Last updated: 19 April 2026
Quorum is a digital property management platform operated from Luxembourg. For each building managed through the platform, the syndicat des copropriétaires is the data controller under the GDPR, and the syndic acts on their behalf. Quorum operates as a data processor under Article 28 GDPR, processing personal data only on documented instructions from the controller via a Data Processing Agreement. We act as an independent controller only for a narrow set of platform-wide purposes (security monitoring, aggregate product analytics, billing for our SaaS subscription). For any privacy-related inquiry, contact hello@quorum.lu.
Account: name, email, avatar, preferred language, password hash. Membership: relationship type (owner, tenant, syndic, conseil syndical), unit reference, voting rights, building affiliation, approval status. Building content: announcements, issues (including images and attachments), comments, agenda items, votes, house rules, documents, phonebook entries. Financial records: charges, invoices, payments, split templates, SEPA mandate metadata. Usage data: sign-in timestamps, feature interactions, error traces for security and reliability.
Residents, conseil syndical, and the syndic see building content according to the platform’s role-based access rules (RBAC). Comments, issues, and votes display with the author’s name. The "personal" issue visibility mode restricts threads to the reporter and explicit recipients — the syndic does not see these; for data processed in this mode, Quorum acts as a processor on behalf of the reporter. When you close your account, your name is immediately replaced with "Deleted user" for every other resident. Your financial attribution history (charges paid, splits, invoices) remains visible to the syndic and the authorities for 10 years under Article 16 of the Luxembourg Code de commerce, which overrides the GDPR right to erasure for this specific data.
Article 6(1)(b) — performance of a contract, for operating the platform on behalf of your building. Article 6(1)(c) — legal obligation, for accounting and tax record retention. Article 6(1)(f) — legitimate interest, for security monitoring, AI features described below, and product improvement. For cookies that are not strictly necessary, we rely on consent (Article 6(1)(a)).
Quorum uses Mistral AI (Paris, EU-hosted) for: duplicate-issue detection (the title and description of a new issue are sent for semantic comparison), house-rules drafting and moderation (the rule text you write or paste), contact suggestions when reporting an issue (issue description only), and the Quorum Concierge support assistant (your question plus minimal building context). Mistral does not train its models on our requests. AI answers are informational only and do not constitute legal, financial, or professional advice. You can avoid AI processing by not using these features; their outputs are never stored as authoritative records.
Supabase (PostgreSQL database and authentication, EU region — Frankfurt). Vercel (application hosting and CDN, EU region — Frankfurt). Resend (transactional email delivery). Mistral AI (language models, Paris). All sub-processors are bound by GDPR-compliant data processing agreements. We do not sell, rent, or trade your personal data.
Account and building content: kept while your membership is active. Financial records (charges, splits, invoices, SEPA mandates): kept for 10 years from the end of the relevant financial year, as required by Article 16 of the Luxembourg Code de commerce. Deletion requests: personal identifiers are removed within 30 days of your request; your financial trail is anonymized (name replaced with "Deleted user") but retained for the statutory period. Backups: a maximum of 30 days before overwrite. Audit and sign-in logs: 12 months.
You have the right to access, rectify, request erasure (subject to the 10-year financial retention above), restrict, port, and object to processing. You can download a JSON export of your data at any time from Profile → Download your data (Articles 15 and 20). You can close your account from Profile → Close my account. Requests concerning data for which your syndicat is the controller (most building content) should be addressed to your syndic directly; we will support them in responding. You may also lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), Luxembourg’s data protection authority, at cnpd.lu.
Quorum provides digital tools around co-ownership processes, but does not replace the legal formalities required by the loi du 16 mai 1975 and its règlement grand-ducal du 13 juin 1975. Formal convocations, feuilles de présence, procès-verbaux, and legal notifications (mise en demeure, notification of a PV to an opposant, etc.) must follow the paper or legally accepted electronic form prescribed by law. A digital announcement or in-app notification is not a substitute for a legally required notification.
Strictly necessary: a session cookie to keep you signed in, and a language-preference cookie. Optional: Vercel Analytics measures aggregate, anonymous usage (page views and performance metrics) without cross-site tracking or behavioural profiling. A banner on first visit lets you decline optional analytics.
All traffic is encrypted in transit with current industry-standard TLS. Data at rest is encrypted by our hosting provider. Access to building data is scoped by Supabase Row Level Security policies, ensuring residents can only access data for buildings they are active members of. Privileged actions are audited.
We may update this Privacy Policy from time to time. For material changes we will provide at least 30 days’ notice via in-app notification or email. The "Last updated" date at the top of this page reflects the most recent revision.
For any question about this Privacy Policy or our data practices, contact hello@quorum.lu. For questions about data held by your building, contact your syndic.
See also: Data Processing Agreement · Terms of Use