Privacy Policy
Introduction
The privacy of your data — and it is your data, not ours — is a big deal to us. In this policy, we lay out what data we collect and why, how your data is handled, and your rights with respect to your data. We promise we never sell your data: never have, never will.
This policy applies to the website casavanguardia.co and all related services (together, “the Service”) operated by Far Horizons OÜ.
Data Controller
The data controller responsible for your personal data is:
| Company | Far Horizons OÜ |
|---|---|
| Registry code | 14863934 |
| Address | Sepapaja 6, 15551 Tallinn, Estonia |
| Privacy email | privacy@farhorizons.io |
What We Collect and Why
Our guiding principle is to collect only what we need. Here is what that means in practice.
Account Data
When you create an account on CasaVanguardia, we collect your name and email address through our authentication provider, Clerk. If you sign in with a social provider (e.g. Google), we receive the name and email associated with that account. We collect this so you can personalise your experience, save favourite listings, and receive responses to any inquiries you make.
Legal basis: Performance of contract (GDPR Art. 6(1)(b)) — necessary to provide you with an account and the features that come with it.
Property Inquiry Data
When you submit an inquiry about a property listing, we collect your name, email address, phone number (if provided), message content, IP address, and user agent. This data is necessary to forward your inquiry to the relevant estate agent or property owner and to prevent abuse of the inquiry system.
When your inquiry is forwarded to an agent or agency, both CasaVanguardia and the receiving agent act as joint controllers of your inquiry data under GDPR Article 26. For details of how responsibilities are divided, see our Joint Controller Agreement.
Legal basis: Performance of contract (Art. 6(1)(b)) for delivering your inquiry; legitimate interest (Art. 6(1)(f)) for fraud prevention and abuse detection.
Scraped Listing Data
CasaVanguardia aggregates property listing data from publicly available sources using automated crawling tools. This data includes property descriptions, prices, locations, images, and agent contact details as published on public websites. This data is not personal data in most cases; where it does include personal data (e.g. agent names and business contact details), it is data that has been made manifestly public by the data subjects themselves.
Legal basis: Legitimate interest (Art. 6(1)(f)) — operating a property search portal that makes publicly available listing information easier to find and compare.
Media and Uploads
If you or an agent upload images or documents, we may process EXIF metadata (camera model, GPS coordinates, timestamps) embedded in image files and photographer attribution data. EXIF metadata is stripped from publicly displayed images but may be retained for internal quality and rights management purposes.
Legal basis: Legitimate interest (Art. 6(1)(f)) for quality assurance and rights management; consent (Art. 6(1)(a)) where the user explicitly uploads content.
Search Queries and Browsing Behaviour
We collect data about how you use the Service, including search queries, filters applied, listings viewed, pages visited, and interaction patterns. This helps us improve search relevance and the overall user experience.
Legal basis: Legitimate interest (Art. 6(1)(f)) — improving the Service based on how it is actually used.
Voice Search Data
When you use voice search, we process your audio input only to generate a text transcript and parse your property intent. Audio is sent to our Cloudflare-hosted AI pipeline and is not retained as a permanent media archive. We may keep short-lived technical logs (error/status metadata) and derived search context (query/refinements) for the active session to support conversational refinement.
Legal basis: Legitimate interest (Art. 6(1)(f)) — providing requested voice-first search functionality; consent (Art. 6(1)(a)) where browser microphone permission is required.
Device and Browser Data
When you visit our Website, your browser automatically shares certain information such as IP address, browser type and version, operating system, screen resolution, language preference, and referring URL. We use this for analytics, security monitoring, and to ensure the Website works correctly on different devices.
Legal basis: Legitimate interest (Art. 6(1)(f)) — ensuring the Website functions properly and maintaining security.
Cookies and Similar Technologies
We use cookies and local storage to operate the Website. For full details, please see our Cookie Policy.
Legal basis: Strictly necessary cookies: legitimate interest (Art. 6(1)(f)); optional cookies: consent (Art. 6(1)(a)).
Voluntary Correspondence
When you contact us with a question, report a problem, or provide feedback, we keep that correspondence — including your email address — so that we have a history of past interactions to reference if you reach out in the future.
Legal basis: Legitimate interest (Art. 6(1)(f)) — providing effective customer support.
Information We Do Not Collect
We do not collect characteristics of protected classifications including age, race, gender, religion, sexual orientation, gender identity, or physical and mental abilities or disabilities. We do not collect biometric data. We do not knowingly collect financial information — any future payment processing will be handled directly by Stripe, and card details will never pass through our servers.
When We Access or Share Your Information
Our default practice is to not access your information. The only times we will access or share your data are:
- To provide the Service you have requested. We use third-party sub-processors (listed below) to the extent necessary to operate the Service. No Far Horizons OÜ employee looks at your personal data for these purposes unless required for debugging with your consent.
- To forward property inquiries. When you submit an inquiry about a listing, we transmit your inquiry data to the relevant estate agent or property owner so they can respond to you.
- To investigate abuse. If we have reason to believe the Service is being used for spam, fraud, or other restricted purposes, we may review relevant account data and logs.
- When required by law. If law enforcement authorities have the necessary warrant, court order, or other valid legal process requiring us to share data, we must comply. Unless legally prohibited, we will notify you of such requests.
Sub-Processors
We use the following third-party sub-processors to operate the Service:
| Sub-Processor | Country | Purpose |
|---|---|---|
| Clerk | United States | Authentication and user management |
| Cloudflare | United States | Hosting, CDN, edge computing, web analytics |
| Stripe | United States | Payment processing (when billing features launch) |
| OpenAI | United States | AI-powered features including content generation and image alt-text |
| DigitalOcean | United States | Infrastructure for automated data collection from publicly available listing sources |
| Firecrawl | United States | Web crawling for publicly available listing data |
International Data Transfers
Several of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with US-based sub-processors.
- Supplementary measures where necessary, including encryption in transit and at rest, access controls, and data minimisation.
Cloudflare processes data at edge locations worldwide, including within the EU, and provides contractual commitments under the EU SCCs.
Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account existence, plus 30 days after deletion |
| Property inquiry data | 2 years from submission, or until you request deletion |
| Search queries and browsing data | Anonymised after 90 days; raw logs deleted after 30 days |
| Voice search audio/transcripts | Audio processed ephemerally for transcription; transcripts/session context retained for active session and short-lived operational logs |
| Device and browser data | 30 days (raw); anonymised aggregates kept indefinitely |
| Correspondence | Duration of account existence, plus 1 year |
| Scraped listing data | Retained for the life of the listing; updated or removed when source data changes |
| Cookie consent records | 3 years (to demonstrate compliance) |
When you delete your account, we purge your personal data from active systems within 30 days and from backups within 60 days.
Your Rights
As an EU-based company, we apply GDPR data subject rights to all users regardless of location. You have the right to:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate personal data.
- Erasure — Request deletion of your personal data, subject to legal retention obligations.
- Restriction — Request that we restrict processing of your personal data in certain circumstances.
- Data portability — Receive your personal data in a structured, commonly used, machine-readable format.
- Object — Object to processing based on legitimate interests, including profiling.
- Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — File a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee/en, or with the supervisory authority of your habitual residence.
To exercise any of these rights, please contact us at privacy@farhorizons.io. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
Children’s Data
CasaVanguardia is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you are under 16, please do not use the Service or provide any personal data. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.
How We Secure Your Data
All data is encrypted via TLS when transmitted between our servers and your browser. Data at rest is encrypted using industry-standard methods provided by our hosting infrastructure (Cloudflare). We enforce HTTPS on all connections and implement security headers including Content Security Policy, Strict Transport Security, and X-Content-Type-Options.
Access to personal data within our systems is restricted to authorised personnel on a need-to-know basis, and all access is logged.
Changes to This Policy
We may update this policy as needed to comply with relevant regulations and reflect new practices. When we make significant changes, we will notify users by posting a prominent notice on our Website. We encourage you to review this page periodically for the latest information on our privacy practices.
Contact
Have questions, comments, or concerns about this privacy policy, your data, or your rights? Please get in touch:
- Email: privacy@farhorizons.io
- Post: Far Horizons OÜ, Sepapaja 6, 15551 Tallinn, Estonia