Privacy Policy
Last updated: May 27, 2026 · Version 2026.4
Data controller: Vizium OOD, Sofia, Bulgaria
Contents
1. Information We Collect
2. Why We Are Allowed to Use Your Data (Legal Bases)
3. How Long We Keep Your Data
4. Cookies & Tracking
5. Who Else Processes Your Data
6. International Data Transfers
7. Data Security
8. Matching Algorithm
9. Your Rights
10. Supervisory Authority
11. Contact Us
Strehana is operated by Vizium OOD (Sofia, Bulgaria). This policy explains, in plain language, what personal data we process when you use the Platform, why we are allowed to process it, who else sees it, how long we keep it, and the rights you have under EU data protection law (GDPR, Regulation 2016/679).
1. Information We Collect
We collect information you provide directly to us, as well as information automatically collected when you use our services:
- Profile information (name, email, phone, photos, lifestyle preferences)
- Listing details (property information, photos, pricing, availability)
- Usage data (pages visited, search queries, interactions)
- Device information (browser type, IP address, device identifiers)
We do not run facial recognition, automated face matching, or any other biometric processing on photos you upload. Photos are stored only to be displayed on your profile or listing.
2. Why We Are Allowed to Use Your Data (Legal Bases)
Under GDPR Art. 6 every use of personal data needs a documented legal basis. We rely on the following:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, profile, listings, applications, messaging, and payments | Contract — necessary to provide the service you signed up for (Art. 6(1)(b)) |
| Fraud prevention, abuse moderation, security logging | Legitimate interests — keeping the platform safe (Art. 6(1)(f)) |
| Analytics cookies (e.g. Google Analytics 4) and advertising cookies (e.g. AdSense) | Consent — only when you opt in via the cookie banner (Art. 6(1)(a)) |
| Server-side sharing of hashed identifiers (email, phone, name, location) and Meta browser cookies (_fbp, _fbc) with Meta Platforms Ireland Ltd. for ad attribution and remarketing audiences | Consent — only when you opt in via the cookie banner advertising toggle (Art. 6(1)(a)). You can withdraw at any time in cookie settings; we delete _fbp / _fbc and stop the server-side stream immediately. |
| Marketing emails about new features and tips | Consent — only when you opt in (Art. 6(1)(a)) |
| Storing payment records for accounting and tax | Legal obligation — required by Bulgarian and EU tax law (Art. 6(1)(c)) |
3. How Long We Keep Your Data
We keep personal data only as long as needed for the purpose it was collected for, plus any retention period required by law:
| Data category | Retention period |
|---|---|
| Account & profile data | While your account is active; deleted within 30 days of account deletion. |
| Listings, applications, messages | While the related account is active; deleted within 30 days of account deletion. |
| Payment records (Stripe transactions, invoices) | Up to 10 years to comply with Bulgarian/EU accounting and tax law. After account deletion the records are anonymised so they no longer identify you. |
| Phone-verification record | While your account is active; deleted within 30 days of account deletion. |
| Server logs (IP, request metadata) | Approximately 90 days, then deleted. |
| Cookie-consent audit log | Kept while needed to demonstrate consent under Art. 7(1); identifiers (user_id, IP hash, user agent) are removed when an account is deleted. |
4. Cookies & Tracking
We and a small number of named third parties use cookies and similar technologies. Below is the full list of what may be set on your device. Analytics and advertising cookies are only loaded after you opt in via the banner — you can change your choice any time from your profile.
Specific cookies and storage we use:
| Name | Purpose | Duration | Set by |
|---|---|---|---|
| jwt_token, refresh_token (browser localStorage) | Keep you signed in and refresh your session. | Until you log out | Strehana (essential) |
| harbor_consent_preferences (browser localStorage) | Remembers the cookie banner choice you made. | Persistent | Strehana (essential) |
| harbor_consent_session_id (browser localStorage) | Anonymous identifier so we can attribute the cookie banner choice to one browser without identifying you. | Persistent | Strehana (essential) |
| _ga, _ga_* | Google Analytics 4 measurement (page visits, traffic source). | 2 years | Google (analytics — opt-in) |
| __gads, __gpi | Google AdSense — frequency capping and ad personalisation. | 13 months | Google (advertising — opt-in) |
| _fbp | Meta Pixel — identifies the browser for ad attribution and audience matching. | 3 months | Meta (advertising — opt-in) |
| _fbc | Meta Pixel — stores the ad click ID (fbclid) for conversion attribution. | 3 months | Meta (advertising — opt-in) |
5. Who Else Processes Your Data
We do not sell your personal data. The companies below process specific categories of data on our behalf, under written contracts that meet GDPR Art. 28 requirements:
| Provider | What they handle | Country |
|---|---|---|
| Stripe Payments Europe Ltd. | Card payments for Featured listings, application boosts, and Early Bird purchases. | Ireland (with US sub-processors) |
| Google Ireland Ltd. (Maps Platform, Places API, Geocoding) | Address autocomplete, location lookups, and map display. | Ireland (with US infrastructure) |
| Google Ireland Ltd. (Sign in with Google) | Authenticating you when you choose Google sign-in. | Ireland |
| Google Ireland Ltd. (Analytics 4) | Aggregated usage analytics — only with your consent. | Ireland |
| Google Ireland Ltd. (Firebase Cloud Messaging) | Mobile push notifications. | Ireland |
| Google Ireland Ltd. (AdSense) | Advertising — only with your consent. | Ireland |
| Meta Platforms Ireland Ltd. (Pixel + Conversions API) | Advertising measurement and remarketing — only with your consent. We share hashed identifiers and matching data (email, phone, name, date of birth, gender, location) so Meta can attribute conversions and build audiences. | Ireland (with US transfers under SCCs / EU-US Data Privacy Framework) |
| Apple Distribution International Ltd. (Sign in with Apple) | Authenticating you when you choose Apple sign-in. | Ireland |
| Bird B.V. (formerly MessageBird) | SMS verification codes for phone verification. | Netherlands |
| OVH SAS | Hosting (servers, databases, backups). | France |
6. International Data Transfers
Some of the providers above (Google, Stripe, Apple, Meta) operate globally and may process data outside the European Economic Area, primarily in the United States. We rely on the legal mechanisms recognised by the European Commission to keep your data protected:
- EU Standard Contractual Clauses (SCCs) signed with each US-based processor.
- Where the processor is certified, transfers are also covered by the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795).
- We minimise what crosses the border — for example, GA4 is configured with IP anonymisation enabled.
7. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, hashed passwords, server-side authentication, isolated per-service databases, regular backups, and rate limiting. However, no method of transmission over the internet is 100% secure.
8. Matching Algorithm
Strehana ranks listings and applications using an automated scoring algorithm based on the lifestyle preferences, budget, and amenities you set. This is not a "solely automated decision with legal or significant effects" under GDPR Art. 22 — it only changes the order in which results are shown and is always subject to your manual review. You can read the full description, including weights and tie-breakers, on our ranking transparency page.
How ranking works →9. Your Rights
As a person in the European Union you have the following rights regarding your personal data. To exercise any of them, write to us at the address below — we'll respond within one month.
- Right to access — receive a copy of the data we hold about you (Art. 15).
- Right to rectification — correct inaccurate or incomplete data (Art. 16).
- Right to erasure — delete your data, subject to legal retention obligations (Art. 17).
- Right to restriction — pause our use of your data while a dispute or correction is pending (Art. 18).
- Right to data portability — receive your data in a machine-readable format and have it sent to another service (Art. 20).
- Right to object — object to processing based on legitimate interests, including any direct marketing (Art. 21).
- Right to withdraw consent — for anything you opted into (analytics, advertising, marketing emails), you can switch it off at any time without affecting prior processing (Art. 7(3)).
- Right to lodge a complaint — see Section 11 below.
Most of these rights can be exercised directly from your profile page (download your data, change consent, delete your account).
10. Supervisory Authority
If you believe we have handled your data incorrectly, you have the right to lodge a complaint with the Bulgarian data protection authority, or the authority of your usual place of residence:
Commission for Personal Data Protection (Комисия за защита на личните данни)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
cpdp.bg · kzld@cpdp.bg
11. Contact Us
If you have any questions about this privacy policy or wish to exercise your rights, please contact us:
Company: Vizium OOD
Address: Sofia, Bulgaria
Email: legal@strehana.com
© 2026 Strehana. All rights reserved.