Privacy Policy

Last updated: 15 April 2026 · Version 2.0

1. Who we are

Self Property ("we", "us", "our") operates the selfproperty.eu platform, a property management application for co-owned residential buildings across the European Union.

Self Property is in the process of incorporation in Belgium. Until the company is formally registered, the platform is operated by its founder as a natural person established in Belgium. This Policy will be updated with the company's registered name, address, and Belgian enterprise number (KBO/BCE) once incorporation is complete.

Contact (controller for data subjects): contact@selfproperty.eu

For most of the data we hold, we act as the data controller. However, when a building manager uploads documents, invites members, records meeting minutes, or enters contact details for third parties (e.g. plumbers, locksmiths) into the platform, that manager is the controller of that personal data and Self Property acts as a processor on the manager's behalf. On request, we will provide managers with a written Data Processing Agreement reflecting this relationship.

2. Data we collect

We collect and process the following categories of personal data:

2.1 Account data

Name, email address, phone number (optional), and profile picture (optional). Authentication (including password storage) is handled by our identity provider Clerk — we do not see or store your password.

2.2 Building data

Building name, address, city, postal code, country, number of units, building layout/configuration, unit shares (thousandths), and your role within the building (manager, owner, or tenant).

2.3 Communication data

Content you create within the platform: announcements (title, content, priority, attachments, comments and likes), maintenance requests (title, description, photos, status updates, comments), meeting details (title, date, time, location, online-meeting links, agenda, RSVP responses, meeting minutes and action points).

2.4 Messaging data

Messages sent in the building feed and direct messages, including message content, sender identity, role, timestamps, file attachments (images and documents), and shared references to meetings or announcements. Read receipts (timestamp of when a direct message was viewed) are tracked so unread indicators can be displayed.

2.5 Documents and files

Files you upload: legal documents, financial records, insurance documents, meeting minutes, maintenance documentation, and other building-related files. Files are stored in Supabase Storage (EU region) and served via signed URLs with time-limited access. Document access is role-based — tenants can only access categories relevant to them (minutes, legal, maintenance, other).

2.6 Financial data

Expenses recorded on the platform, per-unit splits, provisions received, cost groups, and recurring expense schedules. For building managers on a paid plan, we also process billing identifiers issued by Stripe (customer ID, subscription ID, subscription status) — we do not store card numbers.

2.7 Third-party contact data entered by users

Building managers may enter contact details (name, phone, email) for emergency services and service providers (plumbers, electricians, locksmiths, etc.) used by their building. These are personal data of non-users entered by a manager. Self Property acts as a processor for this data; the manager is controller. Such contacts are only visible to members of the relevant building.

2.8 Invitation data

When a manager invites a new member, we store the invitee's name, email address, role, and (optionally) apartment number, along with an invitation token. Unaccepted invitations are marked as EXPIRED after 7 days and permanently deleted 90 days later.

2.9 Notification data

Email notifications: we log outgoing transactional emails (recipient address, subject, type, send status, send time) for delivery troubleshooting. These logs are automatically purged after 12 months.

Web push notifications: if you grant permission in your browser, we store your push-subscription endpoint (issued by your browser vendor — Apple, Google or Mozilla) and the associated cryptographic keys (p256dh and auth) linked to your user ID. These are used solely to deliver notifications from the platform and are removed when you revoke permission, delete your account, or if the endpoint remains inactive for 12 months.

2.10 Consent record

When you accept our Terms of Service and Privacy Policy we store the date of acceptance and the exact text you agreed to, so we can demonstrate consent (Art. 7(1) GDPR).

2.11 Technical data

Browser type, device information, and cookie preferences. For rate-limiting and abuse prevention, we read your IP address from the HTTP request but do not persist it — it is held only transiently in the memory of the serverless function handling your request. We do not use tracking cookies, analytics cookies, or advertising cookies.

3. Why we process your data and on what legal basis

Contract performance (Art. 6(1)(b) GDPR): providing the building-management service, enabling communication between members, processing maintenance requests and meetings, delivering notifications you have subscribed to, and — for managers — processing subscription payments.

Legitimate interest (Art. 6(1)(f) GDPR): security measures (rate limiting, fraud prevention, abuse investigation), service reliability, improving the product, and storing third-party contact details entered by managers so members can reach service providers. You may object at any time (see Section 8).

Consent (Art. 6(1)(a) GDPR): sending marketing communications, web push notifications, and any non-essential cookies. You may withdraw consent at any time with effect for the future.

Legal obligation (Art. 6(1)(c) GDPR): retaining subscription invoices and related billing records for the period required by Belgian tax and accounting law (currently 7 years).

We do not use your personal data for profiling or automated decision-making that produces legal effects on you (Art. 22 GDPR).

4. Messaging and communication

The platform provides two types of messaging:

Building feed: group messages visible to all accepted members of a building. Messages include your name and role (manager, owner, or tenant). File attachments and shared references to meetings/announcements are stored alongside messages.

Direct messages: private conversations between two building members. Residents (owners and tenants) can only initiate direct messages with the building manager; managers can message any member of their buildings.

Encryption notice. All platform traffic is encrypted in transit (TLS) and the underlying database and storage buckets are encrypted at rest by Supabase. Messages are not end-to-end encrypted: as the platform operator we are technically able to access message content when strictly necessary for support, security investigations, or compliance with a legal obligation. We do not read messages for any other purpose.

Retention and erasure. Direct messages you have sent are permanently deleted when you delete your account. Building-feed messages you posted are retained to preserve group-conversation context for other members, but your authorship is anonymized (your name is replaced by "Deleted User" and the link to your account is severed). A conversation in which both participants have deleted their accounts is removed in full.

5. Who we share data with (sub-processors)

We share data only with the following categories of processors. Each acts under a data-processing agreement and processes your data only on our documented instructions.

Supabase, Inc. — PostgreSQL database and file storage. Region: EU (Frankfurt). Stores all application data including messages, documents, and building information.

Clerk, Inc. — authentication, password storage, social login, account recovery. Based in the United States; relies on the EU-US Data Privacy Framework and Standard Contractual Clauses for EU-to-US transfers.

Vercel, Inc. — hosting and serverless execution of the application. Static assets are served from Vercel's global edge; dynamic server functions for this deployment are routed to Vercel's European region. EU-US transfers, where they occur, are covered by Standard Contractual Clauses.

Stripe Payments Europe, Ltd. — processes subscription payments for building managers only. Based in Ireland. We do not receive or store card numbers.

Resend, Inc. — sends transactional emails (invitations, notifications). Processes recipient email address, subject and message body only.

Push-notification delivery services — when you opt in to web push notifications, messages are delivered through Apple Push Notification service (Apple Inc.), Firebase Cloud Messaging (Google LLC), or Mozilla Push Service (Mozilla Corporation), depending on your browser. We send only the notification payload and your browser-issued endpoint; we do not share any other account data with these services.

We do not sell personal data. We do not share data with advertisers. We do not use third-party analytics or tracking tools (no Google Analytics, no Meta Pixel, no session-replay tools).

6. Data storage and security

Application data is stored in Supabase (PostgreSQL) with servers in the EU. Security measures include: HTTPS/TLS encryption in transit; encryption at rest at the database and storage level; role-based access control enforced both client-side and server-side; rate limiting on all API endpoints; a Content Security Policy; signed, time-limited URLs for uploaded files; and regular security reviews. Access to production systems is limited to the founder pending the build-out of a larger team, and uses single-sign-on and two-factor authentication.

Personal-data breaches. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by Art. 33 GDPR, and inform affected users without undue delay where the risk is high (Art. 34).

7. Data retention

Account data: retained while your account is active. On account deletion, personal data is deleted (or anonymized where legally required for accounting or to preserve group-conversation context — see Section 4) within 30 days.

Building data, documents, expenses, meetings, maintenance: retained while the building is active on the platform. When a building is removed, all associated data is permanently deleted (cascaded).

Messages: see Section 4.

Email delivery logs: automatically purged after 12 months.

Web-push subscriptions: removed on opt-out, on account deletion, or when inactive for 12 months.

Pending invitations: marked EXPIRED after 7 days; the row (with the invitee's name and email) is deleted after a further 90 days if still not accepted.

Consent record: retained for the duration of the account plus 3 years, to evidence compliance.

Billing records (subscription invoices): retained for 7 years as required by Belgian tax law, even after account deletion.

IP addresses: not persisted — used transiently in memory for rate-limiting and discarded with the serverless-function invocation.

8. Your rights under GDPR

As a data subject in the European Union, you have the following rights:

Right of access (Art. 15): you can request a copy of all personal data we hold about you. Use the "Export My Data" feature in Settings, or email us.

Right to rectification (Art. 16): you can update your personal information directly through your profile settings at any time.

Right to erasure (Art. 17): you can request deletion of your account and all associated data. Use the "Delete My Account" feature in Settings, or email us. Deletion is processed within 30 days. Note that building-feed messages you posted are anonymized rather than deleted to preserve conversation context for other members; direct messages you sent are deleted outright.

Right to restriction of processing (Art. 18): you can ask us to temporarily stop using your data in specific circumstances (e.g. while a rectification request is being resolved).

Right to data portability (Art. 20): you can export your data in a machine-readable format (JSON) through the Settings page. The export includes your profile, buildings, announcements, maintenance tickets, comments, meeting attendance, expenses, provisions, messages you authored, and push subscriptions.

Right to object (Art. 21): you can object to processing based on legitimate interest by contacting us.

Right not to be subject to automated decision-making (Art. 22): we do not carry out any such automated decision-making. This right is therefore not engaged, but we state it explicitly for transparency.

Right to withdraw consent (Art. 7(3)): you can withdraw any consent at any time with effect for the future (marketing emails, push notifications, non-essential cookies) through your Settings or by contacting us.

To exercise any of these rights, contact us at contact@selfproperty.eu. We will respond within 30 days. Exercising these rights is free of charge unless requests are manifestly unfounded or excessive.

9. Cookies and local storage

Essential cookies only. We use cookies strictly necessary for authentication, session management, and security (Clerk session cookies and a cookie recording your consent choice). We do not use advertising, analytics, or third-party tracking cookies.

Local storage. Your browser's localStorage is used to remember UI preferences (language, selected building, notification dismissals, whether you have seen the welcome modal, PWA install prompt). This data stays on your device and is never sent to our servers.

See the Cookie Policy for the full list.

10. International transfers

The large majority of processing takes place inside the European Economic Area. Where data is transferred outside the EEA (specifically to US-based providers Clerk and, for global edge serving, Vercel), such transfers rely on the EU-US Data Privacy Framework (where applicable) together with Standard Contractual Clauses approved by the European Commission (Decision 2021/914). On request, we can provide a copy of the transfer-safeguarding measures in place.

11. Children

Self Property is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it without undue delay.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform. The "last updated" date at the top of this page indicates when the policy was last revised.

13. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your national Data Protection Authority. Users residing in Belgium can contact the Gegevensbeschermingsautoriteit / Autorité de Protection des Données at dataprotectionauthority.be. You are also encouraged to contact us first at contact@selfproperty.eu and we will do our best to resolve the issue.

14. Contact

Self Property (in the process of incorporation in Belgium)
Email: contact@selfproperty.eu
Website: selfproperty.eu