Processing Register (Art. 30 GDPR)

Last updated: March 1, 2026

In accordance with Art. 30(1) GDPR, OpenHospi as controller maintains this register of all personal data processing activities.

On this page

1. User profiles
2. Profile photos
3. Room listings
4. Applications
5. Chat messages
6. Session data
7. Moderation data
8. Consent records
9. Push notification subscriptions
10. Calendar subscription feed
11. Error reporting & crash monitoring

1. User profiles

Purpose	Providing the student room platform service
Categories of data subjects	Registered students
Data categories	name, email address, date of birth, gender, study programme, educational institution, bio, lifestyle tags, preferred city, available from date, maximum rent
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR)
Recipients	Other platform users (limited profile view)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until account deletion
Security	Row-Level Security (RLS), encrypted transport (TLS), role-based access control

2. Profile photos

Purpose	Profile identification and visual recognition
Categories of data subjects	Registered students
Data categories	up to 5 photos per user
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR)
Recipients	Other platform users (authenticated)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until deletion by user or account deletion
Security	Supabase Storage with access policies, encrypted storage

3. Room listings

Purpose	Housing marketplace functionality and geographic search
Categories of data subjects	Registered students (room hosts)
Data categories	address, city, coordinates, rent price, room details, photos, availability
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR)
Recipients	All authenticated users
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until deletion by owner or account deletion
Security	RLS policies (owner-only editing), encrypted transport

4. Applications

Purpose	Matching seekers with rooms and managing the hospiteren process
Categories of data subjects	Registered students (room seekers)
Data categories	personal message, application status
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR)
Recipients	Room owner and house members of the relevant house
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until withdrawal by seeker or account deletion
Security	RLS policies restricting access to involved parties

5. Chat messages

Purpose	Communication between seekers and house members
Categories of data subjects	Registered students (conversation participants)
Data categories	end-to-end encrypted message content, timestamps, encrypted session keys
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR)
Recipients	Conversation participants only (content unreadable by OpenHospi)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until account deletion
Security	End-to-end encryption (AES-256-GCM with ECDH key exchange), only participants can decrypt

6. Session data

Purpose	Authentication and security monitoring
Categories of data subjects	Registered students
Data categories	IP address, user agent, session token
Legal basis	Legitimate interests (Art. 6(1)(f) GDPR)
Recipients	None (internal use only)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	IP address anonymised 30 days after session expiry; session record deleted after 90 days
Security	Server-side processing only, encrypted storage

7. Moderation data

Purpose	Platform safety and abuse prevention
Categories of data subjects	Registered students (reporters and reported users)
Data categories	reports, blocks, temporarily decrypted message text (provided by reporter)
Legal basis	Legitimate interests (Art. 6(1)(f) GDPR)
Recipients	Admin team only
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Decrypted message text automatically deleted 90 days after resolution
Security	Admin-only access, full audit logging

8. Consent records

Purpose	Demonstrating valid consent (Art. 7 GDPR)
Categories of data subjects	Registered students and website visitors
Data categories	consent purpose, granted/revoked status, IP address, user agent, privacy policy version, timestamp
Legal basis	Legal obligation (Art. 6(1)(c) GDPR)
Recipients	None (internal audit purposes only)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	IP address anonymised after 365 days; consent records retained as long as necessary for evidentiary purposes
Security	Immutable audit trail, encrypted storage

9. Push notification subscriptions

Purpose	Delivering push notifications to users
Categories of data subjects	Registered students who have enabled push notifications
Data categories	endpoint URL, encryption keys for push service
Legal basis	Consent (Art. 6(1)(a) GDPR)
Recipients	Browser push service (technically necessary for delivery)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Until user unsubscribes or account deletion
Security	Web Push protocol with end-to-end encryption

10. Calendar subscription feed

Purpose	Synchronising hospi events with the user's calendar application
Categories of data subjects	Registered students who have activated the calendar subscription
Data categories	calendar token (UUID), hospi event titles, dates, times, locations
Legal basis	Performance of a contract (Art. 6(1)(b) GDPR): user explicitly activates the subscription
Recipients	User's calendar application provider (Google, Apple, Microsoft, etc.)
Transfers outside EEA	No, all processing within the EU/EEA
Retention	Token exists while account is active; deleted on account deletion
Security	Unguessable UUID token, HTTPS only, revocable by user

11. Error reporting & crash monitoring

Purpose	Ensuring app stability, identifying and resolving technical errors
Categories of data subjects	All app users (anonymised, no user identification possible)
Data categories	Stack traces, device model, OS version, app version, error context
Legal basis	Legitimate interest (Art. 6(1)(f) GDPR)
Recipients	Sentry (Functional Software Inc.): DPA with SCCs in place
Transfers outside EEA	No end-user data transferred. Sentry's internal organisational metadata may be replicated to the US
Retention	90 days
Security	No PII collected, data anonymised by design, EU storage (Frankfurt)