🇪🇺 Your data stays in Europe. All Flatly servers are hosted in Germany (Frankfurt), within the European Union, in compliance with the GDPR.
Data Controller
The data controller for personal data collected through the Flatly app and flatly.fr website is:
- Maxime Huot
- Email: hello@flatly.fr
For any questions about how your data is handled, please contact us at the address above.
Data We Collect
2.1 Data you provide
| Data | When collected | Required |
|---|---|---|
| Email address | Account creation | Yes |
| Password (hashed) | Account creation | Yes |
| Username | Profile settings | No |
| Profile picture | Profile settings | No |
| Review content (text, ratings) | Publishing a review | Yes (to publish) |
| Verification documents (lease, bill) | Optional review verification | No |
| Questions and answers | Q&A system | No |
2.2 Data collected automatically
| Data | Purpose |
|---|---|
| IP address | Security, abuse prevention |
| Session identifier | Authentication |
| Address page views | Impact statistics (anonymised) |
| Helpful votes on reviews | Community feature |
Reviews are published anonymously. Your identity is never publicly displayed on Flatly.
Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Managing your user account | Contract performance (Art. 6.1.b) |
| Publishing and moderating reviews | Contract performance (Art. 6.1.b) |
| Sending transactional emails (account confirmation, review status) | Contract performance (Art. 6.1.b) |
| Fraud and abuse prevention | Legitimate interests (Art. 6.1.f) |
| Legal compliance (Decree 2017-1436, LCEN) | Legal obligation (Art. 6.1.c) |
| Anonymised usage statistics | Legitimate interests (Art. 6.1.f) |
Flatly does not send marketing emails without prior explicit consent, and never sells data to third parties.
Retention Periods
| Data | Retention |
|---|---|
| User account and profile data | Until account deletion + 30 days |
| Published reviews | For the life of the Service, or until deletion on request |
| Verification documents | Until moderation decision, then deleted |
| Security logs (IP, sessions) | Maximum 12 months |
| Transactional emails | Resend history: 90 days |
Deleting your account results in the irreversible anonymisation of your published reviews (reviews remain visible but are no longer linked to your identity) and the deletion of all other personal data.
Who Receives Your Data
Your data is shared only with the technical sub-processors strictly necessary to run the Service:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database, authentication, storage | 🇩🇪 Frankfurt, Germany (EU) |
| Resend | Transactional email delivery | 🇺🇸 United States (SCCs) |
| Google (Places API) | Address search and normalisation | 🇺🇸 United States (SCCs) |
| Vercel | flatly.fr website hosting | 🇺🇸 United States (SCCs) |
Flatly never sells, rents, or shares your personal data with third parties for commercial, advertising, or any other purposes.
Transfers Outside the EU
Some of our sub-processors (Resend, Google, Vercel) are based in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46 of the GDPR.
Data stored in our primary database (Supabase) remains exclusively in Germany.
Your Rights
Under the GDPR (Articles 15–22), you have the following rights:
- Access: Get a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Delete your account and data
- Restriction: Limit certain processing
- Portability: Receive your data in a readable format
- Objection: Object to certain processing
To exercise these rights, email hello@flatly.fr. We will respond within 30 days.
You also have the right to lodge a complaint with the CNIL (France's data protection authority, cnil.fr) if you believe your rights are not being respected.
If you are based outside France, you may also contact your local supervisory authority within the EU.
Cookies and Trackers
The Flatly mobile app does not use cookies in the traditional sense.
The flatly.fr website uses only:
- Strictly necessary technical cookies (session, security), exempt from consent requirements;
- No advertising or third-party tracking cookies.
Flatly displays no advertising and does not engage in behavioural tracking for commercial purposes.
Security
Flatly implements the following technical and organisational measures to protect your data:
- Encrypted communications via HTTPS/TLS;
- Hashed passwords (never stored in plain text);
- Database-level access control via Row Level Security (RLS);
- Verification documents stored in a private, publicly inaccessible bucket;
- Restricted admin access.
In the event of a data breach likely to result in a high risk to your rights and freedoms, you will be notified as soon as possible in accordance with Article 34 of the GDPR.
Changes to This Policy
Flatly reserves the right to update this policy at any time. For material changes, you will be notified by email with 30 days' notice.
The current version is always available at flatly.fr/en/privacy.html.
Questions about your data?
We handle every request within 30 days, no exceptions.
Write to hello@flatly.fr