Privacy Policy

This Privacy Policy explains how Domera Ltd handles personal data for the Domera platform in line with the EU General Data Protection Regulation (GDPR).

Last updated: 23 March 2026

1. Who We Are

Domera Ltd ("Domera", "we", "us", "our") is the legal entity responsible for this website and platform.

Company: Domera Ltd
Privacy Contact / DPO: Stefan Walther ([email protected])

2. Controller and Processor Roles

Domera operates in both GDPR roles depending on the processing activity:

  • Controller: for account management, platform security, billing administration, website operations, and support communications.
  • Processor: for data entered by customer organizations (such as management companies) about owners, tenants, units, payments, and building operations. In these cases, the customer organization is the controller.

3. Personal Data We Process

Depending on your role and usage, we may process:

  • Account and identity data (name, email address, login identifiers, role, organization membership).
  • Property-operation data (building, unit, owner, tenant, allocation, statement, and transaction records).
  • Billing data (subscription status, invoices, payment references, and related metadata provided by payment processors).
  • Support and communication data (messages, requests, and service interactions).
  • Technical and security data (IP address, device/browser metadata, audit logs, and error diagnostics).
  • Uploaded files and documents (for example invoices, receipts, attachments, and profile images).

Domera does not intentionally collect special-category personal data unless such data is provided by a customer and required for a lawful operational purpose.

4. Purposes and Legal Bases (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): to provide and maintain the Domera service, manage accounts, and perform platform operations.
  • Legal obligation (Art. 6(1)(c)): to comply with accounting, tax, audit, and regulatory obligations.
  • Legitimate interests (Art. 6(1)(f)): to secure the platform, prevent abuse, improve reliability, and support service quality.
  • Consent (Art. 6(1)(a)): where required, such as optional marketing communications or non-essential cookies.

5. User Roles Covered

Data may be processed in relation to platform roles including super_admin, admin, manager, owner, and tenant.

6. Subprocessors and Data Location

We use vetted service providers (subprocessors) to deliver the service:

  • Google Cloud Platform: Hosting and infrastructure (Frankfurt, Germany (EU))
  • Supabase: Database, authentication, and file storage (Frankfurt, Germany (EU))
  • SMTP2GO: Transactional email delivery (European infrastructure)
  • Stripe: Payment processing and billing (European infrastructure)
  • Google Analytics (GA4): Website analytics and usage insights (European infrastructure)
  • Cloudflare (Turnstile): Bot protection and automated abuse prevention on login and registration forms (Global CDN (EU data minimisation applied))
  • Sentry: Error monitoring, performance diagnostics, and optional session replay for incident investigation (EU-hosted ingestion endpoints and infrastructure)

We configure these services to process data in EU regions where available.

7. International Transfers

Domera is designed to keep personal data processing within the EU. If a transfer outside the EEA becomes necessary, Domera will apply appropriate safeguards (such as Standard Contractual Clauses) before transferring personal data.

8. Cookies

We use a limited number of cookies and similar technologies. Essential cookies are required for the platform to function and cannot be disabled. Analytics cookies are only set after you give explicit consent via our cookie banner.

Cookie | Provider | Purpose | Duration
sb-*-auth-token | Supabase | Authentication session (essential) | Session
_ga | Google Analytics | Distinguishes unique visitors (analytics) | 2 years
_ga_* | Google Analytics | Maintains session state (analytics) | 2 years

You can change your cookie preference at any time by clearing your browser storage or using the cookie banner that appears on your first visit. If you decline analytics cookies, no tracking data is collected.

9. Retention

Unless a longer period is legally required, personal data is kept for up to 7 years for accounting, audit, and compliance purposes. We apply shorter retention windows where feasible for operational logs and transient technical data.

10. Data Subject Rights

Under GDPR, you may have rights to:

  • Access your personal data.
  • Correct inaccurate or incomplete data.
  • Request deletion (right to erasure), where legally applicable.
  • Restrict or object to processing in specific circumstances.
  • Obtain data portability for data you provided to us.
  • Withdraw consent where processing is based on consent.

To exercise your rights, contact [email protected] with the subject "GDPR Request" and enough information for us to verify your identity. We aim to respond within 30 days, subject to GDPR-allowed extensions for complex requests.

11. Security

We implement technical and organizational measures appropriate to risk, including access controls, tenant isolation, encrypted transport, audit logging, and monitored infrastructure. No method of transmission or storage is fully risk-free, but we continuously improve safeguards.

Bot protection (Cloudflare Turnstile): We use Cloudflare Turnstile on our login, registration, and password-reset forms to detect and prevent automated abuse. When you load these forms, your browser sends technical signals (such as IP address, user-agent, and interaction patterns) to Cloudflare for evaluation. No persistent tracking cookie is set by Turnstile. This processing is based on our legitimate interest in securing the platform (GDPR Art. 6(1)(f)). For details, see Cloudflare's Privacy Policy.

Error monitoring and diagnostics (Sentry): We use Sentry to detect application errors, monitor stability, and investigate incidents. In production, Sentry may receive technical metadata such as IP address, device/browser data, route context, and error payloads. For selected sessions, replay data may be collected to help reproduce issues. Sensitive input fields are masked by default in replay capture. This processing is based on our legitimate interest in platform security and reliability (GDPR Art. 6(1)(f)).

12. Complaints

You may lodge a complaint with your local supervisory authority. If you are in Cyprus, this is the Office of the Commissioner for Personal Data Protection.

13. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or by email. The latest version will always be available at https://domera.cy/privacy.