strehana
SearchList a placeSign In

Privacy Policy

Last updated: May 27, 2026 · Version 2026.4

Data controller: Vizium OOD, Sofia, Bulgaria

Contents

    1. Information We Collect

    2. Why We Are Allowed to Use Your Data (Legal Bases)

    3. How Long We Keep Your Data

    4. Cookies & Tracking

    5. Who Else Processes Your Data

    6. International Data Transfers

    7. Data Security

    8. Matching Algorithm

    9. Your Rights

    10. Supervisory Authority

    11. Contact Us

Strehana is operated by Vizium OOD (Sofia, Bulgaria). This policy explains, in plain language, what personal data we process when you use the Platform, why we are allowed to process it, who else sees it, how long we keep it, and the rights you have under EU data protection law (GDPR, Regulation 2016/679).

1. Information We Collect

We collect information you provide directly to us, as well as information automatically collected when you use our services:

  • Profile information (name, email, phone, photos, lifestyle preferences)
  • Listing details (property information, photos, pricing, availability)
  • Usage data (pages visited, search queries, interactions)
  • Device information (browser type, IP address, device identifiers)

We do not run facial recognition, automated face matching, or any other biometric processing on photos you upload. Photos are stored only to be displayed on your profile or listing.

2. Why We Are Allowed to Use Your Data (Legal Bases)

Under GDPR Art. 6 every use of personal data needs a documented legal basis. We rely on the following:

PurposeLegal basis
Creating and operating your account, profile, listings, applications, messaging, and paymentsContract — necessary to provide the service you signed up for (Art. 6(1)(b))
Fraud prevention, abuse moderation, security loggingLegitimate interests — keeping the platform safe (Art. 6(1)(f))
Analytics cookies (e.g. Google Analytics 4) and advertising cookies (e.g. AdSense)Consent — only when you opt in via the cookie banner (Art. 6(1)(a))
Server-side sharing of hashed identifiers (email, phone, name, location) and Meta browser cookies (_fbp, _fbc) with Meta Platforms Ireland Ltd. for ad attribution and remarketing audiencesConsent — only when you opt in via the cookie banner advertising toggle (Art. 6(1)(a)). You can withdraw at any time in cookie settings; we delete _fbp / _fbc and stop the server-side stream immediately.
Marketing emails about new features and tipsConsent — only when you opt in (Art. 6(1)(a))
Storing payment records for accounting and taxLegal obligation — required by Bulgarian and EU tax law (Art. 6(1)(c))
3. How Long We Keep Your Data

We keep personal data only as long as needed for the purpose it was collected for, plus any retention period required by law:

Data categoryRetention period
Account & profile dataWhile your account is active; deleted within 30 days of account deletion.
Listings, applications, messagesWhile the related account is active; deleted within 30 days of account deletion.
Payment records (Stripe transactions, invoices)Up to 10 years to comply with Bulgarian/EU accounting and tax law. After account deletion the records are anonymised so they no longer identify you.
Phone-verification recordWhile your account is active; deleted within 30 days of account deletion.
Server logs (IP, request metadata)Approximately 90 days, then deleted.
Cookie-consent audit logKept while needed to demonstrate consent under Art. 7(1); identifiers (user_id, IP hash, user agent) are removed when an account is deleted.
4. Cookies & Tracking

We and a small number of named third parties use cookies and similar technologies. Below is the full list of what may be set on your device. Analytics and advertising cookies are only loaded after you opt in via the banner — you can change your choice any time from your profile.

Specific cookies and storage we use:

NamePurposeDurationSet by
jwt_token, refresh_token (browser localStorage)Keep you signed in and refresh your session.Until you log outStrehana (essential)
harbor_consent_preferences (browser localStorage)Remembers the cookie banner choice you made.PersistentStrehana (essential)
harbor_consent_session_id (browser localStorage)Anonymous identifier so we can attribute the cookie banner choice to one browser without identifying you.PersistentStrehana (essential)
_ga, _ga_*Google Analytics 4 measurement (page visits, traffic source).2 yearsGoogle (analytics — opt-in)
__gads, __gpiGoogle AdSense — frequency capping and ad personalisation.13 monthsGoogle (advertising — opt-in)
_fbpMeta Pixel — identifies the browser for ad attribution and audience matching.3 monthsMeta (advertising — opt-in)
_fbcMeta Pixel — stores the ad click ID (fbclid) for conversion attribution.3 monthsMeta (advertising — opt-in)
5. Who Else Processes Your Data

We do not sell your personal data. The companies below process specific categories of data on our behalf, under written contracts that meet GDPR Art. 28 requirements:

ProviderWhat they handleCountry
Stripe Payments Europe Ltd.Card payments for Featured listings, application boosts, and Early Bird purchases.Ireland (with US sub-processors)
Google Ireland Ltd. (Maps Platform, Places API, Geocoding)Address autocomplete, location lookups, and map display.Ireland (with US infrastructure)
Google Ireland Ltd. (Sign in with Google)Authenticating you when you choose Google sign-in.Ireland
Google Ireland Ltd. (Analytics 4)Aggregated usage analytics — only with your consent.Ireland
Google Ireland Ltd. (Firebase Cloud Messaging)Mobile push notifications.Ireland
Google Ireland Ltd. (AdSense)Advertising — only with your consent.Ireland
Meta Platforms Ireland Ltd. (Pixel + Conversions API)Advertising measurement and remarketing — only with your consent. We share hashed identifiers and matching data (email, phone, name, date of birth, gender, location) so Meta can attribute conversions and build audiences.Ireland (with US transfers under SCCs / EU-US Data Privacy Framework)
Apple Distribution International Ltd. (Sign in with Apple)Authenticating you when you choose Apple sign-in.Ireland
Bird B.V. (formerly MessageBird)SMS verification codes for phone verification.Netherlands
OVH SASHosting (servers, databases, backups).France
6. International Data Transfers

Some of the providers above (Google, Stripe, Apple, Meta) operate globally and may process data outside the European Economic Area, primarily in the United States. We rely on the legal mechanisms recognised by the European Commission to keep your data protected:

  • EU Standard Contractual Clauses (SCCs) signed with each US-based processor.
  • Where the processor is certified, transfers are also covered by the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795).
  • We minimise what crosses the border — for example, GA4 is configured with IP anonymisation enabled.
7. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, hashed passwords, server-side authentication, isolated per-service databases, regular backups, and rate limiting. However, no method of transmission over the internet is 100% secure.

8. Matching Algorithm

Strehana ranks listings and applications using an automated scoring algorithm based on the lifestyle preferences, budget, and amenities you set. This is not a "solely automated decision with legal or significant effects" under GDPR Art. 22 — it only changes the order in which results are shown and is always subject to your manual review. You can read the full description, including weights and tie-breakers, on our ranking transparency page.

How ranking works →
9. Your Rights

As a person in the European Union you have the following rights regarding your personal data. To exercise any of them, write to us at the address below — we'll respond within one month.

  • Right to access — receive a copy of the data we hold about you (Art. 15).
  • Right to rectification — correct inaccurate or incomplete data (Art. 16).
  • Right to erasure — delete your data, subject to legal retention obligations (Art. 17).
  • Right to restriction — pause our use of your data while a dispute or correction is pending (Art. 18).
  • Right to data portability — receive your data in a machine-readable format and have it sent to another service (Art. 20).
  • Right to object — object to processing based on legitimate interests, including any direct marketing (Art. 21).
  • Right to withdraw consent — for anything you opted into (analytics, advertising, marketing emails), you can switch it off at any time without affecting prior processing (Art. 7(3)).
  • Right to lodge a complaint — see Section 11 below.

Most of these rights can be exercised directly from your profile page (download your data, change consent, delete your account).

10. Supervisory Authority

If you believe we have handled your data incorrectly, you have the right to lodge a complaint with the Bulgarian data protection authority, or the authority of your usual place of residence:

Commission for Personal Data Protection (Комисия за защита на личните данни)

2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria

cpdp.bg · kzld@cpdp.bg

11. Contact Us

If you have any questions about this privacy policy or wish to exercise your rights, please contact us:

Company: Vizium OOD

Address: Sofia, Bulgaria

Email: legal@strehana.com


© 2026 Strehana. All rights reserved.

strehana
A roof. The right people. Yours.
Vizium OOD · info@strehana.com

Product

RoomsWhole placesList a place

Company

How ranking worksImprint

Support

CookiesPrivacyTerms

© 2026 Vizium OOD · strehana.com