LEGAL
Privacy Policy
Last updated: 2 July 2025
At EQUA Estates, protecting the privacy and confidentiality of our clients and prospective clients is fundamental to how we operate. This Privacy Policy explains what personal information we collect through this website, how we use it, and the rights you hold over it. It applies to all visitors to equaestates.com and anyone who submits information through our digital services.
1. Who We Are
EQUA Estates (“we”, “us”, “our”) is a luxury property advisory operating from Marbella Golden Mile, 29602 Marbella, Spain. We act as the data controller for all personal information collected through this website and the services described below.
You may contact our data protection point of contact at advisory@equaestates.com.
2. What Personal Data We Collect
We collect personal data only when you actively interact with our services. The table below describes each data touch-point on this website:
| FEATURE | DATA COLLECTED | PURPOSE |
|---|---|---|
| Contact / Consultation Form | Full name, email address, phone number (optional), free-text message | To respond to your advisory enquiry |
| Property Inquiry Form | Full name, email address, phone number, preferred viewing date, message | To arrange a private property viewing |
| Property Valuation Request | Full name, email address, phone number (optional), property location and details | To provide a confidential valuation consultation |
| Matchmaker Questionnaire | Budget range, lifestyle preferences, family framework, purchase timeline, full name, email address | To curate a personalised property selection |
| Off-Market Portal Access | Email address | To verify and grant access to off-market listings |
| Newsletter Subscription | Email address | To send curated market dossiers and editorial content |
| WhatsApp Communications | Your phone number and conversation history (handled by Meta/WhatsApp) | To facilitate direct advisory communication |
| Website Usage | IP address, browser type, device type, pages visited, session duration (via server logs and cookies) | Site security, performance, and analytics |
We do not collect sensitive personal data (such as health, political, or financial account data) through this website.
3. Legal Basis for Processing
Under the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), we rely on the following legal bases:
- Contractual necessity (Art. 6(1)(b) GDPR): Processing required to respond to your enquiry, arrange a viewing, or provide the advisory service you have requested.
- Legitimate interests (Art. 6(1)(f) GDPR): Our legitimate interest in operating and improving our website, maintaining security, and communicating with prospective clients about our services, where your interests do not override ours.
- Consent (Art. 6(1)(a) GDPR): For newsletter subscriptions and marketing communications. You may withdraw consent at any time by contacting us.
4. How We Use Your Data
We use the personal data we collect to:
- Respond to enquiries and arrange consultations or property viewings.
- Provide personalised property recommendations through our Matchmaker service.
- Grant access to off-market property listings to verified applicants.
- Send our seasonal editorial dossiers and market intelligence reports (newsletter subscribers only).
- Maintain records of our advisory interactions for operational continuity.
- Detect, investigate, and prevent fraud, security incidents, and abuse.
- Comply with legal and regulatory obligations applicable to real estate advisory in Spain.
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Third-Party Processors
We engage the following sub-processors who may handle your personal data on our behalf. Each is bound by data processing agreements and applicable data protection law:
| PROCESSOR | PURPOSE | LOCATION |
|---|---|---|
| Supabase Inc. | Database hosting and storage of form submissions | United States (EU data residency options available) |
| Netlify Inc. | Website hosting, CDN, and serverless functions | United States |
| Meta Platforms (WhatsApp) | Third-party messaging when you initiate a WhatsApp conversation | United States |
6. Data Retention
We retain personal data only for as long as necessary for its stated purpose:
- Enquiry and form submissions: Up to 3 years from the last interaction, unless a transaction is completed.
- Matchmaker profiles: Up to 2 years from submission date, or until you request deletion.
- Off-market access records: 12 months from the date of access grant.
- Newsletter subscriptions: Until you unsubscribe or request erasure.
- Website server logs: 90 days on a rolling basis.
7. Your Rights
As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at advisory@equaestates.com. We will respond within 30 days.
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Ask us to correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Restriction: Ask us to suspend processing of your data in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es, or with the supervisory authority in your EU country of residence.
9. International Data Transfers
Our website is hosted on Netlify and our database is operated by Supabase Inc., both of which are headquartered in the United States. Data transfers to the United States are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, providing an equivalent level of protection to that required within the EEA. For further information on the safeguards in place, please contact us.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. These measures include encrypted data transmission (TLS/HTTPS), row-level security policies on our database, and access controls restricting data to authorised personnel only. No method of transmission over the internet is 100% secure; if you believe your data has been compromised, please notify us immediately.
11. Contact the Data Controller
For any questions regarding this Privacy Policy, to exercise your rights, or to make a complaint about how we handle your personal data, please contact:
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The “Last updated” date at the top of this page will always indicate when the most recent revision was made. Where changes are material, we will endeavour to notify active enquirers by email. We encourage you to review this page periodically.
RELATED LEGAL DOCUMENTS