Privacy and GDPR at modeiland: Built-In, Not Bolted On
Cüneyt Kaya
·
Jun 22, 2026
·
2 min read
Privacy as a Design Principle
At modeiland, data privacy isn't a legal afterthought — it was built into the architecture from day one. The guiding question: does collecting this data actually serve the user? If not, it isn't collected.
GDPR Compliance in Practice
- Consent log: Every privacy consent is recorded with a timestamp, IP hash, and context — immutably and anonymously. This makes it verifiable if ever needed, without retaining personally identifiable data.
- Account deletion: Users can delete their account at any time. When they do, personal data is replaced with anonymised placeholders. System integrity is preserved; real data is not.
- No third-party tracking: modeiland uses no advertising trackers, social media pixels, or analytics cookies from external providers. The only third-party payment service is Stripe, which is GDPR-compliant and EU-available.
- Photo approval: Landlord photos are reviewed before upload to Cloudflare Images, ensuring no unwanted content reaches the CDN.
Payment Data: What modeiland Never Sees
Credit card numbers and payment details are processed exclusively by Stripe on their hosted checkout pages. modeiland servers never receive or store payment information. This is both best practice and a legal requirement under PCI-DSS and GDPR.
Where Data Is Stored
The modeiland database runs on a German Hostinger server using SQLite in WAL mode. There is no external database server — which reduces the attack surface and keeps the infrastructure simple and auditable.
Privacy at modeiland is a technical commitment, not a marketing claim.
Share this post