Privacy Policy

Last updated: 4 May 2026

1. Controller (Art. 13 GDPR)

The data controller for the Kiez platform is:

Millevazion, Sebastien Dubuisson Einzelunternehmen
Schönfliesser Str. 5
10439 Berlin
Deutschland

Email: hello@getkiez.app

2. What Kiez does

Kiez is a marketplace that matches Berlin businesses with local residents who post about their neighborhood on Instagram. A business publishes a perk (a free meal, a discount, a sample). A local (a "connector") applies, visits, and posts about it. We help both sides find each other and verify that the exchange happened.

3. Lawful basis (Art. 6 GDPR)

  • Contract performance (Art. 6(1)(b)): to provide the service, run the matching, generate redemption codes, verify posts.
  • Consent (Art. 6(1)(a)): for any optional marketing communication.
  • Legitimate interest (Art. 6(1)(f)): for service security, abuse prevention, rate limiting, and basic operational logs.

4. Categories of personal data

Business accounts. Email, business name, address, category, Instagram handle, opening hours, contact phone. Geocoded latitude/longitude for the business address.

Connector accounts. Email, name, Instagram handle, Berlin postcode (optional, used for proximity matching only and never returned to the client), interests, Instagram public stats (follower and post counts) fetched at apply time.

Application data. Application status, redemption codes, submitted Instagram post URLs, ratings you and the other party give each other.

5. Instagram data

When a connector applies to a campaign, we fetch their Instagram account's public follower count and post count via a third-party scraping API (Apify). When a connector submits a post URL, we fetch that single post's caption and metadata to verify it meets the campaign requirements (mention, disclosure hashtag, campaign hashtag, format, posting window). We store only what we need for verification and reputation history.

Kiez does not log into your Instagram account, does not access private content, and does not require any OAuth permission grant from you on Instagram's side.

6. Data processors

  • Supabase (database, authentication, storage, edge functions)
  • Vercel (web hosting)
  • Apify (Instagram public-data fetches at apply and post-verification time)
  • Mapbox (geocoding addresses and postcodes)
  • Resend (transactional emails: sign-in links, application updates)
  • Sentry (error tracking)
  • PostHog (product analytics, EU region)

All processors operate under GDPR-compliant Data Processing Agreements. Where data is transferred outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses and adequacy decisions where applicable).

7. Data retention

  • Account data is retained until you delete your account.
  • Application data, redemption codes, and Instagram snapshots are retained for 12 months after a campaign closes, then anonymized.
  • Ratings and reputation data are retained for as long as the account is active, then anonymized on account deletion.

8. Your rights (Art. 15 to 22 GDPR)

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Restrict or object to processing
  • Receive your data in a portable format (data portability)
  • Withdraw consent at any time
  • Lodge a complaint with the Berliner Beauftragte für Datenschutz und Informationsfreiheit

To exercise any of these rights, email privacy@getkiez.app.

9. Security

  • Encrypted connections (HTTPS/TLS)
  • Row-level security on every database table
  • Connector home location is stored as exact coordinates but never returned to the client; only the resolved Kiez and a distance band are exposed
  • Single-use, expiring redemption codes
  • Rate limiting and abuse detection

10. Cookies

Kiez uses one cookie: a signed session cookie that keeps you logged in. It is essential to the service. We do not use tracking, advertising, or behavioural-profiling cookies.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the service or by email.
