Privacy Policy

Effective January 2026. DepoBack B.V.

This Privacy Policy explains how DepoBack processes personal data when you use our tenancy deposit recovery platform.

1. Who this applies to

Tenants (Users): People who create an account and create a case to recover a tenancy deposit.

Landlords/Agents ("Counterparties"): People who receive notices and/or access the landlord portal via OTP login.

The Platform is intended for individuals aged 18+.

2. Our role under the GDPR

DepoBack is the data controller for personal data processed through the Platform (including tenant accounts, cases, notice generation/sending, negotiation portal, and landlord portal access).

3. Personal data we process

Account data: Name, email address, authentication logs.

Case data: Property address, deposit amount, move-out date, and dispute details.

Financial data: IBAN and payout instructions.

Uploads/content: Tenancy agreements, photos, invoices, reports, and other evidence.

4. Why we process data and Legal Bases

A) Provide the Platform (Performance of contract - GDPR Art. 6(1)(b)).

B) Send notices on behalf of tenants (Contract and/or legitimate interests).

C) Security and Integrity (Legitimate interests).

D) Legal obligations (GDPR Art. 6(1)(c)).

5. AI Processing

We use third-party AI services under enterprise data processing agreements to assist with analyzing uploaded documents. AI provides suggestions and does not make solely automated decisions with legal effects.

No model training: We do not use your personal data to train AI models.

6. Who we share data with

We do not sell your personal data. We share data only with:

A) Service providers (processors) for cloud infrastructure and AI, database hosting, email delivery, and payments.

B) Counterparties when you instruct us to send a notice.

C) Legal/compliance if required by law.

7. International Transfers

We configure our systems and main providers to store and process personal data in the EEA.

8. Retention

Case files and uploads: Duration of the dispute + 2 years.

Tax/accounting records: 7 years.

Account deletion: You may delete your account at any time. Your personal data is permanently deleted from our systems within 30 days.

9. Your GDPR Rights

Access, correct, or delete your personal data.

Restrict processing or object to processing.

Receive your data in a portable format.

Lodge a complaint with the Autoriteit Persoonsgegevens (AP).

To exercise rights: email support@depoback.com.

10. Security

We use appropriate technical and organizational measures including TLS encryption in transit, encryption at rest, application-level encryption of sensitive financial and identity data, access controls, authentication on all API endpoints, and audit logging.

11. Data breach notification

In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34.

14. Contact

DepoBack B.V. Amsterdam, The Netherlands. Email: support@depoback.com