Try HabitaliApp

Data Processing Agreement

Last updated: June 2026

This document sets out the basis of the data processing agreement for cases in which a Customer uses HabitaliApp to process third-party personal data on its own behalf.

1. Parties

  • Customer: the natural or legal person that contracts or uses HabitaliApp and acts as data controller in relation to the personal data it enters or manages in the Platform. Its identifying details will be those stated in the registration form, order, contract, invoice, account panel or applicable commercial document.
  • HabitaliApp: service provided by Jose Maria Cruz Iglesias, acting as data processor in relation to that data.

2. Subject matter

The subject matter of the processing is the processing of personal data on behalf of the Customer to provide the HabitaliApp service, including features for managing communities, users, dwellings, incidents, bookings, communications, documentation, support and Platform security.

3. Duration

The processing arrangement will remain in force for the duration of the contractual relationship and, after it ends, for the time needed for return, export, deletion, blocking or compliance with applicable legal obligations.

4. Nature and purpose of processing

  • Management of communities, buildings, dwellings or units.
  • Management of users, roles, permissions and invitations.
  • Management of incidents, tasks, bookings and internal communications.
  • Document management, images and attachments.
  • Technical support, maintenance, security and abuse prevention.
  • Billing and subscription management where applicable.

5. Categories of data subjects

Customers, administrators, authorised users, residents, owners, tenants, workers, caretakers, community staff, suppliers and other third parties entered by the Customer.

6. Categories of data

  • Identification and contact data.
  • Account, access, authentication, role and permission data.
  • Community, dwelling, entrance, building or relationship data.
  • Incidents, tasks, bookings, communications, notes and documents.
  • Images or file attachments.
  • Worker data, time records, holidays or employment documents if used by the Customer.
  • Billing data where applicable.
  • Technical data, IP, logs, device, browser and security events.

7. Obligations of HabitaliApp as processor

  • Process the data only under documented instructions from the Customer.
  • Not use the data for incompatible own purposes.
  • Maintain confidentiality over the processed data.
  • Apply appropriate technical and organisational measures.
  • Assist the Customer with data subject rights where appropriate.
  • Assist with security, risk analysis and breach obligations where appropriate.
  • Delete or return data at the end of the service, unless legally required to retain it.
  • Make reasonable information available to the Customer to demonstrate compliance.
  • Control and require appropriate safeguards from subprocessors.

8. Customer obligations

  • Have a sufficient legal basis to process and enter data in the Platform.
  • Inform data subjects where appropriate.
  • Configure roles, permissions and access appropriately.
  • Do not enter sensitive data unless it has a sufficient legal basis.
  • Communicate documented instructions and relevant requests to HabitaliApp.

9. Subprocessors

The Customer authorises the use of subprocessors necessary to provide the service, such as infrastructure, hosting, communications, payment, support, security or monitoring providers, provided that they offer appropriate safeguards under the GDPR.

CategorySubprocessorPurpose
PaymentsStripe, Inc.Payment, subscription and billing portal management.
Abuse prevention securityCloudflare TurnstileProtection of forms against automated or abusive use.
Frontend infrastructureCloudflare, according to the frontend deployment configurationDelivery and technical operation of the frontend.
Backend, database, email, storage and monitoringTechnical providers used in production for each serviceProvision, support, communications, storage and security of the service.

10. Security

HabitaliApp will apply technical and organisational measures appropriate to the risk, which may include authentication, access control, permission management, encryption in transit, backups, event logging, updates, logical separation of data where applicable, minimisation and access reviews.

At minimum, access to the Platform is controlled through credentials and permissions associated with the role of the user; communications must take place through encrypted channels; session data is protected with HttpOnly cookies where applicable; relevant operations may be logged for security and traceability; and reasonable backup, system update, incident response and internal access limitation processes are maintained.

11. Security breaches

HabitaliApp will notify the Customer, without undue delay, of any personal data breach of which it becomes aware and that affects data processed on behalf of the Customer.

12. Destination of data after termination

At the end of the service, the Customer may request return, export or deletion of the data. Where no automated export exists, the request may be handled through the support channel by providing a reasonable copy in a commonly used structured format, taking into account the nature of the data and proportionate technical limitations. HabitaliApp may keep data blocked where there is a legal obligation or a need to address liabilities.

Data present in backups will be deleted or overwritten according to a limited technical cycle of up to 90 days, unless it must be kept blocked for longer due to legal obligation, security, incident recovery or liability management.