Realty Invest AF

Privacy Policy

Last updated: [DATE_MISE_A_JOUR]

1. Data Controller

The data controller for personal data collected on this website is: Realty Invest Registered office: [ADRESSE_SIEGE] Email: [EMAIL_CONTACT] Tax identification number: [NIF]

2. Data Collected

We collect and process the following categories of personal data in connection with your use of our platform:

  • Account data — email address, full name (optional), encrypted password, user role (individual or professional), registration date.
  • Listing data — descriptions, prices, property addresses and locations, photographs, property features, publication status.
  • Contact data (leads) — name, email, phone number (optional), message sent via the contact form, anonymised IP address.
  • Alert data — saved search criteria (property type, price range, location), notification frequency.

3. Legal Basis for Processing

The processing of your data is based on the following legal grounds, in accordance with the General Data Protection Regulation (GDPR) and Cape Verdean Law No. 133/V/2001 on the protection of personal data: • Performance of a contract (GDPR Art. 6(1)(b)) — processing necessary for managing your account, publishing listings and connecting users. • Consent (GDPR Art. 6(1)(a), Law No. 133/V/2001 Art. 6) — subscribing to email alerts and non-essential cookies. • Legitimate interest (GDPR Art. 6(1)(f)) — platform improvement, fraud prevention, anonymised usage statistics. • Legal obligation (GDPR Art. 6(1)(c), Law No. 133/V/2001 Art. 7) — data retention required by tax or judicial regulations.

4. Purpose of Processing

Your personal data is processed for the following purposes: • Creation and management of your user account. • Publication, moderation and display of property listings. • Connecting property owners/agents with potential buyers/tenants via the contact form. • Sending email alerts based on your saved search criteria. • Displaying property locations on maps via the Mapbox service. • Sending transactional emails (registration confirmation, lead notifications). • Internal statistics and platform improvement.

5. Data Recipients

Your personal data may be shared with the following processors, strictly within the scope of the purposes described above:

  • Supabase Inc. (United States) — hosting, authentication, database. SOC 2 Type II certified.
  • Resend Inc. (United States) — transactional email delivery (confirmations, lead notifications, alerts).
  • Mapbox Inc. (United States) — map display and property geolocation.
  • Paddle.com Market Ltd (United Kingdom) — payment and subscription processing, checkout management, fraud detection.

6. International Data Transfers

Some of our processors are located in the United States. These transfers are governed by: • Standard Contractual Clauses (SCCs) approved by the European Commission. • Security guarantees specific to each provider (SOC 2 certifications, data encryption). In accordance with Law No. 133/V/2001 Art. 19-20, transfers to third countries are only carried out where adequate protection safeguards are ensured.

7. Data Retention

• Account data — retained as long as the account is active. Upon account deletion, data is erased within 30 days, unless legally required to be retained. • Listing data — expired listings are archived after 60 days and deleted within 6 months. • Lead data — retained for 12 months after the last contact, then anonymised. • Alert data — retained as long as the alert is active. Deleted immediately upon request. • Security logs — retained for 12 months.

8. Your Rights

In accordance with the GDPR and Law No. 133/V/2001, you have the following rights regarding your personal data:

• Right of access — obtain a copy of your personal data. • Right to rectification — correct inaccurate or incomplete data. • Right to erasure — request the deletion of your data. • Right to data portability — receive your data in a structured, machine-readable format. • Right to object — object to processing based on legitimate interest. • Right to restriction — request the restriction of processing in certain cases. • Right to withdraw consent (GDPR Art. 7(3)) — withdraw your consent to non-essential cookies (maps, payments, analytics) at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, contact us at [EMAIL_DPO]. We will respond within 30 days. You also have the right to lodge a complaint with: • The CNPD (Comissão Nacional de Protecção de Dados) in Cape Verde. • The CNIL (Commission Nationale de l'Informatique et des Libertés) in France. • Any competent supervisory authority in your country of residence.

9. Cookies and Tracking Technologies

Our website uses two categories of cookies and similar technologies. Strictly necessary cookies (no consent required): • Authentication cookies — maintaining your login session (Supabase Auth). • Preference cookies — saving your language and display settings. • Storage of your consent choice (the "ri_consent" key in your browser's local storage). Third-party cookies and services subject to your consent: • Maps (Mapbox) — property map display and address geocoding search. Enabled only after you opt in. • Payments (Paddle) — checkout initialisation and fraud detection during subscription purchases. Enabled only after you opt in. • Analytics — no third-party analytics solution is currently active. Should we introduce one, your consent will be requested again and this policy will be updated. Managing your consent: • On your first visit, a banner lets you accept or reject all non-essential cookies. • You can withdraw your consent at any time by clearing the "ri_consent" key in your browser's local storage (Settings → Privacy → Site data). • Each disabled service displays a placeholder allowing you to re-enable that specific feature.

10. Data Security

We implement the following security measures to protect your data: • TLS encryption (HTTPS) for all communications between your browser and our servers. • Passwords stored as secure hashes (bcrypt) — never in plain text. • Restricted data access based on the principle of least privilege (Row Level Security). • Infrastructure hosted on Supabase, SOC 2 Type II certified. • Lead IP addresses anonymised via irreversible hashing.

11. Changes to This Policy

We reserve the right to modify this privacy policy at any time. In the event of a substantial change, we will notify you by: • An email sent to the address associated with your account. • A notice banner displayed on the platform. The last updated date at the top of this page shall prevail. Your continued use of the platform after a change constitutes acceptance of the updated policy.

12. Contact and Data Protection Officer

For any questions regarding the protection of your personal data or to exercise your rights, you may contact us: Data Protection Officer (DPO): [NOM_DPO] Email: [EMAIL_DPO] Postal address: [ADRESSE_SIEGE] We are committed to processing your request as promptly as possible and no later than 30 days after receipt.