Privacy Policy
Last updated: 1 July 2026
This policy explains what Dormetrics collects, why, and your rights. We are built on data minimisation: we collect as little as possible, we never build a database of property owners, and we never sell your data.
Who we are (data controller)
The controller is DoArt, a sole proprietorship (eenmanszaak) registered in the Netherlands under KVK 58598464, Helmond, Netherlands. Dormetrics (www.dormetrics.com) is a trade name of DoArt. For any privacy question or request, email question.doart@gmail.com.
What we collect and why
The listing you check — the pasted text, an optional listing URL, photos you add, and any hints (price, city, size, IBAN, contact name) — is processed to produce your risk verdict. Uploaded photos are never stored: they are checked within your request and discarded. Email — your account identifier (captured by Stripe at checkout, when you request a magic link, when you sign up with a password, or from Google when you use Sign in with Google). Owner-confirm credits, purchases & a credit ledger — to run your account and meet accounting obligations. Your saved checks — a non-identifying record of each verdict (a listing reference plus the graded band and whether it was a free or paid check), so you can revisit past checks. An anonymous, signed device ID — to count free checks and limit abuse. Session data(a session ID and your browser's user-agent) — to keep you logged in and let you log out everywhere. Your IP address — used transiently for rate-limiting and bot protection, not stored in your account. If you choose password login we store a salted, one-way hash of your password — never the password itself; magic-link and Google sign-in accounts have no password at all. With Sign in with Google we receive only your verified email and account identifier — never your Google password or contacts. The launch waitlist — if you join it, we store the email you give us (and a name and phone number only if you choose to add them) solely to contact you about the Dormetrics launch, based on your consent. It is never shared or sold, and one reply removes you from the list.
The owner-confirm check — how we minimise owner data
When you buy an owner-confirm, you give us the property address and the name the “landlord” gave you. We run a forward, address→owner lookup against the public Dutch Land Registry (Kadaster) and return only a match / no‑match / inconclusive result against the name you supplied. We do notsplash the owner's full identity into the app, we do notkeep the owner's personal data after your request is answered, and we neveroffer a “type a name → see their properties” reverse search. There is no owner database and no “worst-landlord” list. What we retain is only a non‑identifying record of yourcheck: a listing reference, the graded band, and the kind — never the owner's name.
Legal bases (GDPR)
We rely on our (and your) legitimate intereststo run the address→owner verification you requestto protect yourself from rental fraud — a use the EU's highest court has recognised as a valid commercial legitimate interest. We process data to perform our contract with you (account, payments, saved checks); to meet a legal obligation (keeping tax and accounting records under Dutch law); and on your consent where we ask for it (e.g. any non-essential analytics). You can object to, or withdraw consent for, processing at any time.
AI & image processing
To grade a listing we send its text to a third-party AI / large-language-model provider for contract- and script-pattern analysis, and any listing images to a reverse-image / web-detection providerto spot photos stolen from elsewhere. Under those providers' commercial / API terms, your inputs are not used to train their models. These calls return signals to us; they are not a stored profile of you.
Who we share data with (processors)
We use vetted service providers that process data on our behalf under data processing agreements:
- Anthropic (United States) — AI analysis of listing text (contract & script red flags).
- Google Cloud Vision (United States) — reverse-image / web detection on listing photos.
- Kadaster and/or an authorised Kadaster reseller (Netherlands) — the live owner-confirm land-registry lookup you pay for.
- Supabase — database & hosting for your account, credit ledger, and saved-check records.
- Upstash — caching, rate-limiting, and short-lived tokens.
- Vercel — application hosting and serverless functions.
- Stripe (PCI-DSS) — payment processing, billing details, your email.
- Resend — magic-link and transactional email delivery.
- Cloudflare — bot protection (Turnstile) and abuse prevention.
We do not sell or rent your personal data, and there is no third-party ad tracking.
International transfers
Some processors are based outside the EU/EEA. Where data leaves the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and appropriate safeguards. A copy is available on request.
How long we keep your data
- Owner personal data from a confirm — used within your request and not stored afterwards.
- Saved checks — most recent 30 per account; anonymous device records are purged automatically after ~90 days.
- Sessions — about 90 days, or until you log out.
- Magic links — 15 minutes.
- Purchases & credit ledger / tax records — 7 years (legal obligation).
- Other caches — expire automatically (seconds to days).
Your rights (GDPR)
You can request access, rectification, erasure, restriction, portability, and object to processing, and withdraw consent at any time. While logged in you can download all your data and permanently delete your account or saved checks from the account panel (or via /api/account/export and DELETE /api/account). Deletion removes your account, saved checks, and ledger, except minimal payment/tax records we must retain by law. To exercise any right, email question.doart@gmail.com. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Cookies
We use a small number of first-party cookies only — no third-party ad tracking:
sd_session— keeps you logged in (HttpOnly; about 90 days).sd_device— anonymous device ID for free-check counting and abuse limits (HttpOnly; about 12 months).sd_co— a short-lived checkout security token (HttpOnly).sd_skip_delete_confirm(local storage) — remembers your “don't ask again” choice for deletions.
Security
We protect data with TLS encryption in transit, HMAC-signed tokens, access controls, and PCI-DSS-compliant payment handling via Stripe. If a data breach poses a risk to you, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and affected users where required.
Children
Dormetrics is intended for adults renting or helping someone rent a home. We do not knowingly collect data from children. If you believe a minor has used the service, contact us and we will delete the data.
Changes
We may update this policy; we will post the new version with a revised date. Material changes take effect when posted.
Contact
DoArt (trading as Dormetrics), KVK 58598464, Helmond, Netherlands. Privacy questions: question.doart@gmail.com. Supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).