacy decision under the GDPR. Where personal data is transferred to Chile (for example, when Student data is shared with a Property Owner located in Chile, or when data is processed by service providers based there), Flatmaters relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU) as the transfer mechanism. Property Owners located in Chile who receive Student personal data are required to process it in accordance with the terms set out in the Listing Agreement and Rental Agreement.
6.2 Transfers to Argentina
Argentina has been recognized as providing an adequate level of data protection pursuant to European Commission Decision 2003/490/EC. Transfers of personal data to Argentina are therefore permitted under GDPR Article 45 on the basis of this adequacy decision.
6.3 Transfers to Other Third Countries
For transfers to other third countries (including the USA, where service providers such as Google and Stripe are based), Flatmaters relies on: (a) the EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023, where the relevant provider is certified under the DPF; and/or (b) Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU), supplemented by appropriate technical and organizational measures where required, in accordance with the requirements established by the Court of Justice of the European Union in Case C-311/18 (Schrems II).
6.4 How to Obtain Transfer Documentation
You may request a copy of the Standard Contractual Clauses or other transfer safeguards applicable to your personal data by contacting us at contact@flatmaters.com.
7. How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal obligations. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, contact details) | Duration of the account + 3 years after last activity or account closure | Legitimate interests; limitation periods for contractual claims |
| Booking and Rental Agreement data (including passport data shared at booking) | Duration of the rental relationship + 5 years where required for legal compliance or dispute resolution purposes | Legal obligation (civil law limitation periods); legitimate interests (dispute resolution) |
| Financial and payment records | 7 years from the date of the transaction | Legal obligation (accounting and tax law in Estonia; applicable local tax law) |
| Identity verification and fraud prevention data | 5 years from the end of the business relationship where required for fraud prevention, dispute resolution, or applicable legal obligations | Art. 6(1)(f) – legitimate interests; Art. 6(1)(c) where a specific legal obligation applies |
| Marketing consent records | Until consent is withdrawn + 3 years (proof of consent) | Legal obligation (accountability under GDPR Art. 7(1)) |
| Technical logs (IP addresses, session data) | 12 months from collection | Legitimate interests (security, fraud prevention) |
| Google Analytics data | 14 months (default Google Analytics retention setting) | Legitimate interests / consent |
| Communications and support tickets | 3 years from last communication | Legitimate interests (dispute resolution) |
At the end of the applicable retention period, personal data is securely deleted or anonymized. Where data is anonymized, it may be retained for statistical or analytical purposes without time limit, as it can no longer identify any individual.
8. Your Rights
Under the GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at contact@flatmaters.com. We will respond within 30 calendar days of receiving your request. Where requests are complex or numerous, we may extend this period by a further 60 days, in which case we will inform you within the initial 30-day period.
| Right | What it means |
|---|---|
| Access (Art. 15) | You may request a copy of the personal data we hold about you and information about how we process it. |
| Rectification (Art. 16) | You may request that inaccurate or incomplete personal data be corrected or completed. |
| Erasure (Art. 17) | You may request that we delete your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful. This right is subject to legal retention obligations. |
| Restriction (Art. 18) | You may request that we temporarily restrict processing of your data in certain circumstances (e.g., while a correction is being verified). |
| Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, commonly used, machine-readable format, and transfer it to another controller. |
| Objection (Art. 21) | You may object to processing based on legitimate interests or carried out for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately. |
| Withdrawal of consent (Art. 7(3)) | Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
| Lodge a complaint (Art. 77) | You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or with the supervisory authority in your country of habitual residence. |
9. Automated Decision-Making and Profiling
9.1 No Fully Automated Decisions
Flatmaters does not carry out fully automated decision-making that produces legal effects concerning users or similarly significantly affects them, within the meaning of Article 22 of the GDPR.
While certain Platform processes are partially automated — in particular, the automatic confirmation of a Booking where a Property Owner does not reject a Booking Request within the 24-hour window — these processes always involve the active participation of the relevant parties. The Property Owner retains the right to reject any Booking Request within the applicable window, meaning no legally binding outcome is produced without an opportunity for human review. Accordingly, these processes do not constitute automated decision-making under Article 22 GDPR.
9.2 Fraud and Security Checks
Flatmaters may use automated tools to flag potentially suspicious activity or identity verification concerns for the purposes of fraud prevention and platform security. Any such flags result in a manual review by Flatmaters staff before any action is taken. No account suspension, transaction block, or other significant measure is applied based solely on automated processing without human assessment.
If you believe that an automated process has produced an incorrect outcome affecting you, you may contact us at contact@flatmaters.com to request a manual review.
10. Cookies and Analytics
10.1 Cookies
The Flatmaters website uses cookies and similar technologies in accordance with the EU ePrivacy Directive (2002/58/EC as amended) and applicable national implementing laws. Cookies are small text files stored on your device that help us operate the platform, remember your preferences, and analyze usage. We use the following categories of cookies:
- Strictly necessary cookies: required for the platform to function (e.g., session management, security). These do not require your consent.
- Analytics cookies: used to collect information about how visitors use our website (e.g., pages visited, time spent, referring sources). We use Google Analytics for this purpose. These cookies are only activated with your consent.
- Preference cookies: used to remember your settings and language preferences. These are activated with your consent.
- Marketing cookies: currently not in use. If introduced in the future, these will require your prior consent.
A detailed list of cookies used is available upon request. You can manage your cookie preferences at any time through our compliant consent management platform (CMP) accessible via the cookie consent banner on our website, or by adjusting your browser settings. Withdrawing consent for analytics or preference cookies does not affect strictly necessary cookies.
10.2 Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (USA). Google Analytics collects data such as your IP address (anonymized by default), browser type, pages visited, and session duration. This data is processed by Google on our behalf under a Data Processing Agreement and is used solely to analyze platform usage and improve our services. IP anonymization is enabled, meaning your full IP address is not stored by Google.
For more information about how Google processes this data, see Google's Privacy Policy. You may opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on. Where applicable, Google acts as an independent data controller for certain processing activities carried out in connection with Google Analytics.
10.3 IP Addresses
We collect and log IP addresses automatically when you access the Flatmaters platform or website. IP addresses are used for: platform security and fraud detection; diagnosing technical issues; and, in anonymized form, for analytics purposes. IP addresses are retained for 12 months from the date of collection and are not used to identify you individually beyond security and fraud prevention purposes.
11. Security
Flatmaters implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures include: encrypted data transmission (HTTPS/TLS) for all data in transit; encryption at rest and pseudonymisation where applicable for stored personal data; restricted access controls and role-based permissions for internal systems; multi-factor authentication requirements for platform administration; secure storage with reputable infrastructure providers subject to confidentiality obligations; internal data handling procedures and staff awareness measures; and regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing, in accordance with Article 32 GDPR.
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Flatmaters will notify the Estonian Data Protection Inspectorate without undue delay and, where required, will notify affected individuals directly. We maintain an internal register of data breaches in accordance with our GDPR accountability obligations.
12. Minors
The Flatmaters platform is intended exclusively for individuals aged 18 years or older. We do not knowingly collect or process personal data of individuals under 18. If we become aware that personal data of a minor has been collected without the required consent, we will take immediate steps to delete it. If you believe that we may have inadvertently collected data from a minor, please contact us at contact@flatmaters.com.
13. Third-Party Links
The Flatmaters platform may contain links to third-party websites or services (for example, university websites, mapping services, or payment providers). Flatmaters is not responsible for the privacy practices, content, or data protection policies of any third-party websites. We encourage you to review the privacy policies of any third-party service before providing your personal data.
14. Changes to This Privacy Policy
Flatmaters reserves the right to update this Privacy Policy at any time to reflect legal, technical, or operational changes. Updated versions will be published on the website with the revised effective date. Where changes are material, we will notify registered users by email or through a platform notification. We encourage you to review this Privacy Policy periodically. Continued use of the platform following the publication of an updated version constitutes acceptance of the changes.
15. Contact
For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data:
- Email: contact@flatmaters.com
- General inquiries: contact@flatmaters.com
- Website: www.flatmaters.com
To exercise your rights under Section 8, please submit your request in writing to contact@flatmaters.com, identifying yourself and specifying the right you wish to exercise. We will respond within 30 calendar days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee) or with the supervisory authority in your country of habitual residence.