Privacy Policy
Version 1.0 — Last updated: May 2026
1. Who We Are
itemzz.io is operated by:
itemsnest GmbH
Berlin, Germany
VAT: DE348793078
privacy@itemzz.io
itemsnest GmbH is the data controller responsible for your personal data processed through itemzz.io.
2. What Data We Collect
Account data
When you register, we collect your email address and display name. Optionally you may upload a profile photo.
Board and home data
All data you enter into itemzz is stored on your behalf: items, spaces, rooms, corners, containers, folders, members, contacts, brands, contracts, tags, events, finances, budgets, and home profile details including address and property information.
Uploaded files
Photos, documents, and other files you upload to itemzz are stored in our file storage system.
Usage data
We log actions within the application (events, activity) to provide the service. We do not use third-party analytics tools.
Payment data
When you subscribe to a paid plan, payment is processed by our payment provider (Mollie B.V.). We do not store payment card details. Only subscription status and plan level are stored by us.
Consent records
We record when you accepted our Terms of Service and Privacy Policy, including version, timestamp, and IP address.
Technical data
Standard server logs, including IP address and browser type, are retained for security purposes only.
3. Why We Collect It and Legal Basis
Providing the itemzz service:
Legal basis: Art. 6(1)(b) — performance of contract
Storing your home and financial data:
Legal basis: Art. 6(1)(b) — performance of contract
Processing payments:
Legal basis: Art. 6(1)(b) — performance of contract
Sending transactional emails:
Legal basis: Art. 6(1)(b) — performance of contract
Security and fraud prevention:
Legal basis: Art. 6(1)(f) — legitimate interest
Improving the service:
Legal basis: Art. 6(1)(f) — legitimate interest
Marketing communications:
Legal basis: Art. 6(1)(a) — consent (opt-in only)
Recording your consent:
Legal basis: Art. 6(1)(c) — legal obligation
4. Where Your Data Is Stored
Your data is stored with the following sub-processors, all operating within the European Union:
Supabase (database, authentication, file storage)
Region: West EU — Ireland (eu-west-1)
Data never leaves the EU. Supabase operates under a Data Processing Agreement (DPA) compliant with GDPR.
supabase.com/privacy
Mollie B.V. (payment processing)
Headquarters: Amsterdam, Netherlands
Subject to Mollie's own privacy policy and PCI DSS compliance.
mollie.com/privacy
We do not transfer your personal data outside the European Economic Area.
5. How Long We Keep Your Data
Account and board data:
Retained until account deletion.
Uploaded files:
Retained until deleted by the user or until account deletion.
Payment records:
Retained for 10 years (German commercial law — HGB §257).
Server logs:
Retained for 30 days.
Exported data files:
Available for 7 days after export generation.
Consent records:
Retained for the duration of your account plus 3 years.
After account deletion, all personal data is purged within 30 days. Anonymised aggregate data may be retained.
6. Your Rights Under GDPR
Art. 15 — Right of access
You can request a copy of all data we hold about you.
Art. 16 — Right to rectification
You can correct inaccurate data directly in your account settings or by contacting us.
Art. 17 — Right to erasure
You can delete your account at any time in Account Settings → Danger Zone. All your data will be permanently deleted within 30 days.
Art. 18 — Right to restriction
You may request that we restrict processing of your data in certain circumstances.
Art. 20 — Right to data portability
You can export all your data as a JSON file at any time in Account Settings → Your Data.
Art. 21 — Right to object
You may object to processing based on legitimate interest, including direct marketing.
Art. 7(3) — Right to withdraw consent
Where processing is based on consent (e.g. marketing emails), you may withdraw at any time without affecting prior processing.
To exercise any right, contact us at: privacy@itemzz.io
We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
datenschutz-berlin.de
7. Third-Party Services
Supabase
Purpose: Database, authentication, file storage
Data shared: All user data
Privacy: supabase.com/privacy
Mollie B.V.
Purpose: Payment processing
Data shared: Name, email, payment data
Privacy: mollie.com/privacy
Unsplash
Purpose: Product placeholder images
Data shared: No personal data
Privacy: unsplash.com/privacy
ICECAT
Purpose: Product data lookup
Data shared: No personal data
Privacy: icecat.biz/privacy
Klarna Open Banking (planned)
Purpose: Bank account connection
Data shared: Bank account data — only with your explicit consent via a separate consent flow
Privacy: klarna.com/privacy
9. Data Security
We implement appropriate technical and organisational measures including:
- Row-level security (RLS) on all database tables
- Encrypted connections (TLS) for all data in transit
- Encrypted storage for all data at rest
- Access controls limiting data to the account owner
- Regular security reviews
10. Children
itemzz.io is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@itemzz.io and we will delete it promptly.
11. Changes to This Policy
We will notify you by email and display a notice in the app when this policy changes materially. Continued use of itemzz.io after changes constitutes acceptance of the updated policy. The version number and date at the top of this document indicate the current version.
12. Contact
itemsnest GmbH
Berlin, Germany
VAT: DE348793078
privacy@itemzz.io