Privacy Policy
Last updated: May 2026
1. Who we are
Haus Together is operated by Koostory UG (haftungsbeschränkt), Akazienstraße 3A, 10823 Berlin, Germany (the "data controller"). For the full legal notice see our Impressum. Questions about this policy: ilmokoo@koostory.net.
2. What data we collect
Web application
- Account information: name, email address, password (stored as a bcrypt hash — never plain text)
- Property listings you add: URL, title, address, price, rooms, size, images, notes
- Project and team data: project names, member relationships, comments
- Subscription information processed via Stripe (we do not store card details)
- Session data for keeping you logged in
Chrome extension
- Your API key, stored locally in your browser using
chrome.storage.local— never sent anywhere except to haustogether.com - Listing data extracted from property portals (title, price, address, description) — only when you actively click Add to Pool
- The extension does not track your browsing history or read pages you have not explicitly chosen to save
3. Legal basis for processing (Art. 6 GDPR)
We process your personal data only where we have a lawful basis to do so:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — performance of contract |
| Providing the property shortlisting service | Art. 6(1)(b) — performance of contract |
| Processing subscription payments via Stripe | Art. 6(1)(b) — performance of contract |
| Sending transactional emails (invites, password reset, viewing notifications) | Art. 6(1)(b) — performance of contract |
| Sending onboarding emails after signup | Art. 6(1)(f) — legitimate interest (helping users get started) |
| AI analysis of property listing text | Art. 6(1)(b) — performance of contract |
| Security, fraud prevention, and service integrity | Art. 6(1)(f) — legitimate interest |
| Compliance with legal obligations (e.g. tax records) | Art. 6(1)(c) — legal obligation |
4. Data sharing and processors
We share your data only with the following sub-processors required to operate Haus Together:
| Provider | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database hosting | EU (Frankfurt) |
| Stripe | Payment processing | USA (SCCs apply) |
| Resend | Transactional email delivery | USA (SCCs apply) |
| Cloudflare R2 | Image storage | EU region |
| Anthropic | AI analysis of listing text (no personal data sent) | USA (SCCs apply) |
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as the appropriate safeguard under Art. 46 GDPR. We do not sell, rent, or share your personal data with any other third parties.
5. Data retention
- Account and listing data — retained for as long as your account is active, then deleted within 30 days of account deletion
- Session tokens — expire after 30 days of inactivity
- Payment records — retained for 10 years as required by German tax law (§ 147 AO)
- Email logs — retained by Resend per their own retention policy (typically 3 days)
To request deletion of your account and data, contact us at ilmokoo@koostory.net. We will process deletion requests within 30 days.
6. Cookies and local storage
We use a single session cookie (session) strictly necessary
to keep you logged in. No third-party tracking, analytics, or advertising cookies are used.
The Chrome extension uses chrome.storage.local to store
your API key — this data never leaves your device except when authenticating with haustogether.com.
Because we use only strictly necessary cookies, no cookie consent banner is required.
7. Automated decision-making
Haus Together uses Anthropic's AI to analyse property listing text (e.g. to extract structured data or generate summaries). This processing is applied to listing content only — not to personal data — and does not produce any decision that has a legal or similarly significant effect on you (Art. 22 GDPR).
8. Your rights (GDPR)
As a data subject you have the following rights under the GDPR:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Restriction (Art. 18) — request that we limit how we use your data
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
To exercise any of these rights, contact us at ilmokoo@koostory.net. We will respond within 30 days.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority if you believe your personal data is being processed in violation of the GDPR (Art. 77 GDPR). The competent supervisory authority for Koostory UG is:
Berliner Beauftragte für Datenschutz und InformationsfreiheitFriedrichstr. 219
10969 Berlin
Germany
www.datenschutz-berlin.de
10. Changes to this policy
We may update this policy from time to time. The date at the top of this page reflects the most recent update. For significant changes we will notify you by email at least 14 days in advance.