Skip to main content

Legal Basis Overview (Art. 6 GDPR)

Last updated: March 1, 2026

This page provides an overview of the legal basis for each data processing activity at OpenHospi, in accordance with Art. 6 GDPR.

On this page

  1. 1. Performance of a contract: Art. 6(1)(b) GDPR
  2. 2. Consent: Art. 6(1)(a) GDPR
  3. 3. Legitimate interests: Art. 6(1)(f) GDPR
  4. 4. Legal obligation: Art. 6(1)(c) GDPR
  5. 5. No automated individual decision-making
  6. 6. Contact

1. Performance of a contract: Art. 6(1)(b) GDPR

The following processing activities are necessary for the performance of our contract with you (providing the student room platform):

  • User profile creation and management
  • Profile photo uploads
  • Room listing creation and management
  • Application submission and processing
  • Chat messaging (end-to-end encrypted)
  • House membership management
  • Voting on applications
  • Calendar subscription feed

2. Consent: Art. 6(1)(a) GDPR

The following processing activities are based on your explicit consent, which you can withdraw at any time via Settings > Privacy. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).

  • Functional cookies and local storage (sidebar state, language preference)
  • Push notification delivery
  • Analytics (Vercel Analytics: cookieless, no PII)

3. Legitimate interests: Art. 6(1)(f) GDPR

The following processing activities are based on our legitimate interest in platform security and user safety. We have balanced these interests against your rights and freedoms and determined that the processing is proportionate and necessary.

  • Session data (IP address, user agent): for security monitoring
  • Moderation data (reports, blocks): for platform safety
  • Temporarily decrypted message text: for investigating reported messages
  • Error and crash reporting data: for app stability monitoring and error resolution

4. Legal obligation: Art. 6(1)(c) GDPR

The following processing activities are necessary to comply with legal obligations:

  • Consent records (immutable audit trail): to demonstrate valid consent in accordance with Art. 7 GDPR
  • Data request processing: to fulfil data subject rights (Art. 15 to 22 GDPR)
  • Processing restriction records: to comply with the right to restriction of processing (Art. 18 GDPR)

5. No automated individual decision-making

OpenHospi does not use automated individual decision-making, including profiling, as referred to in Art. 22 GDPR. Room matching is entirely manual: users browse listings and submit applications themselves. House members vote on applicants through a manual voting process. No algorithms determine who sees which listings.