1. Who is responsible
The party responsible for processing your personal data is:
aptari GmbH
Leutschenbachstrasse 76
8050 Zürich
Switzerland
Phone: +41 78 751 22 86
Email: info@aptari.ai
2. What data we process
We process the following categories of personal data:
- Contact: name, email, phone (optional)
- Profile: nationality, civil status, employment, employer, gross annual salary, smoker status, pet status, household size
- Search preferences: target cities, rent ceiling, minimum rooms, must-haves, move-in window
- Documents: salary certificate, debt register extract (Betreibungsauszug), photo ID, reference letters — stored encrypted at rest (AES-256)
- Application data: applications submitted via aptari, status, motivation letters, per-application consent records
- Score data: Match Score results and breakdowns, retained immutably in an audit log
- Payment data: subscription tier and billing status. Card and bank details are processed directly by Stripe; we never see them.
- Usage data: log files, IP address, browser information, language preference
3. How we use your data
3.1 Match Score — deterministic, not AI
The Match Score on every listing is computed by a deterministic algorithm we built in-house (the Aptari Engine). It produces a 0–100 score across four dimensions: income coverage (gross salary ÷ 12 × monthly rent), passport completeness (count of verified required documents), lifestyle fit (pet / smoker / family compatibility), and landlord criteria (match against the agency's published criteria). The Match Score involves no language model and no generative AI. It is plain math. The full computation is recorded in our audit log (Section 7) and you have the right to a full breakdown at any time (Section 6.4).
3.2 Document verification — Google Gemini (EU)
When you upload documents to your Tenant Passport, Google Gemini (`gemini-3-flash-preview`) reads them and extracts structured fields (income figure, document date, name match, debt history). We send a minimal, protected-class-free prompt. Gemini sees only the document and that prompt — nothing else about you. Data residency: EU. Training opt-out: enforced — we will only enable Gemini in production after our DPA and no-training rider are confirmed by counsel.
3.3 Motivation letters — Google Gemini
When you ask aptari to draft a motivation letter, we send your profile summary, the listing context, and your chosen tone to Gemini, which returns a draft you can edit. You own the draft. Gemini does not retain it.
3.4 Translation — Google Gemini
When you ask to translate one of your saved motivation letters between German, English, French, or Italian, we send it to Gemini for translation. No retention.
3.5 Match-score explanation — Google Gemini
After the Aptari Engine has computed your Match Score for a specific listing, we ask Google Gemini to generate a short human-readable explanation. The explanation contains a summary of your fit, 2–3 strengths ("highlights"), 1–2 watchouts ("concerns") with suggested neutralising lines you can use in your motivation letter, and one actionable tip.
To produce this, Gemini receives your first and last name, gross salary, salary/rent ratio, employer, job title, smoker/pets/household size, document verification status, and dossier completeness, alongside the listing details and the agency's published criteria. It does **not** receive any protected characteristic (race, ethnicity, nationality, religion, gender, sexual orientation, age, disability, pregnancy, family status, marital status, language origin) — those fields are explicitly excluded from the prompt and the exclusion is enforced at three layers in our code.
**Important: both you and the agency see this output.** The strengths and watchouts are stored alongside your application and shown to the agency when they review your file. The agency uses this material to decide whether to shortlist you, invite you to a tour, or select you as their tenant.
Under EU AI Act Art. 22 and GDPR Art. 22 this constitutes automated processing that significantly affects you, and you have the right to a human-readable explanation (always available at /dashboard/scores/[scoreId]), the right to contest the explanation, the right to ask for human review by the agency, and the right to opt out of the AI explanation entirely (you keep the deterministic Match Score, but no Gemini-generated strengths/watchouts — currently a manual support request; a toggle is in development).
Gemini's score is discarded; only the Aptari Engine score is persisted.
3.6 AI Agent (Ultra tier, opt-in)
If you subscribe to the Ultra tier and explicitly enable the AI Agent, our backend runs every 10 minutes. For each new aptari-partner listing in your search radius, the agent runs the Aptari Engine and the Gemini explanation. When your score is at or above 80%, your Passport is verified, and the listing is on an aptari-partner agency, it submits your application via Passport Apply. The agent is capped at 15 applications per day. You can pause it at any time. The agent does not act on third-party portals (Homegate, Flatfox, etc.) — those are flagged for manual handoff.
3.7 Other purposes
Platform operation, payment processing, communication with you, and fulfilling legal obligations (FADP Art. 31, GDPR Art. 6.1.c).
4. Legal basis
We process your data on the following legal grounds:
- Your consent (FADP Art. 6 para. 6 / GDPR Art. 6.1.a) — for AI processing of your documents, for AI-drafted motivation letters, and for the AI Agent
- Contract performance (GDPR Art. 6.1.b) — to provide the platform you signed up for
- Legitimate interest (GDPR Art. 6.1.f) — platform security, fraud prevention, and audit log retention
You can withdraw any consent at any time. Withdrawal does not affect the lawfulness of past processing.
5. Who else processes your data
We use the following service providers, who may process your data on our behalf under data processing agreements:
- Supabase (EU residency for production data) — database, authentication, file storage
- Stripe (USA, Ireland) — payment processing. We never see your card details.
- Google Gemini / Vertex AI (EU) — per Sections 3.2 through 3.5 above
- Resend (USA) — transactional email delivery (verification, password reset, application updates)
- Vercel (USA, with EU edge) — application hosting and cookieless web analytics
For providers outside Switzerland and the EEA, we rely on EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. We do not use Anthropic, OpenAI, or any other large-language-model provider for any tenant-facing flow.
6. Your rights
Under FADP Art. 25 and GDPR Art. 15–22 you have the following rights:
6.1 Access
You can request a copy of all personal data we hold about you. In your account: Settings → Privacy → Download my data. Or email info@aptari.ai.
6.2 Correction
You can correct inaccurate data directly in your account, or ask us via info@aptari.ai.
6.3 Deletion (right to be forgotten)
You can request deletion of your account and all personal data at any time. Settings → Privacy → Delete account. Deletion is processed within 30 days. Within that window you can sign back in to cancel the deletion. After 30 days your account, profile, documents, applications, saved searches, motivation letters, and tour history are permanently erased. Audit-log rows are pseudonymised by removing your identity (function anonymise_scoring_audit_for_erasure). The mathematical record survives for the legally required period (7 years) to satisfy DSG audit obligations, but it is no longer linked to you.
6.4 Right to explanation (AI Act Art. 86 + GDPR Art. 22)
Where an automated decision affects you — specifically a Match Score below an agency's threshold that prevents your application from being shortlisted, or the AI Agent's decision to skip or apply to a listing — you have the right to receive a human-readable explanation of the decision, to contest the decision, and to have a human review it. The full score breakdown for every listing is permanently available at /dashboard/scores/[scoreId].
6.5 Portability
You can download your data in machine-readable JSON format from Settings → Privacy → Download my data.
6.6 Withdraw consent
You can withdraw any specific consent (AI processing of new documents, AI-drafted letters, AI Agent runs) at any time in Settings → Privacy.
6.7 Complain
You can file a complaint with the Swiss Federal Data Protection and Information Commissioner (EDÖB) or any EU supervisory authority.
7. Audit logs and retention
We keep the following records:
- Score audit log (`scoring_audit_log`): every Match Score is recorded with the input snapshot, the agency's criteria, the model identifier (Aptari Engine version plus the Gemini model when an explanation was generated), and a timestamp. Immutable. Retained 7 years. You can read your own rows.
- Document access audit (`document_views_audit`): every time an agency views one of your documents, a row is written with timestamp, agency, document, and application context. Retained 7 years.
- Per-application consent (`ai_processing_consents`, `document_access_grants`): scope, timestamp, and grant duration. Retained for the application lifetime plus 7 years.
- Application data: kept while the application is active; archived to read-only storage for 7 years after closure.
- Account data: kept while your account is active; deleted within 30 days of account closure (see 6.3).
- Payment records: retained for the legally required period of 10 years under Swiss commercial law.
- Marketing analytics: retained for 13 months maximum.
- Product usage analytics: cookieless first-party recording of page views and clicks (session id, path, device type, language, referrer). No cookies, never shared with third parties, stored in our own database (Supabase, EU). Retained 13 months maximum.
- Web analytics (Vercel): cookieless, aggregated page-view statistics via Vercel Web Analytics, collected by our hosting provider. No cookies, IP addresses are not stored, and the anonymous visitor identifier expires after 24 hours.
8. Anti-discrimination guarantees
Agencies on aptari cannot use protected characteristics in their scoring rules. The following inputs are blocked at three layers of our code (input sanitiser, scoring engine, Postgres trigger): race, ethnicity, nationality, religion, gender, sexual orientation, age, disability, pregnancy, family status, marital status, language, permit class, and mother tongue. Any attempted use of these inputs is recorded in `agency_scoring_rule_violations` and reviewed by aptari's compliance team.
9. Document access by agencies
Agencies you apply to **never** receive copies of your documents. They view them through a short-lived signed URL (60 seconds) that expires immediately after viewing. Downloading is blocked. Every view is recorded in our audit log per Section 7.
10. Cookies
We use technically necessary cookies for authentication and session management. We do not set analytics or marketing cookies without your explicit consent.
11. International transfers
Where your data leaves Switzerland or the EEA (Stripe, Resend, Vercel), we rely on EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
12. Changes to this policy
We review this policy quarterly. Material changes (new processors, new data categories, expanded purposes) are notified by email and require renewed consent where the legal basis is consent.
13. Contact and complaints
For any privacy question, withdrawal of consent, or complaint, please contact info@aptari.ai. You can also contact the Swiss Federal Data Protection and Information Commissioner (EDÖB) at edoeb.admin.ch.