Legal
Privacy Policy
Last updated: July 8, 2026
This Privacy Policy explains how Sudoplz S.R.L., a company incorporated in Romania operating the Nineflat platform (“Nineflat”, “we”, “us”), collects, uses, and protects personal data when you visit nineflat.com or use the platform at app.nineflat.com (the “Service”), in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and applicable national law. For privacy questions: legal@nineflat.com or support@nineflat.com.
1. Our Roles: Controller or Processor
Nineflat acts in two distinct roles:
- As a data controller for your own account data (registration details, subscription billing, settings, usage and security data, support communications, website and marketing data).
- As a data processor for the data that landlords and property managers (our customers) enter and manage through the Service — e.g. tenant details, tenancies, rent payments. The controller for that data is the respective landlord/manager; our processing is governed by the Data Processing Addendum (DPA).
If you are a tenant with questions about how your landlord or property manager handles your data, contact them first; we will assist in fulfilling your rights as the DPA provides.
2. Data We Collect
- Account data: name, email, phone, avatar, language, and settings. Authentication is handled by Clerk (including Google/social sign-in if you choose it).
- Workspace data: properties, tenancies, contacts (tenants, vendors, etc.), charges, invoices, payments, maintenance requests, documents you upload.
- Payment data: card processing is performed by Stripe — we do not store card numbers. We keep transaction records (amounts, dates, status) and, for manual methods, the IBAN details entered by the operator.
- Tenant screening data: if you voluntarily participate in a screening, the documents and information you submit (e.g. proof of income and employment, lease, bank statements) and the data extracted from them.
- E-signature data: signed documents and signature metadata (time, signer, verification details).
- Communications: email/SMS/Viber notifications sent through the Service, delivery status, bounce/spam reports, and unsubscribe records.
- Usage & security data: audit logs of account actions, IP addresses, device/browser information, error reports.
- Website data: cookies and identifiers as described in section 10.
3. Purposes & Legal Bases
- Providing the Service (account, workspaces, payments, notifications, support) — performance of a contract (Art. 6(1)(b) GDPR).
- Tenant screening — you participate at your own initiative through an explicit submission; processing rests on the contract with you and, where required, your consent (Art. 6(1)(a), (b)), which you may withdraw.
- Compliance with legal obligations (tax and accounting records, myDATA transmission on instruction, responding to lawful authority requests) — Art. 6(1)(c).
- Security, fraud prevention, product improvement, and usage measurement — legitimate interests (Art. 6(1)(f)), balanced against your rights.
- Analytics/advertising cookies and marketing communications — consent (Art. 6(1)(a)), which you can withdraw at any time.
4. Tenant Screening & Artificial Intelligence
During tenant screening we use artificial intelligence services (Google Cloud Vertex AI) to extract data from the documents you submit. The following applies:
- Documents are submitted by you, at your initiative; you see in advance what is requested.
- No decision is made by solely automated means (Art. 22 GDPR): the score is assistive and the letting decision is made by a human — the landlord/manager.
- Your data is not used to train general-purpose AI models.
- Retention: screening evidence documents are deleted automatically 30 days after submission (with hard purge from storage within a further 7 days). The summary result is kept as long as needed for the relevant application.
5. Who We Share Data With
We do not sell personal data. We share data only: (a) with members of your workspace, according to the access permissions its administrator configures; (b) with the subprocessors below, to the extent needed to operate the Service; (c) with authorities, where legally required; (d) with the Greek tax authority (AADE myDATA), only on the instruction of the user who triggers the transmission.
- Stripe — payment processing and payouts.
- Clerk — authentication and session management.
- Amazon Web Services (Frankfurt, eu-central-1) — hosting, database, file storage (S3), metrics.
- Mailgun — notification email delivery.
- Infobip — SMS and Viber Business Message delivery.
- Google Cloud (Vertex AI) — data extraction from screening documents.
- Sentry — error and performance monitoring.
- Google Analytics / Google Ads, Meta Pixel — website measurement and advertising, only with your consent (see section 10).
- PostHog — cookieless product usage analytics.
In a corporate transaction (merger, acquisition), data may be transferred to the successor entity under equivalent protections, with prior notice to you.
6. International Transfers
Our primary systems and databases are hosted in the EU (Frankfurt). Some providers (e.g. Stripe, Clerk, Sentry, Google, Meta, Mailgun) may process data in the US or elsewhere outside the EEA. In those cases we rely on European Commission adequacy decisions (including the EU–US Data Privacy Framework) or Standard Contractual Clauses, with supplementary measures where required.
7. Data Retention
- Account data: for as long as the account is active; after deletion it is anonymized (see deletion instructions).
- Financial and tax records (payments, invoices, charges): retained as long as tax and accounting law requires.
- Tenant screening documents: automatic deletion 30 days after submission (+7 days hard purge).
- Email unsubscribe/suppression records: as long as needed to honor your preference.
- Audit logs and backups: backups rotate within 30 days; audit logs are retained for a reasonable period for security and accountability.
- After a customer account terminates: export is available for 30 days, then data is deleted from primary systems (see the DPA).
8. Security
We apply appropriate technical and organizational measures: encryption in transit (TLS) and at rest, least-privilege access controls, audit logging, per-resource and field-level permissions, and restricted engineer access to production systems. No system is perfectly secure; in the event of a breach posing a risk to your rights, we will notify the competent authority and — where required — you, in line with GDPR Articles 33–34.
9. Your Rights
Under the GDPR you have the right to:
- access your data and obtain a copy;
- rectify inaccurate data;
- erasure (“right to be forgotten”), subject to statutory retention obligations;
- restriction of processing and objection to processing based on legitimate interests;
- portability — you can export your data yourself from Settings → Data export;
- withdraw consent at any time, without retroactive effect.
You can delete your account yourself from Settings → Profile, or write to us at legal@nineflat.com. We respond within one month. You also have the right to lodge a complaint with the Romanian supervisory authority ANSPDCP (www.dataprotection.ro) — our lead authority — or with the authority of your place of residence, e.g. the Hellenic Data Protection Authority (www.dpa.gr) in Greece.
10. Cookies & Similar Technologies
We use the following categories:
- Strictly necessary (no consent required): the authentication session cookie (Clerk), the locale preference (nf_locale), and the cookie storing your consent choice (nf_consent).
- Analytics and advertising(consent only): Google Analytics 4, Google Ads, and the Meta Pixel. Until you choose, all related storage stays off (Google Consent Mode v2 defaults to “denied”). If you click “Reject” in the banner, they are never activated.
- Cookieless product analytics: we use PostHog in cookieless mode for aggregate usage measurement.
You can change your choice by clearing the site’s cookies (the banner will reappear) or by contacting us. Rejecting optional cookies does not affect your use of the Service.
11. Email, SMS & Viber Communications
Operational notifications (payment reminders, receipts, tenancy updates) are sent on behalf of your landlord or property manager. You can unsubscribe from optional notifications via the unsubscribe link in any email, and from SMS/Viber by replying STOP. If an email bounces or is marked as spam, the address is automatically added to a suppression list so it receives no further sends. Critical account alerts and payment confirmations are always sent.
12. Children
The Service is not directed at persons under 18, and we do not knowingly collect minors’ data. If you become aware of such collection, let us know and we will delete it.
13. Changes to This Policy
We may update this Policy. For material changes we will notify you by email or a prominent notice on the platform before they take effect. The “Last updated” date at the top reflects the current version.
14. Contact
Data controller: Sudoplz S.R.L., 37C Hagi Dina str., 052161, Bucharest, Romania (Trade Registry no. J2024037446006, VAT no. RO50815930, share capital 200 RON fully paid up), operator of the Nineflat platform. For any privacy matter or to exercise your rights: legal@nineflat.com or support@nineflat.com. We aim to reply within 3 business days and at most within one month for rights requests.