Legal Document

Privacy and Data Protection Policy

At Realo platform, we take your privacy seriously. This policy explains what data we collect, why we collect it, how we use it, when we share it, and how you can exercise your rights. This document is designed to be as comprehensive as possible and covers realistic use cases for real estate project page creation and management platforms.

Important Disclosure

This Privacy Policy is a formal disclosure regarding Realo's data practices. Users may require supplemental agreements, such as a Data Processing Agreement (DPA), for organizational compliance or regulatory requirements.
Users (our customers) act as 'Independent Controllers' for any data collected through their own tracking implementations (e.g., Pixel, GA4, GTM) on their project pages and are responsible for their own compliance and visitor disclosures.
Compliance obligations may vary based on your jurisdiction, industry (e.g., real estate, finance, government), and the nature of the data processed.

1) Scope and application of the Policy

This Privacy Policy governs the processing of personal data across all Realo services, including the administrative dashboard, project management tools, and hosted marketing pages.

It applies to registered users, their authorized team members, and visitors to project pages.
By accessing our services, you acknowledge the terms of this policy.
Specific integrations or business features may be subject to additional privacy terms.
Official communication channels (such as mail, support, and WhatsApp) when linked to the service.

This policy does not apply to services, sites, or platforms we do not control (such as WhatsApp/YouTube/Third-party maps) even if accessed via a link from Realo. Those parties are subject to their own policies.

2) Definitions

Realo / we / the Platform: means Realo service, its website, and any associated properties.
User / Customer: The natural or legal person who creates an account and uses the dashboard.
End Beneficiary / Visitor: Anyone browsing the public project pages created by users.
Personal Data: Any data that may identify a person directly or indirectly (such as name, mobile number, email, technical identifiers).
Sensitive Data: Special categories of data that require additional protection according to regulations.
Processing: Any operation on the data (collection, storage, modification, display, sharing, deletion...).
Controller: Whoever determines the purposes and criteria of data processing.
Processor: Whoever processes data on behalf of the controller and according to their instructions.

3) Roles of Parties (Controller/Processor/User)

3.1 Realo's Role

Regarding your account data and your contractual relationship with us (account creation, payment, support), we are mostly the data controller.
Regarding the content data you upload to your project pages (images, prices, descriptions, license numbers, contact data), we may be a processor on your behalf, and you are the controller in what you decide to publish and collect from your audience.
In some cases, we may be joint independent controllers if shared tracking/measurement features belonging to the platform are enabled.

3.2 User's Role

You are responsible for the accuracy and legality of the data you enter or post via the platform.
You are responsible for providing privacy/consent notices to your page visitors if you use tracking codes.
You are responsible for any 'third-party data' you upload and ensuring you have a legal basis for processing it.

3.3 Data Processing Agreement (DPA)

For corporate/institutional clients, we may provide (upon request) a 'Data Processing Agreement' appendix that defines: processing scope, controller instructions, security procedures, duration, and assistance in data subject requests.

4) Legal Basis and Purposes of Processing

We process data according to appropriate legal bases as the case may be. Examples include:

4.1 Contract Performance and Service Delivery

Account creation and management.
Providing hosting and media and making public pages available.
Providing system features (projects/units/templates/links).
Providing technical support and billing.

4.2 Regulatory Compliance/Obligations

Responding to regulatory requests from competent authorities.
Keeping specific records for accounting/compliance purposes when necessary.
Dealing with official reports and abuse.

4.3 Consent (when needed)

Marketing messages (if the system requires it).
Non-essential cookies/analytics according to settings.
Collecting additional optional data in forms.

4.4 Legitimate Interest/Improvement

Improving performance and service stability.
Fighting fraud and abuse.
Performing internal measurements (non-marketing) to raise quality.

4.5 Data Minimization

We adhere to the 'minimum' principle: we collect and retain only what is necessary to achieve the stated purposes, with periodic reviews for reduction and deletion when the need ends.

5) Data We Collect (Detailed)

5.1 Account Creation and Management Data

Name, mobile number, email address.
Login data (encrypted/hashed).
Company name, activity, and administrative contact information.
Important change logs (Audit Logs).

5.2 Billing and Payment Data

Invoice data (name, address, tax number).
Subscription information and status.
We do not typically store full card numbers (processed via an external provider).

5.3 Project and Unit Data

Project name, description, facilities, warranties, templates, and colors.
Location (coordinates/map/address).
Unit data (code, area, price, rooms, status).
Media (images, video, brochures).
Regulatory data (advertisement number, license number).

5.4 Technical Support Data

Support correspondence, complaint tickets, and technical investigations.

5.5 Automatic Technical Data

IP address, device type, browser, operating system.
Session identifiers and necessary Cookies.
Access timings and performance measurements.

5.6 What We Do Not Want to Collect

The platform does not typically request unnecessary sensitive data. We recommend not entering: identity numbers, health data, or customer bank data within project descriptions.

6) Data Sources

Directly from you: When registering, entering data, or contacting support.
From your device/browser: Automatic technical data.
From our service providers: Such as payment provider, mail provider, or hosting provider.
From third parties at your direction: If you link a domain or add GTM or maps.

7) How We Use Data (Detailed)

7.1 Service Operation

Creating and managing accounts and permissions.
Displaying project and unit pages to visitors.
Hosting media and activating templates.

7.2 Improvement and Analytics

Analyzing performance and handling malfunctions.
Measuring feature usage and developing new features.

7.3 Technical Support

Answering inquiries and diagnosing malfunctions.

7.4 Billing and Subscriptions

Managing plans, issuing invoices, and verifying payment.

7.5 Security and Fraud Prevention

Encrypting communications and detecting suspicious activities.

7.6 Restrictions

We will not sell your personal data as a commodity to a third party.

8) Cookies, Analytics and GTM

8.1 Essential Cookies

For login, session management, and protection.

8.2 Analytical Cookies

To measure performance and user experience (we may request your consent).

8.3 GTM Integration for Users

You assume responsibility for informing your page visitors and obtaining consents when activating your own GTM.

8.4 Notice to Page Visitors

Project pages may contain tracking codes belonging to the user and subject to their policies.

10) Data Retention and Disposal

10.1 Account Data

Saved as long as the account is active.

10.2 Billing Data

Saved according to accounting/tax requirements.

10.3 Media

Remains available as long as the project is published or the account is active.

10.4 Technical Logs

Saved for shorter periods for security and diagnosis.

10.5 Disposal

We delete or anonymize data upon end of purpose.

11) Data Security and Protection

We apply reasonable and advanced technical and organizational controls to protect data. Examples include:

11.1 Technical Controls

Encryption of communications (TLS/HTTPS).
Password hashing/encryption.
Environment isolation and access keys management.
Backups and recovery controls.
Protection against common attacks (Rate limiting, WAF if applicable).

11.2 Organizational Controls

Restricting access to specific employees based on roles.
Periodic access rights reviews.
Security incident reporting and handling procedures.
Internal awareness of confidentiality requirements.

11.3 User's Security Responsibility

Keep your password confidential and do not share it.
Use strong passwords and enable additional security measures when available.
Regularly review user permissions within your organization.

Note: No method of transmission or storage over the Internet is 100% secure, but we exert best reasonable practices to minimize risks.

12) Incidents and Breach Reporting

Incident Response Framework

When a breach/leak/unauthorized access is suspected, we work according to a methodology that includes: Containment, Investigation, Remediation, and Documentation.

12.1 Notification

We will notify affected customers when an actual impact on their data is verified, in accordance with regulatory requirements.
We may notify the competent authority when required by laws and regulations.
Notification may include: nature of the incident, its scope, affected data, our actions, and guidance to mitigate impact.

12.2 User Cooperation

We may request confirmations or information to assist in the investigation (e.g., who has permissions).
If the cause is related to your settings (e.g., GTM/external links/malicious content), you may need to take corrective actions on your end.

13) User Content and Responsibilities

13.1 You are responsible for the content you publish

Accuracy of prices, areas, photos, and specifications.
Correctness of license numbers and real estate ads you enter.
Possession of usage rights for images, videos, and files.

13.2 Prohibited Content (Examples)

Fraudulent/misleading content or content attributed to projects you don't have the right to display.
Content that violates intellectual property rights or the privacy of others.
Sensitive data of customers without a legal basis or necessity.
Links or files containing malware or unauthorized hidden tracking.

13.3 Our actions upon suspicion of violation

We may request clarifications or verification documents.
We may suspend the publication of a page/project/file pending remediation.
We may delete violating content or restrict the account in serious cases.
We may comply with requests from competent authorities when necessary.

14) Your Rights and How to Exercise Them

Depending on applicable regulations, you may have rights including:

Right to knowledge/notification of how data is collected and used.
Right to access your data and obtain a copy (where applicable).
Right to correct inaccurate data or update it.
Right to request destruction/deletion when the need ends, without violating our regulatory obligations.
Right to withdraw consent (where processing is based on consent).
Right to object or restrict certain processing (subject to regulatory controls).

14.1 How to Submit a Request

Send your request via email: support@realo.digital
Include: account name, email/mobile number, type of request, and any details that help us.

14.2 Verification and Exceptions

We may request proof of identity/account ownership before responding.
We may reject/postpone the request if it conflicts with a regulatory obligation, affects the rights of others, or is abusively repetitive.
We may retain some data for purposes of an ongoing dispute or accounting/security compliance.

15) Children's Data

The service is directed at businesses/real estate and is not intended for children.
We do not intend to collect children's data. If you are aware of a child's data in your account/content, please delete it or contact us.
We may request parent/guardian consent if required by law and depending on the case.

16) Marketing Communications and Preferences

We may send necessary service messages (invoices, security alerts, important changes).
We may send marketing messages/offers if regulations allow or based on your consent.
You can unsubscribe from marketing messages via the unsubscribe link or by contacting us.
Unsubscribing from marketing does not prevent necessary service messages.

17) Automated Processing and Decision Making

We may use automated rules to combat fraud/spam or to protect the platform, such as:

Identifying and temporarily blocking repeated failed login attempts.
Suspending file uploads upon suspicion of harmful behavior (based on technical indicators).
Hiding/disabling pages when there are high-reliability reports pending review.

If your account is affected by an incorrect automated action, contact us and we will review the case manually.

18) External Links and WhatsApp/YouTube/Maps

WhatsApp: When clicking the WhatsApp button, the WhatsApp service opens subject to its policies, and it may collect its own technical data.
YouTube: Embedding a YouTube video may allow YouTube to place Cookies/identifiers according to its embedding settings and policies.
Maps: Displaying maps may go through an external provider (like Google) and is subject to its policies.

Tip

If you wish to reduce external tracking, use links instead of embedding (Embed) or adjust privacy settings with third-party providers where possible.

19) Amendments to the Policy

We may update this policy to reflect changes in the service, our providers, or regulatory requirements.

We will publish the updated version on this page.
We may send a notification via email or within the platform when there is a material change.
Your continued use of the service after the update is published may be considered acceptance of the update where permitted by law.

20) Communication and Complaints

For inquiries, rights requests, or security reports:

Email: support@realo.digital

If you are a visitor to a project page created by a Realo user and want to exercise your rights regarding tracking/forms belonging to the user, you may need to contact the user directly as the controller of that data.

21) Appendix: Examples and Real-World Scenarios (Conflict Coverage)

21.1 Dispute: 'My photos appeared on a project page without my permission'

If you are the right holder, contact us and provide the page link and proof of right (ownership/authorization).
We may request reasonable proof before removal.
We may temporarily suspend the page pending verification if the report is serious.

21.2 Dispute: 'Incorrect license/advertisement number on a page'

The user is responsible for the accuracy of entry.
We may cooperate to remove/modify content or suspend publication upon indicators of serious violation.
We may comply with requests from competent authorities when necessary.

21.3 Dispute: 'Tracking/Pixel on a project page'

If tracking is added via the user's GTM, the user is an independent controller of those tools.
We can restrict/remove tracking codes if they violate our terms or cause clear security harm.

21.4 Dispute: 'Request to delete all data'

We will evaluate the request and implement it within the limits of regulatory obligations, backups, and disputes.
We may retain a minimum of necessary records to prevent fraud or for accounting/compliance purposes.

21.5 Dispute: 'Leak through a third party'

We use providers with controls and contracts. A residual risk may occur with any digital system.
In the event of a confirmed incident, we follow the response framework and notify as required.
If the cause is the user's settings (e.g., malicious external link), it may require correction from the user's side.

21.6 Concluding Note

This appendix does not limit the rest of the policy terms; it is for practical clarification of recurring scenarios.

Last updated: December 31, 2025