← Back to listings

Privacy Policy

Last updated: May 2026

1. Data Controller

The data controller for this service is:
Milano Cerco Affitto
Email: [email protected]
Website: https://milano-cerco-affitto.com

2. What Data We Collect

We collect the following personal data:

• Account data: email address and hashed password when you register.
• Favorites and notes: listings you save and any notes you write about them.
• Payment data: if you subscribe to Pro, PayPal processes your payment. We store only your PayPal subscription ID and payment status — never your card or bank details.
• Technical data: IP address (for rate limiting and security), session cookies (for OAuth login flows).

3. What We Do NOT Collect

• We do not use analytics or tracking cookies.
• We do not share your data with third parties for marketing.
• We do not profile you or make automated decisions about you.

4. Legal Basis (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): processing your account data and favorites is necessary to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)): IP-based rate limiting to protect the service from abuse.
• Consent (Art. 6(1)(a)): you consent to this policy when creating an account.

5. Cookies and Local Storage

We use:

• Session cookie (essential): used only during OAuth login flows (Google/Facebook). This is a strictly necessary cookie and does not require consent under the ePrivacy Directive.
• Local storage: your authentication token is stored in your browser's local storage to keep you signed in.

We do not use advertising, analytics, or third-party tracking cookies.

6. Listing Data

Apartment listings displayed on this service are collected from publicly accessible Facebook group posts. We display listing details (price, location, images, free-form post text) but actively redact personal contact information before display: phone numbers, email addresses, social media handles, and WhatsApp/Telegram contacts are automatically removed from the visible text. The original poster's name (Facebook profile name) is never stored.

Legal basis: we process this publicly available listing data on the basis of legitimate interest (GDPR Art. 6(1)(f)) — providing a free, search-engine-style aggregator of public rental listings to help people find housing. We have weighed this against the rights of the original posters by (a) only using public posts, (b) automatically redacting personal contact details, (c) never republishing the poster's identity, (d) capping retention at 72 hours, and (e) honouring removal requests within 48 hours.

Retention: individual listings are kept for at most 72 hours from the moment we first see them, then automatically dropped from the live feed. Internal historical snapshots are PII-redacted and rotated (oldest deleted), retaining only the most recent.

Removal requests: if you are the author of a listing and want it removed, you have two options:

• Click the "Report" button on any listing card on the website. The listing is queued for removal and we typically take it down within hours.
• Or email [email protected] with the listing URL or a screenshot. We will confirm removal within 48 hours.

Removed listings are added to a permanent block list so they will not reappear if re-scraped.

7. Data Retention

• Account data: retained until you delete your account.
• Favorites and notes: retained until you delete them or delete your account.
• Listing data: historical listing snapshots are automatically rotated (oldest deleted) to keep only the most recent data.
• IP addresses: kept in memory for rate limiting, and stored in the activity log for security auditing. Activity log entries are automatically deleted after 90 days.

8. Your Rights (GDPR Art. 15–22)

You have the right to:

• Access your data — use the "Export my data" button in your account settings.
• Rectify your data — you can update your favorites and notes at any time.
• Erase your data — use the "Delete account" button to permanently delete all your data.
• Data portability — export your data as a JSON file using the export feature.
• Object to processing — contact us at the email above.
• Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at garanteprivacy.it.

9. Data Security

We protect your data with: encrypted passwords (bcrypt), HTTPS encryption in transit, restrictive Content Security Policy headers, rate limiting on all authentication endpoints, and file-level access controls on stored data.

10. Third-Party Services

• Google / Facebook / Apple OAuth (optional): if you choose to sign in via Google, Facebook, or Apple, their privacy policies apply to the authentication flow. We only receive your email address.
• PayPal (optional): payment processing is handled by PayPal. See PayPal's privacy policy.
• Resend: used to send transactional emails (verification, password reset). See Resend's privacy policy.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify the Italian Data Protection Authority (Garante) within 72 hours and inform affected users without undue delay, as required by GDPR Articles 33 and 34.

12. Changes to This Policy

We may update this policy from time to time. The "last updated" date at the top will reflect changes. We will notify you of material changes via email. If you do not agree with the updated terms, you may delete your account.

13. Accuracy of Listings — No Warranty

Listings displayed on this service are scraped from publicly accessible Facebook group posts and presented to you as collected, with automated processing only (filtering of obvious non-rental posts, deduplication, geocoding of mentioned locations). We do not verify the accuracy, availability, legality, or current status of any listing.

In particular:

• Prices are extracted from the original post text and may be outdated, missing, or differ from what the landlord ultimately asks.
• Availability is not guaranteed — listings may already be rented, withdrawn, or have been posted in error. We attempt to remove dead listings on a best-effort basis but cannot guarantee timeliness.
• Map pin locations are inferred from text in the post (street names, neighborhood mentions, metro stops). Inference is approximate; a listing with no precise address will be pinned to the centre of the mentioned area, not the actual building. Always confirm the address with the original poster before visiting or signing anything.
• Listing content (descriptions, photos, contact details) is the sole responsibility of the original poster on Facebook. We are not the author and cannot assess whether a listing is genuine, current, or compliant with rental law.

To the maximum extent permitted by law, this service is provided "as is" without warranties of any kind. You agree that you are responsible for verifying any listing before acting on it, and that we are not liable for losses, damages, or fraud resulting from inaccurate or misleading content sourced from third-party Facebook groups.