OpenHospi is the controller within the meaning of Art. 4(7) GDPR for the processing of your personal data. OpenHospi is a free, open-source platform where students in the Netherlands can find and list rooms. For privacy questions, contact us at privacy@openhospi.nl. OpenHospi has not designated a data protection officer, as this is not required under Art. 37 GDPR given the nature and scale of our processing activities.
2. Privacy contact
For all privacy and data protection inquiries, contact privacy@openhospi.nl. We handle your request free of charge and respond within one month of receipt, in accordance with Art. 12(3) GDPR. For complex or numerous requests, we may extend this period by a further two months. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
3. Data we collect
We collect the following categories of personal data, in accordance with the principle of data minimisation (Art. 5(1)(c) GDPR):
Profile data: name, email address, date of birth, gender, study programme, educational institution, bio, lifestyle tags, preferred city, available from date, maximum rent, photos
Housing data: room listings with addresses, coordinates, rent price, room details and photos
Communication data: end-to-end encrypted chat messages (content is unreadable by OpenHospi)
Application data: personal message and application status
Session data: IP address and user agent for security purposes
Push notification tokens: for delivery of notifications to your device
Calendar subscription token: a unique, secret link that allows your calendar application to access your hospi event schedule. This link does not require authentication and can be revoked at any time from your settings
Consent records: your cookie and privacy preferences, timestamps and privacy policy version
We do not collect special categories of personal data as referred to in Art. 9(1) GDPR (including data revealing racial or ethnic origin, political opinions, religious beliefs, health or sexual orientation). If you voluntarily share such data in your profile or messages, we process it on the basis of Art. 9(2)(e) GDPR (manifestly made public by the data subject).
5. How we use your data
We use your data solely to provide the OpenHospi platform, in accordance with the purpose limitation principle (Art. 5(1)(b) GDPR): matching students with rooms, facilitating communication between seekers and hosts, managing the housing application process, and calendar synchronisation. When you subscribe to your hospi calendar, we serve your event details (titles, dates, times, locations) through a private URL. Calendar applications (Google Calendar, Apple Calendar, Outlook) periodically request this URL to keep your calendar up to date. We do not sell your data, use it for advertising, profile you for marketing purposes, or share it with third parties except as described in this policy.
6. Obligation to provide personal data
Profile data (name, email address, study information) is contractually required to use the platform (Art. 13(2)(e) GDPR). Without this data, no account can be created and the platform cannot function. The provision of this data is a contractual requirement, not a statutory obligation. You are free not to create an account if you do not wish to provide this data.
7. Legal basis
We process your data on the following legal grounds (Art. 6 GDPR). See our Legal Basis Overview page for a complete breakdown per processing activity.
Performance of a contract (Art. 6(1)(b) GDPR): profile, housing, applications, chat; necessary for the performance of the contract
Legitimate interests (Art. 6(1)(f) GDPR): session security (IP logging), platform safety (moderation reports). We have balanced these interests against your rights and freedoms and determined that the processing is necessary and proportionate
Legal obligation (Art. 6(1)(c) GDPR): consent records (demonstrating valid consent in accordance with Art. 7 GDPR)
You may withdraw your consent at any time via Settings > Privacy. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).
8. Data sharing & processors
We share your data only with the following parties, all located within the EU/EEA. All processors operate under data processing agreements pursuant to Art. 28 GDPR. See our Data Processors page for details.
Supabase (Dublin, Ireland): database and file storage (processor)
Vercel (Dublin, Ireland): web hosting and edge functions (processor)
Upstash (Ireland): rate limiting via Redis (processor)
Institutional SSO provider (GÉANT, Netherlands): student verification (independent controller, not a processor within the meaning of Art. 28 GDPR)
Sentry (Frankfurt, Germany): crash reporting and error monitoring (processor). No personal data collected
Expo/EAS (US): mobile app builds, over-the-air updates, and distribution (processor). No personal data is collected; only app code and bundles are processed
9. International transfers
All your data is stored and processed within the European Economic Area (EEA). We do not transfer personal data to third countries or international organisations. The provisions on transfers (Art. 44 to 49 GDPR) therefore do not apply. All our infrastructure providers are based in Ireland, the Netherlands, or Germany. Note: Sentry's internal organisational metadata (developer accounts and project configurations, no end-user data) may be replicated to the US per Sentry's infrastructure. This does not affect end-user privacy as no user data is involved.
10. Data retention
We do not retain your data longer than necessary for the purposes for which it was collected, in accordance with the storage limitation principle (Art. 5(1)(e) GDPR):
Profile data, housing listings, and chat messages: retained as long as your account is active
Session IP addresses: anonymised after 30 days
Expired sessions: deleted after 90 days
Report message text: removed 90 days after resolution
Read notifications: deleted after 180 days
Consent record IP addresses: anonymised after 365 days
Account deletion: all data permanently removed via cascading deletes
11. Your rights
Under GDPR, you have the following rights with regard to your personal data. You can exercise these rights via Settings > Privacy, or by contacting privacy@openhospi.nl.
Right of access (Art. 15 GDPR): you have the right to obtain a copy of your personal data, via Settings > Privacy > Data export
Right to rectification (Art. 16 GDPR): you can have inaccurate or incomplete data corrected, via your profile
Right to erasure (Art. 17 GDPR): you can request erasure of your data, via Settings > Delete account
Right to restriction of processing (Art. 18 GDPR): you can request restriction of processing while retaining your data
Notification obligation (Art. 19 GDPR): we notify each recipient to whom personal data have been disclosed of any rectification, erasure, or restriction, unless this proves impossible or involves disproportionate effort
Right to data portability (Art. 20 GDPR): you can receive your data in a structured, commonly used and machine-readable format (JSON or CSV), via Settings > Privacy > Data export. The calendar subscription feed also provides data portability for hospi events in standard iCalendar (ICS) format
Right to object (Art. 21 GDPR): you can object to processing based on legitimate interests
12. Right to lodge a complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) pursuant to Art. 77 GDPR. You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence.
Autoriteit Persoonsgegevens: Postbus 93374, 2509 AJ Den Haag
We use a minimal set of cookies. Essential cookies (session authentication) are strictly necessary for the platform to function and do not require consent. Functional cookies (language preference, sidebar state) require your consent under Dutch telecommunications law (Telecommunicatiewet Art. 11.7a). We do not use tracking cookies or third-party advertising cookies. See our Cookie Policy for full details.
14. End-to-end encryption
All chat messages between students and room hosts are end-to-end encrypted (E2EE) using AES-256-GCM with ECDH key exchange, as an appropriate technical measure within the meaning of Art. 32 GDPR and in implementation of data protection by design (Art. 25 GDPR). This means OpenHospi cannot read the content of your private messages. Encryption keys are stored locally on your device and optionally backed up (encrypted) on our servers.
15. Personal data breaches
In the event of a personal data breach, OpenHospi will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay and in clear and plain language (Art. 34 GDPR). The end-to-end encryption of chat messages limits the impact of any breach on communication data, as the encryption renders the data unintelligible to unauthorised persons (Art. 34(3)(a) GDPR).
16. Children's data
OpenHospi is exclusively accessible via institutional SSO, which requires enrolment at an accredited Dutch educational institution. This means all users are students aged 16 or older, in accordance with Art. 5 UAVG (implementing Art. 8(1) GDPR, which allows member states to set the age threshold at a minimum of 16). We do not knowingly collect personal data from children under 16.
17. Automated individual decision-making
OpenHospi does not use automated individual decision-making, including profiling, as referred to in Art. 22 GDPR. Room matching is entirely manual: users browse listings and submit applications themselves. House members vote on applicants through a manual voting process. No algorithms determine who sees which rooms or who gets accepted.
18. Changes to this policy
We may update this privacy policy from time to time. Significant changes will be communicated via an in-app notification. The 'last updated' date at the top reflects the most recent revision.