Last updated: 7 March 2026
1. Our commitment
FixMyUnit is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page explains how we meet our obligations under the regulation.
2. Data controller
FixMyUnit acts as the data controller for personal data processed through our platform. For all GDPR-related inquiries, you can reach us at:
Email: info@fixmyunit.nl
3. Lawful basis for processing
We process personal data under the following lawful bases as defined in Article 6 of the GDPR:
| Lawful Basis | Processing Activity |
|---|---|
| Contract (Art. 6(1)(b)) | Account creation, authentication, property management, lease management, maintenance request handling, meter reading collection. |
| Legitimate Interest (Art. 6(1)(f)) | Service notifications (email alerts for maintenance updates, lease invitations), communication between landlords, tenants, and contractors. |
| Consent (Art. 6(1)(a)) | Optional notification preferences (users can toggle individual notification categories on/off). |
4. Data categories and purposes
| Data Category | Purpose | Retention |
|---|---|---|
| Name, email, phone | User identification and communication | Duration of account |
| Password (hashed) | Authentication | Duration of account |
| Property and unit details | Property management | Duration of account |
| Lease information | Tenant-landlord relationship management | Duration of account |
| Maintenance requests and photos | Issue tracking and documentation | Duration of account |
| Meter reading values and photos | Utility consumption tracking | Duration of account |
| Avatar images | User profile personalisation | Until changed or account deleted |
5. Data subject rights
We will respond to all requests within 30 days. Under the GDPR, you have the following rights:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data. You can also update your name, phone number, and avatar directly in the app.
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"). We will delete your account and associated data within 30 days.
- Right to restriction (Art. 18) — Request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Art. 21) — Object to processing based on legitimate interest. You can disable individual email notification categories in your profile settings.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time for processing that relies on consent.
To exercise any of these rights, email us at info@fixmyunit.nl. To delete your account, you can also use our account deletion page. We may ask you to verify your identity before processing your request.
6. Data security measures
We implement the following technical and organisational measures to protect your data (Article 32):
- Encryption in transit — All production traffic is served over HTTPS (TLS).
- Password hashing — User passwords are hashed using bcrypt and never stored in plaintext.
- Token security — JWT access tokens expire after 15 minutes. Refresh tokens are hashed (SHA-256) before storage and rotated on each use.
- Input validation — Uploaded images are validated for type and size, resized, and converted to a safe format. All user input is sanitised.
- Access control — Role-based access ensures users can only view and modify data relevant to their role (landlord, tenant, or contractor).
- Prepared statements — All database queries use parameterised prepared statements to prevent SQL injection.
7. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| TransIP B.V. | Web hosting, database hosting, email delivery (SMTP) | Netherlands (EU) |
All data processing takes place within the European Union. We do not transfer personal data outside the EU/EEA.
8. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33).
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk (Article 34).
9. Children's data
FixMyUnit is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.
10. Supervisory authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is:
Autoriteit Persoonsgegevens (AP)
Website: autoriteitpersoonsgegevens.nl
11. Contact
For any GDPR-related questions, data requests, or concerns:
Email: info@fixmyunit.nl