Privacy Policy

Last updated: May 2026

Siedla ("we", "us", "our") is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Austrian Data Protection Act (DSG). This policy explains what data we collect, on what legal basis, how long we keep it, and the rights you have over it.

1. Data Controller

The data controller within the meaning of Art. 4(7) GDPR is the operator of the Siedla platform. Contact details are provided in Section 9 below and in the imprint linked from the site footer.

2. Data We Collect

  • Account data: Email address (required for sign-in via magic link), first name, last name, phone number (optional), avatar selection, display preferences (locale, theme).
  • Community data: Community memberships, unit/apartment information, member role (homeowner, tenant, property manager).
  • Content data: Discussions and comments you create, proposals you author, votes you cast, announcements you publish, contact messages you send, documents you upload, and meeting participation records.
  • Technical data: IP address, browser user agent, session tokens, request timestamps, and requested URLs. These are processed for security, abuse prevention, rate limiting, and request routing; IP address, user agent, and the requested URL also appear in our infrastructure provider's (Cloudflare) request logs, which are retained for a limited period and not used for tracking. Some URLs embed access tokens — for example calendar-subscription feeds and invitation links — which therefore also appear in these logs. No tracking cookies or analytics scripts are used.
  • File uploads: Images (JPEG, PNG, GIF, WebP) and PDFs up to 5 MB per file, stored in Cloudflare R2.

3. Purpose & Legal Basis

  • Contract performance (Art. 6(1)(b) GDPR): Providing the community decision-making platform, including sign-in, membership management, discussions, proposals, voting, contact messaging, and announcements.
  • Legitimate interest (Art. 6(1)(f) GDPR): Security and abuse-prevention logging by our infrastructure provider (Cloudflare), rate limiting to prevent abuse, audit trail for community governance transparency.
  • Consent (Art. 6(1)(a) GDPR): Accepting the privacy policy during registration. You may withdraw consent by deleting your account.

4. Data Retention

Your account data is retained for as long as your account is active. When you delete your account, your data enters a 30-day grace period during which you may cancel the deletion. After 30 days, your personal data is permanently deleted or anonymized. Activity log entries are retained for community governance and audit purposes; personal identifiers are removed once the account is deleted. Session data expires automatically. Where Austrian or EU law requires longer retention (for example, records that form part of a community resolution), the underlying record is kept in anonymized form for the duration of that statutory obligation.

5. Third-Party Processors

  • Cloudflare (Workers, D1, R2, Access, Email Service): Infrastructure hosting, database, file storage, network security, and transactional email delivery (magic links, notifications). Data processing agreement in place.
  • Anthropic PBC (Claude API): AI-assisted processing for the optional land registry (Grundbuch) extraction feature and for the Gmail email-import feature used by property managers. Only the content actively submitted to these features is forwarded to the API. Per Anthropic's commercial terms, data submitted via the API is not used to train Anthropic's models. Data processing agreement in place.
  • Google Ireland Limited (Gmail OAuth): When a property manager actively connects their Gmail account to use the email-import feature, Google authenticates the user and grants the platform read-only access to the connected mailbox. No other user data is shared with Google, and the connection can be revoked at any time from the user's Google account.
  • We do not use any advertising networks, analytics services, or social media trackers.

6. Your Rights (GDPR Articles 15–21)

  • Right of access: You can export all your personal data from your account settings at any time.
  • Right of rectification: You can update your profile information (name, phone, email visibility) in your profile settings.
  • Right to erasure: You can delete your account from your account settings. After a 30-day grace period, all personal data is permanently removed.
  • Right to restriction of processing: Contact us to request restriction of processing of your data.
  • Right to data portability: The data export feature provides your data in a structured, machine-readable JSON format.
  • Right to object: You may object to processing based on legitimate interest. Contact us to exercise this right.

7. Cookies

  • Session cookie (better-auth.session_token): Strictly necessary for authentication. Cannot be disabled.
  • Locale cookie: Stores your language preference (en/de). Strictly necessary for delivering content in your chosen language.
  • Theme cookie: Stores your display theme preference (light/dark/system). Strictly necessary for rendering the interface correctly.
  • All cookies are strictly necessary for the service to function. No tracking, analytics, or advertising cookies are used. No consent banner is required.

8. Security Measures

All data is transmitted over HTTPS/TLS. Authentication uses magic links (no passwords stored). The platform is protected by Cloudflare Access (Zero Trust). Request-level security telemetry, including IP addresses, is handled by our infrastructure provider (Cloudflare). Session tokens expire automatically.

9. Contact & Complaints

For questions about your data or to exercise your rights, contact us at contact@siedla.com. The full controller details are listed in the site imprint. Requests are answered within one month, in line with Art. 12(3) GDPR. You also have the right to lodge a complaint with a data protection supervisory authority — for users resident in Austria this is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40–42, 1030 Wien, dsb@dsb.gv.at.