Privacybeleid / Privacy Policy
Last updated: 10 March 2026
1. Who We Are
Groundwork is a property intelligence service for Dutch home buyers, operated by Reiss Barran in the Netherlands. We are the data controller for the personal data described in this policy.
2. What Data We Collect
Account data
Email address, name (from Google OAuth), and authentication tokens. Collected when you create an account or sign in.
Listing data
Property addresses, asking prices, listing descriptions, and property types that you enter into the report form. This data is used to generate your report and is stored alongside the report.
Payment data
Payment method details (card number, iDEAL bank) are collected and processed exclusively by Stripe. We store only a reference to the Stripe payment/subscription ID, the amount, and your plan status. We never see or store full card numbers.
Usage data
Number of reports generated, report access timestamps, language preference, and plan type.
Technical data
IP address (for rate limiting, retained 24 hours), device fingerprint hash (screen resolution, timezone, and platform — hashed with SHA-256, used for abuse prevention), and standard server logs.
3. How We Use Your Data
- To generate property reports based on the addresses you provide
- To process payments and manage your subscription
- To prevent abuse (rate limiting, duplicate account detection)
- To send payment receipts via Stripe
- To improve the service
We do not sell your data. We do not use your data for advertising. We do not send marketing emails.
4. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase (EU) | Database & authentication | Account data, reports, usage data |
| Stripe | Payment processing | Email, payment method details |
| Anthropic (Claude API) | AI report generation | Property address, listing description, government data |
| Google OAuth | Sign-in authentication | Email, name |
| PDOK / BAG / EP-online / CBS | Dutch government property data | Property address (public API queries) |
| Vercel | Hosting & serverless functions | Standard request logs (IP, user agent) |
5. Data Retention
- Reports: retained for 12 months after last access, then automatically deleted
- Account data: retained while your account is active
- IP addresses (rate limiting): retained for 24 hours
- Payment records: retained as required by Dutch tax law (7 years)
6. Your Rights (AVG/GDPR)
Under the Dutch Algemene Verordening Gegevensbescherming (AVG/GDPR), you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Objection — object to processing of your data
- Portability — receive your data in a structured, machine-readable format
To exercise any of these rights, email reiss.barran@gmail.com with the subject line “Data request”. We will respond within 30 days.
7. Cookies
Groundwork uses only essential cookies for authentication (Supabase session tokens) and language preference. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. No cookie consent banner is required as these are strictly necessary cookies under the Dutch Telecommunicatiewet.
8. Security
All data is transmitted over HTTPS. Authentication uses OAuth 2.0 with PKCE. Database access is protected by Row Level Security policies. Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified). Device fingerprints are stored as irreversible SHA-256 hashes.
9. Changes
We may update this privacy policy from time to time. Material changes will be communicated via email or a notice on the website. The “last updated” date at the top of this page indicates when the policy was last revised.
10. Complaints
If you believe we are processing your data unlawfully, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Contact
Questions about your data or this policy? Email reiss.barran@gmail.com