Privacy Policy

Last updated:
This translation is provided solely for ease of understanding. Only the German version is legally binding.

Introduction

WOHNO is an online platform that brings together housing seekers and providers of residential space. The protection of your personal data is a central concern for us. In this privacy policy, we inform you in accordance with Art. 13 and 14 GDPR about which personal data we process in connection with the use of our platform and website, for which purposes and on which legal basis this is done, and which rights you are entitled to. Where reference is made below to 'WOHNO', 'we' or 'us', this refers to the entity named in the 'Data Controller' section.

Data Controller

The party responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:

WOHNO UG (haftungsbeschränkt) i. G.

Bachstr. 36
52066 Aachen
Germany

Email: info@wohno.de

Security Measures

Taking into account the state of the art, implementation costs, and the nature, scope, and purposes of processing, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk and to protect your data against unauthorized access, loss, alteration, or manipulation.

These measures include in particular:

  • Encrypted data transmission via TLS/SSL across the entire platform
  • Role- and permission-based access concept as well as tenant separation at the database level (Row Level Security)
  • Regular, secured backups on geo-redundant infrastructure
  • Ongoing security updates, monitoring, and logging of security-relevant processes
  • Encrypted or pseudonymized storage of sensitive data and access credentials

Data Processing on the Platform

Server Log Files

Each time our platform is accessed, our hosting service provider automatically collects information and stores it in so-called server log files. This concerns in particular:

  • IP address of the requesting device (shortened or deleted promptly)
  • Browser type, browser version, and operating system used
  • Date and time of access as well as the page accessed
  • Referrer URL from which you reached our platform

The processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the secure, stable, and trouble-free operation of the platform and in defending against attacks and abuse.

The log files are generally deleted automatically after no more than 7 days, unless they are exceptionally required for longer to investigate a specific security incident.

Cookies & Consent Management

We use cookies and comparable technologies to provide the platform and make it user-friendly. Technically necessary cookies (e.g. for login, session management, and security) are required for the operation of the platform and are used for contract performance or on the basis of our legitimate interest.

Cookies and services that are not technically necessary are only used with your prior consent (§ 25 para. 1 TDDDG, Art. 6 para. 1 lit. a GDPR). Your consent is voluntary and can be withdrawn at any time with effect for the future, without this affecting the usability of the essential platform functions.

A detailed overview of all cookies used and the option to manage your consent can be found in our Cookie Policy.

Contacting Us

If you contact us via the contact form, by email, or by telephone, we process the data you provide (in particular name, contact details, and the content of the request) in order to handle your request and answer any follow-up questions. The legal basis is Art. 6 para. 1 lit. b GDPR insofar as your request relates to a contract, otherwise our legitimate interest in handling requests (Art. 6 para. 1 lit. f GDPR). The data is deleted once the request has been conclusively handled and no statutory retention obligations apply.

Registration & User Account

Using the protected areas of the platform requires the creation of a user account. As part of registration and subsequent account use, we process the following data:

  • Email address (mandatory; used as login and for communication)
  • Password (stored exclusively in encrypted or hashed form)
  • Profile data such as name and – optionally – additional information you provide
  • Selected user role (housing seeker or provider) and, where applicable, membership of an organization
  • Technical metadata such as registration and login timestamps for the security of your account

The processing serves to provide the user account, for authentication, and to perform the usage contract (Art. 6 para. 1 lit. b GDPR). Security-related metadata is processed on the basis of our legitimate interest in abuse-proof operation (Art. 6 para. 1 lit. f GDPR).

The account data is stored for the duration of your user account and removed after its deletion, unless statutory retention obligations exist.

Listings (Providers)

Providers can create listings for residential space on WOHNO. In doing so, we process the data provided in the listing, in particular the property description, address and location, rental or purchase prices, features, and uploaded photos and documents.

Listings are displayed – depending on the visibility chosen by the provider – publicly on the platform and, where applicable, via search engines. Providers are responsible for not including any personal data of third parties in listings without an appropriate legal basis.

The processing is carried out to perform the usage contract with the provider and to provide the platform's intermediary function (Art. 6 para. 1 lit. b GDPR).

Search Profiles & Application Portfolios (Seekers)

Housing seekers can create a search profile and a digital application portfolio. Depending on your input, this may involve processing data such as name, contact details, household size, income and creditworthiness information, employment situation, and uploaded evidence and documents.

Some of this information may be particularly sensitive. You decide for yourself which information you provide and to which providers you transmit your application portfolio. The processing is carried out to perform the usage contract and at your initiative; for particularly sensitive information, additionally on the basis of your explicit consent. You can change, restrict, or delete your information at any time.

The processing serves to create and manage your search profile and application portfolio and to transmit them to the providers you have selected (Art. 6 para. 1 lit. b and, where applicable, lit. a GDPR).

Matching & Score Calculation

To improve matchmaking, we automatically compare search profiles and listings and determine a match score. This serves solely as non-binding guidance and does not lead to a legally binding decision. The respective provider always decides independently on whether to accept an application or allocate an apartment. No decision based solely on automated processing within the meaning of Art. 22 GDPR takes place. The legal basis is contract performance and our legitimate interest in efficient matchmaking (Art. 6 para. 1 lit. b and f GDPR).

Chat & Messages

Seekers and providers can communicate with each other via the platform's internal chat and messaging function. We process the content and metadata of this communication in order to provide the function, ensure delivery, and prevent abuse. Messages are stored for as long as this is necessary for the communication of the parties involved. The legal basis is Art. 6 para. 1 lit. b and lit. f GDPR.

Viewing Appointments

For the scheduling and management of viewing appointments, we process data such as appointment times, the persons involved, the property reference, and any notes you store. The processing serves to organize viewings and to coordinate between seekers and providers (Art. 6 para. 1 lit. b GDPR).

Payments & Paid Services

For paid services, we process the data required for contract handling, in particular the selected service, billing data, and payment status. The actual payment processing is carried out via specialized payment service providers; complete payment data (e.g. credit card numbers) is processed directly by these service providers and not stored permanently by us.

The processing serves to handle paid contracts (Art. 6 para. 1 lit. b GDPR) and to fulfill commercial and tax retention obligations (Art. 6 para. 1 lit. c GDPR).

AI-Assisted Features

WOHNO uses AI-assisted features, for example to create texts and summaries, structure listing data, or support matchmaking. In doing so, content you enter or upload may be transmitted to and processed by specialized service providers.

The processing serves to provide and improve these features on the basis of contract performance or our legitimate interest in a high-performing service (Art. 6 para. 1 lit. b and f GDPR). Automated evaluations serve merely as support; no decision based solely on automated processing with legal effect within the meaning of Art. 22 GDPR takes place.

Map Display & Location Data

To display property locations and to enable radius searches, we integrate map services and process location and address data (geocoding). When maps are loaded, your IP address may be transmitted to the respective map provider. The services used are listed in the overview below. The legal basis is contract performance or our legitimate interest in a clear presentation of locations (Art. 6 para. 1 lit. b and f GDPR).

Newsletter

If you subscribe to our newsletter, we process your email address and the time of subscription in order to send you information about WOHNO. The dispatch is carried out exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR), which you can withdraw at any time with effect for the future via the unsubscribe link in every email or by message to us.

Embedding Listings on Third-Party Sites (Embed Widget)

Providers (e.g. property managers or real estate agencies) can embed individual listings on their own websites using a so-called embed widget. Technically, this loads an iframe from wohno.de that displays the listing data. When you visit such a third-party site with an embedded widget, your IP address is transmitted to our servers — as with any website request — so that the content can be delivered. The widget does not set any cookies.

To measure reach, we record how often an embedded listing is displayed and clicked. We process your IP address exclusively in pseudonymized form: it is hashed using a key that rotates daily, so that no conclusions about your identity and no recognition across multiple days are possible. We additionally store a shortened browser identifier and the originating website (referrer). This individual data is automatically deleted after 90 days; only anonymous daily statistics without any personal reference remain. The legal basis is our legitimate interest in measuring the success of the embedding (Art. 6 para. 1 lit. f GDPR). The embedding provider can fully disable this tracking via the attribute data-wohno-track="false".

Reach Measurement & Usage Analytics

To understand how our platform is used and to improve our offering, we operate our own reach and usage analytics entirely on our own servers (first-party). No data is transmitted to third-party providers such as Google Analytics. Your IP address is never stored in plain text, but processed exclusively as a daily-rotating, irreversible hash value for abuse prevention.

Before and without your consent, we only collect anonymous, aggregated usage statistics (e.g. page views, originating domain, coarse device class). We do not set any cookies or comparable identifiers for this and do not recognize individual persons or sessions. The legal basis is our legitimate interest in data-minimizing reach measurement (Art. 6 para. 1 lit. f GDPR).

Only if you consent to the “Analytics/Statistics” category in the cookie banner do we additionally assign pseudonymous identifiers (session and device ID) to analyze usage flows and returning visits (funnel analysis). The legal basis is your consent (Art. 6 para. 1 lit. a GDPR), which you can withdraw at any time with effect for the future via the cookie settings; the identifiers are then deleted.

The collected individual data is automatically deleted after no more than 14 months. We additionally retain anonymous daily statistics without any personal reference in order to evaluate long-term trends.

Services Used & Processors

For the operation of the platform, we use carefully selected service providers who process personal data on our behalf. Where necessary, we have concluded data processing agreements with these service providers in accordance with Art. 28 GDPR. The overview below shows the main services used, their respective purpose, and the storage period:

| Name | Provider | Location | Purpose | Data Processed | Storage Duration | Category |
|---|---|---|---|---|---|---|
| Session & authentication cookies | WOHNO (first-party, via Supabase Auth) | – | Login, session management, and protection against unauthorized access to the user account | Session token, refresh token, user ID | Session or up to 7 days (refresh token) | Essential |
| Language setting (NEXT_LOCALE) | WOHNO (first-party) | – | Storing the selected display language | Language code | 1 year | Essential |
| Display setting (theme) | WOHNO (first-party) | – | Storing the light/dark mode | Theme setting | 1 year | Essential |
| Cookie consent | WOHNO (first-party) | – | Storing your cookie decision (consent management) | Consent status per category, timestamp, version | 1 year | Essential |
| Server logs | WOHNO / hosting service provider | – | Ensuring secure and stable operation, error diagnosis, defense against attacks | IP address, browser/device information, time of access, URL accessed, referrer | generally 7–14 days | Essential |
| Security & activity logs (audit logs) | WOHNO (first-party) | – | Logging of security-relevant events (e.g. logins, password and permission changes) for abuse detection, traceability, and IT security | User ID, IP address, user agent, action and affected resource, timestamp | 24 months; automated deletion thereafter (see partition_retention_policies) | Essential |
| Consent & contract records (terms and conditions/privacy policy, data processing agreement) | WOHNO (first-party) | – | Audit-proof record of consents given and agreements concluded (terms and conditions, privacy policy, data processing agreement) in accordance with the accountability obligation (Art. 5 para. 2, Art. 7 para. 1 GDPR) | User ID, IP address, user agent, document version and content hash (SHA-256), timestamp | for the duration of the business relationship and until expiry of the statutory limitation and retention periods (generally up to 3 years after the end of the contract; up to 10 years where relevant under commercial or tax law) | Essential |
| Vercel (hosting) | Vercel Inc. | USA (EU edge locations); data transfer to the USA | Hosting of the website/platform, delivery of content via a content delivery network | IP address, user agent, access data/logs | see provider / server logs | Essential |
| Supabase (database & authentication) | Supabase Inc. | EU – Frankfurt (eu-central-1) | Storage of account, profile, listing, and platform data as well as management of login | Email address, password (hashed), profile and account data, listing, application, and message data | until deletion of the account or the respective content | Essential |
| Upstash Redis (rate limiting & caching) | Upstash, Inc. | EU – Frankfurt | Protection against abuse (rate limiting) and caching to speed up the platform | IP address / identifier, technical counters | short-term (minutes to a few days) | Essential |
| Trigger.dev (background jobs) | Trigger.dev Ltd. | USA; data transfer to the USA | Asynchronous processing, e.g. email dispatch, listing import, image processing | processing-dependent content data (e.g. listing or account data) | only for the duration of job execution | Essential |
| Resend (email dispatch) | Resend, Inc. | USA; data transfer to the USA | Sending transactional and service emails (e.g. registration, notifications, password reset) | Email address, name, content of the email | up to 30 days (dispatch logs) | Essential |
| Stripe (payment processing) | Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (USA) | EU/USA; possibly data transfer to the USA | Processing of paid plans, upsells, and other payments, fraud prevention | Name, email address, billing address, payment data (e.g. card data, processed by Stripe), transaction and contract data | for the duration of the business relationship plus statutory retention periods (generally up to 10 years) | External Services |
| Anthropic Claude (AI features) | Anthropic PBC | USA; data transfer to the USA | AI-assisted features, e.g. creating/improving listing texts and listing import; only when these features are actively used | content you enter (e.g. listing data, texts, imported documents) | Processing only to handle the request; no use for training purposes by the provider (API usage) | External Services |
| MapTiler (maps & geocoding) | MapTiler AG | EU (Switzerland/EEA) | Display of maps and conversion of addresses into geo-coordinates (geocoding) for listings and search | IP address, address/location details, technical access data | see provider | External Services |
| Reach measurement – anonymous statistics (first-party) | WOHNO (first-party, via Supabase) | EU – Frankfurt (eu-central-1) | Anonymous, cookieless measurement of page usage (e.g. page views, origin, coarse device class) to improve the offering, without recognition of individual persons | pseudonymized (hashed) IP address, page accessed (without personal parameters), originating website (domain only), coarse device/browser/operating system information, UTM campaign parameters, language | Individual data 14 months; automated deletion thereafter. Anonymous daily statistics without personal reference remain indefinitely. | Analytics |
| Product analytics – pseudonymous usage analysis (first-party) | WOHNO (first-party, via Supabase) | EU – Frankfurt (eu-central-1) | Analysis of usage flows (funnel, returning visits) for product improvement, exclusively after your consent | pseudonymous identifiers (session and device ID), user ID where applicable (for logged-in users), page views and interactions, pseudonymized (hashed) IP address, coarse device/browser information | Individual data 14 months; automated deletion thereafter | Analytics |
| Sentry (error monitoring) | Functional Software, Inc. (Sentry) | EU (eu.sentry.io) | Detection and analysis of technical errors to ensure the stability and security of the platform | IP address, browser/device information, error and diagnostic data, user ID where applicable | generally up to 90 days | External Services |

Data Transfer to Third Countries

Insofar as individual service providers named above process data outside the European Union or the European Economic Area, we ensure an adequate level of data protection through appropriate safeguards. These include in particular standard contractual clauses adopted by the EU Commission as well as – where applicable – adequacy decisions. You can request a copy of the relevant safeguards from us.

Recipients of the Data

Your personal data is only transmitted to third parties insofar as this is necessary for the purposes of the platform or legally permitted. Recipients may in particular be:

  • Other users of the platform – e.g. providers to whom you transmit your application portfolio, or seekers who respond to a listing – to the extent required in each case
  • Processors engaged by us (e.g. for hosting, email dispatch, or payment processing), who act exclusively on our instructions
  • Other service providers and partners, insofar as this is necessary for contract performance
  • Authorities and courts, insofar as we are legally obliged or entitled to provide information

We do not sell your personal data and do not pass it on to third parties for advertising purposes.

Storage Period & Deletion

We process and store personal data only for as long as is necessary for the respective purposes or as long as statutory retention obligations exist. Data of your user account is generally removed upon its deletion. Listings, search profiles, and messages are deleted as soon as they are no longer needed or you initiate their deletion. Statutory retention periods of generally 6 or 10 years apply to invoicing and accounting data; during this period, processing is limited to fulfilling the retention obligation.

Your Rights as a Data Subject

As a data subject, you are entitled to extensive rights vis-à-vis us under the GDPR. To exercise your rights, an informal notification to the contact details named in the 'Data Controller' section is sufficient. Exercising your rights is generally free of charge for you.

Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether we process personal data concerning you, as well as to obtain information about this data and a copy of the data.

Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of incorrect data concerning you and the completion of incomplete data. You can also adjust many details yourself at any time in your user account.

Right to Erasure (Art. 17 GDPR)

You have the right to request the immediate erasure of data concerning you, insofar as its processing is no longer necessary and no statutory retention obligations or other legal grounds prevent it.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your data, for example while the accuracy of the data is being verified or you have objected to the processing.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive the data you have provided in a structured, commonly used, and machine-readable format and – where technically possible – to request its transmission to another controller.

Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data concerning you that is carried out on the basis of our legitimate interest. Where processing is for the purpose of direct marketing, you may object at any time without giving reasons.

Withdrawal of Consent Given (Art. 7 para. 3 GDPR)

Insofar as processing is based on your consent, you can withdraw it at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, place of work, or place of the alleged infringement, if you believe that the processing of your data infringes the GDPR.

Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services. The version published on the platform at the relevant time applies. In the event of material changes, we will inform you in an appropriate manner.