GDPR Compliant
Privacy Policy
Last updated: 18 May 2026
1. Overview
EQUIA Global Property ("we", "us", "our") operates a web-based property portfolio management platform for international real estate investors. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our application, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
By using EQUIA, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the application.
2. Data Controller
The data controller responsible for processing your data is the entity identified in our Legal Notice (Impressum). For any data protection inquiries, please contact us using the details provided there.
3. Data We Collect
We collect and process the following categories of personal data:
Account Information
Name, email address, and authentication credentials (password hash or Google OAuth profile data). This data is required to create and maintain your account.
Property Portfolio Data
Asset details you provide, including property names, locations, purchase prices, currencies, purchase dates, and property descriptions. This data is necessary to deliver the core portfolio management functionality.
Uploaded Documents
Files you upload to the Document Vault, such as Sales Purchase Agreements (SPAs), Title Deeds, passports, and visa documents. These documents may contain sensitive personal and financial information.
Mobility & Residency Data
Visa and residency records, presence day logs, and associated compliance data that you voluntarily enter to track your global mobility status.
Usage Data
Technical data generated during your use of the application, including IP addresses (for brute-force protection), timestamps of login attempts, and session metadata.
4. How We Use Your Data
Your data is processed for the following purposes, each with a lawful basis under GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b) GDPR) |
| Portfolio management and FX conversion | Contract performance (Art. 6(1)(b) GDPR) |
| AI document analysis via OpenAI | Consent (Art. 6(1)(a) GDPR) |
| Visa expiry notifications and compliance alerts | Legitimate interest (Art. 6(1)(f) GDPR) |
| Security (brute-force protection, session management) | Legitimate interest (Art. 6(1)(f) GDPR) |
5. Data Encryption & Security
We implement industry-standard security measures to protect your data:
Authentication & Session Security
User passwords are hashed using bcrypt with random salts and are never stored in plain text. Sessions are managed via JSON Web Tokens (JWT) signed with the HS256 algorithm and a server-side secret. Access tokens are short-lived (1 hour); refresh tokens (7 days) are stored server-side and rotate on every use, with reuse-detection that revokes the entire token family on any anomaly. Both cookies are httpOnly, Secure, and SameSite=Lax. Brute-force protection locks accounts after 5 failed attempts for 15 minutes.
Document Vault — Encryption at Rest
Documents uploaded to the Vault are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) on our backend before they leave the server. Only the ciphertext is transmitted to and stored in our object-storage provider (Cloudflare R2, EU jurisdiction). Decryption happens transiently in memory when you download or preview a file, and the plaintext is never persisted anywhere. The encryption key lives only in our backend environment configuration and is never transmitted to clients or third parties.
In addition, all file uploads pass server-side magic-byte (MIME) validation to reject mismatched or malicious binaries, and file size is capped at 10 MB per document. Access to stored files is mediated exclusively through authenticated backend API endpoints — no direct storage URLs are exposed to the client. Each file is stored under a non-guessable path scoped to the owning user.
Transport Encryption
All communication between your browser and our servers is encrypted using HTTPS with TLS 1.2+. API credentials, session tokens, and document payloads are transmitted exclusively over encrypted channels.
6. Third-Party Data Processors
We engage the following third-party services to provide our application's functionality. Data shared with these processors is limited to what is strictly necessary for the stated purpose:
OpenAI (via Emergent LLM gateway)
AI Processing · United StatesWe use two OpenAI models routed through the Emergent LLM gateway: gpt-5-mini for lightweight tasks (classification, news summarisation) and gpt-5.2 for vision-based document analysis and the AI Concierge. Document content is transmitted to OpenAI only when you explicitly click an "Analyze" or "Extract" button on a specific document; documents are never sent automatically. Concierge messages are transmitted when you send a chat. According to OpenAI's API data-usage policy, content submitted via the API is not used to train their models and is retained for at most 30 days for abuse-monitoring purposes. OpenAI's Privacy Policy.
MongoDB Atlas
Primary Database · Frankfurt, EUOur primary application database is MongoDB Atlas (M10 cluster) deployed in the eu-central-1 (Frankfurt) region. All personal data, portfolio records, residency entries, and authentication metadata are stored here. The cluster uses SCRAM-SHA-256 authentication, TLS 1.3 in transit, encryption at rest, and is firewalled to our backend's egress IP only. MongoDB Privacy Notice.
Cloudflare R2
Encrypted File Storage · EUUploaded documents are stored in a Cloudflare R2 bucket configured with EU jurisdictional restriction (data physically remains in EU data centres). As described in § 5, all files are Fernet-encrypted on our backend before upload, so Cloudflare only ever sees opaque ciphertext. Access uses a bucket-scoped API token (no master credentials). Cloudflare Privacy Policy.
Resend
Transactional Email · EU/USWe use Resend to deliver transactional emails: password reset links, visa-expiry reminders, payment-milestone reminders, account-deletion confirmations, and account-exists notices. Your email address and the email body are transmitted to Resend solely to deliver the message. Resend does not use your data for marketing. Resend Privacy Policy.
Sentry
Error Monitoring · Frankfurt, EUWe use Sentry (EU region: ingest.de.sentry.io) to monitor application errors and a small sampled fraction of performance traces. Captured data includes the user ID, the user email, error stack traces, request paths, and masked browser session replays. Request bodies and document contents are never sent to Sentry. PII redaction (send_default_pii=False) is enabled. Sentry Privacy Policy.
ExchangeRate-API
Currency DataWe use the ExchangeRate-API service to retrieve live foreign exchange rates (EUR, AED, GBP, TRY, USD) for portfolio valuation and currency conversion. No personal data is transmitted — only currency-pair requests. Rates are cached locally and stored as daily snapshots for historical arbitrage calculations.
Emergent Auth (Google OAuth)
Authentication · USIf you choose to sign in with Google, authentication is processed through Emergent's managed OAuth service, which then exchanges credentials with Google. We receive only your name, email address, and profile picture. We never receive or store your Google password.
7. Regulatory Sentinel — Real Sources + AI Summaries
The Regulatory Sentinel feature aggregates real, published articles from public RSS feeds of established publishers (Tagesschau, Der Spiegel, Handelsblatt, Cyprus Mail, and others) and topical Google News searches for your portfolio's jurisdictions (Dubai/UAE, North Cyprus, Germany). For each article, we use OpenAI's gpt-5-mini model to generate a short summary and to classify the topic and impact. For Germany items, summaries are returned in the original German legal terminology.
The model never invents headlines, sources, or dates — it only summarises the publisher's own excerpt. Every article on the Sentinel page shows the real publisher name and a clickable link to the original article. We cache the result for 6 hours per user to reduce upstream calls. No personal data is transmitted to RSS publishers; only the article excerpt and the user's jurisdictions are sent to OpenAI.
8. Data Retention
We retain your data as follows:
- - Account data: retained for the duration of your active account.
- - Account deletion: when you request deletion, your account enters a 30-day grace period during which you can sign in and cancel the deletion. After 30 days your account and all associated data — assets, deals, documents (including R2 blobs), residencies, presence logs, refresh tokens, and email-reminder logs — are irreversibly hard-deleted.
- - Portfolio & residency data: retained for the duration of your active account.
- - Uploaded documents: retained until you delete them or your account is closed. Deleting a document removes both the database record and the encrypted blob from Cloudflare R2 in the same operation.
- - Login attempt logs: failed login records are automatically cleared upon successful authentication or after 15 minutes.
- - FX rate history: anonymised, non-personal aggregate data retained indefinitely for arbitrage calculations.
- - Sentry error events: retained per Sentry's default plan policy (typically 30–90 days), then auto-purged.
9. Your Rights Under GDPR
As a data subject, you have the following rights under the General Data Protection Regulation:
Right of Access (Art. 15 GDPR)
You have the right to request confirmation of whether your personal data is being processed and, if so, to receive a copy of that data along with information about the purposes of processing, categories of data, and recipients.
Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most information directly within the application.
Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data. You can delete your account yourself directly in the app via Settings → Delete my account. This schedules permanent deletion in 30 days; during that window you can sign back in and cancel the request. After 30 days all your data — including encrypted documents stored in Cloudflare R2 — is irreversibly purged. You can also delete individual documents and assets at any time from within the app.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your data yourself directly in the app via Settings → Export my data. The export is delivered as a ZIP archive containing your account info, full portfolio (assets + deals), residencies, presence logs, calendar events, payment-reminder log, and your uploaded documents (decrypted to their original form). Up to 5 exports per hour.
Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing in certain circumstances, such as when the accuracy of data is contested or processing is unlawful but you oppose erasure.
Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement. The competent supervisory authority for our company is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
To exercise any of these rights, please contact us using the information provided in our Legal Notice. We will respond to your request within 30 days.
10. Cookies
EQUIA uses only strictly necessary cookies for authentication:
| Cookie | Purpose | Duration |
|---|---|---|
| access_token | JWT session authentication | 1 hour |
| refresh_token | Session renewal without re-login | 7 days |
Both cookies are set as httpOnly (not accessible to JavaScript) and are used solely for authentication. We do not use tracking, analytics, or advertising cookies.
11. International Data Transfers
Our infrastructure is hosted predominantly in the European Union: MongoDB Atlas (Frankfurt, Germany), Cloudflare R2 (EU jurisdiction), and Sentry (Frankfurt). The following sub-processors involve transfers outside the EEA:
- - OpenAI (United States) — transfers occur only when you explicitly trigger an AI feature. Lawful basis: Standard Contractual Clauses (SCCs) as incorporated into OpenAI's Data Processing Addendum, together with your specific consent under Art. 49(1)(a) GDPR for each AI action.
- - Resend (US data plane available) — we route transactional email through Resend. Lawful basis: SCCs as incorporated into Resend's DPA.
- - Google (United States, via Emergent Auth) — only triggered if you choose Google sign-in. Lawful basis: your consent under Art. 49(1)(a) GDPR.
In each case we have ensured an adequate level of protection through Standard Contractual Clauses (SCCs) under Art. 46 GDPR, supplementary technical safeguards (encryption in transit and, for documents, encryption at rest before transfer), and/or your explicit consent.
12. Recipients of Your Personal Data
We do not sell, rent, or share your personal data with marketers, advertisers, data brokers, or any third party for commercial purposes. The only third parties that receive any of your data are the sub-processors listed in § 6, strictly for the technical purposes described there. We may disclose data to public authorities only where legally required by court order or applicable law.
13. Automated Decision-Making & Profiling
EQUIA does not perform automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. The AI features (document analysis, news summarisation, Concierge chat) generate informational output for your review; they do not produce decisions that legally bind you or any third party. Final decisions on any matter remain entirely with you.
14. Children's Data
EQUIA is intended for adult property investors. We do not knowingly collect personal data from individuals under 16 years of age. If you believe that a minor has provided us with personal data, please contact us using the details in our Legal Notice and we will delete the data without undue delay.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by displaying a notice within the application. The "Last updated" date at the top of this page indicates when the policy was last revised.
© 2026 EQUIA Global Property