Privacy policy (RGPD / GDPR)

The controller of personal data processed within the LetFlat.net platform is:

• RILLS OÜ
• Legal form: OÜ
• Country of registration: Estonia
• Registration number: 16842161
• Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138
• E-mail for all requests, including privacy matters: rills@rills.top

LetFlat.net processes personal data in accordance with the following principles:

• processing is lawful, fair and transparent;
• data is collected only for specified, explicit and legitimate purposes;
• only data that is genuinely necessary is processed;
• data must be accurate and, where necessary, kept up to date;
• data must not be kept longer than necessary for the purposes of processing;
• reasonable technical and organisational measures are applied to protect data.

3.1. User account data

When registering and using an account, LetFlat.net may process:

• name / agency name;
• profile contact e-mail;
• WhatsApp;
• contact type: owner / real estate agency / private individual;
• account role;
• tenant profile flag;
• profile verification status;
• e-mail address;
• password hash;
• hashed verification and password reset codes;
• code expiry and usage status;
• technical session and authentication data.

The profile model still technically contains a phone field, but in the current product flow a public phone number is not used as the main communication channel and is not displayed to tenants in the contact card.

3.2. Listing data

When creating and publishing a listing, the platform processes the data entered by the user in the property card, including:

• title;
• description;
• price;
• address;
• district / arrondissement;
• surface area;
• apartment type;
• number of bathrooms;
• photos;
• other property characteristics if indicated by the user.

3.3. Contact details displayed in listings

Depending on the user’s choice, a listing may make the following available:

• e-mail;
• WhatsApp.

3.4. Data related to paid services

If online payment for paid services is activated on the platform, the platform and/or the payment provider may process the data necessary to process the payment, confirm the purchase, perform accounting and tax obligations and handle refunds, disputes or claims where applicable.

If online payment is activated, LetFlat.net intends to use Stripe as its payment provider. After such a payment flow is activated, part of the data will be processed directly by Stripe within the limits of its own services and legal obligations.

3.5. Data relating to complaints, support and requests

If a user or third party writes to rills@rills.top, the platform may process:

• name;
• e-mail address;
• the content of the request;
• materials attached to the complaint or request;
• information relating to the disputed listing or account.

3.6. Data related to cookies and tracking

As of the publication date of this document, LetFlat.net only uses technical cookies and browser local storage necessary for website operation and user preferences. Analytical and marketing trackers are not active in the current configuration. If they are enabled later, both the policy and the consent interface will be updated separately.

• technical cookies;
• language and interface preferences;
• cookie banner choice;
• technical session state;
• a locally stored list of favourite listings.

These technologies are described in more detail in the separate “Cookies and Tracking Policy”.

3.7. Document scanning and dossier assembly services

LetFlat.net may provide technical document-related services, including document scanning and assembly of a template-based user dossier.

As part of such services, the user may choose to enter or upload data, including documents and information about themselves. Since such information may contain sensitive or high-risk categories of data from the user’s perspective, the platform follows the data minimisation principle and must clearly inform users about the nature of processing, retention periods, deletion options and related risks.

LetFlat.net processes personal data for the following purposes:

4.1. Creation and maintenance of accounts

• user registration;
• account login;
• maintaining access to platform functions;
• identifying the user within the service.

4.2. Publication and display of listings

• publishing property cards;
• displaying listings to other users;
• enabling contact between users through the contact details provided;
• managing listings, moderation and complaints.

4.3. Provision of paid services

• activating listing promotion;
• highlighting listings;
• displaying advertising;
• providing document-related services;
• processing payments and related accounting, if online payment is activated.

4.4. Moderation and platform security

• reviewing listings;
• combating spam, fraud and abuse;
• handling complaints;
• applying restrictive measures in case of breach.

4.5. Compliance with legal obligations

• complying with legal requirements;
• recording payments, if payment infrastructure is activated;
• responding to requests from competent authorities;
• protecting the rights of the platform, users and third parties.

4.6. Analytics, service improvement and marketing

• analysing use of the platform;
• improving the interface and functions;
• measuring the effectiveness of services and advertising;
• personalisation where and to the extent it is used lawfully and with the necessary consents.

LetFlat.net relies on one or more of the following legal bases for processing personal data:

5.1. Performance of a contract or steps prior to entering into a contract

For example:

• registration and account access;
• publication of a listing;
• use of platform functions;
• provision of paid services;
• provision of document-related services.

5.2. Legitimate interests of the platform

For example:

• protection against abuse;
• moderation and fraud prevention;
• service security;
• handling complaints;
• protection of the platform’s rights;
• basic analytics and service improvement where permitted by law.

5.3. Compliance with a legal obligation

For example:

• tax and accounting records;
• responses to lawful requests from authorities;
• performance of obligations arising from applicable law.

5.4. User consent

For example:

• analytical and marketing cookies;
• advertising pixels;
• certain marketing technologies;
• processing for which consent is specifically required by law.

6.1. User account

Account data is retained as long as the user uses the platform and does not request account deletion.

Hashes of verification and password reset codes are retained for their validity period and until the corresponding records are technically cleaned up, after which they are deleted or rendered unusable. The authenticated session token stored in the browser remains there until the user logs out, clears local storage or the system no longer accepts that token.

6.2. Listings

Active listings are retained until the user deletes them or the user account is deleted.

6.3. Deleted listings

Under LetFlat’s business model, deleted listings are intended to be removed. However, the platform may retain the minimum necessary information relating to deletion, disputes, complaints or breaches where this is objectively necessary to protect the platform’s rights, comply with law or resolve a dispute.

6.4. Payment data

Data related to paid operations may be retained longer than ordinary user data to the extent necessary for:

• accounting records;
• tax records;
• confirmation of completed transactions;
• protection of the platform in the event of a dispute, refund or claim.

6.5. Data from document-related services

For document-related services, LetFlat follows the principle of storage minimisation:

• if the user uses a service without saving the result, the data should not be kept longer than necessary to perform the technical operation;
• if the user chooses to save the result, they must be able to delete it themselves;
• the platform should not retain such materials longer than necessary for the stated function and the scenario chosen by the user.

LetFlat.net may transfer personal data to the following categories of recipients:

7.1. Infrastructure and technical service providers

For example:

• hosting and server infrastructure;
• cloud services;
• data storage services;
• analytics tools;
• security tools.

At the current stage, the site infrastructure may be hosted using DigitalOcean.

7.2. Payment providers

In particular, Stripe for payment processing, if online payment is activated.

7.3. Analytics, marketing and advertising tools

For example:

• Google Analytics;
• Meta Pixel;
• TikTok Pixel;
• Hotjar / Microsoft Clarity;
• other equivalent services if they are enabled.

7.4. Competent authorities and persons authorised by law

Where such transfer is required by law, a court decision, a request from a supervisory authority or for the protection of the rights of the platform and third parties.

7.5. Other platform users

Within the limits of the information which the user has chosen to make available in a listing, for example:

• e-mail;
• WhatsApp.

Because LetFlat uses or may use international digital services, some data may be processed outside the user’s country and, in some cases, outside the European Economic Area.

Where international transfers take place, they must be accompanied by the appropriate legal safeguards to the extent required by law, such as standard contractual clauses or other lawful transfer mechanisms.

Within the limits provided by applicable law, the user has the right to:

• obtain confirmation that their data is being processed;
• request access to their data;
• request correction of inaccurate data;
• request deletion of data;
• request restriction of processing;
• object to certain kinds of processing;
• receive data in a portable format where applicable;
• withdraw consent where processing is based on consent;
• lodge a complaint with a competent data protection authority.

To exercise their rights, the user may contact: rills@rills.top

If the user believes that the processing of their personal data breaches applicable law, they may lodge a complaint with the competent data protection authority in their country or in the place of the alleged infringement.

LetFlat.net takes reasonable technical and organisational measures to protect personal data against:

• unauthorised access;
• loss;
• destruction;
• alteration;
• unlawful disclosure;
• abuse.

At the same time, the user understands that no internet infrastructure can guarantee absolute security.

12.1. Document scanning

If the user uses the document scanning service, the platform may temporarily process the uploaded file in order to provide a result. LetFlat aims to minimise storage of such materials and not to use them beyond the stated function without a separate lawful basis.

12.2. Dossier assembly

If the user uses the dossier assembly service:

• the user decides which data to enter;
• the platform does not guarantee that the dossier will be suitable for a specific legal or commercial purpose;
• the user is responsible for the lawfulness of the data and documents included;
• the user must not include unnecessary or third-party personal data without a proper legal basis.

12.3. Storage of results

If the user is given the possibility of saving a dossier or another processing result, the user must be able to delete it themselves.

LetFlat uses or plans to use cookies and similar technologies for:

• technical operation of the website;
• analytics;
• marketing;
• retargeting;
• evaluation of user behaviour;
• improving service efficiency.

Detailed rules are described in the separate “Cookies and Tracking Policy”.

As of the publication date of this document, LetFlat does not rule out using:

• service e-mails;
• marketing messages;
• notifications of promotions and paid services;
• notifications about new listings;
• communications by e-mail and/or other channels if such channels are introduced.

Where any communication requires separate consent by law, such consent must be obtained properly.

15.1. LetFlat.net may update this Privacy Policy.

15.2. The current version is published on the platform and takes effect upon publication unless otherwise specified.

15.3. In the event of material changes, the platform may additionally inform users where appropriate or required by law.

For any question relating to the processing of personal data, the user may contact:

• RILLS OÜ
• E-mail: rills@rills.top