Privacy Policy
Hoekk · Last updated: May 2026
This privacy policy explains how Hoekk (“we”, “us”,
“our”) collects, uses, and protects your personal data when you use
the Hoekk mobile application and website (together, the “Service”).
We are committed to protecting your privacy in accordance with the General Data
Protection Regulation (GDPR) and Dutch data protection law.
1. Data controller
The data controller responsible for your personal data is:
Hoekk
Sole proprietor, The Netherlands
Website: www.hoekk.com
Email: support@hoekk.com
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Full name and email address
- Password (stored as a one-way hash — we never store your
actual password)
- Apple Sign In identifier (if you sign in with Apple)
2.2 Profile and preferences
To personalise your experience and generate effective inquiry emails, we
collect information you voluntarily provide:
- Search preferences: cities, neighbourhoods, price range, number of
bedrooms, minimum surface area, property type
- Tenant profile: age, nationality, employment type, gross monthly income,
job title, employer name, move-in date, household type
- Personal details: personal pitch, language preference, viewing
availability, LinkedIn URL
- Additional details: whether you are a student, university, whether you
have pets or smoke, whether you have the 30% ruling
2.3 Gmail OAuth data
If you connect your Gmail account, we store:
- Gmail OAuth access token and refresh token
- Your Gmail email address
We use these tokens solely to send inquiry emails on your
behalf and to check for replies from rental agents. See Section 5 for details.
2.4 Usage data
When you use the Service, we collect:
- Listing interactions: which listings you skip, save, or express
interest in
- Email data: the subject and body of AI-generated inquiry emails,
sending status, thread identifiers, agent reply snippets, and
timestamps
- API usage: token counts for AI email generation (used for internal
cost tracking)
Note on listing data: The rental listings displayed in the
Service describe properties, not people, and therefore do not generally
constitute personal data under the GDPR. Where an inquiry email is sent to a
rental agent, we process only the minimum contact information necessary to
deliver that email on your behalf.
2.5 Subscription data
If you purchase a paid subscription, we collect and process:
- Subscription tier purchased (Monthly, 3-Month, or Annual)
- Apple transaction identifier and original transaction identifier
- Purchase, renewal, and expiry timestamps
- Subscription status (active, in grace period, billing retry, expired,
cancelled)
- Anonymous purchase token (used by RevenueCat to validate the purchase
with Apple)
We do not receive or store your credit card number,
billing address, or any payment instrument details. All payment processing is
handled by Apple.
3. How we use your data
| Purpose | Data used | Legal basis (GDPR Art. 6) |
| Provide the Service — show listings, record your actions | Account data, preferences, usage data | Performance of contract |
| Generate personalised inquiry emails using AI | Profile data, listing details | Performance of contract |
| Send inquiry emails from your Gmail | Gmail OAuth tokens | Consent (you explicitly connect Gmail) |
| Check for agent replies to sent emails | Gmail OAuth tokens, thread IDs | Consent (you explicitly connect Gmail) |
| Enforce usage limits (free tier: 3 emails/week) | Account data, email counts | Performance of contract |
| Authenticate your identity | Email, password hash, Apple ID | Performance of contract |
| Manage paid subscription entitlements | Subscription data | Performance of contract |
We do not use your data for advertising, profiling, or
automated decision-making that produces legal effects.
4. Data sharing and third parties
We share your data with the following third-party processors, solely for
the purposes described:
- Anthropic (Claude API) — Your tenant profile and
listing details are sent to Anthropic’s API to generate
personalised inquiry emails. Anthropic processes this data in the
United States. Anthropic does not retain prompt data beyond the API
request under their commercial terms.
- Google (Gmail API) — Your OAuth tokens are used
to send emails via the Gmail API and read thread replies. Google
processes data under their standard terms. We use only the
gmail.send and gmail.readonly scopes.
- Apple — If you sign in with Apple, Apple
provides us with an identity token to verify your account. We store
only the Apple user identifier.
- RevenueCat — We use RevenueCat as our
subscription management processor. RevenueCat receives the Apple
transaction identifier and subscription status from Apple’s
StoreKit on our behalf, validates purchases, and provides us with
subscription state. RevenueCat processes data in the United States
under their standard data processing terms.
- Apple App Store / StoreKit — When you purchase
a subscription, Apple processes payment, manages billing and renewal,
and provides us (via RevenueCat) with anonymised transaction
identifiers and subscription status. We never receive payment
instrument details. Apple’s privacy practices are described in
Apple’s Privacy Policy.
- Railway — Our database is hosted on Railway
using EU-based servers. Railway acts as a data processor.
We do not sell, rent, or share your personal data with
advertisers or any other third parties.
5. Gmail API — limited use disclosure
Hoekk’s use and transfer of information received from Google APIs
adheres to the Google API Services User Data Policy, including the Limited
Use requirements.
Specifically:
- We only request the gmail.send and gmail.readonly scopes.
- We use gmail.send to send inquiry emails to rental agents on your behalf
when you swipe right on a listing.
- We use gmail.readonly to check whether rental agents have replied to
emails we sent. We only read threads that we initiated — we never read,
scan, or index any other messages in your inbox.
- We do not use Gmail data for advertising, market research, or any
purpose other than providing the Service.
- We do not transfer Gmail data to others unless necessary to provide
or improve the Service, comply with applicable law, or as part of a
merger, acquisition, or sale of assets with user notice.
- We do not allow humans to read your email content unless you
explicitly request support assistance, it is required for security
purposes, or it is required by law.
- You can disconnect Gmail at any time from within the app, which
immediately deletes your stored OAuth tokens.
6. International data transfers
Your data is stored in the European Union (Railway EU servers). When we
send data to Anthropic for email generation, it is transferred to the United
States. This transfer is covered by Anthropic’s Data Processing
Agreement, which incorporates Standard Contractual Clauses (SCCs) approved by
the European Commission.
Google processes data globally under their own GDPR-compliant data
processing terms.
7. Data retention
- Account data and profile: retained for as long as your
account remains active. Deleted within 30 days of account deletion.
- Gmail OAuth tokens: deleted immediately when you
disconnect Gmail or delete your account.
- Listing interaction data: retained for as long as your
account remains active, and deleted within 30 days of account
deletion.
- Sent email records: retained for up to 24 months from
the date of sending, or until account deletion, whichever comes first.
This allows you to view your email history and track agent replies.
- Inactive accounts: accounts with no activity for 24
consecutive months will be flagged for deletion, and users will be
notified by email before any data is removed.
- Subscription transaction records: retained for 7
years from the date of the transaction, in accordance with Dutch tax
and accounting obligations (Algemene Wet inzake Rijksbelastingen,
Article 52). After this period, transaction records are deleted or
anonymised.
8. Data security
We take appropriate technical and organisational measures to protect your
data:
- All data is transmitted over HTTPS/TLS
- Passwords are hashed using bcrypt (one-way, salted)
- Database access is restricted to the application
- Admin endpoints are protected with authentication
- Gmail OAuth tokens are stored in the database and transmitted only
to Google’s API over encrypted connections
9. Your rights
Under the GDPR, you have the following rights regarding your personal
data:
- Right of access (Art. 15) — request a copy of
your personal data
- Right to rectification (Art. 16) — correct
inaccurate data via your profile settings or by contacting us
- Right to erasure (Art. 17) — delete your account
and all associated data
- Right to data portability (Art. 20) — receive
your data in a structured, machine-readable format
- Right to restrict processing (Art. 18) — request
that we limit how we use your data
- Right to object (Art. 21) — object to processing
based on legitimate interest
- Right to withdraw consent (Art. 7) — withdraw
your Gmail consent at any time by disconnecting Gmail in the app.
Withdrawal does not affect the lawfulness of processing before
withdrawal.
To exercise any of these rights, contact us at
support@hoekk.com. We will respond
within 30 days.
10. Cookies and tracking
Hoekk is primarily a mobile application. Our landing page at
www.hoekk.com does not use cookies,
analytics trackers, or any third-party tracking scripts. We do not use
cookies in any part of the Service.
11. Age requirement
Hoekk is intended for users aged 18 and over. We do not knowingly collect
personal data from anyone under 18. If you believe a minor has created an
account, please contact us and we will promptly delete the account.
12. Changes to this policy
We may update this privacy policy from time to time. If we make material
changes, we will notify users through the app or via email. The “Last
updated” date at the top of this page reflects the most recent
revision. Continued use of the Service after changes constitutes acceptance
of the updated policy.
13. Supervisory authority
If you believe we are processing your data unlawfully, you have the right
to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 8500
Contact
For any questions about this privacy policy or your data, contact us at
support@hoekk.com.