HOUSERROW

Privacy Policy

Privacy at House Arrow

Version 1.0 · Last updated 6 June 2026

This policy explains how House Arrow collects, uses, and protects personal data.

1. Who we are

The data controller is House Arrow (KvK 42070994), established in the Netherlands.

For any privacy question, request, or complaint, contact us at [email protected].

2. The data we process

Depending on how you use our products and services, we may process:

  • Account data. Some of our products let you create an account. Where they do, we process the data you provide to register and sign in, such as your email address, a display name, and a securely hashed password.
  • Content you provide. Some of our products let you upload or create content, including photos. We process that content to operate the product for you.
  • Usage and device data generated as you use a product, such as device type, operating system, and version information, together with non-identifying event metadata.
  • Support and correspondence when you contact us.

We do not sell personal data, and we do not use it for third-party advertising.

3. Why we process it, and our legal bases

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the product or service you have signed up for, including creating your account, storing your content, and delivering the service.
  • Legitimate interests (Art. 6(1)(f)) — to keep our products secure, prevent abuse, diagnose problems, and understand aggregate usage so we can improve. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)) — where the law requires it, for example any non-essential processing. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to meet record-keeping, tax, and other obligations that apply to us.

4. Who we share data with

We use a small set of vetted service providers ("processors") to run our products. They process data only on our instructions and under data-processing agreements. By category, these are:

  • hosting and infrastructure providers;
  • database and storage providers;
  • payment providers, where applicable.

We prefer EU-based providers. Where any transfer outside the EEA occurs, it is covered by appropriate safeguards, such as the European Commission's Standard Contractual Clauses.

5. Retention

We keep personal data only as long as needed for the purpose it was collected, or as required by law. You can request deletion of your data, and where you delete an account we remove the associated personal data, in any event within 30 days, except where we must retain limited records to meet a legal obligation.

6. Security

We apply appropriate technical and organisational measures, including encryption in transit, hashed credentials, and access controls scoped to the minimum necessary. No system is perfectly secure, but we work to protect your data and to notify you and the regulator where the law requires.

7. Cookies

This website is static and uses only functional cookies that may be set by our hosting provider to deliver the site securely. We do not use advertising or tracking cookies on this website.

8. Children

Our products are not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

9. Your rights

Subject to the conditions in the GDPR, you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that is inaccurate or incomplete;
  • Erase your data (the "right to be forgotten");
  • Restrict or object to certain processing;
  • Data portability — receive your data in a structured, machine-readable format;
  • Withdraw consent at any time, without affecting processing already carried out.

To exercise any of these rights, email [email protected]. We respond within one month, as required by the GDPR.

10. The right to complain

If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). We would appreciate the chance to address your concern first, at [email protected].

11. Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the version number and date above.