Privacy Policy

Effective date: March 2026

This document is available in English and Spanish. In case of discrepancy, the Spanish version prevails.

1. Identity of the Data Controller

The data controller responsible for the processing of your personal data is:

  • Legal name: Jeff Apel (autónomo / self-employed individual)
  • Trading name: Llave
  • Address: Valencia, Spain
  • Email: hello@llave.eu
  • Website: llave.eu

Although the appointment of a Data Protection Officer (DPO) is not mandatory for our business under Article 37 of the GDPR, we take data protection seriously. For any inquiries regarding the processing of your personal data or the exercise of your rights, please contact us at hello@llave.eu.

2. Scope and Application

This Privacy Policy applies to all personal data collected through the website llave.eu and related services (collectively, the “Platform”). It applies to all users, including visitors, registered investors, and property sellers.

This policy has been drafted in compliance with:

  • General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  • Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (“LOPDGDD”)
  • Ley 34/2002, de 11 de julio, de Servicios de la Sociedad de la Información y de Comercio Electrónico (“LSSI-CE”)

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we process your personal data, please refrain from using the Platform.

3. Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with the Platform:

Category | Data Elements | When Collected
Account data | Full name, email address, password (stored as a cryptographic hash, never in plain text), phone number, user role (investor or seller), locale/language preference | Account registration
Identity verification (KYC) | Government-issued identification document (front and back images of national ID card, passport, or driving licence), proof of address (utility bill, bank statement, or official correspondence dated within the last 3 months) | Before committing to a deal
Financial data | Investment amounts, commitment deposit history, commission records, deal transaction details. Payment card numbers and bank account details are processed directly by Stripe and are not stored on our servers. | When making or receiving payments
Usage data | IP address, browser type and version, operating system, pages visited, timestamps of visits, referring URL, device identifiers | Automatically on each visit
Communications | Messages exchanged between users through the Platform’s messaging system, contact form submissions, support request content | When you communicate through the Platform
Cookies and similar technologies | Session identifiers, language preferences, cookie consent preferences, Cloudflare bot protection tokens | See our Cookie Policy

4. Purposes and Legal Basis

We process your personal data for the purposes set out below, each with its corresponding legal basis under Article 6(1) of the GDPR:

Purpose | Legal Basis (Art. 6(1) GDPR) | Data Used
Account creation and management | (b) Performance of a contract | Name, email, password, phone, role, locale
Identity verification (KYC/AML compliance) | (c) Legal obligation (Ley 10/2010 de prevención del blanqueo de capitales; EU Anti-Money Laundering Directives) | ID documents, proof of address
Payment processing and commitment deposits | (b) Performance of a contract | Payment details (via Stripe), transaction amounts
Commission calculation and invoicing | (f) Legitimate interest (business operations) | Transaction amounts, deal value
Platform communications and notifications | (b) Performance of a contract | Messages, email address
Facilitating deal introductions (sharing contact information between investor and seller when a deal is reserved) | (b) Performance of a contract | Name, email address
Marketing communications (newsletters, promotions) | (a) Consent | Email address
Security, fraud prevention, and platform integrity | (f) Legitimate interest (protecting users and the Platform) | IP address, usage data, account activity
Compliance with legal obligations (tax, commercial, regulatory) | (c) Legal obligation | All relevant data as required by applicable law

Where processing is based on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 8).

5. Data Sharing and Third-Party Processors

We do not sell your personal data to third parties. We share data only with the following categories of recipients, each bound by a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR:

5.1 Technology service providers

Processor | Service | Data Processed | Location
Supabase Inc. | Database hosting (PostgreSQL), authentication, file storage | User data, project data, messages, KYC documents | EU-West region
Stripe Inc. | Payment processing (card and SEPA Direct Debit), PCI-DSS Level 1 compliant | Payment card data, bank details, transaction amounts, payer identity | EU, with possible US processing (SCCs in place)
Resend (Loops Inc.) | Transactional email delivery (account verification, notifications, receipts) | Email address, name, email content | EU region
Cloudflare Inc. | Content delivery network (CDN), DDoS protection, Turnstile CAPTCHA, web application firewall | IP address, HTTP request headers, browser fingerprint data | Global (EU processing, SCCs in place)
Vercel Inc. | Web application hosting, server-side rendering, edge functions | IP address, request logs, page render data | US (EU Data Processing Addendum in place)

5.2 User-to-user data sharing

When a deal reaches the “Reserved” status, the investor’s name and email address are shared with the seller, and vice versa, to facilitate the offline transaction process (notary appointment, direct communication, etc.). This sharing is a necessary part of the contract performance and is disclosed to both parties at the time of commitment.

5.3 Legal disclosures

We may disclose personal data to law enforcement authorities, regulatory bodies, or courts of law when required by applicable law, regulation, legal process, or enforceable governmental request.

6. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of our third-party processors (Stripe, Cloudflare, and Vercel) may process data outside the EEA, including in the United States.

Where personal data is transferred outside the EEA, we ensure that an adequate level of protection is in place through one or more of the following safeguards, in accordance with Chapter V of the GDPR (Articles 44–49):

  • Adequacy decisions: The European Commission has determined that the recipient country ensures an adequate level of data protection (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs): We have entered into EU-approved Standard Contractual Clauses with each processor that transfers data outside the EEA (Art. 46(2)(c) GDPR).
  • Binding Corporate Rules: Where applicable, processors have adopted binding corporate rules approved by a supervisory authority (Art. 47 GDPR).

You may request a copy of the relevant safeguards by contacting us at hello@llave.eu.

7. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods are:

Data Category | Retention Period | Basis
Active account data | Retained while account is active + 30 days after account deletion request | Contract performance; grace period for accidental deletion
KYC documents (ID, proof of address) | 5 years after the last transaction or end of the business relationship | Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo (Spanish AML law)
Financial and transaction records | 10 years from the date of the transaction | Código de Comercio (Spanish Commercial Code, Art. 30); Ley General Tributaria (tax obligations)
Usage and access logs | 12 months | LSSI-CE obligations; legitimate interest in security
Marketing consent records | Retained while consent is active; deleted promptly upon withdrawal | GDPR Art. 7(1) (demonstrating valid consent)
Platform messages | Retained while account is active; deleted 90 days after account deletion | Contract performance; dispute resolution

After the applicable retention period expires, personal data is securely deleted or anonymised so that it can no longer be associated with you.

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data. These rights are not absolute and may be subject to legal limitations (for example, we cannot erase data that we are legally required to retain).

Right of access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to request a copy of that data along with information about how it is processed.

Right to rectification (Art. 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to erasure / “right to be forgotten” (Art. 17)

You may request the deletion of your personal data when it is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing. This right is subject to legal retention obligations (see Section 7).

Right to restriction of processing (Art. 18)

You may request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.

Right to data portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit it to another controller without hindrance from us.

Right to object (Art. 21)

You have the right to object to the processing of your personal data where it is based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to withdraw consent (Art. 7(3))

Where processing is based on your consent (e.g., marketing communications), you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

How to exercise your rights

To exercise any of the above rights, please send a written request to hello@llave.eu with the subject line “Data Protection Request”. We may ask you to verify your identity before processing your request. We will respond to your request within 30 calendar days, as required by Article 12(3) of the GDPR. This period may be extended by a further 60 days for complex requests, in which case we will inform you of the extension and the reasons for it.

Right to lodge a complaint

If you believe that we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with the competent supervisory authority. In Spain, this is the:

Agencia Española de Protección de Datos (AEPD)

Website: www.aepd.es

C/ Jorge Juan, 6, 28001 Madrid, Spain

Phone: +34 901 100 099

9. Data Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Data stored in our database and file storage is encrypted at rest using AES-256 encryption.
  • Row-level security (RLS): Database-level access controls ensure that users can only access data they are authorised to view.
  • Role-based access control: Access to personal data within our team is restricted on a need-to-know basis, with distinct permission levels for different operational roles.
  • Two-factor authentication: Available for user accounts to add an additional layer of account security.
  • KYC document storage: Identity documents are stored in private, encrypted storage buckets with strict access controls. Documents are not accessible via public URLs.
  • Password security: User passwords are hashed using industry-standard cryptographic algorithms and are never stored in plain text.
  • Security monitoring: We utilise web application firewalls, DDoS protection, and bot management through Cloudflare to protect against external threats.

No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of your data. If you become aware of any security vulnerability or data breach, please contact us immediately at hello@llave.eu.

10. Children’s Privacy

The Platform is not directed at, and is not intended for use by, persons under the age of 18. We do not knowingly collect personal data from minors. If you are under 18, please do not create an account or submit any personal data through the Platform. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at hello@llave.eu.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or operational needs. When we make material changes:

  • We will notify registered users by email at least 30 days before the changes take effect.
  • We will update the “Last updated” date at the bottom of this page.
  • We will post the revised policy on this page with a clear indication of the changes made.

We encourage you to review this Privacy Policy periodically. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

  • Email: hello@llave.eu
  • Subject line: “Data Protection Inquiry”
  • Postal address: Jeff Apel, Valencia, Spain

We aim to respond to all data protection inquiries within 30 calendar days.

Last updated: March 2026