Privacy Policy
Last updated: May 29, 2026 — Araneo s.r.o. | Chalupkova 7981/4, Bratislava 811 09, Slovakia | IČO: 57 562 351
This Privacy Policy describes how Araneo s.r.o. ("Araneo", "we", "us", "our") collects, uses, stores, and shares personal information when you use our Services, including when you: visit araneo.io; use Araneo's AI-powered lead qualification and CRM platform; or interact with our AI screening system through Facebook Messenger or WhatsApp as a tenant applicant.
Questions or concerns? Contact us at hello@araneo.io.
1. What Information We Collect
From Agents (platform subscribers)
- Name, email address, and account password
- Billing information processed by Stripe — we do not store card numbers
- WhatsApp phone number used to receive HOT lead alerts
- Facebook Business Page credentials and Page Access Token
- Listing content: address, rent, bedrooms, available date, photos, descriptions
- Ad campaign settings and performance data: daily budget, radius, impressions, reach, clicks, and spend
- Dashboard usage, analytics, and pipeline activity data
From Tenant Applicants (via Facebook Messenger or WhatsApp)
When a tenant interacts with Araneo's conversational AI screening, we may collect information they voluntarily provide, including:
- Full name, email address, and phone number
- Number of occupants and desired move-in date
- Monthly rent budget and income-to-rent ratio (calculated)
- Employment type and monthly income (self-reported)
- Self-reported credit score range
- Guarantor availability and documentation readiness
- Rental history (self-reported)
- Pet ownership and smoking status (optional)
- Facebook Page-Scoped User ID / PSID (Messenger users only) — an anonymous identifier assigned by Meta
- WhatsApp phone number (WhatsApp users only)
- Full Messenger or WhatsApp conversation transcript including all free-text responses — this complete transcript is accessible to the Agent in their Araneo inbox and lead detail view
- Per-step completion data and drop-off point within the screening conversation
- AI-generated lead score and HOT/WARM/COLD classification
- Messenger reply window status and timing data
From Website Visitors
- IP address, browser type, device characteristics, operating system, language preferences
- Pages visited and referral source (via Google Analytics 4, with consent only)
- Name, email address, and message submitted through the contact form
2. How We Process Your Information
We process personal information to:
- Facilitate account creation, authentication, and account management
- Deliver AI-powered lead qualification and screening Services
- Send automated screening conversations to tenant applicants on behalf of connected Agents via Facebook Messenger or WhatsApp
- Send one automated follow-up message to tenant applicants who do not complete the screening conversation within 24 hours
- Send email digests to Agents containing WARM lead profiles (name, phone, income, credit score) for review at their own pace
- Publish listing posts to agency Facebook Business Pages via the Facebook Graph API
- Track and attribute incoming messages to the specific listing referral link through which the tenant made contact
- Retrieve and display post and ad campaign performance analytics from Facebook
- Enable Agents to export lead data including tenant personal information as PDF documents
- Process subscription payments through Stripe
- Send administrative, billing, and onboarding communications
- Respond to support inquiries and contact form submissions
- Comply with our legal obligations
3. Third-Party Processors and International Transfers
We do not sell personal information. We share information only with the following processors:
- Meta (Facebook/Messenger/WhatsApp): to deliver Messenger and WhatsApp messages, publish posts, and retrieve analytics via the Facebook Graph API
- Stripe: to process subscription payments. See stripe.com/privacy
- Supabase: database hosting in the ca-central-1 (Canada) region
- OpenAI (GPT-4o): AI lead scoring and qualification. Lead screening responses may be processed by OpenAI to generate scores and assessments. See openai.com/policies/privacy-policy
- n8n / Hetzner (Frankfurt, Germany): our automation workflows run on a self-hosted n8n instance on a Hetzner VPS located in Frankfurt, Germany. Data transits through this server as part of workflow automation but is not permanently stored there
- Legal authorities: where required by law, subpoena, or court order
- Business transfers: in connection with a merger, acquisition, or sale of assets — we will provide 30 days' notice before data becomes subject to a different privacy policy
International transfers: our primary data storage is in Canada (Supabase ca-central-1), which benefits from an EU adequacy decision. Workflow processing transits through Germany (Hetzner VPS, within the EEA). Data shared with OpenAI (US) and Stripe (US) is governed by those providers' data processing agreements and applicable transfer safeguards. We take reasonable steps to ensure that transfers of personal data outside the EEA are subject to appropriate protections.
4. Automated Decision-Making and AI Scoring
Araneo uses AI to automatically score and classify tenant applicants as HOT, WARM, or COLD based on an 8-factor model. This constitutes automated processing that produces assessments with potentially significant effects on tenant applicants.
AI scoring evaluates only financial and logistical factors — it does not score on race, national or ethnic origin, colour, religion, age, sex, sexual orientation, gender identity, marital status, family status, disability, or any other protected ground.
The final rental decision is always made by the Agent, not by the AI. Tenant applicants who wish to request a human review of an automated assessment may contact us at hello@araneo.io.
At the beginning of each screening conversation, Araneo's AI identifies itself as an automated assistant and informs the tenant that their responses will be used to assess their suitability for the rental listing. By continuing the conversation, the tenant provides implicit consent to the screening process. Tenants may stop the conversation at any time by replying STOP.
5. Legal Bases for Processing
As an EU-established entity, we process personal information under the following GDPR legal bases:
- Consent (Article 6(1)(a)): analytics cookies, marketing communications, and optional screening questions
- Contract performance (Article 6(1)(b)): to provide the subscribed Services to Agents
- Legitimate interests (Article 6(1)(f)): to improve the Services, prevent fraud, and maintain security
- Legal obligation (Article 6(1)(c)): to comply with applicable Slovak and EU law
For Canadian residents, we also process information in accordance with PIPEDA and applicable provincial privacy legislation.
In all cases, we apply the principle of data minimization — we collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We do not collect personal data speculatively or in excess of what is required to deliver the Services.
6. Facebook Page and Ad Campaign Data
- Listing content is posted to the Agent's Facebook Business Page via the Facebook Graph API — property addresses are never included in posts
- Ad campaigns are created through the Facebook Marketing API — campaign performance data is collected and displayed in the Agent's dashboard
- Agents retain full control and may revoke Araneo's page access at any time through their Facebook Business Settings
7. Cookies and Tracking Technologies
We use cookies and similar technologies to collect information when you interact with our website. For a complete list of cookies we use and instructions on how to manage your preferences, see our Cookie Policy.
We use Google Analytics 4 (Measurement ID: G-7ZX4HNDYC6) to understand how visitors interact with our website. Google Analytics is only loaded after you explicitly accept cookies via our consent banner. If you decline, no analytics data is collected about your visit. You can also opt out via Google's opt-out tool.
8. Multi-Seat Accounts, Admin Portal, and White-Label
The following applies to Pro plan subscribers:
- Team access: where an account has multiple agent seats, all agents within that account have access to the shared lead pipeline and tenant screening data. Tenant data is accessible to all authorised users within the subscribing organisation.
- Admin portal: the account administrator has oversight access to all agents' lead pipelines and tenant data within their organisation. Access is limited to the subscribing organisation and not shared externally.
- White-label branding: Pro plan subscribers may configure Araneo to operate under their own brand name and appearance. Where white-label is enabled, tenant applicants interact with an AI screening system that may not visibly identify Araneo as the underlying operator. Araneo remains the data processor in all cases. Agents using white-label are responsible for ensuring their tenants are informed that an automated AI system is collecting and processing their screening responses, and for providing a contact point through which tenants may exercise their privacy rights. Araneo's contact details at hello@araneo.io remain available for any data subject requests regardless of white-label configuration.
9. Retention
- Agent account data: retained for the duration of the subscription and deleted or anonymised within 30 days of account termination, except where required by law
- Tenant screening data: retained for the duration of the Agency's subscription. Agents may delete individual lead records at any time through the dashboard
- Billing records: retained for 7 years as required by applicable accounting law
- Contact form submissions: retained for 12 months
- Analytics data: retained per Google Analytics data retention settings (default 14 months)
- Backup copies: system backups may retain data for up to 90 days after deletion from primary systems
10. Data Storage and Security
Primary data storage is in Canada (Supabase ca-central-1 region) in compliance with PIPEDA data residency practices. Workflow automation processing transits through Germany (Hetzner VPS, Frankfurt) but data is not permanently stored there. We implement AES-256 encrypted storage, access controls, and HTTPS transmission. No method of electronic transmission or storage is 100% secure.
In the event of a personal data breach, we will: (a) notify affected users without undue delay and within 72 hours where required by applicable law; (b) notify the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) within 72 hours of becoming aware of a breach that poses a risk to individuals, as required under GDPR Article 33; and (c) notify the Office of the Privacy Commissioner of Canada where the breach poses a real risk of significant harm, as required under PIPEDA. We maintain internal records of all data breaches regardless of whether notification is required.
11. Minors
We do not knowingly collect data from individuals under 18. If we learn that a minor's data has been collected, we will delete it promptly.
12. Your Privacy Rights
We will respond to rights requests within one month of receipt. In complex cases we may extend this by a further two months and will notify you within the first month.
Under GDPR (EU residents and all data subjects where GDPR applies)
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations
- Right to restriction (Art. 18): request that we limit processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to human review (Art. 22): where an automated decision significantly affects you, request human review
- Right to complain: lodge a complaint with the Slovak Data Protection Authority — dataprotection.gov.sk
Under PIPEDA (Canadian residents)
- Right to access: request a copy of the personal information we hold about you
- Right to correction: request correction of inaccurate or incomplete information
- Right to deletion: request deletion of your personal data, subject to legal retention obligations
- Right to withdraw consent: withdraw consent at any time, subject to legal or contractual restrictions
- Right to explanation: request an explanation of any automated decision that affects you
- Right to complain: lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)
Under Quebec Law 25 (Quebec residents)
- Right to data portability in a structured, technological format
- Enhanced rights regarding automated decision-making and profiling
To exercise any right, contact us at hello@araneo.io or use our Data Deletion page. Tenant applicants may opt out of automated screening at any time by replying STOP to a Messenger or WhatsApp message.
13. Do Not Track
We do not currently respond to Do-Not-Track signals as no uniform standard has been finalized. If a standard is adopted that we must follow, we will update this policy accordingly.
14. Updates
We may update this policy periodically. Material changes will be communicated by email or by prominent notice on the website at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
15. Contact
Araneo s.r.o.
Chalupkova 7981/4, Bratislava 811 09, Slovakia
hello@araneo.io