
Privacy Policy

Last updated: 22 March 2026

1. Data Controller

The data controller is Lovro Obreza, a natural person, with a correspondence address for the purposes of the Slovenian Electronic Commerce Act (ZEPT): Železno 11a, 3310 Žalec, Slovenia. Contact: info@houselog.si (hereinafter: "we" or "HouseLog"). You may use this address for written correspondence regarding the service and data protection.

2. Personal Data We Collect

Sources of data (Art. 13(1)(e) GDPR): we obtain personal data directly from you (e.g. account registration, input in the app) and from information about third parties that you enter into the system (e.g. contractor contact details and other people you attach to a project). We do not purchase marketing lists or obtain such data from other controllers for the envisaged processing.

We collect the following categories of personal data:

  • Sources of data: we generally collect data directly from you; you may also enter personal data about third parties (for example contractor contact details). Your responsibilities for lawful basis and accuracy of such entries are explained under contractors below.
  • Account data: email address and password, or data from your Google/Facebook account when using OAuth sign-in.
  • Project data and uploaded files: project name, phases, budget, documents, quotes, and other content you provide; files are stored using encryption at rest on our infrastructure providers (see Security).
  • Contractors and other third parties: names, contacts, addresses, or other details you enter when tracking quotes and contractors. You are responsible for having an appropriate lawful basis for entering and for that processing within the service, and for ensuring the data are accurate. For storage, structuring, security-related handling, and processing (including AI-assisted features) of such data in the system, HouseLog acts as an independent controller — we determine the purposes and means of that processing within the service; we are not merely a processor acting on your behalf.
  • Payment data: Premium subscription payments are processed via Stripe; HouseLog does not store credit card details.
  • Analytics data: usage information (pages, clicks, sessions) via PostHog and Google Analytics 4, on the legal basis set out in the table below (consent where activation is cookie-based).
  • Technical and security data: e.g. IP address, browser type, operating system, request logs — for security, diagnostics, and abuse prevention.

3. Purposes and Legal Basis (Art. 6 GDPR)

For each type of processing we identify the legal basis under Art. 6(1) GDPR:

| Processing activity | Legal basis |
| --- | --- |
| Account management, sign-in, core application | Contract performance (Art. 6(1)(b)) |
| Storage and display of uploaded files and project content | Contract performance (Art. 6(1)(b)) |
| AI processing of document content for quote analysis (Gemini) | Contract performance (Art. 6(1)(b)) — feature you use |
| Storage of contractor / third-party data in the system | Legitimate interest (Art. 6(1)(f)) — providing the service; you remain responsible for your own lawful basis for entry |
| Payment and subscription processing (Stripe) | Contract performance (Art. 6(1)(b)) |
| Retention of invoices and financial transaction records | Legal obligation (Art. 6(1)(c)), e.g. accounting law (ZDavP-2) |
| Analytics (PostHog, GA4) where not enabled without consent | Consent (Art. 6(1)(a)) via cookie preferences |
| Security, logs, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Other statutory requirements | Legal obligation (Art. 6(1)(c)) |

4. Processors (Third Parties) and Art. 28 GDPR agreements

We have entered into or accepted data processing agreements under Art. 28 GDPR with all processors listed below (including EU Standard Contractual Clauses where transfers require them).

To provide the service we work with the following processors:

  • Supabase Inc. — database hosting and authentication (transfers outside the EEA under SCC Module 2, Commission Implementing Decision of 4 June 2021, where applicable).
  • Stripe Inc. — payment processing (US; transfers: SCC Module 2, Commission Implementing Decision of 4 June 2021).
  • Google LLC — Google Analytics 4 and Gemini models (Flash / Flash Lite) for quote analysis; US; transfers: SCC Module 2 (controller to processor), Commission Implementing Decision (EU) 2021/914 of 4 June 2021. GA4, where used, is activated in line with your consent settings.
  • PostHog Inc. — product analytics (hosting region and transfer mechanisms per their documentation and contract).
  • Cloudflare Inc. — CDN, security, and object storage for documents (R2) where used (global infrastructure; appropriate safeguards and/or SCCs).

The application may include integration hooks for additional AI providers that are not currently active in production. If any additional provider were activated, we would update this Privacy Policy in advance.

5. AI Processing (Gemini) and EU AI Act

For quote analysis (and related processing of document text), content you select or upload is sent to Google Gemini models (e.g. Flash / Flash Lite), which are general-purpose AI (GPAI) systems. Transfers to the United States are based on the EU Standard Contractual Clauses — Module 2 (controller to processor), Commission Implementing Decision (EU) 2021/914 of 4 June 2021, together with Google's agreements. Under Google's publicly stated commitments for this API use, data are not used to train models without a separate arrangement — see Google's DPA and product documentation for detail.

As a deployer of an AI system within the meaning of Art. 50 of Regulation (EU) 2024/1689 (AI Act), we inform you that this feature uses Google's GPAI system; output is for information only and does not constitute professional (including construction or legal) advice.

6. Cookies and Tracking Technologies

We use cookies in accordance with the Slovenian Electronic Communications Act (ZEKom-2, Art. 157) and GDPR. Non-essential cookies are only set after you have given explicit consent.

  • Essential cookies: stored in your browser for authentication and session security. No consent required.
  • Analytics cookies (PostHog, GA4): activated only with your consent. You can change your preferences at any time via the "Manage cookie preferences" link.

7. Data Retention

| Category | Period |
| --- | --- |
| Account data | Until account deletion or up to 3 years after last activity |
| Uploaded files and project documentation | Up to 2 years after last activity on the project; we email you at least 30 days before deletion and offer an export window; then files are deleted except where law requires narrow records to be kept |
| Project metadata (if distinct from file content) | Until manual deletion or account deletion |
| Invoices and payment / transaction records (tax-relevant) | 10 years under ZDavP-2 and implementing rules — financial and transaction records only, not the entirety of your account or all project content |
| Analytics data | Up to 14 months (PostHog) or 26 months (GA4), then deleted |

8. Your Rights and Supervisory Authority

Under GDPR and ZVOP-2, you have the following rights:

  • Right of access — view the personal data we hold about you.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — request deletion of your data ("right to be forgotten").
  • Right to restriction — restrict certain types of processing.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interest.
  • Right to lodge a complaint — with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec RS): Dunajska cesta 22, 1000 Ljubljana, Slovenia, phone: +386 1 230 97 30, website: www.ip-rs.si, email: ip@ip-rs.si.

To exercise your rights, contact us at: info@houselog.si. We respond within 30 days at the latest. Our response must be substantiated (not merely a general refusal).

If you consider that we have not adequately addressed your request, you may lodge a complaint with the Information Commissioner within 15 days of our reply, as provided by Art. 14 ZVOP-2.

9. International Data Transfers

Some processors are located outside the EEA (e.g. the US). Transfers use appropriate safeguards, including Standard Contractual Clauses — Module 2 (controller to processor), Commission Implementing Decision of 4 June 2021, where relevant (Google, Stripe, and others as set out in each processor agreement).

10. Security Measures (Art. 32 GDPR)

We implement appropriate technical and organisational measures: traffic between your browser and the service is protected with TLS; data at rest on our providers' infrastructure uses encryption (e.g. database and object storage); account access requires authentication (including JWT-based sessions after sign-in); staff access to personal data is limited to what is necessary to handle requests and maintain the system.

11. Automated Decision-Making and Profiling (Art. 22 GDPR)

AI feature outputs (quote analysis) are intended as informational support for your own decisions. We do not carry out automated decision-making which produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR — you remain the decision-maker. We do not perform automated profiling within the meaning of Art. 4(4) GDPR (evaluating personal aspects, predicting interests for marketing, etc.) and we do not produce legally or similarly significant effects by solely automated means; processing document text is for summaries and notes in the app.

12. Personal Data Breaches

Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner of the Republic of Slovenia without undue delay, where feasible within 72 hours of becoming aware of it (GDPR). Where the breach is likely to result in a high risk to you, we will also communicate the breach to you directly, unless a statutory exception applies. Reports to the supervisory authority: www.ip-rs.si.

13. Deceased Users

We do not automatically disclose account personal data after a user's death. Access or export is granted only to lawful heirs or representatives who demonstrate legal authority. They may request account closure and, where technically possible, data export. ZVOP-2 also governs the protection of personal data of deceased persons (including protection for up to 20 years where the law so provides).

14. Age Requirement

The service is not intended for natural persons under 15 years of age, in line with the minimum age for valid consent in the information society under Art. 8 ZVOP-2 (read with Art. 8 GDPR). If you are under 15, you must not use the service without consent of a holder of parental responsibility where required by law.

15. Contact

For privacy questions: info@houselog.si, address: Železno 11a, 3310 Žalec, Slovenia.

A Data Protection Officer (DPO) is not required for these processing activities under applicable conditions.