This page is maintained by AI Risk Intelligence AS, the operator of Spain Property Pay, to explain what personal data we process, on what legal basis, for how long, and what rights you have. It is written in plain language and is not a substitute for legal advice.
Who is the data controller
The data controller for Spain Property Pay is AI Risk Intelligence AS, a company registered in Norway. You can reach the controller for any privacy question — including data-subject requests under the GDPR — at privacy@spainpropertypay.com.
What we do not do
- We do not sell personal data.
- We do not run behavioural advertising, retargeting pixels, or ad-tech trackers.
- We do not build user profiles for marketing.
- We do not require an account to read any part of the site.
What personal data we process
Spain Property Pay is a read-only intelligence site. The categories of personal data we process are limited to:
- Technical log data — IP address, user agent, request path, timestamp — recorded by our hosting infrastructure for security, abuse prevention and troubleshooting.
- Case-builder inputs — the buyer scenario you enter into the on-site case tool (transfer amount, timing, corridor). These values are stored in your browser's local storage on your device only and are not transmitted to us.
- Correspondence — if you email us (for a correction, referral disclosure question, or data-subject request), we process the content of that email and your reply address in order to respond.
- Search Console data — aggregated, non-identifying search performance data supplied by Google Search Console for the site as a whole.
We do not knowingly collect data from children under 16. The site is intended for adult property buyers.
Legal bases (GDPR Art. 6)
- Legitimate interests (Art. 6(1)(f)) — operating and securing the site, responding to correspondence, and understanding aggregate search demand. The interest is our operation of a lawful, non-commercial-tracking editorial platform; the impact on you is minimal because we do not profile.
- Consent (Art. 6(1)(a)) — for any future non-essential cookie or analytics we may introduce. At the time of writing, no such cookies are set (see our Cookie Policy).
- Legal obligation (Art. 6(1)(c)) — where we must retain records to comply with tax, accounting or regulator requests.
Sharing and international transfers
We use a small number of processors to run the site:
- Hosting and edge network — Cloudflare Workers and the Lovable platform, which serve the site and record technical logs.
- Managed database and authentication — Supabase (EU region), used only where authenticated features exist.
- Search Console — Google LLC, for aggregate search performance reporting.
- Email — the mail provider that handles messages sent to our published addresses.
Where a processor is outside the EEA (for example, Cloudflare and Google in the United States), transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We do not transfer personal data to jurisdictions without an adequacy decision or equivalent safeguards.
Retention
- Technical log data — up to 30 days for security and abuse prevention, then deleted or aggregated.
- Correspondence — for as long as needed to handle the enquiry, and then for up to 24 months for audit and dispute resolution.
- Case-builder inputs — stored only in your browser; you can clear them at any time by clearing site storage.
- Records we are legally required to keep — for the retention period set by the applicable law.
Your rights under the GDPR
Wherever the GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have your data erased (Art. 17), subject to legal retention obligations.
- Restrict processing (Art. 18).
- Receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority — in Norway, the Datatilsynet; in your country of residence if elsewhere in the EEA or UK.
To exercise any of these rights, email privacy@spainpropertypay.com. We respond within 30 days.
Security
Traffic to the site is served over HTTPS with modern TLS. Access to backend systems is restricted to named individuals and protected by multi-factor authentication. We follow the principle of data minimisation — the less we collect, the less there is to protect.
Changes to this policy
Material changes are dated at the top of this page and, where they affect a legal basis or add a new processor, announced on the Trust Centre index. Editorial clarifications are made in place and do not trigger a version bump.