GDPR Art. 22
No fully automated individual decisions about people. Letting decisions rest solely with you.
Compliant with Article 22 of the General Data Protection Regulation (GDPR Art. 22). EU storage, EU LLM, end-to-end encrypted.
Compliance is the legal foundation. Tech is the implementation. The two have to fit together.
Compliance
No fully automated individual decisions about people. Letting decisions rest solely with you.
Following the three-phase model of the German data protection conference (DSK) from 2024: applicant data is processed in three clearly separated phases. Proof of income only after the viewing, ID copy only before the contract.
Database and backups in the EU. A few services (app hosting Vercel, WhatsApp/briefing assistant Anthropic, analytics PostHog) are located in the US, secured via EU standard contractual clauses.
No AI scores, no ranking, no personality assessment. Rule-based hard-facts checks against your criteria.
Tech
All applicant communication and every transferred document is encrypted. TLS 1.3 in transit, AES-256 at rest.
An EU language model (Mistral, Paris) processes the sensitive applicant data: applicant dialogue, document extraction, classification. No training on your data.
A single criteria helper in the backend checks your hard facts (met / not met). The applicant database has no scoring columns at all — there is no field an automated score could be written to.
Applicants see you as the landlord, not “Locari” as a third party. No mention of the platform in the applicant process, no data passed on to marketing.
What the law requires, we meet today.
Self-commitment documented, code architecture auditable, data-protection practice open in detail.
Legally required. Active today.
EU region as the default. Active today.
Four paths, each documented. No hidden processors — the full list is in the Trust Center; US services are secured via EU standard contractual clauses.
| From | To | Safeguard |
|---|---|---|
| Applicant | Locari (WhatsApp / email) | |
| Locari | Landlord (WhatsApp) | |
| Locari | ImmoScout24 · Kleinanzeigen | |
| Locari backend | EU storage · Mistral LLM |
No SCHUFA API and no automatic guarantor verification: the applicant brings their own credit report, Locari stores and displays it — without rating it.
Sensitive applicant data is stored in the EU (EU-certified data centres) and processed by an EU language model (Mistral). A few services — app hosting/CDN (Vercel), the landlord assistant (Anthropic) and analytics (PostHog) — are located in the US and are secured via EU standard contractual clauses (SCC).
Yes. Locari follows GDPR Art. 22 (no fully automated individual decisions about people) and the 2024 DSK three-phase model for applicant data. Letting decisions rest solely with the landlord. The architecture enforces this, not just the terms.
The sensitive applicant data — applicant dialogue, document extraction, classification — is processed by Mistral, hosted in the EU. The landlord assistant (e.g. viewing briefings) additionally uses Claude (Anthropic) via the Vercel AI Gateway; applicant master data (e.g. income, credit indicators) is processed in doing so. No training on applicant data. The full list of services is in the Trust Center.
Applicants can request deletion at any time via chat or email — Locari then immediately erases everything, leaving nothing behind: every email, the AI chat history, open tasks. Without such a request, the data of applicants who weren’t chosen is deleted automatically after the letting ends, as soon as it’s no longer needed. The exact period is set out in the privacy policy. Chosen applicants’ data moves into the tenancy context and follows the retention periods that apply there.
Locari detects an access request under Art. 15 GDPR in every application status — even after rejection or withdrawal. The landlord gets a todo with the statutory one-month deadline; Locari compiles the complete report from the stored data (without AI, word for word from the database), and the landlord confirms delivery with one click. The report is delivered exclusively to the address the applicant communicates from. Deletion is just as simple: a single reply is enough.
No ML scores, no personality assessment, no ranking. Locari checks your self-defined hard facts on a rule basis (number of people, income multiple, pets) — the result is met or not met, not a score. More on the anti-profiling architecture.
A largely EU stack: EU storage, EU database region, EU operations team and an EU language model (Mistral) for directly processing sensitive applicant data. A few services — such as Vercel and Anthropic for the landlord assistant as well as WhatsApp — are located in the US and are secured via EU standard contractual clauses (SCC). You’ll find the full list of processors in the Trust Center.
At Locari, GDPR, EU storage and anti-profiling are anchored in the code — not hidden in the terms.