Privacy Policy
This document is available in English only. Dutch and French translations are coming soon.
Who we are
Hemma is a construction administration service for Belgian DIY homeowners. We help you organise documents, track budgets, manage contractors, and stay on top of your build.
Hemma is currently in early access and is offered to a limited group of invited users. We are based in Belgium. Belgian and EU law applies to our processing of your personal data.
What data we collect and why
Account data
When you create an account, we collect your first name, last name, and email address. We use this to identify you, send you emails related to your account (magic links, invitations), and address you by name in the product.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Project data
Everything you add to Hemma about your project — documents, budget lines, contractor information, calendar events, messages — is stored and processed to provide the service.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Documents you upload
When you upload invoices, quotes, permits, plans, or photos, we store the file and process it with AI to extract structured information (amounts, dates, VAT numbers, contractor details). You can see exactly what was extracted and correct it at any time.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Contractor data
When we detect contractor details such as a VAT number in your documents, we may query the official Belgian KBO (Crossroads Bank for Enterprises) and EU VIES systems to retrieve registration and validation data. Hemma may compare that official data with information extracted from your documents to generate warning signals where there is a mismatch or where a VAT number cannot be validated. This data comes from public registers — we do not create it. Hemma does not certify or positively approve contractors.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — helping you verify the contractors you work with
Usage data and analytics
We collect usage data through two separate systems. We describe them here so you understand what is collected, how it is linked, and what legal basis applies.
Internal product telemetry
Hemma records product events in our own database — such as which features are used, document processing outcomes, integration activity, and per-account cost metrics. These events are linked to your account and are used for service operation, debugging, cost monitoring, and product improvement.
This data is stored in our own infrastructure (Supabase, EU). It does not leave our systems and is not shared with third parties.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — operating and improving the service
PostHog product analytics (optional)
If you opt in via your account settings, we use PostHog (EU cloud, Frankfurt) to collect behavioural analytics — such as navigation patterns, feature engagement, and session flow.
PostHog analytics uses your user ID (not your name or email address) to link events to your account. This makes the data pseudonymous: it is not directly identified by your name or email in PostHog, but it can be linked back to your account through your user ID.
PostHog analytics data is not used for advertising, is not shared with third parties for marketing, and is not used to train AI models.
PostHog analytics is only active when you opt in, for example when prompted on first login or later via your account settings. You can disable it at any time from your account settings. When you disable it, PostHog stops collecting data from your account.
Legal basis: Consent (Art. 6(1)(a) GDPR) — PostHog analytics is only active when you opt in
Public website analytics
On the public website (before login), we record basic usage events (page views, button clicks) server-side in our own database in aggregate form. These events are not intended to identify individual visitors. The public site does not use third-party analytics tools, advertising cookies, or tracking scripts, but may use limited browser local storage for language preference and a pseudonymous session identifier used for funnel measurement (see our Cookie Policy for details).
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — understanding how the public website is used
Technical data
We collect server logs, error reports, and performance data to keep the service running and debug problems. These logs may contain IP addresses and request metadata but are retained for a limited time and are not used for profiling or analytics purposes.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
AI processing — transparency notice
Hemma uses artificial intelligence to process your documents. We want to be completely transparent about this.
What AI does:
- Reads uploaded documents and extracts structured data (amounts, dates, names, VAT numbers)
- Classifies documents by type (invoice, quote, permit, etc.)
- Compares extractions from two independent AI systems to catch errors
- Identifies contractor information and suggests matches
Which AI providers we use:
- Anthropic Claude — document extraction and analysis
- OpenAI GPT — document extraction and analysis (used in parallel with Claude for financial documents)
Both providers process document content on our behalf under data processing agreements. Document content sent to their APIs is not used to train their models.
What AI does not do:
- Make final decisions — all AI outputs are suggestions you can review and override
- Access your data beyond what you explicitly upload
- Learn from your data or share it with other Hemma users
Your rights regarding AI: You can always see exactly what the AI extracted from any document. You can correct, override, or delete any AI output. If you disagree with an AI result, your correction is final.
Hemma is designed so that AI processing is always visible to you, results are reviewable before you rely on them, and you can correct or override any AI output at any time. Hemma does not make solely automated decisions that produce legal effects or similarly significant effects for you. We monitor developments in AI regulation, including the EU AI Act, and will adapt our practices as requirements become clearer.
Who we share data with
We do not sell your data. We do not share your data with advertisers.
We share data only with the following service providers, all under data processing agreements where applicable:
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase | Database and file storage | EU | — |
| Anthropic | AI document extraction | US | SCCs + supplementary safeguards |
| OpenAI | AI document extraction | US | SCCs + supplementary safeguards |
| Resend | Email delivery | EU processing | — |
| Vercel | Application hosting | EU primarily | SCCs where data transits US |
| PostHog | Product analytics (opt-in) | EU (Frankfurt) | — |
| cbeapi.be | Belgian KBO lookups | Belgium | — |
| EC VIES | VAT validation | EU | — |
| Dropbox | File storage integration configured by user | US | SCCs + supplementary safeguards |
| Microsoft OneDrive | File storage integration configured by user | US/EU | SCCs where data transits US |
When we use providers outside the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary safeguards where relevant, as our transfer mechanism.
This list reflects our current production setup. If we add new providers, we will update this policy.
Third-party integrations
Hemma allows you to connect external services to your project. The integrations currently available are:
- Google Calendar — to sync project events
- Google Drive — to link project files
- Dropbox — to link project files
- Microsoft OneDrive — to link project files
For each integration you connect, we store encrypted OAuth tokens to access the service on your behalf. We request only the specific scopes you approve.
We use these integrations to operate the specific functionality you configure — for example, syncing a project calendar or accessing files you select. In practice, this may involve listing available calendars, folders, or files so you can choose the relevant ones, and then reading or writing the specific items you direct us to. We do not scan or index the general contents of your connected account beyond what is needed to present selection options and operate the integration you configured.
You can disconnect any integration at any time from your settings. When you disconnect, we delete or invalidate the stored tokens promptly in our live system. Tokens may persist briefly in automated backups or system logs, subject to our standard retention periods described below.
How long we keep your data
| Data type | Retention |
|---|---|
| Account and project data | Until you delete your account |
| Uploaded documents | Until you delete them or your account |
| Internal product telemetry | 12 months |
| PostHog analytics | 12 months |
| Server logs | 30 days |
| OAuth tokens | Until you disconnect (deleted promptly) |
When you delete your account, we delete your personal data from our live systems within 30 days. Residual copies may persist in encrypted backups for up to an additional 30 days, after which they are overwritten or purged.
Shared projects: If you are part of a shared project, your contributions to that project may remain visible to other project members after you leave or delete your account.
Your rights under GDPR
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your account and all associated data
- Portability — export your data in a machine-readable format
- Restriction — ask us to pause processing while a dispute is resolved
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time via your account settings
To exercise any of these rights, email thomas@gethemma.app. We will respond within 30 days.
If you believe we have mishandled your data, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): gegevensbeschermingsautoriteit.be
Cookies and tracking
See our Cookie Policy for full details.
In short: we use essential session cookies for authentication (required), and PostHog analytics cookies (optional, opt-in via your account settings). We do not use advertising cookies. The public website uses limited local storage for language preference and funnel measurement but does not use third-party analytics or advertising cookies.
Children
Hemma is not intended for use by anyone under 18. We do not knowingly collect data from minors.
Changes to this policy
If we make material changes to this policy, we will notify you by email and update the "Last updated" date above.
Contact
Thomas Hendrickx
thomas@gethemma.app
gethemma.app