Privacy Policy
Last updated: April 2026
1. Introduction
PropertyHunt.ai ("we", "our", "the platform") is an AI-powered property search platform for premium European coastal real estate markets. We are committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and applicable national data protection laws.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how long we retain it, and what rights you have as a data subject.
Data controller: PropertyHunt.ai
Contact: privacy@propertyhunt.ai
2. Personal Data We Collect
2.1 Account data
When you create an account we collect your email address and, if you use Google or Apple Sign In, the name and profile picture associated with that account. We use this data to authenticate you and communicate with you about your account.
2.2 Preference profile
During onboarding and when you interact with properties, we collect your property search preferences: budget, target regions, property types, bedroom requirements, amenity preferences (pool, sea view, etc.), and deal-breakers. This data is used to score and rank properties for you.
2.3 Property interactions
We record your interactions with property listings: views, saves, rejections, and contact requests. These signals improve your personalised match scores and help the AI assistant (Mr. Pennyworth) understand your preferences.
2.4 Chat conversations
If you use the AI chat feature, your conversation messages are stored to maintain context across sessions and to improve the quality of responses. Chat data is not used to train external AI models.
2.5 Technical data
We collect standard server logs including IP address, browser type, and timestamps for security, debugging, and rate-limiting purposes. We use minimal cookies: a session authentication cookie and, with your consent, an analytics cookie.
3. Legal Basis for Processing
| Purpose | Legal basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Property matching and AI scoring | Legitimate interests (Art. 6(1)(f)) — providing the core service you signed up for |
| Match alert emails and price-drop notifications | Consent (Art. 6(1)(a)) — you can withdraw at any time in Profile > Notifications |
| Agent subscriptions (V1.5) | Contract (Art. 6(1)(b)) |
| Security logs and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
4. Data Sharing and Sub-processors
We do not sell your personal data. We share data only with the following processors under appropriate Data Processing Agreements (DPAs):
- Supabase — database, authentication, and file storage. Data stored in the EU region.
- Vercel — application hosting (EU edge nodes). Serverless function logs are retained for 3 days.
- OpenRouter / Anthropic — AI language model processing for chat and property analysis. Prompts sent to OpenRouter for processing are not retained for model training.
- Resend — transactional email delivery (match alerts, price-drop notifications, magic link sign-in).
- Google Maps Platform — map rendering, geocoding, and location-based features. Your IP address and approximate location are processed by Google when maps are displayed.
- AWS S3 & CloudFront (eu-west-1) — property media storage and CDN delivery. No personally identifiable data is stored here; only public property images.
If you are an agent, your contact details are shared with buyers only when a buyer explicitly requests a property viewing or contact. Buyer intent scores and browsing behaviour are never shared with agents without buyer consent.
5. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, all personal data is permanently deleted immediately (see Section 7 — Your Rights). Anonymised, aggregated analytics data (not linked to your identity) may be retained indefinitely for platform improvement.
Server and runtime logs are retained according to our hosting provider's defaults (see Section 4) and then automatically deleted.
6. International Data Transfers
All personal data is stored and processed within the European Union. Some of our sub-processors (OpenRouter, Vercel) may process data outside the EU in the course of providing their services; in such cases, transfers are governed by the EU Standard Contractual Clauses (SCCs) or an EU adequacy decision.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all personal data we hold about you. Use the "Export my data" button in Profile > Privacy, or call
GET /api/v1/account/export. - Right to rectification (Art. 16) — correct inaccurate data in Profile > Preferences.
- Right to erasure (Art. 17) — delete your account and all associated data permanently. Use the "Delete my account" button in Profile > Privacy, or call
DELETE /api/v1/account. Deletion is immediate and irreversible. - Right to restrict processing (Art. 18) — contact us to restrict processing of your data in specific circumstances.
- Right to data portability (Art. 20) — export your data as a machine-readable JSON file (see Right of access above).
- Right to object (Art. 21) — object to processing based on legitimate interests by contacting us at privacy@propertyhunt.ai.
- Right to withdraw consent — withdraw marketing consent at any time in Profile > Notifications or via the unsubscribe link in any email we send.
To exercise any right, email us at privacy@propertyhunt.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority. For France, this is the CNIL. For Spain, the AEPD. For Italy, the Garante per la Protezione dei Dati Personali. For Portugal, the CNPD.
8. Cookies
We use the following cookies:
| Cookie | Purpose | Retention |
|---|---|---|
| sb-* | Supabase authentication session | Session / 1 week |
| NEXT_LOCALE | Language preference | 1 year |
We do not use third-party advertising cookies. Analytics cookies, if enabled in a future version, will require your explicit consent.
9. Data Security
All data is transmitted over HTTPS (TLS 1.2+). Data at rest in Supabase is encrypted using AES-256. We apply Row Level Security (RLS) policies so users can only access their own data. We conduct regular security reviews and have a breach notification process that meets the GDPR 72-hour reporting requirement (Art. 33).
10. Children's Privacy
PropertyHunt.ai is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@propertyhunt.ai and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in the platform or applicable law. Material changes will be notified by email to registered users at least 14 days before taking effect. The "Last updated" date at the top of this page shows when the policy was last revised.
12. Contact Us
For privacy questions, data subject requests, or to contact our Data Protection Officer:
- General privacy enquiries: privacy@propertyhunt.ai
- DPA / legal notices: dpa@propertyhunt.ai
© 2026 PropertyHunt.ai. All rights reserved. Back to home