Skip to main content
CASABROVA Legal

Version v2.5 · Document set v2.5 · D4_PRIVACY_POLICY_v2.5_US_DELAWARE_2026_06_24_EN.md

sha256:612849b43eb1e54317b436e300afea216b7c0b74ab3cf855a4a87f56e0ffeeb5

CASABROVA Privacy Policy - v2.5 US/Delaware

Version: v2.5 Date: 2026-06-24 This Privacy Policy explains how the operator of the service currently offered under the CASABROVA brand at casabrova.com and related product surfaces (the "Service") collects, uses, shares and protects personal data.

1. Controller, Privacy Contact and Representatives

Until a successor operating entity formally assumes the Service, the controller of personal data collected through the Service is Yehonatan Yanay, acting personally as interim operator (the "Operator"). "Operator", "we", "us" and "our" refer to the interim operator and to any permitted successor that assumes the Service by notice.

Privacy and data-subject requests: dpo@casabrova.com or /legal/dpo. General legal and platform notices: info@casabrova.com.

Where representative appointment is required for EU/EEA or UK data-protection purposes and no exemption applies, the Operator will appoint and publish the relevant representative details before relying on that representative channel. Until representative details are posted, privacy communications may be sent to dpo@casabrova.com.

2. Personal Data We Collect

We collect the categories needed to operate, secure, improve and document the Service:

  • Account data: name, email, password/authentication credentials processed by the authentication provider, account role, preferred language, profile settings and account identifiers.
  • Signup and acceptance data: document version, locale, timestamp, source flow, IP address, user agent and consent/acceptance event identifiers.
  • Wizard and profile data: investor profile, residency-intent answers, tax-priority answers, budget, currency, selected markets, preferences, timing, U.S. acknowledgement where shown, and other answers submitted by the user.
  • Inquiry and lead data: name, email, phone where provided, message/free text, Recipient Categories, market codes, project/developer/provider identifiers, retention choice, monitoring preference, opt-out token and routing/release status.
  • Partner, advertiser, broker and provider onboarding data: business name, contact person, email, role, category, licensing or credential information supplied for profile or verification, billing identifiers and agreement acceptance records.
  • DPO/privacy request data: email, request type, verification details, correspondence, decision records and appeal records.
  • Technical and security data: IP address, device, browser, approximate region from hosting or CDN headers, server logs, security logs, anti-abuse signals and audit events.
  • Cookie and analytics choices: necessary cookie data, language/preferences, authentication state, cookie-consent choices and limited analytics events when analytics is enabled.
  • Public or third-party listing data: property-listing information and professional contact data published on publicly accessible portals or supplied by Advertisers, used for source attribution and listings aggregation.
  • Forum and public-content data: display name, post content, replies, translations, moderation status and related audit records.

Do not submit sensitive personal data in free-text fields unless the form specifically asks for it. If you include sensitive information in notes or messages, we use it only as needed to process your request, protect rights, comply with law or as otherwise permitted.

3. Data We Do Not Collect Directly From You

The Service may aggregate public property-listing information from third-party property portals. This may include professional contact details, such as agent names or business contact details, as published by the source portal. We process this data for source attribution, listings aggregation and directing users to the published source. We do not use this data to market to those individuals.

If you are a person identified in public listing data and want correction, deletion or objection review, contact dpo@casabrova.com or use /legal/dpo.

4. Purposes of Processing

We process personal data to:

  • create and maintain accounts;
  • provide market-intelligence, wizard, inquiry, referral, forum and account features;
  • route and manage User Inquiries according to consent;
  • operate the Mediated Inbox and User Release model;
  • provide customer support and legal/privacy request handling;
  • secure the Service, prevent abuse and investigate misuse;
  • document consent, releases, opt-outs, audit logs and legal compliance;
  • administer Advertiser, broker, provider and partner onboarding;
  • process payments through disclosed payment processors or merchants of record;
  • send requested service messages and permitted communications;
  • improve the Service and measure performance; and
  • comply with legal, accounting, tax, regulatory, dispute and security obligations.

We do not use User Inquiries to make automated legal, tax, credit or investment decisions about you.

5. Legal Bases Where GDPR-Style Rules Apply

Where GDPR, UK GDPR or similar rules apply, we rely on:

  • contract or pre-contract steps for accounts, requested services, checkout, support and introductions;
  • consent for optional analytics, optional marketing, User Release, certain lead routing and other consented features;
  • legitimate interests for security, fraud prevention, service improvement, internal administration, source attribution and legal defense;
  • legal obligation for required records, tax, regulatory, breach, court or authority obligations; and
  • vital or public-interest grounds only if legally required in exceptional circumstances.

You may withdraw consent for future processing. Withdrawal does not affect processing that was lawful before withdrawal.

6. Sharing With Advertisers, Recipient Categories and Processors

6.1 When sharing may happen

When you submit a User Inquiry, you ask us to route or display your request to relevant Recipient Categories. Sharing is not silent. It is governed by the consent shown at submission, the Terms of Use Section 9, this Privacy Policy and the recorded User Release rules.

6.2 Recipient Categories

Recipient Categories may include property developers, real-estate brokers, real-estate lawyers, immigration lawyers, tax advisers, accountants, immigration advisers, international money-transfer providers, property-management providers and other categories shown at submission.

6.3 Pseudonymized phase before release

Before User Release, an Advertiser may see only mediated or pseudonymized Inquiry information or coarse traits, such as target market, budget band, asset type, timing, language or service need. The Advertiser does not receive your name, email, phone number or directly identifying details during this phase.

6.4 User Release

Your identity or contact details are released to an Advertiser only after your affirmative User Release to that specific Advertiser for that specific Inquiry. A release to one Advertiser does not release your details to another Advertiser. If an Inquiry is recycled to another Advertiser, a new User Release is required before that Advertiser receives identifying details.

6.5 U.S. opt-out and Global Privacy Control

If you are a U.S. resident, routing or releasing an Inquiry to developers, brokers or other businesses may be treated as a "sale" or "sharing" under certain state privacy laws. You may opt out before release through the control shown at submission, through /privacy/choices#do-not-sell-share, by sending a request to dpo@casabrova.com, or through Global Privacy Control where required. If a valid opt-out applies, identifying details are not released for a sale/share purpose unless you later provide a valid opt-in or release permitted by law.

At launch, the Service does not share personal data for cross-context behavioral advertising.

6.6 Safety gate

Before User Release, the Service should check consent scope, Recipient Category, opt-out status, cross-border transfer basis, DPA/Advertiser Agreement status, and category-specific eligibility. If the gate fails, identifying details are not released.

6.7 Per-inquiry record

We keep a per-inquiry record of the consent you gave, Recipient Categories, routing, User Release, release recipient, opt-out status, withdrawal, recycling and audit events.

6.8 Advertiser obligations

Before any Advertiser may receive identifying Inquiry data, it must be bound by the Advertiser Agreement and Data Processing Addendum. Those terms restrict use to the specific Inquiry, require confidentiality and security, require DSAR cooperation, prohibit resale or unauthorized marketing, and require deletion or return when the purpose expires.

6.9 Service providers

We use service providers for hosting, database, authentication, analytics, email, security, payment, translation, support, professional advice and similar functions. They may process data only for our purposes and subject to contractual confidentiality and security obligations.

6.10 Legal disclosure

We may disclose data to courts, regulators, law-enforcement bodies, advisers, auditors or counterparties where required or reasonably necessary for legal compliance, rights protection, security, dispute handling or corporate transactions.

7. International Transfers and Hosting

The Service's primary database and storage are intended to be hosted with Supabase in the European Union region (Frankfurt, Germany), unless a published update states otherwise.

Application hosting, CDN, security, analytics, email, translation, payment and professional-service providers may process limited technical or service data in other countries. Where a restricted international transfer requires safeguards, we rely on appropriate mechanisms such as adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, transfer assessments, vendor security commitments or other lawful mechanisms.

If a vendor, hosting region or transfer mechanism changes materially, this Policy and the DPA documentation should be updated.

8. Retention

We keep personal data only as long as reasonably needed for the purpose collected, unless a longer period is required for legal, accounting, tax, dispute, security, audit or regulatory reasons.

  • Account/profile data: for the account life and a reasonable period after closure.
  • Signup and legal acceptance records: as long as needed to prove the applicable terms and consent.
  • User Inquiries: the retention window selected at submission where offered; otherwise normally up to 24 months, unless needed longer for dispute, legal, security or audit reasons.
  • Per-inquiry audit and consent records: as long as needed to prove routing, release, withdrawal, opt-out and compliance history.
  • DPO/privacy requests: normally up to 6 years as evidence of handling.
  • Security logs: short operational periods unless needed for investigation or legal defense.
  • Cookie-consent records: normally up to 12 months, then replaced or renewed.
  • Forum posts: visible until removed, anonymized or deleted under moderation, account or privacy processes, subject to quoted text and legal-retention limits.

9. Privacy Rights

Depending on where you live and which law applies, you may have rights to access, know, receive a copy, correct, delete, restrict, object, withdraw consent, opt out, request portability, appeal a denial and use an authorized agent.

Submit requests through /legal/dpo or dpo@casabrova.com. We may need to verify your identity and authority before acting. Some requests may be limited by legal duties, fraud prevention, security, professional obligations, privilege, dispute needs or the rights of others.

10. Complaints and Appeals

You may contact us first at dpo@casabrova.com so we can try to resolve the issue.

Where applicable, you may complain to a competent data-protection authority. Where a U.S. state privacy law gives you a right to appeal a denied privacy request, you may appeal by replying to the denial notice or emailing dpo@casabrova.com with the subject line "Privacy Appeal". We will review and respond within the period required by applicable law.

11. U.S. State Privacy Notice

For U.S. residents where state privacy laws apply:

  • categories collected are listed in Section 2;
  • purposes are listed in Section 4;
  • sharing and sale/share-risk for lead routing are described in Section 6;
  • retention is described in Section 8;
  • rights and appeals are described in Sections 9 and 10;
  • opt-out is available through /privacy/choices#do-not-sell-share, the submission flow, dpo@casabrova.com, and Global Privacy Control where required; and
  • we do not discriminate against users for exercising privacy rights.

If a "Limit the Use of My Sensitive Personal Information" right applies, use /privacy/choices#limit-sensitive-pi or contact dpo@casabrova.com. The Service does not intentionally require sensitive personal information for ordinary use.

12. Cookies, Analytics and Privacy Signals

We use necessary cookies or local storage for language, security, authentication, profile preferences and consent storage. Optional analytics runs only where enabled and permitted by the applicable consent or privacy-signal configuration.

Your cookie/analytics choice may be stored under the name casabrova-consent or a successor identifier. You can update choices from the footer or privacy choices route where available.

Where required, the Service honors opt-out preference signals, including Global Privacy Control, for sale/share opt-out purposes.

13. Forum and Public Content

Forum posts and public profile content are public by design. They may be visible to anyone, indexed by search engines, quoted by other users, moderated and translated. If you do not want to be identified, do not post identifying details.

Deletion requests may result in deletion or anonymization, subject to quoted material, moderation records, legal retention and technical backup limits.

14. Children

The Service is intended for adults. We do not knowingly collect personal data from anyone under 18 or the age of majority in their jurisdiction if higher. If you believe a minor provided personal data, contact dpo@casabrova.com.

15. Security and Breach Notification

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration and disclosure. No online service can be guaranteed secure.

If we become aware of a personal-data breach, we will assess it and notify affected users, regulators or authorities where required by applicable law, including 72-hour supervisory-authority notification where GDPR-style rules require it.

16. Updates

We may update this Privacy Policy when the Service, processors, law, contacts, hosting, transfer mechanisms or data practices change. The latest version/date should be shown on the public policy page. Material changes will be reflected on the Service and, where required, by additional notice.

⚠️

Important Legal Disclaimer

The information presented on CASABROVA is for general informational purposes only and does not constitute legal, financial, tax, or investment advice. This information is not binding and should not be relied upon as the basis for any decision. Before executing any transaction or investment in overseas real estate, consult with a qualified lawyer, accountant, tax advisor, and/or any other relevant professional in the relevant territory.

Tax, regulatory, and yield data change frequently. CASABROVA makes efforts to update information weekly from primary sources, but is not responsible for the accuracy of the information or for changes not yet reflected. All figures presented are indicative only.