MOOVNA — Privacy Policy
Last updated: 19 May 2026
This Privacy Policy explains how innorealty, a company incorporated under the laws of Luxembourg, with registered office at 25 Boulevard Royal, 2449 Luxembourg (“Moovna”, “we”, “us”, “our”), as data controller, collects, uses, discloses and protects personal data of users of the Moovna platform accessible at https://moovna.com and any associated subdomains, mobile applications and ancillary services (collectively, the “Platform”).
This Privacy Policy is issued in accordance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”) and applicable national data-protection laws in the countries where the Platform is offered, including Albania, Kosovo, Montenegro, Serbia, North Macedonia, Bosnia and Herzegovina, Croatia, Greece and other European jurisdictions in which Moovna operates from time to time. Where any local mandatory rule provides stronger protection than this Policy, that local rule shall apply.
Please read this Privacy Policy carefully. By using the Platform you confirm you have read it. Where consent is the legal basis, your use of features that involve such processing is conditional on you providing consent.
1. Who We Are and How to Contact Us
1.1 The data controller for the processing described in this Policy is: innorealty, 25 Boulevard Royal, 2449 Luxembourg, email: dpo@moovna.com.
1.2 Where appointed, the Data Protection Officer (DPO) can be contacted at dpo@moovna.com.
1.3 For each market in which Moovna establishes a local subsidiary, the local entity may act as joint controller in respect of local activities. Details of any such joint controllership arrangement, including the essence of the arrangement under Article 26 GDPR, are made available on request.
2. Personal Data We Collect
2.1 We collect the following categories of personal data:
- Identification data — name, surname, date of birth, gender, photograph, identity-document data (where verification is required), nationality (for sanctions screening).
- Contact data — postal address, email address, telephone number, preferred communication channels.
- Account data — username, password (hashed), account settings, preferences, language.
- Business data (Business Users) — company name, registration number, VAT/tax identification, beneficial-ownership information, professional licences, bank-account details for payouts (where applicable).
- Listing data — Property characteristics, location, descriptions, prices, photographs, floor plans, virtual tours, energy-performance data and other Content uploaded as part of a Listing.
- Transaction data — records of interactions on the Platform, including views, saves, favourites, enquiries sent and received, leads, communications and feedback.
- Payment data — billing address, payment-card data (processed by payment-service providers), invoice and tax data.
- Technical data — IP address, device identifiers, browser type and version, operating system, time-zone, language settings, referrer URL, access logs.
- Usage data — pages visited, features used, search queries, click-stream, session duration, conversion events.
- Location data — approximate location derived from IP address; precise location only with explicit consent (for example for proximity searches).
- Communication data — content of messages exchanged through the Platform, support tickets, call recordings (where notified).
- Cookies and similar technologies — see the Cookies Policy.
2.2 We do not knowingly collect special categories of personal data (Article 9 GDPR). If special-category data is incidentally included in user-generated Content (for example a photograph that reveals health-related accessibility features), it is processed only on the basis of explicit consent or another lawful ground under Article 9(2) GDPR.
2.3 The Platform is not directed at children under sixteen (16) and we do not knowingly collect personal data of children. If you believe a child has provided personal data, please contact us and we will delete it.
3. How We Obtain Personal Data
- directly from you when you register, complete forms, upload Content, contact us or otherwise interact with the Platform;
- from your devices, automatically through cookies and similar technologies (see the Cookies Policy);
- from third parties, including identity-verification providers, sanctions-screening providers, payment-service providers, social-login providers, business partners, public registers (commercial register, land register where lawfully accessible), and Business Users who upload Listings featuring the Property of an individual (where lawful);
- from other users (for example a Business User listing a Property may upload contact data of the owner with the owner’s consent or another lawful basis).
4. Purposes and Legal Bases of Processing
4.1 We process personal data for the purposes and on the legal bases set out below (with data categories and retention):
- Provide the Platform, create and manage accounts, publish Listings, enable searches and communications. — Data: Identification, Contact, Account, Listing, Transaction, Technical. Legal basis: Performance of a contract (Art. 6(1)(b)). Retention: Duration of account + 5 years after closure for evidence and limitation periods.
- Verify identity, screen against sanctions and PEP lists. — Data: Identification, Business, Nationality. Legal basis: Legal obligation (Art. 6(1)(c)) and legitimate interest in fraud prevention (Art. 6(1)(f)). Retention: 5 years from last interaction (AML rules) unless longer required by law.
- Process payments and prevent fraud. — Data: Payment, Account, Transaction. Legal basis: Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)). Retention: 10 years from issuance of invoice (tax law) unless longer required.
- Customer support, complaint handling, dispute resolution. — Data: Identification, Contact, Account, Communication. Legal basis: Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)). Retention: Duration of relationship + 5 years.
- Send transactional communications (account, security, service notices). — Data: Identification, Contact, Account. Legal basis: Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)). Retention: Duration of account.
- Send marketing communications (newsletters, promotions). — Data: Identification, Contact, Usage. Legal basis: Consent (Art. 6(1)(a)) or legitimate interest in direct marketing to existing customers (Art. 6(1)(f)) under the soft opt-in. Retention: Until withdrawal of consent or opt-out; technical logs of consent kept 5 years.
- Personalise the Platform, analytics, measure usage, improve services. — Data: Account, Technical, Usage, Location. Legal basis: Consent (for non-essential analytics) or legitimate interest (Art. 6(1)(f)). Retention: Up to 26 months for raw analytics; aggregated data indefinitely.
- Targeted advertising (where used). — Data: Account, Usage, Cookies, Location. Legal basis: Consent (Art. 6(1)(a)). Retention: Until withdrawal of consent; max 13 months for advertising identifiers.
- Comply with legal obligations (tax, accounting, DSA transparency, court orders, regulatory requests). — Data: All applicable categories. Legal basis: Legal obligation (Art. 6(1)(c)). Retention: As required by the applicable legal-retention rule.
- Establish, exercise or defend legal claims, prevent abuse and protect security. — Data: All applicable categories. Legal basis: Legitimate interests (Art. 6(1)(f)). Retention: Duration of limitation period + 1 year.
- DSA notice-and-action, content moderation, transparency reporting. — Data: Identification, Contact, Communication, Listing. Legal basis: Legal obligation (Art. 6(1)(c)); legitimate interest (Art. 6(1)(f)). Retention: Duration prescribed by DSA + applicable national rules.
5. Who We Share Your Data With
5.1 We share personal data with the following categories of recipients, where necessary for the purposes set out in this Policy:
- other Users of the Platform, to the extent reasonably required to enable interaction (for example, Listing contact details are visible to enquirers);
- service providers acting as processors on our behalf, including hosting, cloud, email, SMS, customer support, analytics, security, fraud prevention, identity verification, payment processing, mapping and translation providers;
- professional advisers (lawyers, accountants, auditors) under duties of confidentiality;
- affiliates within the Moovna group, for centralised administration, security and consolidated reporting;
- purchasers of all or part of our business, and their advisers, in connection with a merger, acquisition, restructuring or insolvency event, subject to confidentiality;
- competent public authorities, regulators, courts and law-enforcement bodies, where required by law or to defend legal claims.
5.2 We do not sell personal data.
6. International Data Transfers
6.1 Where personal data is transferred outside the European Economic Area or outside the country in which the data subject is located, we ensure an adequate level of protection by relying on one of the following safeguards under Chapter V GDPR (or analogous local rules):
- an adequacy decision by the European Commission (or, in the case of non-EU markets, the equivalent decision under local law);
- Standard Contractual Clauses approved by the European Commission, supplemented by transfer-impact assessments and additional safeguards where required;
- binding corporate rules, where applicable;
- derogations under Article 49 GDPR, in limited circumstances such as explicit consent or contractual necessity.
6.2 A list of recipient countries and applicable safeguards may be obtained on request from the contact at clause 1.
7. Your Rights
7.1 Subject to applicable law, you have the following rights:
- Right of access (Art. 15 GDPR) — to obtain confirmation as to whether we process personal data concerning you and, where so, access to it and prescribed information.
- Right to rectification (Art. 16) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Art. 17) — to have personal data erased where one of the conditions in Art. 17 applies.
- Right to restriction (Art. 18) — to obtain restriction of processing in defined circumstances.
- Right to data portability (Art. 20) — to receive personal data you have provided in a structured, commonly used and machine-readable format, and to transmit it to another controller.
- Right to object (Art. 21) — to object to processing based on legitimate interests or for direct marketing (the latter being absolute).
- Rights in relation to automated decision-making (Art. 22) — not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, subject to defined exceptions.
- Right to withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — with a competent supervisory authority (see clause 9 below).
7.2 To exercise these rights, contact us using the details in clause 1. We will respond without undue delay and in any event within one (1) month, extendable by a further two (2) months where necessary, in accordance with Article 12 GDPR. To verify your identity, we may request additional information.
8. Security
8.1 We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit, access controls, network segmentation, monitoring, logging, incident response, business-continuity planning, employee training and supplier due diligence. Despite these measures, no system is wholly secure; you are responsible for safeguarding your account credentials and using strong, unique passwords.
8.2 In the event of a personal-data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and will notify affected data subjects where required under Article 34 GDPR.
9. Right to Complain and Supervisory Authorities
9.1 You have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work or place of the alleged infringement. Without prejudice, the principal supervisory authorities in our initial markets are:
- Albania — Information and Data Protection Commissioner (Komisioneri për të Drejtën e Informimit dhe Mbrojtjen e të Dhënave Personale) — www.idp.al;
- Kosovo — Information and Privacy Agency (Agjencia për Informim dhe Privatësi) — www.aip.rks-gov.net;
- Montenegro — Agency for Personal Data Protection and Free Access to Information (AZLP) — www.azlp.me;
- Serbia — Commissioner for Information of Public Importance and Personal Data Protection (Poverenik) — www.poverenik.rs;
- Croatia — Croatian Personal Data Protection Agency (AZOP) — www.azop.hr;
- Greece — Hellenic Data Protection Authority (HDPA) — www.dpa.gr.
10. Automated Decision-Making and Profiling
10.1 The Platform uses algorithmic ranking, recommendations and search-relevance scoring to personalise the User experience. These processes do not produce legal effects or similarly significant effects on individuals within the meaning of Article 22 GDPR, except where expressly indicated. Where automated decisions with legal or similarly significant effects are used (for example for fraud prevention), data subjects have the right to obtain human intervention, express their point of view and contest the decision.
11. Changes to This Privacy Policy
11.1 We may amend this Privacy Policy from time to time. Material changes will be notified by email or in-Platform notice. The “Last updated” date at the top reflects the most recent revision. We encourage you to review this Policy periodically.