Flatable Privacy Policy  

(GDPR & Swiss FADP Compliant)

Effective Date: October 8, 2025

Introduction

Welcome to Flatable! We are a Switzerland-based mobile app that helps students and young professionals find and manage shared living arrangements. Your privacy is very important to us. This Privacy Policy explains what personal data we collect, how we use and share it, and your rights. We comply with the EU General Data Protection Regulation (GDPR) and Switzerland’s data protection laws in handling your information. By using Flatable, you agree to the practices described in this Policy. If you have any questions, please contact us using the details at the end of this document.

Personal Data We Collect

We collect various types of personal information when you use Flatable, including:

Profile and Account Information: When you create a profile, we collect information like your name, email address, profile photo, and other details you choose to add about yourself (e.g. bio, interests, roommate preferences). This is needed to set up your account and let other users know who you are.

Location Data: With your permission, we may collect your device’s approximate or precise location. For example, you might enable location services to find nearby flatshares or show your city on your profile. Location data is considered personal data under GDPR, so we will only collect it if you consent via your device settings. You can disable location access at any time in your device or app settings.

Shared Living Details: If you list or join a flatshare, we may collect information about the accommodation and living arrangement, such as the address or neighborhood (for mapping purposes), rent amount, and any preferences or house rules you specify.

Messages and Communications: Flatable allows you to send messages and chat with potential roommates or flatmates. We process the content of these messages and any attachments or images you send through the app, as well as metadata like the time and recipients. We need to handle this data to deliver your messages to the intended users. Please note: private messages are visible only to the participants, but we may review content if required for safety (e.g. if a message is reported for violating our terms).

Usage Data: We collect information about how you use the app. This includes your interactions and activities on Flatable (e.g. swiping on profiles, joining a group chat, scheduling a viewing), timestamps of logins, and features you use. We also collect technical data like your device model, operating system, unique device identifiers, IP address, app version, and crash logs. This usage and device information helps us understand performance and improve our services.

Cookies and Similar Technologies: If you use our website or if our app integrates web views, we may use cookies or similar tracking technologies. These help remember your preferences, keep you logged in, and analyze usage of our site/app. For example, we might use a cookie to save your language preference or a mobile ad identifier to measure app installs. You can control cookies through your browser settings and control mobile tracking via your device’s privacy settings. (See Cookies & Tracking section below for more details.)

Social Login Data: If you sign up or log in via a third-party account (like Sign in with Google, Facebook, or Apple), we receive certain profile information from that provider – for example, your name, email, and public profile ID. We only use this information for account creation and authentication. Social login is optional, and the social network’s privacy policy will also apply to the data they provide.

Payment Information: If in the future Flatable offers paid features (such as premium subscriptions or processing rent payments), any payment transactions may be handled by third-party payment processors. We would collect only the necessary information to facilitate payment (e.g. your subscription selection or transaction ID) while sensitive payment details like credit card numbers are handled directly by the secure third-party processor (such as Stripe or PayPal). We do not store your full payment card details on our systems; we only receive confirmation of payment or basic billing info as needed for accounting.

We collect only the data that is necessary to provide our services and fulfill the purposes described in this Policy. You always have the choice not to provide certain info; however, some features (for example, creating a profile or using location-based search) may require that information to function.

How We Use Your Personal Data

We use the collected data to operate, provide, and improve the Flatable app and services. Specifically, we may use your personal information for the following purposes:

Providing the Service: To register you as a user, create your account and profile, and enable you to use the app’s features. For example, we use your profile info and preferences to match you with potential roommates or flatshares, and your messaging data to deliver chats to other users. This processing is necessary to perform our contract with you (the Terms of Service) by connecting you with shared living opportunities.

Matching and Social Features: To suggest compatible roommates or living arrangements, we might use algorithmic matching based on the information you provide (such as lifestyle preferences or housing needs). We also display parts of your profile to other users (e.g. your first name, age, photo, interests) so that you can socialize and connect. Any content you post on your profile or in group forums will be visible to others in the app as appropriate.

Geolocation Uses: If you have agreed to share location, we use your location data to show nearby listings or to display your general area on your profile (for instance, showing the city/neighborhood you are in). This makes it easier to find local housing matches. You can control whether location is shown or used, by adjusting your settings (consent can be withdrawn at any time).

Communication: To send you service-related communications. We will use your email address or in-app notifications to send confirmations, updates about matches or messages (for example, “You have a new message from a potential roommate”), and important account or transaction information. These are not marketing messages, but rather essential communications to operate the service (e.g., verifying your email, notifying you of changes to our terms or privacy policy, or updates about a housing application you submitted). You cannot opt out of these essential service communications, as we send them to fulfill our contract with you.

Marketing and Newsletters: If you have opted in, we may use your contact information to send you marketing communications, such as our newsletter, special offers, surveys, or promotions about Flatable’s services. We might also send push notifications for promotional purposes if you allow it. We only send marketing emails or show marketing notifications with your consent or as otherwise permitted by law. You have the right to opt out of marketing at any time (see Marketing Communications & Choices below). We will make it easy to unsubscribe or withdraw consent.

Analytics and Product Improvement: To analyze how users behave on our app and improve our platform. We monitor usage data, device information, and cookies/SDK data to understand app performance, user engagement, and trends. For instance, we might track which features are most used or if the app crashes on certain devices. This helps us fix bugs, optimize the user experience, and develop new features. We typically rely on legitimate interests for this processing – improving our product is beneficial for our users and our business, and we do it in a privacy-conscious manner (often using aggregated or anonymized data). We may use third-party analytics tools to assist with this (see Third-Party Tools & SDKs section).

Safety and Trust & Support: To maintain a safe and trustworthy community. We may process personal data to prevent fraud, scams or illegal activities on the app and to enforce our community guidelines. For example, we might use ID verification or check profile photos to reduce fake accounts, and use automated systems to detect scam messages. If we detect potentially harmful or suspicious activity (like someone sending spam or harassment), we may review the relevant data and take appropriate action (which could include warning, blocking or reporting users as needed). We also keep logs and records as needed to investigate or handle any user reports or disputes. This is based on our legitimate interest in keeping Flatable safe and may also be necessary for legal compliance (e.g. if we need to cooperate with law enforcement).

Payments and Transactions: If you make or receive payments via Flatable (for example, paying a roommate-finding success fee or splitting bills through a future management feature), we use your data to facilitate that transaction. This includes processing payments via our third-party payment processor and keeping records of transactions. Such processing is done to perform the contract (providing the service you requested) and to meet legal obligations (like financial record-keeping and fraud prevention).

Legal Compliance: To comply with applicable laws, regulations, and legal processes. We may process and retain some of your information as necessary to fulfill our legal obligations – for instance, keeping records for tax/audit purposes, or responding to lawful requests by public authorities. If we are under a legal duty to disclose data (e.g., a court order or government demand), we will only disclose what is required by law.

Other Purposes with Consent: If we want to use your data for a purpose that is not covered above, we will explain it to you and ask for your consent. For example, if in the future Flatable wants to use your testimonial or profile in marketing material, we would ask for your permission. You are free to refuse or revoke consent at any time for such purposes.

We always ensure we have a valid lawful basis for processing your data (see Legal Bases below). We do not use your personal data for any profiling or automated decision-making that produces legal or similarly significant effects without human involvement. If we ever introduce automated decisions that could significantly affect you, we will comply with GDPR’s safeguards, and you would have the right not to be subject to such decisions without intervention.

Cookies & Tracking Technologies

Like many apps and websites, Flatable and our partners use cookies and similar tracking technologies to recognize you and collect information. Here’s how we use them:

On Our Website: If you visit our website (for example, to read this policy or learn about Flatable), we may place small data files called cookies in your browser. These cookies allow the site to function (e.g., keeping you logged in or remembering your language preference) and to collect analytics about site usage. We may use both session cookies (which expire when you close your browser) and persistent cookies (which remain for a set period or until deleted). You can control or delete cookies through your browser settings. Note that if you disable certain cookies, parts of our site might not work properly (for example, you might not be able to log in via the web interface if we offer one).

In the Mobile App: Mobile apps do not use “cookies” in the traditional sense, but we and our third-party providers use equivalent tools in the app environment. For instance, we use mobile SDKs and device identifiers to collect usage data. Your device has an advertising identifier (such as Apple’s IDFA or Google’s Advertising ID) which we or our analytics partners might use to understand how users found our app (e.g., to measure ad campaign effectiveness) and whether you engage with certain content. We may also store small amounts of data locally in the app’s storage (similar to cookies) to remember your in-app preferences and login state.

Analytics: We utilize third-party analytics services (described more in the next section) that may set their own cookies or tracking tech. For example, if we use Google Analytics on our web landing page, Google may set cookies to collect website traffic stats. In the app, analytics SDKs collect information like how often you use the app, what screens or features you visit, and crash reports. This information helps us improve the app’s functionality and performance. These tools might use both device identifiers and server logs to track user activity.

Push Notification Tokens: When you install Flatable, your device may generate a push notification “token” (a unique ID) so that we can send push notifications to your device. This token is stored and used by us (via Apple’s or Google’s push notification service) to deliver notifications. It isn’t a human-readable piece of data, but it is unique to your device+app combination. We use it purely to send you notifications you’ve enabled (for example, a new message alert). You can disable push notifications anytime in your device settings if you no longer want to receive them.

Advertising Cookies: Currently, Flatable does not host third-party ads within the app. If in the future we introduce advertising, we will update this policy to explain any ad-related cookies or trackers. Any such trackers would only be used in compliance with privacy laws (for example, obtaining consent if required).

Your Choices: Most web browsers allow you to refuse cookies or alert you before accepting them. On mobile, you can usually limit ad tracking or reset your device’s advertising ID. Flatable honors the settings you configure. Additionally, if we ever implement an in-app preferences center for analytics or marketing cookies, we will inform you and allow you to opt in/out easily.

By using our site or app with cookies enabled, you consent to our use of cookies and similar technologies as described here. For more details or questions about our use of cookies, feel free to contact us.

Third-Party Tools & SDKs

Flatable integrates several third-party services and Software Development Kits (SDKs) to provide important functionality. We want to be transparent about these third parties, what data they collect, and how they use it:

Analytics Providers: We use third-party analytics tools (such as Google Analytics for Firebase, or similar services) to understand how users engage with Flatable. These tools may automatically collect data like your device identifiers, usage times, pages or screens viewed, and interactions within the app. This information helps us diagnose issues and improve user experience. The analytics providers process this usage data on our behalf and are bound by contractual privacy obligations. For example, Google’s analytics SDK might record events (like “opened app” or “sent message”) and provide us aggregated reports. We do not use analytics data to identify you personally – it’s mainly statistical. You can opt out of certain analytics by disabling them in app settings (if available) or by enabling “Limit Ad Tracking” on iOS / “Opt out of Ads Personalization” on Android, which some SDKs honor for limiting tracking.

Crash Reporting and Performance: To maintain app stability, we may use tools like Firebase Crashlytics or Sentry. These tools automatically report app crashes or bugs to us, along with device information (like model, OS version) and the state of the app when the crash happened. This helps us fix issues quickly. Crash reports may include user IDs or session IDs but do not intentionally collect your message content or profile data – they focus on technical diagnostics.

Payment Processors: If you make payments through Flatable (for example, paying a subscription or a fee), payments are processed by third-party payment gateways such as Stripe, PayPal, or in-app purchase systems (Apple App Store, Google Play). These third parties will receive the data necessary to process the payment (such as your credit card info, billing name, and transaction amount). We ensure that our payment processors are PCI-DSS compliant and reputable. They may store your payment data to facilitate recurring payments (like subscription renewals), but this is governed by their own privacy policies. We do not store full payment details ourselves, though we keep records of transactions (date, amount, product) for accounting.

Social Login Providers: As noted, if you choose to log in via a social network or third-party account (Google, Facebook, Apple, etc.), those providers handle the authentication and ask your permission to share certain data with us (such as your name and email). We use that data to set up your Flatable profile quickly. We do not post anything to your social profiles. Be aware that those providers may collect information about your log-in to Flatable (for instance, Facebook could know you used their login on our app). This interaction is governed by the third-party’s privacy terms. You can revoke Flatable’s access via your social account settings at any time.

Map Services: To enhance location-based features, we might use mapping or location services (for example, Google Maps SDK) to show map previews of listings or help you visualize distances. If so, when you use a map feature, Google (or the map provider) may collect data such as your IP address or location coordinates to provide the map tiles and geocoding. This is similar to how any web map integration works. The map views are provided by the third party under their terms (e.g., Google’s Privacy Policy), and we only use them to help you interact with our service (like showing a pin on a map for a flat’s neighborhood).

Push Notification Service: Our app uses Apple Push Notification Service (APNS) for iOS devices and Firebase Cloud Messaging (FCM) for Android to deliver push notifications. These are third-party systems by Apple and Google respectively. In order to send a push, we must share the device push token (a random identifier) with these services, and they will handle delivering the message to your device. The content of notifications (like “You have a new message on Flatable”) is created by us but delivered by Apple/Google systems. Both Apple and Google claim not to use push notification data for any other purposes than delivering the message, but technically your device may contact their servers to receive the push.

Other Service Providers: We rely on additional trusted third parties to run Flatable: for example, cloud hosting providers (to host our servers and databases), email service providers (to send out verification or newsletter emails), and customer support tools (to help manage user inquiries). These providers only process your data on our instructions and for our purposes. We do not sell your personal data to any third parties. All service providers are subject to strict data protection agreements which bind them to keep your information confidential and secure. We host our infrastructure on DigitalOcean servers located in Frankfurt (Germany) to ensure data stays within privacy-compliant jurisdictions.

In all cases, we carefully vet our third-party partners to ensure they have strong privacy and security practices. We list the main categories of third-party tools above; if you would like more detail on specific providers (e.g. the exact analytics or payment services we use), feel free to contact us. We will update this Privacy Policy if we add or change significant third-party integrations.

Messaging and Social Features

Flatable is a social platform for shared living, so please be aware of how your information is shared within the app:

Profile Visibility: By default, certain profile details you provide (first name, age, pronouns if added, profile picture, bio, lifestyle tags, etc.) will be visible to other registered users of Flatable. This is necessary for the matching process – others need to see who you are in order to connect. Sensitive contact info like your email or phone number is not displayed to others by Flatable. We encourage you to be mindful of what information you put in free-text fields like your bio or chat messages – do not include contact details or anything you wouldn’t want to share.

Search and Matching: Other users can discover your profile through search or our swipe/matching feature if your preferences align. For example, if you’re looking for a flat in Zurich, your profile might appear in the results for others seeking roommates in Zurich. You can control some visibility through app settings (for instance, possibly by toggling whether your profile is visible when you’re marked as “actively looking” – refer to app options, if available).

Messaging: When you send a message through Flatable’s chat, the recipients will see the messages and any information you include in them. Messages are intended to be private between you and the other user(s) in that chat. We do not publish your messages publicly. However, we cannot prevent recipients from saving or sharing the messages you send them. For example, someone could take a screenshot of a chat. Please communicate respectfully and be cautious about sharing sensitive personal information in chats. Flatable is not responsible for what recipients do with information you send them.

Group Living Arrangements: If Flatable has features like group chats for a specific flatshare or events, the information you share in those group settings will be visible to all members of that group. For instance, if you join a group chat for “Flat #5 at Example Street,” all other roommates or applicants in that group chat will see your messages and profile name/photo.

Social Networking Connections: Flatable might allow you to link or display your social media profiles (such as linking your Instagram handle on your profile). This is completely optional. If you choose to share that, you understand that anyone viewing your Flatable profile can see and potentially visit your social link. We encourage caution in linking accounts and recommend you review those platforms’ privacy settings as well.

User-Generated Content: Any content you post on public or semi-public areas of the app (for example, a forum or Q&A section if available) will be viewable by others. Content you post could potentially be indexed by search engines if those sections are public on the web (though currently, Flatable is primarily an app, so most user content stays within the app’s community). We may moderate or remove content that violates our policies, but we are not responsible for personal data you voluntarily post publicly.

Inviting Friends: If you use a referral feature to invite friends to Flatable, you might provide us someone else’s email or phone number. In such cases, you should only invite people you know and who would expect to receive an invite. We will only use that information to send the invitation on your behalf. They may contact us to request deletion of their contact info from our system if they do not wish to join.

Behavior Monitoring: To maintain a safe community, our system may monitor certain activities. For example, we may have automated systems that flag potentially inappropriate language or images in profiles or messages (as part of scam prevention and safety). These tools are in place to protect users (e.g., to catch scams asking for money or detect when someone under 18 might be using the service in violation of our terms). In general, we do not read your chats; any review of user communications will be targeted and rule-based (such as when a message is reported by a user or flagged by automated systems for review). By using the messaging feature, you acknowledge that we may process message content for these limited security purposes. We will never use your message data for advertising.

Interacting with Other Users: Please remember to treat your fellow users’ data with care. The Privacy Policy governs how we as Flatable handle your data, but it does not cover what other users do with information you share with them. For instance, if you give your phone number to a roommate through the chat, we cannot control how they might use it. We advise using Flatable’s in-app chat for initial communications and only sharing contact details once you feel comfortable. Report any misuse of personal data by other users to us so we can take appropriate action.

In summary, Flatable is designed to share information with others by your direction – that’s the nature of a roommate-finding platform. We strive to give you control and clarity over what you share and with whom. If you ever have questions about how a feature works or how your info is visible, check our FAQs or reach out to us.

Marketing Communications & Choices

We would like to send you updates about Flatable, but you are in control of whether and how you receive marketing from us:

Email Newsletters and Promotions: With your consent, we will use your email address to send you occasional marketing emails. These may include newsletters with housing tips, product updates, special promotions or events (e.g. a contest or an offer from a partner relevant to students/young professionals), or general announcements about Flatable’s growth. We will only send you such emails if you have opted-in during sign-up or in your account settings, or if you have a pre-existing relationship with us that legally permits sending such emails. We make sure our marketing practices comply with applicable law (GDPR and e-Privacy Directive, and Swiss law). That generally means we either get your explicit consent or rely on a soft opt-in basis for existing users, as allowed, and always provide an easy opt-out. Each marketing email will contain an “Unsubscribe” link at the bottom. You can click that link at any time to stop receiving future marketing emails from us. You can also change your preferences in the app settings to opt out of newsletters, or contact us directly to be removed from the mailing list. We will process opt-out requests promptly.

Push Notifications: Aside from emails, we may send marketing or promotional offers via push notifications on your device, such as notifying you of a new feature or a special in-app event. Push notifications will only be sent if you have allowed notifications for Flatable on your device. When you first install the app, you will be asked if you want to enable push notifications. You can choose “Don’t Allow” if you prefer not to receive any. Even if you initially allow them, you can disable push notifications at any time in your phone’s settings for our app. For example, on iOS, you can go to Settings > Notifications > Flatable and turn them off; on Android, you can go to App Info > Notifications for Flatable and switch them off. We separate notification types where possible – for instance, we might have in-app controls so you can turn off marketing notifications but keep notifications for new messages from other users. We will only send you marketing-related pushes in accordance with your preferences and consent.

In-App Advertisements or Messages: Currently, Flatable does not display third-party ads. If that changes, we will give you appropriate notice and controls. We may, however, show you in-app banners or messages about our own services (for example, a prompt about a new premium feature). Such in-app messages are part of the product experience, but you can dismiss them. If any in-app message is truly promotional, we’ll treat it with the same regard for consent/opt-out as other marketing channels.

SMS Messages: We generally will not send promotional SMS/text messages. We may use SMS only for critical account issues (like sending a verification code to your phone if you opt for SMS verification). If in some scenario we consider SMS for marketing, we would obtain specific consent (which is not our current practice).

Marketing to Minors: We do not intentionally target any marketing communications to users under 18. If you are under 18 (and especially if under 16), you should not receive marketing emails or pushes from us – if you do, it may be because we were not aware of your age or you represented that you had guardian consent. Let us know if you believe you are receiving marketing in error due to age, and we will rectify that.

Third-Party Marketing: Flatable does not sell or rent your data to third-party marketers. We might occasionally include content in our communications on behalf of partners (for example, a student housing fair sponsored by a university, or a discount code from a moving service). But those communications come from us, and your contact details are not handed over to those third parties. If we ever plan to share your contact info with an external partner for their direct marketing, we will get your explicit consent.

Your Rights to Object/Opt-Out: You have the right under GDPR to object at any time to processing of your personal data for direct marketing purposes, including profiling related to direct marketing. In practice, this means if you say “stop” to us (unsubscribe or email us with a request to opt out), we will cease all direct marketing efforts toward you. We will also not send you any further marketing if you have opted out, unless you later explicitly request or consent (like if you re-subscribe). Opting out of marketing communications will not affect your ability to use Flatable for non-marketing purposes. You will still receive essential service messages as described earlier.

Sharing of Data and Disclosures

We treat your personal data with care and do not share it with third parties except in the following circumstances:

Service Providers (“Processors”): We share information with third-party companies that provide services on our behalf. These include cloud hosting providers, database and IT support, analytics services, payment processors, email service (for sending messages or newsletters), push notification services, and verification services. These providers only use your data under our instructions and for the purpose of providing their service to us. They are not allowed to use your data for their own purposes. For example, our cloud storage provider stores our database securely; our email provider sends out the emails we draft; our analytics provider processes usage data to give us reports. We have contracts in place (including Data Processing Agreements as required by GDPR) with these processors to ensure your data is protected.

Other Users of Flatable: As described in the Messaging and Social Features section, some of your data is shared with other Flatable users by the nature of the service (profile info, messages, etc.). This isn’t a “third-party” disclosure in the traditional sense (we’re not giving data to an unrelated company), but it is important to reiterate: any information you voluntarily share on your profile or in communications with other users will be visible to them. They may use that information or disclose it further as they see fit, which is outside our control. Please only share what you are comfortable with. If another user requests personal data that you’re not ready to share (like asking for your social media or financial info), you are under no obligation to provide it. Use the in-app tools and safety guidelines to keep control over your information.

Legal Requirements: We may disclose your information if we are required to do so by law or if such disclosure is reasonably necessary to (i) comply with a legal obligation, subpoena, or request from authorities, (ii) respond to legal claims or to protect our legal rights, (iii) enforce our Terms of Service or investigate/prevent illegal activities (such as fraud or data security incidents). We will only share the data that is necessary in each case. For instance, if law enforcement provides a lawful order to provide data about a certain account involved in a scam, we may provide the requested registration and communications records for that account. We carefully review each request to ensure it has proper legal basis.

Protection of Rights and Safety: In extraordinary circumstances, we might share data to protect vital interests – for example, to prevent an imminent threat of serious harm. If we believe in good faith that disclosing certain information will help prevent harm or financial loss, or is necessary to investigate suspected illegal activity, we may share data with appropriate entities (this could include law enforcement, governmental agencies, or involved third parties). For example, if we suspect a scammer is targeting users, we might share relevant data with police or alert platforms like banking institutions to prevent fraud. We would do this only within the bounds of applicable law.

Business Transfers: If Flatable undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of its assets, your personal data may be transferred to the successor or acquiring entity as part of that deal. We would ensure that any new owner continues to honor the commitments we have made in this Privacy Policy. We will notify you (for example, via email or a prominent notice in the app) if your data will become subject to a new privacy policy or materially different use as a result of a business transition. Similarly, in the unlikely event of bankruptcy or insolvency, data could be considered an asset and handled accordingly, but any purchaser would be bound to the same protections.

With Your Consent: Apart from the above, we will ask for your consent before sharing your personal data with any third party for purposes not covered by this Policy. For instance, if you want us to share your details with a partner housing agency to expedite an application, we would do so only with your explicit request or approval. You are in control – we will not randomly send your data to external parties without a lawful basis.

Aggregated or De-Identified Data: We may share aggregated information that cannot be used to identify you (for example, statistical insights about how many users in a city are looking for housing, or aggregated rent price trends). This kind of data contains no personal identifiers and may be shared with researchers, partners, or the public in reports to illustrate trends. For instance, we might publish an insight like “Average roommate search time in 2025 was 3 weeks in Zurich,” which is derived from user data but from which no individual is identifiable.

We want to reassure you: We do not sell your personal data. We also do not share your information with third-party advertisers or ad networks at this time. Any data sharing that occurs is either at your direction, for a specific purpose of providing the service, or under a legal obligation/legitimate interest as described. If you have questions about third parties that may have access to your data (for example, if you want to know which cloud provider we use), you can contact us for more info.

Your Rights Under GDPR (and Swiss Law)

If you are in the EU/EEA or Switzerland (or similar jurisdictions with data protection laws), you have certain rights regarding your personal data. Flatable is committed to respecting these rights. Your principal rights are:

1. Right of Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. This means you can ask us to confirm if we’re processing your data, and if so, provide you with a copy of that data along with details like the purposes of processing, the categories of data, the third parties with whom it’s shared, and how long we retain it.

2. Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if your name is spelled wrong in our records or you changed your email, you can ask us to fix it. (You can also correct most information on your profile by editing it directly in the app.) We will update your data and notify you once done.

3. Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. If you no longer want to use Flatable, you can delete your account via the app (if available) or contact us to delete your data. We will then erase your personal information, provided we don’t have a legitimate reason to keep it (for example, we may retain some records if needed for legal obligations or dispute resolution). We’ll let you know if any data cannot be fully deleted (and the reason, e.g. “we must retain transaction records for 7 years due to financial regulations”). Keep in mind that when your account is deleted, some content you provided to other users (such as messages you sent or profile information that others have seen) may not be completely erased from their devices or accounts – we can delete data from our active systems, but we cannot magically delete data from another user’s account or backups. However, your profile will no longer be visible in the app and will be disassociated from content.

4. Right to Restrict Processing: You have the right to ask us to limit or “pause” the processing of your data in certain situations. For instance, if you contest the accuracy of your data or object to us processing it on legitimate interest grounds, you can request restriction. While restricted, we will store your data but not use it (other than to secure it and as necessary for the dispute). This right is typically exercised while a complaint or issue is being resolved.

5. Right to Data Portability: You have the right to obtain your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. In plain terms, you can ask for an export of the data you provided to Flatable (and data arising from your use of the service), so that you can, for example, import it into another service. We will provide this either directly to you (so you can pass it on) or directly to another service if you request and if it’s technically possible. For example, you might request a JSON or CSV file of your profile details and messages. (Note: This right applies to data processed by us by automated means, and typically to data you provided or that we observed from your usage, not to any resulting analyses or internal notes, etc.)

6. Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests or public interest (we don’t process data on the latter basis, but mention it for completeness). If you object, we must stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests, or if we need to continue for legal claims. Importantly, you always have the right to object to processing of your data for direct marketing – as noted in the Marketing section, if you object to marketing use, we will cease. If we were, for example, processing your data for analytics under legitimate interest and you object, we would consider if our need truly overrides your privacy rights; if not, we’d stop or find an alternative.

7. Right to Withdraw Consent: In cases where we rely on your consent to process data (such as for optional uses like marketing emails, using precise location, or linking a social account), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we did based on your consent before withdrawal. For example, you can turn off location services to withdraw consent for location data, or use the unsubscribe link to withdraw consent for marketing. Once consent is withdrawn, we will stop the related processing promptly.

8. Right not to be Subject to Automated Decisions: As mentioned, you have rights relating to automated decision-making and profiling. Flatable does not make any legal or similarly significant decisions about you purely by algorithms (without human review). If that changes, we will inform you and ensure your right to request human intervention, to express your point of view, or contest the decision. This is a safeguard mostly for things like credit approvals or scoring; our roommate “matching suggestions” are algorithmic but non-binding and have no legal effect on you, so this likely isn’t applicable in a strict sense.

9. Right to Be Informed: You have the right to clear and transparent information about how your data is used – that is exactly the purpose of this Privacy Policy. We aim to keep you informed at all times about our data practices (this is an ongoing obligation we have under GDPR to be transparent). If anything is unclear, please ask us.

10. Right to Complain: If you believe we have infringed your data protection rights or processed your data unlawfully, you have the right to lodge a complaint with a Supervisory Authority. You can do this in the EU country where you live, where you work, or where the issue occurred. For Swiss users, you can contact the Federal Data Protection and Information Commissioner (FDPIC). We would appreciate the chance to address your concerns directly first, so we encourage you to reach out to us, but you are free to complain to the authorities at any time.

Exercising Your Rights: It’s easy to make a request regarding any of the above rights. You can contact us at our privacy contact (see Contact Information below) with your request. To protect your security, we may need to verify your identity before fulfilling certain requests (for example, by confirming you control the email associated with your account, or asking for some identifying info). This is to ensure we don’t disclose or delete someone else’s data by mistake. We will respond to your request as soon as possible and at the latest within one month, as required by GDPR. For complex requests or multiple requests, we might need up to an additional two months, but we’ll let you know if that is the case. Generally, we will not charge a fee for handling your request. If a request is manifestly unfounded or excessive (e.g., repetitive), the law does allow us to either refuse or charge a reasonable fee, but we’ve never had to do that and will try our best to accommodate all legitimate requests.

We may guide you on how to exercise some rights directly: for example, we might build a tool for you to download your data (portability) or delete your account in-app (erasure). Where available, using those self-service tools can be the fastest way. Otherwise, simply email us and we’ll take care of it. We are committed to honoring your rights and ensuring you have control over your personal information.

Legal Bases for Processing

We want you to know the lawful grounds on which we process your personal data, as required by the GDPR. Depending on the specific data and purpose, we rely on one or more of the following legal bases:

Performance of a Contract (GDPR Art. 6(1)(b)): Most of the data processing we do is to provide you with the Flatable services under our Terms of Service (which is a contract). When you create an account and use our app, there is an agreement between you and us that we will deliver certain functionality. We need to process your data to fulfill our obligations in that contract. For example, using your profile and preference data to match you with roommates, or sending your messages to intended recipients, is done because it is necessary to perform our contractual services. Without this data, we cannot provide the core features of Flatable.

Your Consent (GDPR Art. 6(1)(a)): In some cases, we ask for your consent to process your data. Consent is typically used for optional or additional features that are not strictly necessary for the main service. For example, we seek your consent to use your precise location, to send marketing emails, or to send push notifications. We might also ask consent to collect certain analytics or to integrate with other accounts. When we rely on consent, you have the right to withdraw it at any time (which will not affect processing that has already occurred). We ensure that any consent we obtain is informed, freely-given, and specific (for instance, separate opt-in for marketing vs. strictly necessary communications).

Legitimate Interests (GDPR Art. 6(1)(f)): We process some data under the basis of legitimate interests. This means we have assessed that our legitimate business or third-party interest in the processing is not overridden by your privacy rights. We only do this for purposes that users can reasonably expect and that have minimal privacy impact, and we always consider your rights. Examples include: using analytics to improve our app (we have a legitimate interest in understanding our product usage), ensuring security and preventing fraud (we have an interest in keeping our platform safe), sending limited direct marketing to existing users (we have an interest in promoting our services, within legal bounds), and sharing data in a business transfer (interest in continuity of service). Whenever we rely on this basis, you have the right to object (see Your Rights above), and we will carefully consider that objection. We do not use legitimate interest as a basis when your interests and rights carry more weight – for instance, we wouldn’t use it to track your precise location or to send you third-party ads without consent, since those would not likely meet the balancing test.

Legal Obligation (GDPR Art. 6(1)(c)): Some processing is necessary for us to comply with a legal obligation. For example, financial and tax laws might require us to keep transaction records for a certain period; if you purchase something, we may retain payment records to meet accounting rules. We may also process or disclose data when required by law (like responding to a lawful subpoena). In these cases, the law is the basis for processing. We only do what the law strictly requires while protecting your privacy as much as possible.

Vital Interests (GDPR Art. 6(1)(d)): This basis applies rarely – it’s used to protect someone’s life or prevent serious harm. We don’t foresee routine processing under this, except in an emergency situation (e.g., if we had information about a user in immediate danger, processing or disclosing data to help could fall under vital interests).

Public Interest (GDPR Art. 6(1)(e)): This is generally not applicable to our private business (it’s more for governmental tasks). We do not process data for any task carried out in the public interest or exercise of official authority.

To summarize in simpler terms, the main bases are contract and consent for what you directly do with Flatable, legitimate interest for our internal improvements and safety measures, and legal obligation for compliance matters. We will explicitly inform you (typically via this Policy and just-in-time notices) when we rely on consent and for what. If you ever have questions about the legal basis for a particular processing activity, feel free to ask us. We aim to be fully transparent about why we collect and use your data.

Data Retention

We retain your personal data only for as long as it is necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The duration for which we keep different types of data can vary:

Account Information: We keep your profile and account data while your account is active. This allows us to provide the service to you continuously. If you decide to delete your account, we will initiate deletion of your personal data from our production systems. In many cases, account deletion is processed promptly (within a few days). However, our backups and archives may still hold fragments of your data for a period, as is common with database backups. We have retention schedules to purge or anonymize data from backups safely. Typically, routine backups are rotated and purged within [e.g. 30-60 days]. Once those backups cycle out, your data will be gone from all our storage. We will also disassociate you from any content that remains (for example, your messages in someone else’s inbox might be labeled “Deleted User”).

Shared Content: Content you have shared with others (such as messages or group posts) may be retained as part of their account data. We generally do not scrub your messages from someone else’s inbox when you delete your account, because those messages form part of their conversation history. The messages will no longer be linked to your profile, and the other user may just see an anonymized sender or no profile photo. If you want us to delete specific messages you sent (and not the whole account), you can request that, but both you and the other party may lose access to that content if we delete it.

Analytics Data: Aggregate analytics data (which does not directly identify individuals) may be retained indefinitely for historical analysis. However, raw personal data used for analytics is either anonymized or deleted once it’s no longer needed. For example, server logs containing IP addresses are typically rotated and deleted after a few weeks or months, unless kept longer for security analysis.

Legal and Safety Retention: We might retain certain information for longer if we have a legitimate reason. For instance, if we deactivated an account for fraud or safety reasons, we may keep certain information (like the email, phone, and IP of that account) to prevent repeat abuse. Likewise, if we are handling a dispute or legal claim involving your data, we will retain relevant information until it is resolved.

Financial Records: If you conducted any financial transactions, we retain those records for the period required by financial regulations and tax laws. In Switzerland and many jurisdictions, transaction records must be kept for a number of years (e.g., 7 or 10 years). This might include receipts, invoices, or logs of payments you made through Flatable. We restrict access to such data and only use it for those regulatory purposes.

Inactive Accounts: If you stop using Flatable without deleting your account, we may eventually classify your account as “inactive.” We might send a reminder email after a long period of inactivity. If the account remains unused, we reserve the right to delete or anonymize the data after a very extended period (for example, 2 years of inactivity) to reduce storage. We will try to notify you (if contact info is available) before deleting an inactive account.

Backup & Recovery: As mentioned, data may persist in backups for a limited time. Our backup storage is secured. Any personal data in backups is protected and not actively processed – it’s only restored if needed for disaster recovery. We have policies to ensure backup data isn’t kept longer than necessary.

When we delete data, we use commercially reasonable measures to ensure the data is irrecoverable. For example, we might employ secure deletion or encryption overwriting when retiring physical storage. In cases where we anonymize data instead of deleting it (which might be done for things like analytics), we remove or irreversibly alter any personal identifiers such that the data can no longer be associated with any individual.

In summary, we retain your personal data for as long as needed to provide our services and as required by law. Once the data is no longer needed for those purposes, we either delete it or anonymize it. If you have specific questions about our retention practices for a certain type of data, please contact us. Inactive accounts are anonymized after 24 months of inactivity. Server logs are stored for a maximum of 90 days before automatic deletion.

Data Security

We take the security of your personal information seriously. Flatable implements a variety of technical and organizational security measures to protect your data from unauthorized access, loss, misuse, or alteration. These measures include:

Encryption: We use encryption to protect data in transit and at rest. For example, our app and website are served over HTTPS, which encrypts the data transmitted between your device and our servers (preventing eavesdropping on the network). Sensitive personal data and passwords are stored in encrypted form in our database. We follow industry best practices for encryption protocols and key management.

Access Controls: We limit access to personal data to authorized personnel who have a legitimate need to know. Our team members and contractors who need to process user data (for example, customer support or engineers debugging an issue) are subject to strict access controls. We use authentication, role-based permissions, and administrative safeguards to ensure only the necessary people can access sensitive systems. All staff are trained on data protection and are bound by confidentiality obligations.

Secure Infrastructure: We host our servers and databases with reputable cloud providers that have strong security certifications and standards. Our servers are protected by firewalls, network security monitoring, and other protective measures. We keep our software and frameworks up-to-date to patch vulnerabilities. Regular security audits and penetration tests are conducted to assess and improve our security posture.

Anonymization & Pseudonymization: Where possible, we pseudonymize personal data in our system. For example, user IDs are used internally instead of directly using names. We separate certain identifying information from usage data. In analytics, we often use aggregated data without personal identifiers. This minimizes exposure of personal data even within our environment.

Monitoring and Prevention: We have systems in place to detect and prevent malicious activities. This includes anti-virus/anti-malware protection, DDoS protection services, and automated alerts for unusual system behavior. If we detect suspicious logins or activities on your account, we may notify you and prompt for account verification to ensure it’s really you.

Physical Security: Although we are a digital service, any physical facilities (like data centers of our cloud provider) are secured with measures like access badges, surveillance, and security personnel. Our own offices (if any) are access-controlled as well.

Data Minimization: We only collect the data that we need, and we don’t keep it longer than necessary (as described in Retention). By limiting the quantity and duration of personal data, we reduce the risk in case of any security issue.

Incident Response: We have a data breach response plan. Despite best efforts, no system can be 100% immune to security breaches. In the unlikely event of a data breach, we will act promptly to contain and investigate it. We will also notify affected users and authorities as required by law (GDPR has a 72-hour breach notification rule for significant breaches). Our plan includes steps to remedy the situation and prevent future occurrences.

User Responsibilities: We also advise you to take steps to protect your own account security. Choose a strong, unique password for Flatable and do not share it. Consider enabling any additional security features we might offer (like two-factor authentication if available in the future). Be cautious of phishing – Flatable will never ask for your password via email. Always make sure you’re using our official app or website. If you suspect any unauthorized access to your account, notify us immediately.

While we strive to safeguard your information, it’s important to acknowledge that no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of data. However, we continuously update and enhance our security measures to meet or exceed industry standards. By using Flatable, you understand that there is some risk inherent in any online service, but know that we are doing our utmost to protect you. If you have questions about the security of Flatable, or if you need to report a security incident, please contact us at our security/privacy contact email.

International Data Transfers

Flatable is based in Switzerland, but we may process data in other countries as part of providing our services. Many of our users are in the European Union, and we also plan to operate in other regions (like the UK or possibly the US). Your personal data may be transferred or accessed internationally by our service providers or by Flatable team members, under strict controls:

Switzerland and EEA: Switzerland is not an EU member, but it is recognized by the EU as providing an adequate level of data protection (under the previous adequacy decision). We treat data of EU users in compliance with GDPR and the Swiss Federal Act on Data Protection (FADP). Data may flow between Switzerland and EEA countries freely, as both regions have strong privacy protections. For example, if we host data on servers in the EU, or if a Swiss-based developer accesses data of an EU user, this is covered under mutual adequacy and our internal policies.

United States: Some of our third-party processors (like cloud or analytics providers) may be in the United States or other countries outside Switzerland/EEA. The privacy laws in these countries may not be as strict as GDPR or Swiss law. However, when we transfer personal data internationally, we take steps to ensure it remains protected. For transfers from Switzerland/EU to the US (or any country without an EU adequacy decision), we rely on approved legal mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) or the new Swiss-US Data Privacy Framework, as applicable. These are contractual commitments that require the recipient to safeguard your data according to EU-level standards. In some cases, we may rely on your explicit consent for certain transfers (though generally we aim to have safeguards so consent isn’t needed just for routine transfers).

Other Countries: Similarly, if we need to transfer data to, say, India (where perhaps a development contractor might be located) or any other country, we will use SCCs or other lawful bases (e.g., if it’s necessary for our contract with you, such as routing data where you are located, or to establish/defend legal claims). We examine each such transfer and ensure compliance with Articles 44-49 of the GDPR. Our goal is that your data receives a continuous level of protection, no matter where it is processed.

Intra-Group Transfers: If Flatable establishes subsidiaries or affiliates in different countries (for example, an EU branch in the future), we will have an intra-group data transfer agreement in place, utilizing SCCs or binding corporate rules if applicable, to move data between our entities legally.

Disclosure for Law Enforcement: Note that data stored in one jurisdiction might be subject to lawful access requests by governments of that jurisdiction. For instance, data stored on US servers could potentially be accessed by US authorities under US law. We account for this in our risk assessments and will be transparent with users if any such broad requests occur (when permissible). Our policy is to challenge unlawfully broad or extraterritorial requests. We have not had any to date, and we minimize such scenarios by preferring storage in privacy-strong jurisdictions (Switzerland/EU) when feasible.

Your Perspective: We understand that international transfers can sound concerning, but please rest assured: regardless of where your data is processed, we apply the same protections described in this policy. We hold any partner handling your data to high standards via contracts. If an adequate level of protection cannot be ensured in a given transfer, we will not proceed with that transfer.

If you want more information about our international data transfer safeguards, please contact us. We can provide copies of relevant contractual clauses or details of frameworks on request (subject to commercial confidentiality). By using Flatable, you acknowledge that your data may be processed in countries outside of your own, but always in line with this Policy and applicable law.

Children’s Privacy and Age Restrictions

Flatable is intended for users who are 18 years of age or older, or the age of majority in your country. However, we recognize that some younger users (minors) may be interested in shared living (for example, students under 18). Our policy regarding minors is as follows:

Users Under 18: If you are under 18, you must have the consent of your parent or legal guardian to use Flatable. During the signup process, we may ask you to confirm that you have obtained such consent. We reserve the right to request verification or proof of parental consent for users we suspect are minors. By using Flatable, you affirm that you either are 18+ or have appropriate guardian consent if you are younger. We take this requirement seriously for legal and safety reasons – minors in housing situations should involve guardians.

Users Under 16 (EU) / Under 13: In compliance with GDPR and similar laws, we do not knowingly allow children under the age of digital consent to register on Flatable without parental authorization. The default age of consent under GDPR is 16, but it can be lower (not below 13) depending on country. For simplicity, Flatable currently requires all users under 18 to have guardian consent, which covers this rule. If you are under 16, you definitely need a parent/guardian to sign up on your behalf or supervise your signup. If you are under 13, you are not permitted to use Flatable at all. The service is not directed to children under 13, and we do not intentionally collect any personal data from children under 13. This aligns with laws like COPPA in the US (even though we are Swiss/EU focused, we choose to abide by these protections globally).

No Child-Oriented Content: Our platform and content are geared toward late teens and adults (students, professionals). We do not market to children, and our communications are intended for a general audience. We expect that any under-18 users are using the service with awareness of a guardian.

Parental Supervision: We encourage parents or guardians of minors using Flatable to actively supervise and guide their use. Talk with your teens about safe online practices, what not to share, and how to handle communications on the app. If you are a parent/guardian who has given consent, you have the right to withdraw it and request deletion of the minor’s account at any time. Contact us, and we will promptly remove the minor’s data.

Discovery of Underage Users: If we learn that we have collected personal information from a child under 13, or under 18 without parental consent, we will take action to delete that information as soon as possible. For example, if a 12-year-old signs up falsifying their age, once detected, we will terminate the account and remove personal data. If you suspect that a user is underage or if a child has provided us information without consent, please alert us at our contact email. We will investigate and, if appropriate, purge that data.

Guardian Rights: If you are a parent or guardian and you have concerns about your child’s use of our service or you want to exercise their privacy rights on their behalf, you can contact us. We may require verification of your relationship to the child for safety (to ensure we are not giving data to an unrelated person). We will honor requests from guardians to access or delete a minor’s data, consistent with applicable law.

Age Verification Limitations: We do not have automated age verification for every user (we rely on honesty at sign-up and community reporting). However, we do take reports seriously and may implement age verification mechanisms if needed (such as asking for ID in some cases). Our aim is to prevent children from unsafe usage while not collecting unnecessary data from everyone just for age checks.

In summary, Flatable does not knowingly collect data from children under 13, and requires minors 13-17 to have parental consent to use the platform. If you are not old enough or don’t have consent, please do not use our app. This is for your own safety and legal compliance. We are happy to work with families and authorities to ensure minors are protected.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make changes, we will notify you in accordance with applicable law. For minor or non-material changes (such as clarifications or typo corrections), we may simply post the revised Policy with a new effective date. For significant changes that affect your rights or how we use data, we will provide a more prominent notice – for example, an email to your registered address or an in-app notification – prior to the change becoming effective. We encourage you to review this Policy periodically for the latest information on our privacy practices.

Any changes will be effective when posted, unless stated otherwise. If you continue to use Flatable after a new Privacy Policy takes effect, it will signify that you have read and understood the changes. Of course, if the changes require new consent from you (for example, if we start processing data for a new purpose that needs consent), we will obtain that consent separately.

The “Effective Date” at the top of this Policy indicates when the current version came into force. Previous versions of our Privacy Policy (if applicable) will be archived and available upon request for reference.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help and are committed to addressing any privacy-related issues.

Data Controller: For the purposes of data protection, Flatable is operated by Safras Rawfal, based in Zug, Switzerland, until formal company incorporation is completed. Since we are based in Switzerland, our lead data protection supervisory authority is the Swiss FDPIC, but we also fall under EU jurisdiction for EU users. Upon incorporation, this Policy will automatically transfer to Flatable AG or Flatable GmbH, the official data controller.

Contact Email: safras.rawfal@flatable.ch (or flatable.ch@gmail.com). This is the email for privacy inquiries, such as data access requests or questions about our data practices.

Contact Address: Flatable, Eichstrasse 19A, 6330 Cham, Switzerland. (Note: this is a placeholder address – please use the email for quickest response.)

You can reach out to us in English or German (or your preferred language, and we will try to accommodate). We will endeavor to respond to your inquiries as quickly as possible, typically within a few business days. If you are contacting us to exercise a specific data right, please provide enough information for us to verify your identity and locate your data (e.g., the email linked to your account, and what action you want us to take).

If you need to contact our Data Protection Officer (DPO) or equivalent privacy representative, you can use the same contact info above and put “Attention: Data Protection Officer” in the subject line, and it will be routed appropriately. (If we formally appoint a DPO or EU representative, we will update this section with their direct contact.) We currently do not have an appointed EU representative but will do so once our user base expands within the EU.

Finally, if you feel that we have not resolved your privacy concern, you have the right to contact your local Data Protection Authority. For EU users, you can find contact details for each EU country’s authority online (for example, in Germany the BfDI, in France the CNIL, etc.). Swiss users can contact the FDPIC. We genuinely hope that isn’t necessary and that we can resolve any issue together in good faith.

Thank you for reading our Privacy Policy. We value your trust, and we are dedicated to protecting your personal information while you use Flatable. Your privacy and safety are foundational to our service – helping you find a home and community should not come at the expense of your data security or privacy rights. Happy house-hunting and roommate matching with Flatable!