Privacy Policy
Last updated: June 2026
In accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and Spanish Organic Law 3/2018 on personal data protection and digital rights, this policy explains how personal data is processed in connection with HabitaliApp.
1. Data controller
- Identity: Jose Maria Cruz Iglesias
- Tax identification number (DNI/NIF): 70903010S
- Address: C/ Sol Oriente 11 1C, 37002 Salamanca (Spain)
- Email: contacto@habitali.app
- Trading name: HabitaliApp
2. Processing data on behalf of the Customer
When the Customer uses HabitaliApp to enter, store or manage personal data of third parties, including residents, owners, tenants, workers, suppliers or other authorised users, the Customer acts as data controller andHabitaliApp acts as data processor.
HabitaliApp will process that data only to provide the contracted service, following the documented instructions of the Customer and in accordance with the applicable data processing agreement.
You can review the applicable contractual basis on the Data Processing Agreement page.
3. Categories of data processed
Depending on how the Platform is used, the following categories may be processed:
- Identification data: name, surname and internal identifiers.
- Contact data: email address, phone number and address.
- Account, authentication, credential and permission data.
- Community, building, dwelling, entrance, role and relationship data.
- Data relating to residents, owners, tenants, workers, caretakers, suppliers or other authorised users.
- Incident, task, status, comment, image and attachment data.
- Common-area booking data and internal communications.
- Billing, subscription, plan and payment status data.
- Technical data: IP address, logs, browser, device, security events and access date/time.
HabitaliApp does not generally request special categories of personal data. However, the Customer must avoid entering sensitive information unless it has a sufficient legal basis and has fulfilled the obligations that apply to it.
4. Purposes of processing
- Create and manage user accounts.
- Provide, maintain and improve the contracted SaaS service.
- Manage communities, buildings, users, dwellings, roles and permissions.
- Manage incidents, tasks, documents, bookings and internal communications.
- Manage payments, billing, subscriptions, plan changes and renewals.
- Send transactional communications and necessary service notices.
- Provide technical support and respond to contact requests.
- Improve Platform security and prevent misuse or fraudulent activity.
- Comply with legal, tax, accounting or administrative obligations.
- Send marketing communications only where consent or another valid legal basis exists.
5. Legal bases
| Purpose | Legal basis |
|---|---|
| Registration, account management and provision of the service | Performance of a contract or pre-contractual steps. |
| Billing, accounting and tax obligations | Compliance with legal obligations. |
| Security, fraud prevention, technical logs and abuse control | Legitimate interest in keeping the Platform secure and operational. |
| Website analytics with Google Analytics | User consent for analytics cookies. |
| Marketing communications not linked to the service | Consent or the applicable legal basis in each case. |
| Third-party data entered by the Customer | Processing on behalf of the Customer as data processor. |
6. Data retention
| Category | Retention period or criterion |
|---|---|
| Account and profile data | For as long as the contractual relationship or account remains active. |
| Billing and subscription data | For the applicable legal tax, accounting and commercial periods. |
| Data entered by Customers about third parties | For the duration of the service or until deletion or export is requested under the applicable agreement. |
| Technical logs and security events | Up to 12 months, unless longer retention is required to investigate incidents, abuse, legal obligations or liabilities. |
| Backups | For a limited technical cycle of up to 90 days, unless blocked retention is required for legal obligations, security or incident recovery. |
| Leads and commercial contacts | Until withdrawal, objection or a reasonable period without interaction. |
| Support communications | For the time needed to handle the request and address potential liabilities. |
7. Providers and processors
To provide the service, HabitaliApp may use providers that process data under instructions and with appropriate safeguards in accordance with the GDPR.
| Category | Provider | Purpose |
|---|---|---|
| Frontend infrastructure | Cloudflare, according to the frontend deployment configuration | Hosting, delivery and technical operation of the website and frontend app. |
| Backend infrastructure and database | Technical backend and database infrastructure provider used in production | Hosting of the API, database and associated services. |
| Payments and subscriptions | Stripe, Inc. | Payment, subscription, invoicing and customer portal management. |
| Transactional email | Technical transactional email provider used in production | Sending necessary notices, support messages, invitations and operational communications. |
| Abuse prevention security | Cloudflare Turnstile | Anti-abuse verification in contact, registration or login forms. |
| Document and image storage | Technical storage provider used in production | Storage of attachments, documents and images uploaded by users. |
| Analytics | Google Analytics, only if the user accepts analytics cookies | Aggregate measurement of website usage and improvement of content and navigation. |
| Monitoring and logs | Internal tools or technical observability provider used in production | Diagnostics, security, performance and incident resolution. |
HabitaliApp will not disclose personal data to third parties for their own purposes unless required by law or where a valid legal basis exists.
8. International transfers
Some providers, such as Stripe or Google Analytics, may process data from outside the European Economic Area. Where providers located outside the EEA are used, appropriate safeguards under the GDPR will apply, such as adequacy decisions, standard contractual clauses or other legally valid mechanisms.
This policy does not state that all providers are located in a specific country or subject to a specific mechanism until the final list of subprocessors has been confirmed.
9. Rights of data subjects
You may exercise the rights of access, rectification, erasure, objection, restriction of processing, data portability and withdrawal of consent, where applicable, by writing to contacto@habitali.app.
We may request additional information to verify your identity where necessary. If you believe that processing infringes data protection law, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).
Where HabitaliApp acts as data processor, requests relating to data entered by the Customer may be referred to the Customer acting as controller so that it can handle them in accordance with its obligations.
10. Security measures
Appropriate technical and organisational measures are applied, such as authentication, use of HttpOnly session cookies, encrypted communications when the Platform is served over HTTPS, role-based access control, community-level permissions, technical logs and anti-abuse measures in forms.
In general, access to data is limited to authorised users, permissions are reviewed when roles or responsibilities change, dependencies and systems are kept up to date, relevant technical events are logged to detect incidents, reasonable backups are maintained and minimisation criteria are applied so only the data needed to provide the service is processed.
These measures may be updated according to the evolution of the Platform, the state of the art, detected risks and applicable obligations.
11. Cookies and similar technologies
HabitaliApp uses technical cookies that are necessary for the operation of the service and Google Analytics cookies only if the user gives consent. For more information, see the Cookie Policy.
12. Changes to this policy
This policy may be updated to reflect legal, technical or functional changes. Relevant changes will be communicated by notice on the website, in the Platform or by email where appropriate.
13. Related documents
We recommend that you also review the Terms and Conditions, the Legal Notice and the Data Processing Agreement.