Privacy Policy | Hyrea

Introduction

Hyrea AB ("Hyrea," "we," "us," or "our") operates a property management platform connecting landlords, property managers, and tenants. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website (www.hyrea.se) and services. We are committed to protecting your privacy in compliance with EU General Data Protection Regulation (GDPR), Swedish Data Protection Act (Dataskyddslagen), UK General Data Protection Regulation (UK GDPR), California Consumer Privacy Act (CCPA/CPRA), and UAE Personal Data Protection Law (PDPL).

Data Controller

Chiranjit Mitra

Enskild Firma (Sole Proprietorship)

Organisationsnummer: 860626-8798

F-skatt registered since: 2024-10-08

Tollare Kaj 6, Lgh 1301, 132 49 Saltsjö-Boo, Sweden

support@hyrea.se

As the sole proprietor, I am the data controller responsible for your personal data under GDPR.

Information We Collect

Account Information

Name (first and last)
Email address
Phone number
Date of birth
Personal identification number (personnummer) - for Swedish users
Profile picture (optional)

Landlord/Property Manager Information

Company name and tax ID (for business accounts)
Property details (address, size, amenities, photos)
Rental terms and pricing
Bank account information (for rent collection)

Tenant Information

Employment status and start date
Rental budget and preferences
Preferred move-in date and location
References (optional)
Pet ownership status

Communication Data

Messages sent through our platform
Support requests and correspondence

Information Collected Automatically

Device and Usage Information:

IP address
Browser type and version
Operating system
Device type (mobile, desktop, tablet)
Pages visited and features used
Time spent on pages
Referring website

Location Information:

Approximate location derived from IP address (city/country level)
Used for security purposes (detecting unusual login locations)

Cookies and Similar Technologies

Essential cookies (authentication, security)
Analytics cookies (with your consent)

Information from Third Parties

Bank account information via Plaid (EU/US) or Lean Technologies (UAE/MENA) with your explicit consent
If you sign in with Google or other OAuth providers, we receive your name and email

How We Use Your Information

To Provide Our Services

Create and manage your account
Connect landlords with potential tenants
Process rental applications
Facilitate communication between parties
Process rent payments and financial transactions
Generate rental agreements and documents

To Improve and Personalize

Analyze usage patterns to improve our platform
Personalize property recommendations
Develop new features based on user needs

To Communicate With You

Send service-related notifications
Respond to your inquiries and support requests
Send important updates about your account or properties
Marketing communications (with your consent)

For Security and Fraud Prevention

Detect and prevent fraudulent activity
Monitor for suspicious login attempts
Verify user identity
Protect against unauthorized access

Legal Compliance

Comply with applicable laws and regulations
Respond to legal requests and court orders
Enforce our terms of service

Legal Basis for Processing (GDPR)

We process your personal data based on:

Purpose	Legal Basis
Account creation and service delivery	Contract performance
Payment processing	Contract performance
Security monitoring and fraud prevention	Legitimate interest
Analytics (with consent)	Consent
Marketing communications	Consent
Legal compliance	Legal obligation

How We Share Your Information

With Other Users

Landlords can see tenant application information
Tenants can see landlord/property contact information
Property managers can access properties they manage

With Service Providers

Provider	Purpose	Data Shared
Supabase	Database hosting	All user data (encrypted)
Vercel	Website hosting	Usage data, IP addresses
Resend	Email delivery	Email addresses, names
PostHog	Analytics (with consent)	Usage behavior, device info
Plaid	Bank verification (EU/US)	Financial data (with consent)
Lean Technologies	Bank verification (UAE)	Financial data (with consent)

For Legal Reasons

To comply with legal obligations
To respond to lawful requests from authorities
To protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of assets

We may share information for other purposes with your explicit consent.

International Data Transfers

Your data may be transferred to and processed in countries outside your residence, including United States (Vercel, PostHog US instance, Plaid) and European Union (Supabase EU region). For transfers outside the EU/UK, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs), Adequacy decisions where applicable, and Binding Corporate Rules where applicable.

Data Retention

We retain your data for as long as necessary to provide our services:

Data Type	Retention Period
Active account data	Duration of account + 2 years
Deleted account data	30 days (recovery period) then permanently deleted
Financial transaction records	7 years (legal requirement)
Login history	90 days
Analytics data	26 months
Support communications	3 years

Your Rights

For All Users

Access: Request a copy of your personal data
Correction: Update inaccurate or incomplete data
Deletion: Request deletion of your data
Data Portability: Receive your data in a portable format

Additional Rights (EU/UK - GDPR)

Restrict Processing: Limit how we use your data
Object to Processing: Object to processing based on legitimate interest
Withdraw Consent: Withdraw consent at any time
Lodge a Complaint: File a complaint with your supervisory authority

Swedish Data Protection Authority (IMY): www.imy.se

Additional Rights (California - CCPA)

Know: What personal information we collect
Delete: Request deletion of your data
Opt-Out: Opt out of sale of personal information (we do not sell data)
Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Your Rights

Or use the in-app settings: Account Settings → Privacy → Data Export, Account Settings → Account → Delete Account

We will respond within 30 days (or as required by applicable law).

Cookies and Tracking

Essential Cookies

Required for basic functionality:

Authentication (keeping you logged in)
Security (CSRF protection)
Language preferences

These cookies are always active and do not require consent.

Analytics Cookies (Consent Required)

With your consent, we use:

Vercel Analytics: Performance monitoring
PostHog: User behavior analytics

You can manage your cookie preferences via the cookie banner on first visit or via Account Settings → Privacy.

We Do NOT Use

Marketing/advertising cookies
Third-party tracking for advertising
Cross-site tracking

Security

We implement industry-standard security measures:

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Authentication: Secure password hashing, optional 2FA
Access Control: Role-based access, principle of least privilege
Monitoring: Automated security monitoring and alerting
Auditing: Regular security assessments

Security Incident Response

In case of a data breach affecting your rights, we will:

Notify affected users within 72 hours
Report to relevant supervisory authorities as required
Take immediate steps to mitigate the breach

Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

Email notification
Prominent notice on our website
In-app notification

The "Last Updated" date at the top indicates when changes were made.

Contact Us

For privacy-related questions or to exercise your rights:

Email: support@hyrea.se

Mail: Chiranjit Mitra, Tollare Kaj 6, Lgh 1301, 132 49 Saltsjö-Boo, Sweden