Privacy Policy

Version 1.0 Effective: 2026-05-15 Updated: 2026-05-20

We take the protection of your personal data very seriously. This privacy policy explains the nature, scope, and purpose of how we process personal data on our platform.

1. Data Controller

Jordi Bofill Mombrú (individual, self-employed)

ID Number: 46134141M

34 Riera Fosca, 4th Floor, 08328 Alella, Spain

Email: info@smartlandlord.es

Data Protection Contact: privacidad@smartlandlord.es

The processing of personal data is carried out in accordance with the EU General Data Protection Regulation (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD). Depending on the purpose of the data processing, we rely on different legal bases:

  • Article 6(1)(a) of the GDPR: Consent of the data subject
  • Article 6(1)(b) of the GDPR: processing necessary for the performance of a contract
  • Article 6(1)(c) of the GDPR: processing for compliance with legal obligations
  • Article 6(1)(f) of the GDPR: Processing for the purposes of legitimate interests

3. Collection and storage of personal data

3.1 When visiting our website

  • IP address of the computer from which the connection is being made
  • Date and time of access
  • Name and URL of the file accessed
  • Website from which the access is made (referrer URL)
  • Browser used and, if applicable, the operating system

Requirement to provide data: This data is collected automatically and is technically necessary for the website to display properly. Without it, the website cannot load.

3.2 During registration and use

  • Name and email address
  • Password chosen (stored in encrypted form)
  • Platform usage data
  • Uploaded documents and entered property data
  • Contacting our support team

Required information: To register, you must provide your name, email address, and password. Without this information, you will not be able to use our service. Providing additional information about the property is optional and allows you to use the platform’s features.

4. Use of third-party services

4.1 Payment service providers

Stripe (payments)
  • Purpose: payment processing. Data processed: payment information, email address, billing address. Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)
  • Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
  • Data transfers to the U.S.: Stripe is certified under the EU-U.S. Privacy Shield Framework.
  • Privacy Policy: https://stripe.com/de/privacy
  • Subcontracting: A subcontracting agreement has been entered into with Stripe in accordance with Article 28 of the GDPR.

4.2 Web Hosting Providers

Strato (web hosting)
  • Purpose: Website and database hosting
  • Location: Germany
  • Data processed: all data on the website
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests)
  • Legitimate interest: Our legitimate interest lies in ensuring the secure, reliable, and professional operation of our website.
  • Data Processing Agreement: A data processing agreement has been entered into with Strato in accordance with Article 28 of the GDPR.
Microsoft Azure (database)
  • Subject: Database Hosting
  • Location: Germany/EU
  • Data processed: user data, real estate data
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests)
  • Legitimate interest: Our legitimate interest lies in maintaining a secure and scalable database infrastructure.
  • Data processing agreement: A data processing agreement in accordance with Article 28 of the GDPR is in place with Microsoft Azure.
  • Privacy Policy: https://www.microsoft.com/de-de/trust-center/privacy

4.3 Sending emails

Strato Email Service
  • Provider: Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
  • Purpose: sending transactional emails (registration, password reset, notifications)
  • Data processed: email address, name, email content.
  • Legal basis: Article 6(1)(b) of the GDPR (performance of a contract) or Article 6(1)(f) of the GDPR (legitimate interests).
  • Location: Germany
  • Data processing on behalf of a third party: Strato has a data processing agreement in accordance with Article 28 of the GDPR
Twilio (SMS notifications)
  • Provider: Twilio Inc., 101 Spear Street, San Francisco, CA 94105, USA
  • Purpose: Sending SMS notifications (e.g., two-factor authentication, important communications)
  • Data processed: phone number, SMS content, timestamp
  • Legal basis: Article 6(1)(b) of the GDPR (performance of a contract) or Article 6(1)(a) of the GDPR (consent for optional notifications)
  • Data transfers to the U.S.: Twilio is certified under the EU-U.S. Privacy Shield Framework and uses standard contractual clauses
  • Privacy Policy: https://www.twilio.com/legal/data-protection-addendum
  • Subcontracting: A subcontracting agreement with Twilio is in place in accordance with Article 28 of the GDPR.

4.4 Maps and Geographic Data

Google Maps API
  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Objective: to display the addresses you enter on a map
  • How it works: When you enter an address, it is only sent to Google Maps to display the map. No location tracking takes place.
  • Data processed: the addresses you have entered
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests in user-friendly presentation)
  • Data transfers to the U.S.: Google is certified under the EU-U.S. Privacy Shield Framework.
  • Privacy Policy: https://policies.google.com/privacy
Overpass API
  • Provider: Overpass API (an open-source project managed by FOSSGIS e.V., Germany, among others)
  • Purpose: To consult geographic data (points of interest, infrastructure, environmental characteristics) for location analysis and evaluation
  • Data processed: Queries (addresses/coordinates); requests are made from our platform’s server—no direct connection is established between your browser and the Overpass API
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests in a justified location analysis)
  • Location: Servers in the EU
  • Privacy Policy: https://wiki.openstreetmap.org/wiki/Privacy_Policy

4.5 Artificial Intelligence (AI Services)

OpenAI API
  • Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, U.S.
  • Purpose: AI-based functions (e.g., text generation, data analysis)
  • Data processed: the text and data you enter and authorize us to process
  • Legal basis: Article 6(1)(b) of the GDPR (performance of a contract) or Article 6(1)(f) of the GDPR (legitimate interests)
  • Data transfers to the U.S.: OpenAI uses standard contractual clauses for data transfers
  • Privacy Policy: https://openai.com/privacy
  • Subcontracting: A subcontracting agreement with OpenAI is in place in accordance with Article 28 of the GDPR
  • Important notice: OpenAI processes your data in accordance with its privacy policy. We recommend that you do not enter sensitive personal information into AI-powered features.
Perplexity AI
  • Supplier: Perplexity AI, Inc., U.S.
  • Objective: Research and data analysis using artificial intelligence
  • Data processed: search queries and text entered
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests)
  • Data transfers to the U.S.: Perplexity AI uses standard contractual clauses
  • Privacy Policy: https://www.perplexity.ai/privacy

4.6 Generating PDF Files

PDFShift
  • Supplier: PDFShift, France
  • Objective: Creating PDF documents from web content
  • Processed data: content converted to PDF
  • Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)
  • Location: EU (France)
  • Privacy Policy: https://pdfshift.io/privacy
  • Data processing agreement: A data processing agreement has been entered into with PDFShift in accordance with Article 28 of the GDPR

4.7 Analytics and Marketing

Google Analytics
  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Objective: To analyze user behavior in order to improve our website
  • Data processed: IP address (anonymized), page views, time spent on the site, device information, browser type, approximate location
  • Legal basis: Article 6(1)(a) of the GDPR (consent via the cookie banner)
  • Cookie duration: up to 2 years; Google is certified under the EU-U.S. Privacy Shield Framework.
  • Privacy Policy: https://policies.google.com/privacy
  • Objection: You can prevent Google Analytics from collecting data in the following ways: - By rejecting cookies in the cookie banner -
  • Browser extension: https://tools.google.com/dlpage/gaoptout
  • Data processing on behalf of a third party: There is a data processing agreement with Google in accordance with Article 28 of the GDPR
Google Tag Manager
  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Purpose: Website tag management (technical implementation of analytics and marketing tools)
  • Data processed: IP address, browser information.
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests in the efficient management of tags).
  • Note: Tag Manager does not collect personal data on its own, but it allows you to load other services (such as Google Analytics), which are already listed separately
  • Privacy Policy: https://policies.google.com/privacy
LinkedIn Insight Tag
  • Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
  • Purpose: conversion tracking, remarketing, and target audience analysis for LinkedIn advertising
  • Data processed: IP address, browser information, page views, LinkedIn profile ID (if logged in)
  • Legal basis: Article 6(1)(a) of the GDPR (consent via the cookie banner)
  • Cookie duration: up to 180 days
  • Data transfers to the U.S.: LinkedIn uses standard contractual clauses
  • Privacy Policy: https://www.linkedin.com/legal/privacy-policy
  • Opt-out: Click "Reject" on the cookie banner or in your LinkedIn settings under the "Privacy" section

4.8 Cloudflare (security and CDN)

Cloudflare
  • Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
  • Objective: Content Delivery Network (CDN) to reduce load times; protection against DDoS attacks and web application firewalls; performance monitoring (Cloudflare Insights)
  • Data processed: IP address, browser information, requested URLs, access times
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests regarding security and performance)
  • Data transfers to the U.S.: Cloudflare is certified under the EU-U.S. Privacy Shield Framework.
  • Privacy Policy: https://www.cloudflare.com/cloudflare-customer-dpa/
  • Data Processing Agreement: A data processing agreement has been entered into with Cloudflare in accordance with Article 28 of the GDPR. Retention Period: Log data is deleted after 24 hours.

4.9 Content Delivery Networks (CDN)

External CDNs (cdnjs.cloudflare.com, cdn.jsdelivr.net, unpkg.com)
  • Objective: Rapid implementation of JavaScript libraries and frameworks
  • Data processed: IP address when loading resources
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests regarding performance and loading times)
  • Note: These CDNs only serve static files (JavaScript, CSS) and do not track users.

4.10 Ratings and Trust

Trustpilot
  • Provider: Trustpilot A/S, Pilestræde 58, 5th floor, 1112 Copenhagen, Denmark
  • Objective: to showcase customer reviews to build trust
  • Data processed: IP address when loading the Trustpilot widget
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests regarding transparency and building trust)
  • Location: EU (Denmark)
  • Privacy Policy: https://legal.trustpilot.com/end-user-privacy-terms
  • Note: If you leave a review, Trustpilot’s separate privacy policy will apply.

4.11 Own Infrastructure

Azure Blob Storage
  • Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
  • Purpose: storage of uploaded files and documents
  • Data processed: uploaded documents, images, PDF files
  • Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)
  • Location: EU (Germany)
  • Data processing agreement: A data processing agreement is in place with Microsoft Azure in accordance with Article 28 of the GDPR
  • Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
SmartLandlord CDN (cdn.smartlandlord.de)
  • Purpose: Delivery of static content (images, CSS, JavaScript)
  • Data processed: IP address when loading resources
  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interests in performance)
  • Location: Germany/EU
  • Name: SmartLandlord LTD (an independent company within the group; not the data controller as defined in paragraph 1)
  • Subcontracting: A subcontracting agreement has been entered into with SmartLandlord LTD in accordance with Article 28 of the GDPR

5.1 Technically necessary cookies

These cookies are necessary for the website to function:

  • Session cookies for your login
  • Security cookies (CSRF protection)
  • Storing cookie consent

Legal basis: Article 6(1)(f) of the GDPR (legitimate interest in technical operation)

Storage duration: session cookies are deleted at the end of the session; persistent cookies are deleted after 30 days

5.2 Analytics and Marketing Cookies

The following services use cookies that require your consent:

  • Google Analytics (see section 4.8)
  • LinkedIn Insight tag (see 4.8)

Legal basis: Article 6(1)(a) of the GDPR (consent) in conjunction with Article 22(2) of the LSSI-CE (Law 34/2002), provided via the cookie banner and in accordance with the AEPD’s Cookie Guidelines.

You can withdraw your consent at any time through our cookie settings or delete/block cookies in your browser.

The first time you visit our website, a cookie banner will appear where you can set your preferences. You can change your settings at any time by:

  • Cookie settings in the footer of our website
  • Browser settings (varies by browser)

Note: Blocking certain cookies may affect the website's functionality.

Technical security measures
  • SSL encryption: All data transmissions are encrypted
  • Password security: All passwords are stored in hashed form
  • Access Control: Strict Authorization Policies
  • Regular updates: all systems are kept up to date

6. Retention period

  • User data: This data is stored until your account is deleted; it is then completely deleted within 30 days.
  • Payment information: We don't store it; only Stripe does
  • Log files: These are automatically deleted after 30 days.
  • Communication with customer support: retained for 2 years after completion
  • Relevant data for the contract: To the extent that there are retention obligations under Spanish commercial or tax law, we retain the data for up to 6 years (Art. 30 of the Commercial Code) or 4 years for tax purposes (Art. 66 of the General Tax Law).

7. Your rights as a data subject

  • Right of access (Article 15 of the GDPR)
  • Right to rectification (Article 16 of the GDPR)
  • Right to erasure (Article 17 of the GDPR)
  • Right to restriction of processing (Article 18 of the GDPR)
  • Right to data portability (Article 20 of the GDPR)
  • Right to object (Art. 21 of the GDPR)
  • Right to withdraw consent (Article 7(3) of the GDPR)

Withdrawal of consent: If the processing is based on your consent (e.g., Google Analytics, LinkedIn Insight Tag), you may withdraw your consent at any time without this affecting the lawfulness of the processing carried out prior to the withdrawal.

Data Protection Contact

For questions regarding data protection or the exercise of your rights, please contact: privacidad@smartlandlord.es

Response within 30 days.

Note: We have not appointed a Data Protection Officer (DPO), nor are we required to do so, as the conditions set forth in Article 37 of the GDPR and Article 34 of the LOPDGDD do not apply.

Individual automated decisions (Art. 22 GDPR)

No automated individual decisions with legal consequences are made. The AI-based analyses, assessments, and recommendations provided by our platform (e.g., ImmoCheck) are for informational purposes only and do not replace the user’s independent judgment or professional advice.

8. Right to lodge a complaint with the supervisory authority

Right to file a claim

You have the right to file a complaint with the Spanish Data Protection Agency (AEPD) if you believe that the processing of your personal data violates applicable regulations.

Spanish Data Protection Agency (AEPD)

6 Jorge Juan Street

28001 Madrid, Spain

Phone: +34 901 100 099 / +34 912 663 517

Website: https://sedeagpd.gob.es

Website: https://www.aepd.es

9. Updates and Changes to This Privacy Policy

Current version of this privacy policy

Last updated: May 2026