GDPR Compliance Statement
Last updated: May 29, 2026 — Araneo s.r.o. | Chalupkova 7981/4, Bratislava 811 09, Slovakia | IČO: 57 562 351
Araneo s.r.o. is a limited liability company registered in Bratislava, Slovakia (IČO: 57 562 351), an EU member state. As an EU-established entity, we are subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") for all personal data processing activities, regardless of where our clients or their tenants are located.
This statement describes how Araneo complies with GDPR and how data subjects may exercise their rights.
1. Data Controller
Araneo s.r.o. is the data controller for personal data collected from: (a) rental agents and agencies who subscribe to the Services; and (b) tenant applicants who interact with Araneo's AI screening system through Facebook Messenger or WhatsApp.
Contact: hello@araneo.io | Chalupkova 7981/4, Bratislava 811 09, Slovakia
2. Legal Bases for Processing
We process personal data under the following GDPR Article 6 legal bases:
- Consent (Art. 6(1)(a)): analytics cookies and optional tenant screening questions
- Contract performance (Art. 6(1)(b)): providing the Services to Agent subscribers
- Legitimate interests (Art. 6(1)(f)): fraud prevention, security, and service improvement
- Legal obligation (Art. 6(1)(c)): compliance with applicable law including Slovak and EU law
3. Data Flows and Processors
Personal data flows through the following systems:
- Supabase (Canada, ca-central-1): primary database storage — Canada has an EU adequacy decision
- n8n on Hetzner VPS (Frankfurt, Germany): workflow automation — processing within the EEA
- OpenAI (United States): AI lead scoring — data subject to OpenAI's data processing agreement and applicable transfer safeguards
- Stripe (United States): payment processing — subject to Stripe's data processing agreement
- Meta (Facebook/WhatsApp): Messenger and WhatsApp messaging — subject to Meta's data processing terms
We take reasonable steps to ensure that personal data transferred outside the EEA is subject to appropriate protections. Our primary data storage remains within Canada (covered by an EU adequacy decision) and workflow processing remains within Germany (within the EEA). Where processing by US-based providers is required, we rely on those providers' data processing agreements and applicable safeguards.
4. Automated Decision-Making (Article 22)
Araneo's AI screening system constitutes automated processing that produces assessments about tenant applicants. We take the following measures to comply with Article 22:
- Disclosure: tenants are informed they are interacting with an automated system
- Human review: any tenant applicant may request a human review of their automated assessment by contacting hello@araneo.io
- Meaningful information: agents are provided with the scoring factors and weighting so they can explain the basis of any AI score
- Non-discrimination: the scoring model evaluates only financial and logistical factors — it does not process special categories of data or protected characteristics
5. Your GDPR Rights
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of that data
- Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data
- Right to erasure (Art. 17): request deletion of your personal data where there is no compelling reason for continued processing
- Right to restriction (Art. 18): request that processing be restricted in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object (Art. 21): object to processing based on legitimate interests
- Right not to be subject to automated decisions (Art. 22): request human review of any automated decision that significantly affects you
To exercise any of these rights, contact us at hello@araneo.io with the subject line "GDPR Rights Request". We will respond within one month. In complex cases we may extend this period by a further two months with notice.
6. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence or the country where the alleged infringement occurred.
Our lead supervisory authority as an EU-established entity is:
Úrad na ochranu osobných údajov Slovenskej republiky
(Office for Personal Data Protection of the Slovak Republic)
Website: dataprotection.gov.sk
Address: Hraničná 12, 820 07 Bratislava, Slovakia
Email: statny.dozor@pdp.gov.sk
EU residents may also lodge a complaint with the supervisory authority in their country of residence.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in our Privacy Policy. See the Retention section of our Privacy Policy for specific timeframes per data category.
8. Security
We implement appropriate technical and organisational measures under Article 32 GDPR including AES-256 encrypted storage, HTTPS transmission, access controls, and regular security reviews.
9. Contact
For all GDPR-related inquiries, email hello@araneo.io with subject line "GDPR Rights Request".
Araneo s.r.o.
Chalupkova 7981/4, Bratislava 811 09, Slovakia
hello@araneo.io