Draft — not yet in force. Last edited [DATE].
This policy explains what personal data SpotView collects, why, and what rights you have over it. SpotView is pre-launch: today we only process the details you submit through our waitlist and early-access forms. The sections below describe the full service so they are ready when bookings open.
The data controller is [LEGAL ENTITY NAME], [LEGAL FORM], registered with the Dutch Chamber of Commerce under KvK number [KVK NUMBER], at [REGISTERED ADDRESS].
For any question about this policy or your data, contact [PRIVACY CONTACT EMAIL]. [If a Data Protection Officer is appointed, name and contact them here — an obligation to appoint one should be assessed against Art. 37 GDPR.]
Waitlist and early-access forms: your name, email address, phone number, country, and anything you write in the free-text fields.
Account data: your email address and authentication identifiers. If you sign in with Apple or Google, we receive the identifiers that provider returns to us.
Booking data: the viewing address, date, listing link, the questions you want asked, and the report produced for you — including photos, video, checklist answers and the viewer's written verdict.
Viewer data: identity verification data required to onboard a viewer, their approximate location at check-in, and the ratings they accumulate.
Messages you exchange with your viewer or our team through the app.
Technical data your browser or device sends when you use the service, such as IP address and device information. [Confirm exactly what is logged, by which service, and for how long.]
To deliver a booking you asked for, including matching you with a viewer and producing your report — performance of a contract (Art. 6(1)(b) GDPR).
To verify a viewer's identity before they can accept work — [legal basis to confirm: likely legitimate interest in platform safety and fraud prevention under Art. 6(1)(f), to be assessed; note that identity documents may engage Art. 9 if biometric data is involved].
To contact you about early access after you submit a waitlist form — consent (Art. 6(1)(a)), which you can withdraw at any time.
To meet our legal obligations, such as tax and accounting record-keeping — Art. 6(1)(c).
We do not sell your personal data.
We use processors to run the service: [Supabase — database, authentication and file storage; confirm the hosting region and whether an EU region is in use], [Vercel — website hosting], [Didit or the chosen KYC provider — identity verification], [Firecrawl — reading the public listing page you link to], [Google Fonts — the font is currently requested from Google's CDN, which discloses visitor IP addresses to Google; see section on international transfers].
A data processing agreement must be in place with each of these before launch. [Confirm signed DPAs and record them.]
Your viewer receives the information they need to attend your viewing — the address, the date, and the questions you want asked.
[Some processors listed above may process data outside the European Economic Area. For each one, identify the transfer and the safeguard relied on — an adequacy decision, Standard Contractual Clauses, or another Chapter V GDPR mechanism — and state it here. Do not publish this page until each transfer is mapped.]
Waitlist and early-access submissions: [RETENTION PERIOD].
Account and booking data: [RETENTION PERIOD].
Identity verification data: [RETENTION PERIOD — should be the shortest period that meets the verification purpose].
Records we must keep by law, such as invoices: for the period Dutch law requires (currently seven years for accounting records).
You have the right to access your data, to have it corrected, to have it erased, to restrict or object to our processing of it, and to receive it in a portable format. Where we rely on consent, you can withdraw it at any time without affecting processing that already happened.
To exercise any of these, write to [PRIVACY CONTACT EMAIL]. We will respond within one month.
If you are not satisfied with our response, you can lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority where you live.
[Audit what the site actually stores on a visitor's device before completing this section. At the time of writing the app stores a language preference and an authentication session in your browser's local storage; both are needed for the service to work. If any analytics or marketing technology is added, a consent mechanism is required before it loads.]
If we change this policy we will update the date at the top of this page. [Decide and describe how material changes will be communicated to existing users.]