Privacy Policy
Information under Articles 13 and 14 EU GDPR and § 4 ff. DSG (Austria)
Last updated: 25 April 2026
1. Controller
Wohni GmbH (in formation)
Musterstraße 1, 1010 Vienna, Austria
Email: datenschutz@wohni.at
2. Data Protection Officer
Wohni has not appointed a Data Protection Officer. The thresholds in Article 37(1) GDPR (core activity involving large-scale regular monitoring or large-scale processing of special categories) are not met. For data-protection requests, please contact datenschutz@wohni.at directly.
3. What data we process
When you create an account and use Wohni we process the following categories of personal data:
- Account basics: email, display name, profile picture, short bio, account type (Seeker / Owner / Broker)
- Authentication: Keycloak subject ID (a random token; no password is stored in the application database; Keycloak is a self-hosted component, not an external service provider)
- Search preferences: price range, size, districts, feature wishes
- Activity data: swipes, matches, favourites, saved searches, statistics
- Communication: messages between matched users; optionally translated via DeepL on explicit click
- Listings (owners): title, description, address, photos, price, features
- Tenant profile (optional): net income, employment, employer, household size, children, pets, short bio — only released to landlords with whom you have actively shared (visible and revocable in the profile under “Who can see my tenant profile”)
- Application documents (optional): uploaded documents (Selbstauskunft, Meldezettel, payslips) — a landlord can access them only while at least one active profile share with that same landlord is in effect
- Anti-fraud fingerprint: SHA-256 hash of normalized display name + IPv4 /24 block (or IPv6 /48), generated once at account creation; used solely to detect re-signups of suspended accounts; cleared on account deletion
- Push subscription (optional): browser push endpoint + user-agent — stored when you enable push. When you disable push we mark the subscription as revoked (revokedAt timestamp) and stop sending notifications to it; the row itself remains in the database until account deletion so re-enabling is auditable. Encryption per RFC 8291 (VAPID); plaintext stays on our server
- Session metadata (Active Sessions list): IP address, browser/OS identifier, timestamps — shown in the profile under “Active Sessions” so you can spot and end unfamiliar logins
- Auto-moderation: messages are checked server-side for payment-fraud patterns (e.g. IBAN requests before a viewing booking); suspicious messages are flagged in an internal review queue. The message body itself is NOT copied into the queue — only a reference to the original message
- Technical data / audit log: IP address, user-agent, timestamps of security-relevant actions — kept for at most 12 months, with a daily background purge
- Reports: content and reason of content reports plus their handling status
4. Browser-side storage
Wohni stores only strictly necessary data in your browser. No consent under TKG 2021 § 165 is required for that; we do not set tracking or marketing cookies. The following list is exhaustive:
| Name | Purpose | Lawful basis | Retention |
|---|---|---|---|
| OIDC cookies (Keycloak) | Login and session management (PKCE flow) | Art. 6(1)(b) GDPR (contract performance) | Session lifetime / until logout |
| wohni_viewer (cookie) | Anonymous voting on publicly shared shortlists; prevents double-votes without login | Art. 6(1)(f) GDPR (legitimate interest: spam protection) | 1 year |
| OIDC session data (sessionStorage) | Keycloak token cache and PKCE verifier — default behaviour of the angular-auth-oidc-client library | Art. 6(1)(b) GDPR (contract performance) | Tab lifetime; cleared when the tab closes |
| wohni-theme (localStorage) | Light/dark theme | Art. 6(1)(b) GDPR (contract performance) | Until cleared in the browser |
| wohni.locale (localStorage) | Language selection (German/English) | Art. 6(1)(b) GDPR (contract performance) | Until cleared in the browser |
| Tutorial markers (localStorage) | Remembers which hints you have already seen | Art. 6(1)(f) GDPR (legitimate interest: non-intrusive UX) | Until cleared in the browser |
| Service worker (push) | Receives encrypted push notifications — registered on first visit to your profile page (even when push is off), but stays inactive until you enable push | Art. 6(1)(f) GDPR (legitimate interest: technical preparation of the opt-in path); from activation onwards Art. 6(1)(a) (consent) | Until you remove the service worker in your browser |
No IndexedDB databases are created.
5. Lawful bases
We process your data on the following lawful bases:
- Performance of contract (Art. 6(1)(b) GDPR): account basics, activity data, communication and listings are necessary to use the platform.
- Consent (Art. 6(1)(a) GDPR): optional profile picture and bio, optional tenant profile and per-match sharing, optional credit-check consent, push notifications, optional DeepL translation of messages.
- Legitimate interest (Art. 6(1)(f) GDPR): audit log and IP address for security; anti-fraud fingerprint to detect re-signups of suspended accounts; server-side message moderation against payment-fraud patterns; 30-day cooling-off period before final account anonymisation.
- Legal obligation (Art. 6(1)(c) GDPR): if Wohni falls under the reporting obligation of EU Directive DAC7, we transmit the required information annually to the Austrian tax administration.
A complete mapping of each lawful basis to each specific processing purpose (in particular, the legitimate-interest balancing assessment, "LIA") will be finalised with the lawyer review of this document.
6. Retention
We keep your data only for as long as the respective purpose requires:
- Account data: until the account is deleted.
- Activity data and communication: until the account is deleted or until statutory retention periods expire.
- Audit log: at most 12 months from creation — a daily background purge enforces this.
- Account deletion with a 30-day cooling-off period: after you request deletion we wait 30 days before final anonymisation. You can revoke the deletion at any time during that window. Lawful basis: Art. 17(1) read together with Recital 65 GDPR and Art. 6(1)(f) (legitimate interest: protection against accidental deletion, fraud recovery).
- Anonymised remains: after the 30-day window, email, name, bio and profile picture are replaced with placeholders. Past matches and messages remain visible to your counterparts as “Deleted user” (Art. 17(3)(e) GDPR read with Recital 65: legitimate interests of third parties).
7. Recipients / processors
We do not pass your data to third parties, with the following specific exceptions. Before the public launch (GA) we will have an Article 28 GDPR data-processing agreement in place with every processor; outstanding DPAs are tracked in our internal compliance log.
| Provider | Location | Data transmitted | Role / DPA |
|---|---|---|---|
| Resend | EU data centre | Email address, display name, transactional email content (match notifications, password reset, application-status updates, viewing reminders) | Processor; DPA in place |
| Stripe Payments Europe | Ireland (EU) | Account UUID, listing UUID, boost type, amount — no real names, no password. Stripe collects and stores payment data itself (PCI scope stays with Stripe). | Independent controller for payment processing; DPA per Stripe Terms |
| Hetzner Object Storage | Germany (EU) | Uploaded tenant documents (Selbstauskunft, payslips, etc.) — encrypted in transit; access only via short-lived presigned URLs (5-minute validity) | Processor; DPA in place |
| DeepL SE | Cologne, Germany (EU) | Content of a single message — only on explicit click on "Translate". No use for training. | Processor; DPA per DeepL Pro Terms |
| Browser push service | Operated by the respective browser vendor (e.g. Mozilla, Apple, Google) — assigned dynamically when you subscribe to push | Encrypted push payload (title, short text, link). Content is protected by VAPID/RFC 8291 encryption; the browser vendor cannot read it. | Independent service provider (Web Push standard, no classical DPA required) |
| OpenStreetMap tile servers | United Kingdom (UK adequacy decisions, originally adopted 28 June 2021 and renewed 19 December 2025 through 27 December 2031) | IP address, rendered map area — fetched directly by the browser when rendering the map (not proxied through Wohni servers) | Data source (public maps); no processor relationship |
| Google Fonts (Google Ireland Limited) | Ireland (EU); served via globally distributed CDN | IP address, user-agent — fetched directly by the browser when loading fonts | Independent controller; processing per Google Privacy Policy |
| Stadt Wien Open Government Data | Vienna (EU) | No personal data. We fetch only static geographic data (parks, schools, U-Bahn stations) server-side and serve it cached to your browser. | Data source (public reference data, CC-BY 4.0) |
8. Transfers to third countries
Wohni itself does not actively transfer your data to third countries. Indirectly, the following browser-side connections may have third-country exposure: (1) OpenStreetMap tile servers in the United Kingdom — covered by the EU Commission’s UK adequacy decisions, originally adopted 28 June 2021 and renewed 19 December 2025 through 27 December 2031. (2) Font loading via the Google Fonts CDN — Google may process IP address and user-agent in the United States depending on the edge node serving your request; the contracting party is Google Ireland Limited, with Standard Contractual Clauses applying. (3) Browser push delivery via the browser vendor’s push service (e.g. Mozilla, Apple, Google) — these endpoints may use US infrastructure depending on the vendor. Before GA we are evaluating self-hosting Google Fonts to eliminate that indirect transfer. Every processor named in section 7 (Resend, Stripe, Hetzner, DeepL) operates EU data centres.
9. Your rights
Under EU GDPR you have the right to:
- Access (Art. 15): confirm what data we process about you.
- Rectification (Art. 16): have inaccurate data corrected — directly in the profile or by email.
- Erasure (Art. 17): directly in the profile under “Delete account”. Anonymisation runs after the 30-day cooling-off period (see section 6).
- Restriction of processing (Art. 18).
- Data portability (Art. 20): on request by email to datenschutz@wohni.at; we respond within one month (Art. 12(3) GDPR) with a machine-readable JSON export.
- Object to processing (Art. 21).
- Withdraw consent (Art. 7(3)): at any time by email to datenschutz@wohni.at or directly in the profile (e.g. profile-shares panel, push toggle, credit-check consent). The lawfulness of processing carried out before withdrawal remains unaffected.
- Lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at
Mandatory fields for account creation are email, display name and account type; without them an account cannot be created. Optional fields (profile picture, bio, tenant profile, application documents) have no impact on account creation.
10. Profiling and automated decisions
Wohni performs two automated processing activities that may be classified as profiling within the meaning of Art. 4(4) GDPR:
- Ordering of suggestions: listings are sorted by generic factors (distance from your search preferences, freshness, popularity). A personalised learning component that derives weights from your swipe behaviour is present in the codebase but is currently disabled in production. Activation will only happen after legal review of the lawful basis is finalised and with an explicit consent toggle in the profile.
- Message auto-moderation: incoming chat messages are checked server-side for payment-fraud patterns (e.g. IBAN requests before a viewing booking). Suspicious messages are flagged in an internal review queue; final action is taken by a human moderator. No automatic blocking or deletion happens; no “legal or similarly significant effect” within the meaning of Art. 22 GDPR arises.
11. Minimum age
Wohni is intended for people aged 14 and older (DSG § 4(4)). People under 14 must not create accounts; we delete any such accounts as soon as we become aware of them.
12. Contact
For data-protection questions please contact datenschutz@wohni.at. You may also lodge a complaint directly with the Austrian Data Protection Authority: dsb.gv.at.