Privacy Policy

Last updated: 14 April 2026

Hemlo AB, org. nr 559577-1972 ("Hemlo", "we", "us") is the data controller for the processing described in this policy. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).

Account & profile data

When you create an account we store your email address, name, avatar URL (if you sign in via Google), preferred language and timezone. Legal basis: performance of contract (Art. 6(1)(b)). Retained until you delete your account.

Buyer profile data

You may optionally provide details such as family situation, income, commute preferences and BRF financial preferences to receive personalised property recommendations. Legal basis: consent (Art. 6(1)(a)). You can delete this data at any time from your profile settings.

AI chat & conversation data

Messages you send and AI responses are stored to provide the service and allow you to revisit conversations. Message feedback (thumbs up/down) and token usage are stored for service improvement and abuse prevention. Legal basis: contract and legitimate interest (Art. 6(1)(b) and (f)). Retained until you delete the conversation or your account.

Property & search data

Watchlist entries, saved searches and property comparisons are stored to provide the service. Legal basis: contract (Art. 6(1)(b)). Retained until you remove them or delete your account.

Payment data

If you subscribe to a paid plan we store your Stripe customer ID and subscription ID. We do not store credit card numbers or bank details. All payment processing is handled by Stripe (PCI DSS compliant). Legal basis: contract (Art. 6(1)(b)).

Push notifications

If you enable push notifications we store your device token and encryption keys. Legal basis: consent (Art. 6(1)(a)). Revoke at any time in your device or browser settings.

Chrome extension

When you have the Hemlo Chrome extension installed and visit a property listing on Hemnet, Booli, Idealista, Boneo, Mäklarhuset or Bjurfors, the extension extracts structured listing data (price, address, size, images, BRF details) from the page and sends it to Hemlo's API. This only happens on pages you actively visit — no background scanning, no browsing history collection, no geolocation tracking. These third-party sites are not data processors; we read publicly displayed listing information from pages you choose to visit. Legal basis: contract (Art. 6(1)(b)).

Broker chat widget

Anonymous visitors to broker pages receive a server-generated visitor token. Display name and email are collected only if you choose to provide them. Chat messages are retained for 90 days after the conversation closes. Legal basis: legitimate interest (Art. 6(1)(f)).

Analytics

We use Vercel Analytics and Speed Insights to collect anonymous, aggregated page view and performance data. Vercel Analytics is privacy-focused and does not use cookies for tracking. We do not use Google Analytics, tracking pixels, fingerprinting or third-party ad trackers.

Cookies

We use a language preference cookie (NEXT_LOCALE) to remember your language choice and essential authentication cookies for login sessions. We do not use tracking cookies or third-party cookies.

Local storage

We store theme preference, sidebar state and timezone cache in your browser's local storage. This data never leaves your device.

Third-party data processors

We share personal data with the following sub-processors (Art. 28 GDPR) to provide the service:

  • Supabase (AWS eu-north-1, Stockholm) — database, authentication and file storage
  • Vercel (EU preferred region) — hosting, edge functions, anonymous analytics and Speed Insights
  • Stripe (EU/US, PCI DSS compliant) — payment processing
  • OpenAI via Vercel AI Gateway (US) — AI chat responses
  • Google via Vercel AI Gateway (US) — AI property data extraction
  • Geoapify (EU) — driving/cycling times and isochrones (coordinates only, no personal data)
  • Resend (EU, Ireland eu-west-1) — transactional email
  • Apple APNs (US) — iOS push notifications
  • LangSmith / LangChain (Google EU) — AI observability and tracing

For processors in the US, transfers are covered by the EU–US Data Privacy Framework where applicable, or Standard Contractual Clauses (SCCs).

Public data sources

We fetch publicly available data from the following sources. No personal data is sent to them — only public identifiers such as coordinates, organisation numbers or addresses:

AllaBRF (BRF financial data), Mäklarstatistik (property valuations), Lantmäteriet (zoning/development plans), ResRobot/Trafikverket (public transit times), SCB (demographics and income by area), Skolverket (school quality ratings), Kolada/BRÅ (crime statistics), SGU (radon risk), MSB (flood risk), SMHI (air quality), EEA (noise levels), OpenStreetMap/Nominatim/Overpass (geocoding and points of interest).

Your rights

Under the GDPR you have the right to:

  • Access — request a copy of all your personal data (Art. 15)
  • Rectification — correct inaccurate data (Art. 16)
  • Erasure — delete your account and all associated data (Art. 17)
  • Data portability — export your data in a machine-readable format (Art. 20)
  • Restriction — limit how your data is used (Art. 18)
  • Objection — object to processing based on legitimate interest (Art. 21)
  • Withdraw consent — for optional data such as buyer profile and notifications

To exercise any of these rights, email privacy@hemlo.se.

You also have the right to lodge a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) at imy.se.

Contact

For privacy-related questions, contact us at privacy@hemlo.se.

Changes to this policy

We will notify registered users by email of material changes. Continued use of the service after notification constitutes acceptance.