I. General Provisions

This Privacy Policy describes how the personal data of users (hereinafter: “Users”) are collected, processed and stored in order to provide electronic services via the website https://levante-estate.com (hereinafter: the “Website”).

The Website collects only the personal data that are necessary for the provision and development of the services offered on it.

Personal data collected via the Website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter: “GDPR”) and applicable national data protection laws, in particular the Spanish data protection law and other relevant legislation in force in Spain.

II. Data Controller

The controller of personal data collected through the Website is Aleksandra Posmyk, address: Calle Pueblo Camelot D11, 29692 Manilva, Málaga, Spain, Company Register no.: [number], Tax ID (NIF): [number], Business ID: [number], e‑mail address: aleksandra@levante-estate.com (hereinafter: the “Controller”).

III. Purposes and Legal Bases of Processing

Personal data are processed for the following purposes:

1. Registration of a User account and verification of the User’s identity.
   Legal basis: Article 6(1)(b) GDPR (performance of a contract or taking steps at the request of the data subject prior to entering into a contract).

2. Enabling the User to log in to the Website.
   Legal basis: Article 6(1)(b) GDPR.

3. Performance of contracts for services and e‑services.
   Legal basis: Article 6(1)(b) GDPR.

4. Communication with the User (e.g. live chat, contact form, e‑mail, telephone).
   Legal basis: Article 6(1)(b) GDPR – where communication relates directly to the contract or service;
   Article 6(1)(f) GDPR – legitimate interest of the Controller in handling enquiries and maintaining business contact.

5. Sending a newsletter (after the User has given consent to receive it).
   Legal basis: Article 6(1)(a) GDPR (consent).

6. Operating a comments system and social features (where available).
   Legal basis: Article 6(1)(b) GDPR – provision of functionality requested by the User;
   Article 6(1)(f) GDPR – legitimate interest in developing the Website and community.

7. Promotion of the Controller’s offer, marketing, remarketing and affiliation activities, including personalised marketing.
   Legal basis: Article 6(1)(a) GDPR – where required, on the basis of consent (e.g. for electronic direct marketing);
   Article 6(1)(f) GDPR – legitimate interest in promoting the Controller’s services.

8. Personalisation of the Website for Users, including adjusting content and offers.
   Legal basis: Article 6(1)(f) GDPR – legitimate interest in improving the quality and relevance of services;
   in the case of profiling based on cookies or similar technologies – Article 6(1)(a) GDPR (consent via cookie banner / settings).

9. Analytical and statistical activities (e.g. Website traffic analysis, service development).
   Legal basis: Article 6(1)(f) GDPR – legitimate interest in analysing how the Website is used and improving its functioning.

10. Debt collection, establishment, exercise or defence of legal claims.
    Legal basis: Article 6(1)(f) GDPR – legitimate interest in protecting the Controller’s rights.

Providing personal data is voluntary, but necessary to conclude a contract or to use certain functionalities of the Website (e.g. contact form, newsletter, account registration). Failure to provide the required data may make it impossible to provide the relevant service.

IV. Categories of Processed Personal Data

The Controller may process, in particular, the following personal data of Users:

• first name and surname,
• date of birth,
• residential address,
• e‑mail address,
• telephone number,
• tax identification number (NIF/NIP/VAT number),
• data provided voluntarily by the User in messages or forms (e.g. additional information regarding an enquiry).

V. Period of Data Storage

Users’ personal data will be processed for the period necessary to achieve the purposes for which they were collected, i.e.:

1. Where the legal basis for processing is the performance of a contract – for the duration of the contract and until the expiry of any claims related thereto (as a rule, up to 5 or 6 years, depending on the applicable limitation periods under Spanish or other applicable law).

2. Where the legal basis for processing is consent – until such consent is withdrawn, and thereafter for the period necessary for the establishment, exercise or defence of possible claims, but no longer than the applicable limitation period.

In all cases, the Controller applies the limitation periods resulting from applicable law (in particular civil law and tax law) and retains data to the extent necessary to comply with legal obligations (e.g. accounting and tax obligations).

VI. Recipients of Personal Data and Transfers

Users’ personal data may be disclosed to:

• entities affiliated with the Controller,
• service providers and subcontractors acting on behalf of the Controller (e.g. IT service providers, hosting providers),
• entities providing payment services (e‑payments),
• courier and postal operators,
• legal and tax advisers, law firms,
• marketing and analytics service providers (where applicable and subject to appropriate data protection arrangements).

Personal data will generally not be transferred outside the European Economic Area (“EEA”).
If, in exceptional cases, data are transferred to a third country (outside the EEA), such transfer will take place only:

• to countries for which the European Commission has issued an adequacy decision, or
• on the basis of appropriate safeguards referred to in Articles 46–49 GDPR (such as standard contractual clauses), and the User will be appropriately informed of such transfer.

VII. Users’ Rights

The User has the following rights in relation to the processing of their personal data:

• the right of access to their personal data (Article 15 GDPR),
• the right to rectification of their data (Article 16 GDPR),
• the right to erasure of data (“right to be forgotten”) in circumstances specified in Article 17 GDPR,
• the right to restriction of processing (Article 18 GDPR),
• the right to data portability (Article 20 GDPR),
• the right to object to processing based on Article 6(1)(e) or (f) GDPR, including profiling (Article 21 GDPR),
• the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

A request to exercise any of the above rights should be sent to the following e‑mail address: [contact e‑mail for data protection].

The Controller will respond to the User’s request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The Controller will inform the User of any such extension.

The User also has the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

VIII. Cookies and Similar Technologies

The Website uses cookies and similar technologies (session cookies, persistent cookies and third‑party cookies).

Cookies are used in particular to:

• ensure the correct functioning and security of the Website,
• maintain User sessions,
• remember User settings,
• compile statistics on the use of the Website and improve its operation,
• personalise content and, where applicable, tailor advertising (subject to the User’s consent where required by law).

When visiting the Website for the first time, the User is shown a cookie banner, informing them about the use of cookies and allowing them to manage their preferences. The use of non‑essential cookies (e.g. for analytical or marketing purposes) is based on the User’s consent.

The User can change cookie settings at any time via:

• the cookie management tool available on the Website (if implemented), and/or
• browser settings (the method of changing settings depends on the browser used).

Restricting the use of cookies may affect some functionalities of the Website.

IX. Automated Decision‑Making and Profiling

Users’ data are not subject to automated decision‑making in the sense of Article 22 GDPR that would produce legal effects concerning them or similarly significantly affect them.

Users’ data may be processed for profiling purposes, in particular to tailor content and personalise offers (e.g. based on activity on the Website, previous enquiries or chosen preferences), only where the User has given consent to such processing where required by law. Profiling does not lead to automated decisions with legal or similarly significant effects.

X. Final Provisions

The Controller reserves the right to amend this Privacy Policy, in particular in the event of:

• changes in applicable data protection law,
• development of the Website or changes in the services offered,
• changes in the technologies used.

Users will be informed of any material changes by means of a notice published on the Website and, where appropriate, by other communication channels (e.g. e‑mail).

In matters not covered by this Privacy Policy, the provisions of the GDPR and applicable provisions of Spanish and EU law shall apply.