Groundwerkgroundwerk
Back to home

Privacybeleid / Privacy Policy

Last updated: 13 March 2026

1. Who We Are

Groundwerk is a property intelligence service for Dutch home buyers, operated by Reiss Barran in the Netherlands (KvK 42018181). We are the data controller for the personal data described in this policy.

2. What Data We Collect

Account data

Email address, name (from Google OAuth), and authentication tokens. Collected when you create an account or sign in.

Listing data

Property addresses, asking prices, listing descriptions, and property types that you enter into the report form. This data is used to generate your report and is stored alongside the report.

Payment data

Payment method details (card number, iDEAL bank) are collected and processed exclusively by Stripe. We store only a reference to the Stripe payment ID, the amount, and your plan status. We never see or store full card numbers.

Usage data

Number of reports generated, report access timestamps, language preference, and plan type.

Technical data

IP address (for rate limiting — stored as an irreversible SHA-256 hash, retained 24 hours), device fingerprint hash (screen resolution, timezone, and platform — hashed with SHA-256, used for abuse prevention), and standard server logs.

Analytics & performance data (consent required)

If you accept analytics cookies, we collect anonymised usage analytics and performance metrics via Grafana Faro. This includes:

  • Page views and user journey events (e.g. report generation, payment completion)
  • Core Web Vitals (page load speed, interactivity, visual stability)
  • Browser type, operating system, and country-level location
  • JavaScript error reports (no user input or form data is captured)

We do not collect session recordings, keystrokes, form field values, or mouse movements. Your user ID is used for analytics — your email address is never sent to analytics services. All analytics data is processed in the EU (Frankfurt).

Server-side telemetry

We collect operational telemetry (request traces, API latency metrics, error rates) to monitor service health and diagnose issues. This data contains no personal information — IP addresses are SHA-256 hashed, user IDs are truncated hashes, and postcodes are limited to the first 4 digits only. Telemetry data is processed and stored in the EU via Grafana Cloud.

3. How We Use Your Data

  • To generate property reports based on the addresses you provide
  • To process payments and manage your plan
  • To prevent abuse (rate limiting, duplicate account detection)
  • To send payment receipts via Stripe
  • To monitor service performance and diagnose errors (server-side telemetry)
  • To measure and improve page load performance (frontend analytics, consent required)

We do not sell your data. We do not use your data for advertising. We do not send marketing emails.

4. Third-Party Services

ServicePurposeData shared
Supabase (EU)Database & authenticationAccount data, reports, usage data
StripePayment processingEmail, payment method details
Anthropic (Claude API)AI report generationProperty address, listing description, government data
Google OAuthSign-in authenticationEmail, name
PDOK / BAG / EP-online / CBSDutch government property dataProperty address (public API queries)
VercelHosting & serverless functionsStandard request logs (IP, user agent)
Grafana Cloud (EU)Performance monitoring & telemetryHashed IPs, truncated postcodes (4 digits), page load metrics, JS errors (consent required for frontend data)

5. Data Retention

  • Reports: retained for 12 months after last access, then automatically deleted
  • Account data: retained while your account is active
  • IP address hashes (rate limiting): retained for 24 hours
  • Payment records: retained as required by Dutch tax law (7 years)
  • Telemetry data (traces, metrics, logs): retained for 30 days in Grafana Cloud (EU)
  • Analytics data (Grafana Faro): retained for 90 days

6. Your Rights (AVG/GDPR)

Under the Dutch Algemene Verordening Gegevensbescherming (AVG/GDPR), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Objection — object to processing of your data
  • Portability — receive your data in a structured, machine-readable format

To exercise any of these rights, email support@groundwerk.nl with the subject line “Data request”. We will respond within 30 days.

7. Cookies

Groundwerk uses essential cookies for authentication (Supabase session tokens) and language preference. These are strictly necessary cookies under the Dutch Telecommunicatiewet and do not require consent.

If you accept analytics cookies via our consent banner, we additionally set cookies for Grafana Faro (analytics and performance monitoring). These cookies are only placed after you give explicit consent, and you can withdraw consent at any time by clearing your browser's local storage. We do not use advertising cookies or third-party tracking cookies.

8. Security

All data is transmitted over HTTPS. Authentication uses OAuth 2.0 with PKCE. Database access is protected by Row Level Security policies. Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified). Device fingerprints and IP addresses used for rate limiting are stored as irreversible SHA-256 hashes. Telemetry data uses hashed user identifiers and truncated postcodes (first 4 digits only) to prevent personal identification.

9. Changes

We may update this privacy policy from time to time. Material changes will be communicated via email or a notice on the website. The “last updated” date at the top of this page indicates when the policy was last revised.

10. Complaints

If you believe we are processing your data unlawfully, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Contact

Questions about your data or this policy? Email support@groundwerk.nl