Privacy Policy

1. DATA CONTROLLER INFORMATION

1.1 Primary Data Controller

Company Name: Caenhebo Sociedade Imobiliária, Unipessoal LDA
Registration Number: 2019060767
VAT Number: 515774995
Registered Address:
Rua Carlos Alberto da Mota Pinto,

Edifício Amoreiras Square,17, 3º piso A,

1070-046, Lisboa Portugal

Contact Information:

Website: https://caenhebo.com
General Support: [email protected]
Data Protection Officer: [email protected]
Privacy Inquiries: [email protected]
Security Issues: [email protected]

1.2 Brokerage Services Data Management

We are a company duly incorporated and registered in Portugal, operating as a licensed real estate brokerage under License Number 25990 issued by the Instituto dos Mercados Públicos, do Imobiliário e da Construção (IMPIC).

1.3 Third-Party Data Controller

It will be managed by Lightspark Payments Europe AS

Registry Code: 16298772
Address: Pärnu mnt 110, Kesklinna linnaosa, 11313 Tallinn, Estonia
Role: Data controller for virtual asset services, vIBAN services, and KYC/AML processing
License: Virtual Asset Service Provider (License Number: FVT000546)

2. SCOPE AND APPLICABILITY

2.1 Covered Services

This Privacy Policy applies to:

Caenhebo Platform (https://caenhebo.com)
Mobile and desktop applications
Customer support services
Marketing communications
All related services and features

2.2 Geographic Scope

This Policy applies to the processing of personal data of users in the European Union, European Economic Area, and worldwide, in accordance with:

EU General Data Protection Regulation (GDPR) – Regulation 2016/679
Portuguese Data Protection Law – Lei n.º 58/2019
ePrivacy Directive – Directive 2002/58/EC
Portuguese AML Law – Law No. 83/2017

3. LEGAL BASES FOR PROCESSING

GDPR Article 6 Legal Bases

Performance of Contract (Article 6(1)(b))

Account creation and management
Transaction processing and completion
Customer support services
Platform functionality delivery

Legal Obligation (Article 6(1)(c))

Regulatory reporting requirements
Court orders and legal process

Legitimate Interests (Article 6(1)(f))

Purpose:
- Platform security and fraud prevention
- Analytics for service improvement
- Direct marketing (with opt-out rights)
- Business operations and administration

Consent (Article 6(1)(a))

Marketing communications
Optional data processing activities
Cookies (non-essential)
Data sharing with non-essential third parties

4. CATEGORIES OF PERSONAL DATA COLLECTED

4.1 Identity and Contact Information

Full legal name and previous names
Date and place of birth
Nationality and citizenship status
Residential and business addresses
Email addresses and phone numbers
Emergency contact information
Government-issued identification documents

4.2 Financial and Transaction Data

Bank account details (IBAN, SWIFT codes)
Income and employment information
Tax identification numbers

4.3 Technical and Usage Data

IP addresses and device identifiers
Browser type, version, and settings
Operating system and hardware specifications
Access logs and timestamps
Platform usage patterns
Search queries and interactions
Performance and error data
Location data (GPS coordinates with consent)

4.4 Communication Data

Messages between platform users
Customer support interactions
Email correspondence
Call recordings (with notice)
Survey responses and feedback
Marketing interaction data

5. PURPOSES OF PROCESSING

5.1 Primary Service Purposes

Platform Operation: Account management, transaction processing, user authentication
Property Transactions: Listing management, buyer-seller matching, transaction facilitation
Customer Support: Issue resolution, technical assistance, complaint handling

5.2 Compliance and Legal Purposes

Regulatory Compliance: KYC/AML obligations , tax reporting, regulatory submissions
Legal Process: Court orders, regulatory investigations, law enforcement cooperation
Risk Management: Fraud detection, security monitoring, sanctions screening

5.3 Business Operations

Analytics: Platform improvement, usage analysis, performance optimization
Marketing: Service promotion, customer communication, market research
Security: Platform protection, incident response, vulnerability management

6. DATA SHARING AND RECIPIENTS

6.1 Essential Service Providers

Lightspark Payments Europe AS (Data Controller)

Services: Virtual asset wallet, vIBAN services, KYC/AML processing
Legal Basis: Contract performance, legal obligation
Data Shared: Identity documents, financial information, transaction data
Location: Pärnu mnt 110, Kesklinna linnaosa, 11313 Tallinn, Estonia
User Control: Required for platform functionality

Data verification provider: Data Processor by third party contractor

Services: Identity verification and document authentication
Role: Processor acting on behalf of third party provider
Data Shared: Identity documents, biometric data
Safeguards: Data Processing Agreement, GDPR compliance

6.2 Other Service Providers (Data Processors)

Cloud Hosting: AWS, Google Cloud (EU regions)
Payment Processing: Licensed payment service providers
Customer Support: Support platform providers
Analytics: Anonymized/pseudonymized data only
Marketing: Email service providers, advertising platforms

6.3 Business Transfer Recipients

In case of merger, acquisition, or asset sale, personal data may be transferred to successors with equivalent privacy protections.

7. INTERNATIONAL TRANSFERS

7.1 Within EU/EEA

Primary data processing occurs within the EU/EEA:

Portugal: Caenhebo operations
Estonia: Lightspark services
Ireland: Cloud infrastructure
Germany: Support services

7.2 Transfers Outside EU/EEA

United States:

Recipients: Cloud service providers, analytics providers
Safeguards: Standard Contractual Clauses (SCCs), adequacy decisions
Data Types: Technical and usage data (pseudonymized)

Other Third Countries:

Condition: Only with adequate protection measures
Safeguards: SCCs, Binding Corporate Rules, adequacy decisions
User Rights: Object to transfers, request alternative arrangements

7.3 Transfer Safeguards

All international transfers are protected by:

EU Commission adequacy decisions, or
Standard Contractual Clauses (2021 SCCs), or
Approved codes of conduct/certification mechanisms
Additional technical and organizational measures

8. DATA RETENTION

8.1 General Retention Periods

Active Account Data:

Identity Information: Duration of relationship + 5 years
Transaction Records: 10 years (AML compliance requirement)
Financial Data: 7 years (tax law requirement)
Technical Logs: 12 months
Marketing Data: Until withdrawal of consent

Closed Account Data:

Core Identity Data: 5 years after account closure
AML/Compliance Data: 10 years after last transaction
Legal/Dispute Data: Until resolution + statute of limitations

8.2 Specific Legal Requirements

Portuguese AML Law: Minimum 5 years, up to 10 years for complex cases
Tax Obligations: 7 years for financial records
Criminal Proceedings: Until completion + appeals period
Regulatory Investigation: Until conclusion + potential appeal period

8.3 Data Deletion

After retention periods expire:

Secure deletion of all personal data
Anonymization for statistical purposes only
Exception: Legal proceedings or regulatory requirements may extend retention
User Request: Earlier deletion where legally permissible

9. YOUR DATA PROTECTION RIGHTS

9.1 Core GDPR Rights

Right of Access (Article 15)

Request copies of your personal data
Obtain information about processing activities
Understand data recipients and retention periods
Response Time: 30 days

Right to Rectification (Article 16)

Correct inaccurate personal data
Complete incomplete information
Update outdated records
Response Time: 30 days

Right to Erasure (“Right to be Forgotten”) (Article 17)

Delete personal data when no longer necessary
Withdraw consent for consent-based processing
Object to unlawful processing
Limitations: Legal retention requirements, ongoing legal proceedings

Right to Restrict Processing (Article 18)

Temporarily limit processing in specific circumstances
During accuracy disputes or lawfulness challenges
Effect: Data stored but not actively processed

Right to Data Portability (Article 20)

Receive data in structured, machine-readable format
Transfer data to another service provider
Scope: Data provided by you, processed by automated means

Right to Object (Article 21)

Object to processing based on legitimate interests
Object to direct marketing (absolute right)
Object to profiling and automated decision-making

9.2 Exercising Your Rights

How to Request:

Email: [email protected]
Subject Line: “Data Protection Rights Request – [Your Name]”
Include: Full name, account email, specific request details
Identity Verification: May require additional verification

Response Timeline:

Acknowledgment: Within 2 business days
Response: Within 30 days (extendable to 90 days for complex requests)
Free of Charge: First request free; subsequent requests may incur reasonable fees

Complex Requests:

Extension Notice: 30-day extension notice with reasons
Consultation: May require consultation with data protection authorities
Third-Party Involvement: Coordination with Lightspark for their data processing

10. AUTOMATED DECISION-MAKING AND PROFILING

10.1 Automated Processing Activities

Risk Scoring:

Purpose: AML/fraud risk assessment
Logic: Transaction patterns, behavior analysis, sanctions screening
Consequences: Account restrictions, enhanced verification requirements
Human Review: Available upon request

Platform Recommendations:

Purpose: Property matching, user experience optimization
Logic: Search history, preferences, behavior patterns
Consequences: Customized listings, targeted recommendations
User Control: Disable in account settings

10.2 Your Rights Regarding Automated Decisions

Request human review of automated decisions
Express your point of view regarding the decision
Contest the decision and request reconsideration
Obtain explanation of the logic involved
Opt-out of non-essential automated processing

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 Cookie Categories

Strictly Necessary Cookies:

Session management and authentication
Security and fraud prevention
Platform functionality
Legal Basis: Legitimate interests
User Control: Cannot be disabled

Performance and Analytics Cookies:

Website performance monitoring
User behavior analysis (anonymized)
Error tracking and debugging
Legal Basis: Consent
User Control: Opt-out available

Functional Cookies:

User preferences and settings
Language selection
Accessibility features
Legal Basis: Consent
User Control: Manageable in settings

Marketing and Advertising Cookies:

Targeted advertising
Marketing campaign effectiveness
Social media integration
Legal Basis: Consent
User Control: Full control via cookie settings

11.2 Cookie Management

Cookie Banner: Clear consent options on first visit
Settings Panel: Granular control over cookie categories
Withdrawal: Easy withdrawal of consent
Do Not Track: Respected where technically feasible

11.3 Third-Party Cookies

Limited Use Policy:

Only essential third-party cookies permitted
Regular audit of third-party cookie providers
Data sharing agreements with all cookie providers
User notification of all third-party cookies

12. DATA SECURITY MEASURES

12.1 Technical Safeguards

Encryption:

In Transit: TLS 1.3 for all data transmission
At Rest: AES-256 encryption for stored data
Key Management: Hardware Security Modules (HSMs)
Regular Updates: Encryption protocols regularly updated

Access Controls:

Multi-Factor Authentication (MFA) for all accounts
Role-Based Access Control (RBAC) for internal systems
Principle of Least Privilege for data access
Regular Access Reviews and audit trails

Network Security:

Firewall Protection and intrusion detection
DDoS Protection and traffic monitoring
Vulnerability Scanning and penetration testing
Network Segmentation for sensitive data

12.2 Organizational Safeguards

Staff Training:

Privacy Awareness training for all employees
Data Handling Procedures and regular updates
Security Incident Response training
Annual Certification requirements

Data Processing:

Data Minimization principles applied
Purpose Limitation strictly enforced
Regular Data Audits and cleanup procedures
Data Protection Impact Assessments (DPIAs) for high-risk processing

Third-Party Management:

Due Diligence on all data processors
Data Processing Agreements with security requirements
Regular Audits of third-party security practices
Incident Notification procedures

12.3 Incident Response

Detection and Response:

24/7 Security Monitoring and alerting
Incident Response Team with defined procedures
Forensic Investigation capabilities
Communication Protocols for affected users

Breach Notification:

CNPD Notification: Within 72 hours of awareness
User Notification: Without undue delay if high risk
Remediation Measures: Immediate containment and recovery
Post-Incident Review: Process improvement and prevention

13. DATA PROCESSING

13.1 Information collected

The platform collects directly the following information:Government issued ID, address, phone number, email, bank account details, tax identification number,

14. CHILDREN’S PRIVACY

14.1 Age Restrictions

Minimum Age Requirement: 18 years

No Services for Minors: Minors will not be able to perform transactions in Caenhebo platform, aligned with Portuguese law

14.2 Minor Data Discovery

Minors will not be able to perform transactions in Caenhebo platform, aligned with Portuguese law

15. MARKETING COMMUNICATIONS

15.1 Types of Communications

Service Updates: Platform changes, security notifications
Transaction Notifications: Purchase confirmations, status updates
Promotional Content: New features, special offers, market insights
Newsletter: Industry news, company updates, educational content

15.2 Legal Basis and Consent

Service Communications: Legitimate interests (essential information)
Marketing Communications: Explicit consent required
Existing Customers: Soft opt-in for similar services
Newsletter: Separate consent required

15.3 Opt-Out Rights

Unsubscribe Links: In all marketing emails
Account Settings: Global communication preferences
Email Request: [email protected]
Immediate Effect: Opt-out processed within 48 hours

16. PRIVACY BY DESIGN AND DEFAULT

16.1 Privacy by Design Principles

Proactive not Reactive: Anticipate and prevent privacy invasions
Privacy as the Default: Maximum privacy protection without user action
Full Functionality: No unnecessary trade-offs with functionality
End-to-End Security: Secure data throughout entire lifecycle
Visibility and Transparency: Clear communication about data practices
Respect for User Privacy: User-centric design and controls

16.2 Implementation

Data Minimization: Collect only necessary data
Purpose Limitation: Use data only for stated purposes
Storage Limitation: Retain data only as long as necessary
Technical Measures: Encryption, access controls, monitoring
Organizational Measures: Training, policies, procedures

17. DATA PROTECTION IMPACT ASSESSMENTS

17.1 When DPIAs are Required

High Risk Processing: Large-scale processing of special categories
Automated Decision-Making: Significant effects on individuals
Systematic Monitoring: Large-scale monitoring of public areas
New Technologies: Innovative processing methods
Biometric Processing: Identity verification systems

17.2 DPIA Process

Scope Definition: Identify processing operations and data types
Risk Assessment: Evaluate potential privacy risks
Mitigation Measures: Implement protective measures
Stakeholder Consultation: Include DPO and affected individuals
Authority Consultation: CNPD consultation if high residual risk
Regular Review: Monitor and update as needed

18. SUPERVISORY AUTHORITY INFORMATION

18.1 Portuguese Data Protection Authority

Comissão Nacional de Proteção de Dados (CNPD)

Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal
Phone: +351 213 928 400
Fax: +351 213 976 832
Email: [email protected]
Website: www.cnpd.pt

18.2 Your Rights with CNPD

Lodge Complaints: About data protection violations
Request Investigations: Into data processing practices
Seek Remedies: Including compensation for damages
Legal Representation: Through qualified organizations

18.3 Other Relevant Authorities

European Data Protection Board (EDPB): EU-wide coordination
Estonian Data Protection Inspectorate: For Lightspark-related issues
Your Local Authority: If you reside outside Portugal

19. CHANGES TO THIS PRIVACY POLICY

19.1 Update Process

Regular Review: Annual privacy policy review
Legal Assessment: Compliance with new regulations
DPO Approval: Data Protection Officer sign-off
User Notification: 30-day advance notice for material changes
Consent Renewal: Where required by law
Version Control: Archived versions available upon request

19.2 Notification Methods

Email Notification: To all registered users
Platform Notice: Prominent banner on website/app
Account Dashboard: Notification in user account
Version History: Available at caenhebo.com/privacy-history

19.3 Material Changes Definition

New Data Categories: Collection of additional personal data types
New Purposes: Processing for different purposes
New Recipients: Sharing with additional third parties
Reduced Rights: Changes affecting user rights
New Technologies: Implementation of new processing technologies

20. CONTACT INFORMATION

20.1 Data Protection Officer

Primary Contact for Privacy Matters:

Email: [email protected]
Response Time: Within 48 hours for rights requests
Office Hours: Monday-Friday, 9:00-18:00 WET
Languages: Portuguese, English

Postal Address: Data Protection Officer
Caenhebo Sociedade Imobiliária, Unipessoal LDA
AV ENG DUARTE PACHECO AMOREIRAS TORRE 1 8º PISO SALA 3
1070-102 LISBOA
Portugal

20.2 Other Privacy Contacts

General Privacy: [email protected]
Security Incidents: [email protected] (24/7 monitoring)
Customer Support: [email protected]
Legal Notices: [email protected]

20.3 Response Timelines

Rights Requests: 2 days acknowledgment, 30 days response
Privacy Inquiries: 48 hours for general questions
Security Incidents: Immediate response for data breaches
Complaints: 5 business days for initial response

21. FINAL PROVISIONS

21.1 Language and Interpretation

Authoritative Version: English
Portuguese Translation: Available upon request
Interpretation: In case of conflict, English version prevails
Updates: All versions updated simultaneously

21.2 Relationship to Other Policies

Terms and Conditions: Complementary legal framework
Cookie Policy: Detailed cookie information
Security Policy: Technical security measures
Lightspark Privacy Policy: For virtual asset services

21.3 Severability

If any provision is found invalid or unenforceable, remaining provisions continue in full force and effect.

ACKNOWLEDGMENT

By using our Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.

Effective Date: November 18, 2025
Version: 2.1
Next Review: February 10, 2026

7.1 Strictly Necessary Cookies Cookie Name	Purpose	Duration	Provider
session_id	User session management	Session	Caenhebo
csrf_token	Security protection	Session	Caenhebo
auth_token	Authentication	7 days	Caenhebo
security_check	Fraud prevention	24 hours	Caenhebo
platform_access	Platform functionality	12 months	Caenhebo

_ga	Analytics tracking (anonymized)	24 months	Google Analytics
_gid	Session analytics	24 hours	Google Analytics
_gat	Analytics throttling	1 minute	Google Analytics
hjid	Hotjar user identification	12 months	Hotjar
performance_log	Performance monitoring	30 days	Caenhebo

7.3 Functional Cookies Cookie Name	Purpose	Duration	Provider
language	Language preference	12 months	Caenhebo
currency_display	EUR/BTC display	12 months	Caenhebo
search_filters	Saved search criteria	6 months	Caenhebo
notifications	Alert preferences	12 months	Caenhebo
accessibility	Accessibility settings	12 months	Caenhebo

7.4 Marketing Cookies Cookie Name	Purpose	Duration	Provider
_gcl_au	Google Ads conversion	90 days	Google Ads
_fbp	Facebook Pixel	90 days	Facebook
li_sugr	LinkedIn tracking	90 days	LinkedIn
ad_user_id	Advertising ID	24 months	Caenhebo
campaign_source	Marketing attribution	30 days	Caenhebo

PRIVACY POLICY