Privacy.

1. Controller

The controller responsible for data processing on this platform is: CYPRUS EXPATS LTD, Filias 9, Acropaphos, Flat/Office 163, Chlorakas, 8220 Paphos, Zypern / Cyprus. Email: [email protected]

We have not appointed a data protection officer; we are not under a legal obligation to do so (Art. 37 GDPR). Data protection requests are handled directly via the address above.

2. Hosting

Our platform is operated on DigitalOcean infrastructure in a data centre in Frankfurt am Main (EU). A data processing agreement (Art. 28 GDPR) is in place. When you access the site, technical access data (IP address, date/time, requested resource, user agent) is processed server-side to deliver and secure the service (Art. 6(1)(f) GDPR). Server logs are generally deleted after 30 days.

3. Account & authentication

When you create an account, we process your email address, your name and a securely hashed password. Sign-in uses a secure, strictly necessary session cookie. The legal basis is performance of the user contract (Art. 6(1)(b) GDPR).

4. Property inquiries & broker leads

When you submit a property inquiry, a search request or a listing request, we process your first name, last name, email, phone number and your message in order to forward your request to the responsible broker(s). Your contact details are only shared after your explicit consent, which we obtain with the following wording:

“I agree that my contact details (name, email, phone) may be shared with the responsible broker(s) to process this enquiry. They will not be used for marketing. I can withdraw this consent at any time.”

We record this consent in an auditable way with the time, IP address, browser identifier and the accepted text version (consent record, Art. 7 GDPR). Legal basis: Art. 6(1)(a) and (b) GDPR. After the transfer, the respective broker processes your data under its own responsibility and privacy policy.

5. Events & registrations

When you register for an event we process participants' names and contact details. Guests without an account can register via a confirmation link (magic link) sent by email; the link contains a time-limited, single-use token and does not set a persistent login cookie. In public views, participants are shown by initials only.

You provide companions' (plus-ones') details on your own responsibility. By entering them you confirm that you have obtained their consent to process their names for event organisation. Legal basis: performance of contract (Art. 6(1)(b) GDPR).

For paid events we provide a ticket with a QR code and a 6-digit code (in your account and by email). At admission the organiser scans the QR code or enters the code; we record the time of check-in (attendance). Legal basis: performance of contract (Art. 6(1)(b) GDPR). For payment processing of paid events, see point 6.

6. Payments, payouts & DAC7 (Stripe Connect)

We process paid event bookings as the seller in our own name (Merchant of Record) technically via Stripe (Stripe Payments Europe Ltd. / Stripe, Inc., USA) using the Connect model. Card payment takes place on a Stripe-hosted page; we do not store full card data, only references (checkout session ID, payment intent ID), the amount and tax-relevant information (buyer country, VAT rate and amount via Stripe Tax). Legal basis: performance of contract (Art. 6(1)(b)) and compliance with tax obligations (Art. 6(1)(c) GDPR).

Organisers of paid events set up a Stripe Connect Express account to receive their 90% share. For identity verification (KYC) and payout, Stripe collects the required data (incl. name, address, date of birth or registration number, bank details); we process the status of that check as well as payout and revenue data. As the platform operator we may be legally required to report organisers' master and revenue data to the tax authorities (DAC7, Directive (EU) 2021/514). Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR); the data required for this is retained for up to 7 years. Stripe is not used for free events.

7. Messages / inquiry chat

For communication between you and our team or brokers, we store the exchanged messages in order to handle your requests (Art. 6(1)(b) GDPR).

8. Newsletter

For the newsletter we use a double opt-in procedure: after you sign up, you receive a confirmation email. We only send the newsletter after confirmation. You can unsubscribe at any time via the link in every email. Legal basis: consent (Art. 6(1)(a) GDPR).

9. Images & metadata

Event, property and classifieds images are stored on S3-compatible object storage (DigitalOcean Spaces, EU region). On upload we automatically strip the metadata contained in the image file (EXIF, including any GPS coordinates) and generate several compressed WebP variants for display. Property images are additionally watermarked.

10. Automatic translations

For bilingual content, text may be sent to DeepL (DeepL SE, Cologne, EU) for translation. Please do not enter sensitive personal data into translation fields.

11. AI chatbot

If you use our AI-assisted chatbot, your input (your question and the relevant conversation context) is transmitted to and processed by our AI service provider to generate an answer. Please do not enter sensitive personal data into the chat. The chatbot's answers are for non-binding information only and do not constitute legal, tax or investment advice. Legal basis: your request to use the feature or our legitimate interest in providing helpful information (Art. 6(1)(b)/(f) GDPR).

12. Affiliate programme & payouts

If you participate in our affiliate/referral programme, we process the data required to settle commissions (e.g. name, contact details, referred referrals) and, for payout, your bank details (IBAN). Payouts are made by SEPA transfer. Legal basis: performance of contract (Art. 6(1)(b)) and compliance with tax and commercial-law obligations (Art. 6(1)(c) GDPR).

13. Email delivery

Transactional emails (confirmations, notifications) are sent via Resend (Resend, Inc., USA). This involves processing the email address and the content of the respective message. A data processing agreement is in place.

14. Cookies & consent

We use only a few, mostly strictly necessary cookies: • sessionid: sign-in session, strictly necessary, up to 2 weeks (Django). • csrftoken: cross-site request forgery protection, strictly necessary, up to 1 year (Django). • ce_consent: stores your cookie choices, strictly necessary, up to 180 days (Klaro).

For reach measurement we use Plausible Analytics. Plausible works without cookies and without personal profiles and is therefore loaded without separate consent. Optional error monitoring (Sentry), including a masked session-replay recording without text or media, is only activated with your consent. To protect against automated spam registration, the use of hCaptcha is planned (not yet active). You control your choices via the privacy banner and can change them at any time.

15. Recipients / processors

We share data with carefully selected service providers that support our operations: DigitalOcean (hosting & object storage, EU), Resend (email delivery, USA), DeepL (translation, EU), Plausible Analytics (cookieless analytics, EU), Sentry (optional error monitoring, USA), Stripe (payment processing for paid events, USA) and our AI service provider for the chatbot. Where required, data processing agreements under Art. 28 GDPR are in place. In addition, independent brokers and event organisers may be recipients of your data (see points 4 and 5); they are independently responsible for their processing.

16. Transfers to third countries

Resend, Sentry and Stripe process data (also) in the USA. We base these transfers on the EU Standard Contractual Clauses (Art. 46 GDPR) or, where the respective provider is certified, on the EU-US Data Privacy Framework (adequacy decision of the EU Commission). DigitalOcean (EU), DeepL (EU) and Plausible (EU) process within the EEA.

17. Retention

We store personal data only for as long as necessary for the stated purposes or as required by statutory retention obligations: • Account: you can delete it at any time; we anonymise it automatically after a 30-day grace period. • Guest inquiries (without an account): anonymised after 180 days unless actively processed. • Payment and booking records for paid events and affiliate payouts: up to 7 years (statutory tax retention, Art. 17(3)(e) GDPR). • Server logs: generally 30 days.

18. Your rights

You have the right to access, rectification, erasure, restriction of processing, data portability and objection. You can withdraw any consent given at any time with effect for the future.

Account deletion: you can delete your account at any time in the account settings. Immediately afterwards you are signed out and your account is no longer visible (soft delete). Your personal data (name, email, phone) is automatically anonymised after 30 days. Business and booking data is retained without personal reference for statutory evidence purposes.

Note: free-text you entered in inquiries or listings may remain in business records and is not removed automatically. Contact us via the details in the imprint to request manual redaction.

Data portability (Art. 20 GDPR): on request we provide a copy of your data in a structured, commonly used format. No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

19. Right to complain

You have the right to lodge a complaint with a supervisory authority, in Cyprus, the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy).

20. Contact for data protection matters

For questions about data protection or to exercise your rights, contact us by email: [email protected]