Privacy Policy
Last updated: 2026-07-02
1. Data controller
Studroof (Benhmid Oualid). Contact: privacy@studroof.app.
2. Data we collect
Account: email, name, photo, university, dates, city. Student profile: budget, flatmate preferences, lifestyle. Listings: address, photos, price. Messages. Payments via Stripe — Studroof never stores card numbers. Erasmus cohorts (cohorts): city, season, capacity — technical reference data, not personal. Cohort memberships (cohort_memberships): user_id, cohort_id, role (student/host), Roofer status, membership status (active/graduated/dropped), join date. Semester payments (season_payments): user_id, cohort_id, amount, currency, Stripe session and payment intent identifiers, status, payment date. Erasmus Squads (squad_memberships): user_id, squad_id, pre-arrival/active/graduated state, last-seen timestamp. Discussion topics (squad_topics): technical identifiers (i18n keys), no personal data. Posts published between students (squad_posts): author, text content, original locale, creation/edit dates, hidden status (moderation). Emoji reactions to posts (squad_post_reactions): author, reaction type. Squad notifications log (squad_notification_log): user_id, squad_id, digest kind sent (J-7 / J-1 / arrival), send date. Analytics cookies (Plausible) with your consent. Server logs: IP address, user-agent, date. Conversation attachments: images you send to your correspondent in a conversation, stored in a private space (file name, type, size). Shared location: when you choose to share your location in a conversation, one-off geolocation coordinates (latitude and longitude at the moment of sharing) and the date of sharing. Studroof does not track your movements and does not derive an address from these coordinates. City search (autocomplete): when you type a city name, the text you enter is relayed by Studroof’s server to our geocoding provider to suggest matches; Studroof does not send your IP address to that provider and keeps from your search only the city you select and its country code. Introductions usage counter (contact_usage_total): your identifier, the total number of landlords and flatmates you have contacted since you created your account, and the date it was last updated. This counter is used only to apply your free introductions and then, if you take a Pass, to give you unlimited contacts.
3. Legal basis
Consent (account creation, posting in a Squad), performance of contract (paid Studroof+ and Studroof Passes services, Roofers Programme enrolment, exchanging the information you need for your housing including conversation attachments), legitimate interest (fraud prevention, community safety including the removal of reported illegal content, animating the pre-arrival community so students of the same cohort can help each other and meet before landing), legal obligation (accounting retention of payments). For location sharing: your explicit consent, collected at the precise moment you decide to share your location (GDPR article 6(1)(a)); you can withdraw this consent at any time by deleting the location message, as easily as you gave it (article 7(3)).
4. Retention
While the account is active, then 30 days after a deletion request. Server logs: 12 months. Stripe data: per their retention policy. Semester payments (season_payments): 5 years from the payment date, in accordance with Article L102B of the French Tax Procedure Code. Posts published in a Squad (squad_posts) and reactions (squad_post_reactions): kept until the author’s account is hard-deleted, then cascade-deleted. Squad notifications log (squad_notification_log): cascade-deleted when the recipient’s account is hard-deleted.
Student verification: supporting documents are deleted as soon as a decision is made; submission metadata and the verification audit log are kept for as long as your account is active, and deleted or anonymised when you delete your account.
Conversation attachments: kept while the message exists; removed from our storage when you delete the message or when your account is permanently deleted (hard-delete).
Shared locations: kept while the message exists; the coordinates are erased when you delete the message or when your account is permanently deleted (hard-delete).
Introductions usage counter (contact_usage_total): kept for as long as your account exists, then cascade-deleted when your account is permanently deleted (hard-delete).
5. Recipients
Vercel (hosting), Supabase (database), Stripe (payments), Resend (emails), Plausible (analytics) — each under a GDPR-compliant Data Processing Agreement.
komoot GmbH (Germany, "Photon" geocoding service, based on OpenStreetMap data) only receives the city text you search for, in order to return autocomplete suggestions; Studroof relays this search from its server, so your IP address is never sent to komoot, and the query is tied to no cookie or tracker. komoot processes this query under its own privacy policy (komoot.com/privacy).
The OpenStreetMap Foundation (United Kingdom — a country covered by a European Commission adequacy decision —, "Nominatim" geocoding service) only receives the public OpenStreetMap identifier of the city you select (osm_id) — never your IP address or the text you typed — so that Studroof can retrieve that city’s name in your language; Studroof relays this request from its server, so your IP address is never sent to the Foundation, and the request is tied to no cookie or tracker. The OpenStreetMap Foundation processes this request under its own privacy policy (osmfoundation.org/wiki/Privacy_Policy).
6. Your rights
Access, rectification, erasure (via /account/danger-zone), objection and portability (JSON export). You can also delete a message, an attachment or a shared location yourself from the conversation; deleting it erases the corresponding data from our systems (and purges the file from our storage if it is an attachment). Data protection contact: privacy@studroof.app.
7. Cookies
See the Cookie Policy: /legal/cookies.
8. Security
Encryption in transit (TLS), Supabase Row-Level Security, encryption at rest.
9. Transfers outside the EU
Stripe (USA) and Resend (USA, email delivery), under the European Commission’s Standard Contractual Clauses (and, where applicable, the EU-US Data Privacy Framework).
10. Changes
Any change to this policy is published on this page.
11. Complaints
You may lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority.
12. Partner affiliations
On some editorial pages, Studroof displays recommendations to selected partners (for example Garantme for rental guarantees, Uniplaces / Spotahome / HousingAnywhere for housing search). Data collected when you click an affiliate link (affiliate_clicks table): timestamp, clicked partner identifier, source URL on Studroof, anonymous session identifier (from the analytics cookie), user identifier (only if you are signed in — otherwise NULL), SHA-256 hashed IP address (never the raw IP, with a monthly-rotated salt) and SHA-256 hashed user-agent. Conversions reported by partners (affiliate_conversions table): timestamp, partner identifier, B2B commission amount (internal accounting information, never shown to another user). Legal bases (GDPR art. 6): (a) your consent, collected via the cookie banner, for individualised analytics tracking (art. 6(1)(a)); (b) Studroof’s legitimate interest in anonymised audience measurement of editorial recommendations and in calculating the B2B commission owed by the partner (art. 6(1)(f)). Purposes: measure the editorial effectiveness of recommendations, calculate the B2B commission owed by the partner, improve the relevance of displayed recommendations. Studroof does no commercial profiling, no data resale and no ad retargeting. Recipients: Studroof (data controller); affiliate partners (Garantme, Uniplaces, Spotahome, HousingAnywhere) — only when you click on the partner link and your browser is redirected to their website, subject to their own privacy policy (partner terms link shown on each card); Studroof’s technical sub-processors: Supabase (database hosting, EU), Sentry (monitoring), Upstash (rate-limit). No transfer outside the EU is performed without the European Commission’s Standard Contractual Clauses. Retention: affiliate clicks 24 months maximum (editorial audit + recommendations); conversions 5 years (accounting obligations, Article L102B of the French Tax Procedure Code). If your account is permanently deleted (hard-delete), the user_id field of the clicks is set to NULL — the editorial statistic is preserved but is no longer linked to you. Your rights (GDPR art. 13, 15, 17 and 20): you can access your affiliate clicks via the JSON export (affiliateClicks[] included in the /account export), request their erasure via /account/danger-zone (anonymisation user_id → NULL), and disable analytics tracking at any time from /account/cookies. Commission disclosure (DSA art. 26 and French Consumer Code L. 121-1): Studroof gets a commission from the partner if you book or sign up through an affiliate link. It has no impact on the price you pay. Studroof does not take part in the contract concluded between you and the partner, does not negotiate the price and earns no commission on your rent.
13. Alumni & Ambassadors Programme
Alumni & Ambassadors Programme (starting at the end of your Erasmus stay): alumni status (upcoming / active / graduated / alumni / dormant / purged), alumni opt-in date, Erasmus home city, per-stay arrival and departure dates (student_stays table), alumni consent audit log (alumni_consent_log table: id of the affected stay, action — opt-in / opt-out / purge —, purpose — alumni retention or right to erasure —, SHA-256 hashed IP address captured at the moment you clicked the J+0 email, timestamp, source — email_link). No sensitive data (GDPR Art. 9) is collected as part of the programme. Legal bases (GDPR Art. 6): (a) your consent, collected explicitly when you click the "Become Alumni Studroof" button in the J+0 email sent at the end of your stay, for the active retention of your alumni account and the sending of post-stay communications (Art. 6 §1.a); (b) Studroof’s legitimate interest in the passive retention of your account for up to 24 months of inactivity if you do not respond to the J+0 email — with no new active processing, no ambassador emails, no profiling (Art. 6 §1.f, balancing test documented internally). Purposes: keep your multi-stay Erasmus passport, share cross-city recommendations with incoming students, send post-stay communications, animate the alumni network. Studroof does no commercial profiling, no data resale, no ad retargeting from your alumni data. Recipients: Studroof (data controller); Studroof’s technical sub-processors: Supabase (database hosting, EU), Resend (alumni email delivery), Sentry (monitoring). No transfer outside the EU is performed without the European Commission’s Standard Contractual Clauses. Retention: Studroof Alumni account is kept as long as you stay active (at least one sign-in every 24 months); after 24 months of inactivity, the account moves to dormant (read-only, no more notifications); after 36 months of inactivity, the account is permanently deleted (hard-delete) with a 30-day notice email beforehand. alumni_consent_log: kept as long as the alumni account exists, cascade-deleted on hard-delete. Your rights (GDPR Art. 7 §3, 13, 15, 17 and 20): you can withdraw your consent to the Alumni & Ambassadors Programme at any time from /me/alumni — with exactly the same simplicity as opting in, with no justification (Art. 7 §3, anti-dark-pattern aligned with the CNIL ruling SAN-2022-009). Withdrawing either pauses your account or permanently deletes it — you choose. You can access your alumni consent log via the JSON export (alumni_consent_log filtered on your id), and request the full deletion of your passport via /account/danger-zone (cascade student_stays → alumni_consent_log via foreign key ON DELETE CASCADE).
14. Student status verification
To protect the community against fake profiles, Studroof lets students prove their Erasmus student status to obtain a "Verified student" badge, using either a university email (one-time code) or a supporting document.
Data we process for this purpose: (university-email method) the university email address you enter, a one-time code (stored only as a salted SHA-256 hash, valid 15 minutes, single-use), and the date it was verified; (document method) the document you upload (Erasmus attestation, enrolment certificate, student card, or "other") — we ask you to redact any information that is not needed to prove your student status. Files are stored in a PRIVATE bucket (verification-docs); they are never public, are accessible only to authorised Studroof staff through short-lived signed links, and are DELETED as soon as a decision is made (approved, rejected or resubmission requested), as well as when a newer submission replaces an older one; (submission metadata and audit log) method used, document type, submission status, decision date, the deciding staff member, and the rejection reason where applicable.
We do NOT request or knowingly process special-category data (GDPR Art. 9). A photo on a student card is reviewed visually by a human and is never used for biometric identification.
Legal basis: Studroof’s legitimate interest in preventing fraud and keeping the community safe (GDPR Art. 6(1)(f); see Recital 47, which recognises fraud prevention as a legitimate interest). A balancing test is documented internally.
Recipients: authorised Studroof staff (review); Supabase (private storage and database); Resend (delivery of the one-time-code email). See section 9 for transfers outside the EU.
Retention: verification documents are deleted as soon as a decision is made. Submission metadata and the audit log are kept for as long as your account is active, and deleted or anonymised when you delete your account, so that we can demonstrate why a decision was taken and detect repeated fraud attempts while you use Studroof.
Your rights: you can access and export your verification data via the JSON export (/account), ask for rectification, and obtain erasure (via /account/danger-zone, or by withdrawing a pending request). While a request is pending, you cannot delete the proof yourself so that it cannot be tampered with before review; the document is deleted automatically once the decision is made.
⚠️ Draft — lawyer review required.