Privacy Policy
Effective Date: November 18, 2025 · Version 2.1
1. Data Controller Information
1.1 Primary Data Controller
- Company Name: Caenhebo Sociedade Imobiliária, Unipessoal LDA
- Registration Number: 2019060767
- VAT Number: 515774995
- Registered Address: Rua Carlos Alberto da Mota Pinto, Edifício Amoreiras Square, 17, 3º piso A, 1070-046, Lisboa, Portugal
Contact Information:
- Website: https://caenhebo.com
- General Support: support@caenhebo.com
- Data Protection Officer: dpo@caenhebo.com
- Privacy Inquiries: privacy@caenhebo.com
- Security Issues: security@caenhebo.com
1.2 Brokerage Services Data Management
We are a company duly incorporated and registered in Portugal, operating as a licensed real estate brokerage under License Number 25990 issued by the Instituto dos Mercados Públicos, do Imobiliário e da Construção (IMPIC).
1.3 Third-Party Data Controller
Managed by Lightspark Payments Europe AS
- Registry Code: 16298772
- Address: Pärnu mnt 110, Kesklinna linnaosa, 11313 Tallinn, Estonia
- Role: Data controller for virtual asset services, vIBAN services, KYC/AML processing
- License: Virtual Asset Service Provider (License Number: FVT000546)
2. Scope and Applicability
2.1 Covered Services
This Privacy Policy applies to:
- Caenhebo Platform (https://caenhebo.com)
- Mobile and desktop applications
- Customer support services
- Marketing communications
- All related services and features
2.2 Geographic Scope
This Policy applies to personal data processing for users in the European Union, European Economic Area, and worldwide, in accordance with:
- EU General Data Protection Regulation (GDPR) – Regulation 2016/679
- Portuguese Data Protection Law – Lei n.º 58/2019
- ePrivacy Directive – Directive 2002/58/EC
- Portuguese AML Law – Law No. 83/2017
3. Legal Bases for Processing
Performance of Contract (Article 6(1)(b))
- Account creation and management
- Transaction processing and completion
- Customer support services
- Platform functionality delivery
Legal Obligation (Article 6(1)(c))
- Regulatory reporting requirements
- Court orders and legal process
Legitimate Interests (Article 6(1)(f))
- Platform security and fraud prevention
- Analytics for service improvement
- Direct marketing (with opt-out rights)
- Business operations and administration
Consent (Article 6(1)(a))
- Marketing communications
- Optional data processing activities
- Cookies (non-essential)
- Data sharing with non-essential third parties
4. Categories of Personal Data Collected
4.1 Identity and Contact Information
- Full legal name and previous names
- Date and place of birth
- Nationality and citizenship status
- Residential and business addresses
- Email addresses and phone numbers
- Emergency contact information
- Government-issued identification documents
4.2 Financial and Transaction Data
- Bank account details (IBAN, SWIFT codes)
- Income and employment information
- Tax identification numbers
4.3 Technical and Usage Data
- IP addresses and device identifiers
- Browser type, version, and settings
- Operating system and hardware specifications
- Access logs and timestamps
- Platform usage patterns
- Search queries and interactions
- Performance and error data
- Location data (GPS coordinates with consent)
4.4 Communication Data
- Messages between platform users
- Customer support interactions
- Email correspondence
- Call recordings (with notice)
- Survey responses and feedback
- Marketing interaction data
5. Purposes of Processing
5.1 Primary Service Purposes
- Platform Operation: Account management, transaction processing, user authentication
- Property Transactions: Listing management, buyer-seller matching, transaction facilitation
- Customer Support: Issue resolution, technical assistance, complaint handling
5.2 Compliance and Legal Purposes
- Regulatory Compliance: KYC/AML obligations, tax reporting, regulatory submissions
- Legal Process: Court orders, regulatory investigations, law enforcement cooperation
- Risk Management: Fraud detection, security monitoring, sanctions screening
5.3 Business Operations
- Analytics: Platform improvement, usage analysis, performance optimization
- Marketing: Service promotion, customer communication, market research
- Security: Platform protection, incident response, vulnerability management
6. Data Sharing and Recipients
6.1 Essential Service Providers
Lightspark Payments Europe AS (Data Controller)
- Services: Virtual asset wallet, vIBAN services, KYC/AML processing
- Legal Basis: Contract performance, legal obligation
- Data Shared: Identity documents, financial information, transaction data
- Location: Pärnu mnt 110, Kesklinna linnaosa, 11313 Tallinn, Estonia
- User Control: Required for platform functionality
Data verification provider (Data Processor by third-party contractor)
- Services: Identity verification and document authentication
- Role: Processor acting on behalf of third-party provider
- Data Shared: Identity documents, biometric data
- Safeguards: Data Processing Agreement, GDPR compliance
6.2 Other Service Providers (Data Processors)
- Cloud Hosting: AWS, Google Cloud (EU regions)
- Payment Processing: Licensed payment service providers
- Customer Support: Support platform providers
- Analytics: Anonymized/pseudonymized data only
- Marketing: Email service providers, advertising platforms
6.3 Business Transfer Recipients
In case of merger, acquisition, or asset sale, personal data may be transferred to successors with equivalent privacy protections.
7. International Transfers
7.1 Within EU/EEA
Primary data processing occurs within the EU/EEA: Portugal (Caenhebo operations), Estonia (Lightspark services), Ireland (cloud infrastructure), Germany (support services).
7.2 Transfers Outside EU/EEA
- United States: cloud service providers and analytics providers, protected by Standard Contractual Clauses (SCCs) and adequacy decisions; data types limited to technical and usage data (pseudonymized).
- Other Third Countries: only with adequate protection measures (SCCs, Binding Corporate Rules, adequacy decisions).
7.3 Transfer Safeguards
All international transfers are protected by EU Commission adequacy decisions, 2021 Standard Contractual Clauses, or approved codes of conduct/certification mechanisms.
8. Data Retention
8.1 General Retention Periods
Active Account Data:
- Identity Information: Duration of relationship + 5 years
- Transaction Records: 10 years (AML compliance requirement)
- Financial Data: 7 years (tax law requirement)
- Technical Logs: 12 months
- Marketing Data: Until withdrawal of consent
Closed Account Data:
- Core Identity Data: 5 years after account closure
- AML/Compliance Data: 10 years after last transaction
- Legal/Dispute Data: Until resolution + statute of limitations
8.2 Specific Legal Requirements
- Portuguese AML Law: Minimum 5 years, up to 10 years for complex cases
- Tax Obligations: 7 years for financial records
- Criminal Proceedings: Until completion + appeals period
- Regulatory Investigation: Until conclusion + potential appeal period
8.3 Data Deletion
After retention periods expire: secure deletion of all personal data, anonymization for statistical purposes only. Exception: legal proceedings or regulatory requirements may extend retention.
9. Your Data Protection Rights
9.1 Core GDPR Rights
- Right of Access (Article 15) — request copies of your personal data and processing information. Response time: 30 days.
- Right to Rectification (Article 16) — correct inaccurate or incomplete data. Response time: 30 days.
- Right to Erasure ("Right to be Forgotten") (Article 17) — delete data when no longer necessary, subject to legal retention requirements.
- Right to Restrict Processing (Article 18) — temporarily limit processing in specific circumstances.
- Right to Data Portability (Article 20) — receive data in a structured, machine-readable format.
- Right to Object (Article 21) — object to processing based on legitimate interests, to direct marketing (absolute right), and to profiling/automated decision-making.
9.2 Exercising Your Rights
- Email: privacy@caenhebo.com
- Subject Line: "Data Protection Rights Request – [Your Name]"
- Include: Full name, account email, specific request details
- Identity Verification: May require additional verification
- Acknowledgment: Within 2 business days
- Response: Within 30 days (extendable to 90 days for complex requests)
- Cost: First request free; subsequent requests may incur reasonable fees
10. Automated Decision-Making and Profiling
10.1 Automated Processing Activities
- Risk Scoring — AML/fraud risk assessment based on transaction patterns, behavior analysis and sanctions screening. Consequences: account restrictions, enhanced verification. Human review available upon request.
- Platform Recommendations — property matching and user experience optimization based on search history, preferences and behavior. Can be disabled in account settings.
10.2 Your Rights Regarding Automated Decisions
You may request human review of automated decisions, express your point of view, and contest the decision and request reconsideration.
11. Cookies and Tracking Technologies
This Privacy Policy is complemented by our full Cookie Policy. Cookie categories: strictly necessary (legitimate interests, cannot be disabled), performance/analytics (consent), functional (consent), and marketing/advertising (consent). A cookie banner provides clear consent options on first visit, with granular control in a settings panel. Do Not Track signals are respected where technically feasible.
12. Data Security Measures
12.1 Technical Safeguards
- Encryption: TLS 1.3 in transit, AES-256 at rest, Hardware Security Modules (HSMs) for key management.
- Access Controls: Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC), principle of least privilege, regular access reviews and audit trails.
- Network Security: Firewall protection, intrusion detection, DDoS protection, vulnerability scanning, penetration testing, network segmentation.
12.2 Organizational Safeguards
- Staff privacy awareness training and annual certification.
- Data minimization and purpose limitation, regular data audits, Data Protection Impact Assessments (DPIAs).
- Third-party due diligence, Data Processing Agreements, regular audits, incident notification procedures.
12.3 Incident Response
24/7 security monitoring, defined incident-response procedures, forensic investigation capabilities. Breach notification: CNPD within 72 hours of awareness; affected users without undue delay if high risk.
13. Data Processing
The platform directly collects the following information: government-issued ID, address, phone number, email, bank account details, tax identification number.
14. Children's Privacy
Minimum age requirement: 18 years. Minors will not be able to perform transactions on the Caenhebo platform, in line with Portuguese law.
15. Marketing Communications
15.1 Types of Communications
Service updates, transaction notifications, promotional content, and newsletter.
15.2 Legal Basis and Consent
Service communications rely on legitimate interests; marketing communications require explicit consent; newsletter requires separate consent.
15.3 Opt-Out Rights
Unsubscribe links in all marketing emails, global communication preferences in account settings, or email request to privacy@caenhebo.com. Opt-out processed within 48 hours.
16. Privacy by Design and Default
Principles applied: proactive not reactive; privacy as the default; full functionality; end-to-end security; visibility and transparency; respect for user privacy. Implemented via data minimization, purpose limitation, storage limitation, technical measures (encryption, access controls, monitoring) and organizational measures (training, policies, procedures).
17. Data Protection Impact Assessments
DPIAs are required for high-risk processing, automated decision-making with significant effects, systematic monitoring, new technologies, and biometric processing. The DPIA process covers scope definition, risk assessment, mitigation measures, stakeholder consultation, authority consultation (CNPD) if high residual risk, and regular review.
18. Supervisory Authority Information
Comissão Nacional de Proteção de Dados (CNPD)
- Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal
- Phone: +351 213 928 400
- Fax: +351 213 976 832
- Website: www.cnpd.pt
You may lodge complaints, request investigations, and seek remedies including compensation. Other relevant authorities: the European Data Protection Board (EDPB) and the Estonian Data Protection Inspectorate (for Lightspark-related issues).
19. Changes to This Privacy Policy
Annual review, legal assessment, DPO approval, and 30-day advance notice for material changes (email, platform notice, account dashboard). Material changes include new data categories, new purposes, new recipients, reduced rights, or new technologies.
20. Contact Information
Data Protection Officer
- Email: dpo@caenhebo.com
- Response Time: Within 48 hours for rights requests
- Office Hours: Monday–Friday, 9:00–18:00 WET (Portuguese, English)
- Postal Address: Data Protection Officer, Caenhebo Sociedade Imobiliária, Unipessoal LDA, Av. Eng. Duarte Pacheco, Amoreiras Torre 1, 8º piso, sala 3, 1070-102 Lisboa, Portugal
Other Privacy Contacts
- General Privacy: privacy@caenhebo.com
- Security Incidents: security@caenhebo.com (24/7 monitoring)
- Customer Support: support@caenhebo.com
- Legal Notices: legal@caenhebo.com
21. Final Provisions
The authoritative version of this policy is English; a Portuguese translation is available upon request, and in case of conflict the English version prevails. This Privacy Policy is complementary to the Terms and Conditions, Cookie Policy, Security Policy, and Lightspark's Privacy Policy. If any provision is found invalid or unenforceable, the remaining provisions continue in full force and effect.
By using our Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.