Zum Hauptinhalt springen
CASABROVA Legal

Version v2.5 · Document set v2.5 · DPA_AMENDMENT_v2.5_US_DELAWARE_2026_06_24_EN.md

sha256:63b716721d67a45e21cb90362b73dd1f8d82f40163bf82b3225267fa1fa54231

The English version is authoritative; a localized translation is being prepared.

CASABROVA Data Processing Addendum - v2.5 US/Delaware

Version: v2.5 Date: 2026-06-24 This Data Processing Addendum (the "DPA") forms part of the Advertiser Agreement between the Operator and the Advertiser. It applies before any Advertiser receives identifying User Inquiry data.

1. Parties, Scope and Precedence

1.1 Parties

"Operator" means Yehonatan Yanay, acting personally as interim operator of the Service, and any permitted successor that assumes the Service by notice. "Advertiser" means the business or professional accepting the Advertiser Agreement.

1.2 Scope

This DPA governs the Advertiser's processing of personal data relating to Users and User Inquiries made available through the Service, including pseudonymized Inquiry data, mediated communications and data released after User Release.

1.3 Binding time

The Advertiser accepts this DPA at onboarding. A current DPA and current compliance attestation are conditions to receiving identifying User Inquiry data. No separate per-lead undertaking is required.

1.4 Precedence

On personal-data-processing matters, this DPA controls over the Advertiser Agreement. The Advertiser Agreement controls on commercial matters. Nothing in this DPA reduces any User right under the Privacy Policy, Terms of Use or applicable law.

2. Roles

2.1 Operator role

The Operator is controller of personal data collected through the Service and determines the purposes and means of collection, consent, routing, pseudonymization, User Release, audit records and platform compliance gates.

2.2 Advertiser pre-release role

Before User Release, the Operator shares only pseudonymized, non-identifying signals (coarse Inquiry traits) through the Service's mediated layer. The Advertiser receives no identifying personal data at this stage and is not an independent controller of the User's identity; it may use those signals only to decide whether to engage and to communicate through the Mediated Inbox, on the Operator's documented instructions. The Advertiser becomes an independent controller only after User Release (Section 2.3).

2.3 Advertiser post-release role

After User Release, the Advertiser becomes an independent controller of the released data for the limited purpose of responding to and pursuing that specific Inquiry in the consented Recipient Category. The Advertiser remains contractually bound by this DPA for confidentiality, security, purpose limitation, DSAR cooperation, deletion/return, breach notice, audit and transfer obligations.

2.4 No joint control by default

The parties do not intend to be joint controllers unless a specific signed schedule says otherwise.

3. Permitted Processing

The Advertiser may process User Inquiry data only to:

  • review and respond to the specific Inquiry;
  • correspond with the User through the Mediated Inbox before User Release;
  • pursue the specific introduced opportunity after User Release;
  • comply with legal, accounting, regulatory, dispute or security obligations directly connected to that Inquiry; and
  • perform obligations under the Advertiser Agreement and this DPA.

The Advertiser must not use User Inquiry data for unrelated marketing, list building, profiling, enrichment, resale, syndication, brokerage, onward disclosure or any other purpose without a separate lawful basis obtained directly from the User and permitted by the Advertiser Agreement.

4. Pseudonymized Phase and User Release

Before User Release, the Advertiser must not attempt to identify, contact, enrich, match, scrape, infer or re-identify the User outside the Service.

User identity and contact details may be received only after that User affirmatively releases those details to that specific Advertiser for that specific Inquiry. A release to one Advertiser does not authorize disclosure to another Advertiser.

The identity-gated release mechanism is marked Patent Pending - U.S. Provisional App. No. 64/090,634.

5. Confidentiality and Security

The Advertiser must:

  • protect User Inquiry data with appropriate technical and organizational measures;
  • limit access to personnel with a need to know;
  • bind personnel to confidentiality by contract, policy or professional duty;
  • maintain access controls, secure credentials and reasonable logging;
  • protect data during storage and transmission;
  • maintain malware, phishing and account-takeover protections appropriate to its size and risk;
  • keep released data separate from unrelated marketing databases unless the User independently consents; and
  • promptly patch or mitigate vulnerabilities that materially affect User Inquiry data.

6. Subprocessors and Advisers

The Advertiser may use subprocessors, professional advisers or service providers only where they are needed for the permitted purpose, are bound by written confidentiality and data-protection terms no less protective than this DPA, and are not used to expand the purpose.

The Advertiser remains responsible for its subprocessors and must maintain a current subprocessor list in its own records or onboarding profile. If no subprocessor is listed, none is pre-authorized beyond ordinary secure business infrastructure and professional advisers needed for the specific Inquiry.

The Operator may object on reasonable data-protection grounds. If the objection is not resolved, the Operator may suspend Inquiry access.

7. International Transfers

The Advertiser must not transfer User Inquiry data across borders unless a valid transfer basis exists under applicable law.

Where EU/EEA personal data is transferred to a country without an applicable adequacy mechanism, the parties must use the EU Standard Contractual Clauses in the appropriate module before the restricted transfer occurs. Where UK personal data is transferred in a restricted transfer, the parties must use the UK International Data Transfer Agreement or UK Addendum where required. Equivalent safeguards must be used where other transfer rules apply.

Execution or platform acceptance of the applicable transfer terms is a condition to receiving restricted-transfer data.

8. Retention, Deletion and Return

The Advertiser may retain released User Inquiry data only while needed for the specific Inquiry and any directly connected legal, accounting, regulatory, dispute or security obligation.

The Advertiser must delete or return User Inquiry data when:

  • the purpose is exhausted;
  • the applicable working or attribution window expires;
  • the Inquiry is recycled away from the Advertiser;
  • the User withdraws consent or validly opts out for future processing;
  • the Advertiser Agreement terminates; or
  • the Operator reasonably instructs deletion under the Privacy Policy or applicable law.

Legally required retention is allowed only for the required period and must be isolated from marketing or unrelated use.

On request, the Advertiser must confirm deletion, return or legal-retention status in writing.

9. Data-Subject Requests and User Communications

The Advertiser must assist the Operator without undue delay with requests to access, know, correct, delete, restrict, object, withdraw, opt out, port data, appeal or use an authorized agent.

If the Advertiser receives a User request directly, it must respond consistently with its independent obligations and promptly notify the Operator where the request concerns data received through the Service.

Where the Advertiser receives personal data it did not collect directly from the User, the Advertiser is responsible for any notice obligation that applies to it as independent controller after User Release.

10. Records, Audit and Re-Attestation

The Advertiser must maintain records sufficient to demonstrate compliance with this DPA, including permitted purpose, access, retention, deletion, subprocessors, breach handling and DSAR cooperation.

The Advertiser must re-attest DPA compliance at least annually and whenever reasonably requested after a material change, incident, regulator inquiry or category change.

On reasonable notice, no more than annually unless there is cause, the Advertiser must provide information reasonably necessary to demonstrate compliance. Audits must be limited, confidential and proportionate.

If the Advertiser's DPA, transfer terms or attestation lapse, the Operator may block Inquiry release until cured.

11. Breach Notification

The Advertiser must notify the Operator without undue delay and in any event within 48 hours after becoming aware of a personal-data breach affecting User Inquiry data.

The notice must include, where known, the nature of the breach, categories and approximate number of affected users and records, likely consequences, mitigation steps, contact point and any regulatory or user notifications proposed or made.

The Advertiser must cooperate in investigation, mitigation, remediation and required notifications.

12. Return of Access and Termination

On suspension or termination, the Advertiser must stop accessing User Inquiry data and comply with deletion/return obligations. Confidentiality, security, deletion/return, records, audit, DSAR, transfer and breach obligations survive.

13. Liability

Advertiser breach of this DPA is a breach of the Advertiser Agreement. Advertiser indemnity obligations in Advertiser Agreement Section 11 apply to data misuse, unauthorized disclosure, unlawful processing, breach, circumvention, resale, retention or failure to delete/return. Those obligations are not subject to the user-side liability cap in the Terms of Use.

Schedule A - Processing Details

Data subjects: Users submitting User Inquiries; account holders; forum users where relevant; public listing professionals where relevant; Advertiser personnel.

Data categories: contact details, account identifiers, Inquiry details, wizard answers, selected markets, budget bands, preferences, messages, consent records, release status, opt-out status, technical logs, audit events and correspondence.

Sensitive data: not intentionally required for ordinary Inquiry flow. If a User adds sensitive information in free text, it may be processed only as needed for the specific Inquiry or legal compliance.

Purpose: mediated review, User communication, User Release, response to the specific Inquiry, DSAR handling, audit, security and legal compliance.

Duration: until the purpose expires, the working window ends, the Inquiry is recycled, the User withdraws/opts out for future processing, the agreement ends or legal retention requires isolation.

Schedule B - Minimum Security Measures

  • access limited to authorized personnel;
  • unique user accounts and secure authentication;
  • encryption in transit where available;
  • secure storage and device controls appropriate to risk;
  • confidentiality obligations;
  • deletion/return process;
  • breach escalation process;
  • subprocessor oversight;
  • periodic review of access and retention; and
  • staff awareness for privacy and confidentiality.

Schedule C - Transfer Terms

Restricted transfers require an adequacy mechanism, EU SCCs, UK IDTA/Addendum or other lawful transfer basis before the transfer occurs. If the required transfer mechanism is not in place, the Advertiser must not receive or transfer the data.

⚠️

Wichtiger rechtlicher Haftungsausschluss

Die auf CASABROVA dargestellten Informationen dienen ausschließlich allgemeinen Informationszwecken und stellen keine Rechts-, Finanz-, Steuer- oder Anlageberatung dar. Diese Informationen sind unverbindlich und sollten nicht als Grundlage für eine Entscheidung herangezogen werden. Bevor Sie eine Transaktion oder Investition in ausländische Immobilien durchführen, konsultieren Sie einen qualifizierten Anwalt, Buchhalter, Steuerberater und/oder einen anderen relevanten Fachmann im jeweiligen Gebiet.

Steuer-, Regulierungs- und Ertragsdaten ändern sich häufig. CASABROVA bemüht sich, Informationen aus Primärquellen wöchentlich zu aktualisieren, ist jedoch nicht für die Richtigkeit der Informationen oder für noch nicht berücksichtigte Änderungen verantwortlich. Alle angegebenen Zahlen sind nur Richtwerte.